💾 Archived View for lists.flounder.online › gemini › threads › ab605efa69fce8be90c0fbd195c97eb1@post… captured on 2022-04-28 at 19:20:12. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
From: solderpunk@posteo.net
Date: Sun, 07 Nov 2021 16:07:05 +0000
Message-Id: ab605efa69fce8be90c0fbd195c97eb1@posteo.net
To: "Gemini application layer protocol" <gemini@lists.orbitalfox.eu>
--------------------------------------
Howdy all,
When I started Gemini I dearly wanted to specify that TLS 1.3 be the minimum allowed version of TLS. However, I didn't because at that time TLS 1.3 was still not very widely implemented and I did not want to basically make it a requirement that all Gemini implementations rely on OpenSSL. In particular, I didn't want to exclude the possibility of using LibreSSL instead. So, instead I required 1.2 or above and left lots of caveats in the spec to make my feelings clear.
I have checked in on this issue for the first time in a while, and at least according to the English Wikipedia's "Comparison of TLS implementations", TLS 1.3 is now supported by OpenSSL, LibreSSL, GnuTLS and wolfSSL, and is "experimentally" supported by Mbed TLS (these last two are of somewhat special interest/appeal as they target embedded systems and so are much more lightweight than traditional TLS stacks). This gives me some glimmer of hope that as part of the spec finalisation we could actually require 1.3 or above as I always wished.
But I realise that there's potentially a lot of difference between a green box on a Wikipedia page and actual practical, compatible real world implementation. So I would like to ask authors of Gemini servers or clients which use a TLS stack other than OpenSSL whether or not they have encountered any problems actually using TLS 1.3.
I would also like to ask anybody who runs a Gemini indexer/crawler who might have the data at hand if they can provide us with some kind of statistics on the current real-world Gemini TLS version landscape.
Cheers,
Solderpunk
From: stephane@sources.org
Date: Sun, 7 Nov 2021 17:15:16 +0100
Message-Id: YYf7lMLoWii/K2kI@sources.org
To: "Solderpunk" <solderpunk@posteo.net>
In-Reply-To: ab605efa69fce8be90c0fbd195c97eb1@posteo.net
Cc: "Gemini application layer protocol" <gemini@lists.orbitalfox.eu>
--------------------------------------
On Sun, Nov 07, 2021 at 04:07:05PM +0000,
Solderpunk <solderpunk@posteo.net> wrote
a message of 31 lines which said:
> I would also like to ask anybody who runs a Gemini indexer/crawler
> who might have the data at hand if they can provide us with some
> kind of statistics on the current real-world Gemini TLS version
> landscape.
gemini://gemini.bortzmeyer.org/software/lupa/stats.gmi
86 % of the capsules use TLS 1.3, 14 % use TLS 1.2.
(The code currently assumes a capsule is fully TLS 1.3 or fully TLS
1.2. Strange things will happen otherwise.)
From: solderpunk@posteo.net
Date: Sun, 07 Nov 2021 16:25:27 +0000
Message-Id: 2dd47dcf95853beec7f85ea73dbf8935@posteo.net
To: "Gemini application layer protocol" <gemini@lists.orbitalfox.eu>
In-Reply-To: YYf7lMLoWii/K2kI@sources.org
--------------------------------------
On 07.11.2021 17:15, Stephane Bortzmeyer wrote:
> gemini://gemini.bortzmeyer.org/software/lupa/stats.gmi
> 86 % of the capsules use TLS 1.3, 14 % use TLS 1.2.
Thank you! That is encouraging. But it might just reflect the fact that most Gemini software is based on OpenSSL. I will feel even happier if I get confirmation from people running software based on LibreSSL or WolfSSL that TLS 1.3 is working smoothly in practice for them on a regular basis.
Cheers,
Solderpunk
From: alex@nytpu.com
Date: Sun, 7 Nov 2021 10:01:15 -0700
Message-Id: 20211107170106.p4dex2k6rdiz3ocr@GLaDOS.local
To: "Gemini Mailing List" <gemini@lists.orbitalfox.eu>
In-Reply-To: ab605efa69fce8be90c0fbd195c97eb1@posteo.net
--------------------------------------
As of late 2019 client-side TLS 1.3 for LibreSSL was implemented, which
I can confirm. Server support was completed by mid-to-late 2020 but 1.3
support for their OpenSSL API clone wasn't finished yet.
Apparently in the latest LibreSSL release (3.4.1, October 14th) they
completed their implementation of the OpenSSL TLS 1.3 API, which means
that an up-to-date LibreSSL should have full support for TLS 1.3 through
all of their various APIs as of now---although I can't confirm it since
I use LibreSSL very intermittently and usually just for testing of
cross-compilation to a BSD.
I've been using GnuTLS a little bit in Ada and it seems to support 1.3
fine although my testing was at the absolute most basic level.
According to various developers' blogs and the changelog GnuTLS got TLS
1.3 support before the RFC draft was even finalized (even as far back as
2016 when it was in an ultra-draft state), so one can feel pretty safe
in assuming that any broken functionality would've been fixed by now.
I don't have experience with any other TLS libraries, sorry.
---
Vaguely related question: prior to the specification being finalized, is
there any plan to ensure that future TLS versions are supported
implicitly? Something simple like "Clients MAY/MUST use TLS
1.3 (or the latest TLS version should TLS 1.3 be deprecated)" would be
better than being stuck at TLS 1.3 forever.
~nytpu
--
Alex // nytpu
alex@nytpu.com
gpg --locate-external-key alex@nytpu.com
From: moody@posixcafe.org
Date: Sun, 7 Nov 2021 16:19:29 -0700
Message-Id: c0745055-dcec-97e0-0b18-4de0352ce52e@posixcafe.org
To: "Solderpunk" <solderpunk@posteo.net>, "Gemini application layer protocol" <gemini@lists.orbitalfox.eu>
In-Reply-To: 2dd47dcf95853beec7f85ea73dbf8935@posteo.net
--------------------------------------
Greetings Solderpunk,
I know there is a small but fairly active group of people who are using gemini
from the comfort of plan9/9front, myself included. 9front has its own
TLS stack instead of relying on POSIX-y implementations, and at the time of
writing 9front's implementation only supports up to TLS 1.2.
Getting 1.3 implemented is on a list of things to do, but no real
work has started on it from what I could tell. While I understand
it doesn't make much sense to hold back for the sake of an otherwise
small fringe group, I wanted to point out a hard requirement on TLS 1.3
would (perhaps momentarily) prevent the use of gemini on 9front should
these requirements get set and strictly enforced.
Thank you,
moody
From: jmcbray@carcosa.net
Date: Mon, 08 Nov 2021 09:15:04 -0500
Message-Id: 87fss6wx00.fsf@cassilda.carcosa.net
To: "Solderpunk" <solderpunk@posteo.net>
In-Reply-To: ab605efa69fce8be90c0fbd195c97eb1@posteo.net
Cc: <gemini@lists.orbitalfox.eu>
--------------------------------------
Solderpunk <solderpunk@posteo.net> writes:
> But I realise that there's potentially a lot of difference between
> a green box on a Wikipedia page and actual practical,
> compatible real world implementation. So I would like to ask authors
> of Gemini servers or clients which use a TLS stack other than OpenSSL
> whether or not they have encountered any problems actually using TLS
> 1.3.
I'd like to note that in my CL Gemini implementations (Germinal server,
and cl-gemini-client client), I /do/ use OpenSSL, and /support/ TLS 1.3,
but due to the way the cl+ssl wrapper is written, I'm unable to force
TLS 1.3-only. I've tried to submit patches upstream that would enable
doing so, but it's too hard for me to meet the requirements for multiple
CL implementations and multiple OpenSSL versions, so I've kind of given
up.
--
Jason McBrayer | “Strange is the night where black stars rise,
jmcbray@carcosa.net | and strange moons circle through the skies,
| but stranger still is lost Carcosa.”
| ― Robert W. Chambers, The King in Yellow
From: ben@benaaron.dev
Date: Mon, 22 Nov 2021 21:23:59 -0500
Message-Id: dc2cc67a-c5e7-057e-b1df-f6830c521156@benaaron.dev
To: "Solderpunk" <solderpunk@posteo.net>, "Gemini application layer protocol" <gemini@lists.orbitalfox.eu>
In-Reply-To: ab605efa69fce8be90c0fbd195c97eb1@posteo.net
--------------------------------------
Sorry for taking a while to respond to this, I'm not very active here.
> But I realise that there's potentially a lot of difference between
> between a green box on a Wikipedia page and actual practical, compatible
> real world implementation. So I would like to ask authors of Gemini
> servers or clients which use a TLS stack other than OpenSSL whether or
> not they have encountered any problems actually using TLS 1.3.
stargazer uses rustls exclusively and I've had no problems with using TLS 1.3. rustls in fact only supports TLS 1.2 & 1.3, so I haven't had to do anything special to restrict the use of older versions.
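An added example, not code from any of the posters' projects, tying together three points in this thread: enforcing a TLS version floor in a Gemini client (what Jason could not do through cl+ssl), leaving the ceiling open so future versions negotiate without a spec change (nytpu's question), and tallying negotiated versions the way a crawler such as Lupa reports them. It uses Python's standard `ssl` module; the host list and the per-capsule results are constructed sample data, and the TOFU certificate check that Gemini relies on is left to the caller.

```python
import socket
import ssl
from collections import Counter

GEMINI_PORT = 1965  # default Gemini port


def gemini_client_context(min_version=ssl.TLSVersion.TLSv1_3):
    """Client context that refuses handshakes below min_version.

    Gemini certificates are trust-on-first-use, so verification is disabled
    here and pinning must be done by the caller against its TOFU store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    # No fixed ceiling: a future TLS 1.4 would be accepted without a code change.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # caller is responsible for TOFU pinning
    return ctx


def negotiated_version(host, port=GEMINI_PORT, timeout=10,
                       min_version=ssl.TLSVersion.TLSv1_2):
    """Connect to a capsule and return the negotiated TLS version string
    (e.g. 'TLSv1.3'), or None if the connection or handshake failed.
    Uses the network; the floor defaults to 1.2 so 1.2-only capsules show up."""
    ctx = gemini_client_context(min_version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def tls_version_stats(results):
    """Turn {host: version-or-None} into whole-number percentages per version,
    ignoring capsules that did not complete a handshake."""
    counts = Counter(v for v in results.values() if v)
    total = sum(counts.values())
    return {v: round(100 * n / total) for v, n in counts.items()} if total else {}


# Constructed sample results (no real capsules were probed).
SAMPLE_RESULTS = {f"capsule{i}.example": "TLSv1.3" for i in range(6)}
SAMPLE_RESULTS["old.example"] = "TLSv1.2"
SAMPLE_RESULTS["down.example"] = None
```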