💾 Archived View for 80h.dev › glog › 2020-05-09.gemini captured on 2023-01-29 at 16:24:50. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-03-01)

-=-=-=-=-=-=-

The joy of tls libs in rust

When I started out writing gemserv I used native-tls[1] which is a cross

platform library that uses platform specific implementations. I figured that

would be for the best. However, having sni was always high up on the list of

features for gemserv. After looking around how to enable sni it became clear

that wasn't available.

What did I find next? Rustls[2]. Yep, you read that right I didn't just go from

native-tls to openssl. That would have been to easy after all. But sni worked!

Well, after some work.

See one of the features of gemini is client side TOFU instead of using a CA.

To me that's a good idea, not so for rustls. Rustls uses webpki[3] which will

check the validity of a certificate. Good. Except, it had problems with self

signed certificates. Unless I was doing something wrong, anyway.

I found a way around it by implementing my own sni cert resolver[4] and I

thought that would be the end of it. Yeah, no. I found out it was rejecting any

clients trying to connect with their own certs even though I set it to allow

any authenticated clients.

The reason I found out it was denying authenticated clients is because I tried

writing my own basic client using rustls. Which required me to write a

verifier to accept the self signed cert the server was using. OK, that was

annoying but fine. Until! It wouldn't work. The verifier was literally set to

accept anything and it still wouldn't connect. That's it I'm done. I couldn't

take any more of rustls.

Maybe I gave up to easy, maybe. Or I was just doing it wrong. Either way I gave

up on it, created a new branch named openssl, ripped out rustls and put openssl

in its place. I haven't looked at the diff but I'm pretty sure there's less loc

now. And authorized clients work. The only change in functionality I see is if

I run jetforce_diagnostics.py without the server_hostname set. The server will

allow the connection but won't do anything after that.

I'll play around with it a bit before merging it to master but if anyone is

interested I pushed the branch to this server. It doesn't show up in the

project page created by gemgit however. Now I have another feature to add to it.

native-tls

rustls

webpki

ResolvesServerCert