💾 Archived View for 80h.dev › glog › 2020-05-09.gemini captured on 2023-01-29 at 16:24:50. Gemini links have been rewritten to link to archived content
When I started out writing gemserv I used native-tls[1], a cross-platform library that delegates to platform-specific TLS implementations. I figured that would be for the best. However, SNI was always high up on the list of features for gemserv. After looking around for how to enable SNI it became clear that it wasn't available.

What did I find next? Rustls[2]. Yep, you read that right: I didn't just go from native-tls to openssl. That would have been too easy after all. But SNI worked! Well, after some work.

See, one of the features of Gemini is client-side TOFU instead of using a CA. To me that's a good idea; not so for rustls. Rustls uses webpki[3], which will check the validity of a certificate. Good. Except it had problems with self-signed certificates. Unless I was doing something wrong, anyway.

I found a way around it by implementing my own SNI cert resolver[4] and I thought that would be the end of it. Yeah, no. I found out it was rejecting any clients trying to connect with their own certs even though I had set it to allow any authenticated clients.

The reason I found out it was denying authenticated clients is because I tried writing my own basic client using rustls, which required me to write a verifier to accept the self-signed cert the server was using. OK, that was annoying but fine. Until! It wouldn't work. The verifier was literally set to accept anything and it still wouldn't connect. That's it, I'm done. I couldn't take any more of rustls.
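Both problems above come down to the same thing: in Gemini neither the server's self-signed certificate nor a client's certificate is chained to a CA, so the check has to be done by fingerprint instead. The following is an added example, not gemserv's code nor anything from the post's author, showing the two halves in Python: a client-side TOFU store that pins the SHA-256 fingerprint of a server's DER certificate on first use and rejects later mismatches without silently overwriting the pin, and a server-side registry that accepts any client certificate and treats its fingerprint as the identity. The certificate bytes are constructed placeholders; in a real program they come from ssl.SSLSocket.getpeercert(binary_form=True), and the TofuStore and ClientRegistry names and the JSON pin-file layout are this example's own assumptions.

```python
"""Added example: fingerprint-based TOFU for Gemini-style TLS (not gemserv code)."""
import hashlib
import hmac
import json
import time
from enum import Enum
from pathlib import Path
from typing import Optional, Tuple


class Verdict(Enum):
    FIRST_USE = "first-use"  # no pin for this host yet: record it and accept
    MATCH = "match"          # presented cert matches the stored pin: accept
    MISMATCH = "mismatch"    # cert differs from the pin: reject (rotation or interception)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, i.e. the bytes getpeercert(binary_form=True) returns."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Client side: trust-on-first-use pinning of server certificates, keyed by host:port."""

    def __init__(self, path: Optional[Path] = None):
        # path=None keeps pins in memory only; a real client persists them (assumed JSON layout)
        self.path = path
        self.pins: dict = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check_server(self, host: str, port: int, der_cert: bytes) -> Verdict:
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # first contact: remember what we saw and accept it
            self.pins[key] = {"fp": fp, "first_seen": int(time.time())}
            self._save()
            return Verdict.FIRST_USE
        # constant-time compare; the fingerprint is public, but compare_digest is cheap
        if hmac.compare_digest(pinned["fp"], fp):
            return Verdict.MATCH
        # a mismatch never updates the pin by itself; that is an explicit operator action
        return Verdict.MISMATCH

    def replace_pin(self, host: str, port: int, der_cert: bytes) -> None:
        """Operator action after confirming a legitimate certificate rotation out of band."""
        self.pins[f"{host}:{port}"] = {"fp": fingerprint(der_cert), "first_seen": int(time.time())}
        self._save()


class ClientRegistry:
    """Server side: a self-signed client cert is not chained to a CA; its fingerprint is the identity."""

    def __init__(self):
        self.known: dict = {}  # fingerprint -> first-seen timestamp

    def identify(self, der_cert: Optional[bytes]) -> Tuple[Optional[str], bool]:
        """Return (fingerprint, is_new). (None, False) means no client cert was presented."""
        if not der_cert:
            return None, False  # anonymous request
        fp = fingerprint(der_cert)
        is_new = fp not in self.known
        if is_new:
            # never-seen cert is still accepted: the fingerprint becomes the account name
            self.known[fp] = int(time.time())
        return fp, is_new


if __name__ == "__main__":
    # constructed placeholder "certificates", not real DER
    server_a = b"constructed DER bytes for server A"
    server_b = b"constructed DER bytes for server B"
    store = TofuStore()
    for cert in (server_a, server_a, server_b):
        print("client:", store.check_server("example.org", 1965, cert).value)
    registry = ClientRegistry()
    print("server:", registry.identify(b"constructed DER bytes for a client"))
    print("server:", registry.identify(b"constructed DER bytes for a client"))
```

The client half is what a rustls or openssl verifier callback would feed: pass the peer's DER bytes to check_server and refuse the connection on MISMATCH. The server half is the "allow any authenticated client" behaviour the post wants, with the fingerprint carried into the request handler as the user's identity.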

Maybe I gave up too easily, maybe. Or I was just doing it wrong. Either way I gave up on it, created a new branch named openssl, ripped out rustls and put openssl in its place. I haven't looked at the diff but I'm pretty sure there's less LOC now. And authorized clients work. The only change in functionality I see is if I run jetforce_diagnostics.py without the server_hostname set: the server will allow the connection but won't do anything after that.

I'll play around with it a bit before merging it to master, but if anyone is interested I pushed the branch to this server. It doesn't show up in the project page created by gemgit, however. Now I have another feature to add to it.