💾 Archived View for gemini.circumlunar.space › ~acdw › 2020-06-25-re-parker-openssl.gmi captured on 2023-07-10 at 13:51:35. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2020-09-24)

-=-=-=-=-=-=-

OpenSSL woes

RE: Parker, "I really hate OpenSSL"

As of this writing,

gemini://pon.ix.tc/~krixano/

works in bollux, so I'm not sure what was going on earlier.

However, I've had some issues with sites not connecting in the past, and it turns out the problem was that

openssl req -x509 -newkey

defaults to using a v1 certificate, which does not support SNI. Self-signing server authors need to make sure that they use v3 certificates (which I'm not sure how to requisition with openssl; I've yet to set a cert up myself. Though I found an answer on serverfault that might help.)

"openssl keeps creating v1 certificate instead of v3" on serverfault

It'd be nice if someone could write a "best practices for server people" document. Or add it to the

existing best practices document.