💾 Archived View for rawtext.club › ~nervuri › close_notify.gmi captured on 2023-07-10 at 14:08:31. Gemini links have been rewritten to link to archived content

Many capsules don't send TLS close_notify

Recently, Agunua started to throw an error when connecting to certain Gemini capsules:

OpenSSL.SSL.Error: [('SSL routines', '', 'unexpected eof while reading')]

It turns out that this has to do with the release of OpenSSL 3. OpenSSL no longer tolerates TLS connections that are shut down without a close_notify alert, as the TLS specification requires. So now things will break (as they should!) until people fix their servers. This is hitting Gemini hard, and it's affecting the web as well:

https://github.com/curl/curl/issues/7800

OpenSSL cannot tell whether all data was received if the close_notify is not received. It looks like a truncation attack to OpenSSL, so it's reporting that error.

Stéphane Bortzmeyer graciously added detection of this issue to Lupa, which now provides a list of affected hosts:

Lupa's list of affected hosts

The list is not yet complete, since this is a new feature and Lupa didn't get to check most of Geminispace. But I did. Here is a more complete list, for the time being:

My list of affected hosts

That's 115 hosts, around 5%-10% of known hosts in Geminispace (depending on whether you count subdomains for services like flounder.online). Lupa currently estimates 3.3% of capsules are affected, and that number is growing as the scan progresses:

Lupa stats

Call to action

If your capsule is on the list, first make sure that your server software is up to date. If it is, then please:

Contact me

You can test your server using Agunua's command line tool:

pip install agunua
agunua tilde.team

You can also use this command:

printf "gemini://tilde.team/\r\n" |
  openssl s_client -ign_eof -connect tilde.team:1965

(If close_notify was sent, the last line of output says "closed". Otherwise you should get an error containing "unexpected eof while reading".)
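The same check can be scripted, which is handy when going through a list of hosts rather than one capsule at a time. The following is an added example, not code from this post nor from Agunua or Lupa; it uses only the Python standard library. The host name and port 1965 are the ones used in the commands above; the SimulatedPeer class and the response bytes it serves are constructed here so the classifier can be demonstrated offline. It also includes the server-side counterpart (unwrap() before close), since sending close_notify is what the call to action asks capsule operators to fix.

```python
"""Check whether a Gemini capsule ends its TLS session with close_notify.

Added example for this post; not code from the original page, Agunua or
Lupa. Standard library only. Host names given on the command line are
checked over the network; with no arguments an offline demonstration runs
against a simulated peer (constructed below).
"""
import socket
import ssl
import sys

GEMINI_PORT = 1965


def make_client_context():
    """TLS client context for the check.

    Gemini relies on self-signed certificates (TOFU), so verification is
    off; the property under test is the shutdown, not the identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Deliberately NOT setting ctx.options |= ssl.OP_IGNORE_UNEXPECTED_EOF
    # (Python 3.10+, OpenSSL 3): that flag makes a bare TCP close count as
    # end-of-data again, which is the truncation risk OpenSSL 3 now rejects.
    return ctx


def read_until_close(tls_sock):
    """Read the whole response and report how the peer ended the session.

    Returns (data, clean_close). clean_close is True only if the peer sent
    close_notify, in which case recv() returns b''. A bare TCP FIN raises
    ssl.SSLEOFError instead (OpenSSL's 'unexpected eof while reading'), so
    the data comes back flagged as possibly truncated. The socket must be
    wrapped with suppress_ragged_eofs=False, or Python hides the difference.
    """
    chunks = []
    while True:
        try:
            chunk = tls_sock.recv(4096)
        except ssl.SSLEOFError:
            return b"".join(chunks), False
        if not chunk:
            return b"".join(chunks), True
        chunks.append(chunk)


def check_host(host, port=GEMINI_PORT, timeout=10.0):
    """Request the capsule root and classify the TLS shutdown."""
    request = "gemini://{}/\r\n".format(host).encode()
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host,
                             suppress_ragged_eofs=False) as tls:
            tls.sendall(request)
            data, clean = read_until_close(tls)
    header = data.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    return {"host": host, "header": header,
            "bytes": len(data), "close_notify": clean}


def shutdown_with_close_notify(tls_sock):
    """Server side: end the session properly after writing the response.

    SSLSocket.unwrap() runs the TLS shutdown (sends close_notify) and hands
    back the plain TCP socket; closing without it is the defect the post
    describes. A client that already hung up makes unwrap() raise, which is
    harmless once the response is out.
    """
    try:
        plain = tls_sock.unwrap()
    except (OSError, ssl.SSLError):
        plain = tls_sock
    plain.close()


class SimulatedPeer:
    """Constructed stand-in for a TLS socket, for offline demonstration.

    Serves the given chunks, then either signals a clean close_notify
    (recv() -> b'') or a bare TCP close (ssl.SSLEOFError), mirroring an
    SSLSocket wrapped with suppress_ragged_eofs=False.
    """

    def __init__(self, chunks, sends_close_notify):
        self._chunks = list(chunks)
        self._clean = sends_close_notify

    def recv(self, _bufsize):
        if self._chunks:
            return self._chunks.pop(0)
        if self._clean:
            return b""
        raise ssl.SSLEOFError("EOF occurred in violation of protocol")


def demo():
    """Run the classifier against a well-behaved and a misbehaving peer."""
    response = [b"20 text/gemini\r\n", b"# Hello\n"]  # constructed sample
    good = read_until_close(SimulatedPeer(response, True))
    bad = read_until_close(SimulatedPeer(response, False))
    # Same bytes either way: without close_notify a client cannot tell a
    # complete response from a truncated one, which is the whole problem.
    return {"well_behaved": good[1], "missing_close_notify": bad[1],
            "same_bytes": good[0] == bad[0]}


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(demo())
    for host in sys.argv[1:]:
        result = check_host(host)
        verdict = "close_notify sent" if result["close_notify"] else "MISSING close_notify"
        print("{host}: {header!r}, {bytes} bytes -> {v}".format(v=verdict, **result))
```

Run it as `python3 check_close_notify.py tilde.team` to test one host, or with no arguments to see the offline demonstration. The point of suppress_ragged_eofs=False is that Python otherwise reports both a clean shutdown and a bare TCP close as end-of-stream, which is exactly the ambiguity that the OpenSSL 3 default refuses to accept.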

Or you can check from a web browser, using:

https://portal.mozz.us/

You'll need to click "[view cert]". Example:

https://portal.mozz.us/gemini/tilde.team/?crt=1

Let's fix this!

Further reading:

TLS truncation attacks

Replies:

gemini://capsule.usebox.net/gemlog/20221218-re-many-capsules-don-t-send-tls-close-notify.gmi

gemini://foobucket.xyz/gemlog/2022-12-18-Re_Many_capsules_dont_send_TLS_close_notify.gmi

gemini://nytpu.com/gemlog/2022-12-18.gmi

gemini://station.martinrue.com/bortzmeyer/91ebe743d7704b78be9a871f6675d00f

_____________________

Published: 2022-12-17

Updated: 2022-12-19