💾 Archived View for rawtext.club › ~nervuri › close_notify.gmi captured on 2023-07-10 at 14:08:31. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
Recently, Agunua started to throw an error when connecting to certain Gemini capsules:
OpenSSL.SSL.Error: [('SSL routines', '', 'unexpected eof while reading')]
It turns out that this has to with the release of OpenSSL 3. OpenSSL no longer tolerates TLS connections that don't shut down with a close_notify message, as per the TLS specification. So now things will break (as they should!) until people fix their servers. This is hitting Gemini hard, and it's affecting the web as well:
https://github.com/curl/curl/issues/7800
OpenSSL can not tell that all data was received or not if the close_notify is not received. It looks like a truncation attack to OpenSSL, so it's reporting that error.
Stéphane Bortzmeyer graciously added detection of this issue to Lupa, which now provides a list of affected hosts:
The list is not yet complete, since this is a new feature and Lupa didn't get to check most of Geminispace. But I did. Here is a more complete list, for the time being:
That's 115 hosts, around 5%-10% of known hosts in Geminispace (depending on whether you count subdomains for services like flounder.online). Lupa currently estimates 3.3% of capsules are affected, and that number is growing as the scan progresses:
If your capsule is on the list, first make sure that your server software is up to date. If it is, then please:
You can test your server using Agunua's command line tool:
pip install agunua agunua tilde.team
You can also use this command:
printf "gemini://tilde.team/\r\n" | openssl s_client -ign_eof -connect tilde.team:1965
(The last line should say "closed" to indicate that close_notify was sent. Otherwise, you should get an error: "...unexpected eof while reading...".)
Or you can check from a web browser, using:
You'll need to click "[view cert]". Example:
https://portal.mozz.us/gemini/tilde.team/?crt=1
Let's fix this!
Further reading:
Replies:
gemini://capsule.usebox.net/gemlog/20221218-re-many-capsules-don-t-send-tls-close-notify.gmi
gemini://foobucket.xyz/gemlog/2022-12-18-Re_Many_capsules_dont_send_TLS_close_notify.gmi
gemini://nytpu.com/gemlog/2022-12-18.gmi
gemini://station.martinrue.com/bortzmeyer/91ebe743d7704b78be9a871f6675d00f
_____________________
Published: 2022-12-17
Updated: 2022-12-19