💾 Archived View for bbs.geminispace.org › u › skyjake › 2520 captured on 2023-09-08 at 17:52:43. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Re: "Some nits re generated client certs"
Hmm, I checked the TLS 1.2 RFC and it does seem version 3 client certificates are required.
With that in mind, I should check again whether this is an appropriate default for Gemini. I'm inclined to make the change; however, see earlier discussion:
— https://github.com/skyjake/lagrange/issues/327
And yeah, you can always import whatever externally generated client certificates you have.
2023-06-28 · 2 months ago
There are a few issues I noticed with certificates generated by Lagrange: First is that they aren’t compliant with TLS’ requirements. RFC 8446 §4.4.2.3 requires client certificates be in X.509v3 format unless otherwise negotiated; digging through the source and some traces from OpenSSL don’t seem to indicate that any such negotiation takes place, rendering Lagrange’s client auth out-of-spec. Another issue is that certificates don’t currently have any key use information. They really ought...
💬 totroptof · 4 comments · 2023-06-28 · 2 months ago · #feature
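
The two properties raised in the post (X.509 version, per RFC 8446 §4.4.2.3, and the presence of key-use extensions) can be checked on any DER-encoded certificate. The following is an added example, not code from Lagrange or from the thread. It assumes "key use information" refers to the keyUsage and extendedKeyUsage extensions, and the sample byte strings are constructed skeletons, not real certificates.

```python
KEY_USAGE_OID = bytes.fromhex("551d0f")      # 2.5.29.15 keyUsage
EXT_KEY_USAGE_OID = bytes.fromhex("551d25")  # 2.5.29.37 extendedKeyUsage

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits give byte count
        n = length & 0x7F
        if n == 0 or n > 4:                  # indefinite or oversized length
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Report the X.509 version and which key-use extensions are present."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])  # fields of tbsCertificate
    version = 1                              # version is DEFAULT v1 when absent
    if fields and fields[0][0] == 0xA0:      # [0] EXPLICIT INTEGER
        version = int.from_bytes(read_tlv(fields[0][1], 0)[1], "big") + 1
    oids = set()
    for t, val in fields:
        if t == 0xA3:                        # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val, 0)[1]):
                oids.add(children(ext)[0][1])  # first child is extnID
    return {"version": version, "key_usage": KEY_USAGE_OID in oids,
            "ext_key_usage": EXT_KEY_USAGE_OID in oids}

def tlv(tag, content=b""):
    return bytes([tag, len(content)]) + content  # short form, content < 128 bytes

# Constructed skeletons: serial plus five empty SEQUENCEs stand in for the real fields.
REST = tlv(0x02, b"\x01") + tlv(0x30) * 5
V1_SAMPLE = tlv(0x30, tlv(0x30, REST))       # no version field, no extensions
KU_EXT = tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x04, b"\x03\x02\x07\x80"))
V3_SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + REST + tlv(0xA3, tlv(0x30, KU_EXT))))
```

To check a real certificate, pass its DER bytes to `inspect_cert`; a PEM file has to be base64-decoded first.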