💾 Archived View for gemi.dev › gemini-mailing-list › 000452.gmi captured on 2023-11-04 at 12:49:53. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Hiya! On behalf of the gmnisrv server software
(https://git.sr.ht/~sircmpwn/gmnisrv), I'm writing to inform client
authors that our intention is to *require* clients to enable server name
identification (SNI) when making TLS connections. We will drop
connections which do not provide SNI.

It's pretty easy to add to your client, so please double check that
yours does it! My server, gemini://drewdevault.com, is running gmnisrv
with this requirement enabled if you want something to test against.

Drew DeVault <sir at cmpwn.com> writes:

> Hiya! On behalf of the gmnisrv server software
> (https://git.sr.ht/~sircmpwn/gmnisrv), I'm writing to inform client
> authors that our intention is to *require* clients to enable server name
> identification (SNI) when making TLS connections. We will drop
> connections which do not provide SNI.
>
> It's pretty easy to add to your client, so please double check that
> yours does it! My server, gemini://drewdevault.com, is running gmnisrv
> with this requirement enabled if you want something to test against.

This explains why I wasn't able to visit your server today, as it seems
elpher doesn't do SNI.

(please excuse my ignorance on the matter) what's the rationale for this
requirement? (other than allowing virtual hosts.) I'm asking because I'm
curious if I need to follow the same behaviour in my server too.

Omar Polo <op at omarpolo.com> writes:

> Drew DeVault <sir at cmpwn.com> writes:
>
>> Hiya! On behalf of the gmnisrv server software
>> (https://git.sr.ht/~sircmpwn/gmnisrv), I'm writing to inform client
>> authors that our intention is to *require* clients to enable server name
>> identification (SNI) when making TLS connections. We will drop
>> connections which do not provide SNI.
>>
>> It's pretty easy to add to your client, so please double check that
>> yours does it! My server, gemini://drewdevault.com, is running gmnisrv
>> with this requirement enabled if you want something to test against.
>
> This explains why I wasn't able to visit your server today, as it seems
> elpher doesn't do SNI.

The Gemini iOS app¹ ² I was using also doesn't load Drew's server. I get
the error message "The operation couldn't be completed. (OSStatus error
-9806.)"

Perhaps this could be clarified in the spec?

Cheers,
Will

¹ https://testflight.apple.com/join/ln6yTtqK
² https://github.com/pitr/gemini-ios

--
https://jb55.com

To enable virtual hosts and automatic certificate generation.
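The policy Drew describes above (drop TLS connections whose ClientHello carries no SNI, and use the SNI value to pick the virtual host's certificate) in working code, as an added example that is not part of this thread and is not gmnisrv's code. It is Go, standard library only; the hostnames, the self-signed certificates minted in-process, the loopback TCP connection and the trust-on-first-use pin are all constructed for the demo. The client side shows what a conforming Gemini client must send (ServerName set to the host from the URL); clearing it reproduces the dropped connection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrNoSNI is what the server reports when a ClientHello omits server_name.
var ErrNoSNI = errors.New("gemini: client sent no server_name (SNI) extension")

// selfSignedCert mints a throwaway certificate for one hostname (constructed
// in-process for this demo; a real server loads cert and key from disk).
func selfSignedCert(hostname string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// serverConfig picks the certificate for the requested virtual host from the
// SNI value and refuses the handshake outright when the extension is absent.
func serverConfig(vhosts map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == "" {
				return nil, ErrNoSNI // no SNI: drop the connection
			}
			cert, ok := vhosts[hello.ServerName]
			if !ok {
				return nil, fmt.Errorf("gemini: no virtual host named %q", hello.ServerName)
			}
			return &cert, nil
		},
	}
}

// clientConfig is a Gemini-style client: SNI set to the host from the URL, no CA
// validation, and trust-on-first-use pinning of the leaf's SHA-256 fingerprint.
// An empty sni means the client sends no server_name extension at all.
func clientConfig(sni string, pin [32]byte) *tls.Config {
	return &tls.Config{
		ServerName:         sni,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // chain validation is replaced by the pin check
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if sha256.Sum256(raw[0]) != pin {
				return errors.New("gemini: certificate does not match the pinned fingerprint")
			}
			return nil
		},
	}
}

// handshake runs one TLS handshake over a loopback TCP connection (nothing
// leaves 127.0.0.1) and returns the server-side and client-side results.
func handshake(srv, cli *tls.Config) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		done <- tls.Server(conn, srv).Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err // deferred ln.Close unblocks the Accept goroutine
	}
	defer conn.Close()
	clientErr = tls.Client(conn, cli).Handshake()
	return <-done, clientErr
}
```

Go's tls.Config.GetCertificate sees the ClientHello before any certificate is chosen, so that is the hook where a server can refuse a missing server_name. On the client side Go sends the extension only when ServerName is non-empty and is a hostname rather than an IP literal, which is the usual way a client ends up tripping over this requirement: it connected by address, or never copied the host from the URL into the TLS configuration.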
Drew DeVault <sir at cmpwn.com> writes:

> To enable virtual hosts and automatic certificate generation.

Seems fair. But, since another user also complained that his client
didn't support SNI, would you mind relaxing this requirement for a bit?
I really like reading your blog :)

In the meantime I guess I'll try to figure out how to teach SNI to
elpher.

Since their server is meant to be something others can test their clients against, I think you could just use an alternative client like amfora until elpher can do this?
Omar Polo <op at omarpolo.com> writes:

> In the meantime I guess I'll try to figure out how to teach SNI to
> elpher.

I use elpher as my Gemini client, and gemini://drewdevault.com loads
just fine for me. I'm running elpher version 2.10.0.

Cheers,
Gary

--
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

See §4 of the Gemini Specification:

> Use of the Server Name Indication (SNI) extension to TLS is also
> mandatory, to facilitate name-based virtual hosting.

If your client does not support SNI, then it is in violation of the
specification. I make a motion that SNI should actually be mandatory to
ensure clients are following the specification (as apparently elpher and
other clients aren't). I don't want a flip-flopped version of tag soup
where servers have to cater to the lowest common denominator of clients
even though they are in clear violation of the specification.

--
Alex // nytpu
alex at nytpu.com
GPG Key: https://www.nytpu.com/files/pubkey.asc
Key fingerprint: 43A5 890C EE85 EA1F 8C88 9492 ECCD C07B 337B 8F5B
https://useplaintext.email/

Gary Johnson <lambdatronic at disroot.org> writes:

> Omar Polo <op at omarpolo.com> writes:
>
>> In the meantime I guess I'll try to figure out how to teach SNI to
>> elpher.
>
> I use elpher as my Gemini client, and gemini://drewdevault.com loads
> just fine for me. I'm running elpher version 2.10.0.
>
> Cheers,
> Gary

And it's working indeed. I don't know why, but yesterday I was unable
to visit it, and elpher was failing with a timeout error. Given the
timing, I assumed it was related to this. As I found later, elpher is
doing SNI correctly (lesson learned: when in doubt, first check the
code.) Must have been a connection error on my end or PEBCAK.

Sorry for the noise I guess?

Same here with the iOS client. I could not reproduce the error William
saw, everything loads just fine.

On Tue, Nov 10, 2020 at 10:47 Omar Polo <op at omarpolo.com> wrote:
>
> Gary Johnson <lambdatronic at disroot.org> writes:
>
> > Omar Polo <op at omarpolo.com> writes:
> >
> >> In the meantime I guess I'll try to figure out how to teach SNI to
> >> elpher.
> >
> > I use elpher as my Gemini client, and gemini://drewdevault.com loads
> > just fine for me. I'm running elpher version 2.10.0.
> >
> > Cheers,
> > Gary
>
> And it's working indeed. I don't know why, but yesterday I was unable
> to visit it, and elpher was failing with a timeout error. Given the
> timing, I assumed it was related to this. As I found later, elpher is
> doing SNI correctly (lesson learned: when in doubt, first check the
> code.) Must have been a connection error on my end or PEBCAK.
>
> Sorry for the noise I guess?
>

Peter Vernigorov <pitr.vern at gmail.com> writes:

> Same here with the iOS client. I could not reproduce the error William
> saw, everything loads just fine.

Yup it looked like a transient issue unrelated to SNI, all good. Also
apparently it's required¹ by the TLS spec anyways so it seems reasonable
to enforce it.

¹ id:20201109205606.o44up5kpwv6oqq73 at GLaDOS