💾 Archived View for gemi.dev › gemini-mailing-list › 000203.gmi captured on 2023-11-04 at 12:32:41. Gemini links have been rewritten to link to archived content


[ANN] tanelorn.city: a public gemini host for writers

Matthew Graybosch <hello (a) matthewgraybosch.com>

I'm pleased to announce that tanelorn.city is now open. I'm catering
mainly to writers, but TBH I'll probably give an account to anybody who
wants one as long as they aren't a fascist, a white supremacist, or a
TERF.

-- 
Matthew Graybosch		gemini://starbreaker.org
#include <disclaimer.h>		gemini://demifiend.org
https://matthewgraybosch.com	gemini://tanelorn.city
"Out of order?! Even in the future nothing works."

colecmac@protonmail.com <colecmac (a) protonmail.com>

Amen. Happy to have another server!

However, in Bombadillo I get the error "Cert hostname does not match".
Make sure you're serving up the right certificate!


makeworld

------- Original Message -------
On Friday, June 12, 2020 10:31 AM, Matthew Graybosch <hello at 
matthewgraybosch.com> wrote:

> I'm pleased to announce that tanelorn.city is now open. I'm catering
> mainly to writers, but TBH I'll probably give an account to anybody who
> wants one as long as they aren't a fascist, a white supremacist, or a
> TERF.
>
> -- 
>
> Matthew Graybosch gemini://starbreaker.org
> #include <disclaimer.h> gemini://demifiend.org
> https://matthewgraybosch.com gemini://tanelorn.city
> "Out of order?! Even in the future nothing works."

Matthew Graybosch <hello (a) matthewgraybosch.com>

On Fri, 12 Jun 2020 15:08:36 +0000
colecmac at protonmail.com wrote:

> Amen. Happy to have another server!

Thanks.

> However, in Bombadillo I get the error "Cert hostname does not match".
> Make sure you're serving up the right certificate!

Sorry to hear that!

I just downloaded Bombadillo so I could see for myself, and checked my
Gemserv config on kanajana. As far as I can tell my config is OK and
I'm using the correct cert for each hostname, but the problem might be
that kanajana isn't only serving tanelorn.city but demifiend.org and
starbreaker.org as well.

I'm not sure what to do about it, though, since all three sites are
accessible using Castor and bollux.

-- 
Matthew Graybosch		gemini://starbreaker.org
#include <disclaimer.h>		gemini://demifiend.org
https://matthewgraybosch.com	gemini://tanelorn.city
"Out of order?! Even in the future nothing works."

tastytea <tastytea+gemini (a) tastytea.de>

On 2020-06-12 11:36-0400 Matthew Graybosch <hello at matthewgraybosch.com>
wrote:

> On Fri, 12 Jun 2020 15:08:36 +0000
> colecmac at protonmail.com wrote:
> 
> > Amen. Happy to have another server!  
> 
> Thanks.
> 
> > However, in Bombadillo I get the error "Cert hostname does not
> > match". Make sure you're serving up the right certificate!  
> 
> Sorry to hear that!
> 
> I just downloaded Bombadillo so I could see for myself, and checked my
> Gemserv config on kanajana. As far as I can tell my config is OK and
> I'm using the correct cert for each hostname, but the problem might be
> that kanajana isn't only serving tanelorn.city but demifiend.org and
> starbreaker.org as well.
> 
> I'm not sure what to do about it, though since all three sites are
> accessible using Castor and bollux.
> 

If I interpret the output from `openssl s_client`¹ correctly, the CN of
the certificate is set to “Matthew Graybosch”, not “tanelorn.city”,
as is customary for HTTPS. However, while the specification states in
4.2 that “Clients can validate TLS connections however they like”, it
recommends a “lightweight "TOFU" certificate-pinning system” without
mentioning hostname validation.

Kristall and elpher also show no error, by the way.

Kind regards, tastytea

¹ echo -e 'gemini://tanelorn.city\r\n\r\n' \
  | openssl s_client -verify_hostname tanelorn.city tanelorn.city:1965

-- 
Get my PGP key with `gpg --locate-keys tastytea at tastytea.de` or at
<https://tastytea.de/tastytea.asc>.

solderpunk <solderpunk (a) SDF.ORG>

On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote:
 
> If I interpret the output from `openssl s_client`¹ correctly, the CN of
> the certificate is set to “Matthew Graybosch”, not “tanelorn.city”,
> as is customary for HTTPS. However, while the specification states in
> 4.2 that “Clients can validate TLS connections however they like”, it
> recommends a “lightweight "TOFU" certificate-pinning system” without
> mentioning hostname validation.

I guess various best practices for non-conventional certificate
validation should be hashed out in, well, the best practices doc, or
even a dedicated document.

For what it's worth, AV-98 expects either the Subject CN or one of the
SubjectAlternativeNames to match the hostname in the URL it's trying to
fetch and will complain otherwise.  I can visit tanelorn.city just fine,
so I guess there's a valid SAN that perhaps Bombadillo isn't seeing?

Cheers,
Solderpunk

Matthew Graybosch <hello (a) matthewgraybosch.com>

On Fri, 12 Jun 2020 16:43:25 +0000
solderpunk <solderpunk at SDF.ORG> wrote:

> On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote:
>  
> > If I interpret the output from `openssl s_client`¹ correctly, the
> > CN of the certificate is set to “Matthew Graybosch”, not
> > “tanelorn.city”, as is customary for HTTPS. However, while the
> > specification states in 4.2 that “Clients can validate TLS
> > connections however they like”, it recommends a “lightweight "TOFU"
> > certificate-pinning system” without mentioning hostname validation.
> 
> I guess various best practices for non-conventional certificate
> validation should be hashed out in, well, the best practices doc, or
> even a dedicated document.
> 
> For what it's worth, AV-98 expects either the Subject CN or one of the
> SubjectAlternativeNames to match the hostname in the URL it's trying
> to fetch and will complain otherwise.  I can visit tanelorn.city just
> fine, so I guess there's a valid SAN that perhaps Bombadillo isn't
> seeing?

I might have gone about creating my certs the wrong way, too.

After RTFMing FreeBSD's openssl implementation I came up with the
following shell script.

```sh
#!/bin/sh
# Usage: ./mkcert.sh DOMAIN
# Creates a self-signed certificate, private key and DH parameters for DOMAIN
# under /usr/local/etc/ssl/DOMAIN (FreeBSD layout).

DOMAIN=${1}
SSL_CERT_PATH=/usr/local/etc/ssl/${DOMAIN}

if [ -z "${DOMAIN}" ]; then
        echo "usage: $0 DOMAIN" >&2
        exit 1
fi

if [ ! -d "${SSL_CERT_PATH}" ]; then
        mkdir -p "${SSL_CERT_PATH}"
fi

# Without -subj, openssl prompts interactively for the subject fields
# (country, organisation, Common Name, ...); whatever is typed at the
# Common Name prompt becomes the certificate's CN.
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
	-keyout "${SSL_CERT_PATH}/ssl.key" \
	-out "${SSL_CERT_PATH}/ssl.crt"
openssl dhparam -out "${SSL_CERT_PATH}/dhparam.pem" 4096
```

It looks like I'm getting prompted to create a CSR for each cert as
well, and I might be putting in the wrong information.

-- 
Matthew Graybosch		gemini://starbreaker.org
#include <disclaimer.h>		gemini://demifiend.org
https://matthewgraybosch.com	gemini://tanelorn.city
"Out of order?! Even in the future nothing works."

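The hostname check that tastytea and solderpunk describe above (the URL host must match one of the certificate's SubjectAlternativeName DNS entries or its Subject CN), as an added example that is not part of this thread and not anyone's posted script. `make_cert` generates a self-signed certificate the way the script above does, but passes `-subj` and a `subjectAltName` so the hostname lands in both CN and SAN; `make_cn_only_cert` reproduces the kind of certificate an interactive prompt answered with a personal name yields; `cert_matches_host` performs the CN-or-SAN comparison a client like AV-98 makes. It assumes OpenSSL 1.1.1 or newer on PATH (for `-addext` and `x509 -ext`); the EC key, the function names and the directory layout are choices made for this example, not anything from the thread.

```sh
#!/bin/sh
# Added example: certificate generation with a SAN, and a CN-or-SAN
# hostname check. Not the poster's script; assumes OpenSSL >= 1.1.1.
set -eu

# make_cert DOMAIN OUTDIR: self-signed cert + key for DOMAIN with a DNS SAN.
# An EC key is used so the example runs quickly; rsa:4096 as in the thread's
# script works the same way with the -subj/-addext options.
make_cert() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -nodes -days 365 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=${domain}" \
        -addext "subjectAltName=DNS:${domain}" \
        -keyout "${outdir}/ssl.key" -out "${outdir}/ssl.crt" 2>/dev/null
}

# make_cn_only_cert NAME OUTDIR: what an interactive "openssl req" answered
# with a person's name produces: CN=NAME and no subjectAltName at all.
make_cn_only_cert() {
    mkdir -p "$2"
    openssl req -x509 -nodes -days 365 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=$1" \
        -keyout "$2/ssl.key" -out "$2/ssl.crt" 2>/dev/null
}

# cert_names CERTFILE: print every DNS SAN entry, then the subject CN,
# one name per line (a cert without a SAN yields only the CN).
cert_names() {
    # "x509 -ext" prints "DNS:a, DNS:b" under a header line; keep only names.
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_matches_host CERTFILE HOST: exit 0 when HOST (case-insensitively)
# equals one of the certificate's names, non-zero otherwise.
cert_matches_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_names "$1" | tr 'A-Z' 'a-z' | grep -qxF -- "$host"
}

# Demo: compare the two certificate shapes against the host in the URL.
tmp=$(mktemp -d)
make_cn_only_cert "Matthew Graybosch" "$tmp/cn-only"
make_cert tanelorn.city "$tmp/san"
for c in cn-only san; do
    if cert_matches_host "$tmp/$c/ssl.crt" tanelorn.city; then
        echo "$c: matches tanelorn.city"
    else
        echo "$c: Cert hostname does not match"
    fi
done
rm -rf "$tmp"
```

Running it prints a mismatch for the CN-only certificate and a match for the one with the SAN, which is the difference between a client that only pins (TOFU) and one that also checks the name before pinning. A server fronting several hostnames on one address needs one such certificate per hostname, selected by SNI, which is what the Gemserv per-hostname configuration mentioned above is for.
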
colecmac@protonmail.com <colecmac (a) protonmail.com>

I think it should be noted that, to my knowledge,
Kristall, Elpher, Castor and Bollux all do not check certs.

makeworld

------- Original Message -------
On Friday, June 12, 2020 12:39 PM, tastytea <tastytea+gemini at tastytea.de> wrote:

> On 2020-06-12 11:36-0400 Matthew Graybosch hello at matthewgraybosch.com
> wrote:
>
> > On Fri, 12 Jun 2020 15:08:36 +0000
> > colecmac at protonmail.com wrote:
> >
> > > Amen. Happy to have another server!
> >
> > Thanks.
> >
> > > However, in Bombadillo I get the error "Cert hostname does not
> > > match". Make sure you're serving up the right certificate!
> >
> > Sorry to hear that!
> > I just downloaded Bombadillo so I could see for myself, and checked my
> > Gemserv config on kanajana. As far as I can tell my config is OK and
> > I'm using the correct cert for each hostname, but the problem might be
> > that kanajana isn't only serving tanelorn.city but demifiend.org and
> > starbreaker.org as well.
> > I'm not sure what to do about it, though since all three sites are
> > accessible using Castor and bollux.
>
> If I interpret the output from `openssl s_client`¹ correctly, the CN of
> the certificate is set to “Matthew Graybosch”, not “tanelorn.city”,
> as is customary for HTTPS. However, while the specification states in
> 4.2 that “Clients can validate TLS connections however they like”, it
> recommends a “lightweight "TOFU" certificate-pinning system” without
> mentioning hostname validation.
>
> Kristall and elpher also show no error, by the way.
>
> Kind regards, tastytea
>
> ¹ echo -e 'gemini://tanelorn.city\r\n\r\n' \
> | openssl s_client -verify_hostname tanelorn.city tanelorn.city:1965
>
> -- 
>
> Get my PGP key with `gpg --locate-keys tastytea at tastytea.de` or at
> https://tastytea.de/tastytea.asc.

Case Duckworth <acdw (a) acdw.net>

On Fri, Jun 12, 2020, at 3:44 PM, colecmac at protonmail.com wrote:
> I think it should be noted, that to my knowledge,
> Kristall, Elpher, Castor and Bollux all do not check certs.
> 
> makeworld

For bollux, this is correct. TOFU implementation and certificate-checking 
is on the Very Important list for writing. So there's another good reason 
to make sure the certs work.
