💾 Archived View for thrig.me › tech › gemini › servers.gmi captured on 2024-03-21 at 15:57:46. Gemini links have been rewritten to link to archived content


Gemini Servers

Agate

Agate took a good long while to compile, and looks to have a worse security story than the C projects that follow. How could Rust be worse than C on the security front, one might ask? First, Agate pulls in a whole lot of crates, each of which would in theory need to be reviewed for malicious code and supply chain attacks; memory safety in the server itself is no help if a dependency is hostile. Second, and this is less clear, Agate does not appear to make use of pledge or unveil, unless that is hidden away undocumented in some nook or cranny (a search for "pledge" only turned up a code of conduct). So, one could learn Rust (eh...) and figure out how to integrate yet more crates for pledge and unveil support (eh...), or one could use

gmid

gemini://gemini.omarpolo.com/post/gmid-2.0-first-alpha.gmi

Supports pledge and unveil. Configuration is very similar to httpd; one could think of gmid as "httpd, but for gemini". The downside of being like httpd is that there are about 8000 lines of C to review, according to cloc.

    # /etc/gmid.conf
    chroot "/var/gemini"        # paths under server {} are relative to this
    ipv6 on
    user "_gemini"              # privileges are dropped to this user
    server "example.org" {
        cert "/etc/ssl/example.org.fullchain.pem"
        key "/etc/ssl/private/example.org.key"
        log off
        auto index on           # directory listing when there is no index.gmi
        root "/example.org"     # i.e. /var/gemini/example.org on the host
    }

This uses the same ACME client certificate as httpd does, which means in theory

    acme-client && rcctl reload gmid httpd

should bring new certificates into play automatically, but how that plays with the TOFU certificates in gemini clients was, at first, unclear. Answer! Poorly, unless the private key is kept across renewals (acme-client, not Let's Encrypt, controls this; the CA never sees the key) and the gemini client (such as Amfora) hashes the public key rather than the whole certificate, which changes on every renewal even when the key does not.

/tech/ssl/fingerprint.gmi
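As an added example (not code from thrig.me, gmid or acme-client), the script below computes the two fingerprints a TOFU gemini client could pin, the hash of the whole certificate and the hash of the public key, and shows how each behaves when the certificate is reissued with the same key and with a new key. It assumes an openssl(1) binary (OpenSSL or LibreSSL) in PATH and uses throwaway self-signed certificates for the made-up hostname example.org in place of ACME-issued ones.

```shell
#!/bin/sh
# Added example, not code from thrig.me, gmid or acme-client.
# Shows the two fingerprints a TOFU Gemini client could pin and how each
# behaves when a certificate is reissued. Assumes openssl(1) (OpenSSL or
# LibreSSL) is in PATH; the certificates are throwaway self-signed stand-ins
# for ACME-issued ones, with example.org as a made-up hostname.

command -v openssl >/dev/null || { echo "openssl(1) is required" >&2; exit 1; }

# SHA-256 over the DER-encoded certificate. A client that pins this sees a
# change on every renewal: new serial, new validity dates, new CA signature.
cert_fp() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo. A client that pins this
# only sees a change when the private key itself changes.
spki_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# P-256 key, the cheap choice for a throwaway demo.
make_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# Self-signed certificate for the key in $1, written to $2. The random serial
# guarantees a different certificate even when key and subject are unchanged.
make_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=example.org" -days 90 -out "$2" 2>/dev/null
}

# Compare a stored certificate ($1) with the one presented on reconnect ($2),
# the way a TOFU client would, and report which pin types still match:
# "cert spki", "spki" or "none".
survives() {
    r=""
    [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ] && r="cert "
    [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ] && r="${r}spki"
    echo "${r:-none}"
}

demo() {
    d=$(mktemp -d)
    make_key  "$d/k1.pem"
    make_cert "$d/k1.pem" "$d/c1.pem"      # certificate pinned at first use
    make_cert "$d/k1.pem" "$d/c2.pem"      # renewal, same private key
    make_key  "$d/k2.pem"
    make_cert "$d/k2.pem" "$d/c3.pem"      # renewal with a fresh key
    echo "same cert:            $(survives "$d/c1.pem" "$d/c1.pem")"
    echo "reissued, same key:   $(survives "$d/c1.pem" "$d/c2.pem")"
    echo "reissued, new key:    $(survives "$d/c1.pem" "$d/c3.pem")"
    rm -rf "$d"
}

# Against a live capsule the same two hashes can be taken from the served
# certificate (hostname and port below are placeholders):
#   openssl s_client -connect example.org:1965 -servername example.org </dev/null 2>/dev/null |
#       openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256

demo
```

Run before and after an acme-client renewal: if only the spki line still matches, a client that pins the public key keeps trusting the capsule while one that pins the full certificate sees a change and, depending on the client, warns or refuses to connect.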

vger

Supports pledge and unveil. Much of the functionality that increases code size (and thus attack surface) in gmid is pushed off to inetd and relayd, which handle the listening socket and the TLS termination respectively. Has a package in the OpenBSD ports system. Has very little code to review (about 700 lines of C).

gemini://perso.pw:1965/blog//articles/vger-security.gmi

Both gmid and vger appear to have CGI support, but I have not looked into that.

Related Links

../openbsd/pledge.gmi

TOFU

back to index