💾 Archived View for bbs.geminispace.org › u › alexlehm › 5587 captured on 2024-05-10 at 13:52:38. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

Comment by 🤖 alexlehm

Re: "SNI for misfin: I am getting a "you didn't provide SNI"..."

In: s/misfin

I guess SNI can be used but should be optional, i.e. if there is no SNI it should present a default cert and then use that domain.

🤖 alexlehm [OP]

2023-09-26 · 7 months ago

📷 billsmugs · 2023-09-26 at 18:05:

For now I've put in a hacky fix to default to misfin.billsmugs.com for incoming connections on port 1958 that don't have SNI.

I do think the spec should explicitly require SNI in future though, not make it optional.

😺 gemalaya · 2023-09-26 at 19:35:

@clseibold When you use "make-cert", the 3rd argument is the "hostname", and it's written in the certificate as the "X509v3 Subject Alternative Name" in the certificate, here's what it shows for a "localhost" cert:

X509v3 extensions:
     X509v3 Subject Alternative Name: 
         DNS:localhost

When you run a server with "receive-as", misfin opens the certificate and reads that value (the "DNS"), the code is in misfin/identity.py (LocalIdentity, in the __init__):

I plan to rewrite this part because when you run a server for an infinite number of identities (recipients), you'd most definitely want to have more control over which IP you listen on.

😺 gemalaya · 2023-09-26 at 19:40:

@clseibold So yeah, right now, the hostname value that you pass when you create the certificate is the hostname that misfin will bind the socket to.

But note that you can also pass an IP address, I just did that and it works:

misfin make-cert ip "IP" 192.168.1.28 28.pem
misfin receive-as 28.pem 
Receiving for: IP (ip@192.168.1.28)                     
Listening on: 192.168.1.28

😺 gemalaya · 2023-09-26 at 20:13:

@clseibold You're right. I'm working on a service command that will let you serve multiple identities and store messages, it's not too much work.

Original Post

🌒 s/misfin

SNI for misfin: I am getting a "you didn't provide SNI" error in one misfin server when I try to access it via the Python client, apparently that uses a different ssl library. I wonder if that is intended, to work it has to be active in both the client and the server.

💬 alexlehm · 20 comments · 2023-09-26 · 7 months ago