💾 Archived View for gemi.dev › gemini-mailing-list › 000257.gmi captured on 2024-05-12 at 16:01:36. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

New Dillo plugin

1. Philip Linde (linde.philip (a) gmail.com)

Hi all,

I tried the existing Dillo plugin but couldn't get it to work.
Perhaps it got the job done at some iteration of the protocol.
I've written my own according to the current spec for anyone
interested:

https://github.com/boomlinde/gemini.filter.dpi

I've decided that in my client you explicitly have to pin invalid
certificates and certificates with unknown authorities. On the first
request to a site with a self-signed or invalid certificate, an error
description will be displayed and you'll be given the option to pin it
and continue anyway. After the certificate is pinned, you won't get a
warning again until it changes.

The certificate pins are stored in $HOME/.dillo/gemini/pinned as
base64 encoded sha1 sums of the entire certificate chain used.

For now it doesn't undersand client certificate status codes and will
show them as it does errors (simply outputting the header in plain
text). It will display an error on any encoding except utf-8 and
us-ascii.

Input works fine!

The project has also yielded two interesting libraries:

https://github.com/boomlinde/gemini is a protocol implementation, for
now only a client, in Go. The client library makes it easy to set up a
pin database and verifies connections by default.

https://github.com/boomlinde/dpi implements a Dillo plugin server, in
Go. It can be used to build both filter and server plugins.

Neither of these libraries are really versioned yet. I want to dog-food
the plugin for a while to weed any issues out before I will say that
the APIs are stable.

I hope someone else finds some use for this!

--
Philip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200626/a3d8
9eff/attachment.sig>

Link to individual message.

2. Charles E. Lehner (cel (a) celehner.com)

Hi Philip,

Nice work. I like the certificate pinning feature.

The other plugin (dillo-gemini) works with the current protocol, except 
for client certificates or any server certificate management. Maybe you 
were missing a dependency. I added a link to yours in its readme.

Regards,
Charles L.

On Fri, 26 Jun 2020 23:32:08 +0200
Philip Linde <linde.philip at gmail.com> wrote:

> Hi all,
> 
> I tried the existing Dillo plugin but couldn't get it to work.
> Perhaps it got the job done at some iteration of the protocol.
> I've written my own according to the current spec for anyone
> interested:
> 
> https://github.com/boomlinde/gemini.filter.dpi
> 
> I've decided that in my client you explicitly have to pin invalid
> certificates and certificates with unknown authorities. On the first
> request to a site with a self-signed or invalid certificate, an error
> description will be displayed and you'll be given the option to pin it
> and continue anyway. After the certificate is pinned, you won't get a
> warning again until it changes.
> 
> The certificate pins are stored in $HOME/.dillo/gemini/pinned as
> base64 encoded sha1 sums of the entire certificate chain used.
> 
> For now it doesn't undersand client certificate status codes and will
> show them as it does errors (simply outputting the header in plain
> text). It will display an error on any encoding except utf-8 and
> us-ascii.
> 
> Input works fine!
> 
> The project has also yielded two interesting libraries:
> 
> https://github.com/boomlinde/gemini is a protocol implementation, for
> now only a client, in Go. The client library makes it easy to set up a
> pin database and verifies connections by default.
> 
> https://github.com/boomlinde/dpi implements a Dillo plugin server, in
> Go. It can be used to build both filter and server plugins.
> 
> Neither of these libraries are really versioned yet. I want to
> dog-food the plugin for a while to weed any issues out before I will
> say that the APIs are stable.
> 
> I hope someone else finds some use for this!
> 
> --
> Philip


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200626/24f4
ba06/attachment.sig>

Link to individual message.

3. Philip Linde (linde.philip (a) gmail.com)

> Hi Philip,
> 
> Nice work. I like the certificate pinning feature.

Thanks, Charles. I think your plugin better embodies the "100-line
client" idea in at least having significantly less than a thousand lines
of code, and there is high value in that. I will link back to it as
well.

> The other plugin (dillo-gemini) works with the current protocol, except
> for client certificates or any server certificate management. Maybe you
> were missing a dependency. I added a link to yours in its readme.

I investigated a bit further and found that my client doesn't
understand the -verify_quiet flag:

 $ openssl s_client -verify_quiet -quiet "example.horse:1965"
 unknown option -verify_quiet
 # ...
 $ openssl version
 LibreSSL 3.0.2

So my openssl is actually from the LibreSSL fork. OpenBSD does this,
and (apparently) my desktop OS of choice, Void Linux. There seem to be
further differences preventing a simple fix.

I have systems running Debian with genuine OpenSSL so if I can work out
the differences and improve compatibility with LibreSSL in a clean way,
I'll send you a patch.

Have a great weekend,
Philip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200627/63e5
906e/attachment.sig>

Link to individual message.

---

Previous Thread: TLS certificate sizes in Geminispace

Next Thread: Illusory latency due to trailing slash redirects