💾 Archived View for bbs.geminispace.org › u › totroptof › 2519 captured on 2024-06-16 at 15:41:27. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-05-12)
-=-=-=-=-=-=-
Re: "Some nits re generated client certs"
I’m actually inclined to think that offering users such options is probably handing them a foot-gun (they can always import certs they generated themselves if they really want, right?). My suggestions are more around spec compliance and safe defaults.
As for the spec compliance bit, TLS v1.2 also requires X.509v3 certs.
2023-06-28 · 1 year ago
🕹️ skyjake [mod...] · 2023-06-28 at 06:13:
Hmm, I checked the TLS 1.2 RFC and it does seem version 3 client certificates are required.
With that in mind, I should check again whether this is an appropriate default for Gemini. I'm inclined to make the change, however see earlier discussion:
— https://github.com/skyjake/lagrange/issues/327
And yeah, you can always import whatever externally generated client certificates you have.
There are a few issues I noticed with certificates generated by Lagrange: First is that they aren’t compliant with TLS’ requirements. RFC 8446 §4.4.2.3 requires client certificates be in X.509v3 format unless otherwise negotiated; digging through the source and some traces from OpenSSL don’t seem to indicate that any such negotiation takes place, rendering Lagrange’s client auth out-of-spec. Another issue is that certificates don’t currently have any key use information. They really ought...
💬 totroptof · 4 comments · 2023-06-28 · 1 year ago · #feature