💾 Archived View for gemi.dev › gemini-mailing-list › 000203.gmi captured on 2024-08-25 at 10:05:09. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-12-28)
-=-=-=-=-=-=-
I'm pleased to announce that tanelorn.city is now open. I'm catering mainly to writers, but TBH I'll probably give an account to anybody who wants one as long as they aren't a fascist, a white supremacist, or a TERF. -- Matthew Graybosch gemini://starbreaker.org #include <disclaimer.h> gemini://demifiend.org https://matthewgraybosch.com gemini://tanelorn.city "Out of order?! Even in the future nothing works."
Amen. Happy to have another server! However, in Bombadillo I get the error "Cert hostname does not match". Make sure you're serving up the right certificate! makeworld ??????? Original Message ??????? On Friday, June 12, 2020 10:31 AM, Matthew Graybosch <hello at matthewgraybosch.com> wrote: > I'm pleased to announce that tanelorn.city is now open. I'm catering > mainly to writers, but TBH I'll probably give an account to anybody who > wants one as long as they aren't a fascist, a white supremacist, or a > TERF. > > ------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------- > > Matthew Graybosch gemini://starbreaker.org > #include <disclaimer.h> gemini://demifiend.org > https://matthewgraybosch.com gemini://tanelorn.city > "Out of order?! Even in the future nothing works."
On Fri, 12 Jun 2020 15:08:36 +0000 colecmac at protonmail.com wrote: > Amen. Happy to have another server! Thanks. > However, in Bombadillo I get the error "Cert hostname does not match". > Make sure you're serving up the right certificate! Sorry to hear that! I just downloaded Bombadillo so I could see for myself, and checked my Gemserv config on kanajana. As far as I can tell my config is OK and I'm using the correct cert for each hostname, but the problem might be that kanajana isn't only serving tanelorn.city but demifiend.org and starbreaker.org as well. I'm not sure what to do about it, though since all three sites are accessible using Castor and bollux. -- Matthew Graybosch gemini://starbreaker.org #include <disclaimer.h> gemini://demifiend.org https://matthewgraybosch.com gemini://tanelorn.city "Out of order?! Even in the future nothing works."
On 2020-06-12 11:36-0400 Matthew Graybosch <hello at matthewgraybosch.com> wrote: > On Fri, 12 Jun 2020 15:08:36 +0000 > colecmac at protonmail.com wrote: > > > Amen. Happy to have another server! > > Thanks. > > > However, in Bombadillo I get the error "Cert hostname does not > > match". Make sure you're serving up the right certificate! > > Sorry to hear that! > > I just downloaded Bombadillo so I could see for myself, and checked my > Gemserv config on kanajana. As far as I can tell my config is OK and > I'm using the correct cert for each hostname, but the problem might be > that kanajana isn't only serving tanelorn.city but demifiend.org and > starbreaker.org as well. > > I'm not sure what to do about it, though since all three sites are > accessible using Castor and bollux. > If I interpret the output from `openssl s_client`? correctly, the CN of the certificate is set to ?Matthew Graybosch?, not a ?tanelorn.city?, as it is custom for HTTPS. However, while the specification states in 4.2 that ?Clients can validate TLS connections however they like?, it recommends a ?lightweight "TOFU" certificate-pinning system? without mentioning hostname validation. Kristall and elpher also show no error, by the way. Kind regards, tastytea ? echo -e 'gemini://tanelorn.city\r\n\r\n' \ | openssl s_client -verify_hostname tanelorn.city tanelorn.city:1965 -- Get my PGP key with `gpg --locate-keys tastytea at tastytea.de` or at <https://tastytea.de/tastytea.asc>.
On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote: > If I interpret the output from `openssl s_client`? correctly, the CN of > the certificate is set to ?Matthew Graybosch?, not a ?tanelorn.city?, > as it is custom for HTTPS. However, while the specification states in > 4.2 that ?Clients can validate TLS connections however they like?, it > recommends a ?lightweight "TOFU" certificate-pinning system? without > mentioning hostname validation. I guess various best practices for non-conventional certificate validation should be hashed out in, well, the best practices doc, or even a dedicated document. For what it's worth, AV-98 expects either the Subject CN or one of the SubjectAlternativeNames to match the hostname in the URL it's trying to fetch and will complain otherwise. I can visit tanelorn.city just fine, so I guess there's a valid SAN that perhaps Bombadillo isn't seeing? Cheers, Solderpunk
On Fri, 12 Jun 2020 16:43:25 +0000 solderpunk <solderpunk at SDF.ORG> wrote: > On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote: > > > If I interpret the output from `openssl s_client`? correctly, the > > CN of the certificate is set to ?Matthew Graybosch?, not a > > ?tanelorn.city?, as it is custom for HTTPS. However, while the > > specification states in 4.2 that ?Clients can validate TLS > > connections however they like?, it recommends a ?lightweight "TOFU" > > certificate-pinning system? without mentioning hostname validation. > > I guess various best practices for non-conventional certificate > validation should be hashed out in, well, the best practices doc, or > even a dedicated document. > > For what it's worth, AV-98 expects either the Subject CN or one of the > SubjectAlternativeNames to match the hostname in the URL it's trying > to fetch and will complain otherwise. I can visit tanelorn.city just > fine, so I guess there's a valid SAN that perhaps Bombadillo isn't > seeing? I might have gone about creating my certs the wrong way, too. After RTFMing FreeBSD's openssl implementation I came up with the following shell script. ``` #!/bin/sh DOMAIN=${1} SSL_CERT_PATH=/usr/local/etc/ssl/${DOMAIN} if [ ! -d "${SSL_CERT_PATH}" ]; then mkdir -p $SSL_CERT_PATH fi openssl req -x509 -nodes -days 365 -newkey rsa:4096 \ -keyout ${SSL_CERT_PATH}/ssl.key \ -out ${SSL_CERT_PATH}/ssl.crt openssl dhparam -out ${SSL_CERT_PATH}/dhparam.pem 4096 ``` It looks like I'm getting prompted to create a CSR for each cert as well, and I might be putting in the wrong information. -- Matthew Graybosch gemini://starbreaker.org #include <disclaimer.h> gemini://demifiend.org https://matthewgraybosch.com gemini://tanelorn.city "Out of order?! Even in the future nothing works."
I think it should be noted, that to my knowledge, Kristall, Elpher, Castor and Bollux all do not check certs. makeworld ??????? Original Message ??????? On Friday, June 12, 2020 12:39 PM, tastytea <tastytea+gemini at tastytea.de> wrote: > On 2020-06-12 11:36-0400 Matthew Graybosch hello at matthewgraybosch.com > wrote: > > > On Fri, 12 Jun 2020 15:08:36 +0000 > > colecmac at protonmail.com wrote: > > > > > Amen. Happy to have another server! > > > > Thanks. > > > > > However, in Bombadillo I get the error "Cert hostname does not > > > match". Make sure you're serving up the right certificate! > > > > Sorry to hear that! > > I just downloaded Bombadillo so I could see for myself, and checked my > > Gemserv config on kanajana. As far as I can tell my config is OK and > > I'm using the correct cert for each hostname, but the problem might be > > that kanajana isn't only serving tanelorn.city but demifiend.org and > > starbreaker.org as well. > > I'm not sure what to do about it, though since all three sites are > > accessible using Castor and bollux. > > If I interpret the output from`openssl s_client`? correctly, the CN of > the certificate is set to ?Matthew Graybosch?, not a ?tanelorn.city?, > as it is custom for HTTPS. However, while the specification states in > 4.2 that ?Clients can validate TLS connections however they like?, it > recommends a ?lightweight "TOFU" certificate-pinning system? without > mentioning hostname validation. > > Kristall and elpher also show no error, by the way. > > Kind regards, tastytea > > ? echo -e 'gemini://tanelorn.city\r\n\r\n' \ > | openssl s_client -verify_hostname tanelorn.city tanelorn.city:1965 > > ------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------- > > Get my PGP key with `gpg --locate-keys tastytea at tastytea.de` or at > https://tastytea.de/tastytea.asc.
On Fri, Jun 12, 2020, at 3:44 PM, colecmac at protonmail.com wrote: > I think it should be noted, that to my knowledge, > Kristall, Elpher, Castor and Bollux all do not check certs. > > makeworld For bollux, this is correct. TOFU implementation and certificate-checking is on the Very Important list for writing. So there's another good reason to make sure the certs work.
---
Previous Thread: [ANN] Yet another gemlog! gemini://gem.pwarren.id.au/
Next Thread: [ANN] gemini-textboard.fgaz.me: a simple textboard