💾 Archived View for bbs.geminispace.org › u › skyjake › 2520 captured on 2024-08-25 at 09:09:01. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

Comment by 🕹️ skyjake

Re: "Some nits re generated client certs"

In: s/Lagrange-Issues

Hmm, I checked the TLS 1.2 RFC and it does seem version 3 client certificates are required.

With that in mind, I should check again whether this is an appropriate default for Gemini. I'm inclined to make the change; however, see earlier discussion:

— https://github.com/skyjake/lagrange/issues/327

And yeah, you can always import whatever externally generated client certificates you have.

🕹️ skyjake [mod, sysop]

2023-06-28 · 1 year ago

Original Post

🌒 s/Lagrange-Issues

There are a few issues I noticed with certificates generated by Lagrange: First is that they aren’t compliant with TLS’ requirements. RFC 8446 §4.4.2.3 requires client certificates be in X.509v3 format unless otherwise negotiated; digging through the source and some traces from OpenSSL don’t seem to indicate that any such negotiation takes place, rendering Lagrange’s client auth out-of-spec. Another issue is that certificates don’t currently have any key use information. They really ought...

💬 totroptof · 4 comments · 2023-06-28 · 1 year ago · #feature
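
The two properties raised in the original post, the certificate version and the presence of a key usage extension, can be read straight from a certificate's DER encoding. The following is an added example, not Lagrange's code and not from anyone in the thread; the function names are hypothetical, and the two inputs are constructed skeletons that carry only the fields the check reads, not valid certificates.

```python
KEY_USAGE_OID = bytes([0x55, 0x1D, 0x0F])  # id-ce-keyUsage, 2.5.29.15

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Return (version, has_key_usage) for a DER-encoded Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])  # fields of tbsCertificate
    version = 1  # version is DEFAULT v1 when the [0] field is absent
    if fields and fields[0][0] == 0xA0:
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
    has_ku = False
    for tag, val in fields:
        if tag == 0xA3:  # [3] EXPLICIT Extensions, only defined for v3
            for _, ext in children(children(val)[0][1]):
                has_ku |= children(ext)[0][1] == KEY_USAGE_OID
    return version, has_ku

def tlv(tag, *parts):
    """Encode one DER element (short-form length; enough for the samples)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed skeletons (assumption: version, serial and extensions only).
V1_SKELETON = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")))
KU_EXT = tlv(0x30, tlv(0x06, KEY_USAGE_OID), tlv(0x01, b"\xff"),
             tlv(0x04, tlv(0x03, b"\x07\x80")))  # critical, digitalSignature
V3_SKELETON = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")),
                            tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30, KU_EXT))))
```

Calling `inspect_cert` on the DER bytes of a real client certificate returns the same pair; a result of `(1, False)` matches the two issues the post describes.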