💾 Archived View for gemi.dev › gemini-mailing-list › 000352.gmi captured on 2024-08-31 at 16:46:00. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

Minimum requirements for client certificates

1. Sean Conner (sean (a) conman.org)


  I just encounted this issue with my Gemini server (running GLV-1.12556)
and caused it to stop receiving requests.  Diagnosing the issue, I found it
was most likely caused by a request to an area requiring a client
certificate, only the client certificate did NOT have a subject field.  The
Gemini protocol specification does NOT state what must be in a client
certificate, and my server made the assumption that a client certificate
will always have one (and did not check to see if it was missing).  It will
now return an error of '62' if the subject field is missing.

  So that brings me to my question---what *IS* the minimum we can expect to
be in a client certificate?  Is a client certificate without a subject
field even legal?  What about a missing issuer?

  -spc

Link to individual message.

2. colecmac (a) protonmail.com (colecmac (a) protonmail.com)

This would be a nice thing to have standardized in the spec.

I don't see why client certs need to have a subject or issuer
though. As long as they are valid certs that can form TLS
connections, than why not? However, it would also make sense
for a service like Astrobotany that relies on the client cert
Common Name to reject certs that don't have one. But that's
application specific.

makeworld

Link to individual message.

3. Solderpunk (solderpunk (a) posteo.net)

I think it goes without saying that at the absolute minimum a Gemini
client certificate ought to be a valid x509 certificate.  I did look
into this at some stage and IIRC the Issuer needs to be non-empty but
the Subject does not.  If that is indeed the case, then I'm not sure we
should mandate anything further.  As makeworld said, such certificates
might not be suitable for particular applications which make use of the
Subject.  I guess the appropriate server response there would be 61?  62
doesn't seem to apply since the certificate is technically valid.  But
this does make the "CERTIFICATE NOT AUTHORISED" name for 61 misleading.
Perhaps it ought to be "CERTIFICATE NOT ACCEPTED"?

Cheers,
Solderpunk

Link to individual message.

4. Sean Conner (sean (a) conman.org)

It was thus said that the Great Solderpunk once stated:
> I think it goes without saying that at the absolute minimum a Gemini
> client certificate ought to be a valid x509 certificate.  I did look
> into this at some stage and IIRC the Issuer needs to be non-empty but
> the Subject does not.  

  I was unaware of this and (incorrectly) assumed that the issuer and
subject fields would always be present.  Maybe mention somewhere in the
specification that servers could expect non-subject client certificates.

  -spc

Link to individual message.

5. Kevin Sangeelee (kevin (a) susa.net)

I think that, if a server requires a subject and no subject is given, then
it is sensible to say that the certificate is not authorised, in much the
same way that failing to provide a username would render a traditional
login unauthorised. I don't see that as misleading, and it would seem an
application specific matter to get appropriate credentials from the user.

Kevin

On Mon, 31 Aug 2020 at 17:52, Solderpunk <solderpunk at posteo.net> wrote:

> I think it goes without saying that at the absolute minimum a Gemini
> client certificate ought to be a valid x509 certificate.  I did look
> into this at some stage and IIRC the Issuer needs to be non-empty but
> the Subject does not.  If that is indeed the case, then I'm not sure we
> should mandate anything further.  As makeworld said, such certificates
> might not be suitable for particular applications which make use of the
> Subject.  I guess the appropriate server response there would be 61?  62
> doesn't seem to apply since the certificate is technically valid.  But
> this does make the "CERTIFICATE NOT AUTHORISED" name for 61 misleading.
> Perhaps it ought to be "CERTIFICATE NOT ACCEPTED"?
>
> Cheers,
> Solderpunk
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200901/8f9c
d668/attachment.htm>

Link to individual message.

6. Baschdel (baschdel (a) disroot.org)

Sorry, that could have been me, dragonstone still generates certificates 
without a subject (And it won't be updated since I'm currently working 
on it successor).
Also there should be s little information as possible stored in the 
client certificates since they get transmitted in the clear to avoid 
giving away extra data to someone who is "just" eavesdropping without 
messing with the connection itself (and therefore having a pretty good 
chance of staying undetected).

Have a nice day!
-? Baschdel

P.s. Apologies to Sean for sending a duplicated mail, I apparently still 
manage to hit the wrong reply button in thunderbird

On 31.08.20 02:11, Sean Conner wrote:
>    I just encounted this issue with my Gemini server (running GLV-1.12556)
> and caused it to stop receiving requests.  Diagnosing the issue, I found it
> was most likely caused by a request to an area requiring a client
> certificate, only the client certificate did NOT have a subject field.  The
> Gemini protocol specification does NOT state what must be in a client
> certificate, and my server made the assumption that a client certificate
> will always have one (and did not check to see if it was missing).  It will
> now return an error of '62' if the subject field is missing.
>
>    So that brings me to my question---what *IS* the minimum we can expect to
> be in a client certificate?  Is a client certificate without a subject
> field even legal?  What about a missing issuer?
>
>    -spc
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200901/f09a
0384/attachment.htm>

Link to individual message.

7. Sean Conner (sean (a) conman.org)

It was thus said that the Great Baschdel once stated:
> Sorry, that could have been me, dragonstone still generates certificates 
> without a subject (And it won't be updated since I'm currently working 
> on it successor).

  There is no need to apologize, things happen, and in this case, my program
did the wrong thing due to a misunderstanding I had about client
certificates.  I'm just glad the bug was found.

> Also there should be s little information as possible stored in the 
> client certificates since they get transmitted in the clear to avoid 
> giving away extra data to someone who is "just" eavesdropping without 
> messing with the connection itself (and therefore having a pretty good 
> chance of staying undetected).
> 
> Have a nice day!

  You too.

> -? Baschdel
> 
> P.s. Apologies to Sean for sending a duplicated mail, I apparently still 
> manage to hit the wrong reply button in thunderbird

  No harm with that either.  

  -spc

Link to individual message.

---

Previous Thread: Lang parameters

Next Thread: [ANN] The Duckling Proxy