💾 Archived View for gemini.circumlunar.space › users › parker › gemlog › openssl_troubles.gmi captured on 2024-12-17 at 10:49:42. Gemini links have been rewritten to link to archived content


I really hate OpenSSL

The OpenSSL command-line utility is truly weird. It seems to only want to verify TLS certs against a CA, and if your certificate isn't signed by a CA, running the typical s_client command won't work.

Most of the time this isn't a problem, because most people on geminispace seem to have just reused the same TLS certs they use on their HTTPS sites, or used something like certbot or acme.sh to generate them.

But if you have someone like Krixano who has used:

openssl req -x509 -newkey ...

to generate his cert, OpenSSL doesn't want to connect to his site.

This problem doesn't exist for most of you out there, since your clients are probably written in an actual programming language like Python, Rust, Go, etc. But I mainly browse geminispace with my client, gacme, written in rc shell. I connect to sites with the "openssl s_client" command. For a while I used bollux, a gemini client written in pure bash script, and it has the exact same problem as mine.

There are a few promising options in the man pages (such as -no-CA), but I haven't had any luck with them. I'll probably find the solution sometime soon, or I'll rewrite gacme in Go -- it has a built-in library for writing to acme screens. Hopefully it doesn't come to the latter. I think there's something special about writing a full web browser in shell script. I could only do this with gemini.
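As an added example (not part of this post, gacme or bollux), here is how a shell client can deal with a self-signed cert without asking openssl to validate it against a CA: record the server certificate's SHA-256 fingerprint on the first visit and refuse to connect if it changes later, the way ssh's known_hosts works. The host name example.test, the default port 1965, the temp file names and the "host fingerprint" layout of the known-hosts file are my assumptions.

```shell
#!/bin/sh
# Added example: trust-on-first-use pinning for a shell Gemini client.
# CA verification is not used at all; trust is decided by comparing the
# cert's SHA-256 fingerprint against the one pinned on first contact.

# Print the SHA-256 fingerprint (AB:CD:... form) of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the leaf certificate a Gemini server presents (default port 1965).
# Gemini requires SNI, hence -servername. s_client's own verify result is
# ignored; tofu_check below decides. Network call, so not run by the demo.
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-1965}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# tofu_check HOST FINGERPRINT DBFILE
# Returns 0 if HOST is unknown (and pins it) or its pinned fingerprint
# matches, 1 if the fingerprint differs. DBFILE lines: "host fingerprint".
tofu_check() {
    [ -f "$3" ] || : > "$3"
    pinned=$(awk -v h="$1" '$1 == h { print $2; exit }' "$3")
    if [ -z "$pinned" ]; then
        printf '%s %s\n' "$1" "$2" >> "$3"
        return 0
    fi
    [ "$pinned" = "$2" ]
}

# Offline demo with a constructed self-signed cert (same openssl req -x509
# command as in the post); skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    fp=$(cert_fingerprint "$tmp/cert.pem")
    tofu_check example.test "$fp" "$tmp/known_hosts" && echo "first visit: pinned $fp"
    tofu_check example.test "$fp" "$tmp/known_hosts" && echo "second visit: fingerprint matches"
    if tofu_check example.test "00:00:00" "$tmp/known_hosts"; then
        echo "BUG: changed fingerprint was accepted"
    else
        echo "changed cert: refusing to connect"
    fi
    rm -rf "$tmp"
fi
```

A real client would pipe fetch_server_cert through cert_fingerprint and only proceed with the request when tofu_check returns 0.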

Krixano's site

=> https://github.com/pellertson/gacme Gacme (my client (yes I'm shilling))

=> https://sr.ht/~acdw/bollux/ Bollux
