Archived view of bbs.geminispace.org › u › skyjake › 2518, captured on 2024-12-17 at 13:52:10.
Re: "Some nits re generated client certs"
While I agree the client certificate generator could use some flexibility and improvement when it comes to selection of version and type of encryption, the Gemini specification's only requirement here is that the client certificates are compatible with TLS 1.2. Any other aspects are undefined at the moment. This means having Lagrange enforce a specific type or format is inappropriate.
The downside of letting the user choose is that they may pick the "wrong" values, making the certificate incompatible with some servers. Thus the current "lowest common denominator" approach.
2023-06-28 · 1 year ago
🚀 totroptof [OP] · 2023-06-28 at 06:07:
I’m actually inclined to think that offering users such options is probably handing them a foot-gun (they can always import certs they generated themselves if they really want, right?). My suggestions are more around spec compliance and safe defaults.
As for the spec compliance bit, TLS v1.2 also requires X.509v3 certs.
🕹️ skyjake [mod...] · 2023-06-28 at 06:13:
Hmm, I checked the TLS 1.2 RFC and it does seem version 3 client certificates are required.
With that in mind, I should check again whether this is an appropriate default for Gemini. I'm inclined to make the change, however see earlier discussion:
— https://github.com/skyjake/lagrange/issues/327
And yeah, you can always import whatever externally generated client certificates you have.
There are a few issues I noticed with certificates generated by Lagrange: First is that they aren’t compliant with TLS’ requirements. RFC 8446 §4.4.2.3 requires client certificates be in X.509v3 format unless otherwise negotiated; digging through the source and some traces from OpenSSL don’t seem to indicate that any such negotiation takes place, rendering Lagrange’s client auth out-of-spec. Another issue is that certificates don’t currently have any key use information. They really ought...
💬 totroptof · 4 comments · 2023-06-28 · 1 year ago · #feature
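The following Go program is an added example, not Lagrange's code and not part of the thread: using only the standard library, it generates a self-signed client certificate that satisfies the two points raised above (X.509 v3 encoding, plus keyUsage and extKeyUsage marking it for TLS client auth) and then parses it back to check both properties. The function names, the "gemini user" subject and the one-year validity are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newClientCert builds a self-signed client certificate (an assumed helper for this example).
// Go's CreateCertificate always emits X.509 v3; keyUsage/extKeyUsage=clientAuth add key-use info.
func newClientCert(cn string, years int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// checkClientCert parses DER and reports the X.509 version and whether key usage permits client auth.
func checkClientCert(der []byte) (version int, clientAuth bool, err error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, false, err
	}
	for _, u := range c.ExtKeyUsage {
		clientAuth = clientAuth || u == x509.ExtKeyUsageClientAuth
	}
	return c.Version, clientAuth && c.KeyUsage&x509.KeyUsageDigitalSignature != 0, nil
}

func main() {
	der, err := newClientCert("gemini user", 1)
	if err == nil {
		fmt.Println(checkClientCert(der)) // 3 true <nil>
	}
}
```

The same check can be run against an externally generated certificate by feeding its DER bytes to checkClientCert, which is how a client could refuse to import a v1 certificate or one lacking client-auth key usage.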