💾 Archived View for bbs.geminispace.org › u › totroptof › 2516 captured on 2024-12-17 at 14:08:40. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-06-16)

-=-=-=-=-=-=-

Comment by 🚀 totroptof

Re: "Some nits re generated client certs"

In: s/Lagrange-Issues

Hmm, okay, maybe that last one isn’t such a good idea. It doesn’t look like TLS v1.2 supports RSASSA-PSS at all, so maybe it could cause interop issues. It probably isn’t necessary with the clientAuth EKU, anyway.

Also, if you wanted to put this off for a little while, I might end up with a patch in the course of fiddling with my current project. I had to write something similar not too long ago, so I might be able to spare you some digging through the god-awful OpenSSL man pages 😉

🚀 totroptof [OP]

2023-06-28 · 1 year ago

3 Later Comments ↓

🕹️ skyjake [mod...] · 2023-06-28 at 05:58:

While I agree the client certificate generator could use some flexibility and improvement when it comes to selection of version and type of encryption, the Gemini specification's only requirement here is that the client certificates are compatible with TLS 1.2. Any other aspects are undefined at the moment. This means having Lagrange enforce a specific type or format is inappropriate.

The downside of letting the user choose is that they may pick the "wrong" values, making the certificate incompatible with some servers. Thus the current "lowest common denominator" approach.

🚀 totroptof [OP] · 2023-06-28 at 06:07:

I’m actually inclined to think that offering users such options is probably handing them a foot-gun (they can always import certs they generated themselves if they really want, right?). My suggestions are more around spec compliance and safe defaults.

As for the spec compliance bit, TLS v1.2 also requires X.509v3 certs.

🕹️ skyjake [mod...] · 2023-06-28 at 06:13:

Hmm, I checked the TLS 1.2 RFC and it does seem version 3 client certificates are required.

With that in mind, I should check again whether this is an appropriate default for Gemini. I'm inclined to make the change, however see earlier discussion:

— https://github.com/skyjake/lagrange/issues/327

And yeah, you can always import whatever externally generated client certificates you have.

Original Post

🌒 s/Lagrange-Issues

There are a few issues I noticed with certificates generated by Lagrange: First is that they aren’t compliant with TLS’ requirements. RFC 8446 §4.4.2.3 requires client certificates be in X.509v3 format unless otherwise negotiated; digging through the source and some traces from OpenSSL don’t seem to indicate that any such negotiation takes place, rendering Lagrange’s client auth out-of-spec. Another issue is that certificates don’t currently have any key use information. They really ought...

💬 totroptof · 4 comments · 2023-06-28 · 1 year ago · #feature