💾 Archived View for bbs.geminispace.org › s › misfin › 19289 captured on 2024-12-17 at 15:05:21. Gemini links have been rewritten to link to archived content

Misfin with Jetforce server

I am self-hosting my capsule using the Jetforce server. I tried using gmcapsule, but I am having file-reading issues with the CA certificate from certbot. Anyway, I am wondering whether there is a guide to using any misfin client, like skylab, with Jetforce?

#Jetforce #skylab

Posted in: s/misfin

☕️ Aptor-theHobbit

Sep 01 · 4 months ago

15 Comments ↓

🐐 satch · Sep 01 at 13:44:

Yeah! You’ll need a misfin server as well as a client; I’d try this one:

— https://gitlab.com/clseibold/misfin-server

It works quite well along with Skylab.

💎 istvan · Sep 01 at 22:21:

Uh oh. Certbot?

See you in a couple months when you are asking why every Gemini client is throwing warnings about your capsule.

Gemini is trust on first use: not CA based. Clients don't care what the CA says is the right cert. Everything will throw a fit when the certificate changes because the updated cert is NOT the one they know your site as.

☕️ Aptor-theHobbit [OP] · Sep 02 at 23:53:

I am not that well versed in the SSL protocol; I just know the basics. Shouldn't the public key stay the same and the certificate get renewed before the expiry date? Only if the certificate expires is a new certificate needed, and then the Gemini client will show the untrusted-server warning. 😱

I noticed that astrobotany uses CA certificates and they have a large user base.

— astrobotany.mozz.us

If they are not having problems with the certificate, I assume, optimistically of course, that my capsule will be okay.

Just in case the CA certificate expires, I am not going to lose the hundreds of thousands of visitors to my capsule that I don't have 🤣

🐐 satch · Sep 03 at 00:10:

Some clients handle things that way, but some clients will throw a warning anytime the certificate changes at all

☕️ Aptor-theHobbit [OP] · Sep 03 at 00:27:

That is such a weird thing to do on the client side. No one is going to issue an indefinite CA certificate, except for a self-signed one. This incentivizes self-signed certificates and punishes the one who has gone through the trouble of getting a CA certificate properly. I understand TOFU, but a client shouldn't have a problem (in an ideal world) with changing, i.e. extending, the expiry date every 90 days or so. If Firefox (for SSL) or a package manager (for PGP) shows me an untrusted source, I would not go any further. I am sure there are a lot of people who click OK on anything without reading.

💎 istvan · Sep 03 at 00:30:

Yep. It all depends on whether the client follows the spec, which is TOFU.

If they accept any unexpired cert as good enough, then there won’t be a warning. Then again, there wouldn’t be a warning if you got hijacked anyway since that isn’t comparing to a CA.

Just be aware you are going to throw warnings for a lot of clients and you don’t gain anything since gemini has no concept of certificate authority.
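The behaviour satch and istvan describe above, shown as an added example that is not part of the thread or of any Gemini client's code: a minimal TOFU check that pins the SHA-256 fingerprint of the whole certificate, run against a self-signed certificate and then against two "renewals" of it. It assumes the openssl CLI is installed; the host name is made up and nothing is contacted. The two renewal cases mirror certbot, which by default issues each renewed certificate under a brand-new private key unless `--reuse-key` is given.

```shell
#!/bin/sh
# Added example, not code from the thread: emulate a TOFU Gemini client that pins
# the whole certificate, and watch what a certbot-style renewal does to the pin.
# Assumes the openssl CLI; the host name is made up and nothing is contacted.
set -eu

HOST=example-capsule.invalid

# new_key KEY: generate a fresh P-256 private key.
new_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# issue_cert KEY CERT: self-sign a 90-day certificate for $HOST with KEY.
issue_cert() {
  openssl req -x509 -new -key "$1" -out "$2" -days 90 -subj "/CN=$HOST" 2>/dev/null
}

# cert_fp CERT: SHA-256 of the DER certificate, the value a whole-cert TOFU pin stores.
cert_fp() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# spki_fp CERT: SHA-256 of the DER SubjectPublicKeyInfo only (the key, not the cert).
spki_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# tofu_check KNOWN_HOSTS CERT: the client-side decision, printed as one word.
#   first-use  host never seen: store the fingerprint, accept silently
#   ok         fingerprint matches the stored one
#   CHANGED    mismatch: this is the warning, raised regardless of expiry or CA
tofu_check() {
  fp=$(cert_fp "$2")
  if [ ! -f "$1" ] || ! grep -q "^$HOST " "$1"; then
    echo "$HOST $fp" >> "$1"
    echo first-use
  elif grep -q "^$HOST $fp\$" "$1"; then
    echo ok
  else
    echo CHANGED
  fi
}

# key_cmp CERT_A CERT_B: same-key or new-key, by comparing public-key fingerprints.
key_cmp() {
  if [ "$(spki_fp "$1")" = "$(spki_fp "$2")" ]; then echo same-key; else echo new-key; fi
}

# renewal_demo: first visit, revisit, then two renewals. Prints six words.
renewal_demo() {
  d=$(mktemp -d)
  new_key "$d/key1.pem"
  issue_cert "$d/key1.pem" "$d/cert1.pem"
  r1=$(tofu_check "$d/known_hosts" "$d/cert1.pem")   # first-use
  r2=$(tofu_check "$d/known_hosts" "$d/cert1.pem")   # ok

  # Renewal A, certbot's default: a brand-new private key for the new certificate.
  new_key "$d/key2.pem"
  issue_cert "$d/key2.pem" "$d/cert2.pem"
  r3=$(tofu_check "$d/known_hosts" "$d/cert2.pem")   # CHANGED
  k3=$(key_cmp "$d/cert1.pem" "$d/cert2.pem")        # new-key

  # Renewal B, certbot --reuse-key: same key, but serial, validity and signature
  # differ, so the certificate bytes differ and a whole-cert pin still trips.
  issue_cert "$d/key1.pem" "$d/cert3.pem"
  r4=$(tofu_check "$d/known_hosts" "$d/cert3.pem")   # CHANGED
  k4=$(key_cmp "$d/cert1.pem" "$d/cert3.pem")        # same-key

  rm -rf "$d"
  echo "$r1 $r2 $r3 $k3 $r4 $k4"
}

renewal_demo
```

The point of the two renewals: a client that pins the certificate itself warns on every renewal, with or without `--reuse-key`, because the renewed certificate is a different object even when the key inside it is the same. Only a client that pins the public key (what spki_fp computes) would stay quiet through a `--reuse-key` renewal, and nothing in the thread says any client does that.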

💎 istvan · Sep 03 at 00:32:

This incentivizes self-signed certificates and punishes the one who has gone through the trouble of getting a CA certificate properly.

There is nothing proper about going through a CA. This is just something that was made up by Web people.

There is nothing at all that requires a certificate authority to sign SSL certs for you.

You are bringing World Wide Web warts into Gemini space.

☕️ Aptor-theHobbit [OP] · Sep 03 at 00:35:

I agree. I am just curious: which clients have you had experience with that throw such a warning? Maybe I can try those as well, in addition to Lagrange, bombadillo, telescope and amfora. Also, is there a way to know which client is the most popular? (I think I already know the answer: there is no way other than self-reporting, but I am now curious.)

💎 istvan · Sep 03 at 00:43:

I only know Lagrange does it because I ran into that problem on my own capsule when it was sharing a key generated by certbot. But it’s a pretty popular client, especially with few alternatives on iOS/Android.

Not sure if anyone has metrics on client usage. I don’t think most of the servers out there collect any metrics by default. I’m not even sure if anything like that is passed in the environment where tracking would be possible.

☕️ Aptor-theHobbit [OP] · Sep 03 at 01:10:

Yeah, that is the great thing about Gemini: no tracking (I hope no one is logging all the IPs), and almost complete anonymity.

Maybe someone can create a poll and get that info about what users of Gemini want in a client. SSL is useful since the authorities cannot read anything; I am sure most of the Gemini users are authentic in nature. Also, there is a messaging protocol like misfin that needs SSL.

💎 istvan · Sep 03 at 02:24:

I keep meaning to put up a fake server to log IPs just so I can catch and ban all the different Gemini to Web proxies.

☕️ Aptor-theHobbit [OP] · Sep 03 at 03:00:

I did not know that was an issue. Are there a lot of proxies doing that? The only one I encountered was related to Stargate, which is actually doing the exact opposite.

💎 istvan · Sep 03 at 03:19:

It’s only an issue if you think it’s an issue. I’m just a weirdo who wants my gemini content to be not available on the web.

☕️ Aptor-theHobbit [OP] · Sep 03 at 03:42:

Well I am that kind of weirdo too. I am a kind of weirdo who used Ubuntu Touch phone for 6+ years and loved it.

💎 istvan · Sep 03 at 04:49:

OK, I went ahead and did the work since someone else is as crazy as I am. These are the IPs to drop at your firewall to prevent web proxies:

Wobbly (https://www.warmedal.se/~wobbly/) 109.228.177.104

Smolnet Portal (https://portal.mozz.us/) 159.89.51.21

yah2g (https://gem.any-key.press/) 5.23.49.151

Any other proxies still up and running?

I made a document that spits out the IP of the requesting client. You can load it in any proxy to find the IP it's reading from, if you want to know whom to block:

gemini://brainsocks.xyz/rat.gmi