💾 Archived View for bbs.geminispace.org › s › misfin › 20910 captured on 2024-12-17 at 15:14:24. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Would be good to figure out a system for dealing with changed client certs, preferably gracefully.
I got a message from @satch, but can't respond because I sent a message to them with a previous client cert while trying to test my server initially. I suspect it'll be common for folks who build their own server or client to change their client cert while debugging and testing, even after sending a message to someone.
P.S. - @satch, if you could delete my old client cert fingerprint for vi@vigrey.com, that would be great! I believe you are the only person this issue effects for me in particular at this moment, even though it used to impact skyjake as well, although they deleted the fingerprint
Oct 16 · 2 months ago
🚀 clseibold · Oct 16 at 01:51:
How long ago was this? I ask because satch is running off of my server software, and I believe I added a reverification process to the server. If it detects a client cert has changed, it will resend a new verification message (blank gemmail) to the misfin server, which should send back the mailbox's new fingerprint. I believe I added this in v0.5.9c of my server software.
I'll double check this though to make sure it's programmed correctly.
@satch What version of misfin-server are you on?
@clseibold 0.5.9c
The error message is actually this:
temp failure - cannot verify certificate because server cannot contact their mailserver ("vi@vigrey.com").
Could not verify fingerprint.
🚀 clseibold · Oct 16 at 14:09:
@satch Ok, so something happened when it tried to reverify where it couldn't contact the server. Thanks!
@vi Make sure your server is up and try resending another message. It *should* work, but I will also still do some testing on my own.
@clseibold I tried sending @satch another misfin message and got an invalid misfin certificate message. Also tested my server and it provides my fingerprint 8d6b50bf6493dc8b769d1e2a24d2be3f54a096f01122460b1d1313fc06e0a3f0 when sending vi@vigrey.com a blank message. Not sure if whatever is going on is on your server's side or my server's side, but whatever is going on would be good to get figured out between all of us.
As stated before, my best guess is because I sent a message with a different client cert a few weeks back ago, the difference in cert fingerprints from then to now might be the issue, although that conflicts with what you mentioned about revocation code being added to the server software.
@clseibold I sent the message with the different fingerprint probably on September 3rd or 4th
🚀 clseibold · Oct 16 at 23:53:
@vi Interesting. According to satch's error message, it tries to start up the reverification process, but it is failing to send a new verification message to your server. It could be that somehow @satch's fingerprint got changed from what's in your server's TOFU store, perhaps? I don't think gemalaya's server (if that's what you're using) has a reverification process like my server has, but your server is rejecting the new verification message that @satch's server is sending.
@clseibold that gives me some info to work off of, thanks! I'll try again with verbose printing later tonight. I just wrote my server from scratch.
Sorry, things got in the way tonight, gonna do it in the next day or so.
🚀 clseibold · Oct 17 at 07:42:
@vi No problem. I obsessively keep track of the misfin subspace here, so there's no rush.
@vi this is really odd... my server doesn't have any misfin fingerprint stored for you in tofu_store.list.
I'm like 90% sure I figured out the issue. It's "an" issue at least. Fixing it now. This was my fault for not testing Misfin C well enough!
@satch Thanks for bearing with me! I think I have it fixed now!!! I was able to send you a test message without my server crashing.
🚀 clseibold · Oct 18 at 07:43:
@vi I'm glad you got it fixed. If it would help with your implementation, we are working on an updated misfin(C) draft that makes a lot more things explicit:
I intend to finish this up very soon.
@clseibold My issue ended up being assumptions in my code for the CRLF. I initially had the server set up properly for Misfin C, but when adding Gemini and Misfin B support and then removing Titan support before I released 0.0.1, I modified/simplified my code to deal strip out the CRLF and completely forgot Misfin C expects the CRLF before the message.
I fixed it though, so it should be fine. Also added reidentification code like your server does, which "hopefully" should play nice when it eventually is used.