<-- back to the mailing list

TLS certificate sizes in Geminispace

Paul Warren pwarren at pwarren.id.au

Sat Jun 27 11:37:17 BST 2020

- - - - - - - - - - - - - - - - - - - 

G'day!

I've put an ed25519 based cert on gemini://gem.pwarren.id.au/ which isbeing served out by the latest gemserv.

I generated it on debian with openssl 1.1.1d via:

$ openssl genpkey -algorithm ED25519

gemkey.pem

$ openssl req -x509 -key gemkey.pem -subj "/CN=gem.pwarren.id.au"-reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf"[SAN]\nsubjectAltName=DNS:gem.pwarren.id.au,DNS:gemini.pwarren.id.au,DNS:gemini.lan"))-out gemnew.pem -days 3600

I'm not sure if SANs are required really for gemini, I think with theTOFU idea it's only the hash that matters?

The new cert is 489 bytes vs the 1830 for the old RSA keyed certificate(in PEM format), most of my content so far is < 2000 bytes!

Cheers--Paul

On 27/6/20 6:58 pm, solderpunk wrote:> ----- Forwarded message from solderpunk <solderpunk at SDF.ORG> -----

Date: Fri, 26 Jun 2020 15:57:59 +0000
From: solderpunk <solderpunk at SDF.ORG>
To: Gemini application layer protocol <gemini at lists.orbitalfox.eu>
Subject: Re: TLS certificate sizes in Geminispace
On Fri, Jun 26, 2020 at 05:05:22PM +0200, Felix Queißner wrote:
This makes me think it's an error with the server, as opposed to the ED22519 key; I'd love to try another server with this type of certificate for testing.
Using Kristall works and it's blazingly fast, seems to be a correct
server configuration
Hmm, I think SDF's mail server must be having issues, I'm not seeing
other posts to this thread, even my own replies, but I can see them at
Sloum's Gemini mirror of the list. I'll send this now in the hopes it
gets through eventually...
I think perhaps it is, indeed, the case that older versions of OpenSSL
will choke on this. That *sucks*. I know this is a big problem with
the web, but the web, by virtue of being mostly a commercial enterprise,
needs to support janky old clients because the people using them still
have good money. I figured that since there *are* no janky old Gemini
clients, we would not be bitten by this kind of thing.
Okay, perhaps everybody jumping to ED22519 right now is not viable, but
it should be a medium-term goal and, in the mean time, we can figure out
what the smallest possible widely supported certificate is (without
doing silly things like using tiny key sizes), and build tools / write
docs help folks generate them.
Cheers,
Solderpunk

-------------- next part --------------A non-text attachment was scrubbed...Name: signature.ascType: application/pgp-signatureSize: 1003 bytesDesc: OpenPGP digital signatureURL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200627/d958682b/attachment-0001.sig>