plugd plugd at thelambdalab.xyz
Fri May 15 09:38:07 BST 2020
Hi Ben,

Ben writes:
> I'm having an issue with elpher where it asks me to approve the site's
> SSL cert because it says something like the issuer not being
> recognized... well that can't be right, so either I set up Jetforce a
> little bit wrong (specified the wrong files?), or this is some issue
> with elpher, which I noticed complains about the certs of most Gemini
> sites. My issuer is LetsEncrypt, which should be fine.

Elpher just relies on Emacs' default Network Security Manager behaviour, as described in the manual: https://www.gnu.org/software/emacs/manual/html_node/emacs/Network-Security.html. I'm not sure why this is claiming your cert is invalid. I'll look into it, but I suspect the issue will be upstream from elpher.

That aside, elpher (or rather the NSM) does tend to raise warnings about every new gemini site you visit since it's common to use self-signed certificates. While the spec-spec suggests a trust-on-first-use behaviour, this doesn't seem to be possible with the NSM. This exposes three security levels: "low", which doesn't do any security checks, "medium", which is the default level and is what you're experiencing, and "high", which is even more stringent.

Thus I've had to choose between no certificate validation at all and the current system. Seeing as (a) the number of gemini sites has (until recently) been extremely small, (b) emacs remembers accepted self-signed/invalid certificates and doesn't ask again, and (c) at least one person has expressed a preference for more security rather than less, I've stuck with the "medium" setting. However, I suspect I'm going to have to reconsider this stance in the near future due to the amazing number of new gemini hosts appearing.
Cheers,
Tim