solderpunk solderpunk at SDF.ORG
Mon May 11 09:18:16 BST 2020
- - - - - - - - - - - - - - - - - - -

Haha, this was me! In order to get a 1.0.0 release of AV-98 out the
door and into PyPI quickly so that there's an easy to install client for
curious newcomers, I spent some time yesterday hacking away on client
certificate support. Mozz added some basic support a few weeks back to
facilitate the astrobotany game, but I am working on something slightly
more user-friendly. As long as the `openssl` command line tool is
installed, it will soon be possible to generate certs from within AV-98
in response to status codes wanting them. Once you navigate to a
different domain other than the one for which the cert was generated,
you'll get a privacy warning and the option to stop using that cert.
It's certainly still rough around the edges, but it's usable enough and
will facilitate more experimentation on the server side with client
certificates. I'll post lots more about this work here in the near
future.

Anyway, at some point yesterday I got tired of filling out `openssl`'s
prompts when making new certs and just gave blank answers to everything,
which would be the requests you noticed. Are you quite sure that your
server handled them just fine as the logs indicate? If I remember
rightly the SSL handshake seemed to fail when I did this so I quickly
reverted to putting something non-zero in there.

We should talk about logging formats some time. Molly Brown keeps logs
too (I keep meaning to make a nice graph showing the wave of traffic
that came in after we hit HN), in an ad-hoc format that doesn't match
yours below at all (unsurprisingly). Having a standard format would
facilitate tools to monitor/visualise logs.

Cheers,
Solderpunk

On Sun, May 10, 2020 at 08:18:21PM -0400, Sean Conner wrote:
>
> I know logging isn't popular here, but I still do it anyway, in order to
> track down issues that might come up, either bugs in the server. Early on,
> I decided to also log certificates that might be used to hit the "/private"
> directory on my server. I'm seeing a bit more activity there, which is
> nice, the latest one being:
>
> remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="/CN=AV-98 cert test" issuer="/CN=AV-98 cert test"
>
> But the following requests had me seriously puzzled:
>
> remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="" issuer=""
> remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/mondrian.gif" bytes=3082 subject="" issuer=""
>
> After quite a bit of testing and thinking on this, I can only conclude
> that whoever sent this request did have a certificate, but the certificate
> did not include the issuer or subject fields. As I stated, I accept any
> certificate (as long as the dates are valid). I did not expect a
> certificate sans issuer/subject could be valid as well. Perhaps it's not, I
> don't actually know, but kudos to the requestor. I was not expecting this.
>
> -spc
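The key=value log format quoted above is easy to turn into the kind of monitoring tool the thread asks for. Below is an added example, written for this page and not code from Molly Brown, from Sean's server, or from AV-98, that parses lines in that format and flags requests served to a client certificate whose subject and issuer are both empty. The sample lines are constructed to match the shape of the quoted log entries (addresses redacted as in the message; the last line, carrying no certificate fields at all, is invented to exercise the third case). One caveat worth having in mind when reading such a report: RFC 5280 allows an empty subject only when a critical subjectAltName carries the name, and requires the issuer to be a non-empty DN, so a certificate with both fields blank is non-conforming even when an OpenSSL-based server accepts the handshake.

```python
import re

# Constructed sample in the key=value format of the quoted log lines; not a
# copy of any real server log. Remote addresses are redacted as in the
# message, and the final line (no client cert at all) is invented.
SAMPLE_LOG = """\
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="/CN=AV-98 cert test" issuer="/CN=AV-98 cert test"
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/" bytes=213 subject="" issuer=""
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/private/mondrian.gif" bytes=3082 subject="" issuer=""
remote=---.---.---.--- status=20 request="gemini://gemini.conman.org/" bytes=1024
"""

# One key=value pair. The value is either a double-quoted string that may
# contain spaces and backslash escapes, or a bare run of non-whitespace.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict; quoted values come back unquoted."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"'):
            # Strip the quotes and resolve \" and \\ escapes in one pass.
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def classify_cert(fields):
    """Describe what a parsed line says about the client certificate.

    'none'     - no subject/issuer fields logged, so no client cert was sent
    'empty-dn' - a cert was presented, but both its DNs are empty
    'named'    - a cert with at least one non-empty DN
    """
    if "subject" not in fields and "issuer" not in fields:
        return "none"
    if fields.get("subject") == "" and fields.get("issuer") == "":
        return "empty-dn"
    return "named"


def scan(log_text):
    """Return (request, status, classification) for each non-blank line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        results.append(
            (fields.get("request"), fields.get("status"), classify_cert(fields))
        )
    return results


def empty_dn_requests(log_text):
    """Requests that were answered for a cert with empty subject and issuer."""
    return [req for req, _status, kind in scan(log_text) if kind == "empty-dn"]


if __name__ == "__main__":
    for req, status, kind in scan(SAMPLE_LOG):
        print(f"{kind:9} status={status} {req}")
    print("empty-DN certs hit:", empty_dn_requests(SAMPLE_LOG))
```

Because the regex treats a quoted value as a single token, a subject such as `/CN=AV-98 cert test` survives intact even though it contains both a space and an `=`; a naive `split()` on whitespace would break it in two.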