
New Dillo plugin

Charles E. Lehner cel at celehner.com

Sat Jun 27 00:47:50 BST 2020

- - - - - - - - - - - - - - - - - - - 

Hi Philip,

Nice work. I like the certificate pinning feature.

The other plugin (dillo-gemini) works with the current protocol, except for client certificates or any server certificate management. Maybe you were missing a dependency. I added a link to yours in its readme.

Regards,
Charles L.

On Fri, 26 Jun 2020 23:32:08 +0200 Philip Linde <linde.philip at gmail.com> wrote:

Hi all,

I tried the existing Dillo plugin but couldn't get it to work.
Perhaps it got the job done at some iteration of the protocol.
I've written my own according to the current spec for anyone
interested:

https://github.com/boomlinde/gemini.filter.dpi

I've decided that in my client you explicitly have to pin invalid
certificates and certificates with unknown authorities. On the first
request to a site with a self-signed or invalid certificate, an error
description will be displayed and you'll be given the option to pin it
and continue anyway. After the certificate is pinned, you won't get a
warning again until it changes.

The certificate pins are stored in $HOME/.dillo/gemini/pinned as
base64 encoded sha1 sums of the entire certificate chain used.

For now it doesn't understand client certificate status codes and will
show them as it does errors (simply outputting the header in plain
text). It will display an error on any encoding except utf-8 and
us-ascii.

Input works fine!

The project has also yielded two interesting libraries:

https://github.com/boomlinde/gemini is a protocol implementation, for
now only a client, in Go. The client library makes it easy to set up a
pin database and verifies connections by default.

https://github.com/boomlinde/dpi implements a Dillo plugin server, in
Go. It can be used to build both filter and server plugins.

Neither of these libraries are really versioned yet. I want to
dog-food the plugin for a while to weed any issues out before I will
say that the APIs are stable.

I hope someone else finds some use for this!

--
Philip
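
The pin-and-warn-on-change policy described in the message above, as an added Go example that is not part of this thread and is not code from gemini.filter.dpi or its libraries. The in-memory pin map, the names `ChainPin` and `Check`, hashing the concatenated DER chain into a single sum, and warning on any change to a pinned host are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
)

type Verdict int
const (
	Accept  Verdict = iota // CA-valid, or chain matches the stored pin
	AskUser                // untrusted and not pinned: show the error, offer to pin
	Changed                // pinned earlier, but the chain differs now: warn again
)

// ChainPin returns base64(SHA-1(cert1 || cert2 || ...)) over the DER
// certificates in the order presented (assumed layout of a stored pin).
func ChainPin(chain [][]byte) string {
	sum := sha1.Sum(bytes.Join(chain, nil))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Check decides what to do for host. pins is a hypothetical in-memory form of
// the pin file; caValid is the outcome of ordinary chain verification.
func Check(pins map[string]string, host string, chain [][]byte, caValid bool) Verdict {
	pinned, ok := pins[host]
	switch {
	case ok && pinned == ChainPin(chain):
		return Accept
	case ok: // assumption: a pinned host is reported on any change
		return Changed
	case caValid:
		return Accept
	}
	return AskUser
}

func main() {
	// Constructed byte strings standing in for DER certificates.
	chain := [][]byte{[]byte("leaf-cert-der"), []byte("issuer-cert-der")}
	pins := map[string]string{}
	fmt.Println(Check(pins, "example.org", chain, false)) // first visit
	pins["example.org"] = ChainPin(chain)                 // user chose to pin
	fmt.Println(Check(pins, "example.org", chain, false)) // same chain again
	chain[0] = []byte("replaced-leaf-der")
	fmt.Println(Check(pins, "example.org", chain, false)) // chain changed
}
```

SHA-1 appears here only because the message specifies it; the same structure works unchanged with SHA-256.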
