Elpher client certificates
--------------------------

Prelude: I'm tempted to apologize once more for adding yet _another_ Elpher-related post to this phlog. It's difficult to avoid though, as this is my main platform for announcing major changes. I've been considering using tags or something to split the entries into elpher/non-elpher categories, so that people not interested in this seemingly never-ending tirade of Elpher updates can leave early with their sanity and temper intact. So, to those people: be warned, this is another of "those" posts.

-=-=-=-=-

In a recent [1,2] *log entry, I lamented being unable to get Elpher to use client certificates---which are an integral component of the Gemini protocol---in establishing TLS connections using the native Emacs network functions. Several people have subsequently pointed out that this limitation seems to be lifted by Emacs 27, whenever that gets released. While encouraging, the Emacs release schedule is a slow, methodical, and mysterious target of numerologists [3], and thus it seemed the present situation was likely to remain in place for a while longer.

On the weekend though, I was fiddling around with the networking code in an effort to (a) consolidate the network code related to gopher, gemini and finger into one method, and (b) solve a handful of minor bugs relating to conflicts between forcing use of IPv4 and Server Name Indication (SNI) for TLS connections. To solve these issues I wound up needing to switch out the use of the `open-network-stream' procedure for the lower-level `make-network-process' function, as this allows directly selecting the IP protocol version and specifying the host name to use for SNI. (For anybody interested: previously, forcing IPv4 when requested was achieved using an ugly hack involving a separate DNS lookup to retrieve the IPv4 address of a server, then using that address as the host in the `open-network-stream' call. Since the host argument then no longer matched the server's name, SNI and certificate hostname checks were the casualty.)

On a whim I then decided to try attaching my astrobotany [4] TLS client certificates to the `make-network-process' call and connect to the astrobotany server...

... and bam, I was looking at a dead virtual plant. I don't think I will ever be as happy to see virtual botanical tragedy as I was at that moment!

So, with this discovery, Elpher v2.9.0 supports client certificates. I've tried to make the interface as frictionless as possible, but of course I'm open to suggestions. The Info manual (installed automatically when you install Elpher from MELPA) goes through the gory details of this, but I'll try to quickly summarize here.

* When a Gemini server requests a certificate, Elpher presents a small menu in the minibuffer. Pressing "?" presents a description of the available options, which are "t" to create and use a "throwaway" single-use certificate, "p" to create a permanent one (or use an existing one), and "a" to abort the connection.

* Certificate creation uses the "openssl" command line program, which is part of OpenSSL and is probably already installed on your machine. If it's not, you'll need to install it. If it is installed but the command line tool is not in your PATH (whatever that means on your system), you can specify the location of the tool by customizing the `elpher-openssl-command' variable.

* Temporary certificates are stored in the system temp directory and are deleted when the certificate is "forgotten", as described below.

* Permanent certificates are stored in the directory `elpher-certificate-directory', which by default is the directory "elpher-certificates/" inside the Emacs configuration directory.

* When choosing the "p" option to use a permanent certificate, choosing a name which does not correspond to an existing certificate will cause a new one to be created and added to that directory.

* The prompt for the certificate name autocompletes to existing certificates, so just hit TAB to see a list of all available certificates (really just the contents of the `elpher-certificate-directory' directory).

* Certificates are "forgotten" by pressing "F", or when you try to establish a connection to a host other than the one for which the certificate was created. A certificate is thus only ever presented to the host it was created for; it is never silently reused across hosts.

That's pretty much it! It's the initial release, so there may be some rough edges. (One that I already know about but haven't addressed yet is that the "certificate name" you choose has to be a valid filename: the name is used as-is to build the file names inside `elpher-certificate-directory', and there's no sanitization yet.) If you encounter any others please let me know either by email or via the feedback button on the Elpher project page.

Remember to water those plants!!

---

[1]: gemini://thelambdalab.xyz/phlog/2020-05-31-Inanity-3:-Virtual-Gardening.txt
[2]: gopher://thelambdalab.xyz/0/phlog/2020-05-31-Inanity-3:-Virtual-Gardening.txt
[3]: https://www.emacswiki.org/emacs/EmacsReleaseDates
[4]: gemini://astrobotany.mozz.us/
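To make the `make-network-process' change and the client-certificate flow described above concrete, here is an added example in Emacs Lisp. It is not Elpher's own code: the function names (example-*), the buffer name and the exact openssl invocation are my own choices, and it assumes Emacs 26 or later built with GnuTLS plus an `openssl' binary on PATH. It shows the three things the post is about in one place: forcing IPv4 with :family while still passing the real host name for SNI, attaching a key/certificate pair via the :keylist of `gnutls-boot-parameters', and recognising the Gemini 6x status that makes a client ask for a certificate in the first place.

```elisp
;; Added example, not Elpher's code.  Assumes Emacs 26+ with GnuTLS and
;; `openssl' on PATH.  All example-* names are mine.
(require 'gnutls)

(defun example-make-client-cert (keyfile certfile name days)
  "Create a self-signed client certificate with openssl.
Writes the private key to KEYFILE and the certificate to CERTFILE,
with common name NAME, valid for DAYS days.  Returns openssl's exit
status (0 on success).  NAME is passed as a single argv element, so it
is not shell-interpreted, but KEYFILE/CERTFILE are used verbatim: the
caller is responsible for sanitising a user-supplied name."
  (call-process "openssl" nil nil nil
                "req" "-x509" "-newkey" "rsa:2048" "-nodes"
                "-days" (number-to-string days)
                "-keyout" keyfile "-out" certfile
                "-subj" (concat "/CN=" name)))

(defun example-gemini-open (host port &optional force-ipv4 keyfile certfile)
  "Open a TLS connection to HOST:PORT suitable for a Gemini request.
HOST is passed both as the address to connect to and as the :hostname
for SNI, so forcing IPv4 no longer needs a manual DNS lookup.  When
KEYFILE and CERTFILE are both given, they are offered to the server as
a client certificate.  The handshake is completed synchronously, so a
TLS failure is signalled here rather than later.  Returns the process."
  (make-network-process
   :name "example-gemini"
   :buffer (generate-new-buffer " *example-gemini*")
   :host host
   :service port
   :family (and force-ipv4 'ipv4)   ; nil lets Emacs pick IPv4 or IPv6
   :coding 'binary
   :tls-parameters
   (cons 'gnutls-x509pki
         (gnutls-boot-parameters
          :type 'gnutls-x509pki
          :hostname host              ; SNI and hostname verification
          :keylist (and keyfile certfile
                        (list (list keyfile certfile)))))))

(defun example-gemini-request (host url &optional force-ipv4 keyfile certfile)
  "Send URL to HOST on port 1965 and return the raw response as a string.
Gemini servers close the connection after the response, so reading
until the process dies is sufficient."
  (let* ((proc (example-gemini-open host 1965 force-ipv4 keyfile certfile))
         (buf (process-buffer proc)))
    (unwind-protect
        (progn
          (process-send-string proc (concat url "\r\n"))
          (while (process-live-p proc)
            (accept-process-output proc 1))
          (with-current-buffer buf (buffer-string)))
      (kill-buffer buf))))

(defun example-gemini-status (response)
  "Split RESPONSE's header line into (STATUS-CODE . META).
STATUS-CODE is an integer; a 6x code means the server wants a client
certificate, which is the point at which Elpher shows its t/p/a menu."
  (if (string-match "\\`\\([0-9][0-9]\\)[ \t]*\\([^\r\n]*\\)\r?\n" response)
      (cons (string-to-number (match-string 1 response))
            (match-string 2 response))
    (error "Malformed Gemini response header")))

(defun example-needs-client-cert-p (response)
  "Non-nil when RESPONSE's status is in the 60-69 range."
  (let ((status (car (example-gemini-status response))))
    (and (>= status 60) (<= status 69))))

;; Usage (needs network access; not evaluated when loading this file):
;; (let* ((key (make-temp-file "gemini-" nil ".key"))
;;        (cert (make-temp-file "gemini-" nil ".crt")))
;;   (example-make-client-cert key cert "throwaway" 1)
;;   (example-gemini-request "astrobotany.mozz.us"
;;                           "gemini://astrobotany.mozz.us/" t key cert))
```

Two points worth noting when adapting this. First, :keylist takes (KEYFILE CERTFILE) pairs in that order, key first, which is easy to get backwards and fails with an unhelpful GnuTLS error. Second, the connect-then-retry pattern (request without a certificate, get a 6x status, then reconnect with one) is exactly why the "forget on host change" rule matters: the certificate should only ever be offered to the host that asked for it.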