Statement of intent regarding TLS server name identification (SNI)

Drew DeVault <sir (a) cmpwn.com>

Hiya! On behalf of the gmnisrv server software
(https://git.sr.ht/~sircmpwn/gmnisrv), I'm writing to inform client
authors that our intention is to *require* clients to enable server name
identification (SNI) when making TLS connections. We will drop
connections which do not provide SNI.

It's pretty easy to add to your client, so please double check that
yours does it! My server, gemini://drewdevault.com, is running gmnisrv
with this requirement enabled if you want something to test against.

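As an added illustration of the check a server enforcing this policy has to make (this is example code written for this thread, not gmnisrv's own implementation), the following Python parses a raw TLS ClientHello record and pulls out the server_name from the SNI extension; a server that wants to drop connections without SNI can apply exactly this test to the first record a client sends. The ClientHello bytes are constructed inline for the demonstration, not captured from any real client.

```python
"""Extract the SNI host name from a raw TLS ClientHello record (added example)."""
import struct

SNI_EXTENSION = 0x0000  # extension type "server_name" (RFC 6066)

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    try:
        # TLS record header: type(1) version(2) length(2); 0x16 = handshake
        if len(record) < 5 or record[0] != 0x16:
            return None
        body = record[5:5 + struct.unpack("!H", record[1:3])[0]]
        # Handshake header: type(1) length(3); 0x01 = ClientHello
        if len(body) < 4 or body[0] != 0x01:
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                           # client_version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        if pos + 2 > len(hello):
            return None                                        # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            # server_name_list: list_len(2) name_type(1)=0 name_len(2) name
            if ext_type == SNI_EXTENSION and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None  # truncated or malformed hello: treat as "no SNI"

def build_client_hello(server_name=None) -> bytes:
    """Constructed sample ClientHello (not a real capture), with or without SNI."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    print(extract_sni(build_client_hello("drewdevault.com")))  # drewdevault.com
    print(extract_sni(build_client_hello()))                   # None
```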

Omar Polo <op (a) omarpolo.com>


Drew DeVault <sir at cmpwn.com> writes:

> Hiya! On behalf of the gmnisrv server software
> (https://git.sr.ht/~sircmpwn/gmnisrv), I'm writing to inform client
> authors that our intention is to *require* clients to enable server name
> identification (SNI) when making TLS connections. We will drop
> connections which do not provide SNI.
>
> It's pretty easy to add to your client, so please double check that
> yours does it! My server, gemini://drewdevault.com, is running gmnisrv
> with this requirement enabled if you want something to test against.

This explains why I wasn't able to visit your server today, as it seems
elpher doesn't do SNI.

(please excuse my ignorance on the matter) what's the rationale for this
requirement? (other than allowing virtual hosts.)  I'm asking because
I'm curious if I need to follow the same behaviour in my server too.


William Casarin <jb55 (a) jb55.com>

Omar Polo <op at omarpolo.com> writes:
> Drew DeVault <sir at cmpwn.com> writes:
>
>> Hiya! On behalf of the gmnisrv server software
>> (https://git.sr.ht/~sircmpwn/gmnisrv), I'm writing to inform client
>> authors that our intention is to *require* clients to enable server name
>> identification (SNI) when making TLS connections. We will drop
>> connections which do not provide SNI.
>>
>> It's pretty easy to add to your client, so please double check that
>> yours does it! My server, gemini://drewdevault.com, is running gmnisrv
>> with this requirement enabled if you want something to test against.
>
> This explains why I wasn't able to visit your server today, as it seems
> elpher doesn't do SNI.

The Gemini iOS app¹ ² I was using also doesn't load Drew's server. I get the
error message "The operation couldn't be completed. (OSStatus error -9806.)"

Perhaps this could be clarified in the spec?

Cheers,
Will

¹ https://testflight.apple.com/join/ln6yTtqK
² https://github.com/pitr/gemini-ios

-- 
https://jb55.com


Drew DeVault <sir (a) cmpwn.com>

To enable virtual hosts and automatic certificate generation.


Omar Polo <op (a) omarpolo.com>


Drew DeVault <sir at cmpwn.com> writes:

> To enable virtual hosts and automatic certificate generation.

Seems fair.  But, since also another user complained that his client
didn't support SNI as well, would you mind relaxing this requirement for
a bit?  I really like reading your blog :)

In the meantime I guess I'll try to figure out how to teach SNI to
elpher.


Lokesh Krishna <lokesh (a) low-key.me>

Since their server is meant to be something others can test their clients 
against, I think you could just use an alternative client like amfora 
until elpher can do this?


Gary Johnson <lambdatronic (a) disroot.org>

Omar Polo <op at omarpolo.com> writes:

> In the meantime I guess I'll try to figure out how to teach SNI to
> elpher.

I use elpher as my Gemini client, and gemini://drewdevault.com loads
just fine for me. I'm running elpher version 2.10.0.

Cheers,
  Gary

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


Alex // nytpu <alex (a) nytpu.com>

See §4 of the Gemini Specification:
> Use of the Server Name Indication (SNI) extension to TLS is also
> mandatory, to facilitate name-based virtual hosting.

If your client does not support SNI, then it is in violation of the
specification.

I make a motion that SNI should actually be mandatory to ensure clients
are following the specification (as apparently elpher and other clients
aren't). I don't want a flip-flopped version of tag soup where servers
have to cater to the lowest common denominator of clients even though
they are in clear violation of the specification.

-- 
Alex // nytpu
alex at nytpu.com
GPG Key: https://www.nytpu.com/files/pubkey.asc
Key fingerprint: 43A5 890C EE85 EA1F 8C88 9492 ECCD C07B 337B 8F5B
https://useplaintext.email/


Omar Polo <op (a) omarpolo.com>


Gary Johnson <lambdatronic at disroot.org> writes:

> Omar Polo <op at omarpolo.com> writes:
>
>> In the meantime I guess I'll try to figure out how to teach SNI to
>> elpher.
>
> I use elpher as my Gemini client, and gemini://drewdevault.com loads
> just fine for me. I'm running elpher version 2.10.0.
>
> Cheers,
>   Gary

and it's working indeed.  I don't know why, but yesterday I was unable
to visit it, and elpher was failing with a timeout error.  Given the
timing, I assumed it was related to this.  As I found later, elpher is
doing SNI correctly (lesson learned: when in doubt, first check the
code.)  Must have been a connection error on my end or PEBCAK.

Sorry for the noise I guess?


Peter Vernigorov <pitr.vern (a) gmail.com>

Same here with the iOS client. I could not reproduce the error William saw,
everything loads just fine.

On Tue, Nov 10, 2020 at 10:47 Omar Polo <op at omarpolo.com> wrote:

>
> Gary Johnson <lambdatronic at disroot.org> writes:
>
> > Omar Polo <op at omarpolo.com> writes:
> >
> >> In the meantime I guess I'll try to figure out how to teach SNI to
> >> elpher.
> >
> > I use elpher as my Gemini client, and gemini://drewdevault.com loads
> > just fine for me. I'm running elpher version 2.10.0.
> >
> > Cheers,
> >   Gary
>
> and it's working indeed.  I don't know why, but yesterday I was unable
> to visit it, and elpher was failing with a timeout error.  Given the
> timing, I assumed it was related to this.  As I found later, elpher is
> doing SNI correctly (lesson learned: when in doubt, first check the
> code.)  Must have been a connection error on my end or PEBCAK.
>
> Sorry for the noise I guess?
>


William Casarin <jb55 (a) jb55.com>

Peter Vernigorov <pitr.vern at gmail.com> writes:
> Same here with the iOS client. I could not reproduce the error William
> saw, everything loads just fine.

Yup it looked like a transient issue unrelated to SNI, all good. Also
apparently it's required¹ by the TLS spec anyways so it seems reasonable
to enforce it.

¹ id:20201109205606.o44up5kpwv6oqq73 at GLaDOS

