A certain irony in linking to this blog post from lobsters!
The site that then started breaking in 1.3 was freaking Lobste.rs. Thanks, Lobste.rs administrators, um, for making my code better! Yeah! And drop dead! The original problem was that it insisted on RSA-PSS-RSAE even when I didn’t offer it in the client hello as an acceptable signature algorithm. TLSe (the crypto library of which Cryanc is essentially a hard fork) didn’t understand or expect this, so I had to add that support, and libtomcrypt apparently doesn’t know how to handle a zero salt length either (this would indicate you need to compute it yourself), so I had to add that too. It took a couple days poring over wire dumps to figure out what was actually going on, especially because of all the changing nonces and values.
But even after this was working, Lobste.rs via carl was still broken on big-endian because it would complain there were no common ciphers if I didn’t offer CHACHA20-POLY1305-SHA256 (haven’t you guys heard of AES-256-GCM-SHA384??). After labouriously vetting the third-party implementations I use, I found the endian issue in connecting glue code and was able to make it work. Now everything passed, on both my little-endian Linux POWER9 and my big-endian AIX POWER6.
Because of the requirement that a client should be easy to code, the entire PKI infrastructure undergirding TLS on the web was ditched. Instead, the culture is to use long-lived self-signed certs that are trusted on first use.
Maybe DANE could have solved these issues but considering that the instructions on how to set up a self-signed cert are already fragmented and obscure I don’t see DANE being a huge step forward for server operators.
It should be possible for the same protocol-agnostic browsers that work with carl for HTTPS-over-HTTP to set up Gemini-over-HTTP. You’d “just” have to write the Gemini client, and either send Gemtext as text/plain or translate it to HTML. Then you teach the browser about a new protocol proxy gemini on localhost:port.
A certain irony in linking to this blog post from lobsters!
Yes, I’m giving the administration a hard time for the hard time their server gave me. ;)
This is great! Does anyone have Gemini stuff for retro platforms yet? The lack of TLS on those platforms was keeping Gemini off.
TLS for Gemini never made much sense to me.
Because of the requirement that a client should be easy to code, the entire PKI infrastructure undergirding TLS on the web was ditched. Instead, the culture is to use long-lived self-signed certs that are trusted on first use.
I’ve written more about this here: gemini://gerikson.com/gemlog/gemini-sux/TLS-and-its-discontents.gmi
Maybe DANE could have solved these issues but considering that the instructions on how to set up a self-signed cert are already fragmented and obscure I don’t see DANE being a huge step forward for server operators.
It should be possible for the same protocol-agnostic browsers that work with carl for HTTPS-over-HTTP to set up Gemini-over-HTTP. You’d “just” have to write the Gemini client, and either send Gemtext as
text/plainor translate it to HTML. Then you teach the browser about a new protocol proxygeminionlocalhost:port.