Client certificate musings

Sean Conner sean at conman.org
Thu May 28 23:13:44 BST 2020


It was thus said that the Great solderpunk once stated:
> As some of you may have read at
> gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/the-mercury-protocol.gmi,

  Ooh, I did not know this.

  Anyway, I just read it, and having written both a gopher server [1] and a
Gemini server [2], I think I can answer the questions you posed.

> How much more difficult is Gemini to implement than Mercury?

  This, I think, will depend upon the TLS libraries used.  It would take me
less than five minutes to adapt my Gemini server to a Mercury server.  At a
minimum, I would just have to change

	local tls = require "org.conman.nfl.tls"

	local okay,err = tls.listen(addr,port,main,function(conf)
	  -- options for TLS 
	  ...
	end)

to

	local tcp = require "org.conman.nfl.tcp"

	local okay,err = tcp.listen(addr,port,main) -- plain TCP, no TLS config

and remove the authentication block from the configuration, and ta-daaah!  I
have Mercury running.  But I was careful in my selection of TLS library and
I specifically picked the one I used [3] because of the ease it made using
TLS.  For the record, both my gopher server and Gemini server are *very*
similar in construction, and largely have feature-parity (sans TLS).

  I can't say for other TLS libraries---only the writers of other Gemini
servers (or clients) can say for sure how much complexity was added due to
TLS.  And as we're finding out, the client certificate support is a bit of
a mess, regardless of TLS library.

> What are the things Gemini can do which Mercury cannot?

  TLS.  And protection of an area of a Gemini site.

> How much do we value those things?

  TLS is valued quite a bit from what I see.  People are *still*
experimenting with TLS and gopher.

  I don't have much else to say about your post, or this message.  I think
the ease (or not) of TLS is an interesting conversation in its own right.

  -spc

[1]	https://github.com/spc476/port70

[2]	https://github.com/spc476/GLV-1.12556

[3]	It was a pain to install, but only because:

	1. it's a fork of OpenSSL
	2. I didn't want to blow out my current installation of OpenSSL

	It can be done though, and I should probably do a write up on it so
	others may have a chance of using GLV-1.12556, or even just know the
	joys of using libtls.
