CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)

Sean Conner sean at conman.org
Wed Jun 10 00:14:04 BST 2020


It was thus said that the Great solderpunk once stated:
> 
> (following Sean's lead for now, although I need to bring up some points
> for discussion about this in the near future).

  So I have two CGI scripts set up.  Both are in a "protected" area of the
server (on my development machine) that requires a client certificate.  One
receives *just* the RFC-3875 defined variables:

AUTH_TYPE=Certificate
GEMINI_DOCUMENT_ROOT=/home/spc/projects/gemini/non-checkin/cgi-bin
GEMINI_URL=gemini://lucy.roswell.area51/cgi-bin/beta/foobar?one=1&two=2
GEMINI_URL_PATH=/cgi-bin/beta/foobar
PATH_INFO=/foobar
PATH_TRANSLATED=/home/spc/projects/gemini/non-checkin/cgi-bin/foobar
QUERY_STRING=one=1&two=2
REMOTE_ADDR=::ffff:192.168.1.10
REMOTE_HOST=::ffff:192.168.1.10
REMOTE_USER=Sean Conner
REQUEST_METHOD=
SCRIPT_NAME=/home/spc/projects/gemini/non-checkin/cgi-bin/./beta
SERVER_NAME=lucy.roswell.area51
SERVER_PORT=1965
SERVER_PROTOCOL=GEMINI
SERVER_SOFTWARE=GLV-1.12556/1

  The AUTH_TYPE is "Certificate".  I choose that form because I'm following
the form of HTTP (RFC-2617, updated by RFC-7616) which defines "Basic" and
"Digest".  I know of another Gemini server that sets this to "CERTIFICATE".

  The REMOTE_USER is taken from the Common Name of the certificate subject. 
Right now, if a common name is not supplied, it won't be set (quirk of the
Lua language---I should probably do something about that).  I suppose as a
backup the certificate subject could be used, or perhaps the empty string
(allowed by the RFC---I just checked).

  The rest of the variables I've discussed elsewhere.

  So here's what happens when I enable TLS variables to be set (it's an
option for GLV-1.12556):

AUTH_TYPE=Certificate
GEMINI_DOCUMENT_ROOT=/home/spc/projects/gemini/non-checkin/cgi-bin
GEMINI_URL=gemini://lucy.roswell.area51/cgi-bin/alpha/foobar?one=1&two=2
GEMINI_URL_PATH=/cgi-bin/alpha/foobar
PATH_INFO=/foobar
PATH_TRANSLATED=/home/spc/projects/gemini/non-checkin/cgi-bin/foobar
QUERY_STRING=one=1&two=2
REMOTE_ADDR=::ffff:192.168.1.10
REMOTE_HOST=::ffff:192.168.1.10
REMOTE_USER=Sean Conner
REQUEST_METHOD=
SCRIPT_NAME=/home/spc/projects/gemini/non-checkin/cgi-bin/./alpha
SERVER_NAME=lucy.roswell.area51
SERVER_PORT=1965
SERVER_PROTOCOL=GEMINI
SERVER_SOFTWARE=GLV-1.12556/1
TLS_CIPHER=ECDHE-RSA-CHACHA20-POLY1305
TLS_CLIENT_HASH=SHA256:0eab5867fcb5b30046120e4c29562e31b88c51b167b091aee4b4e66221645a20
TLS_CLIENT_ISSUER=/C=US/ST=FL/O=Conman Laboratories/OU=Security Division/CN=Conman Laboratories CA/emailAddress=ca at conman.org
TLS_CLIENT_ISSUER_C=US
TLS_CLIENT_ISSUER_CN=Conman Laboratories CA
TLS_CLIENT_ISSUER_O=Conman Laboratories
TLS_CLIENT_ISSUER_OU=Security Division
TLS_CLIENT_ISSUER_ST=FL
TLS_CLIENT_ISSUER_emailAddress=ca at conman.org
TLS_CLIENT_NOT_AFTER=2020-06-18T23:54:56Z
TLS_CLIENT_NOT_BEFORE=2019-06-19T23:54:56Z
TLS_CLIENT_REMAIN=9
TLS_CLIENT_SUBJECT=/C=US/ST=FL/L=Boca Raton/CN=Sean Conner/emailAddress=sean at conman.org
TLS_CLIENT_SUBJECT_C=US
TLS_CLIENT_SUBJECT_CN=Sean Conner
TLS_CLIENT_SUBJECT_L=Boca Raton
TLS_CLIENT_SUBJECT_ST=FL
TLS_CLIENT_SUBJECT_emailAddress=sean at conman.org
TLS_VERSION=TLSv1.2

  I modeled this behavior on Apache.  Apache uses the prefix "SSL_" for
these; I decided to change them to "TLS_".  I included most of what Apache
sends, but decided against the following fields:

	SSL_CIPHER_ALGKEYSIZE		no way to get this via libtls
	SSL_CIPHER_EXPORT			"
	SSL_CIPHER_USERKEYSIZE			"
	SSL_CLIENT_A_KEY			"
	SSL_CLIENT_A_SIG			"
	SSL_CLIENT_CERT			a copy of the client certificate
	SSL_CLIENT_CERT_CHAIN_n		one (of n) certificates in the
					client certificate chain
	SSL_CLIENT_M_SERIAL		no way to get this via libtls
	SSL_CLIENT_M_VERSION			"
	SSL_COMPRESS_METHOD			"
	SSL_SECURE_RENEG			"
	SSL_SERVER_A_KEY			"
	SSL_SERVER_A_SIG			"
	SSL_SERVER_CERT			a copy of the server certificate
	SSL_SERVER_M_SERIAL		no way to get this via libtls
	SSL_SERVER_M_VERSION			"
	SSL_SESSION_RESUMED			"
	SSL_TLS_SNI			covered by SERVER_NAME
	SSL_VERSION_INTERFACE		didn't care
	SSL_VERSION_LIBRARY		didn't care

  I copied what I thought was most important, dropped what I didn't
understand or care for, and that's that.  Certainly most of what I suspect
Gemini will be used for can probably be covered with just AUTH_TYPE and
REMOTE_USER, which is why I made the TLS_ variables optional.

  This also applies to my SCGI implementation, as they both share the same
code to generate the variables.  I will not be upset if the TLS_ variables
are deemed "off limits" and are not to be set at all.  I just added them as
a point of discussion.

  -spc
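
A CGI script that consumes the variables listed above, as an added example that is not part of the original post or of GLV-1.12556. It shows the checks a practitioner would want on the receiving end: AUTH_TYPE is compared case-insensitively (RFC 3875 makes the scheme name case-insensitive, and the post notes another server sends "CERTIFICATE"), authorization is keyed on TLS_CLIENT_HASH rather than on REMOTE_USER (a Common Name is whatever the issuing CA or a self-signed certificate says it is, so it identifies nobody on its own), the validity window is re-checked from TLS_CLIENT_NOT_BEFORE/NOT_AFTER, and the missing-REMOTE_USER quirk is handled with the fallback the post itself suggests. The allow-list, the fixed "now", and the sample environment (copied from the post's second listing) are constructed for the example; the Gemini status codes 20/60/61/62 are the standard ones.

```python
"""Authorization front-end for a Gemini CGI script driven by AUTH_TYPE,
REMOTE_USER and the TLS_CLIENT_* variables described in the post."""
import os
import sys
from datetime import datetime, timezone

# Constructed sample environment: values copied from the post's second
# listing, with a fixed clock so the example is repeatable offline.
SAMPLE_ENV = {
    "AUTH_TYPE": "Certificate",
    "REMOTE_USER": "Sean Conner",
    "TLS_CLIENT_HASH": "SHA256:0eab5867fcb5b30046120e4c29562e31b88c51b167b091aee4b4e66221645a20",
    "TLS_CLIENT_SUBJECT": "/C=US/ST=FL/L=Boca Raton/CN=Sean Conner/emailAddress=sean at conman.org",
    "TLS_CLIENT_SUBJECT_CN": "Sean Conner",
    "TLS_CLIENT_NOT_BEFORE": "2019-06-19T23:54:56Z",
    "TLS_CLIENT_NOT_AFTER": "2020-06-18T23:54:56Z",
}
SAMPLE_NOW = datetime(2020, 6, 10, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2020, 7, 1, 0, 0, 0, tzinfo=timezone.utc)   # after NOT_AFTER

# Hypothetical allow-list.  Identity is pinned to the certificate fingerprint,
# not to the Common Name: any CA (or a self-signed cert) can carry CN="Sean Conner",
# so REMOTE_USER alone must never be the authorization decision.
ALLOWED_HASHES = {
    SAMPLE_ENV["TLS_CLIENT_HASH"]: "sean",
}


def parse_utc(value):
    """Parse the ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' form the server emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_remaining(env, now):
    """Days until the client certificate expires, computed locally instead of
    trusting TLS_CLIENT_REMAIN (the post does not define its exact semantics)."""
    return (parse_utc(env["TLS_CLIENT_NOT_AFTER"]) - now).days


def display_name(env):
    """REMOTE_USER may be unset when the cert has no CN (a quirk the post
    mentions); fall back to the full subject, then to the empty string."""
    return env.get("REMOTE_USER") or env.get("TLS_CLIENT_SUBJECT") or ""


def authorize(env, now):
    """Return (gemini_status, meta, user).  60/61/62 are the client-certificate
    status codes of the Gemini protocol; 20 means success."""
    if env.get("AUTH_TYPE", "").lower() != "certificate" or "TLS_CLIENT_HASH" not in env:
        return 60, "Client certificate required", None
    try:
        not_before = parse_utc(env["TLS_CLIENT_NOT_BEFORE"])
        not_after = parse_utc(env["TLS_CLIENT_NOT_AFTER"])
    except (KeyError, ValueError):
        # The server is expected to validate dates itself; if it did not hand
        # them to us in a parseable form, refuse rather than guess.
        return 62, "Certificate not valid", None
    if not (not_before <= now <= not_after):
        return 62, "Certificate not valid", None
    user = ALLOWED_HASHES.get(env["TLS_CLIENT_HASH"])
    if user is None:
        return 61, "Certificate not authorized", None
    return 20, "text/gemini", user


def response(env, now):
    """Build the complete Gemini response (status line + optional body)."""
    status, meta, user = authorize(env, now)
    head = f"{status} {meta}\r\n".encode()
    if status != 20:
        return head
    body = (
        f"# Hello, {display_name(env)}\r\n"
        f"Logged in as account '{user}' via certificate {env['TLS_CLIENT_HASH'][:19]}...\r\n"
        f"Your certificate expires in {days_remaining(env, now)} day(s).\r\n"
    )
    return head + body.encode()


if __name__ == "__main__":
    # Real CGI use: the server supplies the variables in the process environment.
    sys.stdout.buffer.write(response(os.environ, datetime.now(timezone.utc)))
```

Run it under the server as an ordinary CGI script, or call `response(SAMPLE_ENV, SAMPLE_NOW)` to see the success path. The fingerprint lookup is the point: REMOTE_USER is useful for greeting the user, but only TLS_CLIENT_HASH (or the full chain, which GLV-1.12556 does not pass) can tie the request to a key the operator has actually enrolled.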
