CGI, SCGI and Certificates (was Re: [ANN] Gemini browser for iOS)
Sean Conner
sean at conman.org
Wed Jun 10 05:38:31 BST 2020
It was thus said that the Great Michael Lazar once stated:
> On Tue, Jun 9, 2020 at 10:09 PM Sean Conner <sean at conman.org> wrote:
> >
> > It was thus said that the Great Michael Lazar once stated:
> > >
> > > I have a CGI debug script setup here [2] if anybody wants to poke holes in my
> > > implementation.
> > >
> > > [1] https://tools.ietf.org/html/rfc3875#section-3.3
> > > [2] gemini://mozz.us/cgi-bin/debug.cgi
>
> > I notice it doesn't set PATH_TRANSLATED
>
> I just didn't see a compelling reason to add it.
I think it may have something to do with Apache's rewrite rules. My blog
[1] is run via a CGI script, and I make extensive use of it to hide the fact
that I'm using a CGI script [2]. For example, the URL:

    http://boston.conman.org/about/technical.html

is routed through the following rewrite rule [3]:

    RewriteRule ^about/(.*) boston.cgi/about/$1 [L]

to give the final (internal) path of:

    /boston.cgi/about/technical.html

I then use PATH_TRANSLATED to find the actual file to display. No Gemini
server supports rewriting rules, but I don't see a reason why one couldn't.
> > and it always sets TLS_CIPHER and TLS_VERSION.
>
> Why not? These are just as useful even if the client doesn't send a
> certificate.
Fair enough.
> Some other differences in my server's CGI implementation (I used GLV as a
> reference implementation, so there are a lot of similarities too):
>
> TLS_CLIENT_HASH
>
> I'm using a base64-encoded representation of the hash. I like your notation of
> SHA256:<HEX> better, but it's too late now and I don't want to break backwards
> compatibility.
The format I use is from libtls---it was not my choice.
> TLS_CLIENT_SERIAL_NUMBER
>
> The client certificate serial number. I'm surprised that this isn't available
> in libtls.
I was surprised too when I saw TLS_CLIENT_SERIAL_NUMBER for the first time.
I may have to make an extension module to do some stuff that libtls can't
do.
> TLS_CLIENT_AUTHORISED
>
> Even though jetforce accepts unverified client certificates now, it will still
> check if the certificate is authorised anyway. This means both valid and trusted
> by the server's CA store. So this will be set to "1" for trusted and "0" for
> untrusted. I like this variable because it gives each CGI script the option to
> implement authentication however they want.
That makes sense. That's another thing that libtls makes a bit difficult.
-spc
[1] http://boston.conman.org/
[2] Not for security reasons, but for aesthetic reasons. I could change
the name of the CGI script and *none* of the URLs will change.
[3] I'd have to look up what the '[L]' does---it's been *that* long
since I've set this up.
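The PATH_TRANSLATED lookup and the TLS_CLIENT_AUTHORISED variable discussed above both land in the same place: a CGI script deciding which file to open and for which client. The following is an added example (not code from GLV, jetforce or either server) showing those two checks in Python; the document root, the environment dictionary and the pinned hash value are constructed for the example, and it assumes the server hands over PATH_INFO already URL-decoded as RFC 3875 requires.

```python
from pathlib import Path

# Constructed document root for the example; a real deployment would use its own.
DOC_ROOT = Path("/srv/gemini/about")


def resolve_under_root(path_info, root=DOC_ROOT):
    """Map the PATH_INFO / PATH_TRANSLATED suffix onto a file below root.

    Returns the resolved Path, or None when the request escapes root through
    '..' segments or a symlink, which is the check a rewrite-driven CGI script
    needs before opening whatever PATH_TRANSLATED points at.
    """
    relative = path_info.lstrip("/")          # keep Path from discarding root
    candidate = (root / relative).resolve()   # collapses '..' and follows symlinks
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None
    return candidate


def decide(environ, root=DOC_ROOT, pinned=frozenset()):
    """Return (status, meta, path) for a request, using Gemini status codes.

    TLS_CLIENT_AUTHORISED is '1' when the server's CA store trusts the client
    certificate; `pinned` is the script's own allow-list of TLS_CLIENT_HASH
    values, so either route can grant access, as the thread suggests.
    """
    target = resolve_under_root(environ.get("PATH_INFO", "/"), root)
    if target is None:
        return (59, "Bad request", None)
    cert_hash = environ.get("TLS_CLIENT_HASH", "")
    if not cert_hash:
        return (60, "Client certificate required", None)
    if environ.get("TLS_CLIENT_AUTHORISED") != "1" and cert_hash not in pinned:
        return (61, "Certificate not authorised", None)
    return (20, "text/gemini", target)


if __name__ == "__main__":
    # Constructed environment standing in for what the Gemini server would export.
    sample = {"PATH_INFO": "/technical.html",
              "TLS_CLIENT_HASH": "SHA256:0000constructed",
              "TLS_CLIENT_AUTHORISED": "0"}
    print(decide(sample, pinned={"SHA256:0000constructed"}))
```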