[ANN] tanelorn.city: a public gemini host for writers
tastytea
tastytea+gemini at tastytea.de
Fri Jun 12 17:39:22 BST 2020
On 2020-06-12 11:36-0400 Matthew Graybosch <hello at matthewgraybosch.com>
wrote:
> On Fri, 12 Jun 2020 15:08:36 +0000
> colecmac at protonmail.com wrote:
>
> > Amen. Happy to have another server!
>
> Thanks.
>
> > However, in Bombadillo I get the error "Cert hostname does not
> > match". Make sure you're serving up the right certificate!
>
> Sorry to hear that!
>
> I just downloaded Bombadillo so I could see for myself, and checked my
> Gemserv config on kanajana. As far as I can tell my config is OK and
> I'm using the correct cert for each hostname, but the problem might be
> that kanajana isn't only serving tanelorn.city but demifiend.org and
> starbreaker.org as well.
>
> I'm not sure what to do about it, though since all three sites are
> accessible using Castor and bollux.
>
If I interpret the output from `openssl s_client`¹ correctly, the CN of
the certificate is set to “Matthew Graybosch”, not “tanelorn.city”,
as is customary for HTTPS. However, while the specification states in
4.2 that “Clients can validate TLS connections however they like”, it
recommends a “lightweight "TOFU" certificate-pinning system” without
mentioning hostname validation.
Kristall and elpher also show no error, by the way.
Kind regards, tastytea
¹ echo -e 'gemini://tanelorn.city\r\n\r\n' \
| openssl s_client -verify_hostname tanelorn.city tanelorn.city:1965
--
Get my PGP key with `gpg --locate-keys tastytea at tastytea.de` or at
<https://tastytea.de/tastytea.asc>.
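The thread contrasts two ways a Gemini client can judge a server certificate: hostname validation (the HTTPS habit Bombadillo applies, which fails when the CN is a person's name) and the TOFU pinning the spec recommends. The following is an added example, not code from tastytea, Matthew or any of the clients named above; the certificate dictionaries are constructed to mirror the shape `ssl.SSLSocket.getpeercert()` returns, and the hostnames from the thread are used only as sample input.

```python
"""Two certificate checks a Gemini client might perform (added example).

hostname_valid(): RFC 6125-style matching of the server name against the
certificate's SAN dNSNames (CN only as a fallback when no SAN is present).
tofu_check():     trust-on-first-use pinning of the certificate's SHA-256
fingerprint, the model the Gemini spec recommends.
"""
import hashlib
import socket
import ssl

# Constructed sample certificates, in the dict shape ssl.getpeercert() uses.
# PERSONAL_CERT models the situation in the thread: a CN that is a name, not
# a hostname, and no subjectAltName.
PERSONAL_CERT = {"subject": ((("commonName", "Matthew Graybosch"),),)}
# MULTI_CERT models one certificate covering all three hosts on one server.
MULTI_CERT = {
    "subject": ((("commonName", "tanelorn.city"),),),
    "subjectAltName": (
        ("DNS", "tanelorn.city"),
        ("DNS", "demifiend.org"),
        ("DNS", "starbreaker.org"),
    ),
}


def cert_names(cert):
    """DNS names the certificate claims: SAN entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard may only replace the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        rest = pattern[2:]
        if "." not in rest:          # refuse over-broad patterns like "*.city"
            return False
        _first, sep, host_rest = hostname.partition(".")
        return sep == "." and host_rest == rest
    return pattern == hostname


def hostname_valid(cert, hostname):
    """True if any name the certificate claims matches the hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, the usual pin value."""
    return hashlib.sha256(der_bytes).hexdigest()


def tofu_check(store, hostname, der_bytes):
    """Pin on first sight; afterwards report 'match' or 'mismatch'.

    `store` is a plain dict standing in for the client's on-disk pin file.
    """
    fp = fingerprint(der_bytes)
    pinned = store.get(hostname)
    if pinned is None:
        store[hostname] = fp
        return "new"
    return "match" if pinned == fp else "mismatch"


def fetch_peer_cert_der(hostname, port=1965):
    """Fetch the server certificate (DER) with SNI, accepting self-signed certs.

    Network call; not exercised offline. Note: with CERT_NONE the parsed
    getpeercert() dict is empty, so hostname_valid() on a self-signed cert
    needs the DER decoded by a library such as `cryptography` (assumption:
    that library is available; it is not used here). The DER is enough for
    tofu_check().
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    print("personal cert valid for tanelorn.city:",
          hostname_valid(PERSONAL_CERT, "tanelorn.city"))   # False
    print("multi cert valid for demifiend.org:",
          hostname_valid(MULTI_CERT, "demifiend.org"))      # True
    pins = {}
    der = b"constructed DER bytes"
    print(tofu_check(pins, "tanelorn.city", der),            # new
          tofu_check(pins, "tanelorn.city", der),            # match
          tofu_check(pins, "tanelorn.city", der + b"!"))     # mismatch
```

Run against the constructed data, `hostname_valid(PERSONAL_CERT, "tanelorn.city")` is false, which is exactly the condition a hostname-checking client reports, while `tofu_check` accepts the same certificate on first sight and only complains if the fingerprint later changes. A client that does both gets the spec's TOFU behaviour plus a warning when the certificate was clearly issued for something other than the host being visited.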