[ANN] tanelorn.city: a public gemini host for writers
solderpunk
solderpunk at SDF.ORG
Fri Jun 12 17:43:25 BST 2020
On Fri, Jun 12, 2020 at 06:39:22PM +0200, tastytea wrote:
> If I interpret the output from `openssl s_client`¹ correctly, the CN of
> the certificate is set to “Matthew Graybosch”, not a “tanelorn.city”,
> as it is custom for HTTPS. However, while the specification states in
> 4.2 that “Clients can validate TLS connections however they like”, it
> recommends a “lightweight "TOFU" certificate-pinning system” without
> mentioning hostname validation.

I guess various best practices for non-conventional certificate
validation should be hashed out in, well, the best practices doc, or
even a dedicated document.

For what it's worth, AV-98 expects either the Subject CN or one of the
SubjectAlternativeNames to match the hostname in the URL it's trying to
fetch and will complain otherwise. I can visit tanelorn.city just fine,
so I guess there's a valid SAN that perhaps Bombadillo isn't seeing?

Cheers,
Solderpunk
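
An added example, not part of the original message and not AV-98's or Bombadillo's code: the two checks discussed in this thread, a hostname match against the Subject CN or DNS SANs and a TOFU pin comparison, written in Python. The certificate dicts follow the shape returned by `ssl.getpeercert()`; the SAN entry and certificate bytes are constructed samples, and all function names are hypothetical.

```python
import hashlib

def cert_names(cert):
    """Split an ssl.getpeercert()-style dict into (common names, DNS SANs)."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans

def name_matches(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def hostname_ok(cert, host):
    """True if the Subject CN or any DNS SAN matches the URL's hostname."""
    cns, sans = cert_names(cert)
    return any(name_matches(n, host) for n in cns + sans)

def tofu_check(pins, host, der_bytes):
    """Pin the SHA-256 of the certificate on first use, compare afterwards."""
    fp = hashlib.sha256(der_bytes).hexdigest()
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "first-use"
    return "match" if known == fp else "changed"

# Constructed samples: the CN is the one quoted in the thread; the SAN entry
# and the certificate bytes are made up for illustration.
CN_ONLY = {"subject": ((("commonName", "Matthew Graybosch"),),)}
WITH_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "tanelorn.city"),))

if __name__ == "__main__":
    pins = {}
    for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN)):
        print(label, "hostname ok:", hostname_ok(cert, "tanelorn.city"))
    print(tofu_check(pins, "tanelorn.city", b"constructed-cert-A"))
    print(tofu_check(pins, "tanelorn.city", b"constructed-cert-A"))
    print(tofu_check(pins, "tanelorn.city", b"constructed-cert-B"))
```

A client that only pins would record the CN-only certificate on first use, while a client that also runs the hostname check would reject it, which is one way two clients can disagree about the same host.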