TLS certificate sizes in Geminispace
Paul Warren
pwarren at pwarren.id.au
Sat Jun 27 11:37:17 BST 2020
G'day!
I've put an ed25519 based cert on gemini://gem.pwarren.id.au/ which is
being served out by the latest gemserv.
I generated it on debian with openssl 1.1.1d via:
$ openssl genpkey -algorithm ED25519 > gemkey.pem
$ openssl req -x509 -key gemkey.pem -subj "/CN=gem.pwarren.id.au" \
    -reqexts SAN -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:gem.pwarren.id.au,DNS:gemini.pwarren.id.au,DNS:gemini.lan")) \
    -out gemnew.pem -days 3600
I'm not sure if SANs are really required for Gemini; I think with the
TOFU idea it's only the hash that matters?
The new cert is 489 bytes vs the 1830 for the old RSA-keyed certificate
(in PEM format); most of my content so far is < 2000 bytes!
Cheers
--
Paul
On 27/6/20 6:58 pm, solderpunk wrote:
> ----- Forwarded message from solderpunk <solderpunk at SDF.ORG> -----
>
> Date: Fri, 26 Jun 2020 15:57:59 +0000
> From: solderpunk <solderpunk at SDF.ORG>
> To: Gemini application layer protocol <gemini at lists.orbitalfox.eu>
> Subject: Re: TLS certificate sizes in Geminispace
>
> On Fri, Jun 26, 2020 at 05:05:22PM +0200, Felix Queißner wrote:
>>> This makes me think it's an error with the server, as opposed to the ED25519 key; I'd love to try another server with this type of certificate for testing.
>> Using Kristall works and it's blazingly fast, seems to be a correct
>> server configuration
>>
>
> Hmm, I think SDF's mail server must be having issues, I'm not seeing
> other posts to this thread, even my own replies, but I can see them at
> Sloum's Gemini mirror of the list. I'll send this now in the hopes it
> gets through eventually...
>
> I think perhaps it is, indeed, the case that older versions of OpenSSL
> will choke on this. That *sucks*. I know this is a big problem with
> the web, but the web, by virtue of being mostly a commercial enterprise,
> needs to support janky old clients because the people using them still
> have good money. I figured that since there *are* no janky old Gemini
> clients, we would not be bitten by this kind of thing.
>
> Okay, perhaps everybody jumping to ED25519 right now is not viable, but
> it should be a medium-term goal and, in the meantime, we can figure out
> what the smallest possible widely supported certificate is (without
> doing silly things like using tiny key sizes), and build tools / write
> docs to help folks generate them.
>
> Cheers,
> Solderpunk
>
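As an added example (not part of this post, and not gemserv's code), here is a POSIX shell script that reproduces the size comparison above: it generates a self-signed ed25519 certificate and an RSA-2048 one with the same SAN list, using a small temporary OpenSSL config instead of splicing /etc/ssl/openssl.cnf through process substitution, then reports each PEM file's size, the SHA-256 fingerprint a TOFU client would pin, and the SAN list as parsed back from the certificate. The hostnames and file names are constructed placeholders, and it assumes OpenSSL 1.1.1 or newer, which ED25519 keys need anyway.

```shell
#!/bin/sh
# Added example, not code from the original post or from gemserv.
# Generates a self-signed ed25519 cert and an RSA-2048 cert with the same
# SANs, then compares PEM sizes and prints the SHA-256 fingerprint that a
# TOFU client would pin. Assumes OpenSSL >= 1.1.1 (needed for ED25519).
# Hostnames and file names are constructed placeholders.

# gen_cert ALGO PREFIX CN SANS
#   ALGO is "ed25519" or "rsa"; writes PREFIX.key, PREFIX.cnf and PREFIX.crt.
#   A small temporary config replaces the openssl.cnf + [SAN] splice.
gen_cert() {
    algo=$1; prefix=$2; cn=$3; sans=$4
    if [ "$algo" = "ed25519" ]; then
        openssl genpkey -algorithm ED25519 -out "$prefix.key" 2>/dev/null
    else
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$prefix.key" 2>/dev/null
    fi
    cat > "$prefix.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = $sans
EOF
    openssl req -x509 -key "$prefix.key" -config "$prefix.cnf" \
        -subj "/CN=$cn" -days 3600 -out "$prefix.crt" 2>/dev/null
}

# pem_size FILE: size of the PEM file in bytes
pem_size() { wc -c < "$1" | tr -d ' '; }

# fingerprint FILE: SHA-256 over the DER encoding, the value a TOFU client pins
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# cert_sans FILE: the subjectAltName list as parsed back from the cert
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}

# compare_sizes DIR: generate both certs in DIR and report on them
compare_sizes() {
    sans="DNS:gem.example.net,DNS:gemini.example.net"
    gen_cert ed25519 "$1/ed" gem.example.net "$sans"
    gen_cert rsa "$1/rsa" gem.example.net "$sans"
    echo "ed25519 cert:  $(pem_size "$1/ed.crt") bytes  fp=$(fingerprint "$1/ed.crt")"
    echo "rsa-2048 cert: $(pem_size "$1/rsa.crt") bytes  fp=$(fingerprint "$1/rsa.crt")"
    echo "SANs in ed25519 cert: $(cert_sans "$1/ed.crt")"
}

tmp=$(mktemp -d)
compare_sizes "$tmp"
rm -rf "$tmp"
```

Run it with sh; the SAN read-back is there because, whatever a TOFU client pins, openssl verify and most TLS libraries match the requested hostname against the SAN list rather than the CN, so a certificate carrying only a CN can be rejected by any client that does hostname checking.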