Minimal client
defdefred
defdefred at protonmail.com
Wed Jul 1 23:11:10 BST 2020
netcat ?
freD.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday 2 July 2020 00:06, Phil Leblanc <philanc at gmail.com> wrote:
> Hi all,
>
> I am looking for a solution to build a small, statically linked,
> minimal gemini client. My focus at the moment is to implement the
> basic communication layer (including TLS!): just enough to send a
> request to a gemini host and receive a response.
>
> Has anybody already built such a client? any pointer or suggestion?
>
> Where I stand as of now:
>
> --- I discarded OpenSSL. Bad memories of building small static
> executables a long time ago. Maybe it has improved and I am just
> prejudiced.
>
> --- LibreSSL:
>
> - not TLS v1.3 yet, but definitely alive and moving there.
> - easily builds static libraries, but no modular build: I mean I
> found no way to build libraries/executable with only a limited set of
> crypto algorithms
> => executables are large: The openssl command (similar to the
> OpenSSL one) is 2.5 MB (built on Linux with Musl libc, fully static,
> -Os, stripped). They also include the OpenBSD 'nc' command which
> supports TLS connections - 2 MB (for reference I have a small static
> nc without TLS support which is 50KB)
>
> --- BearSSL
>
> - very nice code. An impressive feat for a one-man project (Thomas Pornin)
> - not yet at TLS-1.3. The code looks maintained but I don't know if
> it is actively developed. I saw no sign of ed25519 cert signing, but
> may be wrong here.
>
> - code size: the whole libbearssl.a is ~ 860KB, basic client and
> server examples are in the 150KB range, which is very nice.
>
> --- WolfSSL
>
> - supports TLS-1.3. Is actively maintained by a company targeting
> embedded systems (but the code is GPL)
>
> - I don't know yet how to properly build small code, but with a
> default support for only TLS-1.3, and no ed25519 cert support, I could
> build basic client/server examples at ~ 260 KB.
>
> --- MatrixSSL
>
> - supports TLS-1.3 but the code of the last public (GPL) version
> hasn't changed in the last 6 months.
>
> - I have not yet succeeded in building static working examples with
> a cross compiler. So I don't have ballpark code size figures.
>
> --- Busybox ssl_client
>
> - some TLS support has been added in the recent busybox trees, based
> on MatrixSSL code. As they say, "enough TLS to allow the busybox wget
> applet to retrieve a kernel source" from https://kernel.org/
>
> - I built the ssl_client applet as a standalone static exe: 71 KB
> - it supports TLS-1.2 with a very limited set of crypto algos, and
> no cert validation.
>
> - I tried for fun to retrieve with it the root pages from all the
> gemini sites listed on Gus / known hosts: On a total of 116 sites, it
> managed to get 98 root pages and 18 TLS errors (I lack detailed error
> causes, but apparently mostly missing algos, and maybe some unsupported
> curves for ECDH(E)) -- not so bad for such a small "client" - but
> clearly not enough for real use.
>
> Obviously, a big part of the equation is the evil number of
> combinations of ciphers, hashes and key exchange algos. Any guideline
> or best practice document about what ciphers/algos Gemini servers
> should minimally support would help immensely!
>
> Again, any suggestion on how to build a small, static SSL client is
> more than welcome. Thanks in advance,
>
> Phil
>
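The "basic communication layer" Phil describes (open a TLS connection, send one request line, read one response) is small enough to show end to end. The following Python client is an added example written for this page; it is not code from either poster and not from any of the TLS libraries compared above. It assumes the Gemini wire format (request = absolute URL + CRLF, at most 1024 bytes; response = two-digit status, space, meta, CRLF, then body) and the default port 1965. The `fetch` function needs a network; the request builder and response parser run offline on constructed sample data. Because Gemini servers commonly use self-signed certificates, the client records the SHA-256 fingerprint of the peer certificate so a caller can do trust-on-first-use comparison instead of silently skipping validation the way the busybox `ssl_client` does.

```python
"""Minimal Gemini client: TLS connection, request line, response header parsing.

Added example (not from the mailing-list thread). Wire format per the Gemini
spec as understood by the author of this example; port 1965 is the default.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

GEMINI_PORT = 1965
MAX_REQUEST_BYTES = 1024   # request line limit, excluding the trailing CRLF
MAX_META_BYTES = 1024      # meta field limit in the response header


@dataclass
class Response:
    status: int                      # 20 = success, 3x = redirect, 4x/5x = failure, 6x = client cert
    meta: str                        # MIME type for 2x, redirect target for 3x, message otherwise
    body: bytes = b""
    cert_sha256: Optional[str] = None  # hex fingerprint of the server certificate (for TOFU)


def build_request(url: str) -> bytes:
    """A Gemini request is the absolute URL followed by CRLF, at most 1024 bytes."""
    if not url.startswith("gemini://"):
        raise ValueError("only gemini:// URLs are supported")
    data = url.encode("utf-8")
    if len(data) > MAX_REQUEST_BYTES:
        raise ValueError("request URL exceeds 1024 bytes")
    return data + b"\r\n"


def parse_response(raw: bytes) -> Response:
    """Split '<STATUS> <META>\\r\\n<BODY>' into parts, rejecting malformed headers."""
    header, sep, body = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("response header not terminated by CRLF")
    if len(header) < 2 or not header[:2].isdigit():
        raise ValueError("malformed status code")
    if len(header) > 2 and header[2:3] != b" ":
        raise ValueError("status must be followed by a space")
    meta_bytes = header[3:]
    if len(meta_bytes) > MAX_META_BYTES:
        raise ValueError("meta field too long")
    return Response(status=int(header[:2]),
                    meta=meta_bytes.decode("utf-8", errors="replace"),
                    body=body)


def make_tls_context(verify_ca: bool = False) -> ssl.SSLContext:
    """TLS 1.2 or newer. CA verification is off by default because Gemini relies on
    trust-on-first-use; callers should compare Response.cert_sha256 across visits."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_ca:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url: str, timeout: float = 10.0, verify_ca: bool = False) -> Response:
    """Send one request over TLS and return the parsed response (requires network)."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or GEMINI_PORT
    if not host:
        raise ValueError("URL has no host")
    ctx = make_tls_context(verify_ca)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            fingerprint = hashlib.sha256(der).hexdigest()
            tls.sendall(build_request(url))
            while True:                    # read until the server closes the connection
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    resp = parse_response(b"".join(chunks))
    resp.cert_sha256 = fingerprint
    return resp


if __name__ == "__main__":
    # Constructed sample response, parsed offline; fetch() is only called with a real host.
    sample = b"20 text/gemini\r\n# Hello from a constructed sample\n"
    r = parse_response(sample)
    print(r.status, r.meta, len(r.body))
```

A TOFU policy on top of this is a few lines: store `cert_sha256` keyed by host on first contact, and refuse (or at least warn) when a later visit returns a different fingerprint. Limiting `minimum_version` to TLS 1.2 mirrors the cipher and version floor that the busybox and BearSSL figures in the thread are measured against.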