Adding close_notify to the spec?
Michael Lazar
lazar.michael22 at gmail.com
Wed Nov 11 02:39:58 GMT 2020
On Sat, Nov 7, 2020 at 8:19 PM Scot <gmi1 at scotdoyle.com> wrote:
>
> Does anyone have any concerns about amending the spec to state that a TLS
> close_notify message should be sent before closing the TCP connection?
> While TLS guarantees the integrity of the data from the server, it does
> not guarantee completeness until a close_notify is received by the client.
> Interested and able clients could then determine that they received a
> complete response.
>
> The sending of close_notify is discussed in section 6.1 of RFC 8446 [1].
>
> This approach was previously discussed on the list by Michael Lazar and
> solderpunk [2] [3] and kooda [4].
>
> <snip>
>
> You can inspect the TLS messages received from any server, including
> the close_notify message, with the included Python script [6].
>
> 130 out of 208 servers listed on GUS [5] send the close_notify
> message before disconnecting.
Thank you so much for this fantastic writeup! I agree with your conclusion
that close_notify should be explicitly called out in the gemini spec,
particularly in the transaction diagram under section 1.1.
I don't fault server authors for not implementing this correctly. If anything,
it just goes to show that TLS libraries are almost universally crappy and
unintuitive. We can't expect newcomers to gemini, many of whom are writing
their first server or trying out a new language, to know the inner workings of
TLS.
I took your code snippet and added it to my gemini portal at https://portal.mozz.us
Now anyone can view their TLS connection details, including if the `send_alert`
message was sent, by clicking on the [view cert] link at the top of the page.
Hopefully this helps out as a quick way to test connections.
- mozz
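The completeness check the thread describes, as an added example that is not part of this message or of Scot's script: a one-shot TLS server that either shuts the session down properly (close_notify) or just drops the TCP socket, and a client that tells the two apart even though the application data it received is identical. It assumes Python 3.8+ and an `openssl` binary on PATH for the throwaway certificate; GEMINI_RESPONSE, the request line and the loopback port are constructed for the demo.

```python
import os, socket, ssl, subprocess, tempfile, threading

GEMINI_RESPONSE = b"20 text/gemini\r\n# hello\r\n"  # constructed sample response

def make_self_signed_cert(directory):
    """Throwaway localhost certificate made with the openssl CLI (assumed installed)."""
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj",
                    "/CN=localhost", "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def serve_once(listener, certfile, keyfile, send_close_notify):
    """Answer one request, then either shut TLS down properly or just drop the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    tls = ctx.wrap_socket(listener.accept()[0], server_side=True)
    try:
        tls.recv(1024)  # the request line
        tls.sendall(GEMINI_RESPONSE)
        if send_close_notify:
            tls.unwrap()  # SSL_shutdown: sends close_notify and waits for the peer's
    finally:
        tls.close()  # SSLSocket.close() by itself sends no alert, only a TCP FIN

def fetch(port):
    """Return (body, complete); complete is True only if close_notify arrived before EOF."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed test cert only
    # Python on OpenSSL 3 sets OP_IGNORE_UNEXPECTED_EOF by default, which makes a bare
    # TCP close look exactly like close_notify; clear it so the difference is visible.
    ctx.options &= ~getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
    tls = ctx.wrap_socket(socket.create_connection(("127.0.0.1", port)), suppress_ragged_eofs=False)
    body, complete = b"", True
    try:
        tls.sendall(b"gemini://localhost/\r\n")
        while chunk := tls.recv(4096):  # b"" is returned only once close_notify has arrived
            body += chunk
        tls.unwrap()  # answer the server's close_notify with our own
    except ssl.SSLEOFError:  # "EOF occurred in violation of protocol": the TCP side just closed
        complete = False
    finally:
        tls.close()
    return body, complete

def run_demo(send_close_notify):
    with tempfile.TemporaryDirectory() as tmp, socket.create_server(("127.0.0.1", 0)) as listener:
        cert, key = make_self_signed_cert(tmp)
        server = threading.Thread(target=serve_once, args=(listener, cert, key, send_close_notify))
        server.start()
        result = fetch(listener.getsockname()[1])
        server.join()
    return result
```

Both runs return the same bytes; only the `complete` flag differs, which is why a client that reads until EOF cannot tell a full response from a truncated one unless the server sends close_notify and the TLS library is told not to paper over its absence.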