CGI and client certificate, or do we need a CGI spec
Sean Conner
sean at conman.org
Sun Nov 29 20:25:46 GMT 2020
It was thus said that the Great Remco once stated:
> Here's what they expose.
>
> # GLV-1.12556
>
> => https://github.com/spc476/GLV-1.12556/blob/13d52b63/Lua/GLV-1/gateway.lua#L156
>
> * AUTH_TYPE : "Certificate"
> * REMOTE_USER : client certificate X509 subject common name
> * TLS_CLIENT_HASH : certificate fingerprint
> * TLS_CLIENT_ISSUER : certificate X509 issuer
> * TLS_CLIENT_ISSUER_* : certificate X509 issuer sub fields
> * TLS_CLIENT_NOT_AFTER : certificate end date
> * TLS_CLIENT_NOT_BEFORE : certificate start date
> * TLS_CLIENT_REMAIN : certificate days left
> * TLS_CLIENT_SUBJECT : certificate X509 subject
> * TLS_CLIENT_SUBJECT_* : certificate X509 subject sub fields
When I wrote the CGI module for GLV-1.12556, I modelled mine after what
Apache did, but renamed the TLS environment variables to better names. I
figured why not? And it's not as if all of it is needed, but I was able to
send it.
Another aspect of GLV-1.12556 is that unless configured otherwise, a CGI
script called with a client certificate will *only* get AUTH_TYPE and
REMOTE_USER set. AUTH_TYPE and REMOTE_USER are required by the CGI spec.
> But that brings me to the real question here. Does gemini need a CGI
> spec? Given status code 42 for CGI errors, it kinda committed to
> something CGI-ish without actually stating what that is. The only
> server making the effort to implement CGI/1.1 is GLV but, IMHO, that
> isn't the kind of simplicity I am here for and it's a bit of a hack to
> be honest.
Don't be misled by GLV-1.12556. Supporting CGI/1.1 isn't hard---the
complexity I have is in supporting CGI scripts meant for the web and
possibly Apache. I did add the following variables for convenience:
GEMINI_DOCUMENT_ROOT = directory
GEMINI_SCRIPT_FILENAME = full_path_to_script
GEMINI_URL_PATH = location.path
GEMINI_URL = request
> GLV does manage to make CGI scripts more portable, whereas other servers
> don't really make the effort. For instance, some don't provide
> PATH_INFO but do provide PATH_TRANSLATED and others provide neither. I
> would like to share my CGI-scripts and have them run anywhere but to
> make sharing easier something like a spec would be nice. What do you
> think?
I think it's easy enough to follow RFC-3875 (the CGI/1.1 spec). It's not
that hard. It's just:
GATEWAY_INTERFACE = "CGI/1.1"
QUERY_STRING = location.query or "" -- Must be set
REMOTE_ADDR = auth._remote
REMOTE_HOST = auth._remote
SCRIPT_NAME = base
SERVER_NAME = location.host
SERVER_PORT = tostring(location.port)
SERVER_SOFTWARE = "GLV-1.12556/1"
AUTH_TYPE = "Certificate" -- only if client cert
REMOTE_USER = auth.subject.CN or "" -- only if client cert
PATH_INFO = ... okay, some explanation required [1]
PATH_TRANSLATED = ... okay, some explanation required [1]
Other variables are possible, but should be prefixed by the protocol name.
-spc
[1] These last two require a bit more explanation to set correctly that
I don't have time for in this message. I'll circle back to this
later tonight when I have a bit more time.
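As an added, runnable illustration of the variable list in this message (example code written for this page, not GLV-1.12556's gateway.lua), the function below maps a Gemini request onto the RFC 3875 meta-variables named above. It assumes the client certificate has already been parsed into a plain dict, that the server listens on 1965 when the URL carries no port, that the TLS_CLIENT_* names follow the quoted list (dates passed through as strings, only exposed when the server is configured to do so), and that the DN one-line rendering is /CN=.../O=... (an assumption; the real server may format it differently). PATH_INFO and PATH_TRANSLATED, which the message defers, are filled in here from RFC 3875's own definitions (decoded trailing path after SCRIPT_NAME, and that path mapped under the document root) rather than from the author's deferred explanation, with the check a practitioner wants: a decoded "../" in PATH_INFO must never map outside the document root. REQUEST_METHOD and SERVER_PROTOCOL, which RFC 3875 also requires but the message does not list, are left out as in the message.

```python
"""Build a CGI/1.1 (RFC 3875) environment for a Gemini request.

Added example for this page; not GLV-1.12556's code.  The client certificate
is assumed to be pre-parsed into a dict such as
{"subject": {"CN": "alice", "O": "Example"}, "issuer": {...}, "hash": "..."}.
"""
import posixpath
from urllib.parse import unquote, urlsplit

GEMINI_DEFAULT_PORT = 1965                    # Gemini's default port
SERVER_SOFTWARE = "example-gemini-server/0"   # hypothetical server name


def _dn_string(fields):
    """Render a DN dict as an OpenSSL-style one-liner, e.g. /CN=alice/O=Example.
    The rendering is an assumption for this example."""
    return "".join(f"/{k}={v}" for k, v in fields.items())


def build_cgi_env(request, remote_addr, script_name, document_root,
                  client_cert=None, expose_tls=False):
    """Return the CGI meta-variables for `request` served by `script_name`.

    Raises ValueError for requests that must not reach the script."""
    if "\x00" in request:
        raise ValueError("NUL byte in request")
    url = urlsplit(request)
    if url.scheme != "gemini" or not url.hostname:
        raise ValueError("not an absolute gemini:// URL")
    path = url.path or "/"

    # The script must match on a segment boundary: /cgi/hello must not
    # claim /cgi/helloworld.
    if path != script_name and not path.startswith(script_name + "/"):
        raise ValueError(f"{path!r} is not served by {script_name!r}")
    extra = path[len(script_name):]

    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "QUERY_STRING": url.query,       # RFC 3875: must be set, may be empty
        "REMOTE_ADDR": remote_addr,
        "REMOTE_HOST": remote_addr,      # no reverse lookup, as in the message
        "SCRIPT_NAME": script_name,
        "SERVER_NAME": url.hostname,
        "SERVER_PORT": str(url.port or GEMINI_DEFAULT_PORT),
        "SERVER_SOFTWARE": SERVER_SOFTWARE,
    }

    if extra:
        # RFC 3875 4.1.5: PATH_INFO is the URL-decoded path after SCRIPT_NAME.
        path_info = unquote(extra)
        root = posixpath.normpath(document_root)
        translated = posixpath.normpath(root + path_info)
        # Security check: PATH_TRANSLATED is a real filesystem path, so a
        # decoded "../" must never escape the document root.
        if translated != root and not translated.startswith(root + "/"):
            raise ValueError(f"PATH_INFO {path_info!r} escapes {root}")
        env["PATH_INFO"] = path_info
        env["PATH_TRANSLATED"] = translated
    # With no trailing path, PATH_INFO/PATH_TRANSLATED are left unset.

    if client_cert is not None:
        subject = client_cert.get("subject", {})
        # These two are all a script gets unless the server is configured
        # to expose more, matching the behaviour described in the message.
        env["AUTH_TYPE"] = "Certificate"
        env["REMOTE_USER"] = subject.get("CN", "")
        if expose_tls:
            issuer = client_cert.get("issuer", {})
            env["TLS_CLIENT_HASH"] = client_cert.get("hash", "")
            env["TLS_CLIENT_SUBJECT"] = _dn_string(subject)
            env["TLS_CLIENT_ISSUER"] = _dn_string(issuer)
            for k, v in subject.items():
                env[f"TLS_CLIENT_SUBJECT_{k}"] = v
            for k, v in issuer.items():
                env[f"TLS_CLIENT_ISSUER_{k}"] = v
            for key in ("not_before", "not_after", "remain"):
                if key in client_cert:
                    env["TLS_CLIENT_" + key.upper()] = str(client_cert[key])
    return env


def rejected(request, script_name="/cgi/hello", document_root="/srv/gemini"):
    """True if build_cgi_env refuses the request (used for the checks below)."""
    try:
        build_cgi_env(request, "192.0.2.1", script_name, document_root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request and certificate, for demonstration only.
    cert = {"subject": {"CN": "alice", "O": "Example"},
            "issuer": {"CN": "alice"}, "hash": "SHA256:0123abcd"}
    for k, v in sorted(build_cgi_env("gemini://example.org/cgi/hello/a/b?x=1",
                                     "192.0.2.1", "/cgi/hello", "/srv/gemini",
                                     client_cert=cert, expose_tls=True).items()):
        print(f"{k}={v}")
```

The `rejected` helper exists so the two failure modes that matter for a CGI gateway, a script-name prefix match on a partial segment and a percent-encoded traversal in PATH_INFO, can be checked without a running server.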