CGI and client certificate, or do we need a CGI spec
Michael Lazar
lazar.michael22 at gmail.com
Mon Nov 30 02:32:41 GMT 2020
On Sun, Nov 29, 2020 at 8:32 PM <colecmac at protonmail.com> wrote:
>
> One important thing to standardize is how TLS_CLIENT_HASH is
> calculated. Otherwise CGI scripts will not be able to recognize
> clients again if the server software changes.
>
> makeworld
I think that jetforce is the odd duckling here. I'm the only one using base64
for hashes. This was discussed a while ago on the mailing list and I declared
that I would switch if a consensus was reached [0]. IIRC the discussion kind of
petered out after that...
So I will say right now, unless there's strong opposition, that I'm going to
change TLS_CLIENT_HASH to "SHA256:<HASH>" where <HASH> is the uppercase hex
representation of the certificate hash, with *no* colons in it. This change
will be made in the next release of jetforce, with TLS_CLIENT_HASH_B64 kept as
a backwards-compatible env var to make the transition easier for any existing
CGI scripts.
Is anybody currently using the certificate hash in their CGI scripts? I am very
curious because I haven't seen many real uses of client certs in gemini thus
far.
- Michael
[0] https://lists.orbitalfox.eu/archives/gemini/2020/001529.html
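As an added illustration of the two fingerprint forms discussed in this thread (this is example code written for this page, not jetforce's own implementation), the block below computes the proposed "SHA256:<uppercase hex, no colons>" value and the base64 form, and shows how a CGI script could accept either so it keeps recognising clients across the transition. Assumptions not stated in the message: the hash is SHA-256 over the full DER-encoded certificate, the base64 form is standard base64 of the raw digest, and the certificate bytes, function names and the `known` client table are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed stand-in for a client certificate's DER bytes. A real server gets
# these from the TLS layer, e.g. ssl.SSLSocket.getpeercert(binary_form=True);
# the content here is arbitrary and only exists so the example runs offline.
SAMPLE_DER_CERT = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed client cert"

# Second constructed certificate so the lookup below has a negative case.
OTHER_DER_CERT = b"\x30\x82\x01\x0a" + bytes(reversed(range(256))) + b"another cert"


def cert_sha256(der_cert: bytes) -> bytes:
    """SHA-256 over the whole DER-encoded certificate (assumed hash input)."""
    return hashlib.sha256(der_cert).digest()


def tls_client_hash(der_cert: bytes) -> str:
    """Proposed TLS_CLIENT_HASH form: 'SHA256:' + uppercase hex, no colons."""
    return "SHA256:" + cert_sha256(der_cert).hex().upper()


def tls_client_hash_b64(der_cert: bytes) -> str:
    """Assumed TLS_CLIENT_HASH_B64 form: standard base64 of the raw digest."""
    return base64.b64encode(cert_sha256(der_cert)).decode("ascii")


def canonical_fingerprint(value: str) -> bytes:
    """Normalise either env var value to the raw 32-byte digest.

    Accepts 'SHA256:<hex>' (any case; colon-separated hex is tolerated for
    servers that still emit it) or bare base64. Anything else raises
    ValueError so a CGI script fails closed instead of silently matching nothing.
    """
    value = value.strip()
    if value.upper().startswith("SHA256:"):
        hexpart = value[len("SHA256:"):].replace(":", "")
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", hexpart):
            raise ValueError("malformed SHA256 fingerprint")
        return bytes.fromhex(hexpart)
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("fingerprint is neither SHA256:hex nor base64") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("base64 fingerprint is not a SHA-256 digest")
    return raw


def lookup_client(environ: Dict[str, str], known: Dict[str, bytes]) -> Optional[str]:
    """What a CGI script would do: read the new variable first, fall back to the
    legacy one, and compare against stored raw digests in constant time."""
    for var in ("TLS_CLIENT_HASH", "TLS_CLIENT_HASH_B64"):
        if var in environ:
            presented = canonical_fingerprint(environ[var])
            for name, stored in known.items():
                if hmac.compare_digest(presented, stored):
                    return name
            return None  # a certificate was presented but is not known
    return None  # no client certificate at all


if __name__ == "__main__":
    known = {"alice": cert_sha256(SAMPLE_DER_CERT)}  # constructed client table
    print(tls_client_hash(SAMPLE_DER_CERT))
    print(tls_client_hash_b64(SAMPLE_DER_CERT))
    print(lookup_client({"TLS_CLIENT_HASH": tls_client_hash(SAMPLE_DER_CERT)}, known))
    print(lookup_client({"TLS_CLIENT_HASH_B64": tls_client_hash_b64(SAMPLE_DER_CERT)}, known))
```

Storing the raw digest rather than one textual form is what makes the script indifferent to which server software produced the variable; only the parsing at the boundary needs to know about the two encodings.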