CGI and client certificate, or do we need a CGI spec
Remco
me at rwv.io
Thu Dec 3 16:30:31 GMT 2020
2020/11/30 03:32, Michael Lazar:
> On Sun, Nov 29, 2020 at 8:32 PM <colecmac at protonmail.com> wrote:
>>
>> One important thing to standardize is how TLS_CLIENT_HASH is
>> calculated. Otherwise CGI scripts will not be able to recognize
>> clients again if the server software changes.
>>
>> makeworld
>
> I think that jetforce is the odd duckling here. I'm the only one using base64
> for hashes. This was discussed a while ago on the mailing list and I declared
> that I would switch if a consensus was reached [0]. IIRC the discussion kind of
> petered out after that...
>
> So I will say right now, unless there's strong opposition, that I'm going to
> change TLS_CLIENT_HASH to "SHA256:<HASH>" where <HASH> is the uppercase hex
> representation of the certificate hash, with *no* colons in it. This change
> will be made in the next release of jetforce, with TLS_CLIENT_HASH_B64 being
> kept as a backwards-compatible env var to make the transition easier for any existing
> CGI scripts.
I like the TLS_CLIENT_HASH "SHA256:<HASH>" format and have
implemented it. Thanks for the link into the archives, I missed that.
BTW, shouldn't your TLS_CLIENT_HASH_B64 be TLS_CLIENT_HASH_SHA256_B64?
I am guessing it is a SHA256 hash?
Cheers,
R.
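As an added example (not code from this thread and not jetforce's own code), here is a Python sketch of the two encodings Michael describes, "SHA256:<HASH>" with uppercase hex and no colons versus the older base64 variable, together with the normalization a CGI script can apply so it keeps recognising a client whichever variable the server sets. The certificate bytes are constructed, and the legacy TLS_CLIENT_HASH_B64 encoding (standard base64 of the raw 32-byte SHA-256 digest) is an assumption, since the thread only guesses at it:

```python
import base64
import binascii
import hashlib
import re
from typing import Mapping, Optional

# Constructed placeholder standing in for a DER-encoded client certificate.
# A real CGI script never sees these bytes; the server hashes them and
# exports the result in the environment. Hashing arbitrary bytes is enough
# to show the encoding rules.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed client certificate bytes"

HEX_PATTERN = re.compile(r"[0-9A-Fa-f]{64}")


def tls_client_hash(cert_der: bytes) -> str:
    """The proposed TLS_CLIENT_HASH value: 'SHA256:' + uppercase hex, no colons."""
    return "SHA256:" + hashlib.sha256(cert_der).hexdigest().upper()


def tls_client_hash_b64(cert_der: bytes) -> str:
    """The legacy TLS_CLIENT_HASH_B64 value. Assumed here to be standard
    base64 of the raw 32-byte digest (the thread does not spell this out)."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def normalize_client_hash(value: str) -> str:
    """Canonicalize any spelling a server might export to 'SHA256:<HEX>'.

    Accepts 'SHA256:<hex>', bare hex in either case, hex with ':' separators
    (OpenSSL fingerprint style), and base64 of the raw digest. Anything else
    raises ValueError so a CGI script never silently accepts a malformed ID.
    """
    v = value.strip()
    if v[:7].upper() == "SHA256:":
        v = v[7:]
    compact = v.replace(":", "")
    if HEX_PATTERN.fullmatch(compact):
        return "SHA256:" + compact.upper()
    # Not hex: try base64. Pad to a multiple of 4 so unpadded input also decodes.
    try:
        raw = base64.b64decode(v + "=" * (-len(v) % 4), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"unrecognised client hash encoding: {value!r}") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"decoded hash is {len(raw)} bytes, expected 32: {value!r}")
    return "SHA256:" + raw.hex().upper()


def client_hash_from_environ(environ: Mapping[str, str]) -> Optional[str]:
    """Read the client identity from a CGI environment, preferring the new
    variable and falling back to the legacy one. Returns None when the
    request carried no client certificate."""
    for key in ("TLS_CLIENT_HASH", "TLS_CLIENT_HASH_B64"):
        value = environ.get(key)
        if value:
            return normalize_client_hash(value)
    return None


def is_known_client(environ: Mapping[str, str], allowed: set) -> bool:
    """Membership check against a stored allow-list of canonical hashes."""
    h = client_hash_from_environ(environ)
    return h is not None and h in allowed


if __name__ == "__main__":
    canonical = tls_client_hash(SAMPLE_CLIENT_CERT_DER)
    legacy = tls_client_hash_b64(SAMPLE_CLIENT_CERT_DER)
    print("new   :", canonical)
    print("legacy:", legacy, "->", normalize_client_hash(legacy))
    # A CGI script written against the old variable keeps recognising the client.
    print(is_known_client({"TLS_CLIENT_HASH_B64": legacy}, {canonical}))
```

The point of storing and comparing the canonical "SHA256:<HEX>" form rather than the raw environment string is that a change of server software, or of its hash encoding, then does not lock existing clients out; case and colon separators are presentation, not identity. Rejecting anything that is neither 64 hex digits nor a 32-byte base64 value also stops a misconfigured server from handing the script an empty or truncated identifier that would compare equal to nothing useful.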