~sircmpwn/gmni-devel

Upcoming changes to TLS support in gmni & gmnisrv

Message ID: <C9OP3QNDE38Y.2X56ETVQZRR7L@taiga>
Hello! There are soon to be some changes to my Gemini software's TLS
support. I am rewriting both to use BearSSL instead of OpenSSL, and
making some refinements while I'm at it. Some of these will affect
end-users.

Naturally, when you pull down the code again, you'll have to install
BearSSL's development package. BearSSL is not yet widely available:

https://repology.org/project/bearssl/versions

But your distro will probably add it if you ask nicely.

Additionally, the format of known_hosts is changing. The hashes are the
same, but we're no longer using the expiration time. Server operators
are advised to generate long-lived certificates - a few hundred years
should do the trick. In order to avoid breaking compatibility with any
software which reads our known hosts file at
~/.local/share/gemini/known_hosts, we're moving it to our private
directory at ~/.local/share/gmni/. The software will tolerate the old
format, so you can copy your known_hosts file over, or you can simply
start fresh and re-trust hosts as you encounter them in geminispace.

Many breaking changes have been made to libgmni, and a few more may be
in store. If you're a downstream user, you'll have to make some changes,
and prepare for more in the foreseeable future. The plan is to abstract
most, if not all, of the TLS details away from library users entirely.
With the completion of this API work, and the addition of client-side
certificate support in the near future, I will be tagging gmni 1.0.

gmnisrv has not yet been migrated to BearSSL, and it's not a high
priority for me right now, but I intend to put in the work before
calling it 1.0 (patches welcome if you want to help). I have already
changed the default certificate expiration to the far future, so if
you're up to date, when your certificates roll over next you'll get a
long-lived cert.