<feed xmlns='http://www.w3.org/2005/Atom'>
<title>gmnisrv/src/tls.c, branch main</title>
<subtitle>Fork of gmnisrv (Gemini server): full CA certificate chain (Let's Encrypt), TLS 1.3 only, handshake buffer-overflow fix
</subtitle>
<id>https://git.virebent.art/virebent/gmnisrv/atom?h=main</id>
<link rel='self' href='https://git.virebent.art/virebent/gmnisrv/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/'/>
<updated>2026-06-26T17:20:00+00:00</updated>
<entry>
<title>Serve CA full chain (Let's Encrypt), TLS 1.3, fix handshake buffer overflow</title>
<updated>2026-06-26T17:20:00+00:00</updated>
<author>
<name>Gab Virebent</name>
<email>gab@virebent.art</email>
</author>
<published>2026-06-26T17:20:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=fb48d1308d2f63f8e9b23c5d1d921783fa0dacbe'/>
<id>urn:sha1:fb48d1308d2f63f8e9b23c5d1d921783fa0dacbe</id>
<content type='text'>
- tls.c/config.h: read full PEM chain into STACK_OF(X509), send via SSL_set1_chain
- tls.c: minimum protocol TLS 1.2 -&gt; TLS 1.3
- server.c: drain handshake output via local buffer loop instead of staging
  into the fixed 4 KB client buffer (a full CA chain overflowed it -&gt; assert)
- FORK.md: describe the fork
</content>
</entry>
<entry>
<title>set session id context</title>
<updated>2021-08-27T07:48:07+00:00</updated>
<author>
<name>mbays</name>
<email>mbays@sdf.org</email>
</author>
<published>2021-08-26T16:52:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=57835017523fbd269594bb63c2628017e11eb423'/>
<id>urn:sha1:57835017523fbd269594bb63c2628017e11eb423</id>
<content type='text'>
This is necessary now that client certificates are supported.
Without it, an attempt to resume a session fails with
"ssl_get_prev_session:session id context uninitialized".
</content>
</entry>
<entry>
<title>Create certificates which last 68 years (INT32_MAX seconds)</title>
<updated>2021-05-16T18:10:57+00:00</updated>
<author>
<name>Thomas Karpiniec</name>
<email>tkarpiniec@icloud.com</email>
</author>
<published>2021-05-15T03:38:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=53e4ce4abd53ced1a9b527cbcddebdc3f58ab0a9'/>
<id>urn:sha1:53e4ce4abd53ced1a9b527cbcddebdc3f58ab0a9</id>
<content type='text'>
This avoids integer overflow on 32-bit architectures.
</content>
</entry>
<entry>
<title>Fix integer overflow error in tls.c</title>
<updated>2021-03-24T12:02:48+00:00</updated>
<author>
<name>bacardi55</name>
<email>bac@rdi55.pl</email>
</author>
<published>2021-03-23T19:04:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=8b65e303b01fc573cb1c40a365fb5db166146a37'/>
<id>urn:sha1:8b65e303b01fc573cb1c40a365fb5db166146a37</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Move certificate expiration into the far future</title>
<updated>2021-03-04T16:04:46+00:00</updated>
<author>
<name>Drew DeVault</name>
<email>sir@cmpwn.com</email>
</author>
<published>2021-03-04T16:04:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=f23ec10a6d66c574bbf718c4b10f2cf91ea8daef'/>
<id>urn:sha1:f23ec10a6d66c574bbf718c4b10f2cf91ea8daef</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Send client certificate hash for CGI scripts.</title>
<updated>2021-02-11T14:19:16+00:00</updated>
<author>
<name>nytpu</name>
<email>alex@nytpu.com</email>
</author>
<published>2021-02-11T01:14:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=ae7ca3db3983321c0ada8416cc19f17190802f38'/>
<id>urn:sha1:ae7ca3db3983321c0ada8416cc19f17190802f38</id>
<content type='text'>
Set SSL_VERIFY_PEER to request a client certificate from the server,
when available.  Have to shim the certificate verification function or
else it will fail on self-signed client certs.

In serve_cgi retrieve client certificate, create a fingerprint, and set
proper environment variables.  It's pretty barebones; it doesn't parse
the certificate to give any other useful info like the common name, but
it's acceptable IMO.  For most CGI uses the fingerprint is the only
thing that is needed anyway.
</content>
</entry>
<entry>
<title>Use v3 X509 certificate</title>
<updated>2021-02-05T15:39:21+00:00</updated>
<author>
<name>Matt Keeter</name>
<email>matt.j.keeter@gmail.com</email>
</author>
<published>2021-02-03T01:33:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=d1ccb60a52d2f6d91ec65d575927afc7039df0b6'/>
<id>urn:sha1:d1ccb60a52d2f6d91ec65d575927afc7039df0b6</id>
<content type='text'>
This fixes an issue where rustls failed to validate the X509v1 certificate.

Tested with Amfora, av-98, and titan (https://github.com/mkeeter/titan)

This requires fresh certificates, which could break clients with strict
trust-on-first-use policies; unfortunately, it doesn't appear to be possible
to migrate v1 certificates to v3.
</content>
</entry>
<entry>
<title>Switch to using ECDSA (secp384r1) keys</title>
<updated>2020-11-21T14:12:16+00:00</updated>
<author>
<name>Mark Dain</name>
<email>mark@markdain.net</email>
</author>
<published>2020-11-21T13:56:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=cb2c84b0ad9aadd4c92d8ef978c2bfca578cd3c4'/>
<id>urn:sha1:cb2c84b0ad9aadd4c92d8ef978c2bfca578cd3c4</id>
<content type='text'>
</content>
</entry>
<entry>
<title>tls: fix crash when opening priv key for writing</title>
<updated>2020-11-08T14:38:04+00:00</updated>
<author>
<name>William Casarin</name>
<email>jb55@jb55.com</email>
</author>
<published>2020-11-07T18:57:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=ea40fb5a534d6e78d403140307b48f966e3d0719'/>
<id>urn:sha1:ea40fb5a534d6e78d403140307b48f966e3d0719</id>
<content type='text'>
The open syscall will return a negative value if the call fails. Switch
the check to look for this instead of 0.

before:

[gmnisrv] generating certificate for localhost
gmnisrv: src/tls.c:68: tls_host_gencert: Assertion `pf' failed.
abort (core dumped)  ./gmnisrv -C config.ini

after:

[gmnisrv] generating certificate for localhost
[gmnisrv] opening private key for writing failed: No such file or directory
[gmnisrv] TLS initialization failed

Signed-off-by: William Casarin &lt;jb55@jb55.com&gt;
</content>
</entry>
<entry>
<title>Overhaul network I/O to be async for real</title>
<updated>2020-10-25T18:50:07+00:00</updated>
<author>
<name>Drew DeVault</name>
<email>sir@cmpwn.com</email>
</author>
<published>2020-10-25T18:50:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.virebent.art/virebent/gmnisrv/commit/?id=1fe107875b05cc07cf62c714c0136026eef7b93a'/>
<id>urn:sha1:1fe107875b05cc07cf62c714c0136026eef7b93a</id>
<content type='text'>
Had to totally cut off OpenSSL from the network fd because obviously
OpenSSL is just going to wreck our shit
</content>
</entry>
</feed>
