From fb48d1308d2f63f8e9b23c5d1d921783fa0dacbe Mon Sep 17 00:00:00 2001
From: Gab Virebent
Date: Fri, 26 Jun 2026 19:20:00 +0200
Subject: Serve CA full chain (Let's Encrypt), TLS 1.3, fix handshake buffer overflow

- tls.c/config.h: read full PEM chain into STACK_OF(X509), send via SSL_set1_chain
- tls.c: minimum protocol TLS 1.2 -> TLS 1.3
- server.c: drain handshake output via local buffer loop instead of staging into the fixed 4 KB client buffer (a full CA chain overflowed it -> assert)
- FORK.md: describe the fork
---
 FORK.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 FORK.md

diff --git a/FORK.md b/FORK.md
new file mode 100644
index 0000000..fc3f889
--- /dev/null
+++ b/FORK.md
@@ -0,0 +1,40 @@ +# Virebent fork of gmnisrv + +This is a fork of [gmnisrv](https://git.sr.ht/~sircmpwn/gmnisrv), a small +Gemini server, with three patches that let it serve **CA-signed certificates +(e.g. Let's Encrypt)** instead of being limited to self-signed TOFU certs. + +## Why + +Upstream gmnisrv reads only the leaf certificate from the cert file +(`PEM_read_X509`) and never sends the intermediate chain, so clients cannot +build a path to a trusted root — CA validation always fails and you are stuck +with TOFU. agate has the same limitation by design. This fork makes a Gemini +capsule verifiable with a normal Let's Encrypt certificate. + +## Patches + +1. **Full certificate chain** — `tls_host_init` now reads every certificate in + the PEM (leaf + intermediates) into a `STACK_OF(X509)`, and `tls_set_host` + sends it with `SSL_set1_chain`. (`src/tls.c`, `include/config.h`) +2. **TLS 1.3 only** — minimum protocol bumped from TLS 1.2 to TLS 1.3. + (`src/tls.c`) +3. **Handshake buffer overflow fix** — the handshake flush staged the whole + TLS output into a fixed 4 KB buffer. A full CA chain (~5 KB) overflowed it + and aborted the process on an `assert` — a crash loop on any public port hit + by scanners. The flush now drains the write BIO through a local buffer in a + loop, like the response path already does. (`src/server.c`) + +## Build + +``` +./configure +# OpenSSL 3.x emits deprecation warnings for the EC self-signed generator; +# allow them through: +echo 'CFLAGS += -Wno-error=deprecated-declarations' >> .build/config.mk +make gmnisrv +``` + +Put the Let's Encrypt `fullchain.pem` as `/.crt` and +`privkey.pem` as `/.key`, and refresh them from a certbot +deploy hook on renewal. -- cgit v1.2.3
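Review bot: the install paths at the end of the hunk, `/.crt` and `/.key`, have lost their directory and host-name components (it looks like a bracketed placeholder was stripped), so as written they point at the filesystem root; spell the placeholders out, and say whether gmnisrv re-reads the files on its own or the certbot deploy hook must also restart or signal the server after copying them. Two smaller documentation points: patch 2 makes the server TLS 1.3 only, which turns away clients that can only negotiate TLS 1.2, and the bullet should state that trade-off and the reason for it; for patch 3 it would help to say whether the old 4 KB staging buffer was guarded only by the `assert`, since in a build with `NDEBUG` that guard is compiled out and the oversized chain would write past the buffer rather than abort. The claim that `agate has the same limitation by design` is unsupported in the text; link the relevant agate discussion or drop it.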