~fsiefken

the netherlands

https://olin.monster

board games, dance, wearable computing, vr, buddhism

Trackers

~fsiefken/anamnesis

Last active 1 year, 10 days ago

#63 ssl accept error: [..] session id context uninitialized 1 year, 5 days ago

Ticket created by ~fsiefken on ~sircmpwn/gmni

When I query a local gmniserv server with the gemini client diohsc version 0.1.6.1, in the browser I get: ! HandshakeFailed Error_EOF when querying a second document after a first successful load of index.gmi. gmniserv shows:

127.0.0.1 anamnesis.org / 38ms 228 20 text/gemini

127.0.0.1 SSL accept error: error:140D9115:SSL routines:ssl_get_prev_session:session id context uninitialized

Other gemini clients work fine.

Search results for this error pointed to a TLS 1.3 incompatibility somewhere, either in diohsc or gmniserv. As there was a similar issue with another gemini server (dezhemini), I suspect it is gmnisrv, perhaps in combination with my linux distribution (pop_os 21.04) with OpenSSL 1.1.1j 16 Feb 2021. I could not reproduce this issue when browsing with diohsc to my gemini://fsiefken.srht.site - where I assume gmniserv is running as well.

See: https://todo.sr.ht/~rwv/dezhemini/1

And its solution, as rwv relates it:

"the problem occurred when using a client which supports TLS 1.3 "session reuse" aka resumption, causing the second hit on a dʒɛmɪni hosted capsule to fail at the handshake. Apparently I forgot to do a move in the OpenSSL ceremonial dance, namely set the session ID.

SSL_CTX_set_session_id_context

Fortunately racket does it for you when calling ssl-set-verify! but I didn't bother with it because I don't want verification because of TOFU. I was wrong and, have to admit, did not RTFM.

racket/openssl/ssl-set-verify! This also seems to fix a similar issue I was having when running dʒɛmɪni on OpenBSD and using the Ariane client for Android, second hit going bad at handshake. Weird thing was: it did not occur on capsules hosted on a GNU/Linux distribution."

https://gemini.susa.net:1993/cgi-bin/Proxy.sh?url=gemini%3A%2F%2Frwv%2Eio%2F2021-03-22-ann-dezhemini-bugfix%2Egmi

With another gemini server - gemserv (rust) - diohsc works ok.

Does gmniserv set the Session ID correctly?
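As an added check, not taken from the ticket, from gmnisrv or from diohsc: a small POSIX shell probe that uses openssl s_client -reconnect (one full handshake, then several reconnects that try to resume the session) to see whether a Gemini server accepts resumed TLS sessions, which is the condition that produces the error above. The host, the port and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ticket or from gmnisrv/diohsc.
# Assumptions: the openssl CLI is on PATH; host and port are placeholders.

# Classify s_client -reconnect output. A "Reused," line means the server
# accepted the resumed session; an alert or handshake error on a later
# connection is the client-side symptom of a server that rejects resumption
# (for example because it never set a session ID context).
classify_resumption() {
    out="$1"
    if printf '%s\n' "$out" | grep -qiE 'alert|handshake failure|unexpected eof'; then
        echo "broken: resumption attempt failed at the handshake"
    elif printf '%s\n' "$out" | grep -q '^Reused,'; then
        echo "ok: server resumed the TLS session"
    elif printf '%s\n' "$out" | grep -q '^New,'; then
        echo "no-resumption: full handshakes only, session was never reused"
    else
        echo "unknown: unexpected s_client output"
    fi
}

# Run the probe against a server (default port 1965, the Gemini port) and
# print the classification. stdin is closed so s_client does not wait on it.
probe_resumption() {
    host="$1"
    port="${2:-1965}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -reconnect </dev/null 2>&1)
    classify_resumption "$out"
}

# Usage (placeholder host): probe_resumption gemini.example.org 1965
```

A server that logs "session id context uninitialized" on the second request will show up here as "broken", while a server that never resumes at all (every connection a full handshake) is reported separately so the two cases are not confused.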

#18 Switch to some other TLS implementation 1 year, 5 days ago

Comment by ~fsiefken on ~sircmpwn/gmni

Mbed TLS: it's small, maintained, in use by the Dutch government, and it has an interesting background.

https://en.wikipedia.org/wiki/Mbed_TLS

https://os.mbed.com/questions/82073/TLS-13-is-now-official/

#1 create gemini index page 1 year, 10 days ago

~fsiefken assigned ~fsiefken to #1 on ~fsiefken/anamnesis

#1 create gemini index page 1 year, 10 days ago

Ticket created by ~fsiefken on ~fsiefken/anamnesis