
Re: [gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]



On Sun, Feb 12, 2017 at 8:05 AM, Kim Holviala <kim@holviala.com> wrote:
> On 12 Feb 2017, at 14:02, Adam Thompson <arthompson1990@gmail.com> wrote:
>>
>> I wonder if there's any way to have opportunistic tls here (i.e. a starttls
>> equivalent)
>
> I almost started doing STARTTLS for Gophernicus... but it has two huge problems: you can always MITM a "silent" STARTTLS, which makes the encryption useless, and it uses the existing TCP connection, which makes TLS wrappers like Stunnel4 hard to do (but I already figured out a way to go around that problem).
>
> Also, what should the response to STARTTLS be?
>
> C: opens TCP connection to server
> C: STARTTLS
> S: WTF OMG OMG IT'S ALIVE!!!!
> C: bzzzzz trrr trrr trrr <TLS connection with proper selector request here>
> S: Happily serving the request
>
> So what should the server answer instead of WTF? The client needs to know the server is OK with the connection, and the client should probably re-request without STARTTLS if the server doesn't understand TLS.
>
> Sounds a bit complicated to me - but I don't have a better solution either.

This was exactly what I was thinking once on how to support this. I believe it could be done and be backwards compatible. Old clients would never send this "special resource request".

cheers
James
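The upgrade-and-fallback exchange sketched in the quoted message, as an added toy model that is not code from Gophernicus or from anyone in the thread: the selector "STARTTLS", the "+STARTTLS" acknowledgement line and the legacy type-3 error line are assumed names, and the strip_ack switch models the silent-downgrade problem Kim raises, which is why an opportunistic client also needs a require_tls policy.

```python
"""Toy model of a STARTTLS-style upgrade for Gopher (hypothetical, not a real extension).

Assumed convention: the client sends the selector "STARTTLS" as its first request line;
a TLS-capable server answers the single line "+STARTTLS" and then expects a TLS
handshake; a legacy server treats "STARTTLS" as an unknown selector and answers a
type-3 error item, which is the signal for the client to retry in plaintext.
"""
from dataclasses import dataclass

STARTTLS_REQUEST = "STARTTLS\r\n"
STARTTLS_ACK = "+STARTTLS\r\n"  # assumed acknowledgement line
# Constructed legacy reply: a gopher error item (type 3) followed by the terminating ".".
LEGACY_ERROR = "3'STARTTLS' doesn't exist!\t\terror.host\t1\r\n.\r\n"


@dataclass
class Server:
    supports_tls: bool

    def handle(self, request: str) -> str:
        # A TLS-aware server recognises the special selector; an old one does not,
        # so old clients that never send it are unaffected (backwards compatible).
        if request == STARTTLS_REQUEST:
            return STARTTLS_ACK if self.supports_tls else LEGACY_ERROR
        # Constructed plain menu: one informational (type i) line, then the terminator.
        return f"iresponse for {request.strip()}\t\terror.host\t1\r\n.\r\n"


def client_fetch(server: Server, selector: str, require_tls: bool,
                 strip_ack: bool = False) -> dict:
    """Opportunistic client: ask for STARTTLS first, fall back to plaintext unless
    require_tls is set. strip_ack models an on-path party replacing the ack with
    the legacy error; an opportunistic client cannot tell that from an old server."""
    reply = server.handle(STARTTLS_REQUEST)
    if strip_ack:
        reply = LEGACY_ERROR
    if reply == STARTTLS_ACK:
        # Real code would wrap the socket with ssl here; the model just records it.
        return {"tls": True, "body": server.handle(selector + "\r\n")}
    if require_tls:
        # Policy beats opportunism: refuse rather than silently downgrade.
        return {"tls": False, "body": None, "error": "server did not accept STARTTLS"}
    return {"tls": False, "body": server.handle(selector + "\r\n")}
```

The last two assertions in a test of this model are the interesting ones: with require_tls=False the stripped acknowledgement yields a successful plaintext fetch, and only require_tls=True turns the downgrade into a visible failure.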
_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project
