[gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]

Kim Holviala kim at holviala.com
Sun Feb 12 16:05:02 UTC 2017


On 12 Feb 2017, at 14:02, Adam Thompson <arthompson1990 at gmail.com> wrote:
> 
> I wonder if there's any way to have opportunistic tls here (i.e. a starttls
> equivalent)

I almost started doing STARTTLS for Gophernicus... but it has two huge problems: you can always MITM a "silent" STARTTLS which makes the encryption useless, and it uses the existing TCP connection which makes TLS-wrappers like Stunnel4 hard to do (but I already figured out a way to go around that problem).

Also, what should the response to STARTTLS be?

C: opens TCP connection to server
C: STARTTLS
S: WTF OMG OMG IT'S ALIVE!!!!
C: bzzzzz trrr trrr trrr <TLS connection with proper selector request here>
S: Happily serving the request

So what should the server answer instead of WTF? The client needs to know the server is OK with the connection, and the client should probably re-request without STARTTLS if the server doesn't understand TLS.

Sounds a bit complicated to me - but I don't have a better solution either.



- Kim
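A small Python model of the exchange sketched above, added here as an illustration for the thread and not code from Gophernicus or the original mail; the "+OK TLS" acceptance line and the type-3 error item a TLS-unaware server returns are assumptions. It shows why a client that falls back silently cannot tell a stripped STARTTLS from a server that never understood it, and that only a client policy expecting TLS can notice.

```python
from dataclasses import dataclass, field

STARTTLS = b"STARTTLS\r\n"
ACCEPT = b"+OK TLS\r\n"                      # assumed acceptance line; not in any gopher spec
UNKNOWN = b"3'STARTTLS' not found\r\n.\r\n"  # assumed error item from a TLS-unaware server

@dataclass
class Server:
    supports_tls: bool
    plaintext_seen: list = field(default_factory=list)  # selectors received in the clear

    def reply_to(self, line: bytes) -> bytes:
        """A TLS-aware server accepts the upgrade; any other server just
        treats 'STARTTLS' as a selector it does not have."""
        if line == STARTTLS and self.supports_tls:
            return ACCEPT
        self.plaintext_seen.append(line)
        return UNKNOWN

def on_path_rewrite(reply: bytes, active_attacker: bool) -> bytes:
    """The downgrade Kim describes: an on-path party turns the server's
    acceptance into the same error a TLS-unaware server would send."""
    if active_attacker and reply == ACCEPT:
        return UNKNOWN
    return reply

def client_request(server: Server, selector: bytes, *,
                   active_attacker: bool = False, require_tls: bool = False) -> str:
    """Return the channel the selector ended up on: 'tls', 'plain' (silent
    fallback) or 'refused' (client policy forbids plaintext)."""
    reply = on_path_rewrite(server.reply_to(STARTTLS), active_attacker)
    if reply == ACCEPT:
        return "tls"            # selector is sent inside the TLS session
    if require_tls:
        return "refused"        # only a client that expected TLS can notice the downgrade
    server.reply_to(selector)   # re-request without STARTTLS, as the mail suggests
    return "plain"

if __name__ == "__main__":
    s = Server(supports_tls=True)
    print(client_request(s, b"/\r\n"))                        # tls
    print(client_request(s, b"/\r\n", active_attacker=True))  # plain: looks like a TLS-unaware server
    print(client_request(Server(False), b"/\r\n"))            # plain: identical from the client's view
```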
