[gopher] TLS situation in gopher [was: Re: Gophernicus 2.4 "Millennium Edition" released]

James Mills prologic at shortcircuit.net.au
Sun Feb 12 21:48:49 UTC 2017


On Sun, Feb 12, 2017 at 8:05 AM, Kim Holviala <kim at holviala.com> wrote:

> On 12 Feb 2017, at 14:02, Adam Thompson <arthompson1990 at gmail.com> wrote:
> >
> > I wonder if there's any way to have opportunistic tls here (i.e. a
> > starttls equivalent)
>
> I almost started doing STARTTLS for Gophernicus... but it has two huge
> problems: you can always MITM a "silent" STARTTLS which makes the
> encryption useless, and it uses the existing TCP connection which makes
> TLS-wrappers like Stunnel4 hard to do (but I already figured out a way to
> go around that problem).
>
> Also, what should the response to STARTTLS be?
>
> C: opens TCP connection to server
> C: STARTTLS
> S: WTF OMG OMG IT'S ALIVE!!!!
> C: bzzzzz trrr trrr trrr <TLS connection with proper selector request here>
> S: Happily serving the request
>
> So what should server answer instead of WTF? Client needs to know the
> server is OK with the connection, and the client should probably re-request
> without STARTTLS if the server doesn't understand TLS.
>
> Sounds a bit complicated to me - but I don't have a better solution either.
>

This was exactly what I was thinking once on how to support this. I believe
it could be done and backwards compatible. Old clients would never send
this "special resource request".

cheers
James
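The exchange sketched above, as an added simulation that is not part of the thread or of Gophernicus: the selector `STARTTLS`, the acknowledgement `+OK` and the function names are assumptions. It shows why the "silent" STARTTLS Kim describes is downgradeable: a client that re-requests in plaintext whenever the acknowledgement is missing cannot tell an unaware server from an on-path attacker rewriting the reply, whereas a client that requires TLS simply aborts.

```python
# Assumed protocol details (not a gopher standard): the client sends the
# special selector "STARTTLS"; a TLS-aware server answers "+OK" and the
# client then starts a TLS handshake on the same TCP connection.
STARTTLS_SELECTOR = "STARTTLS"   # assumed "special resource request"
ACK = "+OK"                      # assumed server acknowledgement


def server_reply(selector: str, supports_tls: bool) -> str:
    """Reply of a server to one selector line (CRLF stripped)."""
    if selector == STARTTLS_SELECTOR and supports_tls:
        return ACK
    # An unaware server treats STARTTLS like any other selector and
    # answers with an ordinary gopher error item (type '3').
    return "3'" + selector + "' not found\t\terror.host\t1"


def client_decision(reply: str, require_tls: bool) -> str:
    """What the client does after seeing the reply to STARTTLS."""
    if reply == ACK:
        return "tls"                 # proceed with the TLS handshake
    if require_tls:
        return "abort"               # policy: never fall back
    return "plaintext"               # opportunistic: re-request without STARTTLS


def exchange(server_supports_tls: bool, require_tls: bool, stripped: bool = False):
    """Run one negotiation and return (transcript, transport).

    `stripped` models an on-path attacker that replaces the server's "+OK"
    with the reply an unaware server would give, so the client sees no
    acknowledgement at all. Constructed scenario, not captured traffic.
    """
    transcript = ["C: " + STARTTLS_SELECTOR]
    reply = server_reply(STARTTLS_SELECTOR, server_supports_tls)
    if stripped:
        reply = server_reply(STARTTLS_SELECTOR, False)
    transcript.append("S: " + reply)
    transport = client_decision(reply, require_tls)
    if transport == "tls":
        transcript.append("C: <TLS handshake, then the real selector inside TLS>")
    elif transport == "plaintext":
        transcript.append("C: <re-request the selector without STARTTLS>")
    else:
        transcript.append("C: <close connection: TLS required but not confirmed>")
    return transcript, transport


if __name__ == "__main__":
    for scenario in [(True, False, False), (False, False, False),
                     (True, False, True), (True, True, True)]:
        lines, transport = exchange(*scenario)
        print("\n".join(lines), "->", transport, "\n")
```

With `require_tls=False`, the stripped run and the unaware-server run are indistinguishable to the client; only the `require_tls=True` client refuses the downgrade.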