X.509 is the standard format for public key certificates, which are used, among other things, in TLS. The format has three versions, each adding functionality that the previous one lacked.
While the most popular library for processing these certificates, OpenSSL, supports all versions, this is starting to no longer be the case for other libraries. In 2022, when I first heard about Gemini, I decided to write a client for it as an excuse to learn Rust. To make things easier, I chose to use only Rust-native libraries, which ruled OpenSSL out for handling TLS. The best alternative was (and is, I think) rustls' webpki, and they have stated that they don't plan to support older versions of X.509:
=> https://github.com/rustls/webpki/issues/29#issuecomment-1453783741
I don't know the state of libraries in other languages, maybe they all rely on OpenSSL, but with the age of X.509 v1 (I don't think v2 is used) it should come as no surprise that developers may choose not to support it in their new libraries. The impact of supporting older versions is minimal if I had to guess, but oh well.
I ran a quick test on the geminispace, or the known part of it at least :), using the 2458 known hosts of geminispace.info: 396 of them are using a v1 certificate.
Download the certificate from your server if you don't have it at hand (openssl x509 only keeps the first certificate of the chain that s_client prints, which is the server's own certificate):

```
openssl s_client -servername YOUR_SERVER_NAME -connect YOUR_SERVER_NAME:YOUR_PORT -showcerts </dev/null | openssl x509 -outform pem > cert.pem
```
Next, print the certificate's body and grep the version field:

```
openssl x509 -in cert.pem -noout -text | grep Version
```

OpenSSL prints the human-readable version followed by the encoded value in parentheses, so a v1 certificate shows up as "Version: 1 (0x0)" and a v3 certificate as "Version: 3 (0x2)" (the integer stored in the certificate is the version minus one).
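As an added example (not code from this post), here is a small Python script that reads the version straight from the certificate's DER encoding instead of grepping OpenSSL's text output. It shows why "v1" is really the absence of a version field: the DER samples below are constructed and are not valid certificates, only the leading fields the parser looks at.

```python
import base64
import re

# Added example, not from the original post: read the X.509 version directly from
# DER. In TBSCertificate the version is "[0] EXPLICIT INTEGER OPTIONAL" with
# DEFAULT v1(0): when the field is absent the certificate is v1, and extensions
# (which are what libraries such as webpki rely on) only exist from v3 on.
def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER TLV at buf[pos]; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end

def x509_version(der: bytes) -> int:
    """Return 1, 2 or 3 for a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, first, _ = _read_tlv(tbs, 0)       # [0] version, or serialNumber if absent
    if tag != 0xA0:
        return 1                            # no version field: DEFAULT v1
    inner, value, _ = _read_tlv(first, 0)
    if inner != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(value, "big") + 1   # encoded value is version - 1

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of a cert.pem such as the one openssl s_client produces."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode a short DER TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed samples (NOT valid certificates): only the leading fields that the
# parser inspects, followed by an empty SEQUENCE standing in for the remainder.
V3_SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")) + b"\x30\x00")
V1_SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")) + b"\x30\x00")
V3_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(V3_SAMPLE).decode() + "-----END CERTIFICATE-----\n"
```

To check a real certificate, pass the contents of cert.pem to pem_to_der() and then to x509_version().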
I'm running OpenSSL 3.3.2 and I haven't managed to create a v1 certificate, so either it changed its default or v1 certificates were created using a different tool. I'd appreciate your feedback if you get to create a v1 cert.
=> Posted in: s/Gemini | 🛰️ lufte
2024-05-14 · 8 months ago · 👍 norayr, Acidus, gemalaya, blah_blah_blah