Re: Many capsules don't send TLS close_notify

Posted Sun 18 Dec, 2022.

This is a weird one. According to nervuri:

> Gemini capsules:
> OpenSSL.SSL.Error: [('SSL routines', '', 'unexpected eof while reading')]
> It turns out that this has to do with the release of OpenSSL 3. OpenSSL no longer tolerates TLS connections that don't shut down with a close_notify message, as per the TLS specification.

=> Many capsules don't send TLS close_notify

And this is interesting because, as far as I know, SpaceBeans doesn't send close_notify. Or, to be more accurate, the library the server uses doesn't seem to send it. Or that's what I thought, because I'm now wondering whether the tests I was running all this time were wrong (because I can't find any reference to this being changed in any of the recent releases of Akka; or is it the JVM?).

nervuri suggests a few ways to test if a server is using "close_notify" properly, for example:

=> this capsule via portal.mozz.us

And it reports:

Weird. Precisely the tool I used to check for "close_notify" is:

=> Gemini Diagnostics

By Michael Lazar, who is the author/maintainer of that proxy.

I also tried the openssl command that nervuri suggests, and I can't really see anything in the output that suggests an issue (although I'm not using OpenSSL 3, so it could be that you need that specific version to check this).
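The two checks mentioned above (the diagnostics tool and the openssl command) boil down to one observation: after the response body, does the server send a TLS close_notify alert before closing TCP, or does the stream just end? The following is an added example, not part of the original post, SpaceBeans, Gemini Diagnostics or nervuri's tooling, showing how to make that distinction from Python's standard ssl module. The function and constant names (classify_shutdown, check_capsule, fake_reader) are this example's own. It relies on wrapping the socket with suppress_ragged_eofs=False, so that a truncated stream surfaces as ssl.SSLEOFError instead of being quietly reported as end of data; the Python ssl module does this mapping for both OpenSSL 1.1.1 (where the raw library only reports a syscall-level EOF) and OpenSSL 3 (where it reports "unexpected eof while reading"), which is why this check shows the difference even on a machine whose openssl s_client run looks clean.

```python
"""Check whether a Gemini capsule ends its TLS response with close_notify.

Added example for this post; not code from SpaceBeans, Gemini Diagnostics
or nervuri's tooling. classify_shutdown, check_capsule and fake_reader are
names chosen here for illustration.
"""
import socket
import ssl
import sys
from urllib.parse import urlparse

CLOSE_NOTIFY = "close_notify received"
NO_CLOSE_NOTIFY = "no close_notify (connection ended without TLS shutdown)"


def classify_shutdown(read):
    """Drain a TLS stream with read(n) until EOF and report how it ended.

    read() is expected to behave like SSLSocket.recv on a socket wrapped
    with suppress_ragged_eofs=False: it returns b"" after a close_notify
    alert and raises ssl.SSLEOFError when the peer simply closes TCP.
    Returns (verdict, number_of_response_bytes_read).
    """
    total = 0
    while True:
        try:
            chunk = read(4096)
        except (ssl.SSLEOFError, ConnectionResetError):
            # OpenSSL 3 calls this "unexpected eof while reading", OpenSSL
            # 1.1.1 "EOF occurred in violation of protocol"; either way the
            # server skipped the close_notify alert.
            return NO_CLOSE_NOTIFY, total
        if not chunk:
            return CLOSE_NOTIFY, total
        total += len(chunk)


def check_capsule(url, timeout=10.0):
    """Fetch a Gemini URL and say whether the server sent close_notify."""
    parts = urlparse(url)
    host, port = parts.hostname, parts.port or 1965
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Gemini uses trust-on-first-use rather than the CA system, and this
    # check only cares about the shutdown, so certificate validation is off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host,
                             suppress_ragged_eofs=False) as tls:
            tls.sendall((url + "\r\n").encode("utf-8"))
            return classify_shutdown(tls.recv)


def fake_reader(chunks, abrupt):
    """Constructed stand-in for tls.recv so the check can run offline.

    Hands out the given chunks, then either a clean EOF (b"") or the
    ssl.SSLEOFError that a truncated stream produces.
    """
    pending = list(chunks)

    def read(n):
        if pending:
            return pending.pop(0)
        if abrupt:
            raise ssl.SSLEOFError("EOF occurred in violation of protocol")
        return b""

    return read


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g. python3 check_close_notify.py gemini://example.org/
        print(*check_capsule(sys.argv[1]))
    else:
        # Offline demonstration with constructed responses.
        good = fake_reader([b"20 text/gemini\r\n", b"# hello\n"], abrupt=False)
        bad = fake_reader([b"20 text/gemini\r\n", b"# hello\n"], abrupt=True)
        print(classify_shutdown(good))
        print(classify_shutdown(bad))
```

Run it with a gemini:// URL to test a live capsule, or with no arguments to see both verdicts on the constructed responses. A server that passes still has to send the whole body first: the verdict only says how the stream ended, not that the response was well formed.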

In any case, if it turns out SpaceBeans has always used "close_notify" correctly, that's great.

Which is all down to the fact that TLS is complicated. Gemini decided to go that route --which may even be good for TLS, if it means the supporting libraries we use in our servers get better--, and that means we are going to find issues like this. TLS is both a strong point and a weak spot for the Gemini space. As I said before: I'm not sure how much I can influence a library developer to fix an issue like this, especially when I don't have the technical capacity to help fix it myself.

I will look with interest at this. I'm curious how many of those servers nervuri identified will be fixed!

Previously:

=> Not feeling it (where I comment on "close_notify" and SpaceBeans)

Update (2022-12-19)

More from Alex where SpaceBeans is tested (and passed the test!):

=> Re: Many capsules don't send TLS close_notify

And Alex also replied to one of my posts in "flightlog" --which I can't link to directly because there aren't anchors in Gemini--. Among other things, there was this part:

> At any rate, I wouldn't stress too much about your server being "non-conformant." Writing your own server should be fun and really, at this point no one's going to start blocking capsules that don't properly send it.

Which is a nice takeaway!

=> gemini://capsule.usebox.net/gemlog/20221218-re-many-capsules-don-t-send-tls-close-notify.gmi Original URL