Elpher client certificates


Prelude:

I'm tempted to apologize once more for adding yet another
Elpher-related post to this phlog. It's difficult to avoid though, as
this is my main platform for announcing major changes. I've been
considering using tags or something to split the entries into
elpher/non-elpher categories, so that people not interested in this
seemingly never-ending tirade of Elpher updates can leave early with
their sanity and temper intact.

So, to those people: be warned, this is another of "those" posts.

-=-=-=-=-

In a recent [1,2] *log entry, I lamented being unable to get Elpher to
use client certificates---which are an integral component of the
Gemini protocol---in establishing TLS connections using the native
Emacs network functions. Several people have subsequently pointed out
that this limitation seems to be lifted by Emacs 27, whenever that
gets released. While encouraging, the Emacs release schedule is a
slow, methodical, and mysterious target of numerologists [3], and thus
it seemed the present situation was likely to remain in place for a
while longer.

On the weekend though, I was fiddling around with the networking code
in an effort to (a) consolidate the network code related to gopher,
gemini and finger into one method, and to (b) solve a handful of minor
bugs relating to conflicts between forcing use of IPv4 and server name
identification (SNI) for TLS connections. To solve these issues I
wound up needing to switch out the use of the open-network-stream
procedure with the lower-level make-network-process function, as
this allows directly selecting the IP protocol version and specifying
the host name to use for SNI. (For anybody interested, previously
forcing IPv4, when requested, was achieved using an ugly hack
involving performing a separate DNS lookup to retrieve the IPv4
address of a server, then using this as the host in the
open-network-stream call.)

On a whim I then decided to try attaching my astrobotany [4] TLS
client certificates to the make-network-process call and connect to
the astrobotany server...

... and bam, I was looking at a dead virtual plant.

I don't think I will ever be as happy to see virtual botanical tragedy
as I was at that moment!
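
The call described above, as an added example rather than Elpher's own
code: make-network-process given the IP family, the host name used for
SNI, and a client key/certificate pair in one go. The function name,
the port default and the file arguments are assumptions made for
illustration, and an Emacs built with GnuTLS is assumed.

```elisp
;;; -*- lexical-binding: t -*-
(require 'gnutls)

(defun example-gemini-fetch (host url key-file cert-file &optional force-ipv4)
  "Request URL from Gemini server HOST, presenting a client certificate.
KEY-FILE and CERT-FILE are PEM files chosen by the caller.  Non-nil
FORCE-IPV4 restricts the connection to IPv4.  Returns the process;
the raw response accumulates in its buffer."
  (unless (gnutls-available-p)
    (error "This Emacs has no GnuTLS support"))
  (let ((key (expand-file-name key-file))
        (cert (expand-file-name cert-file)))
    (dolist (file (list key cert))
      (unless (file-readable-p file)
        (error "Cannot read %s" file)))
    (make-network-process
     :name "example-gemini"
     :buffer (generate-new-buffer " *example-gemini*")
     :host host
     :service 1965                     ; default Gemini port
     :family (and force-ipv4 'ipv4)    ; nil leaves the choice to Emacs
     :coding 'binary
     :nowait t
     :tls-parameters
     (cons 'gnutls-x509pki
           (gnutls-boot-parameters
            :type 'gnutls-x509pki
            :hostname host             ; name sent for SNI
            :keylist (list (list key cert))))
     :sentinel
     (lambda (proc event)
       ;; With :nowait t, send the request only once the
       ;; connection is reported open.
       (when (string-prefix-p "open" event)
         (process-send-string proc (concat url "\r\n")))))))

;; Constructed usage; host and file names are placeholders:
;; (example-gemini-fetch "gemini.example" "gemini://gemini.example/"
;;                       "~/example.key" "~/example.crt" t)
```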

So, with this discovery, Elpher v2.9.0 supports client certificates.
I've tried to make the interface as frictionless as possible, but of
course I'm open to suggestions. The info manual (installed
automatically when you install Elpher from MELPA) goes through the
gory details of this, but I'll try to quickly summarize here.

menu in the minibuffer. Pressing "?" presents a description of the
available options, which are "t" to create and use a "throwaway"
single-use certificate, "p" to create a permanent certificate (or use
an existing one), and "a" to abort the connection.

is part of OpenSSL and is probably already installed on your
machine. If it's not, you'll need to install it. If it is
installed but the command line tool is not in your PATH (whatever
that means on your system) you can specify the location of the tool
by customizing the elpher-openssl-command variable.

are deleted when the certificate is "forgotten", as described below.

`elpher-certificate-directory', which by default is the directory
"elpher-certificates/" inside the Emacs configuration directory.

choosing a name which does not correspond to an existing certificate
will cause a new one to be created and added to that directory.

certificates, so just hit TAB to see a list of all available
certificates (really just the contents of the
`elpher-certificate-directory' directory).

establish a connection to a host other than the one for which the
certificate was created).

That's pretty much it! It's the initial release, so there may be some
rough edges. (One that I already know about but haven't addressed yet
is that the "certificate name" you choose has to be a valid filename -
there's no sanitization yet.) If you encounter any others please let
me know either by email or via the feedback button on the Elpher
project page.

Remember to water those plants!!


Original URL: gemini://thelambdalab.xyz/phlog/2020-06-22-Elpher-client-certificates.txt