mirror of https://git.sr.ht/~oppen/ariane
log server certs, add link to drews tofu notes
parent
5e7faedc7d
commit
50cf425a5b
@ -37,6 +37,8 @@ Ariane uses TLS but does not implement TOFU at all:
|
||||||
|
|
||||||
> Clients can validate TLS connections however they like (including not at all) but the strongly RECOMMENDED approach is to implement a lightweight "TOFU" certificate-pinning system which treats self-signed certificates as first- class citizens
|
> Clients can validate TLS connections however they like (including not at all) but the strongly RECOMMENDED approach is to implement a lightweight "TOFU" certificate-pinning system which treats self-signed certificates as first- class citizens
|
||||||
|
|
||||||
|
See [Drew's note on TOFU](https://drewdevault.com/2020/09/21/Gemini-TOFU.html)
|
||||||
|
|
||||||
## Client TLS
|
## Client TLS
|
||||||
|
|
||||||
> Although rarely seen on the web, TLS permits clients to identify themselves to servers using certificates
|
> Although rarely seen on the web, TLS permits clients to identify themselves to servers using certificates
|
||||||
|
|
|
@ -25,10 +25,13 @@ class GeminiDatasourceTests {
|
||||||
"gemini://idiomdrottning.org"
|
"gemini://idiomdrottning.org"
|
||||||
)
|
)
|
||||||
|
|
||||||
private val capsuleIndex = 3
|
private var capsuleIndex = 0
|
||||||
|
|
||||||
@Before
|
@Before
|
||||||
private fun setup(){
|
fun setup(){
|
||||||
|
val capsule = capsules.random()
|
||||||
|
println("Using $capsule for Gemini tests")
|
||||||
|
capsuleIndex = capsules.indexOf(capsule)
|
||||||
gemini = Datasource.factory(InstrumentationRegistry.getInstrumentation().targetContext)
|
gemini = Datasource.factory(InstrumentationRegistry.getInstrumentation().targetContext)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
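Review bot: `capsules.random()` in setup makes each run of the class exercise a different third-party host, so a failure is only reproducible if the printed capsule name happens to be captured with the test output; choosing the index from a fixed seed keeps the spread across capsules while making reruns deterministic, e.g. `capsuleIndex = Random(seed).nextInt(capsules.size)` followed by `val capsule = capsules[capsuleIndex]`, with `seed` declared as a constant next to `capsules`. Deriving the capsule from the index also removes the reason `capsuleIndex` was changed from `val` to `var` and assigned via `capsules.indexOf(capsule)` after the draw. It is worth a one-line comment on `capsuleIndex` saying which other tests read it, since the hunk shows it being set but not used. The test class and the `capsules` list start outside the hunk.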
@ -37,7 +37,6 @@ class GeminiDatasource(
|
||||||
|
|
||||||
when (uri.scheme) {
|
when (uri.scheme) {
|
||||||
GEMINI_SCHEME -> {
|
GEMINI_SCHEME -> {
|
||||||
|
|
||||||
val cached = RuntimeCache.get(uri)
|
val cached = RuntimeCache.get(uri)
|
||||||
if(cached != null){
|
if(cached != null){
|
||||||
last = uri
|
last = uri
|
||||||
|
@ -100,10 +99,9 @@ class GeminiDatasource(
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* This was largely copied from
|
* This was originally largely copied from:
|
||||||
|
|
||||||
https://framagit.org/waweic/gemini-client/-/blob/master/app/src/main/java/rocks/ism/decentral/geminiclient/GeminiConnection.kt
|
https://framagit.org/waweic/gemini-client/-/blob/master/app/src/main/java/rocks/ism/decentral/geminiclient/GeminiConnection.kt
|
||||||
|
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
@ -113,7 +111,11 @@ class GeminiDatasource(
|
||||||
}
|
}
|
||||||
|
|
||||||
override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {
|
override fun checkServerTrusted(chain: Array<out X509Certificate>?, authType: String?) {
|
||||||
|
println("checkServerTrusted()")
|
||||||
|
println("checkServerTrusted() authType: $authType")
|
||||||
|
chain?.forEach { cert ->
|
||||||
|
println("checkServerTrusted() cert: ${cert.subjectDN}")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
override fun getAcceptedIssuers(): Array<X509Certificate> {
|
override fun getAcceptedIssuers(): Array<X509Certificate> {
|
||||||
|
|
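Review bot: checkServerTrusted still returns without validating anything, so the new `println` lines only log a chain that is then accepted unconditionally; a comment at the top of the method should say so explicitly so the logging is not mistaken for a check, e.g. `// No validation yet: every chain is accepted (no TOFU pinning, see README). Logging only.`. `cert.subjectDN` is a deprecated accessor; `cert.subjectX500Principal.name` yields the same text without the deprecation warning. If this logging is groundwork for the TOFU pinning the README now links to, the value worth recording is a digest of `cert.encoded` (`MessageDigest.getInstance("SHA-256").digest(cert.encoded)`), because the subject name alone cannot tell two self-signed certificates for the same host apart, which is the exact case pinning has to detect. The anonymous trust-manager object and the GeminiDatasource class both start outside the hunk, and the same `println`-only style applies to the `authType` line.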