Post A3oR3bFWq2OfjvtAp6 by kelbot@fosstodon.org
(DIR) Post #A3oR3bFWq2OfjvtAp6 by kelbot@fosstodon.org
2021-01-31T23:58:10Z
0 likes, 0 repeats
Still trying to figure out what the deal is with the handshake errors in some clients trying to load my #gemini capsule. Tried two different servers and have redone the ssl certs. The same clients have the issue with both. I'm getting this in the log which makes it look like it's the client's fault: gemini: failed TLS handshake from ***.***.***.***:****: tls: client offered only unsupported versions: [303 302 301]
(DIR) Post #A3oaOn3R2foi1MPZWy by splatt9990@fosstodon.org
2021-02-01T01:42:51Z
0 likes, 0 repeats
@kelbot does your server support TLS 1.3? It sounds like some of those clients might be expecting it to (assuming that's what the 301, 302, and 303 mean although it may be sslv3 in which case those clients are woefully outdated)
(DIR) Post #A3oe0JGiX6ceVbCrCq by kelbot@fosstodon.org
2021-02-01T02:23:11Z
0 likes, 0 repeats
@splatt9990 I get this error from one of the clients that fails: SSLV3_ALERT_HANDSHAKE_FAILURE(tls_record.cc:587) I don't know a lot about SSL/TLS honestly.
(DIR) Post #A3oh13Z8hWnrxWs3Lk by kelbot@fosstodon.org
2021-02-01T02:56:59Z
0 likes, 0 repeats
gemini-diagnostics is telling me it can't verify the certificate when I use satellite but I don't know why. When I use a-h/gemini the SSL cert verifies correctly. The same clients still cannot connect in either case. :thaenkin:
[TLSVerified] Certificate should be self-signed or have a trusted issuer
Connecting over verified SSL socket x [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)
(DIR) Post #A3ojV83YlklgTyZDuq by architect@linuxrocks.online
2021-02-01T03:24:48Z
0 likes, 0 repeats
@kelbot That one sounds like it's trying to verify the certificate against your local trust store and failing.
(DIR) Post #A3okAt94bAW6Oo3gS8 by kelbot@fosstodon.org
2021-02-01T03:32:24Z
0 likes, 0 repeats
@architect Well, I think it is fixed but don't fully understand why it was having a problem in the first place :).
(DIR) Post #A3okLT5tnRlGmvcPa4 by thumb@fosstodon.org
2021-02-01T03:34:16Z
0 likes, 0 repeats
@kelbot What was the fix? @architect
(DIR) Post #A3oktSZAGY76zqW2Do by kelbot@fosstodon.org
2021-02-01T03:40:27Z
1 likes, 0 repeats
@thumb @architect I guess the certs I had generated were not generated correctly and apparently the server software I was using that autogenerates them also did it incorrectly somehow. After I regenerated the certs again using a different command the errors went away.
(DIR) Post #A3pfS8QIkAcO5oTt2G by splatt9990@fosstodon.org
2021-02-01T14:14:13Z
0 likes, 0 repeats
@kelbot sounds like the client only supports sslv3 which is pretty ancient. It's possible your server could support that but is configured not to as it's very old and insecure. You can either ignore such errors or attempt to configure your server to accept sslv3 (if it can). The only issue there is allowing such an outdated protocol would enable a downgrade attack where a bad actor forces the connection to be sslv3 so they can break the encryption.
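The log line in the first post and the version question above, as an added example that is not code from this thread or from any Gemini server: the bracketed values are the TLS versions the client offered, in hex (0x0303 is TLS 1.2, 0x0302 TLS 1.1, 0x0301 TLS 1.0; SSLv3 would print as 300), and Go's crypto/tls emits exactly that message when the server's MinVersion is above every version the client offers. The snippet reproduces the failure over an in-memory pipe, then shows a TLS 1.2 floor that accepts such a client while still refusing SSLv3 and earlier; the certificate and the hostname capsule.example are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed ECDSA cert in memory (constructed for this example).
func selfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "capsule.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs one handshake over an in-memory pipe with the server floor at serverMin
// and the client ceiling at clientMax; it returns the server-side error text, "" on success.
func Handshake(serverMin, clientMax uint16) string {
	srvConn, cliConn := net.Pipe()
	srv := tls.Server(srvConn, &tls.Config{
		Certificates: []tls.Certificate{selfSigned()}, MinVersion: serverMin})
	// Gemini clients pin the cert (TOFU) rather than verify a CA chain, hence no CA check here.
	cli := tls.Client(cliConn, &tls.Config{InsecureSkipVerify: true, MaxVersion: clientMax})
	errCh := make(chan error, 1)
	go func() { errCh <- srv.Handshake() }()
	_ = cli.Handshake() // on failure the client only sees the server's protocol_version alert
	if err := <-errCh; err != nil {
		return err.Error()
	}
	return ""
}

func main() { // first call reproduces the thread's log line, second is a working floor
	fmt.Println(Handshake(tls.VersionTLS13, tls.VersionTLS12), "|", Handshake(tls.VersionTLS12, tls.VersionTLS12))
}
```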
(DIR) Post #A3pk9qMPf3tOd9l9wO by FiXato@toot.cat
2021-02-01T15:06:50Z
0 likes, 0 repeats
@kelbot at least #TOFU (Trust On First Sight) seems to be working in #Lagrange as it detected you'd changed your #gemini server's #SSL / #TLS certs. :)
(DIR) Post #A3plXglb5AHDmQTQ4e by FiXato@toot.cat
2021-02-01T15:22:25Z
0 likes, 0 repeats
@kelbot at least #TOFU (Trust On First Sight) seems to be working in #Lagrange as it detected you'd changed your #gemini server's #SSL / #TLS certs. :)
(DIR) Post #A3qBiuynB3MHr0f0yW by jpfox@m.g3l.org
2021-02-01T20:15:53Z
0 likes, 0 repeats
@FiXato @kelbot So, it's a bad idea to use a Let's Encrypt cert with its short time validity :think:
(DIR) Post #A3qF1e0QoBd0Zm33GC by FiXato@toot.cat
2021-02-01T20:52:53Z
0 likes, 0 repeats
@jpfox not sure how it reacts when a cert is replaced shortly before or after its expiration date. :) @kelbot
(DIR) Post #A3qFqzaIL8bAGkJ8ZU by jpfox@m.g3l.org
2021-02-01T21:02:11Z
0 likes, 0 repeats
@FiXato Effectively, if the stored one is expired or close to it, maybe there is no alert. @kelbot