Testing default certificate fallback for Agate (SNI-less IP as the host, useful in the DNS-less Yggdrasil context)

https://github.com/mbrubeck/agate/pull/433

Yggdrasil (AAAA gemini://ps.ygg)

Mycelium (CN=ps.ygg)

Posted in: s/Yggdrasil

👻 ps [mod]

Mar 31 · 5 weeks ago

3 Comments

🕷 baran [mod] · Apr 01 at 08:20:

It doesn't connect. Although Amfora does open Yggdrasil capsules.

📻 eugene [mod] · Apr 01 at 08:45:

Lagrange opens the direct IP, but complains:

The request was sent to "202:....:3148" but we received a certificate for a different domain (CN = ps.ygg). This may be a server configuration problem.

Notice that currently Lagrange does not handle bare IPv6 in certificates correctly: if you write it as an IP address, like you're supposed to, it won't recognize it. I suspect this is a common problem, since lots of Gemini libraries and servers seem to have never considered bare IPv6. I've been getting around this by generating the certificate like so:

👻 ps [OP/mod] · Apr 01 at 15:42:

Thanks for the feedback, guys; I definitely have no idea how to handle the multi-host case (with empty SNI)

— https://www.datensen.com/blog/support/setting-the-tls-servername-to-an-ip-address-is-not-permitted/

That is a fundamental issue of RFC 6066/rustls. Ugly DNS-addicted world.

I can generate a separate cert for 0200::/7 to silence the Lagrange panic, but what about 0400::/7 and other networks that use plain IPs? It works anyhow; let clients take care of their software and rebel.
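The two client-side rules the thread circles around are (1) an IP literal in the URL means no SNI at all, because RFC 6066 forbids IP addresses in the HostName field, and (2) an IP literal must be matched against an iPAddress SAN in the certificate, never against a dNSName or the CN, which is exactly why Lagrange reports "certificate for a different domain (CN = ps.ygg)" when it was asked for a bare IPv6. The following is an added example of those two checks, not code from Agate, Lagrange or anyone in this thread. It is Python standard library only and works on certificates in the dict shape that `ssl.SSLSocket.getpeercert()` returns (that shape renders IPv6 SANs expanded and upper-case, so IPs must be compared as `ipaddress` objects, not strings). The certificate dicts and the address `200:1234:5678:9abc::1` are constructed for the demo; the real address in the thread is elided and is not used.

```python
"""Reference-identity checks for a Gemini client with bare-IPv6 hosts.

Certificates are dicts shaped like ssl.SSLSocket.getpeercert() output, e.g.
  {'subject': ((('commonName', 'ps.ygg'),),),
   'subjectAltName': (('DNS', 'ps.ygg'), ('IP Address', '200:1234:5678:9ABC:0:0:0:1'))}
"""
import ipaddress
from typing import Optional, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def reference_identity(url: str) -> Union[IPAddr, str]:
    """Host to verify against: an ipaddress object for IP literals, else the
    lower-cased DNS name. urlsplit().hostname strips [] around IPv6 and any port."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return host.lower().rstrip(".")


def sni_for(url: str) -> Optional[str]:
    """RFC 6066 s.3: HostName carries DNS names only, IP literals are not
    permitted, so a client connecting to a bare IP sends no SNI extension."""
    ident = reference_identity(url)
    return None if isinstance(ident, (ipaddress.IPv4Address, ipaddress.IPv6Address)) else ident


def _dns_matches(pattern: str, name: str) -> bool:
    """Exact match, or a single '*' standing for the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        plabels, nlabels = pattern.split("."), name.split(".")
        return len(plabels) == len(nlabels) and plabels[1:] == nlabels[1:]
    return False


def identity_matches(url: str, cert: dict) -> bool:
    ident = reference_identity(url)
    sans = tuple(cert.get("subjectAltName", ()))
    if isinstance(ident, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        # An IP literal matches only an iPAddress SAN (RFC 5280 s.4.2.1.6).
        # dNSName and commonName never satisfy an IP reference identity, which
        # is the "certificate for a different domain (CN = ps.ygg)" case.
        for kind, value in sans:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ident:
                        return True  # compared as addresses: '9ABC:0:0:0:1' == '9abc::1'
                except ValueError:
                    continue
        return False
    if sans:
        # A SAN extension is present: only dNSName entries count, CN is ignored.
        return any(kind == "DNS" and _dns_matches(value, ident) for kind, value in sans)
    # No SAN extension at all: legacy commonName fallback (deprecated by RFC 6125).
    return any(key == "commonName" and _dns_matches(value, ident)
               for rdn in cert.get("subject", ()) for key, value in rdn)


# Constructed sample certificates (not real Mycelium or Agate output).
CERT_DNS_ONLY = {  # CN=ps.ygg with a matching dNSName SAN, no IP SAN
    "subject": ((("commonName", "ps.ygg"),),),
    "subjectAltName": (("DNS", "ps.ygg"),),
}
CERT_DNS_AND_IP = {  # the "rebel" cert: same name plus an iPAddress SAN
    "subject": ((("commonName", "ps.ygg"),),),
    "subjectAltName": (("DNS", "ps.ygg"), ("IP Address", "200:1234:5678:9ABC:0:0:0:1")),
}
CERT_CN_ONLY = {  # legacy cert with no SAN extension at all
    "subject": ((("commonName", "ps.ygg"),),),
}

URL_NAME = "gemini://ps.ygg/"
URL_IP = "gemini://[200:1234:5678:9abc::1]:1965/"


def demo() -> dict:
    """Run the checks a client would perform for both URLs against each cert."""
    return {
        "sni_name": sni_for(URL_NAME),
        "sni_ip": sni_for(URL_IP),
        "name_vs_dns_only": identity_matches(URL_NAME, CERT_DNS_ONLY),
        "ip_vs_dns_only": identity_matches(URL_IP, CERT_DNS_ONLY),      # Lagrange's complaint
        "ip_vs_dns_and_ip": identity_matches(URL_IP, CERT_DNS_AND_IP),
        "name_vs_dns_and_ip": identity_matches(URL_NAME, CERT_DNS_AND_IP),
        "name_vs_cn_only": identity_matches(URL_NAME, CERT_CN_ONLY),
        "ip_vs_cn_only": identity_matches(URL_IP, CERT_CN_ONLY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server side of the same rule is the mirror image: a client that sends no SNI (because the host is an IP literal) can only be served the default certificate, so if that default carries only `DNS:ps.ygg`, every IP-literal client will fail the `ip_vs_dns_only` check above; a certificate that adds an iPAddress SAN for each address the capsule is reachable on passes both checks without needing per-network certificates.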