Subj : binkps
To   : NuSkooler
From : Oli
Date : Sat Apr 11 2020 09:49 pm

NuSkooler wrote (2020-04-11):

 N> On Saturday, April 11th Oli muttered...

 Ol>> TLS support in binkd would be nice, but for incoming connections I
 Ol>> would still use nginx or haproxy for TLS termination.

 N> +1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer
 N> reviewed in terms of security. Various BBS packages are not. I had to
 N> enable some older cipher suites and lessen security just to allow some
 N> particular BBS terminals to connect to my b

A Mystic hub truncated the line again ...

 N> ..just kind of jumping in
 N> here. What did the "binkps" proto end up looking like? Just bink proxied
 N> over TLS?

Yes, but besides that we haven't agreed on anything. If I had to define it, it would most likely look like this:

- must support TLS 1.3
- client must not send an unencrypted hostname (SNI) without prior agreement
- it shouldn't rely on CAs. Pinned certs with TOFU, DANE or nodelist flag

 N> I'd like to get this set up (I'll be TLS terminating with Caddy
 N> personally)

I haven't used Caddy as a TCP proxy, only nginx, haproxy and stunnel. Would be nice, if you could try it with binkp.

---
 * Origin: (21:3/102)
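
The three requirements listed in the message above (TLS 1.3, no SNI in the clear, pinned certificates with TOFU instead of CAs), written out as a client-side check. This is an added example, not part of the original message and not code from binkd or any BBS package; the function names, the `PinMismatch` exception, the in-memory pin store keyed by node address, and the host/port arguments are all assumptions.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Hypothetical error: the peer certificate differs from the pinned one."""


def make_context() -> ssl.SSLContext:
    """TLS 1.3 only; CA validation is off because trust comes from the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA chain; check_pin() decides trust
    return ctx


def check_pin(pins: dict, node: str, der_cert: bytes) -> str:
    """TOFU: pin on first contact, afterwards require the same certificate."""
    seen = hashlib.sha256(der_cert).hexdigest()
    known = pins.get(node)
    if known is None:
        pins[node] = seen            # first use: remember this fingerprint
        return "pinned"
    if hmac.compare_digest(known, seen):
        return "match"
    raise PinMismatch(f"certificate for {node} changed: {known} -> {seen}")


def connect(host: str, port: int, node: str, pins: dict) -> ssl.SSLSocket:
    """Open the TLS tunnel; the caller then speaks binkp over the socket."""
    raw = socket.create_connection((host, port), timeout=30)
    # server_hostname=None: no SNI extension, so no hostname in the clear.
    tls = make_context().wrap_socket(raw, server_hostname=None)
    try:
        check_pin(pins, node, tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()                  # refuse to send anything to this peer
        raise
    return tls
```

With `CERT_NONE` the pin is the only authentication, so a `PinMismatch` has to be treated as a hard failure and the pin store persisted between sessions; DANE or a nodelist flag, the other two options in the list, would replace the first-use step with an out-of-band fingerprint.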