From: "Gopher-Project" <gopher-project-bounces+rachael=telefisk.org@lists.alioth.debian.org>
Date: Wed Apr 29 21:34:41 2015
Subject: Re: [gopher] Adding TLS and/or SSL support to Gopher

On 4/23/15 7:40 PM, Philipp Schafft wrote:
> Good morning!
>
> On Thu, 2015-04-23 at 12:18 -0700, simple@sdf.org wrote:
>> New thread for an important topic :)
>>
>> Looking in my OS's /etc/services file it appears there are several
>> available ports in the 700-799 range:
>>
>> # 703 Unassigned
>> # 708 Unassigned
>> # 717-728 Unassigned
>> # 732-740 Unassigned
>> # 743 Unassigned
>> # 745-746 Unassigned
>> # 755-756 Unassigned
>> # 766 Unassigned
>> # 768 Unassigned
>> # 778-779 Unassigned
>> # 781-785 Unassigned
>> # 786 Unassigned
>> # 787 Unassigned
>> # 788-799 Unassigned
>
> I'm not sure another port needs to be assigned.
> Please see RFC2817 and RFC2818 as reference.
> Also consider the way cups does it. Besides supporting RFC2817 it detects
> TLS clients and can handle both kinds on the same port.

CUPS/anything that uses STARTTLS, etc.

>
>> As for implementation of the concept, I feel it should be done in a way
>> that doesn't shut out existing gopher clients/servers.
>>
>> Perhaps adopting some sort of external client+server proxy model would be
>> the best starting point such that, for example, someone with a lynx(1)
>> browser could install a "secure_gopher" proxy on their computer such that
>> their now local port 70 requests are SSL-wrapped and sent on to a
>> corresponding "secure_gopher" proxy server listening on the new gopherS
>> TLS encrypted port (785 maybe?). Probably it's already doable using
>> opensshd and SOCKS, just need to pick a port.
>>
>> The above approach would not preclude others from basically incorporating
>> the proxy model into their new clients and servers for an all-in-one
>> solution.
>
> I think using proxies will not improve the situation much:
> you can already have that. Also it is prone to security problems such as
> that the client is not aware of the TLS link. There are many known
> attacks to such proxified setups.
>
>> For making it officially part of Gopher World I think it means a new RFC
>> for "secure gopher" or at least adding the spec to the existing gopher
>> RFC; I don't know which would be easier.
>
> I would kind of implement it in a RFC that is considered an addition to
> the existing one.
>
> Two little notes:
> * SSL is dead. There is no secure configuration left. So please
>   keep it to TLS.
> * Vhosting should be kept in mind. Gopher doesn't really support
>   this but there is no reason not to use multiple hostnames for
>   the same server. In this case TLS is used this may become
>   relevant as certs may differ. See RFC2817 and RFC6066.

HTTP does this with Server Name Indication. That would be a good way to
approach the problem in gopher
(https://en.wikipedia.org/wiki/Server_Name_Indication).

I'd be happy to help implement this in some client/server as well.
LibreSSL has added their libtls family of functions, which aims to reduce
the difficulty of writing software that uses TLS.
The API isn't wholly stable yet, but it's a much better starting point
than the madness which is OpenSSL's API.

_______________________________________________
Gopher-Project mailing list
Gopher-Project@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/gopher-project