Closed jae1911 closed 3 years ago
I'm taking a look at it. At first sight, it looks like Elaho is using TLS 1.2. As per the Gemini spec at https://gemini.circumlunar.space/docs/specification.html clients should be using TLS 1.3:
4.1 Version requirements
Servers MUST use TLS version 1.2 or higher and SHOULD use TLS version 1.3 or higher. TLS 1.2 is reluctantly permitted for now to avoid drastically reducing the range of available implementation libraries. Hopefully TLS 1.3 or higher can be specced in the near future. Clients who wish to be "ahead of the curve" MAY refuse to connect to servers using TLS version 1.2 or lower.
I'll see if it's possible to offer a way to tune down to support TLS 1.2. I've installed the browser to give it a try out. Elaho looks really nice!
Author of Elaho here. I took a quick look at my networking code and did some experimentation. It doesn't look like CFStream from Foundation framework supports TLS1.3 and it was only enabled in the Network framework which came out in iOS 12. Elaho currently supports iOS 11.
When I have some time I will work on rewriting networking code in Elaho to support TLS 1.3.
I've had a chance to look at this, and it looks like it's just a single character change for this server to support TLS 1.2, see the required change here https://github.com/a-h/gemini/compare/support_tls_1_2
The Gemini specification states that the clients can refuse to connect to the server if only 1.2 is available, rather than the server needs to not allow the client to negotiate TLS 1.2 - so I think it's OK for me to make the change to drop minimum TLS support down to TLS 1.2 to enable clients that have difficulty with supporting TLS 1.3, without annoying other users of this server.
4.1 Version requirements
Servers MUST use TLS version 1.2 or higher and SHOULD use TLS version 1.3 or higher. TLS 1.2 is reluctantly permitted for now to avoid drastically reducing the range of available implementation libraries. Hopefully TLS 1.3 or higher can be specced in the near future. Clients who wish to be "ahead of the curve" MAY refuse to connect to servers using TLS version 1.2 or lower.
I'll test it as soon as I can, but feel free to give it a try yourself with that change, it's really easy to build Go programs, even if you don't know much about Go...
If people have strong feelings, I'll make TLS 1.3 the default, and add a flag to enable TLS 1.2, otherwise, I'll just make TLS 1.2 be the minimum until the spec changes or TLS 1.2 is broken.
I've tested the change using Elaho on an iPhone connected to a test capsule; it now works great, and it looks great on Elaho. @pitr - thanks for taking a look at this.
I've released a new version with the change - https://github.com/a-h/gemini/releases/tag/v0.0.49
Hope you're enjoying the Gemini server. 😀
Greetings. A user using the client Elaho (iOS) reported that he couldn't see my Pod. Upon reviewing the logs, I saw this:
Any way to fix?