Discussion:
Gopher over TLS
Alex Schröder
2018-01-21 19:03:22 UTC
I've recently added a Gopher interface to my wiki at alexschroeder.ch. As
an experiment, I added TLS support to the server and added it to a client,
too. The client I picked was the simple VF-1 client written in Python.
Basically it has two modes: TLS mode and normal mode. In normal mode, all
connections are considered to be normal; in TLS mode all connections are
considered to be encrypted. I get the feeling that this is better and more
obvious than having gopher and gophers URL schemas, and figuring out how to
integrate SSL into existing Gopher menus.
What do you think?
You can try it yourself: alexschroeder.ch is the normal site, test it using
your favorite Gopher client. alexschroeder.ch:7070 is the encrypted site,
test it using the following:
echo About | gnutls-cli alexschroeder.ch:7070
Or use the TLS enabled branch of VF-1,
https://github.com/kensanata/VF-1/tree/ssl
vf1 --tls alexschroeder.ch:7070/0About

Cheers
Alex
SiMpLe MaChInEs
2018-01-21 19:59:16 UTC
Post by Alex Schröder
I've recently added a Gopher interface to my wiki at alexschroeder.ch. As
an experiment, I added TLS support to the server and added it to a client,
too. The client I picked was the simple VF-1 client written in Python.
Basically it has two modes: TLS mode and normal mode. In normal mode, all
connections are considered to be normal; in TLS mode all connections are
considered to be encrypted. I get the feeling that this is better and more
obvious than having gopher and gophers URL schemas, and figuring out how to
integrate SSL into existing Gopher menus.
What do you think?
You can try it yourself: alexschroeder.ch is the normal site, test it using
your favorite Gopher client. alexschroeder.ch:7070 is the encrypted site,
echo About | gnutls-cli alexschroeder.ch:7070
Or use the TLS enabled branch of VF-1,
https://github.com/kensanata/VF-1/tree/ssl
vf1 --tls alexschroeder.ch:7070/0About
Nice! I had to add '--insecure' to gnutls-cli but other than that it works.
Adding TLS to gopher has been talked about on and off for years but usually
the conversation died when it came to extending the gopher std(s). Perhaps
it's time to revisit it again?
Alex Schröder
2018-01-21 21:24:23 UTC
Post by SiMpLe MaChInEs
Post by Alex Schröder
echo About | gnutls-cli alexschroeder.ch:7070
Adding TLS to gopher has been talked about on and off for years but
usually the conversation died when it came to extending the gopher
std(s). Perhaps it's time to revisit it again?
Do you have a good link to a previous discussion?
Post by SiMpLe MaChInEs
I had to add '--insecure' to gnutls-cli but other than that it works.
Strange that you had to add --insecure. The server uses the full chain
of certificates and the private key I also use for the website itself,
and I made sure that ~/.gnutls was empty (no known-hosts file), and it
still works on my system. Sadly, I don't really know the ins and outs
of SSL and TLS so I don't know where I'd start. All I know is that you
need to trust Let's Encrypt, since they signed my certificate so I guess
gnutls-cli needs to know where all the CAs are on your system?

Alternatively, I looked at my logs and found the following:

Could not finalize SSL connection with client handle (SSL accept attempt failed because of handshake problems error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate)

I think currently
https://docs.python.org/3/library/ssl.html?highlight=ssl#ssl.create_default_context
will disable SSL2 and SSL3, so perhaps that's the problem. You should be
using TLS 1.2, I think.

Cheers
Alex
--
Public Key Fingerprint = DF94 46EB 7B78 4638 7CCC 018B C78C A29B ACEC FEAE
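The two-mode client described in the opening post, together with the certificate point from the follow-up, as an added example that is neither VF-1's code nor anything from the original posts: normal mode is plain TCP, TLS mode wraps every connection with ssl.create_default_context(), which verifies the chain against the system CA store and checks the hostname (the opposite of gnutls-cli --insecure) and disables SSLv2/v3. The sample menu is constructed; the host and port are the ones from the thread.

```python
import socket
import ssl
import sys

CRLF = b"\r\n"
# Constructed sample of a type-1 menu as it arrives on the wire (not real server output).
SAMPLE_MENU = (b"iWelcome to the wiki\tfake\t(NULL)\t0\r\n"
               b"0About\tAbout\talexschroeder.ch\t7070\r\n.\r\n")

def split_item_path(path):
    """'/0About' -> ('0', 'About'); an empty path is the root menu (type 1)."""
    path = path.lstrip("/")
    return (path[0], path[1:]) if path else ("1", "")

def build_request(selector):
    """A gopher request is just the selector followed by CRLF (RFC 1436)."""
    return selector.encode("utf-8") + CRLF

def make_context():
    """Verifying client context: system CA store, hostname check, SSLv2/v3 off.
    A chain that does not lead to a CA the system trusts (Let's Encrypt for
    the server in the thread) makes the handshake fail instead of proceeding."""
    return ssl.create_default_context()

def describe_context(ctx):
    """The settings that matter, as plain booleans."""
    return {"verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": bool(ctx.check_hostname),
            "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3)}

def connect(host, port, tls, context=None):
    """Normal mode: plain TCP. TLS mode: every connection is wrapped and verified."""
    raw = socket.create_connection((host, port), timeout=15)
    if not tls:
        return raw
    return (context or make_context()).wrap_socket(raw, server_hostname=host)

def fetch(host, port, selector, tls):
    """Send one request and read until the server closes the connection."""
    with connect(host, port, tls) as sock:
        sock.sendall(build_request(selector))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def parse_menu(payload):
    """Type-1 menu -> [(type, display, selector, host, port)]; a lone '.' ends it."""
    items = []
    for line in payload.decode("utf-8", "replace").split("\r\n"):
        if line in ("", "."):
            continue
        fields = line[1:].split("\t") + [""] * 4
        display, selector, host, port = fields[:4]
        items.append((line[0], display, selector, host,
                      int(port) if port.isdigit() else 70))
    return items

if __name__ == "__main__":
    for item in parse_menu(SAMPLE_MENU):          # offline demo on the constructed menu
        print(item)
    if len(sys.argv) >= 4:                         # e.g. alexschroeder.ch 7070 /0About --tls
        _, selector = split_item_path(sys.argv[3])
        body = fetch(sys.argv[1], int(sys.argv[2]), selector, "--tls" in sys.argv)
        print(body.decode("utf-8", "replace"))
```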
barana .
2018-01-22 03:11:17 UTC
Ok so I see people wanting to innovate with gopher and that is very cool, it's part of the reason this group exists.
The problem as I see it is that some of the innovators are talking innovation only in x86/64 and winmacnix world and THE VERY STRENGTH of gopher which is low cpu use low bandwidth gets THROWN out the window in favour of innovations that cannot be utilised on platforms that are perfectly suited for gopher, examples being c64, amiga500, palm devices, newton devices, first gen iphone/blackberry/symbian devices/android devices.
By extending gopher in ways only using x86 cutting edge stuff to void the very strengths of gopher.
I do not oppose innovation and development, what I oppose is an insular "pc is all that matters" fanboy unthinking approach that excludes these platforms that utilize gopher perfectly because the innovator doesn't have a clue.
Nb. Not scathing here, but I think I'm seeing the same pattern that tried to update www, the result being it's only a two horse race these days.
Gopher was left behind because of this attitude, don't leave gopher behind again.
barana .
2018-01-22 04:48:05 UTC
What I see, for those that are interested in it, which is also a big drive of the big two (1+1/2 +1/2 maybe)
Is numbers. Our biggest strength imo can be ..... utilised by picking up those machines that the mainstream ports have left behind with little effort,
Say for example an earlier version of android such as icecream sandwich has been sunsetted.
3rd party devs are no longer supporting it. The browser starts showing its age. Certain advanced features or simple rendering breaks.
We as a community can come on in and provide ports of some gopher client with included bookmarks that enable people to do the things that their unsupported browser won't allow anymore eg. Gopherpedia, www browsing via a proxy, etc etc
It's little work to push out new versions that fix issues etc, but you are now growing your community that has been left behind by the latest and greatest community.
Cameron has shown that this works to a degree with his classilla and 10.4fx projects.
As long as there's a few youtubes on how it can be utilised on older devices to do basics, of which we have several services in the gophersphere already that qualify,
And a new application pops up on old device's appstores and webcommunity...
To convince people, all you'll have to do is show some coloured text and a nice gui and they're onboard.
barana .
2018-01-22 05:34:36 UTC
Ok I've forked this thread, the first half of it is on the tls gopher thread.

All you have to do to start the ball rolling with worldwide coverage is to port a few gopher clients to some exotic (when it comes to the internet) but produced in large numbers devices that cover a broad range of communities. When the gopher community devs these devices and releases a bunch of clients at once, eg say 10, Slashdot/slashdot clones will pick it up and the world will know.
An example portlist
Consoles previously unusable on the net
Bandai pippin
Sony playstation 1 https://www.psxhax.com/threads/connect-playstation-ps1-to-the-internet-with-psxnet-library.216/
Phones eol
Symbian phones 1/2
1st gen iphone
Android v2x phone

Tablets
First ipad
A Palm device

Laptop
Some x86 machine that isn't supported anymore with a current browser
An early pre os9 mac laptop
A few iot devices.
You'll find outside of america that many asian, african, pacific island nations will routinely use machines that are no longer supported, often only with dialup technologies.
There's a huge gopherclient userbase that is out there waiting for a solution to a broken browser.
We innovate and have many solutions from wiki to streaming video to all the innovations we have done so far (you authors know who you are)
It takes a few ports to orphan machines/retro machines to get in the headlines and a few client updates to existing clients to have a _mass_client_release to make the news on slashdot/slashdot clones, a few youtubes showing how easy it is to use gopherpedia/www proxy to make their device usable again

By this we've just informed people that while ff/ie/chrome/safari has abandoned you, we here have a viable service and will embrace you.
Christoph Lohmann
2018-01-21 21:24:45 UTC
Greetings.
Post by Alex Schröder
I've recently added a Gopher interface to my wiki at alexschroeder.ch. As
an experiment, I added TLS support to the server and added it to a client,
too. The client I picked was the simple VF-1 client written in Python.
Basically it has two modes: TLS mode and normal mode. In normal mode, all
connections are considered to be normal; in TLS mode all connections are
considered to be encrypted. I get the feeling that this is better and more
obvious than having gopher and gophers URL schemas, and figuring out how to
integrate SSL into existing Gopher menus.
What do you think?
Your proposal is: Switch over the whole gopherspace to TLS at once. This
removes an easy way to transition between encrypted and unencrypted
gopherspace and may create a split.
* proposal to have a separate port
* proposal to have gophers://
* everyone agreed on this one
* I proposed to sniff on port 70 for the first bytes to be TLS, so no new port
is needed.
* I proposed to simply use tor, which adds encryption (onion services) and
anonymity without any extra software.

We did not get as far as discussing how to apply TLS to the menus.

With a new port assigned we would either only have TLS on that specific
port or reuse gopher+ for some TLS logic. If my sniffing proposal is
applied the client could first try TLS, then plain gopher. If tor is used,
nothing of the above is needed.

For now no need was there to move any content over to any TLS solution.
Instead I have worked on promoting onion services for everyone. This
also reduces the burden for implementing TLS in clients. Have you ever
tried using the openssl API?


Which path do _you_ choose?


Sincerely,

Christoph Lohmann
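The sniff-on-port-70 proposal above, sketched as an added example (not Christoph's code or any real gopher server's): a TLS ClientHello begins with a handshake record header (0x16, then version 0x03 0x0X), while a gopher request is printable text ending in CRLF, so the server can peek at the first bytes without consuming them and upgrade to TLS only when a ClientHello is waiting. The server SSLContext with its certificate chain is assumed to be prepared by the caller; the request in the demo is constructed.

```python
import socket
import ssl

TLS_HANDSHAKE = 0x16   # TLS record content type for a handshake message (ClientHello)

def looks_like_tls(prefix):
    """True when the first bytes are a TLS record header: 0x16, then 0x03 0x0X.
    Gopher selectors are printable text, so a genuine request never starts
    with the control byte 0x16; an empty selector (root menu) starts with CR."""
    return (len(prefix) >= 3 and prefix[0] == TLS_HANDSHAKE
            and prefix[1] == 0x03 and prefix[2] <= 0x04)

def sniff(conn, timeout=5.0):
    """Peek at the first three bytes without consuming them. Both kinds of
    client speak first (ClientHello or selector), so the peek returns quickly;
    a client that sends nothing hits the timeout instead of hanging the server."""
    conn.settimeout(timeout)
    prefix = conn.recv(3, socket.MSG_PEEK)
    return "tls" if looks_like_tls(prefix) else "gopher"

def read_selector(conn, limit=1024):
    """Read one CRLF-terminated selector (plain gopher request), bounded in size."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = conn.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\r\n").decode("utf-8", "replace")

def accept_either(listener, tls_ctx):
    """Accept on port 70; upgrade to TLS only if the client sent a ClientHello.
    tls_ctx: an ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) whose load_cert_chain()
    has already been called (assumed, not shown here)."""
    conn, _ = listener.accept()
    if sniff(conn) == "tls":
        # wrap_socket performs the handshake now, reading the peeked ClientHello.
        return tls_ctx.wrap_socket(conn, server_side=True), True
    return conn, False

def demo_plain_path(request):
    """Run the plain path over a local socketpair with a constructed request
    and return (kind, selector); shows the peek did not consume the bytes."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(request)
        return sniff(server), read_selector(server)

if __name__ == "__main__":
    print(demo_plain_path(b"About\r\n"))   # ('gopher', 'About')
```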
Cameron Kaiser
2018-01-22 02:46:11 UTC
Post by Alex Schröder
You can try it yourself: alexschroeder.ch is the normal site, test it using
your favorite Gopher client. alexschroeder.ch:7070 is the encrypted site,
I think we sorta semiofficially kinda settled on 7443 for gopher over TLS
(7070 I see at least as often as a test port, like 8080 for webservers
back when HTTP was a new thing).
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ***@floodgap.com
-- Due to budget cuts, the light at the end of the tunnel will be turned off. -
kroovy
2018-01-23 11:37:35 UTC
hi folks,

in my humble opinion the onion-service is the better way to choose.
no need to repeat the pro-arguments over TLS that have already been
mentioned here [1].

in addition to that, onion services have a low-bandwidth nature which is
a point at which gopher really shines.

i also think that making gopher popular within the tor-community could
act as a multiplicator to gopher's popularity: they have the low
bandwidth problem that is kinda unsexy and we have the missing-crypto
problem that is kinda unsexy.

a strong synergy could sprout out of that.

greetings,

kroovy

p.s.:
how to set up an onion service is documented here [1][2].
if someone would like to set up an onion service and still has questions,
i can offer some handholding. so if you have questions feel free to
contact me.

[1] gopher://bitreich.org/1/onion
[2] https://www.torproject.org/docs/tor-onion-service.html.en
