commit 9d9fb3d31becaa37ecfb6a3a30acc1d0f40b3c8b
parent 309da06208513a3d62dd3edf65c95352739738ad
Author: Johann150 <johann.galle@protonmail.com>
Date: Tue, 9 Feb 2021 19:52:29 +0100
resolve merge conflicts
Diffstat:
3 files changed, 67 insertions(+), 0 deletions(-)
diff --git a/README.md b/README.md
@@ -52,6 +52,10 @@ When a client requests the URL `gemini://example.com/foo/bar`, Agate will respon
## Configuration
+### TLS versions
+
+Agate by default supports TLSv1.2 and TLSv1.3. You can disable support for TLSv1.2 by using the flag `--only-tls13` (or its short version `-3`). This is *NOT RECOMMENDED* as it may break compatibility with some clients. The Gemini specification requires compatibility with TLSv1.2 "for now" because not all platforms have good support for TLSv1.3 (cf. ยง4.1 of the specification).
+
### Directory listing
You can enable a basic directory listing for a directory by putting a file called `.directory-listing-ok` in that directory. This does not have an effect on subdirectories.
diff --git a/src/main.rs b/src/main.rs
@@ -74,6 +74,7 @@ struct Args {
silent: bool,
serve_secret: bool,
log_ips: bool,
+ only_tls13: bool,
}
fn args() -> Result<Args> {
@@ -118,6 +119,11 @@ fn args() -> Result<Args> {
opts.optflag("s", "silent", "Disable logging output");
opts.optflag("h", "help", "Print this help menu");
opts.optflag(
+ "3",
+ "only-tls13",
+ "Only use TLSv1.3 (default also allows TLSv1.2)",
+ );
+ opts.optflag(
"",
"serve-secret",
"Enable serving secret files (files/directories starting with a dot)",
@@ -153,6 +159,7 @@ fn args() -> Result<Args> {
silent: matches.opt_present("s"),
serve_secret: matches.opt_present("serve-secret"),
log_ips: matches.opt_present("log-ip"),
+ only_tls13: matches.opt_present("only-tls13"),
})
}
@@ -175,6 +182,9 @@ fn acceptor() -> Result<TlsAcceptor> {
let mut keys = pkcs8_private_keys(&mut BufReader::new(key_file)).or(Err("bad key"))?;
let mut config = ServerConfig::new(NoClientAuth::new());
+ if ARGS.only_tls13 {
+ config.versions = vec![rustls::ProtocolVersion::TLSv1_3];
+ }
config.set_single_cert(certs, keys.remove(0))?;
Ok(TlsAcceptor::from(Arc::new(config)))
}
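Review bot: The `if ARGS.only_tls13` branch pins the version list only for the restricted case, while the default (TLSv1.2 + TLSv1.3) that the README now documents is left to whatever `ServerConfig::new` happens to put in `versions`, so a rustls upgrade could silently change what the server offers. Making both arms explicit pins the documented contract: `config.versions = if ARGS.only_tls13 { vec![rustls::ProtocolVersion::TLSv1_3] } else { vec![rustls::ProtocolVersion::TLSv1_2, rustls::ProtocolVersion::TLSv1_3] };`, with a comment such as `// Gemini spec still requires TLSv1.2; --only-tls13 opts out of it.` Since `ServerConfig` and `NoClientAuth` are used unqualified here, `ProtocolVersion` could presumably join the existing rustls import instead of the inline path, if that import is where those names come from. acceptor() starts before this hunk.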
diff --git a/tools/freebsd/startup.sh b/tools/freebsd/startup.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: agate
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add these lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# agate_enable (bool): Set to NO by default.
+# Set it to YES to enable agate.
+# agate_user: default www
+# agate_content: default /usr/local/www/gemini
+# agate_key: default /usr/local/etc/gemini/ssl/key.rsa
+# agate_cert: default /usr/local/etc/gemini/ssl/cert.pem
+# agate_hostname: e.g., gemini.example.tld, default hostname
+# agate_addr: default [::], listen on IPV4 and IPV6
+# agate_port: default 1965
+# agate_lang: default en_US
+# agate_logfile: default /var/log/gemini/agate.log
+
+. /etc/rc.subr
+
+desc="Agate Gemini server"
+name=agate
+rcvar=$name_enable
+
+load_rc_config $name
+
+: ${agate_enable:="NO"}
+: ${agate_user:="www"}
+: ${agate_content:="/usr/local/www/gemini/"}
+: ${agate_key:="/usr/local/etc/gemini/ssl/key.rsa"}
+: ${agate_cert:="/usr/local/etc/gemini/ssl/cert.pem"}
+: ${agate_hostname:=`uname -n`}
+: ${agate_addr:="[::]"}
+: ${agate_port:="1965"}
+: ${agate_lang:="en-US"}
+: ${agate_logfile:="/var/log/gemini/agate.log"}
+
+agate_user=${agate_user}
+
+command="/usr/local/bin/agate"
+command_args="--content ${agate_content} \
+ --key ${agate_key} \
+ --cert ${agate_cert} \
+ --addr ${agate_addr}:${agate_port} \
+ --hostname ${agate_hostname} \
+ --lang ${agate_lang} >> ${agate_logfile} 2>&1 &"
+
+run_rc_command "$1"
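Review bot: `rcvar=$name_enable` expands an undefined variable named `name_enable`, so `rcvar` ends up empty and `run_rc_command` will not honour `agate_enable`; it should read `rcvar="${name}_enable"` (or simply `rcvar=agate_enable`). The header comment documents the `agate_lang` default as `en_US` while the `: ${agate_lang:="en-US"}` line sets `en-US`; one of the two should change so the documented default matches. `agate_user=${agate_user}` is a no-op self-assignment and can be dropped, since rc.subr picks up `${name}_user` by itself as far as I can tell. Note also that with `${name}_user` set the `>> ${agate_logfile} 2>&1` redirection in `command_args` is presumably performed as that user, so `/var/log/gemini/agate.log` must be writable by `www` or the service will fail to start; the unquoted expansions in `command_args` would additionally break on any path containing whitespace.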