git clone git://git.thebackupbox.net/gemini-site
commit 1654da9db10e96e330a03f4e2aa0f9c7334b64d6
Author: Solderpunk 
Date:   Sun Nov 7 13:30:00 2021 +0100

    Mandate use of TLS close_notify.

diff --git a/docs/specification.gmi b/docs/specification.gmi
index c4a2c64c5298036c6c8bc1ffd60d229b90bd74e9..02f87105141dca9c9b0e4b3a26798d5acbb83e55 100644
--- a/docs/specification.gmi
+++ b/docs/specification.gmi
@@ -26,7 +26,7 @@ C:   Sends request (one CRLF terminated line) (see section 2)
 S:   Sends response header (one CRLF terminated line), closes connection
      under non-success conditions (see 3.1 and 3.2)
 S:   Sends response body (text or binary data) (see 3.3)
-S:   Closes connection
+S:   Closes connection (including TLS close_notify, see section 4)
 C:   Handles response (see 3.4)

 ## 1.2 Gemini URI scheme
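Review bot: the close_notify parenthetical is added only to the success-path "S: Closes connection" line, while the earlier "closes connection under non-success conditions (see 3.1 and 3.2)" line in the same overview is left as-is. If the new section 4 requirement is meant to cover every server-initiated close (error responses included), the parenthetical should appear on that line too, or the section 4 text should state explicitly that it applies to both paths; otherwise a reader of the overview will conclude that error responses may be closed without close_notify, which is exactly the case where a client cannot tell a short error response from a truncated one.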
@@ -141,6 +141,8 @@ Use of TLS for Gemini transactions is mandatory.

 Use of the Server Name Indication (SNI) extension to TLS is also mandatory, to facilitate name-based virtual hosting.

+As per RFCs 5246 and 8446, Gemini servers MUST send a TLS `close_notify` prior to closing the connection after sending a complete response.  This is essential to disambiguate completed responses from responses closed prematurely due to network error or attack.
+
 ## 4.1 Version requirements

 Servers MUST use TLS version 1.2 or higher and SHOULD use TLS version 1.3 or higher.  TLS 1.2 is reluctantly permitted for now to avoid drastically reducing the range of available implementation libraries.  Hopefully TLS 1.3 or higher can be specced in the near future.  Clients who wish to be "ahead of the curve MAY refuse to connect to servers using TLS version 1.2 or lower.
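Review bot: the new paragraph puts a MUST on servers to send close_notify but adds no corresponding client-side behaviour, so the stated goal ("disambiguate completed responses from responses closed prematurely due to network error or attack") is only half specified. Consider adding a sentence such as "Clients MUST (or SHOULD) treat a connection that is closed without a close_notify as an incomplete response and not present it as complete" so that the alert actually changes what the client does with a truncated body. Two smaller points: "after sending a complete response" should say whether a header-only error response (closed under 3.1/3.2) counts as complete, since that is the path where truncation is hardest to notice; and, unrelated to this change, the context line below has an unbalanced quotation mark in "ahead of the curve.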
