Many capsules don't send TLS close_notify
Recently, Agunua started to throw an error when connecting to certain Gemini capsules:
OpenSSL.SSL.Error: [('SSL routines', '', 'unexpected eof while reading')]
It turns out that this has to do with the release of OpenSSL 3. OpenSSL no longer tolerates TLS connections that don't shut down with a close_notify message, as per the TLS specification. So now things will break (as they should!) until people fix their servers. This is hitting Gemini hard, and it's affecting the web as well:
OpenSSL can not tell that all data was received or not if the close_notify is not received. It looks like a truncation attack to OpenSSL, so it's reporting that error.
Stéphane Bortzmeyer graciously added detection of this issue to Lupa, which now provides a list of affected hosts:
The list is not yet complete, since this is a new feature and Lupa didn't get to check most of Geminispace. But I did. Here is a more complete list, for the time being:
That's 115 hosts, around 5%-10% of known hosts in Geminispace (depending on whether you count subdomains for services like flounder.online). Lupa currently estimates 3.3% of capsules are affected, and that number is growing as the scan progresses:
Call to action
If your capsule is on the list, first make sure that your server software is up to date. If it is, then please:
- report this issue to its developer
- let me know, so that I can make a list of broken server software
You can test your server using Agunua's command line tool:
pip install agunua
agunua tilde.team
You can also use this command:
printf "gemini://tilde.team/\r\n" | openssl s_client -ign_eof -connect tilde.team:1965
(The last line should say "closed" to indicate that close_notify was sent. Otherwise, you should get an error: "...unexpected eof while reading...".)
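As an added example (not part of the original post, and not Agunua's own code), here is a small standard-library Python checker that does the same thing as the openssl command above: it fetches gemini://host/ and reads with suppress_ragged_eofs=False, so that a server tearing down the TCP connection without close_notify is reported instead of being silently treated as end of stream. The host name and port below are only placeholders.

```python
import socket
import ssl
import sys

GEMINI_PORT = 1965


def read_until_eof(tls_sock):
    """Read the whole response and report how the peer ended the session.

    Returns (data, close_notify_received). With suppress_ragged_eofs=False,
    a TCP close without close_notify is raised by Python as ssl.SSLEOFError
    (OpenSSL 3: "unexpected eof while reading"); a clean close_notify makes
    recv() return b"". A connection reset also means no close_notify.
    """
    chunks = []
    while True:
        try:
            chunk = tls_sock.recv(4096)
        except (ssl.SSLEOFError, ConnectionResetError):
            return b"".join(chunks), False
        if not chunk:
            return b"".join(chunks), True
        chunks.append(chunk)


def check_close_notify(host, port=GEMINI_PORT, timeout=10):
    """Fetch gemini://host/ and report whether the server sent close_notify."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Gemini capsules use TOFU with self-signed certificates. This check is
    # only about shutdown behaviour, so certificate validation is skipped.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # suppress_ragged_eofs=False: a missing close_notify becomes an
        # error instead of looking like a normal end of stream.
        with ctx.wrap_socket(raw, server_hostname=host,
                             suppress_ragged_eofs=False) as tls:
            tls.sendall(f"gemini://{host}/\r\n".encode())
            data, clean = read_until_eof(tls)
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return {"host": host, "status_line": status_line, "close_notify": clean}


if __name__ == "__main__":
    # Placeholder host; pass your own capsule's host name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    print(check_close_notify(target))
```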
Or you can check from a web browser, using:
You'll need to click "[view cert]". Example:
Let's fix this!
Further reading:
Replies:
_____________________
Published: 2022-12-17
Updated: 2022-12-19