FYI: Use X509 v3 certificates for Gemini capsules to comply with RFC 8446

I've been working on upgrading TLS code for TLGS. One of the improvments is that besides OpenSSL, Botan can also be used as the underlying TLS library. In the process I discovered one thing. According to RFC, a TLS 1.3 server must send X509 v3 certificates unless explicitly negotiated.

RFC 8446 4.4.2.2
The certificate type MUST be X.509v3 [RFC5280], unless explicitly
negotiated otherwise (e.g., [RFC7250]).

And Botan cares about this. It will not allow v1 certificates to pass the handshake.

During a test run of TLGS with Botan. I constantly get Botan complaining about not getting a v3 certificate. Please upgrade your capsule to be compliant with the RFC. TLGS will still be running with OpenSSL in the future, so it's probably not a big deal. But it's still, please comply with the RFC.


Also, who is abusing TLGS' search API? I keep no logs but I still keep erros. I'm getting a lot of these:

Someone sending a heck of a lot of requests with weird query strings.
Image: Someone sending a heck of a lot of requests with weird query strings.

I don't know who is doing this or where it's coming from. But please stop. I'll start sending 44 Slow Down responses if you keep sending requests like this.

Author's profile. Photo taken in VRChat by my friend Tast+
Martin Chang
Systems software, HPC, GPGPU and AI. I mostly write stupid C++ code. Sometimes does AI research. Chronic VRChat addict

I run TLGS, a major search engine on Gemini. Used by Buran by default.


  • marty1885 \at protonmail.com
  • Matrix: @clehaxze:matrix.clehaxze.tw
  • Jami: a72b62ac04a958ca57739247aa1ed4fe0d11d2df