# Gemini without a client?!

Yeah, it turns out the simplicity of the gemini protocol lends itself to using common unix tools from the command line without too much headache. Here are a couple of them that you can use if you end up on a computer without a proper gemini client but you still want to browse around the wonderful world of Gemini.

If you can think of any others send me an email at ingrix at sdf dot org, I'll add them here.

## Quick list of topics

* openssl s_client
* nmap's ncat
* client certificates

## openssl s_client

A tool included with the openssl package. It is installed almost everywhere.

```
echo -en 'gemini://ingrix.info/index.gmi\r\n' | openssl s_client -ign_eof -servername ingrix.info -connect ingrix.info:1965 | less
# or
echo 'gemini://ingrix.info/index.gmi' | openssl s_client -ign_eof -crlf -servername ingrix.info -connect ingrix.info:1965 | less
```

NOTE: including either a \r\n or the `-crlf` option is essential. You also need `-servername` per the gemini protocol (it's the TLS SNI hostname, if that means anything to you), but a lot of gemini servers don't require it, including ingrix.info.

You'll get extra information about the connection, certificates, and stuff as well, so it's not well suited for non-text transfers. You can also use the `-quiet` and `-verify_quiet` flags to reduce the extra output.

Note: some versions of echo handle escapes and newlines differently. If you're using bash you can also use the `$''` motif to get the proper characters:

```
echo $'gemini://ingrix.info/cgi/ip\r\n' | ...
```

## ncat (from the nmap project)

If you've got nmap installed on your machine you can use ncat, which supports TLS connections:

```
echo $'gemini://ingrix.info/index.gmi\r\n' | ncat --ssl --ssl-servername ingrix.info --no-shutdown ingrix.info 1965
```

This one is better suited to non-text transfers because it doesn't provide any extra output except what you receive over the wire. It does not do much certificate validation, though, so beware of that.

Note: `--no-shutdown` is not strictly necessary but ncat will print a warning to stderr about a closed connection (even on a clean TLS shutdown) if you don't use it.

## Client certificates

Both of the clients listed above support using client certificates if those are needed for your particular page:

```
# openssl s_client
echo 'gemini://ingrix.info/index.gmi' | openssl s_client -cert cert.pem -key key.pem -ign_eof -crlf -servername ingrix.info -connect ingrix.info:1965 | less
# ncat
echo $'gemini://ingrix.info/index.gmi\r\n' | ncat --ssl --ssl-cert cert.pem --ssl-key key.pem --ssl-servername ingrix.info --no-shutdown ingrix.info 1965
```

If you need to generate a certificate you can use openssl (which you'd probably do anyway):

```
# both commands prompt for a passphrase to encrypt key.pem (-nodes skips the encryption)
# generates a 4096-bit RSA key
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -subj "/"
# generates an ed25519 key
openssl req -x509 -newkey ed25519 -keyout key.pem -out cert.pem -sha256 -days 3650 -subj "/"
```
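
The certificate-validation caveat above matters for these one-liners because neither remembers which certificate a server presented last time. Gemini clients usually handle that with trust-on-first-use (TOFU) pinning; the following is an added example, not part of the original page, that wraps the `openssl s_client` fetch in such a check. The store path, its `host:port fingerprint` line format and the function names are assumptions of this example.

```bash
# Added example: TOFU pinning around the openssl s_client fetch shown above.
# KNOWN_HOSTS, the store format and all function names are assumptions.
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.gemini_known_hosts}"

# Print the SHA-256 fingerprint of the certificate that host[:port] presents.
gemini_fingerprint() {  # usage: gemini_fingerprint host [port]
    openssl s_client -servername "$1" -connect "$1:${2:-1965}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Check a fingerprint against the pin stored for "host:port".
# First contact records the pin and succeeds; later calls succeed only if
# the fingerprint is unchanged. Returns 1 on mismatch.
tofu_check() {  # usage: tofu_check host:port fingerprint [store]
    store="${3:-$KNOWN_HOSTS}"
    [ -f "$store" ] || : > "$store"
    pinned=$(awk -v k="$1" '$1 == k { print $2; exit }' "$store")
    if [ -z "$pinned" ]; then
        printf '%s %s\n' "$1" "$2" >> "$store"
        return 0
    fi
    [ "$pinned" = "$2" ]
}

# Fetch gemini://host/path only if the server still presents the pinned cert.
# The pin is checked on a separate connection from the request itself, so this
# is a sanity check for ad-hoc use, not a replacement for a real client.
gemini_get() {  # usage: gemini_get host /path
    fp=$(gemini_fingerprint "$1") || return 1
    [ -n "$fp" ] || { echo "no certificate received from $1" >&2; return 1; }
    tofu_check "$1:1965" "$fp" || {
        echo "certificate for $1 differs from the pinned one, not fetching" >&2
        return 1
    }
    printf 'gemini://%s%s\r\n' "$1" "$2" |
        openssl s_client -quiet -verify_quiet -servername "$1" -connect "$1:1965" 2>/dev/null
}
```

Call it as `gemini_get ingrix.info /index.gmi | less`. To accept a certificate that was legitimately renewed, delete that host's line from the store file and fetch again.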