Add link to ogirinal in readme

Export TLS & remove conn in request struct
This makes it possible to fully create another request outside of this module (which Hnakra will need) and has better parity with net/http.
2023-05-26 00:45:08 -04:00 · 2023-05-26 00:38:12 -04:00 · 2023-05-26 00:37:56 -04:00 · 2023-05-25 18:45:53 -04:00 · 2023-05-25 18:27:52 -04:00 · 2022-05-07 13:54:56 -04:00
34 changed files with 2665 additions and 1213 deletions
--- a/.build.yml
+++ b/.build.yml
@ -0,0 +1,9 @@
 image: alpine/edge
 packages:
 - go
 sources:
 - https://git.sr.ht/~adnano/go-gemini
 tasks:
 - test: |
    cd go-gemini
    go test ./...
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +0,0 @@
 *.crt
 *.key
--- a/64
+++ b/64
@ -1,51 +1,19 @@
-go-gemini is available under the terms of the MIT license:
+Copyright (c) 2020 Adnan Maolood
-	Copyright (c) 2020 Adnan Maolood
+Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-	Permission is hereby granted, free of charge, to any person obtaining a copy
+The above copyright notice and this permission notice shall be included in all
-	of this software and associated documentation files (the "Software"), to deal
+copies or substantial portions of the Software.
 	in the Software without restriction, including without limitation the rights
 	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 	copies of the Software, and to permit persons to whom the Software is
 	furnished to do so, subject to the following conditions:
-	The above copyright notice and this permission notice shall be included in all
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-	copies or substantial portions of the Software.
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+SOFTWARE.
 	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 	SOFTWARE.
 Portions of this program were taken from Go:
 	Copyright (c) 2009 The Go Authors. All rights reserved.
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are
 	met:
 	   * Redistributions of source code must retain the above copyright
 	notice, this list of conditions and the following disclaimer.
 	   * Redistributions in binary form must reproduce the above
 	copyright notice, this list of conditions and the following disclaimer
 	in the documentation and/or other materials provided with the
 	distribution.
 	   * Neither the name of Google Inc. nor the names of its
 	contributors may be used to endorse or promote products derived from
 	this software without specific prior written permission.
 	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 	LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 	A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 	OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 	LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 	OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/27
+++ b/27
@ -0,0 +1,27 @@
 Copyright (c) 2009 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/README.md
+++ b/README.md
@ -1,14 +1,21 @@
 # go-gemini
-[![godocs.io](https://godocs.io/git.sr.ht/~adnano/go-gemini?status.svg)](https://godocs.io/git.sr.ht/~adnano/go-gemini)
+This repository is a fork of [go-gemini](https://godocs.io/git.sr.ht/~adnano/go-gemini)
 implementing better parity with net/http and some tweaks required for use in
 [Hnakra](https://git.tebibyte.media/sashakoshka/hnakra).
-Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space) in Go.
+Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space)
 in Go. It provides an API similar to that of net/http to facilitate the
 development of Gemini clients and servers.
-It aims to provide an API similar to that of net/http to make it easy to develop Gemini clients and servers.
+Compatible with version v0.16.0 of the Gemini specification.
 ## Usage
-	import "git.sr.ht/~adnano/go-gemini"
+	import "git.tebibyte.media/sashakoshka/go-gemini"
 Note that some filesystem-related functionality is only available on Go 1.16
 or later as it relies on the io/fs package.
 ## Examples
@ -17,8 +24,8 @@ To run an example:
 	go run examples/server.go
-## Contributing
+## License
-Send patches and questions to [~adnano/go-gemini-devel](https://lists.sr.ht/~adnano/go-gemini-devel).
+go-gemini is licensed under the terms of the MIT license (see LICENSE).
-
+Portions of this library were adapted from Go and are governed by a BSD-style
-Subscribe to release announcements on [~adnano/go-gemini-announce](https://lists.sr.ht/~adnano/go-gemini-announce).
+license (see LICENSE-GO). Those files are marked accordingly.
--- a/certificate/create.go
+++ b/certificate/create.go
@ -1,4 +1,5 @@
-package gemini
+// Package certificate provides functions for creating and storing TLS certificates.
 package certificate
 import (
 	"crypto"
@ -13,113 +14,20 @@ import (
 	"math/big"
 	"net"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 )
-// CertificateDir maps certificate scopes to certificates.
+// CreateOptions configures the creation of a TLS certificate.
-type CertificateStore map[string]tls.Certificate
+type CreateOptions struct {
 // CertificateDir represents a certificate store optionally loaded from a directory.
 // The zero value of CertificateDir is an empty store ready to use.
 //
 // CertificateDir is safe for concurrent use by multiple goroutines.
 type CertificateDir struct {
 	CertificateStore
 	dir  bool
 	path string
 	mu   sync.RWMutex
 }
 // Add adds a certificate for the given scope to the store.
 // It tries to parse the certificate if it is not already parsed.
 func (c *CertificateDir) Add(scope string, cert tls.Certificate) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if c.CertificateStore == nil {
 		c.CertificateStore = CertificateStore{}
 	}
 	// Parse certificate if not already parsed
 	if cert.Leaf == nil {
 		parsed, err := x509.ParseCertificate(cert.Certificate[0])
 		if err == nil {
 			cert.Leaf = parsed
 		}
 	}
 	c.CertificateStore[scope] = cert
 }
 // Write writes the provided certificate to the certificate directory.
 func (c *CertificateDir) Write(scope string, cert tls.Certificate) error {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 	if c.dir {
 		// Escape slash character
 		scope = strings.ReplaceAll(scope, "/", ":")
 		certPath := filepath.Join(c.path, scope+".crt")
 		keyPath := filepath.Join(c.path, scope+".key")
 		if err := WriteCertificate(cert, certPath, keyPath); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Lookup returns the certificate for the given scope.
 func (c *CertificateDir) Lookup(scope string) (tls.Certificate, bool) {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 	cert, ok := c.CertificateStore[scope]
 	return cert, ok
 }
 // Load loads certificates from the given path.
 // The path should lead to a directory containing certificates and private keys
 // in the form scope.crt and scope.key.
 // For example, the hostname "localhost" would have the corresponding files
 // localhost.crt (certificate) and localhost.key (private key).
 // New certificates will be written to this directory.
 func (c *CertificateDir) Load(path string) error {
 	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
 	if err != nil {
 		return err
 	}
 	for _, crtPath := range matches {
 		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
 		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
 		if err != nil {
 			continue
 		}
 		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
 		// Unescape slash character
 		scope = strings.ReplaceAll(scope, ":", "/")
 		c.Add(scope, cert)
 	}
 	c.SetDir(path)
 	return nil
 }
 // SetDir sets the directory that new certificates will be written to.
 func (c *CertificateDir) SetDir(path string) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.dir = true
 	c.path = path
 }
 // CertificateOptions configures the creation of a certificate.
 type CertificateOptions struct {
 	// Subject Alternate Name values.
 	// Should contain the IP addresses that the certificate is valid for.
 	IPAddresses []net.IP
 	// Subject Alternate Name values.
 	// Should contain the DNS names that this certificate is valid for.
 	// E.g. example.com, *.example.com
 	DNSNames []string
 	// Subject Alternate Name values.
 	// Should contain the IP addresses that the certificate is valid for.
 	IPAddresses []net.IP
 	// Subject specifies the certificate Subject.
 	//
 	// Subject.CommonName can contain the DNS name that this certificate
@ -136,8 +44,8 @@ type CertificateOptions struct {
 	Ed25519 bool
 }
-// CreateCertificate creates a new TLS certificate.
+// Create creates a new TLS certificate.
-func CreateCertificate(options CertificateOptions) (tls.Certificate, error) {
+func Create(options CreateOptions) (tls.Certificate, error) {
 	crt, priv, err := newX509KeyPair(options)
 	if err != nil {
 		return tls.Certificate{}, err
@ -150,7 +58,7 @@ func CreateCertificate(options CertificateOptions) (tls.Certificate, error) {
 }
 // newX509KeyPair creates and returns a new certificate and private key.
-func newX509KeyPair(options CertificateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
+func newX509KeyPair(options CreateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
 	var pub crypto.PublicKey
 	var priv crypto.PrivateKey
 	if options.Ed25519 {
@ -206,9 +114,9 @@ func newX509KeyPair(options CertificateOptions) (*x509.Certificate, crypto.Priva
 	return cert, priv, nil
 }
-// WriteCertificate writes the provided certificate and private key
+// Write writes the provided certificate and its private key
 // to certPath and keyPath respectively.
-func WriteCertificate(cert tls.Certificate, certPath, keyPath string) error {
+func Write(cert tls.Certificate, certPath, keyPath string) error {
 	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
--- a/certificate/store.go
+++ b/certificate/store.go
@ -0,0 +1,207 @@
 package certificate
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 )
 // A Store represents a TLS certificate store.
 // The zero value for Store is an empty store ready to use.
 //
 // Store can be used to store server certificates.
 // Servers should provide a hostname or wildcard pattern as a certificate scope.
 // Servers will most likely use the methods Register, Load and Get.
 //
 // Store can also be used to store client certificates.
 // Clients should provide a hostname as a certificate scope.
 // Clients will most likely use the methods Add, Load, and Lookup.
 //
 // Store is safe for concurrent use by multiple goroutines.
 type Store struct {
 	// CreateCertificate, if not nil, is called by Get to create a new
 	// certificate to replace a missing or expired certificate.
 	// The provided scope is suitable for use in a certificate's DNSNames.
 	CreateCertificate func(scope string) (tls.Certificate, error)
 	scopes map[string]struct{}
 	certs  map[string]tls.Certificate
 	path   string
 	mu     sync.RWMutex
 }
 // Register registers the provided scope with the certificate store.
 // The scope can either be a hostname or a wildcard pattern (e.g. "*.example.com").
 // To accept all hostnames, use the special pattern "*".
 //
 // Calls to Get will only succeed for registered scopes.
 // Other methods are not affected.
 func (s *Store) Register(scope string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.scopes == nil {
 		s.scopes = make(map[string]struct{})
 	}
 	s.scopes[scope] = struct{}{}
 }
 // Add registers the certificate for the given scope.
 // If a certificate already exists for scope, Add will overwrite it.
 func (s *Store) Add(scope string, cert tls.Certificate) error {
 	// Parse certificate if not already parsed
 	if cert.Leaf == nil {
 		parsed, err := x509.ParseCertificate(cert.Certificate[0])
 		if err != nil {
 			return err
 		}
 		cert.Leaf = parsed
 	}
 	if err := s.write(scope, cert); err != nil {
 		return err
 	}
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.certs == nil {
 		s.certs = make(map[string]tls.Certificate)
 	}
 	s.certs[scope] = cert
 	return nil
 }
 func (s *Store) write(scope string, cert tls.Certificate) error {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	if s.path != "" {
 		certPath := filepath.Join(s.path, scope+".crt")
 		keyPath := filepath.Join(s.path, scope+".key")
 		if err := Write(cert, certPath, keyPath); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Get retrieves a certificate for the given hostname.
 // If no matching scope has been registered, Get returns an error.
 // Get generates new certificates as needed and rotates expired certificates.
 // It calls CreateCertificate to create a new certificate if it is not nil,
 // otherwise it creates certificates with a duration of 100 years.
 //
 // Get is suitable for use in a gemini.Server's GetCertificate field.
 func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	s.mu.RLock()
 	_, ok := s.scopes[hostname]
 	if !ok {
 		// Try wildcard
 		wildcard := strings.SplitN(hostname, ".", 2)
 		if len(wildcard) == 2 {
 			hostname = "*." + wildcard[1]
 			_, ok = s.scopes[hostname]
 		}
 	}
 	if !ok {
 		// Try "*"
 		_, ok = s.scopes["*"]
 	}
 	if !ok {
 		s.mu.RUnlock()
 		return nil, errors.New("unrecognized scope")
 	}
 	cert := s.certs[hostname]
 	s.mu.RUnlock()
 	// If the certificate is empty or expired, generate a new one.
 	if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) {
 		var err error
 		cert, err = s.createCertificate(hostname)
 		if err != nil {
 			return nil, err
 		}
 		if err := s.Add(hostname, cert); err != nil {
 			return nil, fmt.Errorf("failed to add certificate for %s: %w", hostname, err)
 		}
 	}
 	return &cert, nil
 }
 // Lookup returns the certificate for the provided scope.
 func (s *Store) Lookup(scope string) (tls.Certificate, bool) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	cert, ok := s.certs[scope]
 	return cert, ok
 }
 func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 	if s.CreateCertificate != nil {
 		return s.CreateCertificate(scope)
 	}
 	return Create(CreateOptions{
 		DNSNames: []string{scope},
 		Subject: pkix.Name{
 			CommonName: scope,
 		},
 		Duration: 100 * 365 * 24 * time.Hour,
 	})
 }
 // Load loads certificates from the provided path.
 // New certificates will be written to this path.
 // The path should lead to a directory containing certificates
 // and private keys named "scope.crt" and "scope.key" respectively,
 // where "scope" is the scope of the certificate.
 func (s *Store) Load(path string) error {
 	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
 		return err
 	}
 	path = filepath.Clean(path)
 	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
 	if err != nil {
 		return err
 	}
 	for _, crtPath := range matches {
 		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
 		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
 		if err != nil {
 			continue
 		}
 		scope := strings.TrimPrefix(crtPath, path)
 		scope = strings.TrimPrefix(scope, "/")
 		scope = strings.TrimSuffix(scope, ".crt")
 		s.Add(scope, cert)
 	}
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.path = path
 	return nil
 }
 // Entries returns a map of scopes to certificates.
 func (s *Store) Entries() map[string]tls.Certificate {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	certs := make(map[string]tls.Certificate)
 	for key := range s.certs {
 		certs[key] = s.certs[key]
 	}
 	return certs
 }
 // SetPath sets the path that new certificates will be written to.
 func (s *Store) SetPath(path string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.path = filepath.Clean(path)
 }
--- a/client.go
+++ b/client.go
@ -1,55 +1,106 @@
 package gemini
 import (
 	"bufio"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"net"
-	"strings"
+	"net/url"
-	"time"
+	"unicode/utf8"
 	"golang.org/x/net/idna"
 )
-// Client is a Gemini client.
+// A Client is a Gemini client. Its zero value is a usable client.
 type Client struct {
-	// TrustCertificate is called to determine whether the client
+	// TrustCertificate is called to determine whether the client should
-	// should trust the certificate provided by the server.
+	// trust the certificate provided by the server.
-	// If TrustCertificate is nil, the client will accept any certificate.
+	// If TrustCertificate is nil or returns nil, the client will accept
-	// If the returned error is not nil, the certificate will not be trusted
+	// any certificate. Otherwise, the certificate will not be trusted
 	// and the request will be aborted.
 	//
 	// See the tofu submodule for an implementation of trust on first use.
 	TrustCertificate func(hostname string, cert *x509.Certificate) error
-	// Timeout specifies a time limit for requests made by this
+	// DialContext specifies the dial function for creating TCP connections.
-	// Client. The timeout includes connection time and reading
+	// If DialContext is nil, the client dials using package net.
-	// the response body. The timer remains running after
+	DialContext func(ctx context.Context, network, addr string) (net.Conn, error)
 	// Get and Do return and will interrupt reading of the Response.Body.
 	//
 	// A Timeout of zero means no timeout.
 	Timeout time.Duration
 }
-// Get performs a Gemini request for the given URL.
+// Get sends a Gemini request for the given URL.
-func (c *Client) Get(url string) (*Response, error) {
+// The context controls the entire lifetime of a request and its response:
 // obtaining a connection, sending the request, and reading the response
 // header and body.
 //
 // An error is returned if there was a Gemini protocol error.
 // A non-2x status code doesn't cause an error.
 //
 // If the returned error is nil, the user is expected to close the Response.
 //
 // For more control over requests, use NewRequest and Client.Do.
 func (c *Client) Get(ctx context.Context, url string) (*Response, error) {
 	req, err := NewRequest(url)
 	if err != nil {
 		return nil, err
 	}
-	return c.Do(req)
+	return c.Do(ctx, req)
 }
-// Do performs a Gemini request and returns a Gemini response.
+// Do sends a Gemini request and returns a Gemini response.
-func (c *Client) Do(req *Request) (*Response, error) {
+// The context controls the entire lifetime of a request and its response:
-	// Extract hostname
+// obtaining a connection, sending the request, and reading the response
-	colonPos := strings.LastIndex(req.Host, ":")
+// header and body.
-	if colonPos == -1 {
+//
-		colonPos = len(req.Host)
+// An error is returned if there was a Gemini protocol error.
 // A non-2x status code doesn't cause an error.
 //
 // If the returned error is nil, the user is expected to close the Response.
 func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {
 	if ctx == nil {
 		panic("nil context")
 	}
-	hostname := req.Host[:colonPos]
+
 	// Punycode request URL host
 	host, port := splitHostPort(req.URL.Host)
 	punycode, err := punycodeHostname(host)
 	if err != nil {
 		return nil, err
 	}
 	if host != punycode {
 		host = punycode
 		// Copy the URL and update the host
 		u := new(url.URL)
 		*u = *req.URL
 		u.Host = net.JoinHostPort(host, port)
 		// Use the new URL in the request so that the server gets
 		// the punycoded hostname
 		r := new(Request)
 		*r = *req
 		r.URL = u
 		req = r
 	}
 	// Use request host if provided
 	if req.Host != "" {
 		host, port = splitHostPort(req.Host)
 		host, err = punycodeHostname(host)
 		if err != nil {
 			return nil, err
 		}
 	}
 	addr := net.JoinHostPort(host, port)
 	// Connect to the host
-	config := &tls.Config{
+	conn, err := c.dialContext(ctx, "tcp", addr)
 	if err != nil {
 		return nil, err
 	}
 	// Setup TLS
 	conn = tls.Client(conn, &tls.Config{
 		InsecureSkipVerify: true,
 		MinVersion:         tls.VersionTLS12,
 		GetClientCertificate: func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
@ -59,73 +110,108 @@ func (c *Client) Do(req *Request) (*Response, error) {
 			return &tls.Certificate{}, nil
 		},
 		VerifyConnection: func(cs tls.ConnectionState) error {
-			return c.verifyConnection(req, cs)
+			return c.verifyConnection(cs, host)
 		},
-		ServerName: hostname,
+		ServerName: host,
 	})
 	type result struct {
 		resp *Response
 		err  error
 	}
-	// Set connection context
+
-	ctx := req.Context
+	res := make(chan result, 1)
-	if ctx == nil {
+	go func() {
-		ctx = context.Background()
+		resp, err := c.do(ctx, conn, req)
-	}
+		res <- result{resp, err}
-	netConn, err := (&net.Dialer{}).DialContext(ctx, "tcp", req.Host)
+	}()
-	if err != nil {
+
-		return nil, err
+	select {
-	}
+	case <-ctx.Done():
-	conn := tls.Client(netConn, config)
+		conn.Close()
-	// Set connection deadline
+		return nil, ctx.Err()
-	if c.Timeout != 0 {
+	case r := <-res:
-		err := conn.SetDeadline(time.Now().Add(c.Timeout))
+		if r.err != nil {
-		if err != nil {
+			conn.Close()
 			return nil, fmt.Errorf(
 				"failed to set connection deadline: %w", err)
 		}
 		return r.resp, r.err
 	}
 }
 func (c *Client) do(ctx context.Context, conn net.Conn, req *Request) (*Response, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	done := ctx.Done()
 	w := &contextWriter{
 		ctx:    ctx,
 		done:   done,
 		cancel: cancel,
 		wc:     conn,
 	}
 	rc := &contextReader{
 		ctx:    ctx,
 		done:   done,
 		cancel: cancel,
 		rc:     conn,
 	}
 	// Write the request
-	w := bufio.NewWriter(conn)
+	if _, err := req.WriteTo(w); err != nil {
 	err = req.Write(w)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to write request data: %w", err)
 	}
 	if err := w.Flush(); err != nil {
 		return nil, err
 	}
 	// Read the response
-	resp, err := ReadResponse(conn)
+	resp, err := ReadResponse(rc)
 	if err != nil {
 		return nil, err
 	}
-	// Store connection state
+	resp.conn = conn
 	resp.TLS = conn.ConnectionState()
 	return resp, nil
 }
-func (c *Client) verifyConnection(req *Request, cs tls.ConnectionState) error {
+func (c *Client) dialContext(ctx context.Context, network, addr string) (net.Conn, error) {
-	// Verify the hostname
+	if c.DialContext != nil {
-	var hostname string
+		return c.DialContext(ctx, network, addr)
 	if host, _, err := net.SplitHostPort(req.Host); err == nil {
 		hostname = host
 	} else {
 		hostname = req.Host
 	}
 	cert := cs.PeerCertificates[0]
 	if err := verifyHostname(cert, hostname); err != nil {
 		return err
 	}
 	// Check expiration date
 	if !time.Now().Before(cert.NotAfter) {
 		return errors.New("gemini: certificate expired")
 	}
 	return (&net.Dialer{}).DialContext(ctx, network, addr)
 }
 func (c *Client) verifyConnection(cs tls.ConnectionState, hostname string) error {
 	// See if the client trusts the certificate
 	if c.TrustCertificate != nil {
 		cert := cs.PeerCertificates[0]
 		return c.TrustCertificate(hostname, cert)
 	}
 	return nil
 }
 func splitHostPort(hostport string) (host, port string) {
 	var err error
 	host, port, err = net.SplitHostPort(hostport)
 	if err != nil {
 		// Likely no port
 		host = hostport
 		port = "1965"
 	}
 	return
 }
 func isASCII(s string) bool {
 	for i := 0; i < len(s); i++ {
 		if s[i] >= utf8.RuneSelf {
 			return false
 		}
 	}
 	return true
 }
 // punycodeHostname returns the punycoded version of hostname.
 func punycodeHostname(hostname string) (string, error) {
 	if net.ParseIP(hostname) != nil {
 		return hostname, nil
 	}
 	if isASCII(hostname) {
 		return hostname, nil
 	}
 	return idna.Lookup.ToASCII(hostname)
 }
--- a/doc.go
+++ b/doc.go
@ -1,17 +1,15 @@
 /*
-Package gemini implements the Gemini protocol.
+Package gemini provides Gemini client and server implementations.
 Client is a Gemini client.
 	client := &gemini.Client{}
-	resp, err := client.Get("gemini://example.com")
+	ctx := context.Background()
 	resp, err := client.Get(ctx, "gemini://example.com")
 	if err != nil {
 		// handle error
 	}
-	if resp.Body != nil {
+	defer resp.Body.Close()
 		defer resp.Body.Close()
 		// ...
 	}
 	// ...
 Server is a Gemini server.
@ -23,26 +21,33 @@ Server is a Gemini server.
 Servers should be configured with certificates:
-	err := server.Certificates.Load("/var/lib/gemini/certs")
+	certificates := &certificate.Store{}
 	certificates.Register("localhost")
 	err := certificates.Load("/var/lib/gemini/certs")
 	if err != nil {
 		// handle error
 	}
 	server.GetCertificate = certificates.Get
-Servers can accept requests for multiple hosts and schemes:
+Mux is a Gemini request multiplexer.
 Mux can handle requests for multiple hosts and paths.
-	server.RegisterFunc("example.com", func(w *gemini.ResponseWriter, r *gemini.Request) {
+	mux := &gemini.Mux{}
 	mux.HandleFunc("example.com", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Welcome to example.com")
 	})
-	server.RegisterFunc("example.org", func(w *gemini.ResponseWriter, r *gemini.Request) {
+	mux.HandleFunc("example.org/about.gmi", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-		fmt.Fprint(w, "Welcome to example.org")
+		fmt.Fprint(w, "About example.org")
 	})
-	server.RegisterFunc("http://example.net", func(w *gemini.ResponseWriter, r *gemini.Request) {
+	mux.HandleFunc("/images/", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-		fmt.Fprint(w, "Proxied content from http://example.net")
+		w.WriteHeader(gemini.StatusGone, "Gone forever")
 	})
 	server.Handler = mux
 To start the server, call ListenAndServe:
-	err := server.ListenAndServe()
+	ctx := context.Background()
 	err := server.ListenAndServe(ctx)
 	if err != nil {
 		// handle error
 	}
--- a/examples/auth.go
+++ b/examples/auth.go
@ -3,15 +3,15 @@
 package main
 import (
 	"context"
 	"crypto/sha512"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
 	"log"
 	"time"
-	"git.sr.ht/~adnano/go-gemini"
+	"git.tebibyte.media/sashakoshka/go-gemini"
 	"git.tebibyte.media/sashakoshka/go-gemini/certificate"
 )
 type User struct {
@ -24,26 +24,24 @@ var (
 )
 func main() {
-	var mux gemini.ServeMux
+	certificates := &certificate.Store{}
 	certificates.Register("localhost")
 	if err := certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
 	mux := &gemini.Mux{}
 	mux.HandleFunc("/", profile)
 	mux.HandleFunc("/username", changeUsername)
-	var server gemini.Server
+	server := &gemini.Server{
-	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
+		Handler:        mux,
-		log.Fatal(err)
+		ReadTimeout:    30 * time.Second,
 		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
 	}
 	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
 		return gemini.CreateCertificate(gemini.CertificateOptions{
 			Subject: pkix.Name{
 				CommonName: hostname,
 			},
 			DNSNames: []string{hostname},
 			Duration: time.Hour,
 		})
 	}
 	server.Register("localhost", &mux)
-	if err := server.ListenAndServe(); err != nil {
+	if err := server.ListenAndServe(context.Background()); err != nil {
 		log.Fatal(err)
 	}
 }
@ -53,12 +51,13 @@ func fingerprint(cert *x509.Certificate) string {
 	return string(b[:])
 }
-func profile(w *gemini.ResponseWriter, r *gemini.Request) {
+func profile(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
+	tls := r.TLS
-		w.WriteStatus(gemini.StatusCertificateRequired)
+	if len(tls.PeerCertificates) == 0 {
 		w.WriteHeader(gemini.StatusCertificateRequired, "Certificate required")
 		return
 	}
-	fingerprint := fingerprint(r.Certificate.Leaf)
+	fingerprint := fingerprint(tls.PeerCertificates[0])
 	user, ok := users[fingerprint]
 	if !ok {
 		user = &User{}
@ -68,9 +67,10 @@ func profile(w *gemini.ResponseWriter, r *gemini.Request) {
 	fmt.Fprintln(w, "=> /username Change username")
 }
-func changeUsername(w *gemini.ResponseWriter, r *gemini.Request) {
+func changeUsername(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
+	tls := r.TLS
-		w.WriteStatus(gemini.StatusCertificateRequired)
+	if len(tls.PeerCertificates) == 0 {
 		w.WriteHeader(gemini.StatusCertificateRequired, "Certificate required")
 		return
 	}
@ -79,7 +79,7 @@ func changeUsername(w *gemini.ResponseWriter, r *gemini.Request) {
 		w.WriteHeader(gemini.StatusInput, "Username")
 		return
 	}
-	fingerprint := fingerprint(r.Certificate.Leaf)
+	fingerprint := fingerprint(tls.PeerCertificates[0])
 	user, ok := users[fingerprint]
 	if !ok {
 		user = &User{}
--- a/examples/cert.go
+++ b/examples/cert.go
@ -11,7 +11,7 @@ import (
 	"os"
 	"time"
-	"git.sr.ht/~adnano/go-gemini"
+	"git.tebibyte.media/sashakoshka/go-gemini/certificate"
 )
 func main() {
@ -24,20 +24,20 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	options := gemini.CertificateOptions{
+	options := certificate.CreateOptions{
 		Subject: pkix.Name{
 			CommonName: host,
 		},
 		DNSNames: []string{host},
 		Duration: duration,
 	}
-	cert, err := gemini.CreateCertificate(options)
+	cert, err := certificate.Create(options)
 	if err != nil {
 		log.Fatal(err)
 	}
 	certPath := host + ".crt"
 	keyPath := host + ".key"
-	if err := gemini.WriteCertificate(cert, certPath, keyPath); err != nil {
+	if err := certificate.Write(cert, certPath, keyPath); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/examples/client.go
+++ b/examples/client.go
@ -6,32 +6,44 @@ package main
 import (
 	"bufio"
 	"context"
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
 	"net/url"
 	"os"
 	"path/filepath"
 	"time"
-	"git.sr.ht/~adnano/go-gemini"
+	"git.tebibyte.media/sashakoshka/go-gemini"
-	"git.sr.ht/~adnano/go-gemini/tofu"
+	"git.tebibyte.media/sashakoshka/go-gemini/tofu"
 	"git.sr.ht/~adnano/go-xdg"
 )
 var (
-	hosts   tofu.KnownHostsFile
+	hosts     tofu.KnownHosts
-	scanner *bufio.Scanner
+	hostsfile *tofu.HostWriter
 	scanner   *bufio.Scanner
 )
 func xdgDataHome() string {
 	if s, ok := os.LookupEnv("XDG_DATA_HOME"); ok {
 		return s
 	}
 	return filepath.Join(os.Getenv("HOME"), ".local", "share")
 }
 func init() {
 	// Load known hosts file
-	path := filepath.Join(xdg.DataHome(), "gemini", "known_hosts")
+	path := filepath.Join(xdgDataHome(), "gemini", "known_hosts")
 	err := hosts.Load(path)
 	if err != nil {
-		log.Println(err)
+		log.Fatal(err)
 	}
 	hostsfile, err = tofu.OpenHostsFile(path)
 	if err != nil {
 		log.Fatal(err)
 	}
 	scanner = bufio.NewScanner(os.Stdin)
@ -47,32 +59,32 @@ Otherwise, this should be safe to trust.
 => `
 func trustCertificate(hostname string, cert *x509.Certificate) error {
-	fingerprint := tofu.NewFingerprint(cert.Raw, cert.NotAfter)
+	host := tofu.NewHost(hostname, cert.Raw)
 	knownHost, ok := hosts.Lookup(hostname)
-	if ok && time.Now().Before(knownHost.Expires) {
+	if ok {
 		// Check fingerprint
-		if knownHost.Hex == fingerprint.Hex {
+		if knownHost.Fingerprint != host.Fingerprint {
-			return nil
+			return errors.New("error: fingerprint does not match!")
 		}
-		return errors.New("error: fingerprint does not match!")
+		return nil
 	}
-	fmt.Printf(trustPrompt, hostname, fingerprint.Hex)
+	fmt.Printf(trustPrompt, hostname, host.Fingerprint)
 	scanner.Scan()
 	switch scanner.Text() {
 	case "t":
-		hosts.Add(hostname, fingerprint)
+		hosts.Add(host)
-		hosts.Write(hostname, fingerprint)
+		hostsfile.WriteHost(host)
 		return nil
 	case "o":
-		hosts.Add(hostname, fingerprint)
+		hosts.Add(host)
 		return nil
 	default:
 		return errors.New("certificate not trusted")
 	}
 }
-func getInput(prompt string, sensitive bool) (input string, ok bool) {
+func getInput(prompt string) (input string, ok bool) {
 	fmt.Printf("%s ", prompt)
 	scanner.Scan()
 	return scanner.Text(), true
@ -82,14 +94,15 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 	client := gemini.Client{
 		TrustCertificate: trustCertificate,
 	}
-	resp, err := client.Do(req)
+	ctx := context.Background()
 	resp, err := client.Do(ctx, req)
 	if err != nil {
 		return resp, err
 	}
 	switch resp.Status.Class() {
-	case gemini.StatusClassInput:
+	case gemini.StatusInput:
-		input, ok := getInput(resp.Meta, resp.Status == gemini.StatusSensitiveInput)
+		input, ok := getInput(resp.Meta)
 		if !ok {
 			break
 		}
@ -97,7 +110,7 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 		req.URL.RawQuery = gemini.QueryEscape(input)
 		return do(req, via)
-	case gemini.StatusClassRedirect:
+	case gemini.StatusRedirect:
 		via = append(via, req)
 		if len(via) > 5 {
 			return resp, errors.New("too many redirects")
@ -137,15 +150,14 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
 	defer resp.Body.Close()
 	// Handle response
-	if resp.Status.Class() == gemini.StatusClassSuccess {
+	if resp.Status.Class() == gemini.StatusSuccess {
-		defer resp.Body.Close()
+		_, err := io.Copy(os.Stdout, resp.Body)
 		body, err := ioutil.ReadAll(resp.Body)
 		if err != nil {
 			log.Fatal(err)
 		}
 		fmt.Print(string(body))
 	} else {
 		fmt.Printf("%d %s\n", resp.Status, resp.Meta)
 		os.Exit(1)
--- a/examples/html.go
+++ b/examples/html.go
@ -10,7 +10,7 @@ import (
 	"io"
 	"os"
-	"git.sr.ht/~adnano/go-gemini"
+	"git.tebibyte.media/sashakoshka/go-gemini"
 )
 func main() {
--- a/examples/server.go
+++ b/examples/server.go
@ -5,36 +5,54 @@
 package main
 import (
-	"crypto/tls"
+	"context"
 	"crypto/x509/pkix"
 	"log"
 	"os"
 	"os/signal"
 	"time"
-	"git.sr.ht/~adnano/go-gemini"
+	"git.tebibyte.media/sashakoshka/go-gemini"
 	"git.tebibyte.media/sashakoshka/go-gemini/certificate"
 )
 func main() {
-	var server gemini.Server
+	certificates := &certificate.Store{}
-	server.ReadTimeout = 30 * time.Second
+	certificates.Register("localhost")
-	server.WriteTimeout = 1 * time.Minute
+	if err := certificates.Load("/var/lib/gemini/certs"); err != nil {
 	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
-	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
+
-		return gemini.CreateCertificate(gemini.CertificateOptions{
+	mux := &gemini.Mux{}
-			Subject: pkix.Name{
+	mux.Handle("/", gemini.FileServer(os.DirFS("/var/www")))
-				CommonName: hostname,
+
-			},
+	server := &gemini.Server{
-			DNSNames: []string{hostname},
+		Handler:        gemini.LoggingMiddleware(mux),
-			Duration: 365 * 24 * time.Hour,
+		ReadTimeout:    30 * time.Second,
-		})
+		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
 	}
-	var mux gemini.ServeMux
+	// Listen for interrupt signal
-	mux.Handle("/", gemini.FileServer(gemini.Dir("/var/www")))
+	c := make(chan os.Signal, 1)
 	signal.Notify(c, os.Interrupt)
-	server.Register("localhost", &mux)
+	errch := make(chan error)
-	if err := server.ListenAndServe(); err != nil {
+	go func() {
 		ctx := context.Background()
 		errch <- server.ListenAndServe(ctx)
 	}()
 	select {
 	case err := <-errch:
 		log.Fatal(err)
 	case <-c:
 		// Shutdown the server
 		log.Println("Shutting down...")
 		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		defer cancel()
 		err := server.Shutdown(ctx)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}
 }
--- a/examples/stream.go
+++ b/examples/stream.go
@ -6,65 +6,49 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509/pkix"
 	"fmt"
 	"log"
 	"time"
-	"git.sr.ht/~adnano/go-gemini"
+	"git.tebibyte.media/sashakoshka/go-gemini"
 	"git.tebibyte.media/sashakoshka/go-gemini/certificate"
 )
 func main() {
-	var server gemini.Server
+	certificates := &certificate.Store{}
-	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
+	certificates.Register("localhost")
 	if err := certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
-	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
+
-		return gemini.CreateCertificate(gemini.CertificateOptions{
+	mux := &gemini.Mux{}
-			Subject: pkix.Name{
+	mux.HandleFunc("/", stream)
-				CommonName: hostname,
+
-			},
+	server := &gemini.Server{
-			DNSNames: []string{hostname},
+		Handler:        mux,
-			Duration: 365 * 24 * time.Hour,
+		ReadTimeout:    30 * time.Second,
-		})
+		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
 	}
-	server.RegisterFunc("localhost", stream)
+	ctx := context.Background()
-	if err := server.ListenAndServe(); err != nil {
+	if err := server.ListenAndServe(ctx); err != nil {
 		log.Fatal(err)
 	}
 }
 // stream writes an infinite stream to w.
-func stream(w *gemini.ResponseWriter, r *gemini.Request) {
+func stream(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 	ch := make(chan string)
 	ctx, cancel := context.WithCancel(context.Background())
 	go func(ctx context.Context) {
 		for {
 			select {
 			case <-ctx.Done():
 				return
 			default:
 				ch <- fmt.Sprint(time.Now().UTC())
 			}
 			time.Sleep(time.Second)
 		}
 		// Close channel when finished.
 		// In this example this will never be reached.
 		close(ch)
 	}(ctx)
 	for {
-		s, ok := <-ch
+		select {
-		if !ok {
+		case <-ctx.Done():
-			break
+			return
 		default:
 		}
-		fmt.Fprintln(w, s)
+		fmt.Fprintln(w, time.Now().UTC())
 		if err := w.Flush(); err != nil {
 			cancel()
 			return
 		}
 		time.Sleep(time.Second)
 	}
 }
--- a/fs.go
+++ b/fs.go
@ -1,111 +1,186 @@
 // +build go1.16
 package gemini
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"mime"
-	"os"
+	"net/url"
 	"path"
 	"sort"
 	"strings"
 )
-func init() {
+// FileServer returns a handler that serves Gemini requests with the contents
-	// Add Gemini mime types
+// of the provided file system.
-	if err := mime.AddExtensionType(".gmi", "text/gemini"); err != nil {
+//
-		panic(fmt.Errorf("failed to register .gmi extension mimetype: %w", err))
+// To use the operating system's file system implementation, use os.DirFS:
-	}
+//
-
+//     gemini.FileServer(os.DirFS("/tmp"))
-	if err := mime.AddExtensionType(".gemini", "text/gemini"); err != nil {
+func FileServer(fsys fs.FS) Handler {
-		panic(fmt.Errorf("failed to register .gemini extension mimetype: %w", err))
+	return fileServer{fsys}
 	}
 }
-// FileServer takes a filesystem and returns a Responder which uses that filesystem.
+type fileServer struct {
-// The returned Responder sanitizes paths before handling them.
+	fs.FS
 func FileServer(fsys FS) Responder {
 	return fsHandler{fsys}
 }
-type fsHandler struct {
+func (fsys fileServer) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
-	FS
+	const indexPage = "/index.gmi"
 }
-func (fsh fsHandler) Respond(w *ResponseWriter, r *Request) {
+	url := path.Clean(r.URL.Path)
-	p := path.Clean(r.URL.Path)
+
-	f, err := fsh.Open(p)
+	// Redirect .../index.gmi to .../
-	if err != nil {
+	if strings.HasSuffix(url, indexPage) {
-		w.Status(StatusNotFound)
+		w.WriteHeader(StatusPermanentRedirect, strings.TrimSuffix(url, "index.gmi"))
 		return
 	}
-	// Detect mimetype
+
-	ext := path.Ext(p)
+	name := url
 	if name == "/" {
 		name = "."
 	} else {
 		name = strings.TrimPrefix(name, "/")
 	}
 	f, err := fsys.Open(name)
 	if err != nil {
 		w.WriteHeader(toGeminiError(err))
 		return
 	}
 	defer f.Close()
 	stat, err := f.Stat()
 	if err != nil {
 		w.WriteHeader(toGeminiError(err))
 		return
 	}
 	// Redirect to canonical path
 	if len(r.URL.Path) != 0 {
 		if stat.IsDir() {
 			target := url
 			if target != "/" {
 				target += "/"
 			}
 			if len(r.URL.Path) != len(target) || r.URL.Path != target {
 				w.WriteHeader(StatusPermanentRedirect, target)
 				return
 			}
 		} else if r.URL.Path[len(r.URL.Path)-1] == '/' {
 			// Remove trailing slash
 			w.WriteHeader(StatusPermanentRedirect, url)
 			return
 		}
 	}
 	if stat.IsDir() {
 		// Use contents of index.gmi if present
 		name = path.Join(name, indexPage)
 		index, err := fsys.Open(name)
 		if err == nil {
 			defer index.Close()
 			f = index
 		} else {
 			// Failed to find index file
 			dirList(w, f)
 			return
 		}
 	}
 	// Detect mimetype from file extension
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
-	w.Meta(mimetype)
+	w.SetMediaType(mimetype)
-	// Copy file to response writer
+	io.Copy(w, f)
 	_, _ = io.Copy(w, f)
 }
 // TODO: replace with io/fs.FS when available
 type FS interface {
 	Open(name string) (File, error)
 }
 // TODO: replace with io/fs.File when available
 type File interface {
 	Stat() (os.FileInfo, error)
 	Read([]byte) (int, error)
 	Close() error
 }
 // Dir implements FS using the native filesystem restricted to a specific directory.
 type Dir string
 // Open tries to open the file with the given name.
 // If the file is a directory, it tries to open the index file in that directory.
 func (d Dir) Open(name string) (File, error) {
 	p := path.Join(string(d), name)
 	return openFile(p)
 }
 // ServeFile responds to the request with the contents of the named file
-// or directory.
+// or directory. If the provided name is constructed from user input, it
-// TODO: Use io/fs.FS when available.
+// should be sanitized before calling ServeFile.
-func ServeFile(w *ResponseWriter, fs FS, name string) {
+func ServeFile(w ResponseWriter, fsys fs.FS, name string) {
-	f, err := fs.Open(name)
+	const indexPage = "/index.gmi"
 	// Ensure name is relative
 	if name == "/" {
 		name = "."
 	} else {
 		name = strings.TrimLeft(name, "/")
 	}
 	f, err := fsys.Open(name)
 	if err != nil {
-		w.Status(StatusNotFound)
+		w.WriteHeader(toGeminiError(err))
 		return
 	}
-	// Detect mimetype
+	defer f.Close()
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
 	w.Meta(mimetype)
 	// Copy file to response writer
 	_, _ = io.Copy(w, f)
 }
-func openFile(p string) (File, error) {
+	stat, err := f.Stat()
 	f, err := os.OpenFile(p, os.O_RDONLY, 0644)
 	if err != nil {
-		return nil, err
+		w.WriteHeader(toGeminiError(err))
 		return
 	}
-	if stat, err := f.Stat(); err == nil {
+	if stat.IsDir() {
-		if stat.IsDir() {
+		// Use contents of index file if present
-			f, err := os.Open(path.Join(p, "index.gmi"))
+		name = path.Join(name, indexPage)
-			if err != nil {
+		index, err := fsys.Open(name)
-				return nil, err
+		if err == nil {
-			}
+			defer index.Close()
-			stat, err := f.Stat()
+			f = index
-			if err != nil {
+		} else {
-				return nil, err
+			// Failed to find index file
-			}
+			dirList(w, f)
-			if stat.Mode().IsRegular() {
+			return
 				return f, nil
 			}
 			return nil, os.ErrNotExist
 		} else if !stat.Mode().IsRegular() {
 			return nil, os.ErrNotExist
 		}
 	}
-	return f, nil
+
 	// Detect mimetype from file extension
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
 	w.SetMediaType(mimetype)
 	io.Copy(w, f)
 }
 func dirList(w ResponseWriter, f fs.File) {
 	var entries []fs.DirEntry
 	var err error
 	d, ok := f.(fs.ReadDirFile)
 	if ok {
 		entries, err = d.ReadDir(-1)
 	}
 	if !ok || err != nil {
 		w.WriteHeader(StatusTemporaryFailure, "Error reading directory")
 		return
 	}
 	sort.Slice(entries, func(i, j int) bool {
 		return entries[i].Name() < entries[j].Name()
 	})
 	for _, entry := range entries {
 		name := entry.Name()
 		if entry.IsDir() {
 			name += "/"
 		}
 		link := LineLink{
 			Name: name,
 			URL:  "./" + url.PathEscape(name),
 		}
 		fmt.Fprintln(w, link.String())
 	}
 }
 func toGeminiError(err error) (status Status, meta string) {
 	if errors.Is(err, fs.ErrNotExist) {
 		return StatusNotFound, "Not found"
 	}
 	if errors.Is(err, fs.ErrPermission) {
 		return StatusNotFound, "Forbidden"
 	}
 	return StatusTemporaryFailure, "Internal server error"
 }
--- a/gemini.go
+++ b/gemini.go
@ -2,14 +2,33 @@ package gemini
 import (
 	"errors"
 	"mime"
 )
 func init() {
 	// Add Gemini mime types
 	mime.AddExtensionType(".gmi", "text/gemini")
 	mime.AddExtensionType(".gemini", "text/gemini")
 }
 // Errors.
 var (
 	ErrInvalidRequest  = errors.New("gemini: invalid request")
 	ErrInvalidResponse = errors.New("gemini: invalid response")
 	// ErrBodyNotAllowed is returned by ResponseWriter.Write calls
 	// when the response status code does not permit a body.
 	ErrBodyNotAllowed = errors.New("gemini: response status code does not allow body")
 )
 var crlf = []byte("\r\n")
-// Errors.
+func trimCRLF(b []byte) ([]byte, bool) {
-var (
+	// Check for CR
-	ErrInvalidURL      = errors.New("gemini: invalid URL")
+	if len(b) < 2 || b[len(b)-2] != '\r' {
-	ErrInvalidRequest  = errors.New("gemini: invalid request")
+		return nil, false
-	ErrInvalidResponse = errors.New("gemini: invalid response")
+	}
-	ErrBodyNotAllowed  = errors.New("gemini: response body not allowed")
+	// Trim CRLF
-)
+	b = b[:len(b)-2]
 	return b, true
 }
--- a/go.mod
+++ b/go.mod
@ -1,3 +1,5 @@
-module git.sr.ht/~adnano/go-gemini
+module git.tebibyte.media/sashakoshka/go-gemini
 go 1.15
 require golang.org/x/net v0.0.0-20210119194325-5f4716e94777
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,7 @@
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/handler.go
+++ b/handler.go
@ -0,0 +1,158 @@
 package gemini
 import (
 	"bytes"
 	"context"
 	"io"
 	"net/url"
 	"strings"
 	"time"
 )
 // A Handler responds to a Gemini request.
 //
 // ServeGemini should write the response header and data to the ResponseWriter
 // and then return. Returning signals that the request is finished; it is not
 // valid to use the ResponseWriter after or concurrently with the completion
 // of the ServeGemini call.
 //
 // The provided context is canceled when the client's connection is closed
 // or the ServeGemini method returns.
 //
 // Handlers should not modify the provided Request.
 type Handler interface {
 	ServeGemini(context.Context, ResponseWriter, *Request)
 }
 // The HandlerFunc type is an adapter to allow the use of ordinary functions
 // as Gemini handlers. If f is a function with the appropriate signature,
 // HandlerFunc(f) is a Handler that calls f.
 type HandlerFunc func(context.Context, ResponseWriter, *Request)
 // ServeGemini calls f(ctx, w, r).
 func (f HandlerFunc) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	f(ctx, w, r)
 }
 // StatusHandler returns a request handler that responds to each request
 // with the provided status code and meta.
 func StatusHandler(status Status, meta string) Handler {
 	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
 		w.WriteHeader(status, meta)
 	})
 }
 // NotFoundHandler returns a simple request handler that replies to each
 // request with a “51 Not found” reply.
 func NotFoundHandler() Handler {
 	return StatusHandler(StatusNotFound, "Not found")
 }
 // StripPrefix returns a handler that serves Gemini requests by removing the
 // given prefix from the request URL's Path (and RawPath if set) and invoking
 // the handler h. StripPrefix handles a request for a path that doesn't begin
 // with prefix by replying with a Gemini 51 not found error. The prefix must
 // match exactly: if the prefix in the request contains escaped characters the
 // reply is also a Gemini 51 not found error.
 func StripPrefix(prefix string, h Handler) Handler {
 	if prefix == "" {
 		return h
 	}
 	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
 		p := strings.TrimPrefix(r.URL.Path, prefix)
 		rp := strings.TrimPrefix(r.URL.RawPath, prefix)
 		if len(p) < len(r.URL.Path) && (r.URL.RawPath == "" || len(rp) < len(r.URL.RawPath)) {
 			r2 := new(Request)
 			*r2 = *r
 			r2.URL = new(url.URL)
 			*r2.URL = *r.URL
 			r2.URL.Path = p
 			r2.URL.RawPath = rp
 			h.ServeGemini(ctx, w, r2)
 		} else {
 			w.WriteHeader(StatusNotFound, "Not found")
 		}
 	})
 }
 // TimeoutHandler returns a Handler that runs h with the given time limit.
 //
 // The new Handler calls h.ServeGemini to handle each request, but
 // if a call runs for longer than its time limit, the handler responds with a
 // 40 Temporary Failure status code and the given message in its response meta.
 // After such a timeout, writes by h to its ResponseWriter will return
 // context.DeadlineExceeded.
 func TimeoutHandler(h Handler, dt time.Duration, message string) Handler {
 	return &timeoutHandler{
 		h:   h,
 		dt:  dt,
 		msg: message,
 	}
 }
 type timeoutHandler struct {
 	h   Handler
 	dt  time.Duration
 	msg string
 }
 func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	ctx, cancel := context.WithTimeout(ctx, t.dt)
 	defer cancel()
 	buf := &bytes.Buffer{}
 	tw := &timeoutWriter{
 		wr: &contextWriter{
 			ctx:    ctx,
 			cancel: cancel,
 			done:   ctx.Done(),
 			wc:     nopCloser{buf},
 		},
 	}
 	done := make(chan struct{})
 	go func() {
 		t.h.ServeGemini(ctx, tw, r)
 		close(done)
 	}()
 	select {
 	case <-done:
 		w.WriteHeader(tw.status, tw.meta)
 		w.Write(buf.Bytes())
 	case <-ctx.Done():
 		w.WriteHeader(StatusTemporaryFailure, t.msg)
 	}
 }
 type timeoutWriter struct {
 	wr          io.Writer
 	status      Status
 	meta        string
 	mediatype   string
 	wroteHeader bool
 }
 func (w *timeoutWriter) SetMediaType(mediatype string) {
 	w.mediatype = mediatype
 }
 func (w *timeoutWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
 		w.WriteHeader(StatusSuccess, w.mediatype)
 	}
 	return w.wr.Write(b)
 }
 func (w *timeoutWriter) WriteHeader(status Status, meta string) {
 	if w.wroteHeader {
 		return
 	}
 	w.status = status
 	w.meta = meta
 	w.wroteHeader = true
 }
 func (w *timeoutWriter) Flush() error {
 	return nil
 }
--- a/io.go
+++ b/io.go
@ -0,0 +1,76 @@
 package gemini
 import (
 	"context"
 	"io"
 )
 type contextReader struct {
 	ctx    context.Context
 	done   <-chan struct{}
 	cancel func()
 	rc     io.ReadCloser
 }
 func (r *contextReader) Read(p []byte) (int, error) {
 	select {
 	case <-r.done:
 		r.rc.Close()
 		return 0, r.ctx.Err()
 	default:
 	}
 	n, err := r.rc.Read(p)
 	if err != nil {
 		r.cancel()
 	}
 	return n, err
 }
 func (r *contextReader) Close() error {
 	r.cancel()
 	return r.rc.Close()
 }
 type contextWriter struct {
 	ctx    context.Context
 	done   <-chan struct{}
 	cancel func()
 	wc     io.WriteCloser
 }
 func (w *contextWriter) Write(b []byte) (int, error) {
 	select {
 	case <-w.done:
 		w.wc.Close()
 		return 0, w.ctx.Err()
 	default:
 	}
 	n, err := w.wc.Write(b)
 	if err != nil {
 		w.cancel()
 	}
 	return n, err
 }
 func (w *contextWriter) Close() error {
 	w.cancel()
 	return w.wc.Close()
 }
 type nopCloser struct {
 	io.Writer
 }
 func (nopCloser) Close() error {
 	return nil
 }
 type nopReadCloser struct{}
 func (nopReadCloser) Read(p []byte) (int, error) {
 	return 0, io.EOF
 }
 func (nopReadCloser) Close() error {
 	return nil
 }
--- a/middleware.go
+++ b/middleware.go
@ -0,0 +1,58 @@
 package gemini
 import (
 	"context"
 	"log"
 )
 // LoggingMiddleware returns a handler that wraps h and logs Gemini requests
 // and their responses to the log package's standard logger.
 // Requests are logged with the format "gemini: {host} {URL} {status code} {bytes written}".
 func LoggingMiddleware(h Handler) Handler {
 	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
 		lw := &logResponseWriter{rw: w}
 		h.ServeGemini(ctx, lw, r)
 		host := r.ServerName()
 		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.Status, lw.Wrote)
 	})
 }
 type logResponseWriter struct {
 	Status      Status
 	Wrote       int
 	rw          ResponseWriter
 	mediatype   string
 	wroteHeader bool
 }
 func (w *logResponseWriter) SetMediaType(mediatype string) {
 	w.mediatype = mediatype
 }
 func (w *logResponseWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
 		meta := w.mediatype
 		if meta == "" {
 			// Use default media type
 			meta = defaultMediaType
 		}
 		w.WriteHeader(StatusSuccess, meta)
 	}
 	n, err := w.rw.Write(b)
 	w.Wrote += n
 	return n, err
 }
 func (w *logResponseWriter) WriteHeader(status Status, meta string) {
 	if w.wroteHeader {
 		return
 	}
 	w.wroteHeader = true
 	w.Status = status
 	w.Wrote += len(meta) + 5
 	w.rw.WriteHeader(status, meta)
 }
 func (w *logResponseWriter) Flush() error {
 	return nil
 }
--- a/mux.go
+++ b/mux.go
@ -1,6 +1,12 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE-GO file.
 package gemini
 import (
 	"context"
 	"net"
 	"net/url"
 	"path"
 	"sort"
@ -8,13 +14,7 @@ import (
 	"sync"
 )
-// The following code is modified from the net/http package.
+// Mux is a Gemini request multiplexer.
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // ServeMux is a Gemini request multiplexer.
 // It matches the URL of each incoming request against a list of registered
 // patterns and calls the handler for the pattern that
 // most closely matches the URL.
@ -32,26 +32,42 @@ import (
 // the pattern "/" matches all paths not matched by other registered
 // patterns, not just the URL with Path == "/".
 //
 // Patterns may optionally begin with a host name, restricting matches to
 // URLs on that host only. Host-specific patterns take precedence over
 // general patterns, so that a handler might register for the two patterns
 // "/search" and "search.example.com/" without also taking over requests
 // for "gemini://example.com/".
 //
 // Wildcard patterns can be used to match multiple hostnames. For example,
 // the pattern "*.example.com" will match requests for "blog.example.com"
 // and "gemini.example.com", but not "example.org".
 //
 // If a subtree has been registered and a request is received naming the
-// subtree root without its trailing slash, ServeMux redirects that
+// subtree root without its trailing slash, Mux redirects that
 // request to the subtree root (adding the trailing slash). This behavior can
 // be overridden with a separate registration for the path without
-// the trailing slash. For example, registering "/images/" causes ServeMux
+// the trailing slash. For example, registering "/images/" causes Mux
 // to redirect a request for "/images" to "/images/", unless "/images" has
 // been registered separately.
 //
-// ServeMux also takes care of sanitizing the URL request path and
+// Mux also takes care of sanitizing the URL request path and
 // redirecting any request containing . or .. elements or repeated slashes
 // to an equivalent, cleaner URL.
-type ServeMux struct {
+type Mux struct {
 	mu sync.RWMutex
-	m  map[string]muxEntry
+	m  map[hostpath]Handler
-	es []muxEntry // slice of entries sorted from longest to shortest.
+	es []muxEntry // slice of entries sorted from longest to shortest
 }
 type hostpath struct {
 	host string
 	path string
 }
 type muxEntry struct {
-	r       Responder
+	handler Handler
-	pattern string
+	host    string
 	path    string
 }
 // cleanPath returns the canonical path for p, eliminating . and .. elements.
@ -78,18 +94,18 @@ func cleanPath(p string) string {
 // Find a handler on a handler map given a path string.
 // Most-specific (longest) pattern wins.
-func (mux *ServeMux) match(path string) Responder {
+func (mux *Mux) match(host, path string) Handler {
 	// Check for exact match first.
-	v, ok := mux.m[path]
+	if h, ok := mux.m[hostpath{host, path}]; ok {
-	if ok {
+		return h
 		return v.r
 	}
 	// Check for longest valid match.  mux.es contains all patterns
 	// that end in / sorted from longest to shortest.
 	for _, e := range mux.es {
-		if strings.HasPrefix(path, e.pattern) {
+		if len(e.host) == len(host) && e.host == host &&
-			return e.r
+			strings.HasPrefix(path, e.path) {
 			return e.handler
 		}
 	}
 	return nil
@ -99,23 +115,21 @@ func (mux *ServeMux) match(path string) Responder {
 // This occurs when a handler for path + "/" was already registered, but
 // not for path itself. If the path needs appending to, it creates a new
 // URL, setting the path to u.Path + "/" and returning true to indicate so.
-func (mux *ServeMux) redirectToPathSlash(path string, u *url.URL) (*url.URL, bool) {
+func (mux *Mux) redirectToPathSlash(host, path string, u *url.URL) (*url.URL, bool) {
 	mux.mu.RLock()
-	shouldRedirect := mux.shouldRedirectRLocked(path)
+	shouldRedirect := mux.shouldRedirectRLocked(host, path)
 	mux.mu.RUnlock()
 	if !shouldRedirect {
 		return u, false
 	}
-	path = path + "/"
+	return u.ResolveReference(&url.URL{Path: path + "/"}), true
 	u = &url.URL{Path: path, RawQuery: u.RawQuery}
 	return u, true
 }
 // shouldRedirectRLocked reports whether the given path and host should be redirected to
 // path+"/". This should happen if a handler is registered for path+"/" but
-// not path -- see comments at ServeMux.
+// not path -- see comments at Mux.
-func (mux *ServeMux) shouldRedirectRLocked(path string) bool {
+func (mux *Mux) shouldRedirectRLocked(host, path string) bool {
-	if _, exist := mux.m[path]; exist {
+	if _, exist := mux.m[hostpath{host, path}]; exist {
 		return false
 	}
@ -123,65 +137,125 @@ func (mux *ServeMux) shouldRedirectRLocked(path string) bool {
 	if n == 0 {
 		return false
 	}
-	if _, exist := mux.m[path+"/"]; exist {
+	if _, exist := mux.m[hostpath{host, path + "/"}]; exist {
 		return path[n-1] != '/'
 	}
 	return false
 }
-// Respond dispatches the request to the responder whose
+func getWildcard(hostname string) (string, bool) {
-// pattern most closely matches the request URL.
+	if net.ParseIP(hostname) == nil {
-func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {
+		split := strings.SplitN(hostname, ".", 2)
 		if len(split) == 2 {
 			return "*." + split[1], true
 		}
 	}
 	return "", false
 }
 // Handler returns the handler to use for the given request, consulting
 // r.URL.Scheme, r.URL.Host, and r.URL.Path. It always returns a non-nil handler. If
 // the path is not in its canonical form, the handler will be an
 // internally-generated handler that redirects to the canonical path. If the
 // host contains a port, it is ignored when matching handlers.
 func (mux *Mux) Handler(r *Request) Handler {
 	// Disallow non-Gemini schemes
 	if r.URL.Scheme != "gemini" {
 		return NotFoundHandler()
 	}
 	host := r.URL.Hostname()
 	path := cleanPath(r.URL.Path)
 	// If the given path is /tree and its handler is not registered,
 	// redirect for /tree/.
-	if u, ok := mux.redirectToPathSlash(path, r.URL); ok {
+	if u, ok := mux.redirectToPathSlash(host, path, r.URL); ok {
-		w.Header(StatusRedirect, u.String())
+		return StatusHandler(StatusPermanentRedirect, u.String())
 		return
 	}
 	if path != r.URL.Path {
 		u := *r.URL
 		u.Path = path
-		w.Header(StatusRedirect, u.String())
+		return StatusHandler(StatusPermanentRedirect, u.String())
 		return
 	}
 	mux.mu.RLock()
 	defer mux.mu.RUnlock()
-	resp := mux.match(path)
+	h := mux.match(host, path)
-	if resp == nil {
+
-		w.Status(StatusNotFound)
+	if h == nil {
-		return
+		// Try wildcard
 		if wildcard, ok := getWildcard(host); ok {
 			if u, ok := mux.redirectToPathSlash(wildcard, path, r.URL); ok {
 				return StatusHandler(StatusPermanentRedirect, u.String())
 			}
 			h = mux.match(wildcard, path)
 		}
 	}
-	resp.Respond(w, r)
+
 	if h == nil {
 		// Try empty host
 		if u, ok := mux.redirectToPathSlash("", path, r.URL); ok {
 			return StatusHandler(StatusPermanentRedirect, u.String())
 		}
 		h = mux.match("", path)
 	}
 	if h == nil {
 		h = NotFoundHandler()
 	}
 	return h
 }
-// Handle registers the responder for the given pattern.
+// ServeGemini dispatches the request to the handler whose
-// If a responder already exists for pattern, Handle panics.
+// pattern most closely matches the request URL.
-func (mux *ServeMux) Handle(pattern string, responder Responder) {
+func (mux *Mux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
-	mux.mu.Lock()
+	h := mux.Handler(r)
-	defer mux.mu.Unlock()
+	h.ServeGemini(ctx, w, r)
 }
 // Handle registers the handler for the given pattern.
 // If a handler already exists for pattern, Handle panics.
 func (mux *Mux) Handle(pattern string, handler Handler) {
 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
-	if responder == nil {
+	if handler == nil {
-		panic("gemini: nil responder")
+		panic("gemini: nil handler")
 	}
-	if _, exist := mux.m[pattern]; exist {
+
 	mux.mu.Lock()
 	defer mux.mu.Unlock()
 	var host, path string
 	// extract hostname and path
 	cut := strings.Index(pattern, "/")
 	if cut == -1 {
 		host = pattern
 		path = "/"
 	} else {
 		host = pattern[:cut]
 		path = pattern[cut:]
 	}
 	// strip port from hostname
 	if hostname, _, err := net.SplitHostPort(host); err == nil {
 		host = hostname
 	}
 	if _, exist := mux.m[hostpath{host, path}]; exist {
 		panic("gemini: multiple registrations for " + pattern)
 	}
 	if mux.m == nil {
-		mux.m = make(map[string]muxEntry)
+		mux.m = make(map[hostpath]Handler)
 	}
-	e := muxEntry{responder, pattern}
+	mux.m[hostpath{host, path}] = handler
-	mux.m[pattern] = e
+	e := muxEntry{handler, host, path}
-	if pattern[len(pattern)-1] == '/' {
+	if path[len(path)-1] == '/' {
 		mux.es = appendSorted(mux.es, e)
 	}
 }
@ -189,7 +263,7 @@ func (mux *ServeMux) Handle(pattern string, responder Responder) {
 func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 	n := len(es)
 	i := sort.Search(n, func(i int) bool {
-		return len(es[i].pattern) < len(e.pattern)
+		return len(es[i].path) < len(e.path)
 	})
 	if i == n {
 		return append(es, e)
@ -201,10 +275,7 @@ func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 	return es
 }
-// HandleFunc registers the responder function for the given pattern.
+// HandleFunc registers the handler function for the given pattern.
-func (mux *ServeMux) HandleFunc(pattern string, responder func(*ResponseWriter, *Request)) {
+func (mux *Mux) HandleFunc(pattern string, handler HandlerFunc) {
-	if responder == nil {
+	mux.Handle(pattern, handler)
 		panic("gemini: nil responder")
 	}
 	mux.Handle(pattern, ResponderFunc(responder))
 }
--- a/mux_test.go
+++ b/mux_test.go
@ -0,0 +1,356 @@
 package gemini
 import (
 	"context"
 	"io"
 	"net/url"
 	"testing"
 )
 type nopHandler struct{}
 func (*nopHandler) ServeGemini(context.Context, ResponseWriter, *Request) {}
 type nopResponseWriter struct {
 	Status Status
 	Meta   string
 }
 func (w *nopResponseWriter) WriteHeader(status Status, meta string) {
 	w.Status = status
 	w.Meta = meta
 }
 func (nopResponseWriter) SetMediaType(mediatype string) {}
 func (nopResponseWriter) Write(b []byte) (int, error)   { return 0, io.EOF }
 func (nopResponseWriter) Flush() error                  { return nil }
 func TestMux(t *testing.T) {
 	type Test struct {
 		URL      string
 		Pattern  string
 		Redirect string
 		NotFound bool
 	}
 	tests := []struct {
 		Patterns []string
 		Tests    []Test
 	}{
 		{
 			Patterns: []string{"/a", "/b/", "/b/c/d", "/b/c/d/"},
 			Tests: []Test{
 				{
 					URL:      "gemini://example.com",
 					Redirect: "gemini://example.com/",
 				},
 				{
 					URL:      "gemini://example.com/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://example.com/c",
 					NotFound: true,
 				},
 				{
 					URL:     "gemini://example.com/a",
 					Pattern: "/a",
 				},
 				{
 					URL:      "gemini://example.com/a/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://example.com/b",
 					Redirect: "gemini://example.com/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/",
 					Pattern: "/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/c",
 					Pattern: "/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/c/d",
 					Pattern: "/b/c/d",
 				},
 				{
 					URL:     "gemini://example.com/b/c/d/e/",
 					Pattern: "/b/c/d/",
 				},
 			},
 		},
 		{
 			Patterns: []string{
 				"/", "/a", "/b/",
 				"example.com", "example.com/a", "example.com/b/",
 				"*.example.com", "*.example.com/a", "*.example.com/b/",
 			},
 			Tests: []Test{
 				{
 					URL:     "gemini://example.net/",
 					Pattern: "/",
 				},
 				{
 					URL:     "gemini://example.net/a",
 					Pattern: "/a",
 				},
 				{
 					URL:      "gemini://example.net/b",
 					Redirect: "gemini://example.net/b/",
 				},
 				{
 					URL:     "gemini://example.net/b/",
 					Pattern: "/b/",
 				},
 				{
 					URL:     "gemini://example.com/",
 					Pattern: "example.com",
 				},
 				{
 					URL:      "gemini://example.com/b",
 					Redirect: "gemini://example.com/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/",
 					Pattern: "example.com/b/",
 				},
 				{
 					URL:     "gemini://a.example.com/",
 					Pattern: "*.example.com",
 				},
 				{
 					URL:     "gemini://b.example.com/a",
 					Pattern: "*.example.com/a",
 				},
 				{
 					URL:      "gemini://c.example.com/b",
 					Redirect: "gemini://c.example.com/b/",
 				},
 				{
 					URL:     "gemini://d.example.com/b/",
 					Pattern: "*.example.com/b/",
 				},
 			},
 		},
 		{
 			Patterns: []string{"example.net", "*.example.org"},
 			Tests: []Test{
 				{
 					// The following redirect occurs as a result of cleaning
 					// the path provided to the Mux. This happens even if there
 					// are no matching handlers.
 					URL:      "gemini://example.com",
 					Redirect: "gemini://example.com/",
 				},
 				{
 					URL:      "gemini://example.com/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://example.net",
 					Redirect: "gemini://example.net/",
 				},
 				{
 					URL:      "gemini://example.org/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://gemini.example.org",
 					Redirect: "gemini://gemini.example.org/",
 				},
 			},
 		},
 	}
 	for _, test := range tests {
 		type handler struct {
 			nopHandler
 			Pattern string
 		}
 		mux := &Mux{}
 		for _, pattern := range test.Patterns {
 			mux.Handle(pattern, &handler{
 				Pattern: pattern,
 			})
 		}
 		for _, test := range test.Tests {
 			u, err := url.Parse(test.URL)
 			if err != nil {
 				panic(err)
 			}
 			req := &Request{URL: u}
 			h := mux.Handler(req)
 			if h, ok := h.(*handler); ok {
 				if h.Pattern != test.Pattern {
 					t.Errorf("wrong pattern for %q: expected %q, got %q", test.URL, test.Pattern, h.Pattern)
 				}
 				continue
 			}
 			// Check redirects and NotFounds
 			w := &nopResponseWriter{}
 			h.ServeGemini(context.Background(), w, req)
 			switch w.Status {
 			case StatusNotFound:
 				if !test.NotFound {
 					t.Errorf("expected pattern for %q, got NotFound", test.URL)
 				}
 			case StatusPermanentRedirect:
 				if test.Redirect == "" {
 					t.Errorf("expected pattern for %q, got redirect to %q", test.URL, w.Meta)
 					break
 				}
 				res, err := url.Parse(test.Redirect)
 				if err != nil {
 					panic(err)
 				}
 				if w.Meta != res.String() {
 					t.Errorf("bad redirect for %q: expected %q, got %q", test.URL, res.String(), w.Meta)
 				}
 			default:
 				t.Errorf("unexpected response for %q: %d %s", test.URL, w.Status, w.Meta)
 			}
 		}
 	}
 }
 func TestMuxMatch(t *testing.T) {
 	type Match struct {
 		URL string
 		Ok  bool
 	}
 	tests := []struct {
 		Pattern string
 		Matches []Match
 	}{
 		{
 			// hostname: *, path: /*
 			Pattern: "/",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", true},
 				{"gemini://example.com/path.gmi", true},
 				{"gemini://example.com/path/", true},
 				{"gemini://example.org/path", true},
 				{"http://example.com/path", false},
 				{"http://example.org/path", false},
 			},
 		},
 		{
 			// hostname: *, path: /path
 			Pattern: "/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", false},
 				{"gemini://example.com/path.gmi", false},
 				{"gemini://example.com/path/", false},
 				{"gemini://example.org/path", true},
 				{"http://example.com/path", false},
 				{"http://example.org/path", false},
 			},
 		},
 		{
 			// hostname: *, path: /subtree/*
 			Pattern: "/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
 				{"gemini://example.com/subtree/nested/", true},
 				{"gemini://example.com/subtree/nested/file", true},
 				{"gemini://example.org/subtree/", true},
 				{"gemini://example.org/subtree/nested/", true},
 				{"gemini://example.org/subtree/nested/file", true},
 				{"gemini://example.com/subtree", false},
 				{"gemini://www.example.com/subtree/", true},
 				{"http://example.com/subtree/", false},
 			},
 		},
 		{
 			// hostname: example.com, path: /*
 			Pattern: "example.com",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", true},
 				{"gemini://example.com/path.gmi", true},
 				{"gemini://example.com/path/", true},
 				{"gemini://example.org/path", false},
 				{"http://example.com/path", false},
 				{"http://example.org/path", false},
 			},
 		},
 		{
 			// hostname: example.com, path: /path
 			Pattern: "example.com/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", false},
 				{"gemini://example.com/path.gmi", false},
 				{"gemini://example.com/path/", false},
 				{"gemini://example.org/path", false},
 				{"http://example.com/path", false},
 				{"http://example.org/path", false},
 			},
 		},
 		{
 			// hostname: example.com, path: /subtree/*
 			Pattern: "example.com/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
 				{"gemini://example.com/subtree/nested/", true},
 				{"gemini://example.com/subtree/nested/file", true},
 				{"gemini://example.org/subtree/", false},
 				{"gemini://example.org/subtree/nested/", false},
 				{"gemini://example.org/subtree/nested/file", false},
 				{"gemini://example.com/subtree", false},
 				{"gemini://www.example.com/subtree/", false},
 				{"http://example.com/subtree/", false},
 			},
 		},
 		{
 			// scheme: gemini, hostname: *.example.com, path: /*
 			Pattern: "*.example.com",
 			Matches: []Match{
 				{"gemini://mail.example.com/", true},
 				{"gemini://www.example.com/index.gmi", true},
 				{"gemini://example.com/", false},
 				{"gemini://a.b.example.com/", false},
 				{"http://www.example.com/", false},
 			},
 		},
 	}
 	for _, test := range tests {
 		h := &nopHandler{}
 		var mux Mux
 		mux.Handle(test.Pattern, h)
 		for _, match := range test.Matches {
 			u, err := url.Parse(match.URL)
 			if err != nil {
 				panic(err)
 			}
 			got := mux.Handler(&Request{URL: u})
 			if match.Ok {
 				if h != got {
 					t.Errorf("expected %s to match %s", test.Pattern, match.URL)
 				}
 			} else {
 				if h == got {
 					t.Errorf("expected %s not to match %s", test.Pattern, match.URL)
 				}
 			}
 		}
 	}
 }
--- a/query.go
+++ b/query.go
@ -12,7 +12,8 @@ func QueryEscape(query string) string {
 	return strings.ReplaceAll(url.PathEscape(query), "+", "%2B")
 }
-// QueryUnescape is identical to url.PathUnescape.
+// QueryUnescape unescapes a Gemini URL query.
 // It is identical to url.PathUnescape.
 func QueryUnescape(query string) (string, error) {
 	return url.PathUnescape(query)
 }
--- a/request.go
+++ b/request.go
@ -2,115 +2,106 @@ package gemini
 import (
 	"bufio"
 	"context"
 	"crypto/tls"
 	"io"
 	"net"
 	"net/url"
 )
-// Request represents a Gemini request.
+// A Request represents a Gemini request received by a server or to be sent
 // by a client.
 type Request struct {
 	// URL specifies the URL being requested.
 	URL *url.URL
-	// For client requests, Host specifies the host on which the URL is sought.
+	// For client requests, Host optionally specifies the server to
-	// Host must contain a port.
+	// connect to. It may be of the form "host" or "host:port".
-	//
+	// If empty, the value of URL.Host is used.
-	// This field is ignored by the server.
+	// For international domain names, Host may be in Punycode or
 	// Unicode form. Use golang.org/x/net/idna to convert it to
 	// either format if needed.
 	// This field is ignored by the Gemini server.
 	Host string
-	// Certificate specifies the TLS certificate to use for the request.
+	// For client requests, Certificate optionally specifies the
-	//
+	// TLS certificate to present to the other side of the connection.
-	// On the server side, if the client provided a certificate then
+	// This field is ignored by the Gemini server.
 	// Certificate.Leaf is guaranteed to be non-nil.
 	Certificate *tls.Certificate
-	// RemoteAddr allows servers and other software to record the network
+	TLS *tls.ConnectionState
 	// address that sent the request.
 	//
 	// This field is ignored by the client.
 	RemoteAddr net.Addr
 	// TLS allows servers and other software to record information about the TLS
 	// connection on which the request was received.
 	//
 	// This field is ignored by the client.
 	TLS tls.ConnectionState
 	// Context specifies the context to use for client requests.
 	// If Context is nil, the background context will be used.
 	Context context.Context
 }
-// NewRequest returns a new request. The host is inferred from the URL.
+// NewRequest returns a new request.
 // The returned Request is suitable for use with Client.Do.
 //
 // Callers should be careful that the URL query is properly escaped.
 // See the documentation for QueryEscape for more information.
 func NewRequest(rawurl string) (*Request, error) {
 	u, err := url.Parse(rawurl)
 	if err != nil {
 		return nil, err
 	}
-	return NewRequestFromURL(u), nil
+	return &Request{URL: u}, nil
 }
-// NewRequestFromURL returns a new request for the given URL.
+// ReadRequest reads and parses an incoming request from r.
 // The host is inferred from the URL.
 //
-// Callers should be careful that the URL query is properly escaped.
+// ReadRequest is a low-level function and should only be used
-// See the documentation for QueryEscape for more information.
+// for specialized applications; most code should use the Server
-func NewRequestFromURL(url *url.URL) *Request {
+// to read requests and handle them via the Handler interface.
 	host := url.Host
 	if url.Port() == "" {
 		host += ":1965"
 	}
 	return &Request{
 		URL:  url,
 		Host: host,
 	}
 }
 // ReadRequest reads a Gemini request from the provided io.Reader
 func ReadRequest(r io.Reader) (*Request, error) {
 	// Limit request size
 	r = io.LimitReader(r, 1026)
 	br := bufio.NewReaderSize(r, 1026)
 	b, err := br.ReadBytes('\n')
 	if err != nil {
 		if err == io.EOF {
 			return nil, ErrInvalidRequest
 		}
 		return nil, err
 	}
 	// Read URL
-	br := bufio.NewReader(r)
+	rawurl, ok := trimCRLF(b)
-	rawurl, err := br.ReadString('\r')
+	if !ok {
 	if err != nil {
 		return nil, err
 	}
 	// Read terminating line feed
 	if b, err := br.ReadByte(); err != nil {
 		return nil, err
 	} else if b != '\n' {
 		return nil, ErrInvalidRequest
 	}
-	// Trim carriage return
+	if len(rawurl) == 0 {
 	rawurl = rawurl[:len(rawurl)-1]
 	// Validate URL
 	if len(rawurl) > 1024 {
 		return nil, ErrInvalidRequest
 	}
-	u, err := url.Parse(rawurl)
+	u, err := url.Parse(string(rawurl))
 	if err != nil {
 		return nil, err
 	}
 	if u.User != nil {
 		// User is not allowed
 		return nil, ErrInvalidURL
 	}
 	return &Request{URL: u}, nil
 }
-// Write writes the Gemini request to the provided buffered writer.
+// WriteTo writes r to w in the Gemini request format.
-func (r *Request) Write(w *bufio.Writer) error {
+// This method consults the request URL only.
 func (r *Request) WriteTo(w io.Writer) (int64, error) {
 	bw := bufio.NewWriterSize(w, 1026)
 	url := r.URL.String()
-	// User is invalid
+	if len(url) > 1024 {
-	if r.URL.User != nil || len(url) > 1024 {
+		return 0, ErrInvalidRequest
 		return ErrInvalidURL
 	}
-	if _, err := w.WriteString(url); err != nil {
+	var wrote int64
-		return err
+	n, err := bw.WriteString(url)
 	wrote += int64(n)
 	if err != nil {
 		return wrote, err
 	}
-	if _, err := w.Write(crlf); err != nil {
+	n, err = bw.Write(crlf)
-		return err
+	wrote += int64(n)
 	if err != nil {
 		return wrote, err
 	}
-	return nil
+	return wrote, bw.Flush()
 }
 // ServerName returns the value of the TLS Server Name Indication extension
 // sent by the client.
 // ServerName returns an empty string for client requests.
 func (r *Request) ServerName() string {
 	if tls := r.TLS; tls != nil {
 		return tls.ServerName
 	}
 	return ""
 }
--- a/request_test.go
+++ b/request_test.go
@ -0,0 +1,131 @@
 package gemini
 import (
 	"bufio"
 	"net/url"
 	"strings"
 	"testing"
 )
 // 1024 bytes
 const maxURL = "gemini://example.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 func TestReadRequest(t *testing.T) {
 	tests := []struct {
 		Raw string
 		URL *url.URL
 		Err error
 	}{
 		{
 			Raw: "gemini://example.com\r\n",
 			URL: &url.URL{
 				Scheme: "gemini",
 				Host:   "example.com",
 			},
 		},
 		{
 			Raw: "http://example.org/path/?query#fragment\r\n",
 			URL: &url.URL{
 				Scheme:   "http",
 				Host:     "example.org",
 				Path:     "/path/",
 				RawQuery: "query",
 				Fragment: "fragment",
 			},
 		},
 		{
 			Raw: "\r\n",
 			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com\n",
 			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com",
 			Err: ErrInvalidRequest,
 		},
 		{
 			// 1030 bytes
 			Raw: maxURL + "xxxxxx",
 			Err: ErrInvalidRequest,
 		},
 		{
 			// 1027 bytes
 			Raw: maxURL + "x" + "\r\n",
 			Err: ErrInvalidRequest,
 		},
 		{
 			// 1024 bytes
 			Raw: maxURL[:len(maxURL)-2] + "\r\n",
 			URL: &url.URL{
 				Scheme: "gemini",
 				Host:   "example.net",
 				Path:   maxURL[len("gemini://example.net") : len(maxURL)-2],
 			},
 		},
 	}
 	for _, test := range tests {
 		t.Logf("%#v", test.Raw)
 		req, err := ReadRequest(strings.NewReader(test.Raw))
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
 		if req == nil && test.URL != nil {
 			t.Errorf("expected url = %s, got nil", test.URL)
 		} else if req != nil && test.URL == nil {
 			t.Errorf("expected req = nil, got %v", req)
 		} else if req != nil && *req.URL != *test.URL {
 			t.Errorf("expected url = %v, got %v", *test.URL, *req.URL)
 		}
 	}
 }
 func newRequest(rawurl string) *Request {
 	req, err := NewRequest(rawurl)
 	if err != nil {
 		panic(err)
 	}
 	return req
 }
 func TestWriteRequest(t *testing.T) {
 	tests := []struct {
 		Req *Request
 		Raw string
 		Err error
 	}{
 		{
 			Req: newRequest("gemini://example.com"),
 			Raw: "gemini://example.com\r\n",
 		},
 		{
 			Req: newRequest("gemini://example.com/path/?query#fragment"),
 			Raw: "gemini://example.com/path/?query#fragment\r\n",
 		},
 		{
 			Req: newRequest(maxURL),
 			Raw: maxURL + "\r\n",
 		},
 		{
 			Req: newRequest(maxURL + "x"),
 			Err: ErrInvalidRequest,
 		},
 	}
 	for _, test := range tests {
 		t.Logf("%s", test.Req.URL)
 		var b strings.Builder
 		bw := bufio.NewWriter(&b)
 		_, err := test.Req.WriteTo(bw)
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
 		bw.Flush()
 		got := b.String()
 		if got != test.Raw {
 			t.Errorf("expected %#v, got %#v", test.Raw, got)
 		}
 	}
 }
--- a/response.go
+++ b/response.go
@ -3,203 +3,232 @@ package gemini
 import (
 	"bufio"
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
 	"strconv"
 )
-// Response is a Gemini response.
+// The default media type for responses.
 const defaultMediaType = "text/gemini"
 // Response represents the response from a Gemini request.
 //
 // The Client returns Responses from servers once the response
 // header has been received. The response body is streamed on demand
 // as the Body field is read.
 type Response struct {
-	// Status contains the response status code.
+	// Status is the response status code.
 	Status Status
-	// Meta contains more information related to the response status.
+	// Meta returns the response meta.
-	// For successful responses, Meta should contain the media type of the response.
+	// For successful responses, the meta should contain the media type of the response.
-	// For failure responses, Meta should contain a short description of the failure.
+	// For failure responses, the meta should contain a short description of the failure.
 	// Meta should not be longer than 1024 bytes.
 	Meta string
-	// Body contains the response body for successful responses.
+	// Body represents the response body.
 	//
 	// The response body is streamed on demand as the Body field
 	// is read. If the network connection fails or the server
 	// terminates the response, Body.Read calls return an error.
 	//
 	// The Gemini client guarantees that Body is always
 	// non-nil, even on responses without a body or responses with
 	// a zero-length body. It is the caller's responsibility to
 	// close Body.
 	Body io.ReadCloser
-	// TLS contains information about the TLS connection on which the response
+	conn net.Conn
 	// was received.
 	TLS tls.ConnectionState
 }
 // ReadResponse reads a Gemini response from the provided io.ReadCloser.
-func ReadResponse(rc io.ReadCloser) (*Response, error) {
+func ReadResponse(r io.ReadCloser) (*Response, error) {
 	resp := &Response{}
 	br := bufio.NewReader(rc)
-	// Read the status
+	// Limit response header size
-	statusB := make([]byte, 2)
+	lr := io.LimitReader(r, 1029)
-	if _, err := br.Read(statusB); err != nil {
+	// Wrap the reader to remove the limit later on
-		return nil, err
+	wr := &struct{ io.Reader }{lr}
-	}
+	br := bufio.NewReader(wr)
-	status, err := strconv.Atoi(string(statusB))
+
 	// Read response header
 	b, err := br.ReadBytes('\n')
 	if err != nil {
 		if err == io.EOF {
 			return nil, ErrInvalidResponse
 		}
 		return nil, err
 	}
-	resp.Status = Status(status)
+	if len(b) < 3 {
 	// Disregard invalid status codes
 	const minStatus, maxStatus = 1, 6
 	statusClass := resp.Status.Class()
 	if statusClass < minStatus || statusClass > maxStatus {
 		return nil, ErrInvalidResponse
 	}
 	// Read the status
 	status, err := strconv.Atoi(string(b[:2]))
 	if err != nil {
 		return nil, ErrInvalidResponse
 	}
 	resp.Status = Status(status)
 	// Read one space
-	if b, err := br.ReadByte(); err != nil {
+	if b[2] != ' ' {
 		return nil, err
 	} else if b != ' ' {
 		return nil, ErrInvalidResponse
 	}
 	// Read the meta
-	meta, err := br.ReadString('\r')
+	meta, ok := trimCRLF(b[3:])
-	if err != nil {
+	if !ok {
 		return nil, err
 	}
 	// Trim carriage return
 	meta = meta[:len(meta)-1]
 	// Ensure meta is less than or equal to 1024 bytes
 	if len(meta) > 1024 {
 		return nil, ErrInvalidResponse
 	}
-	// Default mime type of text/gemini; charset=utf-8
+	if len(meta) == 0 {
 	if statusClass == StatusClassSuccess && meta == "" {
 		meta = "text/gemini; charset=utf-8"
 	}
 	resp.Meta = meta
 	// Read terminating newline
 	if b, err := br.ReadByte(); err != nil {
 		return nil, err
 	} else if b != '\n' {
 		return nil, ErrInvalidResponse
 	}
 	resp.Meta = string(meta)
-	if resp.Status.Class() == StatusClassSuccess {
+	if resp.Status.Class() == StatusSuccess {
-		resp.Body = newReadCloserBody(br, rc)
+		// Use unlimited reader
 		wr.Reader = r
 		type readCloser struct {
 			io.Reader
 			io.Closer
 		}
 		resp.Body = readCloser{br, r}
 	} else {
-		rc.Close()
+		resp.Body = nopReadCloser{}
 		r.Close()
 	}
 	return resp, nil
 }
-type readCloserBody struct {
+// Conn returns the network connection on which the response was received.
-	br *bufio.Reader // used until empty
+func (r *Response) Conn() net.Conn {
-	io.ReadCloser
+	return r.conn
 }
-func newReadCloserBody(br *bufio.Reader, rc io.ReadCloser) io.ReadCloser {
+// TLS returns information about the TLS connection on which the
-	body := &readCloserBody{ReadCloser: rc}
+// response was received.
-	if br.Buffered() != 0 {
+func (r *Response) TLS() *tls.ConnectionState {
-		body.br = br
+	if tlsConn, ok := r.conn.(*tls.Conn); ok {
 		state := tlsConn.ConnectionState()
 		return &state
 	}
-	return body
+	return nil
 }
-func (b *readCloserBody) Read(p []byte) (n int, err error) {
+// WriteTo writes r to w in the Gemini response format, including the
-	if b.br != nil {
+// header and body.
-		if n := b.br.Buffered(); len(p) > n {
+//
-			p = p[:n]
+// This method consults the Status, Meta, and Body fields of the response.
-		}
+// The Response Body is closed after it is sent.
-		n, err = b.br.Read(p)
+func (r *Response) WriteTo(w io.Writer) (int64, error) {
-		if b.br.Buffered() == 0 {
+	var wrote int64
-			b.br = nil
+	n, err := fmt.Fprintf(w, "%02d %s\r\n", r.Status, r.Meta)
-		}
+	wrote += int64(n)
-		return n, err
+	if err != nil {
 		return wrote, err
 	}
-	return b.ReadCloser.Read(p)
+	if r.Body != nil {
 		defer r.Body.Close()
 		n, err := io.Copy(w, r.Body)
 		wrote += n
 		if err != nil {
 			return wrote, err
 		}
 	}
 	return wrote, nil
 }
-// ResponseWriter is used to construct a Gemini response.
+// A ResponseWriter interface is used by a Gemini handler to construct
-type ResponseWriter struct {
+// a Gemini response.
-	b           *bufio.Writer
+//
-	status      Status
+// A ResponseWriter may not be used after the Handler.ServeGemini method
-	meta        string
+// has returned.
-	setHeader   bool
+type ResponseWriter interface {
 	// SetMediaType sets the media type that will be sent by Write for a
 	// successful response. If no media type is set, a default media type of
 	// "text/gemini" will be used.
 	//
 	// Setting the media type after a call to Write or WriteHeader has
 	// no effect.
 	SetMediaType(mediatype string)
 	// Write writes the data to the connection as part of a Gemini response.
 	//
 	// If WriteHeader has not yet been called, Write calls WriteHeader with
 	// StatusSuccess and the media type set in SetMediaType before writing the data.
 	// If no media type was set, Write uses a default media type of
 	// "text/gemini".
 	Write([]byte) (int, error)
 	// WriteHeader sends a Gemini response header with the provided
 	// status code and meta.
 	//
 	// If WriteHeader is not called explicitly, the first call to Write
 	// will trigger an implicit call to WriteHeader with a successful
 	// status code and the media type set in SetMediaType.
 	//
 	// The provided code must be a valid Gemini status code.
 	// The provided meta must not be longer than 1024 bytes.
 	// Only one header may be written.
 	WriteHeader(status Status, meta string)
 	// Flush sends any buffered data to the client.
 	Flush() error
 }
 type responseWriter struct {
 	bw          *bufio.Writer
 	mediatype   string
 	wroteHeader bool
 	bodyAllowed bool
 }
-// NewResponseWriter returns a ResponseWriter that uses the provided io.Writer.
+func newResponseWriter(w io.Writer) *responseWriter {
-func NewResponseWriter(w io.Writer) *ResponseWriter {
+	return &responseWriter{
-	return &ResponseWriter{
+		bw: bufio.NewWriter(w),
 		b: bufio.NewWriter(w),
 	}
 }
-// Header sets the response header.
+func (w *responseWriter) SetMediaType(mediatype string) {
-func (w *ResponseWriter) Header(status Status, meta string) {
+	w.mediatype = mediatype
 	w.status = status
 	w.meta = meta
 }
-// Status sets the response status code.
+func (w *responseWriter) Write(b []byte) (int, error) {
 // It also sets the response meta to status.Meta().
 func (w *ResponseWriter) Status(status Status) {
 	w.status = status
 	w.meta = status.Meta()
 }
 // Meta sets the response meta.
 //
 // For successful responses, meta should contain the media type of the response.
 // For failure responses, meta should contain a short description of the failure.
 // The response meta should not be greater than 1024 bytes.
 func (w *ResponseWriter) Meta(meta string) {
 	w.meta = meta
 }
 // Write writes data to the connection as part of the response body.
 // If the response status does not allow for a response body, Write returns
 // ErrBodyNotAllowed.
 //
 // Write writes the response header if it has not already been written.
 // It writes a successful status code if one is not set.
 func (w *ResponseWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
-		w.writeHeader(StatusSuccess)
+		meta := w.mediatype
 		if meta == "" {
 			// Use default media type
 			meta = defaultMediaType
 		}
 		w.WriteHeader(StatusSuccess, meta)
 	}
 	if !w.bodyAllowed {
 		return 0, ErrBodyNotAllowed
 	}
-	return w.b.Write(b)
+	return w.bw.Write(b)
 }
-func (w *ResponseWriter) writeHeader(defaultStatus Status) {
+func (w *responseWriter) WriteHeader(status Status, meta string) {
-	status := w.status
+	if w.wroteHeader {
-	if status == 0 {
+		return
 		status = defaultStatus
 	}
-	meta := w.meta
+	if status.Class() == StatusSuccess {
 	if status.Class() == StatusClassSuccess {
 		w.bodyAllowed = true
 		if meta == "" {
 			meta = "text/gemini"
 		}
 	}
-	w.b.WriteString(strconv.Itoa(int(status)))
+	w.bw.WriteString(strconv.Itoa(int(status)))
-	w.b.WriteByte(' ')
+	w.bw.WriteByte(' ')
-	w.b.WriteString(meta)
+	w.bw.WriteString(meta)
-	w.b.Write(crlf)
+	w.bw.Write(crlf)
 	w.wroteHeader = true
 }
-// Flush writes any buffered data to the underlying io.Writer.
+func (w *responseWriter) Flush() error {
 //
 // Flush writes the response header if it has not already been written.
 // It writes a failure status code if one is not set.
 func (w *ResponseWriter) Flush() error {
 	if !w.wroteHeader {
-		w.writeHeader(StatusTemporaryFailure)
+		w.WriteHeader(StatusTemporaryFailure, "Temporary failure")
 	}
-	// Write errors from writeHeader will be returned here.
+	// Write errors from WriteHeader will be returned here.
-	return w.b.Flush()
+	return w.bw.Flush()
 }
--- a/response_test.go
+++ b/response_test.go
@ -0,0 +1,135 @@
 package gemini
 import (
 	"io"
 	"io/ioutil"
 	"strings"
 	"testing"
 )
 func TestReadWriteResponse(t *testing.T) {
 	tests := []struct {
 		Raw       string
 		Status    Status
 		Meta      string
 		Body      string
 		Err       error
 		SkipWrite bool
 	}{
 		{
 			Raw:    "20 text/gemini\r\nHello, world!\nWelcome to my capsule.",
 			Status: 20,
 			Meta:   "text/gemini",
 			Body:   "Hello, world!\nWelcome to my capsule.",
 		},
 		{
 			Raw:    "10 Search query\r\n",
 			Status: 10,
 			Meta:   "Search query",
 		},
 		{
 			Raw:    "30 /redirect\r\n",
 			Status: 30,
 			Meta:   "/redirect",
 		},
 		{
 			Raw:       "31 /redirect\r\nThis body is ignored.",
 			Status:    31,
 			Meta:      "/redirect",
 			SkipWrite: true, // skip write test since result won't match Raw
 		},
 		{
 			Raw:    "32 " + maxURL + "\r\n",
 			Status: 32,
 			Meta:   maxURL,
 		},
 		{
 			Raw: "33 " + maxURL + "xxxx" + "\r\n",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw:    "99 Unknown status code\r\n",
 			Status: 99,
 			Meta:   "Unknown status code",
 		},
 		{
 			Raw: "\r\n",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "\n",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "1 Bad response\r\n",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "10 Search query",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\nHello, world!",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\rHello, world!",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\r",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "abcdefghijklmnopqrstuvwxyz",
 			Err: ErrInvalidResponse,
 		},
 	}
 	for _, test := range tests {
 		t.Logf("%#v", test.Raw)
 		resp, err := ReadResponse(ioutil.NopCloser(strings.NewReader(test.Raw)))
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
 		if err != nil {
 			// No response
 			continue
 		}
 		if resp.Status != test.Status {
 			t.Errorf("expected status = %d, got %d", test.Status, resp.Status)
 		}
 		if resp.Meta != test.Meta {
 			t.Errorf("expected meta = %s, got %s", test.Meta, resp.Meta)
 		}
 		b, _ := ioutil.ReadAll(resp.Body)
 		body := string(b)
 		if body != test.Body {
 			t.Errorf("expected body = %#v, got %#v", test.Body, body)
 		}
 	}
 	for _, test := range tests {
 		if test.Err != nil || test.SkipWrite {
 			continue
 		}
 		var b strings.Builder
 		w := newResponseWriter(nopCloser{&b})
 		w.WriteHeader(test.Status, test.Meta)
 		io.Copy(w, strings.NewReader(test.Body))
 		if err := w.Flush(); err != nil {
 			t.Error(err)
 			continue
 		}
 		got := b.String()
 		if got != test.Raw {
 			t.Errorf("expected %#v, got %#v", test.Raw, got)
 		}
 	}
 }
--- a/server.go
+++ b/server.go
@ -1,112 +1,267 @@
 package gemini
 import (
 	"context"
 	"crypto/tls"
 	"errors"
 	"log"
 	"net"
-	"strings"
+	"sync"
 	"time"
 )
-// Server is a Gemini server.
+// A Server defines parameters for running a Gemini server. The zero value for
 // Server is a valid configuration.
 type Server struct {
-	// Addr specifies the address that the server should listen on.
+	// Addr optionally specifies the TCP address for the server to listen on,
-	// If Addr is empty, the server will listen on the address ":1965".
+	// in the form "host:port". If empty, ":1965" (port 1965) is used.
 	// See net.Dial for details of the address format.
 	Addr string
-	// ReadTimeout is the maximum duration for reading a request.
+	// The Handler to invoke.
 	Handler Handler
 	// ReadTimeout is the maximum duration for reading the entire
 	// request.
 	//
 	// A ReadTimeout of zero means no timeout.
 	ReadTimeout time.Duration
 	// WriteTimeout is the maximum duration before timing out
 	// writes of the response.
 	//
 	// A WriteTimeout of zero means no timeout.
 	WriteTimeout time.Duration
-	// Certificates contains the certificates used by the server.
+	// GetCertificate returns a TLS certificate based on the given
-	Certificates CertificateDir
+	// hostname.
 	//
 	// If GetCertificate is nil or returns nil, then no certificate
 	// will be used and the connection will be aborted.
 	//
 	// See the certificate submodule for a certificate store that creates
 	// and rotates certificates as needed.
 	GetCertificate func(hostname string) (*tls.Certificate, error)
-	// CreateCertificate, if not nil, will be called to create a new certificate
+	// ErrorLog specifies an optional logger for errors accepting connections,
-	// if the current one is expired or missing.
+	// unexpected behavior from handlers, and underlying file system errors.
 	CreateCertificate func(hostname string) (tls.Certificate, error)
 	// ErrorLog specifies an optional logger for errors accepting connections
 	// and file system errors.
 	// If nil, logging is done via the log package's standard logger.
-	ErrorLog *log.Logger
+	ErrorLog interface {
 		Printf(format string, v ...interface{})
 	}
-	// registered responders
+	listeners map[*net.Listener]context.CancelFunc
-	responders map[responderKey]Responder
+	conns     map[*net.Conn]context.CancelFunc
-	hosts      map[string]bool
+	closed    bool // true if Close or Shutdown called
 	shutdown  bool // true if Shutdown called
 	doneChan  chan struct{}
 	mu        sync.Mutex
 }
-type responderKey struct {
+func (srv *Server) isClosed() bool {
-	scheme   string
+	srv.mu.Lock()
-	hostname string
+	defer srv.mu.Unlock()
 	return srv.closed
 }
-// Register registers a responder for the given pattern.
+// done returns a channel that's closed when the server is closed and
 // all listeners and connections are closed.
 func (srv *Server) done() chan struct{} {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
 	return srv.doneLocked()
 }
 func (srv *Server) doneLocked() chan struct{} {
 	if srv.doneChan == nil {
 		srv.doneChan = make(chan struct{})
 	}
 	return srv.doneChan
 }
 // tryCloseDone closes srv.done() if the server is closed and
 // there are no active listeners or connections.
 func (srv *Server) tryCloseDone() {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
 	srv.tryCloseDoneLocked()
 }
 func (srv *Server) tryCloseDoneLocked() {
 	if !srv.closed {
 		return
 	}
 	if len(srv.listeners) == 0 && len(srv.conns) == 0 {
 		ch := srv.doneLocked()
 		select {
 		case <-ch:
 		default:
 			close(ch)
 		}
 	}
 }
 // Close immediately closes all active net.Listeners and connections.
 // For a graceful shutdown, use Shutdown.
 func (srv *Server) Close() error {
 	srv.mu.Lock()
 	{
 		if srv.closed {
 			srv.mu.Unlock()
 			return nil
 		}
 		srv.closed = true
 		srv.tryCloseDoneLocked()
 		// Close all active connections and listeners.
 		for _, cancel := range srv.listeners {
 			cancel()
 		}
 		for _, cancel := range srv.conns {
 			cancel()
 		}
 	}
 	srv.mu.Unlock()
 	select {
 	case <-srv.done():
 		return nil
 	}
 }
 // Shutdown gracefully shuts down the server without interrupting any
 // active connections. Shutdown works by first closing all open listeners
 // and then waiting indefinitely for connections to close.
 // If the provided context expires before the shutdown is complete,
 // Shutdown returns the context's error.
 //
-// Patterns must be in the form of "hostname" or "scheme://hostname".
+// When Shutdown is called, Serve and ListenAndServe immediately
-// If no scheme is specified, a scheme of "gemini://" is implied.
+// return an error. Make sure the program doesn't exit and waits instead for
-// Wildcard patterns are supported (e.g. "*.example.com").
+// Shutdown to return.
-func (s *Server) Register(pattern string, responder Responder) {
+//
-	if pattern == "" {
+// Once Shutdown has been called on a server, it may not be reused;
-		panic("gemini: invalid pattern")
+// future calls to methods such as Serve will return an error.
-	}
+func (srv *Server) Shutdown(ctx context.Context) error {
-	if responder == nil {
+	srv.mu.Lock()
-		panic("gemini: nil responder")
+	{
-	}
+		if srv.closed {
-	if s.responders == nil {
+			srv.mu.Unlock()
-		s.responders = map[responderKey]Responder{}
+			return nil
-		s.hosts = map[string]bool{}
+		}
-	}
+		srv.closed = true
 		srv.shutdown = true
-	split := strings.SplitN(pattern, "://", 2)
+		srv.tryCloseDoneLocked()
 	var key responderKey
 	if len(split) == 2 {
 		key.scheme = split[0]
 		key.hostname = split[1]
 	} else {
 		key.scheme = "gemini"
 		key.hostname = split[0]
 	}
-	if _, ok := s.responders[key]; ok {
+		// Close all active listeners.
-		panic("gemini: multiple registrations for " + pattern)
+		for _, cancel := range srv.listeners {
 			cancel()
 		}
 	}
-	s.responders[key] = responder
+	srv.mu.Unlock()
 	s.hosts[key.hostname] = true
 }
-// RegisterFunc registers a responder function for the given pattern.
+	// Wait for active connections to finish.
-func (s *Server) RegisterFunc(pattern string, responder func(*ResponseWriter, *Request)) {
+	select {
-	s.Register(pattern, ResponderFunc(responder))
+	case <-ctx.Done():
 		return ctx.Err()
 	case <-srv.done():
 		return nil
 	}
 }
 // ListenAndServe listens for requests at the server's configured address.
-func (s *Server) ListenAndServe() error {
+// ListenAndServe listens on the TCP network address srv.Addr and then calls
-	addr := s.Addr
+// Serve to handle requests on incoming connections. If the provided
 // context expires, ListenAndServe closes l and returns the context's error.
 //
 // If srv.Addr is blank, ":1965" is used.
 //
 // ListenAndServe always returns a non-nil error.
 // After Shutdown or Closed, the returned error is context.Canceled.
 func (srv *Server) ListenAndServe(ctx context.Context) error {
 	if srv.isClosed() {
 		return context.Canceled
 	}
 	addr := srv.Addr
 	if addr == "" {
 		addr = ":1965"
 	}
-	ln, err := net.Listen("tcp", addr)
+	l, err := net.Listen("tcp", addr)
 	if err != nil {
 		return err
 	}
 	defer ln.Close()
-	return s.Serve(tls.NewListener(ln, &tls.Config{
+	l = tls.NewListener(l, &tls.Config{
 		ClientAuth:     tls.RequestClientCert,
 		MinVersion:     tls.VersionTLS12,
-		GetCertificate: s.getCertificate,
+		GetCertificate: srv.getCertificate,
-	}))
+	})
 	return srv.Serve(ctx, l)
 }
-// Serve listens for requests on the provided listener.
+func (srv *Server) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
-func (s *Server) Serve(l net.Listener) error {
+	if srv.GetCertificate == nil {
-	var tempDelay time.Duration // how long to sleep on accept failure
+		return nil, errors.New("gemini: GetCertificate is nil")
 	}
 	return srv.GetCertificate(h.ServerName)
 }
 func (srv *Server) trackListener(l *net.Listener, cancel context.CancelFunc) bool {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
 	if srv.closed {
 		return false
 	}
 	if srv.listeners == nil {
 		srv.listeners = make(map[*net.Listener]context.CancelFunc)
 	}
 	srv.listeners[l] = cancel
 	return true
 }
 func (srv *Server) deleteListener(l *net.Listener) {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
 	delete(srv.listeners, l)
 }
 // Serve accepts incoming connections on the Listener l, creating a new
 // service goroutine for each. The service goroutines read the requests and
 // then call the appropriate Handler to reply to them. If the provided
 // context expires, Serve closes l and returns the context's error.
 //
 // Serve always closes l and returns a non-nil error.
 // After Shutdown or Close, the returned error is context.Canceled.
 func (srv *Server) Serve(ctx context.Context, l net.Listener) error {
 	defer l.Close()
 	lnctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	if !srv.trackListener(&l, cancel) {
 		return context.Canceled
 	}
 	defer srv.tryCloseDone()
 	defer srv.deleteListener(&l)
 	errch := make(chan error, 1)
 	go func() {
 		errch <- srv.serve(ctx, l)
 	}()
 	select {
 	case <-lnctx.Done():
 		return lnctx.Err()
 	case err := <-errch:
 		return err
 	}
 }
 func (srv *Server) serve(ctx context.Context, l net.Listener) error {
 	var tempDelay time.Duration // how long to sleep on accept failure
 	for {
 		rw, err := l.Accept()
 		if err != nil {
@ -120,128 +275,121 @@ func (s *Server) Serve(l net.Listener) error {
 				if max := 1 * time.Second; tempDelay > max {
 					tempDelay = max
 				}
-				s.logf("gemini: Accept error: %v; retrying in %v", err, tempDelay)
+				srv.logf("gemini: Accept error: %v; retrying in %v", err, tempDelay)
 				time.Sleep(tempDelay)
 				continue
 			}
 			// Otherwise, return the error
 			return err
 		}
 		tempDelay = 0
-		go s.respond(rw)
+		go srv.serveConn(ctx, rw, false)
 	}
 }
-func (s *Server) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
+func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc, external bool) bool {
-	cert, err := s.getCertificateFor(h.ServerName)
+	srv.mu.Lock()
-	if err != nil {
+	defer srv.mu.Unlock()
-		// Try wildcard
+	// Reject the connection under the following conditions:
-		wildcard := strings.SplitN(h.ServerName, ".", 2)
+	// - Shutdown or Close has been called and conn is external (from ServeConn)
-		if len(wildcard) == 2 {
+	// - Close (not Shutdown) has been called and conn is internal (from Serve)
-			cert, err = s.getCertificateFor("*." + wildcard[1])
+	if srv.closed && (external || !srv.shutdown) {
-		}
+		return false
 	}
-	return cert, err
+	if srv.conns == nil {
 		srv.conns = make(map[*net.Conn]context.CancelFunc)
 	}
 	srv.conns[conn] = cancel
 	return true
 }
-func (s *Server) getCertificateFor(hostname string) (*tls.Certificate, error) {
+func (srv *Server) deleteConn(conn *net.Conn) {
-	if _, ok := s.hosts[hostname]; !ok {
+	srv.mu.Lock()
-		return nil, errors.New("hostname not registered")
+	defer srv.mu.Unlock()
-	}
+	delete(srv.conns, conn)
 	// Generate a new certificate if it is missing or expired
 	cert, ok := s.Certificates.Lookup(hostname)
 	if !ok || cert.Leaf != nil && cert.Leaf.NotAfter.Before(time.Now()) {
 		if s.CreateCertificate != nil {
 			cert, err := s.CreateCertificate(hostname)
 			if err == nil {
 				s.Certificates.Add(hostname, cert)
 				if err := s.Certificates.Write(hostname, cert); err != nil {
 					s.logf("gemini: Failed to write new certificate for %s: %s", hostname, err)
 				}
 			}
 			return &cert, err
 		}
 		return nil, errors.New("no certificate")
 	}
 	return &cert, nil
 }
-// respond responds to a connection.
+// ServeConn serves a Gemini response over the provided connection.
-func (s *Server) respond(conn net.Conn) {
+// It closes the connection when the response has been completed.
 // If the provided context expires before the response has completed,
 // ServeConn closes the connection and returns the context's error.
 func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 	return srv.serveConn(ctx, conn, true)
 }
 func (srv *Server) serveConn(ctx context.Context, conn net.Conn, external bool) error {
 	defer conn.Close()
-	if d := s.ReadTimeout; d != 0 {
+
-		_ = conn.SetReadDeadline(time.Now().Add(d))
+	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	if !srv.trackConn(&conn, cancel, external) {
 		return context.Canceled
 	}
-	if d := s.WriteTimeout; d != 0 {
+	defer srv.tryCloseDone()
-		_ = conn.SetWriteDeadline(time.Now().Add(d))
+	defer srv.deleteConn(&conn)
 	if d := srv.ReadTimeout; d != 0 {
 		conn.SetReadDeadline(time.Now().Add(d))
 	}
 	if d := srv.WriteTimeout; d != 0 {
 		conn.SetWriteDeadline(time.Now().Add(d))
 	}
-	w := NewResponseWriter(conn)
+	errch := make(chan error, 1)
-	defer func() {
+	go func() {
-		_ = w.Flush()
+		errch <- srv.goServeConn(ctx, conn)
 	}()
-	req, err := ReadRequest(conn)
+	select {
 	case <-ctx.Done():
 		return ctx.Err()
 	case err := <-errch:
 		return err
 	}
 }
 func (srv *Server) goServeConn(ctx context.Context, conn net.Conn) error {
 	ctx, cancel := context.WithCancel(ctx)
 	done := ctx.Done()
 	cw := &contextWriter{
 		ctx:    ctx,
 		done:   done,
 		cancel: cancel,
 		wc:     conn,
 	}
 	r := &contextReader{
 		ctx:    ctx,
 		done:   done,
 		cancel: cancel,
 		rc:     conn,
 	}
 	w := newResponseWriter(cw)
 	req, err := ReadRequest(r)
 	if err != nil {
-		w.Status(StatusBadRequest)
+		w.WriteHeader(StatusBadRequest, "Bad request")
-		return
+		return w.Flush()
 	}
 	// Store information about the TLS connection
 	if tlsConn, ok := conn.(*tls.Conn); ok {
-		req.TLS = tlsConn.ConnectionState()
+		state := tlsConn.ConnectionState()
-		if len(req.TLS.PeerCertificates) > 0 {
+		req.TLS = &state
 			peerCert := req.TLS.PeerCertificates[0]
 			// Store the TLS certificate
 			req.Certificate = &tls.Certificate{
 				Certificate: [][]byte{peerCert.Raw},
 				Leaf:        peerCert,
 			}
 		}
 	}
-	resp := s.responder(req)
+	h := srv.Handler
-	if resp == nil {
+	if h == nil {
-		w.Status(StatusNotFound)
+		w.WriteHeader(StatusNotFound, "Not found")
-		return
+		return w.Flush()
 	}
-	resp.Respond(w, req)
+	h.ServeGemini(ctx, w, req)
 	return w.Flush()
 }
-func (s *Server) responder(r *Request) Responder {
+func (srv *Server) logf(format string, args ...interface{}) {
-	if h, ok := s.responders[responderKey{r.URL.Scheme, r.URL.Hostname()}]; ok {
+	if srv.ErrorLog != nil {
-		return h
+		srv.ErrorLog.Printf(format, args...)
 	}
 	wildcard := strings.SplitN(r.URL.Hostname(), ".", 2)
 	if len(wildcard) == 2 {
 		if h, ok := s.responders[responderKey{r.URL.Scheme, "*." + wildcard[1]}]; ok {
 			return h
 		}
 	}
 	return nil
 }
 func (s *Server) logf(format string, args ...interface{}) {
 	if s.ErrorLog != nil {
 		s.ErrorLog.Printf(format, args...)
 	} else {
 		log.Printf(format, args...)
 	}
 }
 // A Responder responds to a Gemini request.
 type Responder interface {
 	// Respond accepts a Request and constructs a Response.
 	Respond(*ResponseWriter, *Request)
 }
 // ResponderFunc is a wrapper around a bare function that implements Responder.
 type ResponderFunc func(*ResponseWriter, *Request)
 func (f ResponderFunc) Respond(w *ResponseWriter, r *Request) {
 	f(w, r)
 }
--- a/status.go
+++ b/status.go
@ -1,8 +1,9 @@
 package gemini
-// Status codes.
+// Status represents a Gemini status code.
 type Status int
 // Gemini status codes.
 const (
 	StatusInput                    Status = 10
 	StatusSensitiveInput           Status = 11
@ -24,28 +25,26 @@ const (
 	StatusCertificateNotValid      Status = 62
 )
-// Status code categories.
+// Class returns the status class for the status code.
-type StatusClass int
+// 1x becomes 10, 2x becomes 20, and so on.
-
+func (s Status) Class() Status {
-const (
+	return (s / 10) * 10
 	StatusClassInput               StatusClass = 1
 	StatusClassSuccess             StatusClass = 2
 	StatusClassRedirect            StatusClass = 3
 	StatusClassTemporaryFailure    StatusClass = 4
 	StatusClassPermanentFailure    StatusClass = 5
 	StatusClassCertificateRequired StatusClass = 6
 )
 // Class returns the status class for this status code.
 func (s Status) Class() StatusClass {
 	return StatusClass(s / 10)
 }
-// Meta returns a description of the status code appropriate for use in a response.
+// String returns a text for the status code.
-//
+// It returns the empty string if the status code is unknown.
-// Meta returns an empty string for input, success, and redirect status codes.
+func (s Status) String() string {
 func (s Status) Meta() string {
 	switch s {
 	case StatusInput:
 		return "Input"
 	case StatusSensitiveInput:
 		return "Sensitive input"
 	case StatusSuccess:
 		return "Success"
 	case StatusRedirect:
 		return "Redirect"
 	case StatusPermanentRedirect:
 		return "Permanent redirect"
 	case StatusTemporaryFailure:
 		return "Temporary failure"
 	case StatusServerUnavailable:
--- a/text.go
+++ b/text.go
@ -9,38 +9,39 @@ import (
 // Line represents a line of a Gemini text response.
 type Line interface {
 	// String formats the line for use in a Gemini text response.
 	String() string
 	line() // private function to prevent other packages from implementing Line
 }
-// A link line.
+// LineLink is a link line.
 type LineLink struct {
 	URL  string
 	Name string
 }
-// A preformatting toggle line.
+// LinePreformattingToggle is a preformatting toggle line.
 type LinePreformattingToggle string
-// A preformatted text line.
+// LinePreformattedText is a preformatted text line.
 type LinePreformattedText string
-// A first-level heading line.
+// LineHeading1 is a first-level heading line.
 type LineHeading1 string
-// A second-level heading line.
+// LineHeading2 is a second-level heading line.
 type LineHeading2 string
-// A third-level heading line.
+// LineHeading3 is a third-level heading line.
 type LineHeading3 string
-// An unordered list item line.
+// LineListItem is an unordered list item line.
 type LineListItem string
-// A quote line.
+// LineQuote is a quote line.
 type LineQuote string
-// A text line.
+// LineText is a text line.
 type LineText string
 func (l LineLink) String() string {
@ -124,8 +125,8 @@ func ParseLines(r io.Reader, handler func(Line)) error {
 				name = strings.TrimLeft(name, spacetab)
 				line = LineLink{url, name}
 			}
-		} else if strings.HasPrefix(text, "*") {
+		} else if strings.HasPrefix(text, "* ") {
-			text = text[1:]
+			text = text[2:]
 			text = strings.TrimLeft(text, spacetab)
 			line = LineListItem(text)
 		} else if strings.HasPrefix(text, "###") {
--- a/tofu/tofu.go
+++ b/tofu/tofu.go
@ -3,156 +3,334 @@ package tofu
 import (
 	"bufio"
-	"crypto/sha512"
+	"bytes"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
-	"strconv"
+	"path/filepath"
 	"sort"
 	"strings"
 	"sync"
 	"time"
 )
-// KnownHosts maps hosts to fingerprints.
+// KnownHosts represents a list of known hosts.
-type KnownHosts map[string]Fingerprint
+// The zero value for KnownHosts represents an empty list ready to use.
 // KnownHostsFile represents a list of known hosts optionally loaded from a file.
 // The zero value for KnownHostsFile represents an empty list ready to use.
 //
-// KnownHostsFile is safe for concurrent use by multiple goroutines.
+// KnownHosts is safe for concurrent use by multiple goroutines.
-type KnownHostsFile struct {
+type KnownHosts struct {
-	KnownHosts
+	hosts map[string]Host
-	out io.Writer
+	mu    sync.RWMutex
 	mu  sync.RWMutex
 }
-// SetOutput sets the output to which new known hosts will be written to.
+// Add adds a host to the list of known hosts.
-func (k *KnownHostsFile) SetOutput(w io.Writer) {
+func (k *KnownHosts) Add(h Host) {
 	k.mu.Lock()
 	defer k.mu.Unlock()
-	k.out = w
+	if k.hosts == nil {
-}
+		k.hosts = map[string]Host{}
 // Add adds a known host to the list of known hosts.
 func (k *KnownHostsFile) Add(hostname string, fingerprint Fingerprint) {
 	k.mu.Lock()
 	defer k.mu.Unlock()
 	if k.KnownHosts == nil {
 		k.KnownHosts = KnownHosts{}
 	}
-	k.KnownHosts[hostname] = fingerprint
+
 	k.hosts[h.Hostname] = h
 }
-// Lookup returns the fingerprint of the certificate corresponding to
+// Lookup returns the known host entry corresponding to the given hostname.
-// the given hostname.
+func (k *KnownHosts) Lookup(hostname string) (Host, bool) {
 func (k *KnownHostsFile) Lookup(hostname string) (Fingerprint, bool) {
 	k.mu.RLock()
 	defer k.mu.RUnlock()
-	c, ok := k.KnownHosts[hostname]
+	c, ok := k.hosts[hostname]
 	return c, ok
 }
-// Write writes a known hosts entry to the configured output.
+// Entries returns the known host entries sorted by hostname.
-func (k *KnownHostsFile) Write(hostname string, fingerprint Fingerprint) error {
+func (k *KnownHosts) Entries() []Host {
 	keys := make([]string, 0, len(k.hosts))
 	for key := range k.hosts {
 		keys = append(keys, key)
 	}
 	sort.Strings(keys)
 	hosts := make([]Host, 0, len(k.hosts))
 	for _, key := range keys {
 		hosts = append(hosts, k.hosts[key])
 	}
 	return hosts
 }
 // WriteTo writes the list of known hosts to the provided io.Writer.
 func (k *KnownHosts) WriteTo(w io.Writer) (int64, error) {
 	k.mu.RLock()
 	defer k.mu.RUnlock()
-	if k.out != nil {
+
-		_, err := k.writeKnownHost(k.out, hostname, fingerprint)
+	var written int
 	bw := bufio.NewWriter(w)
 	for _, h := range k.hosts {
 		n, err := bw.WriteString(h.String())
 		written += n
 		if err != nil {
-			return fmt.Errorf("failed to write to known host file: %w", err)
+			return int64(written), err
 		}
 		bw.WriteByte('\n')
 		written += 1
 	}
-	return nil
+	return int64(written), bw.Flush()
 }
-// WriteAll writes all of the known hosts to the provided io.Writer.
+// Load loads the known hosts entries from the provided path.
-func (k *KnownHostsFile) WriteAll(w io.Writer) error {
+func (k *KnownHosts) Load(path string) error {
-	k.mu.RLock()
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
-	defer k.mu.RUnlock()
+		return err
 	for h, c := range k.KnownHosts {
 		if _, err := k.writeKnownHost(w, h, c); err != nil {
 			return err
 		}
 	}
 	return nil
 }
-// writeKnownHost writes a known host to the provided io.Writer.
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
 func (k *KnownHostsFile) writeKnownHost(w io.Writer, hostname string, f Fingerprint) (int, error) {
 	return fmt.Fprintf(w, "%s %s %s %d\n", hostname, f.Algorithm, f.Hex, f.Expires.Unix())
 }
 // Load loads the known hosts from the provided path.
 // It creates the file if it does not exist.
 // New known hosts will be appended to the file.
 func (k *KnownHostsFile) Load(path string) error {
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0644)
 	if err != nil {
 		return err
 	}
-	k.Parse(f)
+	defer f.Close()
-	k.SetOutput(f)
+
-	return nil
+	return k.Parse(f)
 }
-// Parse parses the provided reader and adds the parsed known hosts to the list.
+// Parse parses the provided io.Reader and adds the parsed hosts to the list.
 // Invalid entries are ignored.
-func (k *KnownHostsFile) Parse(r io.Reader) {
+//
 // For more control over errors encountered during parsing, use bufio.Scanner
 // in combination with ParseHost. For example:
 //
 //    var knownHosts tofu.KnownHosts
 //    scanner := bufio.NewScanner(r)
 //    for scanner.Scan() {
 //        host, err := tofu.ParseHost(scanner.Bytes())
 //        if err != nil {
 //            // handle error
 //        } else {
 //            knownHosts.Add(host)
 //        }
 //    }
 //    err := scanner.Err()
 //    if err != nil {
 //        // handle error
 //    }
 //
 func (k *KnownHosts) Parse(r io.Reader) error {
 	k.mu.Lock()
 	defer k.mu.Unlock()
-	if k.KnownHosts == nil {
+
-		k.KnownHosts = map[string]Fingerprint{}
+	if k.hosts == nil {
 		k.hosts = map[string]Host{}
 	}
 	scanner := bufio.NewScanner(r)
 	for scanner.Scan() {
-		text := scanner.Text()
+		text := scanner.Bytes()
-		parts := strings.Split(text, " ")
+		if len(text) == 0 {
 		if len(parts) < 4 {
 			continue
 		}
-		hostname := parts[0]
+		h, err := ParseHost(text)
 		algorithm := parts[1]
 		if algorithm != "SHA-512" {
 			continue
 		}
 		hex := parts[2]
 		unix, err := strconv.ParseInt(parts[3], 10, 0)
 		if err != nil {
 			continue
 		}
-		expires := time.Unix(unix, 0)
+		if h.Algorithm != "sha256" {
-
+			continue
 		k.KnownHosts[hostname] = Fingerprint{
 			Algorithm: algorithm,
 			Hex:       hex,
 			Expires:   expires,
 		}
 		k.hosts[h.Hostname] = h
 	}
 	return scanner.Err()
 }
 // TOFU implements basic trust on first use.
 //
 // If the host is not on file, it is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
 	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := k.Lookup(hostname)
 	if !ok {
 		k.Add(host)
 		return nil
 	}
 	if host.Fingerprint != knownHost.Fingerprint {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
 	return nil
 }
 // HostWriter writes host entries to an io.WriteCloser.
 //
 // HostWriter is safe for concurrent use by multiple goroutines.
 type HostWriter struct {
 	bw *bufio.Writer
 	cl io.Closer
 	mu sync.Mutex
 }
 // NewHostWriter returns a new host writer that writes to
 // the provided io.WriteCloser.
 func NewHostWriter(w io.WriteCloser) *HostWriter {
 	return &HostWriter{
 		bw: bufio.NewWriter(w),
 		cl: w,
 	}
 }
-// Fingerprint represents a fingerprint using a certain algorithm.
+// OpenHostsFile returns a new host writer that appends to the file at the given path.
-type Fingerprint struct {
+// The file is created if it does not exist.
-	Algorithm string    // fingerprint algorithm e.g. SHA-512
+func OpenHostsFile(path string) (*HostWriter, error) {
-	Hex       string    // fingerprint in hexadecimal, with ':' between each octet
+	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
-	Expires   time.Time // unix time of the fingerprint expiration date
+	if err != nil {
 		return nil, err
 	}
 	return NewHostWriter(f), nil
 }
-// NewFingerprint returns the SHA-512 fingerprint of the provided raw data.
+// WriteHost writes the host to the underlying io.Writer.
-func NewFingerprint(raw []byte, expires time.Time) Fingerprint {
+func (h *HostWriter) WriteHost(host Host) error {
-	sum512 := sha512.Sum512(raw)
+	h.mu.Lock()
 	defer h.mu.Unlock()
 	h.bw.WriteString(host.String())
 	h.bw.WriteByte('\n')
 	if err := h.bw.Flush(); err != nil {
 		return fmt.Errorf("failed to write host: %w", err)
 	}
 	return nil
 }
 // Close closes the underlying io.Closer.
 func (h *HostWriter) Close() error {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 	return h.cl.Close()
 }
 // PersistentHosts represents a persistent set of known hosts.
 type PersistentHosts struct {
 	hosts  *KnownHosts
 	writer *HostWriter
 }
 // NewPersistentHosts returns a new persistent set of known hosts that stores
 // known hosts in hosts and writes new hosts to writer.
 func NewPersistentHosts(hosts *KnownHosts, writer *HostWriter) *PersistentHosts {
 	return &PersistentHosts{
 		hosts,
 		writer,
 	}
 }
 // LoadPersistentHosts loads persistent hosts from the file at the given path.
 func LoadPersistentHosts(path string) (*PersistentHosts, error) {
 	hosts := &KnownHosts{}
 	if err := hosts.Load(path); err != nil {
 		return nil, err
 	}
 	writer, err := OpenHostsFile(path)
 	if err != nil {
 		return nil, err
 	}
 	return &PersistentHosts{
 		hosts,
 		writer,
 	}, nil
 }
 // Add adds a host to the list of known hosts.
 // It returns an error if the host could not be persisted.
 func (p *PersistentHosts) Add(h Host) error {
 	err := p.writer.WriteHost(h)
 	if err != nil {
 		return fmt.Errorf("failed to persist host: %w", err)
 	}
 	p.hosts.Add(h)
 	return nil
 }
 // Lookup returns the known host entry corresponding to the given hostname.
 func (p *PersistentHosts) Lookup(hostname string) (Host, bool) {
 	return p.hosts.Lookup(hostname)
 }
 // Entries returns the known host entries sorted by hostname.
 func (p *PersistentHosts) Entries() []Host {
 	return p.hosts.Entries()
 }
 // TOFU implements trust on first use with a persistent set of known hosts.
 //
 // If the host is not on file, it is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (p *PersistentHosts) TOFU(hostname string, cert *x509.Certificate) error {
 	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := p.Lookup(hostname)
 	if !ok {
 		return p.Add(host)
 	}
 	if host.Fingerprint != knownHost.Fingerprint {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
 	return nil
 }
 // Close closes the underlying HostWriter.
 func (p *PersistentHosts) Close() error {
 	return p.writer.Close()
 }
 // Host represents a host entry with a fingerprint using a certain algorithm.
 type Host struct {
 	Hostname    string // hostname
 	Algorithm   string // fingerprint algorithm e.g. sha256
 	Fingerprint string // fingerprint
 }
 // NewHost returns a new host with a SHA256 fingerprint of
 // the provided raw data.
 func NewHost(hostname string, raw []byte) Host {
 	sum := sha256.Sum256(raw)
 	return Host{
 		Hostname:    hostname,
 		Algorithm:   "sha256",
 		Fingerprint: base64.StdEncoding.EncodeToString(sum[:]),
 	}
 }
 // ParseHost parses a host from the provided text.
 func ParseHost(text []byte) (Host, error) {
 	var h Host
 	err := h.UnmarshalText(text)
 	return h, err
 }
 // String returns a string representation of the host.
 func (h Host) String() string {
 	var b strings.Builder
-	for i, f := range sum512 {
+	b.WriteString(h.Hostname)
-		if i > 0 {
+	b.WriteByte(' ')
-			b.WriteByte(':')
+	b.WriteString(h.Algorithm)
-		}
+	b.WriteByte(' ')
-		fmt.Fprintf(&b, "%02X", f)
+	b.WriteString(h.Fingerprint)
-	}
+	return b.String()
-	return Fingerprint{
+}
-		Algorithm: "SHA-512",
+
-		Hex:       b.String(),
+// UnmarshalText unmarshals the host from the provided text.
-		Expires:   expires,
+func (h *Host) UnmarshalText(text []byte) error {
-	}
+	parts := bytes.Split(text, []byte(" "))
 	if len(parts) != 3 {
 		return fmt.Errorf("expected the format 'hostname algorithm fingerprint'")
 	}
 	h.Hostname = string(parts[0])
 	h.Algorithm = string(parts[1])
 	h.Fingerprint = string(parts[2])
 	return nil
 }
--- a/vendor.go
+++ b/vendor.go
@ -1,212 +0,0 @@
 // Hostname verification code from the crypto/x509 package.
 // Modified to allow Common Names in the short term, until new certificates
 // can be issued with SANs.
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package gemini
 import (
 	"crypto/x509"
 	"net"
 	"strings"
 	"unicode/utf8"
 )
 var oidExtensionSubjectAltName = []int{2, 5, 29, 17}
 func hasSANExtension(c *x509.Certificate) bool {
 	for _, e := range c.Extensions {
 		if e.Id.Equal(oidExtensionSubjectAltName) {
 			return true
 		}
 	}
 	return false
 }
 func validHostnamePattern(host string) bool { return validHostname(host, true) }
 func validHostnameInput(host string) bool   { return validHostname(host, false) }
 // validHostname reports whether host is a valid hostname that can be matched or
 // matched against according to RFC 6125 2.2, with some leniency to accommodate
 // legacy values.
 func validHostname(host string, isPattern bool) bool {
 	if !isPattern {
 		host = strings.TrimSuffix(host, ".")
 	}
 	if len(host) == 0 {
 		return false
 	}
 	for i, part := range strings.Split(host, ".") {
 		if part == "" {
 			// Empty label.
 			return false
 		}
 		if isPattern && i == 0 && part == "*" {
 			// Only allow full left-most wildcards, as those are the only ones
 			// we match, and matching literal '*' characters is probably never
 			// the expected behavior.
 			continue
 		}
 		for j, c := range part {
 			if 'a' <= c && c <= 'z' {
 				continue
 			}
 			if '0' <= c && c <= '9' {
 				continue
 			}
 			if 'A' <= c && c <= 'Z' {
 				continue
 			}
 			if c == '-' && j != 0 {
 				continue
 			}
 			if c == '_' {
 				// Not a valid character in hostnames, but commonly
 				// found in deployments outside the WebPKI.
 				continue
 			}
 			return false
 		}
 	}
 	return true
 }
 // commonNameAsHostname reports whether the Common Name field should be
 // considered the hostname that the certificate is valid for. This is a legacy
 // behavior, disabled by default or if the Subject Alt Name extension is present.
 //
 // It applies the strict validHostname check to the Common Name field, so that
 // certificates without SANs can still be validated against CAs with name
 // constraints if there is no risk the CN would be matched as a hostname.
 // See NameConstraintsWithoutSANs and issue 24151.
 func commonNameAsHostname(c *x509.Certificate) bool {
 	return !hasSANExtension(c) && validHostnamePattern(c.Subject.CommonName)
 }
 func matchExactly(hostA, hostB string) bool {
 	if hostA == "" || hostA == "." || hostB == "" || hostB == "." {
 		return false
 	}
 	return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
 }
 func matchHostnames(pattern, host string) bool {
 	pattern = toLowerCaseASCII(pattern)
 	host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
 	if len(pattern) == 0 || len(host) == 0 {
 		return false
 	}
 	patternParts := strings.Split(pattern, ".")
 	hostParts := strings.Split(host, ".")
 	if len(patternParts) != len(hostParts) {
 		return false
 	}
 	for i, patternPart := range patternParts {
 		if i == 0 && patternPart == "*" {
 			continue
 		}
 		if patternPart != hostParts[i] {
 			return false
 		}
 	}
 	return true
 }
 // toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
 // an explicitly ASCII function to avoid any sharp corners resulting from
 // performing Unicode operations on DNS labels.
 func toLowerCaseASCII(in string) string {
 	// If the string is already lower-case then there's nothing to do.
 	isAlreadyLowerCase := true
 	for _, c := range in {
 		if c == utf8.RuneError {
 			// If we get a UTF-8 error then there might be
 			// upper-case ASCII bytes in the invalid sequence.
 			isAlreadyLowerCase = false
 			break
 		}
 		if 'A' <= c && c <= 'Z' {
 			isAlreadyLowerCase = false
 			break
 		}
 	}
 	if isAlreadyLowerCase {
 		return in
 	}
 	out := []byte(in)
 	for i, c := range out {
 		if 'A' <= c && c <= 'Z' {
 			out[i] += 'a' - 'A'
 		}
 	}
 	return string(out)
 }
 // verifyHostname returns nil if c is a valid certificate for the named host.
 // Otherwise it returns an error describing the mismatch.
 //
 // IP addresses can be optionally enclosed in square brackets and are checked
 // against the IPAddresses field. Other names are checked case insensitively
 // against the DNSNames field. If the names are valid hostnames, the certificate
 // fields can have a wildcard as the left-most label.
 //
 // The legacy Common Name field is ignored unless it's a valid hostname, the
 // certificate doesn't have any Subject Alternative Names, and the GODEBUG
 // environment variable is set to "x509ignoreCN=0". Support for Common Name is
 // deprecated will be entirely removed in the future.
 func verifyHostname(c *x509.Certificate, h string) error {
 	// IP addresses may be written in [ ].
 	candidateIP := h
 	if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
 		candidateIP = h[1 : len(h)-1]
 	}
 	if ip := net.ParseIP(candidateIP); ip != nil {
 		// We only match IP addresses against IP SANs.
 		// See RFC 6125, Appendix B.2.
 		for _, candidate := range c.IPAddresses {
 			if ip.Equal(candidate) {
 				return nil
 			}
 		}
 		return x509.HostnameError{c, candidateIP}
 	}
 	names := c.DNSNames
 	if commonNameAsHostname(c) {
 		names = []string{c.Subject.CommonName}
 	}
 	candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
 	validCandidateName := validHostnameInput(candidateName)
 	for _, match := range names {
 		// Ideally, we'd only match valid hostnames according to RFC 6125 like
 		// browsers (more or less) do, but in practice Go is used in a wider
 		// array of contexts and can't even assume DNS resolution. Instead,
 		// always allow perfect matches, and only apply wildcard and trailing
 		// dot processing to valid hostnames.
 		if validCandidateName && validHostnamePattern(match) {
 			if matchHostnames(match, candidateName) {
 				return nil
 			}
 		} else {
 			if matchExactly(match, candidateName) {
 				return nil
 			}
 		}
 	}
 	return x509.HostnameError{c, h}
 }