Re: [Acme] Fixing the TLS-SNI challenge type
Niklas Keller <me@kelunik.com> Sat, 13 January 2018 08:54 UTC
Return-Path: <me@kelunik.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA4831270AB for <acme@ietfa.amsl.com>; Sat, 13 Jan 2018 00:54:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kelunik.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hwnNv3eHJ7O for <acme@ietfa.amsl.com>; Sat, 13 Jan 2018 00:54:01 -0800 (PST)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D558E124239 for <acme@ietf.org>; Sat, 13 Jan 2018 00:54:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1515833637; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:References: In-Reply-To:X-RZG-CLASS-ID:X-RZG-AUTH; bh=xr3qiyTQzJ2R5r3iJSR0bD52b0kbGr/zMhnDi0tFg2g=; b=Y7tayv+X2doH+fEcg0Bp7vq+2yBcXsZO1tk5fDC9V2yBWGePNRHqT3/gC8cdzey4r9 ITz8iV8cM1jlzLHa2QMrIlELPruMBHbLGdMfXZwautoIW+wxOQbm4+111sQDyoVfYxw8 lk+blhWyGkuDad1EfpNjkJ263pQP99JT/97QI=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mlsGbEv0XHBzMIJSS+jKTzde5mDb8AaBUcZiAtcA==
X-RZG-CLASS-ID: mo00
Received: by mail-yb0-f171.google.com with SMTP id i12so2257829ybj.7 for <acme@ietf.org>; Sat, 13 Jan 2018 00:53:56 -0800 (PST)
X-Gm-Message-State: AKGB3mKEskNckTVhFqjkRbiDce+8YzwjbtMn1U0B9JaGSlj/fYerTnbK zQP8zs3i/7O6Psg9aLz64vqtDyy/6F44CYJrAX0=
X-Google-Smtp-Source: ACJfBosw7/JsoBNubIYVo4y9BvM61Dkad1iUwuXPFK33yqnYhPH0cc4HyZUoycSuRawP3ABa+lamSRl3L5xw7qTRiUI=
X-Received: by 10.37.185.65 with SMTP id s1mr26258959ybm.377.1515833636258; Sat, 13 Jan 2018 00:53:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.188.205 with HTTP; Sat, 13 Jan 2018 00:53:55 -0800 (PST)
In-Reply-To: <20180112190148.GA32468@LK-Perkele-VII>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <20180112190148.GA32468@LK-Perkele-VII>
From: Niklas Keller <me@kelunik.com>
Date: Sat, 13 Jan 2018 09:53:55 +0100
X-Gmail-Original-Message-ID: <CANUQDCiWDxdF8SBLCbB_uM7Y0JXA-9cN4bWs3pM-rfLxPHCkKQ@mail.gmail.com>
Message-ID: <CANUQDCiWDxdF8SBLCbB_uM7Y0JXA-9cN4bWs3pM-rfLxPHCkKQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Roland Bracewell Shoemaker <roland@letsencrypt.org>, Jonathan Rudenberg <jonathan@titanous.com>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="089e0826ffdc6d888c0562a48598"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3HF9NL9RC4mqZ1GA-Kvd7T-MTAg>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jan 2018 08:54:04 -0000
I'm not sure, but I guess a certificate / key selection based on the ALPN value needs integrated support in webservers then. Currently these can be configured with a simple additional virtual host. I'm pretty sure application servers written in PHP wouldn't be able to do that currently. They're probably pretty rare compared to a traditional PHP deployment, but other languages might be similarly affected. How about extending the HTTP challenge instead? Validation via HTTP+TLS on port 443 has been disabled due to shared hosting, which might be configured correctly on port 80, but choose the first virtual host in case of port 443, given not all hosts have a TLS configuration. If we mandate that port 80 must be tried first and result in connection refused / TCP connect timeout (might be unbound port or DROP / REJECT in a firewall, an HTTP timeout doesn't count) before validating via port 443, couldn't that work? I think TLS-SNI mainly makes sense where port 80 is closed and not required for redirects anyway, e.g. APIs like api.github.com. Regards, Niklas
- [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Peter Eckersley
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Patrick Figel
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Niklas Keller
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Richard Barnes
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Salz, Rich
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek