IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

Niklas Keller <me@kelunik.com> Sat, 13 January 2018 08:54 UTC

Return-Path: <me@kelunik.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA4831270AB for <acme@ietfa.amsl.com>; Sat, 13 Jan 2018 00:54:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kelunik.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hwnNv3eHJ7O for <acme@ietfa.amsl.com>; Sat, 13 Jan 2018 00:54:01 -0800 (PST)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D558E124239 for <acme@ietf.org>; Sat, 13 Jan 2018 00:54:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1515833637; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:References: In-Reply-To:X-RZG-CLASS-ID:X-RZG-AUTH; bh=xr3qiyTQzJ2R5r3iJSR0bD52b0kbGr/zMhnDi0tFg2g=; b=Y7tayv+X2doH+fEcg0Bp7vq+2yBcXsZO1tk5fDC9V2yBWGePNRHqT3/gC8cdzey4r9 ITz8iV8cM1jlzLHa2QMrIlELPruMBHbLGdMfXZwautoIW+wxOQbm4+111sQDyoVfYxw8 lk+blhWyGkuDad1EfpNjkJ263pQP99JT/97QI=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mlsGbEv0XHBzMIJSS+jKTzde5mDb8AaBUcZiAtcA==
X-RZG-CLASS-ID: mo00
Received: by mail-yb0-f171.google.com with SMTP id i12so2257829ybj.7 for <acme@ietf.org>; Sat, 13 Jan 2018 00:53:56 -0800 (PST)
X-Gm-Message-State: AKGB3mKEskNckTVhFqjkRbiDce+8YzwjbtMn1U0B9JaGSlj/fYerTnbK zQP8zs3i/7O6Psg9aLz64vqtDyy/6F44CYJrAX0=
X-Google-Smtp-Source: ACJfBosw7/JsoBNubIYVo4y9BvM61Dkad1iUwuXPFK33yqnYhPH0cc4HyZUoycSuRawP3ABa+lamSRl3L5xw7qTRiUI=
X-Received: by 10.37.185.65 with SMTP id s1mr26258959ybm.377.1515833636258; Sat, 13 Jan 2018 00:53:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.188.205 with HTTP; Sat, 13 Jan 2018 00:53:55 -0800 (PST)
In-Reply-To: <20180112190148.GA32468@LK-Perkele-VII>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <20180112190148.GA32468@LK-Perkele-VII>
From: Niklas Keller <me@kelunik.com>
Date: Sat, 13 Jan 2018 09:53:55 +0100
X-Gmail-Original-Message-ID: <CANUQDCiWDxdF8SBLCbB_uM7Y0JXA-9cN4bWs3pM-rfLxPHCkKQ@mail.gmail.com>
Message-ID: <CANUQDCiWDxdF8SBLCbB_uM7Y0JXA-9cN4bWs3pM-rfLxPHCkKQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Roland Bracewell Shoemaker <roland@letsencrypt.org>, Jonathan Rudenberg <jonathan@titanous.com>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="089e0826ffdc6d888c0562a48598"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3HF9NL9RC4mqZ1GA-Kvd7T-MTAg>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jan 2018 08:54:04 -0000

I'm not sure, but I guess a certificate / key selection based on the ALPN
value needs integrated support in webservers then. Currently these can be
configured with a simple additional virtual host. I'm pretty sure
application servers written in PHP wouldn't be able to do that currently.
They're probably pretty rare compared to a traditional PHP deployment, but
other languages might be similarly affected.

How about extending the HTTP challenge instead? Validation via HTTP+TLS on
port 443 has been disabled due to shared hosting, which might be configured
correctly on port 80, but choose the first virtual host in case of port
443, given not all hosts have a TLS configuration. If we mandate that port
80 must be tried first and result in connection refused / TCP connect
timeout (might be unbound port or DROP / REJECT in a firewall, an HTTP
timeout doesn't count) before validating via port 443, couldn't that work?
I think TLS-SNI mainly makes sense where port 80 is closed and not required
for redirects anyway, e.g. APIs like api.github.com.

Regards, Niklas

v2.23.0 | Report a Bug | By Email