IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

Daniel McCarney <cpu@letsencrypt.org> Fri, 19 January 2018 14:43 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C11AC12D947 for <acme@ietfa.amsl.com>; Fri, 19 Jan 2018 06:43:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQ2pjuvpvlB1 for <acme@ietfa.amsl.com>; Fri, 19 Jan 2018 06:43:57 -0800 (PST)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09AAE12D942 for <acme@ietf.org>; Fri, 19 Jan 2018 06:43:56 -0800 (PST)
Received: by mail-it0-x233.google.com with SMTP id m11so5221670iti.1 for <acme@ietf.org>; Fri, 19 Jan 2018 06:43:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc; bh=6TAMCkAsASkmCRWnOBxPD+9BGI4NewH01C2J8IhX1ws=; b=e0M1MEkDqyJncZkvGijNGZidUgrRzYwbZQTO6pmA2dRLdsGDvpMuvyZrObDVWyOaP+ v5ViyBtj4/ZpdQy3kF3no0tPKsLkbZr1OHLE9jxQL7wQNoOsmnSWbFXywmwPAPZb3qgf IV4x3AJqR+J4CoMUp2JQajZWDqgFzPB4uf8Hg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=6TAMCkAsASkmCRWnOBxPD+9BGI4NewH01C2J8IhX1ws=; b=j30X576GXJvb2kMk0LA0tKXQYGFRZCeMrdCniK9VrMn7Ucr3x9DvRNIrnlqyWETYL3 fX67WN20ujBIWnXlZnCVLnqtmdllzP1LgDBQcNs3v7Le/6O06M2rjvZ1oC/Q7RXFaJ0x SEuGT93ys8/D+h8DsJI42t/gFpxabXRrLW0TmFk+G9LxPwwAZO/NnLnJGg/WmZ/MWdA7 RdbjB12uHQm3v2llF/6qqf7OXc5U+u9E/PPbXaOkmZMGQQQMZ5i4MA9a5g5LQLB5WvcS qk1dB0Na/BsEau3WpNpROoOtEZ+7wxarI/M9g7QdwRVcYHWAC428SNuGVdH8wtUTHzpi N1vw==
X-Gm-Message-State: AKwxytc277U+UTnxq5VgFphxhShk4YiQWgcR7i/M7Co5e9qlfsVw45TT 6DFUCw/mCPHh/ioWUipm7casS9Wx5NxMCF1Sq5CVxg==
X-Google-Smtp-Source: ACJfBosu+/KedL+p2qiExdvZ2WMuV7Nh8eg8d0H0t2tgWGM+woo1j0w9yFdG70UPPYBM0RxWzky5jJknR8GVxX4Ke8k=
X-Received: by 10.36.243.7 with SMTP id t7mr30859864ith.139.1516373036107; Fri, 19 Jan 2018 06:43:56 -0800 (PST)
MIME-Version: 1.0
Reply-To: cpu@letsencrypt.org
Received: by 10.107.8.26 with HTTP; Fri, 19 Jan 2018 06:43:55 -0800 (PST)
In-Reply-To: <0603b570-f790-88a7-5514-b324eff4f087@figel.email>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org> <0603b570-f790-88a7-5514-b324eff4f087@figel.email>
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Fri, 19 Jan 2018 09:43:55 -0500
Message-ID: <CAKnbcLj=eYhm8qRj0B0U5FOu=UMn0wY+5apkJ-aHhhfh+mS-uw@mail.gmail.com>
To: Patrick Figel <patrick@figel.email>
Cc: Roland Bracewell Shoemaker <roland@letsencrypt.org>, Jonathan Rudenberg <jonathan@titanous.com>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fb3c02a1dc00563221cef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3_D9bTuYxGxkkJi8AIH8E1K8LMQ>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2018 14:44:00 -0000

>
> If we use the "real" identifier for SNI, we'd limit that option to web
> servers that natively support the ALPN value for ACME and can route based
> on it.
> Not sure how common this kind of setup is, if it's just a small subset of
> HAProxy deployments it'd probably not have much of an impact.


I agree this approach will limit compatible TLS servers but luckily HAProxy
should be fully compatible.

HAProxy has a "ssl_fc_alpn"[0] layer 5 fetch method that can be referenced
in a "use_backend" directive to route based on the negotiated ALPN from the
handshake. It looks like the feature has been present since HAProxy version
1.5 which hopefully means most HAProxy deployments will have access to it.
As one data-point Ubuntu 16.04 LTS packages HAProxy 1.6.3 and should be
able to build a ALPN-based routing solution similar to what was done for
SNI.

[0] -
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc_alpn


On Fri, Jan 12, 2018 at 10:29 AM, Patrick Figel <patrick@figel.email> wrote:

> On 12.01.18 04:06, Roland Bracewell Shoemaker wrote:
> > I'm actually going to roll back my thoughts on the SNI value. Thinking
> > about this more I think it does actually make sense to revert to using
> > the actual host name here.
> >
> > In the initial design of the TLS-SNI challenge the XXX.acme.invalid
> > value was used as a way to allow servers to dynamically serve both
> > regular and validation traffic. Since we would be using ALPN here we no
> > longer need a special SNI value in order to differentiate validation
> > traffic from regular traffic so this token value is no longer needed.
>
> One minor advantage of keeping the current acme.invalid scheme is that
> it allows people to use SNI-based routing. Web servers like HAProxy
> allow you to proxy requests (on the TCP layer) based on the SNI value,
> so you could match "*.acme.invalid" and forward it to a validation
> server that supports the new challenge and the ALPN ACME protocol, even
> if the web server itself doesn't. If we use the "real" identifier for
> SNI, we'd limit that option to web servers that natively support the
> ALPN value for ACME and can route based on it.
>
> Not sure how common this kind of setup is, if it's just a small subset
> of HAProxy deployments it'd probably not have much of an impact.
>
> Patrick
>
> [1]:
> https://www.cloudoptimizedsmb.com/articles/20160409-00/
> using-haproxy-to-split-letsencrypt-acme-challenges-from-regular-traffic
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email