Re: [Acme] Fixing the TLS-SNI challenge type

Jonathan Rudenberg <jonathan@titanous.com> Fri, 12 January 2018 01:04 UTC

From: Jonathan Rudenberg <jonathan@titanous.com>
In-Reply-To: <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
Date: Thu, 11 Jan 2018 20:04:38 -0500
Cc: IETF ACME <acme@ietf.org>
Message-Id: <C8D887C8-BE46-415A-BAEE-7D8B6429F070@titanous.com>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
To: Roland Bracewell Shoemaker <roland@letsencrypt.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7UhM2XmzqR2bI-PLH4uCw3zbCVU>

> On Jan 11, 2018, at 19:49, Roland Bracewell Shoemaker <roland@letsencrypt.org> wrote:
> 
> This seems like a silver bullet for the problems we’ve been seeing. Given that blindly responding to an unknown ALPN value would be an RFC violation this seems safe (although, hey, who knows what servers/cloud providers actually do). Definitely interested in the results of the scan.

I’ve completed[0] a scan of the Alexa Top 1M list, and no servers repeated back the unknown ALPN protocol of “acme” that I used[1].

I also opened a PR that adds this change to the spec: https://github.com/ietf-wg-acme/acme/pull/389

Jonathan

[0] https://storage.googleapis.com/titanous-acme/alpn_scan.csv.gz
[1] https://gist.github.com/titanous/8daa24ed3375f3c690950e8a97c7527d
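The check the scan above performs, written out as an added example that is not part of the original post or of the author's published scan code: offer only an unknown ALPN value ("acme") in the ClientHello and see whether the server selects it, then tally results. The CSV layout and host names are constructed for illustration, not the format of the linked alpn_scan.csv.

```python
import csv
import io
import socket
import ssl
from typing import Optional

# Unknown ALPN value used as the probe, as in the scan described in the thread.
PROBE_ALPN = "acme"


def probe_alpn(host: str, port: int = 443, offered: str = PROBE_ALPN,
               timeout: float = 5.0) -> Optional[str]:
    """Offer only `offered` via ALPN and return what the server selected
    (None when the server negotiates no application protocol)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # only ALPN behaviour matters here, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([offered])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def classify(offered: str, selected: Optional[str]) -> str:
    """RFC 7301: a server must pick from the client's list or negotiate nothing.
    Echoing an unknown protocol back is the behaviour the scan looked for."""
    if selected is None:
        return "no-alpn"           # compliant: unknown protocol not negotiated
    if selected == offered:
        return "echoed-unknown"    # server claims a protocol it cannot know
    # A strict client library (e.g. OpenSSL) usually aborts the handshake
    # instead of returning a protocol the client never offered.
    return "unexpected"


def summarize(csv_text: str, offered: str = PROBE_ALPN) -> dict:
    """Count scan rows by classification; an empty selected_alpn means None."""
    counts = {"no-alpn": 0, "echoed-unknown": 0, "unexpected": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[classify(offered, row["selected_alpn"] or None)] += 1
    return counts


# Constructed sample results (hypothetical hosts, not the published scan data).
SAMPLE_CSV = """host,selected_alpn
example-a.test,
example-b.test,
example-c.test,acme
example-d.test,http/1.1
"""
```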