Re: [Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization

"Matthew D. Hardeman" <mhardeman@ipifony.com> Fri, 12 January 2018 16:36 UTC

From: "Matthew D. Hardeman" <mhardeman@ipifony.com>
In-Reply-To: <2324058.FQg2fvf6N7@thunder.m.i2n>
Date: Fri, 12 Jan 2018 10:36:06 -0600
Cc: acme@ietf.org
Message-Id: <82A5A77C-4ACA-4051-B9E7-952A726096C6@ipifony.com>
References: <1812883.r3FRolLa0t@thunder.m.i2n> <6BFE35AF-898A-4C0E-9780-C9178FF1D381@ipifony.com> <2324058.FQg2fvf6N7@thunder.m.i2n>
To: "Gerd v. Egidy" <gerd.von.egidy@intra2net.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/F559k2woyMnewYDbQ87eyOQxEuA>
Subject: Re: [Acme] Alternative proposal for fixing TLS-SNI / revisiting HTTPS-01 authorization

Yes.

But there are people forwarding that to the other service port, so their application only has one real listener, and then that non-HTTP TLS server still manages to complete the TLS-SNI challenge (via port 443).

> On Jan 12, 2018, at 10:33 AM, Gerd v. Egidy <gerd.von.egidy@intra2net.com> wrote:
> 
>> I did want to say that if an acceptable mechanism is found in this manner,
>> it does help with some but not all in-band TLS validation mechanisms.  It
>> works for web server cases.  It does not fully replace the mechanisms of
>> the TLS-SNI sort because it would not work for other protocols running over
>> TLS (like SMTP/TLS).  The TLS-SNI mechanisms do facilitate that.
> 
> Really? Isn't TLS-SNI-01/-02 just allowed over TCP port 443?
> 
> "This connection MUST be sent to TCP port 443 on the TLS server"
>