Re: [Acme] Fixing the TLS-SNI challenge type
Patrick Figel <patrick@figel.email> Fri, 12 January 2018 15:29 UTC
Return-Path: <patrick@figel.email>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E5A12E854 for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 07:29:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=figel.email
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jJXeLBAt2Era for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 07:29:15 -0800 (PST)
Received: from mail-wr0-x22d.google.com (mail-wr0-x22d.google.com [IPv6:2a00:1450:400c:c0c::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCC45127775 for <acme@ietf.org>; Fri, 12 Jan 2018 07:29:14 -0800 (PST)
Received: by mail-wr0-x22d.google.com with SMTP id w50so5600536wrc.11 for <acme@ietf.org>; Fri, 12 Jan 2018 07:29:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=figel.email; s=google; h=subject:to:cc:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=dFCa2wPHa0b7YwluaFoPVAC/qkskahmUoVyeczzxBk8=; b=czuaJDl1peEtismzIR2BuN1gwrvb+Rxk6XNu8wWSQ5YXrwtrf5D8b0wX5AB+sWxltb nC8Tj958P48Wj3V7d+KjzsgSdjKM0BDDmsz5NenmfO1h7a9Hpwv8wrTNIM3cgQsdfwQ/ d8CpLHBbmpYE1oDZcMdXmrkXtiKPFPMKTxhK7SV3HzhXVCC3je4T9v8JWpDhrHC3sof3 UFsdjI9uSGVPRteD/a2Lcuodnhf3TxWBYLuGmh7GaHNY8hcrcoqrJjTvvfprJxXqe1eU 998rUIUb+9g0tM/xYe5wjYt2d+R24BPv7BDeFKPvjhN0Yor4DkkqsGx4gy1iR9TnoRGk r4oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=dFCa2wPHa0b7YwluaFoPVAC/qkskahmUoVyeczzxBk8=; b=aDuQpz5Z5BC6AHjBHuzSgEcoo8I9xJh6D+jpPALprSKkvzbSgq+A7DYY04UH8mBBOC DjE/DhlcN4laBmU4UmYphdziQ9KsIoAZmxwBJRLaIGd80QgrFWzYYwSZwmNmyocjJNG+ 3HI8AMDjgXbLhXDxjA5dS9FovZ1AWNsiNBB3P4Jh4G06fVlDhCD+BCt+ZKUdSGdGISXN X0httLVav64LMyD6amXzBU9hlp10ko7fKpkrrYBGT+XNN3yI/YtD+r2HOERkFwfx0F6I u+N4RKpLW+0eQEzOF1dU0xMpVmk47fC3Xh2ed6TfnzhbZRconE0fXzNOwUHjJ9ha5lM4 uLHA==
X-Gm-Message-State: AKwxytdFCYGL55LpWAZy2EamW70haFrl3e2eLufIII+5gWJ0PtfYBXCw lIqgbVOGcJyROJjF5iwiHImgzh4HIdM=
X-Google-Smtp-Source: ACJfBos48Yl92jISfUfFvijtFMKe0Zo2q/88aUfWJhT9fxI2bf4lb+TCEItBtKOcicesdGZ51bckAA==
X-Received: by 10.223.136.218 with SMTP id g26mr5601361wrg.184.1515770953098; Fri, 12 Jan 2018 07:29:13 -0800 (PST)
Received: from Patricks-MacBook-Pro.local (213-47-56-124.cable.dynamic.surfer.at. [213.47.56.124]) by smtp.gmail.com with ESMTPSA id s20sm3031733wma.45.2018.01.12.07.29.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Jan 2018 07:29:11 -0800 (PST)
To: Roland Bracewell Shoemaker <roland@letsencrypt.org>, Jonathan Rudenberg <jonathan@titanous.com>
Cc: IETF ACME <acme@ietf.org>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org>
From: Patrick Figel <patrick@figel.email>
Openpgp: preference=signencrypt
Message-ID: <0603b570-f790-88a7-5514-b324eff4f087@figel.email>
Date: Fri, 12 Jan 2018 16:29:10 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Thunderbird/58.0
MIME-Version: 1.0
In-Reply-To: <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HyCEXvsYcS73a5QzhJ0hngxbnZA>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 15:29:17 -0000
On 12.01.18 04:06, Roland Bracewell Shoemaker wrote: > I'm actually going to roll back my thoughts on the SNI value. Thinking > about this more I think it does actually make sense to revert to using > the actual host name here. > > In the initial design of the TLS-SNI challenge the XXX.acme.invalid > value was used as a way to allow servers to dynamically serve both > regular and validation traffic. Since we would be using ALPN here we no > longer need a special SNI value in order to differentiate validation > traffic from regular traffic so this token value is no longer needed. One minor advantage of keeping the current acme.invalid scheme is that it allows people to use SNI-based routing. Web servers like HAProxy allow you to proxy requests (on the TCP layer) based on the SNI value, so you could match "*.acme.invalid" and forward it to a validation server that supports the new challenge and the ALPN ACME protocol, even if the web server itself doesn't. If we use the "real" identifier for SNI, we'd limit that option to web servers that natively support the ALPN value for ACME and can route based on it. Not sure how common this kind of setup is, if it's just a small subset of HAProxy deployments it'd probably not have much of an impact. Patrick [1]: https://www.cloudoptimizedsmb.com/articles/20160409-00/using-haproxy-to-split-letsencrypt-acme-challenges-from-regular-traffic
- [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Peter Eckersley
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Patrick Figel
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Niklas Keller
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Richard Barnes
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Salz, Rich
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek