Re: [Acme] Fixing the TLS-SNI challenge type
Roland Bracewell Shoemaker <roland@letsencrypt.org> Fri, 12 January 2018 03:06 UTC
Return-Path: <roland@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64CC012D7E2 for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 19:06:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FUZZY_CPILL=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QZiwkyRwb4hv for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 19:06:06 -0800 (PST)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F27B126DCA for <acme@ietf.org>; Thu, 11 Jan 2018 19:06:06 -0800 (PST)
Received: by mail-pf0-x230.google.com with SMTP id m26so3373736pfj.11 for <acme@ietf.org>; Thu, 11 Jan 2018 19:06:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=subject:from:to:cc:references:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=CWh41bzD5iaDqZeCoQ3FkuAzWVvg1CzibJoaGPtF8RY=; b=cQKkZCchfYu0JrpQOmWGAi1+Jk6HxW+H7ag8kVgHxEslYulWhXb/J1MV/N9j9GaPnI b3E54IFrm8xRlrUJuysmvdTVtqCwFma08wvINqbEIUH11IFy18DVrtfZ4OiyqmPsTeED UmQtxWdQJpPlc5RRRCwk8kRw17beiZnE/slKw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:references:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=CWh41bzD5iaDqZeCoQ3FkuAzWVvg1CzibJoaGPtF8RY=; b=d4PYdVAMbARijogxqcE9gzQefLEy0sLsFZxIE0IBrD7mkPKTSDAS+SsrUiaiAbu9jz t2MKghm4xmvY5HvwA7UsRPsKW3kYSKL+nhFQlXXZ+3XA7bP935Zfpy47DlQSa9F2ZcXR SKGEa4Yswjd1Xm8elW6NwDhy1UaW1Q65bIkzE6Cpc5XdulAUn/r7rA53cRpCVj6/YTUM O7WVTNIYerPSwjc7C/60QN1CeKFEdEpYSh5hS0xLXLwRwQ9Y5e3CqFP+h31NQiPMds1W Ak+HfS4pdr3wsz21hKy9DLrl42eZX4N04aimhVrN6+cVGIqOuQADLhFWflsrx3BtTyrp NZ/Q==
X-Gm-Message-State: AKGB3mKUhKdIABWQInM7XJbs6ShvjLyqcpsVR0zumoDE9YJB4ECELqUa EjkZBWEzNK4cJJHc9IdaYE8gU4brD00=
X-Google-Smtp-Source: ACJfBoufL6TlaVgiHbMCaBt7SSEOyMZsuaUMdyZJjMlcvaQrt3qTD4g7nQUyWNJT60GUYBoQBfRiZw==
X-Received: by 10.101.64.72 with SMTP id h8mr19320279pgp.65.1515726365105; Thu, 11 Jan 2018 19:06:05 -0800 (PST)
Received: from ?IPv6:2600:1700:b000:9780:644d:c698:ffb2:607f? ([2600:1700:b000:9780:644d:c698:ffb2:607f]) by smtp.gmail.com with ESMTPSA id e26sm39135554pfi.10.2018.01.11.19.06.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Jan 2018 19:06:04 -0800 (PST)
From: Roland Bracewell Shoemaker <roland@letsencrypt.org>
To: Jonathan Rudenberg <jonathan@titanous.com>
Cc: IETF ACME <acme@ietf.org>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
Message-ID: <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org>
Date: Thu, 11 Jan 2018 19:06:02 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Q0iH8kofzhKuG3sg1zNQEZn2Yxk>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 03:06:09 -0000
I'm actually going to roll back my thoughts on the SNI value. Thinking about this more I think it does actually make sense to revert to using the actual host name here. In the initial design of the TLS-SNI challenge the XXX.acme.invalid value was used as a way to allow servers to dynamically serve both regular and validation traffic. Since we would be using ALPN here we no longer need a special SNI value in order to differentiate validation traffic from regular traffic so this token value is no longer needed. If we change that I think we can also remove the need to compute a pair of SAN values for the cert contents. The original purpose of this was to prevent a 'dumb' client from simply constructing a certificate on the fly by sticking the SNI value it received into the SAN and automatically allowing validation of anything that hit it. If we switch to using the host name in the SNI then this is no longer necessary as the token value is no longer present in the request. If we make these changes I think the challenge would be different enough that at that point it should probably be given a completely new name in order to differentiate it from the original TLS-SNI challenges. I'd suggest the incredibly imaginative TLS-ALPN (or tls-alpn-01). On 01/11/2018 04:49 PM, Roland Bracewell Shoemaker wrote: > This seems like a silver bullet for the problems we’ve been seeing. Given that blindly responding to an unknown ALPN value would be an RFC violation this seems safe (although, hey, who knows what servers/cloud providers actually do). Definitely interested in the results of the scan. There could still be some argument about ‘misuse’ of the SNI extension but unless we have a concrete reason to the host name being validated I’m not sure I’m convinced we should. > > Does anyone have any objections/spot any major issues with doing this? > >> On Jan 11, 2018, at 2:41 PM, Jonathan Rudenberg <jonathan@titanous.com> wrote: >> >> As many of you are probably aware, Frans Rosén of Detectify discovered a method of exploiting many shared hosting providers to obtain unauthorized certificates using the ACME TLS-SNI-01/02 challenge types[0]. Let’s Encrypt is in the process of removing support for these challenge types[1]. >> >> Obviously this is not ideal, as the TLS-SNI challenge is useful in a variety of use cases. The good news is that TLS-SNI-02 appears to be fixable. >> >> In order to get the ball rolling on a fixed version (aka TLS-SNI-03), here’s a straw proposal, based on something originally publicly suggested by Ryan Sleevi[2]: >> >> Start with the TLS-SNI-02 challenge specification, and add the requirement that the ACME server MUST send an ALPN extension in the ClientHello with a single “acme” protocol name, and the ACME server MUST confirm that the ServerHello also includes an ALPN extension with a single “acme” protocol name. >> >> The only concern I’ve seen about this is the theoretical possibility that servers might just repeat back the ALPN extension with the same protocol name, which I believe we can remedy by doing a scan of the Alexa Top 1M (or similar) to see if this behavior exists in the wild. >> >> Jonathan >> >> [0] https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996 >> [1] https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 >> [2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08984.html >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >
- [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Peter Eckersley
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Patrick Figel
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Niklas Keller
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Richard Barnes
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Salz, Rich
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek