IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

Roland Bracewell Shoemaker <roland@letsencrypt.org> Fri, 12 January 2018 00:49 UTC

Return-Path: <roland@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7146912D7F9 for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 16:49:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FUZZY_CPILL=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3E2CnAyMhvyT for <acme@ietfa.amsl.com>; Thu, 11 Jan 2018 16:49:47 -0800 (PST)
Received: from mail-pf0-x236.google.com (mail-pf0-x236.google.com [IPv6:2607:f8b0:400e:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB8621270AB for <acme@ietf.org>; Thu, 11 Jan 2018 16:49:47 -0800 (PST)
Received: by mail-pf0-x236.google.com with SMTP id y89so3092854pfk.0 for <acme@ietf.org>; Thu, 11 Jan 2018 16:49:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xsHqgQfrMgGwxwOY7Pl/V5eSmAHX5UPvseJen8xMSaY=; b=ObX9r2q75X1vs6wtz7r1jwG53Ks9DIgbRQ6cKkK3s2zf3uAqtorWddQZSQhNGT2tFj 7Tm4M8KLqTdmycLPgXkBGapnzy/gn1544krZlzo4q7iZeO4OiDB3vjdppaUe2IaO1Nyz 5fkCX/wCK+mcQERfQS9jzPjcqOoL/WgsbiOec=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xsHqgQfrMgGwxwOY7Pl/V5eSmAHX5UPvseJen8xMSaY=; b=Qhf0s8DH4AD2u/AANxWNphSJ+bm6sUTa8JmfuEJKnzFmWsVMAjuKx5uKpKD+UjcYYI 5uBy+Br76EE0TpPynPlgl1PH1LwOZxv1oFudVBszkD7HJyfsJENvdlwjtY7ziy5VKMmE IzwUafHp0I4p7MdPlxdj1ZJqfkUFMoqaM1AEnn4QLOteBFL5DjV/K6t3Drz3M4SPy8XA c3DVVgFEJ0h3dcKWtOijyXSs7YwRsi5WuOGA3LKw7E3PwZR3TTO8yHwhX9h3yRInnK3h 1byJzRbnIeUO9JHYK6PFOgXDl8NBI6WJJa8VBKrESyroMZpzVSvgAHCzS9oBw2O3fbFv qBAA==
X-Gm-Message-State: AKwxytcoiicoEKwQY2iPf0IbRfEA5oF+g6tlg+evWWDEA4IwQAWE8ruT +8neD1X8uDN7GKp4d6F/94EIsQ==
X-Google-Smtp-Source: ACJfBouF9vpYaCzhzUb/C20+UH7T+hzSpH88HwhEygErPLvD6YLojfLHJ+4OlRulZT8KApUekHjn0A==
X-Received: by 10.101.85.15 with SMTP id f15mr8025860pgr.153.1515718187335; Thu, 11 Jan 2018 16:49:47 -0800 (PST)
Received: from [10.120.0.77] (gw-mb.eff.org. [208.90.213.162]) by smtp.gmail.com with ESMTPSA id e12sm16345747pgq.8.2018.01.11.16.49.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Jan 2018 16:49:46 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Roland Bracewell Shoemaker <roland@letsencrypt.org>
In-Reply-To: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com>
Date: Thu, 11 Jan 2018 16:49:45 -0800
Cc: IETF ACME <acme@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com>
To: Jonathan Rudenberg <jonathan@titanous.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/W-qzFbzUBFf3P5Py9-Y3rE8kEek>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 00:49:50 -0000

This seems like a silver bullet for the problems we’ve been seeing. Given that blindly responding to an unknown ALPN value would be an RFC violation this seems safe (although, hey, who knows what servers/cloud providers actually do). Definitely interested in the results of the scan. There could still be some argument about ‘misuse’ of the SNI extension but unless we have a concrete reason to the host name being validated I’m not sure I’m convinced we should.

Does anyone have any objections/spot any major issues with doing this?

> On Jan 11, 2018, at 2:41 PM, Jonathan Rudenberg <jonathan@titanous.com> wrote:
> 
> As many of you are probably aware, Frans Rosén of Detectify discovered a method of exploiting many shared hosting providers to obtain unauthorized certificates using the ACME TLS-SNI-01/02 challenge types[0]. Let’s Encrypt is in the process of removing support for these challenge types[1].
> 
> Obviously this is not ideal, as the TLS-SNI challenge is useful in a variety of use cases. The good news is that TLS-SNI-02 appears to be fixable.
> 
> In order to get the ball rolling on a fixed version (aka TLS-SNI-03), here’s a straw proposal, based on something originally publicly suggested by Ryan Sleevi[2]:
> 
> Start with the TLS-SNI-02 challenge specification, and add the requirement that the ACME server MUST send an ALPN extension in the ClientHello with a single “acme” protocol name, and the ACME server MUST confirm that the ServerHello also includes an ALPN extension with a single “acme” protocol name.
> 
> The only concern I’ve seen about this is the theoretical possibility that servers might just repeat back the ALPN extension with the same protocol name, which I believe we can remedy by doing a scan of the Alexa Top 1M (or similar) to see if this behavior exists in the wild.
> 
> Jonathan
> 
> [0] https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996
> [1] https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188
> [2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08984.html
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email