Re: [Acme] Fixing the TLS-SNI challenge type
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 19 January 2018 15:38 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E23B812D962 for <acme@ietfa.amsl.com>; Fri, 19 Jan 2018 07:38:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0wURK3sx8hK5 for <acme@ietfa.amsl.com>; Fri, 19 Jan 2018 07:38:46 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1DF412D967 for <acme@ietf.org>; Fri, 19 Jan 2018 07:38:40 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 9F5D420F66; Fri, 19 Jan 2018 17:38:38 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id V3qoGETxB-yV; Fri, 19 Jan 2018 17:38:38 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 1A52E79; Fri, 19 Jan 2018 17:38:33 +0200 (EET)
Date: Fri, 19 Jan 2018 17:38:32 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Daniel McCarney <cpu@letsencrypt.org>
Cc: Patrick Figel <patrick@figel.email>, Jonathan Rudenberg <jonathan@titanous.com>, IETF ACME <acme@ietf.org>, Roland Bracewell Shoemaker <roland@letsencrypt.org>
Message-ID: <20180119153832.GA28022@LK-Perkele-VII>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org> <a506c023-ff44-7f14-71b1-94e4e810cd12@letsencrypt.org> <0603b570-f790-88a7-5514-b324eff4f087@figel.email> <CAKnbcLj=eYhm8qRj0B0U5FOu=UMn0wY+5apkJ-aHhhfh+mS-uw@mail.gmail.com> <CAKnbcLj+UaUbu=EDbPU8UWwm9hUefXBKmtS=ZwSy7_2zCA=pmg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAKnbcLj+UaUbu=EDbPU8UWwm9hUefXBKmtS=ZwSy7_2zCA=pmg@mail.gmail.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/b95lX_bcJvHDSeSN0Z-d4n7Ewwc>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2018 15:38:49 -0000
On Fri, Jan 19, 2018 at 09:51:33AM -0500, Daniel McCarney wrote: > > > > I agree this approach will limit compatible TLS servers but luckily > > HAProxy should be fully compatible. > > > Alas, there's nothing like hitting send on a message to a mailing list to > make you think a little bit harder. > > I overlooked the fact that it doesn't seem possible to select the > certificate based on the ALPN, just the backend. That's not really the > primary difficulty at hand. I suspect matching the request to the `bind` > with the correct alpn is still going to be problematic if the server needs > to respond to requests for the real identifier with both a certificate and > a challenge response certificate. > > I would be happy to be corrected :-) Basically, for security, one needs to put the domain to be validated to the SNI field. Not doing that was the reason for the TLS-SNI-01/02 vulernability. AFAICT, the hard constraints are: - No taking site offline when validating. - The validation certificates are not publically trusted. - SNI needs to be set to the domain being validated. - Compliant with reasonably strict reading of "10 methods" (which essentially impiles the third point and using certificate to transmit data). (I do not consider compatiblity with present software a hard requirment). Few ways that come to mind: - Have "acme" ALPN and send validation certificate for that. - Have some new TLS extension and send validation certificate for that. - Have "acme" ALPN, establish data link and exchange an exported authenticator request/response over it (response carries an X.509 certificate). One also wants as good assurance as possible that the entity terminating the TLS link approves the certificate. This entity may be the applicatnt themselves (e.g., applicant's VPS with direct IP- layer connectivity, or with SNI-level routing of unterminated TLS connections), or it might not be (shared hosting). The first and second method are much better there than the third (any provoder that lets users claim ALPN protocols runs into trouble). And of the first two, the second would be slightly more safe, but probably not enough for it to be worth trouble. However, one should keep in mind that if hosting provoder allows claiming https hosts regardless of http ones (some provoders have problems of this sort[1]), they would probably also approve the certificate requests for the owner of the https host. [1] The Detectify article started with one unnamed such provoder I think it would have been easy to find a CA that would have validated the domain as-is, and it was only due to author's fixation at using LE that the TLS-SNI issue was discovered. -Ilari
- [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Roland Bracewell Shoemaker
- Re: [Acme] Fixing the TLS-SNI challenge type Peter Eckersley
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Martin Thomson
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Jonathan Rudenberg
- Re: [Acme] Fixing the TLS-SNI challenge type Patrick Figel
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Matthew D. Hardeman
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Niklas Keller
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Daniel McCarney
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Richard Barnes
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek
- Re: [Acme] Fixing the TLS-SNI challenge type Ilari Liusvaara
- Re: [Acme] Fixing the TLS-SNI challenge type Salz, Rich
- Re: [Acme] Fixing the TLS-SNI challenge type Tim Hollebeek