Re: [Acme] Well Known CA->client poll on port 80/443 in http-acme
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 15 January 2017 14:03 UTC
Date: Sun, 15 Jan 2017 16:03:30 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Dirk-Willem van Gulik <dirkx@webweaving.org>
Message-ID: <20170115140330.GA26429@LK-Perkele-V2.elisa-laajakaista.fi>
References: <9099A621-D460-47B6-9172-0984CF3A0DC8@webweaving.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/h5qKDBmWucjQndjvCoZRozeCh8A>
Cc: acme@ietf.org
On Sun, Jan 15, 2017 at 02:50:37PM +0100, Dirk-Willem van Gulik wrote:
> W.r.t. http-acme — as far as I understand; the current 0.4 draft
> (https://tools.ietf.org/html/draft-ietf-acme-acme-04) has the Well known
> fetch going to port 80:
>
> Section 7.2, page 47
>
> 3. Dereference the URI using an HTTP GET request.
>
> This request MUST be sent to TCP port 80 on the server.
>
> The new draft: (https://letsencrypt.github.io/acme-spec/ also numbered
> '04') in section 7.1 ‘Simple HTTP’, does a 180 degree change on this
> ‘default’: to an httpS default with an option to explicitly move it to
> HTTP with:
>
> "tls": false / false

That's not a new version. It is a pre-WG version, published about 1.5 years ago.

The reason HTTPS support for HTTP authentication was removed was that many webservers handle HTTPS in an odd manner, making the alphabetically first HTTPS vhost the default, which would let one get certificates for vhosts one should not.

Currently in the acme spec, the only ways to do verification without port 80 are TLS-SNI-02 (uses port 443) and DNS-01 (no connections at all, relies on DNS exclusively).

-Ilari
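The default-vhost problem Ilari describes, as an added toy model (not code from the thread or from any ACME implementation): a shared-IP server that routes port 80 by Host header but falls back to the alphabetically first TLS vhost on port 443 when no vhost matches the SNI name. The token, key authorization and host names are constructed; the routing rule is the one the message describes, not any particular web server's.

```python
from dataclasses import dataclass, field

TOKEN = "tok-constructed"                        # constructed challenge token
KEY_AUTHZ = TOKEN + ".thumbprint-constructed"    # constructed key authorization

@dataclass
class VHost:
    name: str
    tls: bool                                        # configured on port 443?
    challenges: dict = field(default_factory=dict)   # token -> key authorization

def route(vhosts, port, requested_name):
    """Model of a server's virtual-host selection.
    Port 80 routes on the Host header among all vhosts. Port 443 can only
    route among vhosts that have TLS configured; if none matches the SNI
    name, the server falls back to the alphabetically first TLS vhost."""
    candidates = [v for v in vhosts if port == 80 or v.tls]
    for v in candidates:
        if v.name == requested_name:
            return v
    candidates.sort(key=lambda v: v.name)
    return candidates[0] if candidates else None

def ca_validate(vhosts, domain, token, expected, port):
    """CA side of the HTTP challenge: fetch /.well-known/acme-challenge/<token>
    for `domain` on `port` and compare the body with the key authorization."""
    v = route(vhosts, port, domain)
    body = v.challenges.get(token) if v else None
    return body == expected

def scenario():
    """Shared-IP host: 'aaa.example' has TLS and holds a challenge for a
    certificate request it made for 'victim.example'; victim.example itself
    is served over plain HTTP only and has set up no challenge."""
    vhosts = [
        VHost("victim.example", tls=False),
        VHost("aaa.example", tls=True, challenges={TOKEN: KEY_AUTHZ}),
    ]
    return {
        # port 443: SNI victim.example matches no TLS vhost -> default answers
        "https_443": ca_validate(vhosts, "victim.example", TOKEN, KEY_AUTHZ, 443),
        # port 80 (draft-04 MUST): Host header reaches victim.example itself
        "http_80": ca_validate(vhosts, "victim.example", TOKEN, KEY_AUTHZ, 80),
    }

if __name__ == "__main__":
    print(scenario())   # {'https_443': True, 'http_80': False}
```

The port-443 check passes for a hostname whose owner never placed a challenge, which is exactly why the WG draft pins the fetch to port 80 and offers TLS-SNI-02 or DNS-01 when port 80 is unavailable.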