IETF Logo Mail Archive

Re: [Acme] Fixing the TLS-SNI challenge type

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 12 January 2018 19:01 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3532F126D0C for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 11:01:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqcsGBHCHVWN for <acme@ietfa.amsl.com>; Fri, 12 Jan 2018 11:01:53 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8B3012D852 for <acme@ietf.org>; Fri, 12 Jan 2018 11:01:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 8EB9FB5343; Fri, 12 Jan 2018 21:01:51 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id oyGCRFPZQ0Lb; Fri, 12 Jan 2018 21:01:51 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 27B1072; Fri, 12 Jan 2018 21:01:48 +0200 (EET)
Date: Fri, 12 Jan 2018 21:01:48 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Roland Bracewell Shoemaker <roland@letsencrypt.org>
Cc: Jonathan Rudenberg <jonathan@titanous.com>, IETF ACME <acme@ietf.org>
Message-ID: <20180112190148.GA32468@LK-Perkele-VII>
References: <FC8545A9-4D43-4BCC-ADB1-40A0F92461E8@titanous.com> <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F2551BE5-0866-4F03-972E-E223E8D60001@letsencrypt.org>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mFi2x2bdNRMvS5QxiT17Do0y2p8>
Subject: Re: [Acme] Fixing the TLS-SNI challenge type
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2018 19:01:56 -0000

On Thu, Jan 11, 2018 at 04:49:45PM -0800, Roland Bracewell Shoemaker wrote:
> This seems like a silver bullet for the problems we’ve been seeing.
> Given that blindly responding to an unknown ALPN value would be an
> RFC violation this seems safe (although, hey, who knows what servers/
> cloud providers actually do). Definitely interested in the results of
> the scan. There could still be some argument about ‘misuse’ of the
> SNI extension but unless we have a concrete reason to the host name
> being validated I’m not sure I’m convinced we should.

Note that method 10 definition seems to require the name to be
validated to appear in the certificate. The name appearing in either
the request or response is also required for validation to be
deputizable (and I regard any non-deputizable validation to not be
proper domain validation; both HTTP-01 and DNS-01 are deputizable).


And I guess the reason why there is no blind echoing of ALPN has more
to do with the horrible breakage rates it would cause (due to HTTP/2).

Also, even if one used the name to be validated in the SNI, there is
still a concern that there is some horribly broken hoster, that:

- Allows claiming arbitrary https name, even if there is existing http
  site there (apparently these exist). And,
- Allows claiming arbitrary ALPN values.

Note that there is no requirement to be able to serve different
certificate for given ALPN, because other ALPNs are not checked, so
those might have the spoofed validation certificate.


AFAICT, these are not common. Most provoders that let one claim
arbitrary names (which would make TLS-SNI vulernable) do not let
one claim name in use for http.

And I suppose provoders that let one claim arbitrary ALPN values
without forwarding the entiere connection are extremely rare
(also, any such setup would need off-band signaling for ALPN, e.g.,
via PROXY/HAPROXY protocol).


With "squatting" for SNI, one obtains weaker security bounds, as
this drops the "even if" condition. So any provoder that is
vulernable to TLS-SNI misissuance and lets one claim arbitrary
ALPNs (and then presumably signals those off-band).



-Ilari

v2.23.0 | Report a Bug | By Email