IETF Logo Mail Archive

[Acme] Well Known CA->client poll on port 80/443 in http-acme

Dirk-Willem van Gulik <dirkx@webweaving.org> Sun, 15 January 2017 13:51 UTC

Return-Path: <dirkx@webweaving.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCF74129553 for <acme@ietfa.amsl.com>; Sun, 15 Jan 2017 05:51:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Level:
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2IYckLErb-W for <acme@ietfa.amsl.com>; Sun, 15 Jan 2017 05:51:56 -0800 (PST)
Received: from weser.webweaving.org (weser.webweaving.org [148.251.234.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A1A129432 for <acme@ietf.org>; Sun, 15 Jan 2017 05:51:55 -0800 (PST)
Received: from beeb.leiden.webweaving.org (5ED29A06.cm-7-3c.dynamic.ziggo.nl [94.210.154.6]) (authenticated bits=0) by weser.webweaving.org (8.15.2/8.15.2) with ESMTPSA id v0FDocHp043905 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <acme@ietf.org>; Sun, 15 Jan 2017 14:50:38 +0100 (CET) (envelope-from dirkx@webweaving.org)
X-Authentication-Warning: weser.webweaving.org: Host 5ED29A06.cm-7-3c.dynamic.ziggo.nl [94.210.154.6] claimed to be beeb.leiden.webweaving.org
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Message-Id: <9099A621-D460-47B6-9172-0984CF3A0DC8@webweaving.org>
Date: Sun, 15 Jan 2017 14:50:37 +0100
To: acme@ietf.org
X-Mailer: Apple Mail (2.3259)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (weser.webweaving.org [148.251.234.232]); Sun, 15 Jan 2017 14:50:38 +0100 (CET)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/n4R3XGZVg3XevFanbRne7vwhqcM>
Subject: [Acme] Well Known CA->client poll on port 80/443 in http-acme
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2017 13:51:58 -0000

W.r.t. http-acme — as far as I understand; the current 0.4 draft (https://tools.ietf.org/html/draft-ietf-acme-acme-04) has the Well known fetch going to port 80:

	Section	7.2, page 47

	   3.  Dereference the URI using an HTTP GET request.  

		This request MUST be sent to TCP port 80 on the server.

The new draft: (https://letsencrypt.github.io/acme-spec/ also numbered ‘’04”) in section 7.1 ‘Simple HTTP’, does a 180 degree change on this ‘default’: to an httpS default with an option to explicitly move it to HTTP with:

	  "tls": false / false

With the explanation that:

	If this attribute is present and set to “false”, the server will perform its validation check over unencrypted HTTP (on port 80) rather than over HTTPS. Otherwise the check will be done over HTTPS, on port 443.

without the clarity of a MUST. And it then continues 3 paragraphs down with solving* the bootstrap issue by

	If using HTTPS, the ACME server MUST ignore the certificate provided by the HTTPS server.

I am currently puzzling over an implementation that makes it as easy as possible to bring up an HTTPS webserver if you do ‘nothing’ but flag the VirtualHost config with something like 'letsencrypt on’ - and then defers to sane ‘SSLLabs A+’ level SSl defaults.

What I’d like to understand is

-	What is the value of doing the exchange over HTTPS (as this is made the default as opposed to the current 80) when one does not check the certificate nor retains the ACME Servers its view of that cert in the further exchange (or uses the RSA key of the challenge to self sign) ?

-	Would there be any good reason to not allow the specification of a port number ?

The reason for the first question is that keeping the process simple is desirable from an implementers point of view - as you want it relatively robust because some of the backend server config processes need to hark back to pre-chroot and pre-fork/pre-setuid() as to get secure persistence of state and (private) keys (which you want be a social-internet citizen that does not willy nilly overload the lets encrypt infra every startup).

The reason for the latter question is that it 1) allows for non-root > 1024 settings and 2)  may be more ‘robust’ to allow the server to open a relatively random high ephemeral port for a short time during startup that does not give a false sense of having the actual virtual host yet up; or a HTTPS only virtualhost shortly seeming to be misconfigured and appearing on port 80.

Thanks,

Dw.

* Well not ‘solving’ it - as the cert seen by the ACME server or the session key negotiated are not mixed into the response as to allow the Client to verify that there was no MITM during this exchange — as this is sort of deferred to later - when you find out that the cert signed is not one you have a private key for. Or by for exampling insisting that this certificate that is ‘ignored’ is in fact one self-signed by the same RSA key used in the token dance (which would be probably easiest for implementors if HTTPS was a strong default/guidance/best-practice).

v2.23.0 | Report a Bug | By Email