IETF Logo Mail Archive

Re: [Acme] Server on >= 1024 port

Yoav Nir <ynir.ietf@gmail.com> Thu, 26 November 2015 11:20 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 824DE1A02AB for <acme@ietfa.amsl.com>; Thu, 26 Nov 2015 03:20:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_25=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ud6fuCTtxzm0 for <acme@ietfa.amsl.com>; Thu, 26 Nov 2015 03:20:48 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 738CD1A028A for <acme@ietf.org>; Thu, 26 Nov 2015 03:20:48 -0800 (PST)
Received: by wmec201 with SMTP id c201so26478882wme.0 for <acme@ietf.org>; Thu, 26 Nov 2015 03:20:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=BqkxLbcCFZMrFg5LfALmXJQNbUuaM/gPJCIWD2UvItE=; b=REfJDPBVC59weF4KP2+E8yAbllcfKxdS4ngNWdlADEhOx3mP77b+v2xXbzygabd9qr bZ5dQQu/SI/lcpAd4Rxh3V5J3US1L4lVYLM8drMQ/Whq/k9kgfYjOe/HldGRE9qSJyw+ Ji/8xwcDb2qx3fuKtK1Ux0RDnyp6+vQOlcxByLy6xrDT25x8v1081KxqitcNFOcR9LgI 6DMVNGOSPYvMh7O1xGaxnKdfGFhS0voirqqP3XEZHpzFqmCwypL2RQvMz3iTLZFBRZGV /QiW2sPHEELKzMx2SmEO3326BpeKb2P6DCI2Q9FIsBGaFsiH6OpB1Xa7gRnEOAhaGo8o P0UA==
X-Received: by 10.28.142.205 with SMTP id q196mr3293978wmd.42.1448536847103; Thu, 26 Nov 2015 03:20:47 -0800 (PST)
Received: from [172.24.251.173] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id m11sm2245374wma.5.2015.11.26.03.20.45 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Nov 2015 03:20:46 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <m2lh9lko2j.wl%randy@psg.com>
Date: Thu, 26 Nov 2015 13:20:44 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <5D0426D4-683C-46DF-B44C-B3F048536236@gmail.com>
References: <565589E4.2030107@desy.de> <5655EC72.7060300@moparisthebest.com> <CABcZeBOJ6O+P3U1EJoRkKaHaJVVBtLiQwpRp5aNOa+fX-noPjQ@mail.gmail.com> <5655EFCF.9090403@moparisthebest.com> <5655FC50.7000508@zinks.de> <m2lh9lko2j.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/qdvfSasYZFxg-kRe6V22kT2wYs4>
Cc: acme WG <acme@ietf.org>, Roland Zink <roland@zinks.de>
Subject: Re: [Acme] Server on >= 1024 port
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 11:20:49 -0000

> On 26 Nov 2015, at 1:16 PM, Randy Bush <randy@psg.com> wrote:
> 
>> The resolution of a certificate is the domain name, e.g. it is valid for 
>> all services on the machine.
> 
>        X509v3 extensions:
>            X509v3 Key Usage: critical
>                Digital Signature, Key Encipherment
>            X509v3 Extended Key Usage: 
>                TLS Web Server Authentication, TLS Web Client Authentication
>            X509v3 Basic Constraints: critical
>                CA:FALSE
> 
> from a soon very popular ca

The other CAs do the same. Notice how it says “Web server authentication”, not “port 443 server authentication”.  Another thing is that I don’t get why some CAs have the web *client* authentication EKU thrown in there.  Either way, that certificate is just as good for port 5000 (python flask’s default port) as it is for port 443, and vice versa.

Yoav

v2.23.0 | Report a Bug | By Email