httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: can we haz backports?
Date Wed, 17 Jan 2018 10:18:41 GMT


> Am 17.01.2018 um 10:45 schrieb Yann Ylavic <ylavic.dev@gmail.com>:
> 
> On Wed, Jan 17, 2018 at 10:30 AM, Stefan Eissing
> <stefan.eissing@greenbytes.de> wrote:
>> 
>>> Am 16.01.2018 um 21:26 schrieb William A Rowe Jr <wrowe@rowe-clan.net>:
>>> 
>>> Color me very confused, but I can't distinguish a difference between vhost based
>>> Host: header selection in the "http-01" case, and SNI identification
>>> in the case of
>>> "tls-sni-01". Am I missing something? Discussion pointers?
>> 
>> "http-01" makes a request against the dns name to be validated. It is
>> usually not (easily) possible to intercept that from the wrong user account.
>> 
>> "tls-sni-0[12]" just opens a TLS connection with SNI <challenge>.acme.invalid
>> Some shared hosters have allowed people to upload a certificate for that. So,
>> you sign up via ACME (from anywhere) for a shared hosted not-my-domain.com
>> where you are also customer. Wait for the challenge token, create the cert and
>> upload it to the hoster.
> 
> I think what is missing is simply "https-01", just like "http-01" but
> on TLS and a self signed cert (SNI is irrelevant).
> It don't see how it's less (nor more) secure than "http-01", but
> admins that don't want to or can't use port 80 have their way...

Agreed. Maybe they do it that way. But since this security weakness affects
the IETF proposed "tls-sni-02" challenge in the ACMEv2 protocol also, any
fix will first go through the working group there. And then maybe
backported be LE to their ACMEv1 offering or not.
Mime
View raw message