httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <>
Subject Re: can we haz backports?
Date Wed, 17 Jan 2018 09:45:13 GMT
On Wed, Jan 17, 2018 at 10:30 AM, Stefan Eissing
<> wrote:
>> Am 16.01.2018 um 21:26 schrieb William A Rowe Jr <>:
>> Color me very confused, but I can't distinguish a difference between vhost based
>> Host: header selection in the "http-01" case, and SNI identification
>> in the case of
>> "tls-sni-01". Am I missing something? Discussion pointers?
> "http-01" makes a request against the dns name to be validated. It is
> usually not (easily) possible to intercept that from the wrong user account.
> "tls-sni-0[12]" just opens a TLS connection with SNI <challenge>.acme.invalid
> Some shared hosters have allowed people to upload a certificate for that. So,
> you sign up via ACME (from anywhere) for a shared hosted
> where you are also customer. Wait for the challenge token, create the cert and
> upload it to the hoster.

I think what is missing is simply "https-01", just like "http-01" but
on TLS and a self signed cert (SNI is irrelevant).
It don't see how it's less (nor more) secure than "http-01", but
admins that don't want to or can't use port 80 have their way...

View raw message