From: Stefan Eissing
Subject: Re: can we haz backports?
Date: Wed, 17 Jan 2018 11:18:41 +0100
References: <6239F90D-AA3C-4E31-AE71-23CEA81EE4A8@greenbytes.de> <85996BF0-E3A5-4F1D-842E-92E2D034E357@apachelounge.com> <03521A3F-4F6C-41E9-8D76-A2C26B4963DB@greenbytes.de> <1599ACBF-D10D-4BB3-B478-5BD3BE0685FF@greenbytes.de>
To: dev@httpd.apache.org
Message-Id: <7D93FD20-D221-493D-9CD8-4000ADE999DF@greenbytes.de>

> On 17.01.2018 at 10:45, Yann Ylavic wrote:
>
> On Wed, Jan 17, 2018 at 10:30 AM, Stefan Eissing wrote:
>>
>>> On 16.01.2018 at 21:26, William A Rowe Jr wrote:
>>>
>>> Color me very confused, but I can't distinguish a difference between vhost based
>>> Host: header selection in the "http-01" case, and SNI identification in the case of
>>> "tls-sni-01". Am I missing something? Discussion pointers?
>>
>> "http-01" makes a request against the DNS name to be validated. It is
>> usually not (easily) possible to intercept that from the wrong user account.
>>
>> "tls-sni-0[12]" just opens a TLS connection with SNI .acme.invalid
>> Some shared hosters have allowed people to upload a certificate for that. So,
>> you sign up via ACME (from anywhere) for a shared hosted not-my-domain.com
>> where you are also a customer. Wait for the challenge token, create the cert and
>> upload it to the hoster.
>
> I think what is missing is simply "https-01", just like "http-01" but
> on TLS and a self-signed cert (SNI is irrelevant).
> I don't see how it's less (nor more) secure than "http-01", but
> admins that don't want to or can't use port 80 have their way...

Agreed. Maybe they do it that way. But since this security weakness
affects the IETF proposed "tls-sni-02" challenge in the ACMEv2 protocol also, any
fix will first go through the working group there. And then maybe backported
by LE to their ACMEv1 offering or not.
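To make the difference between the two challenges concrete, here is a small Python model of a shared host with two customer accounts behind one IP, validated by a CA with both tls-sni-01 and http-01. This is an editorial example added here; it is not code from the ACME specification, Let's Encrypt, or httpd. TLS and HTTP are modelled as plain method calls, the validation name is assumed to be "<token>.acme.invalid" (the mail's notation, simplified from the real derivation), the key-authorization strings and the account and domain names are constructed, and the strict_upload switch is an assumed hoster-side hardening, not something the thread proposes.

```python
"""Model of the shared-hosting weakness in ACME tls-sni-01, beside http-01.

Constructed example, not code from the ACME spec, Let's Encrypt or httpd.
Assumptions: the tls-sni-01 validation name is "<token>.acme.invalid"
(simplified), key authorizations are placeholder strings, and the host
serves any uploaded certificate whose SAN matches the SNI, regardless of
which account uploaded it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACME_INVALID_SUFFIX = ".acme.invalid"
CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Cert:
    sans: Set[str]


@dataclass
class Customer:
    """One account on the shared host."""
    name: str
    domains: Set[str]                                     # vhosts this account owns
    certs: Dict[str, Cert] = field(default_factory=dict)  # SAN -> uploaded cert
    files: Dict[str, str] = field(default_factory=dict)   # URL path -> body


class SharedHost:
    """Many customers behind one IP: SNI picks the cert, Host: picks the vhost."""

    def __init__(self, strict_upload: bool = False):
        self.customers: Dict[str, Customer] = {}
        # Assumed hardening (not from the thread): only accept a certificate
        # whose SANs are all names the uploading account owns.
        self.strict_upload = strict_upload

    def add_customer(self, name: str, domains: Set[str]) -> Customer:
        c = Customer(name, set(domains))
        self.customers[name] = c
        return c

    def upload_cert(self, customer: Customer, cert: Cert) -> bool:
        if self.strict_upload and not cert.sans <= customer.domains:
            return False
        for san in cert.sans:
            customer.certs[san] = cert
        return True

    def tls_handshake(self, sni: str) -> Optional[Cert]:
        """Serve whichever uploaded cert matches the SNI, from ANY account."""
        for c in self.customers.values():
            if sni in c.certs:
                return c.certs[sni]
        return None

    def http_get(self, host_header: str, path: str) -> Optional[str]:
        """Route by Host: header to the owner of that vhost, then serve the file."""
        for c in self.customers.values():
            if host_header in c.domains:
                return c.files.get(path)
        return None


class CA:
    def __init__(self, dns: Dict[str, SharedHost]):
        self.dns = dns  # domain -> host its A record points at (constructed)

    def validate_tls_sni_01(self, domain: str, token: str) -> bool:
        sni = token + ACME_INVALID_SUFFIX
        cert = self.dns[domain].tls_handshake(sni)
        return cert is not None and sni in cert.sans

    def validate_http_01(self, domain: str, token: str, key_auth: str) -> bool:
        body = self.dns[domain].http_get(domain, CHALLENGE_PATH + token)
        return body == key_auth


def scenario(strict_upload: bool = False) -> Tuple[bool, bool, bool, bool]:
    """An attacker who is a customer of the same host tries to validate the
    victim's domain.  Returns (attacker tls-sni-01, attacker http-01,
    owner tls-sni-01, owner http-01)."""
    host = SharedHost(strict_upload)
    victim = host.add_customer("victim", {"not-my-domain.com"})
    attacker = host.add_customer("attacker", {"attacker.example"})
    ca = CA({"not-my-domain.com": host, "attacker.example": host})

    token, key_auth = "tok123", "tok123.attacker-key-thumbprint"  # constructed
    # tls-sni-01: attacker uploads a self-signed cert for the challenge name
    host.upload_cert(attacker, Cert({token + ACME_INVALID_SUFFIX}))
    attacker_sni = ca.validate_tls_sni_01("not-my-domain.com", token)
    # http-01: attacker can only place the file under its own vhost
    attacker.files[CHALLENGE_PATH + token] = key_auth
    attacker_http = ca.validate_http_01("not-my-domain.com", token, key_auth)

    # The legitimate owner doing the same, for comparison
    token2, key_auth2 = "tok456", "tok456.owner-key-thumbprint"  # constructed
    host.upload_cert(victim, Cert({token2 + ACME_INVALID_SUFFIX}))
    owner_sni = ca.validate_tls_sni_01("not-my-domain.com", token2)
    victim.files[CHALLENGE_PATH + token2] = key_auth2
    owner_http = ca.validate_http_01("not-my-domain.com", token2, key_auth2)
    return attacker_sni, attacker_http, owner_sni, owner_http


if __name__ == "__main__":
    print("permissive host:", scenario())
    print("strict host:    ", scenario(strict_upload=True))
```

With the permissive host the attacker passes tls-sni-01 for the victim's name but fails http-01, since the Host: header routes the CA's request to the victim's vhost. With the assumed strict upload check the attacker fails both, but so does the real owner for tls-sni-01, because ".acme.invalid" is never a name the account owns; that is why the thread looks for a replacement rather than a hoster-side workaround.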