Revert "Implement TLS-ALPN-01 challenge and standalone TLS-ALPN server (#5894)" #6100
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ohemorange
approved these changes
Jun 13, 2018
felixfontein
added a commit
to felixfontein/ansible-acme-test
that referenced
this pull request
Jun 30, 2018
References: - ansible/ansible#41435 - https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01 I copied (and modified) code from Certbot's ACME library (https://github.com/certbot/certbot/tree/master/acme) since it is about to be removed (see certbot/certbot#6100 and certbot/certbot#6144). The code for this is separated into acme_tlsalpn.py and comes with its own license (Apache v2).
bmw
pushed a commit
that referenced
this pull request
Mar 12, 2020
This PR is the first part of work described in #6724. It reintroduces the tls-alpn-01 challenge in `acme` module, that was introduced by #5894 and reverted by #6100. The reason it was removed in the past is because some tests showed that with `1.0.2` branch of OpenSSL, the self-signed certificate containing the authorization key is sent to the requester even if the ALPN protocol `acme-tls/1` was not declared as supported by the requester during the TLS handshake. However recent discussions lead to the conclusion that this behavior was not a security issue, because first it is coherent with the behavior with servers that do not support ALPN at all, and second it cannot make a tls-alpn-01 challenge be validated in this kind of corner case. On top of the original modifications given by #5894, I merged the code to be up-to-date with our `master`, and fixed tests to match recent evolution about not displaying the `keyAuthorization` in the deserialized JSON form of an ACME challenge. I also move the logic to verify if ALPN is available on the current system, and so that the tls-alpn-01 challenge can be used, to a dedicated static function `is_available` in `acme.challenge.TLSALPN01`. This function is used in the related tests to skip them, and will be used in the future from Certbot plugins to trigger or not the logic related to tls-alpn-01, depending on the OpenSSL version available to Python. * Reimplement TLS-ALPN-01 challenge and standalone TLS-ALPN server from #5894. * Setup a class method to check if tls-alpn-01 is supported. * Add potential missing parameter in validation for tls-alpn * Improve comments * Make a class private * Handle old versions of openssl that do not terminate the handshake when they should do. * Add changelog * Explicitly close the TLS connection by the book. * Remove unused exception * Fix lint
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This reverts commit 15f1405.
This was a clean revert with no conflicts.
The reason we're reverting this is in some versions of openssl, we're hitting issues where the challenge cert is used even if the CA requests the wrong protocol through ALPN. This is on top of the issues we were already aware of with using the challenge cert if ALPN isn't used. Since we can't provide a correct implementation and its only purpose is to help boulder with their testing, let's rip it out and have boulder implement the code for their tests.