Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log warning about TLS-SNI deprecation in Certbot #6468

Merged
merged 6 commits into from Nov 5, 2018
Merged

Log warning about TLS-SNI deprecation in Certbot #6468

merged 6 commits into from Nov 5, 2018

Conversation

ohemorange
Copy link
Contributor

Be sure to edit the master section of CHANGELOG.md with a line describing this PR before it gets merged.

For #6319.

@bmw
Copy link
Member

bmw commented Nov 3, 2018
edited

I was initially thinking of something like 20bcb11. We could instead do it in challb_to_achall where it logs each challenge we're doing, but I'm not sure if we want to log it for every challenge rather than just the first occurrence of it.

What do you think? Do you prefer your approach?

EDIT: After logging the message in my example though, I think we'd want to return.

@ohemorange
Copy link
Contributor Author

I really don't think it matters either way.

bmw
bmw requested changes Nov 5, 2018
View reviewed changes
Copy link
Member

@bmw bmw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason I prefer doing things directly in Certbot is it should result in less code and it benefits all plugins. The latter is nice for 3rd party plugins (which perhaps I care too much about) as well as us because it's less error prone (e.g. the manual plugin also supports TLS-SNI-01).

If moved into Certbot directly, I'd also personally like us to stop assuming --preferred-challenges is set because it may not be for third party plugins. If we wanted to add a conditional check about this, the AuthHandler has self.pref_challs or a separate/additional warning about that could be moved directly into the parsing for the flag.

certbot-apache/certbot_apache/configurator.py Outdated
@@ -2276,6 +2276,9 @@ def perform(self, achalls):
http_doer.add_chall(achall, i)
else: # tls-sni-01
sni_doer.add_chall(achall, i)
logger.warning("TLS-SNI-01 is deprecated, and will stop working in February 2019. "
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a strong preference, but I'd personally like us to remove the date here as things like that can change but a released version of Certbot cannot.

@ohemorange
Copy link
Contributor Author

I'm seeing that we do check if pref_challs is set before using it, where are you talking about?

bmw
bmw approved these changes Nov 5, 2018
View reviewed changes
Copy link
Member

@bmw bmw left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

I'm seeing that we do check if pref_challs is set before using it, where are you talking about?

I just meant that if the warning message is in Certbot's core, it probably shouldn't be mentioning --preferred-challenges without first checking that the flag is set because some third party plugins may still be preferring TLS-SNI so their users don't have to set the flag for the challenge to be used.

I think you made the right call here though as adding this check doesn't seem worth the little value it adds.

@bmw bmw merged commit cbdc2ee into master Nov 5, 2018
@bmw bmw deleted the tls-sni-deprecation-warning branch November 5, 2018 23:01
@bmw bmw added this to the 0.28.0 milestone Nov 5, 2018
@adferrand adferrand mentioned this pull request Jan 23, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bmw bmw bmw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.28.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ohemorange @bmw