
Implement TLS-ALPN challenge method #136

Open

mithrandi opened this issue Jul 13, 2018 · 7 comments

Comments

@mithrandi
Contributor

The endpoint should be switched to use this method, too.

@mithrandi
Contributor Author

This is available in LE production: https://community.letsencrypt.org/t/tls-alpn-validation-method/63814

@glyph
Member

glyph commented Aug 17, 2018

🙌


@dholth

dholth commented Mar 20, 2019

What if this was converted to twisted? Then certificate requests could be delegated to dehydrated (a letsencrypt client written in bash). I don't know how to convert this to twisted or add listeners for certain next-protocols. https://github.com/lukas2511/dehydrated/blob/master/docs/tls-alpn.md#example-responder

@dholth

dholth commented Mar 21, 2019

Looks pretty straightforward to me. The magic word is acceptableProtocols. Here's where h2 support is added. https://github.com/twisted/twisted/blob/trunk/src/twisted/web/server.py#L856

Here's where the next protocol speaks https://github.com/twisted/twisted/blob/trunk/src/twisted/web/http.py#L2885

tls-alpn isn't supposed to speak or listen, so it might work without changing that. It should close the connection right after it sends the certificate. Unfortunately IIUC there isn't a callback for 'negotiation done but no data received yet'.

All you'd have to do is add tls-alpn to the end of acceptableProtocols, have a second HostDirectoryMap for an alpn/ directory, and send a different cert if tls-alpn.


    def selectContext(self, connection):
        oldContext = connection.get_context()
        newContext = self.mapping[connection.get_servername()].getContext()

        negotiationData = self._negotiationDataForContext[oldContext]
        negotiationData.negotiateNPN(newContext)
        negotiationData.negotiateALPN(newContext)

        # new code: if the client negotiated the ACME validation protocol
        # ("acme-tls/1" is the ALPN protocol ID for the TLS-ALPN challenge),
        # serve the challenge certificate from the second mapping instead.
        # This assumes ALPN has already been negotiated when selectContext runs.
        if connection.get_alpn_proto_negotiated() == b"acme-tls/1":
            newContext = self.alpn_mapping[connection.get_servername()].getContext()

        connection.set_context(newContext)

Could prototype with an existing alpn client and then implement the entire flow in Python.
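The pieces a responder and a validator need for this challenge, as an added example using only the standard library; this is not code from txacme, txsni, Twisted or dehydrated. The two dicts passed to select_context stand in for the regular and the alpn/ HostDirectoryMap sketched above; the JWK, token and servername values used in comments are constructed.

```python
"""TLS-ALPN-01 (RFC 8737) building blocks, standard library only."""
import base64
import hashlib
import hmac
import json

ACME_TLS_ALPN = b"acme-tls/1"                 # the only ALPN value the validator offers
ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"  # OID of the acmeIdentifier extension


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def acme_identifier_value(token: str, jwk: dict) -> bytes:
    """DER value the responder's self-signed certificate carries in its
    critical acmeIdentifier extension: OCTET STRING of SHA-256(token.thumbprint)."""
    key_auth = f"{token}.{jwk_thumbprint(jwk)}".encode("ascii")
    return b"\x04\x20" + hashlib.sha256(key_auth).digest()  # tag 0x04, length 32


def verify_acme_identifier(ext_value: bytes, token: str, jwk: dict) -> bool:
    """What the validator checks after the handshake: a well-formed 32-byte
    OCTET STRING equal to the expected digest (constant-time compare)."""
    if len(ext_value) != 34 or ext_value[:2] != b"\x04\x20":
        return False
    return hmac.compare_digest(ext_value, acme_identifier_value(token, jwk))


def select_context(offered: list, servername: bytes, regular: dict, validation: dict):
    """Responder-side decision: the validation mapping (the alpn/ directory)
    is used only when the client offers acme-tls/1 and a challenge certificate
    exists for that SNI name. Returns (context, protocol to select for ALPN)."""
    if ACME_TLS_ALPN in offered and servername in validation:
        return validation[servername], ACME_TLS_ALPN
    return regular.get(servername), None
```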

@dholth

dholth commented Mar 22, 2019

This is difficult. It looks like the alpn callback fires after selectContext() returns, even though dehydrated's version seems to manage right after the SNI servername is given.
I was trying to go through txsni to have it provide certificates from a second directory if tls-alpn; I'm having a hard time understanding how or if available next protocols propagate to the switched context.
It might be normal to provide the default certificate with accepted ALPN set, and switch contexts twice during negotiation if acme.

@dholth

dholth commented Mar 22, 2019

glyph/txsni#26 sends the alpn / acme certificate if it exists

@mithrandi mithrandi modified the milestones: 0.9.3 release, 0.9.4 release Nov 5, 2019