[Twisted-Python] txsni + alpn + acme (letsencrypt)

Glyph glyph at twistedmatrix.com
Sat Mar 23 21:58:22 MDT 2019


> On Mar 23, 2019, at 3:39 PM, Daniel Holth <dholth at gmail.com> wrote:
> 
> Wow! Such broken. I was starting to get suspicious of openssl myself.
> Poor documentation about the rules on context switching and whether
> doing things in a certain order should trigger callbacks.

In fairness, they do realize that this is a bit of a mess, and eventually one hopes there will be something better: https://github.com/openssl/openssl/issues/6109

> At least you can get a cert when the ALPN / ACME certificate (and
> DEFAULT?) is the only one provided by twisted. If the several attempts
> they make came from the same IP address that might be one way to hack
> it.


What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

Source: https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server

> If it gets that bad I'll put the ClientHello regex next to the
> regex-based pkcs parser from my rsalette library :)

Oh no :-(.  Don't do RSA in pure python, that's an invitation to timing attacks.

> Fixing the http-01 challenge is a very rational suggestion.

Thanks!  If you could get Warner's patch over the finish line, that would probably be the best, most practical step forward.

> Thanks!
> 
> Daniel
> 
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python at twistedmatrix.com
> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
