certbot/acme
Adrien Ferrand 07abe7a8d6
Reimplement tls-alpn-01 in acme (#6886)
This PR is the first part of work described in #6724.

It reintroduces the tls-alpn-01 challenge in the `acme` module, which was introduced by #5894 and reverted by #6100. The reason it was removed in the past is that some tests showed that with the `1.0.2` branch of OpenSSL, the self-signed certificate containing the authorization key is sent to the requester even if the ALPN protocol `acme-tls/1` was not declared as supported by the requester during the TLS handshake.

However, recent discussions led to the conclusion that this behavior was not a security issue, because first it is coherent with the behavior of servers that do not support ALPN at all, and second it cannot make a tls-alpn-01 challenge be validated in this kind of corner case.

On top of the original modifications given by #5894, I merged the code to be up to date with our `master`, and fixed tests to match the recent evolution of not displaying the `keyAuthorization` in the deserialized JSON form of an ACME challenge.

I also moved the logic that verifies whether ALPN is available on the current system, and so whether the tls-alpn-01 challenge can be used, to a dedicated static function `is_available` in `acme.challenge.TLSALPN01`. This function is used in the related tests to skip them, and will be used in the future from Certbot plugins to trigger or not the logic related to tls-alpn-01, depending on the OpenSSL version available to Python.

* Reimplement TLS-ALPN-01 challenge and standalone TLS-ALPN server from #5894.

* Set up a class method to check if tls-alpn-01 is supported.

* Add potential missing parameter in validation for tls-alpn

* Improve comments

* Make a class private

* Handle old versions of OpenSSL that do not terminate the handshake when they should.

* Add changelog

* Explicitly close the TLS connection by the book.

* Remove unused exception

* Fix lint
2020-03-12 13:53:19 -07:00
acme Reimplement tls-alpn-01 in acme (#6886) 2020-03-12 13:53:19 -07:00
docs Don't display todo comments in docs (#7753) 2020-02-06 15:39:47 -08:00
examples Reorganize imports (#7616) 2019-12-09 15:50:20 -05:00
tests Reimplement tls-alpn-01 in acme (#6886) 2020-03-12 13:53:19 -07:00
LICENSE.txt Update Copyright notice in subpackages LICENSE. 2015-10-04 10:10:41 +00:00
MANIFEST.in Refactor tests out of packaged module for acme plugin (#7600) 2019-11-26 15:25:41 -08:00
pytest.ini Fixes #6085. (#6091) 2018-06-12 17:31:22 -07:00
README.rst Fix ACME module description 2015-10-21 17:06:35 -07:00
readthedocs.org.requirements.txt Refactor certbot/ and certbot/tests/ to use the same structure as the other packages (#7544) 2019-11-25 14:28:05 -08:00
setup.cfg Make wheel universal 2016-01-21 10:11:23 +01:00
setup.py Bump version to 1.4.0 2020-03-03 12:43:04 -08:00

ACME protocol implementation in Python