
Commit 2ef8fdf

committed
Stricter TLS-ALPN challenge matching
According to RFC 8737.
1 parent c0c6186 commit 2ef8fdf

1 file changed

Lines changed: 19 additions & 16 deletions


handshake.go

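--- a/handshake.go
+++ b/handshake.go
@@ -65,24 +65,27 @@ func (cfg *Config) GetCertificateWithContext(ctx context.Context, clientHello *t
 ctx = context.WithValue(ctx, ClientHelloInfoCtxKey, clientHello)
 
 // special case: serve up the certificate for a TLS-ALPN ACME challenge
-// (https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05)
-for _, proto := range clientHello.SupportedProtos {
-if proto == acmez.ACMETLS1Protocol {
-challengeCert, distributed, err := cfg.getTLSALPNChallengeCert(clientHello)
-if err != nil {
-cfg.Logger.Error("tls-alpn challenge",
-zap.String("remote_addr", clientHello.Conn.RemoteAddr().String()),
-zap.String("server_name", clientHello.ServerName),
-zap.Error(err))
-return nil, err
-}
-cfg.Logger.Info("served key authentication certificate",
+// (https://www.rfc-editor.org/rfc/rfc8737.html)
+// "The ACME server MUST provide an ALPN extension with the single protocol
+// name "acme-tls/1" and an SNI extension containing only the domain name
+// being validated during the TLS handshake."
+if clientHello.ServerName != "" &&
+len(clientHello.SupportedProtos) == 1 &&
+clientHello.SupportedProtos[0] == acmez.ACMETLS1Protocol {
+challengeCert, distributed, err := cfg.getTLSALPNChallengeCert(clientHello)
+if err != nil {
+cfg.Logger.Error("tls-alpn challenge",
+zap.String("remote_addr", clientHello.Conn.RemoteAddr().String()),
 zap.String("server_name", clientHello.ServerName),
-zap.String("challenge", "tls-alpn-01"),
-zap.String("remote", clientHello.Conn.RemoteAddr().String()),
-zap.Bool("distributed", distributed))
-return challengeCert, nil
+zap.Error(err))
+return nil, err
 }
+cfg.Logger.Info("served key authentication certificate",
+zap.String("server_name", clientHello.ServerName),
+zap.String("challenge", "tls-alpn-01"),
+zap.String("remote", clientHello.Conn.RemoteAddr().String()),
+zap.Bool("distributed", distributed))
+return challengeCert, nil
 }
 
 // get the certificate and serve it up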
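Review bot: The two structured log calls in the new branch name the peer address differently — `zap.String("remote_addr", ...)` on the error path and `zap.String("remote", ...)` on the success path — so anyone querying logs for TLS-ALPN challenge traffic has to match two field names for the same datum. Aligning the success-path line to `zap.String("remote_addr", clientHello.Conn.RemoteAddr().String()),` keeps challenge events correlatable under one key. The new condition enforces the client-side shape the quoted RFC 8737 text requires (exactly one ALPN value, non-empty SNI); whether the SNI value is then compared against the identifier under validation presumably happens inside getTLSALPNChallengeCert, which is outside this hunk. A hello that offers acme-tls/1 alongside other protocols now silently falls through to ordinary certificate selection instead of being treated as a challenge, which deserves a line such as `// non-conforming ACME hellos fall through to normal certificate selection` after the closing brace. GetCertificateWithContext begins before and ends after this hunk.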
