x/crypto/acme/autocert: no way to generate RSA certificates #17744
Comments
@x1ddos, what's the plan here? Didn't you recently change it away from RSA?
@niemeyer the initial implementation in fact used solely RSA keys. Some code reviewers have been repeatedly suggesting to switch to EC, arguing that most modern clients support EC-based certs now, which I agreed with. I haven't seen a need for RSA since then, except when forced to integrate with a legacy system (which led to things like https://go-review.googlesource.com/27750). To accommodate broader needs, there was another proposal: generate 2 certs, RSA + EC, and provide the one compatible with what ClientHelloInfo indicates. Would that work for your use case?
Ah @bradfitz no, not recently. Well, quite short after autocert was released. For instance, see this: https://go-review.googlesource.com/28851.
@bradfitz sorry, yeah I meant we did switch from RSA to EC :)
@x1ddos, your two-cert proposal works. Or a simple boolean option for now too. (ForceRSA bool) But let's do something soonish so more people can use autocert.
Ok! I'll work on it tomorrow and send a CL for review.
CL https://golang.org/cl/34570 mentions this issue.
Currently, autocert.Manager always generates EC-based certificates. This change adds an optional field forcing the Manager to use RSA instead. An alternative idea, a "double" certificate, where the Manager presents either RSA or EC certificate based on client's compatibility, doesn't seem to be worth the implementation time given the constant increase in Elliptic Curve cryptography.

Fixes golang/go#17744

Change-Id: Idc68abfc698bcff4aad99715baefc06f8fae50ad
Reviewed-on: https://go-review.googlesource.com/34570
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Let's Encrypt supports generation of RSA certificates, and the code can be easily adapted to support them by simply changing the private key generation functions, but there's currently no way to enable that from the outside.
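The "double certificate" idea from the thread (present an RSA or an EC certificate depending on what ClientHelloInfo indicates) can be built on the standard library today. The block below is an added example, not code from the autocert package or from the CL: it self-signs one P-256 and one 2048-bit RSA certificate and lets ClientHelloInfo.SupportsCertificate (crypto/tls, Go 1.14 and later, so newer than this thread) decide which one the client can use; the names mustCert and selectCert, the host example.test and the port are my own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net/http"
	"time"
)

// mustCert self-signs a throwaway certificate for key (a stand-in for the Let's Encrypt cert autocert would fetch).
func mustCert(key crypto.Signer, err error) *tls.Certificate {
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// selectCert builds a tls.Config.GetCertificate callback for the "double certificate" idea: serve the
// EC cert whenever SupportsCertificate (TLS version, signature schemes, curves, cipher suites) allows it.
func selectCert(ec, rsaCert *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hello.SupportsCertificate(ec) == nil {
			return ec, nil
		}
		// Fall back to RSA; a non-nil error here means the client can use neither key type.
		return rsaCert, hello.SupportsCertificate(rsaCert)
	}
}

func main() {
	ec := mustCert(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rsaCert := mustCert(rsa.GenerateKey(rand.Reader, 2048)) // 2048-bit RSA, the size ForceRSA generates
	srv := &http.Server{Addr: ":8443", TLSConfig: &tls.Config{GetCertificate: selectCert(ec, rsaCert)}}
	panic(srv.ListenAndServeTLS("", "")) // empty paths: certificates come from GetCertificate
}
```

With ForceRSA the Manager instead commits to one key type for every client; the callback above keeps EC as the default and only pays the RSA cost for clients that cannot negotiate ECDSA.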