x/crypto/acme/autocert: handle RSA-only clients better #22066
Comments
|
Hey Russ, why not just use
But agree either way, autocert should handle RSA-only clients. |
|
@x1ddos, maybe the code is just unclear with everything else going on, but that's the test I do use for SNI (the five lines starting at |
bradfitz
added
help wanted
NeedsFix
|
Some other discussion is in #23698. |
|
Obtaining two certificates off the bat sounds like a waste of quota, but how about we issue a RSA certificate automatically if a TLS handshake from a client that doesn't support ECDSA comes? |
|
@FiloSottile, SGTM. But I also don't think 2 cert requests every 2-3 months per domain name is too bad either. |
|
Change https://golang.org/cl/114501 mentions this issue: |
|
this commit broke our builds
|
|
Wow, that was fast. And sorry, that symbol was added in Go 1.10. I'll fix it ASAP, in the meantime you can workaround by updating to 1.10 if that's possible for you. |
|
Change https://golang.org/cl/116496 mentions this issue: |
|
Oh I see it's only for go 1.9. we haven't migrated our pipelines yet which explains why it works on my laptop :) |
Updates golang/go#22066 Change-Id: I7eb6a60deb6680003245815760e2ce6a8f7d8b15 Reviewed-on: https://go-review.googlesource.com/116496 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com>
|
Should be fixed now. @primalmotion can you confirm? |
|
yep it works now, thanks, that was fast too ;) |
GetCertificate has all the information it needs to know if a client supports ECDSA in ClientHelloInfo. Deprecate and ignore ForceRSA, and just obtain a RSA certificate on the fly when a client that doesn't support ECDSA connects. This changes the cache key format to have a "+rsa" suffix for RSA certificates. The default (ForceRSA = false) cache key is unchanged, so most DirCache instances will still be valid. Caches created with ForceRSA set will be silently ignored and certificates reissued. The cache keys for HTTP tokens and the account key are changed to be guaranteed not to overlap with valid domain names as well. Note that ECDSA support detection is more strict in following RFC 5246 than crypto/tls, which ignores signature_algorithms. Fixes golang/go#22066 Change-Id: I70227747b563d6849cb693f83a950d57040b3f39 Reviewed-on: https://go-review.googlesource.com/114501 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
GetCertificate has all the information it needs to know if a client supports ECDSA in ClientHelloInfo. Deprecate and ignore ForceRSA, and just obtain a RSA certificate on the fly when a client that doesn't support ECDSA connects. This changes the cache key format to have a "+rsa" suffix for RSA certificates. The default (ForceRSA = false) cache key is unchanged, so most DirCache instances will still be valid. Caches created with ForceRSA set will be silently ignored and certificates reissued. The cache keys for HTTP tokens and the account key are changed to be guaranteed not to overlap with valid domain names as well. Note that ECDSA support detection is more strict in following RFC 5246 than crypto/tls, which ignores signature_algorithms. Fixes golang/go#22066 Change-Id: I70227747b563d6849cb693f83a950d57040b3f39 Reviewed-on: https://go-review.googlesource.com/114501 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
GetCertificate has all the information it needs to know if a client supports ECDSA in ClientHelloInfo. Deprecate and ignore ForceRSA, and just obtain a RSA certificate on the fly when a client that doesn't support ECDSA connects. This changes the cache key format to have a "+rsa" suffix for RSA certificates. The default (ForceRSA = false) cache key is unchanged, so most DirCache instances will still be valid. Caches created with ForceRSA set will be silently ignored and certificates reissued. The cache keys for HTTP tokens and the account key are changed to be guaranteed not to overlap with valid domain names as well. Note that ECDSA support detection is more strict in following RFC 5246 than crypto/tls, which ignores signature_algorithms. Fixes golang/go#22066 Change-Id: I70227747b563d6849cb693f83a950d57040b3f39 Reviewed-on: https://go-review.googlesource.com/114501 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
GetCertificate has all the information it needs to know if a client supports ECDSA in ClientHelloInfo. Deprecate and ignore ForceRSA, and just obtain a RSA certificate on the fly when a client that doesn't support ECDSA connects. This changes the cache key format to have a "+rsa" suffix for RSA certificates. The default (ForceRSA = false) cache key is unchanged, so most DirCache instances will still be valid. Caches created with ForceRSA set will be silently ignored and certificates reissued. The cache keys for HTTP tokens and the account key are changed to be guaranteed not to overlap with valid domain names as well. Note that ECDSA support detection is more strict in following RFC 5246 than crypto/tls, which ignores signature_algorithms. Fixes golang/go#22066 Change-Id: I70227747b563d6849cb693f83a950d57040b3f39 Reviewed-on: https://go-review.googlesource.com/114501 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
GetCertificate has all the information it needs to know if a client supports ECDSA in ClientHelloInfo. Deprecate and ignore ForceRSA, and just obtain a RSA certificate on the fly when a client that doesn't support ECDSA connects. This changes the cache key format to have a "+rsa" suffix for RSA certificates. The default (ForceRSA = false) cache key is unchanged, so most DirCache instances will still be valid. Caches created with ForceRSA set will be silently ignored and certificates reissued. The cache keys for HTTP tokens and the account key are changed to be guaranteed not to overlap with valid domain names as well. Note that ECDSA support detection is more strict in following RFC 5246 than crypto/tls, which ignores signature_algorithms. Fixes golang/go#22066 Change-Id: I70227747b563d6849cb693f83a950d57040b3f39 Reviewed-on: https://go-review.googlesource.com/114501 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
https://letsencrypt.org/docs/integration-guide/ says "Our recommendation is to serve a dual-cert config, offering an RSA certificate by default, and a (much smaller) ECDSA certificate to those clients that indicate support."
Today, autocert can only use one kind of cert. I think we should fix that and make it manage both a cached ECDSA cert and a cached RSA cert, offering the RSA certificate to clients that don't support ECDSA. Otherwise you just get weird "no supported cipher suite" errors with older clients. I'm using ruby on an up-to-date Mac and it wants to do TLS 1.0 with RSA. I spent way too long debugging why it was failing, because the failures were very non-obvious. (I don't know why Ruby on my Mac wants TLS 1.0 with RSA, but surely there are other clients like mine out there. And maybe there are RSA-only TLS 1.2 clients out there too.)
I see the ForceRSA flag in the Manager, but that doesn't do what the integration guide suggests: it uses RSA always, not just when the client doesn't support ECDSA.
As a workaround, I am using two managers, with two separate clients and caches, and a custom GetCertificate that figures out which to use:
This code also includes a workaround for #18785, and the RSA decision is wrong (it should look at the supported ciphers etc) but was good enough for my purposes.
/cc @x1ddos @bradfitz
The text was updated successfully, but these errors were encountered: