x/crypto/acme/autocert: make hybrid ecc-rsa certificates possible #23698
Comments
a bit related to #19265
You kinda jumped to a solution without explaining the problem. I also don't see enough of your code to see how you're using your I suppose the subject is a reasonable problem statement ("make hybrid ecc-rsa certificates possible"), but if this is an important problem to solve (@agl, @x1ddos?), and we can detect it (e.g. your
ECDSA certificates issued from an RSA CA are a reasonable thing to desire: the ECDSA operation is much faster. Google's services, for example, often have both and select ECDSA when possible, and RSA as a fallback. To do this, you would check the One niggle is that crypto/tls doesn't export its knowledge of ciphersuites, so the map of uint16 cipher suite ID to whether it's ECDSA would have to be maintained externally.
As far as I understand this issue is not about supporting ECDSA+RSA on the crypto/tls side (which is done as @agl suggests and partially hidden in The expectation is that it would work because of the fallback mechanism, but the outer HTTPHandler doesn't fall back if the path is I think the full solution is to check for the token first, fall back if not found, and then apply the host policy. Seems reasonable to me. Title suggestion: "x/crypto/acme/autocert: support running multiple HTTPHandler"
@FiloSottile, what I was trying to say was that if ECDSA+RSA is something that enough people want, we should just do it automatically, rather than make this bug about easing an obscure workaround for us not supporting their real need.
Oh I see. You're right, we can implement ECDSA+RSA without any API change since GetCertificate takes the ClientHelloInfo. However I think this will count double against the per-domain Let's Encrypt rate-limit, which is probably not what users want by default.
Is it reasonable to say this is a duplicate of #22066?
@x1ddos, yes. I'll close this one.
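The selection agl and FiloSottile describe above, done inside a GetCertificate callback, as an added example that is not code from this issue or from x/crypto. It assumes the ECDSA and RSA chains are already loaded (by autocert or otherwise) and, since crypto/tls does not export which suites need an ECDSA key, keeps that map by hand.

```go
package main

import "crypto/tls"

// Cipher suites that need an ECDSA key. crypto/tls keeps this knowledge
// private, so (as agl notes) the map has to be maintained by hand.
var ecdsaSuites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:    true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:    true,
}

// Signature schemes a TLS 1.2+ client must list for an ECDSA chain to work.
var ecdsaSchemes = map[tls.SignatureScheme]bool{
	tls.ECDSAWithP256AndSHA256: true, tls.ECDSAWithP384AndSHA384: true,
	tls.ECDSAWithP521AndSHA512: true, tls.ECDSAWithSHA1: true,
}

// clientSupportsECDSA is true when the ClientHello offers an ECDHE-ECDSA suite
// and, if it sent signature_algorithms at all, an ECDSA scheme as well.
func clientSupportsECDSA(hello *tls.ClientHelloInfo) bool {
	suiteOK := false
	for _, s := range hello.CipherSuites {
		suiteOK = suiteOK || ecdsaSuites[s]
	}
	if !suiteOK {
		return false
	}
	if len(hello.SignatureSchemes) == 0 {
		return true // TLS 1.0/1.1 client: the suite alone decides
	}
	for _, scheme := range hello.SignatureSchemes {
		if ecdsaSchemes[scheme] {
			return true
		}
	}
	return false
}

// hybridGetCertificate builds a tls.Config.GetCertificate callback that serves
// the ECDSA chain when the client can use it and the RSA chain otherwise.
func hybridGetCertificate(ecdsaCert, rsaCert *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if clientSupportsECDSA(hello) {
			return ecdsaCert, nil
		}
		return rsaCert, nil
	}
}
```

Go 1.14 and later expose ClientHelloInfo.SupportsCertificate, which performs this check inside crypto/tls, so the hand-maintained map is only needed on older releases.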
I managed to implement a Go HTTPS server to support hybrid ECC-RSA certificates. [1]
Here's my code
It does not work because autocert's http-01 HTTPHandler does not fall back as I expected.
A quick patch is
Is this requirement/change reasonable? Thoughts?