On Fri, Jan 08, 2016 at 08:42:57PM +0100, Niklas Keller wrote:
> > The current language describing it in the spec is terrible and needs to
> > be rewritten, but it's quite simple: add an extra :443 vhost entry to
> > your server config, serving a self-signed cert created to pass the
> > challenge.
>
> Unfortunately, this requires a server configuration reload. http-01 is
> still a lot easier, it doesn't require any configuration change. I think
> it's best to allow http-01 over HTTPS on port 443 if port 80 is not
> reachable. This should eliminate the vulnerability, but allow verifying
> HTTPS-only sites with http-01.
That's pretty corner case-y behaviour for a very specialised use case (server *must* have port 80 firewalled, and cannot possibly perform a graceful server reload). Are there other voices in favour of special casing DV behaviour for that use case?

-- 
Peter Eckersley                            [email protected]
Chief Computer Scientist                  Tel  +1 415 436 9333 x131
Electronic Frontier Foundation            Fax  +1 415 436 9993

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
