On Fri, Jan 12, 2018 at 10:28:31AM -0600, Matthew D. Hardeman wrote:
>
> > On Jan 12, 2018, at 10:20 AM, Gerd v. Egidy <[email protected]> wrote:
> >
>
> I did want to say that if an acceptable mechanism is found in this manner, it does help with some but not all in-band TLS validation mechanisms. It works for web server cases. It does not fully replace the mechanisms of the TLS-SNI sort because it would not work for other protocols running over TLS (like SMTP/TLS). The TLS-SNI mechanisms do facilitate that. Still, if the risks are otherwise acceptable, such a challenge mechanism might be a path of least resistance for those impacted by the TLS-SNI-01 deprecation.
I had actually written code (but ripped it out after LE announced they are dropping support for TLS-SNI) that supported TLS-SNI challenges at the TLS level. This code relied on being able to detect validation attempts at ClientHello time and then handling those connections specially.

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
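The mechanism Ilari describes, detecting a TLS-SNI validation probe at ClientHello time and handling that connection differently from normal traffic, maps directly onto a certificate-selection hook in a TLS server. The following is an added example written for this thread, not Ilari's code (which he says he removed) and not part of any ACME project; it assumes Go's crypto/tls, whose tls.Config.GetCertificate callback runs after the ClientHello is parsed, and it derives the acme.invalid host the way the TLS-SNI-01 draft did (Z = hex(SHA-256(key authorization)), split into two 32-character labels). The key authorization and the site certificate are constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"sync"
	"time"
)

// tlsSNI01Name matches a TLS-SNI-01 validation host: two 32-hex-char labels
// under the reserved acme.invalid domain, as the ACME drafts specified it.
var tlsSNI01Name = regexp.MustCompile(`^[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid$`)

// IsTLSSNIChallenge reports whether an SNI value looks like a TLS-SNI-01
// validation probe rather than ordinary client traffic (SNI is case-insensitive).
func IsTLSSNIChallenge(serverName string) bool {
	return tlsSNI01Name.MatchString(strings.ToLower(serverName))
}

// ChallengeName derives the TLS-SNI-01 host from a key authorization string:
// Z = hex(SHA-256(keyAuthz)), name = Z[0:32] "." Z[32:64] ".acme.invalid".
func ChallengeName(keyAuthz string) string {
	sum := sha256.Sum256([]byte(keyAuthz))
	z := hex.EncodeToString(sum[:])
	return z[:32] + "." + z[32:] + ".acme.invalid"
}

// SelfSignedForName builds the throwaway certificate the challenge needs:
// self-signed, short-lived, with the acme.invalid name as its only SAN.
func SelfSignedForName(name string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ChallengeStore holds certificates for pending challenges, keyed by their
// lower-cased acme.invalid name. The zero value is ready to use.
type ChallengeStore struct {
	certs sync.Map // string -> *tls.Certificate
}

// Put registers a challenge certificate for a pending authorization.
func (s *ChallengeStore) Put(name string, cert *tls.Certificate) {
	s.certs.Store(strings.ToLower(name), cert)
}

// Selector returns a tls.Config.GetCertificate callback. crypto/tls calls it
// after parsing the ClientHello, which is exactly where a validation probe can
// be told apart from normal traffic: a known challenge name gets its temporary
// certificate; anything else, including an unknown acme.invalid name that the
// CA will then reject, gets the site certificate.
func (s *ChallengeStore) Selector(site *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if IsTLSSNIChallenge(hello.ServerName) {
			if c, ok := s.certs.Load(strings.ToLower(hello.ServerName)); ok {
				return c.(*tls.Certificate), nil
			}
		}
		return site, nil
	}
}

func main() {
	// Constructed key authorization; a real one is "<token>.<JWK thumbprint>".
	name := ChallengeName("constructed-token.constructed-thumbprint")
	cert, err := SelfSignedForName(name)
	if err != nil {
		panic(err)
	}
	site, _ := SelfSignedForName("www.example.com") // stand-in for the site certificate
	var store ChallengeStore
	store.Put(name, cert)
	pick := store.Selector(site) // would be assigned to tls.Config.GetCertificate
	chosen, _ := pick(&tls.ClientHelloInfo{ServerName: name})
	fmt.Printf("probe for %s -> challenge cert: %v\n", name, chosen == cert)
	chosen, _ = pick(&tls.ClientHelloInfo{ServerName: "www.example.com"})
	fmt.Printf("normal traffic -> site cert: %v\n", chosen == site)
}
```

Wiring `store.Selector(site)` into `tls.Config.GetCertificate` is all a server needs; the selection happens per connection at ClientHello time, so no separate listener or port is involved, which is what made this approach attractive for non-HTTP services running over TLS.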
