Thanks for the replies. I do not plan to make this general behaviour, maybe as an opt-in by an admin.
Cheers, Stefan

> On 16.07.2019 at 20:39, Jacob Hoffman-Andrews <[email protected]> wrote:
>
>
>> At 11:55 16/07/2019 Tuesday, Stefan Eissing wrote:
>>> A user of my Apache ACME client asked about a feature where the security
>>> implications are not clear to me:
>>>
>>> - he has several server instances that may receive the CA's http-01
>>> challenge request. He therefore would like all servers to answer to all
>>> challenges like the solution proposed by acme.sh:
>>> <https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode>
>>>
>>> server {
>>>     ....
>>>     location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
>>>         default_type text/plain;
>>>         return 200 "$1.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd";
>>>     }
>>>
>>> which sends the thumbnail back to anyone asking. Is this an example to
>>> follow? It feels very open...
> I can't find anything terribly wrong with it. The two most important things
> are (a) it binds to the account key fingerprint, so it doesn't let some other
> person get a certificate for you, and (b) it filters by a narrow set of valid
> characters, which prevents this from being an XSS vector
> (https://labs.detectify.com/2018/09/04/xss-using-quirky-implementations-of-acme-http-01/).
>
> Still, it seems like other clients get along fine with a stateful mode, which
> narrows the realm of possible unforeseen problems with this approach.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
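The two properties Jacob points at (binding to the account key thumbprint, and the narrow token character set) are easy to make concrete. The following is an added example, not code from the thread or from acme.sh: it computes the RFC 7638 JWK thumbprint, builds the RFC 8555 key authorization `token.thumbprint`, and emulates the quoted nginx location with the same regex. The account JWK is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json
import re

# Regex from the quoted acme.sh nginx snippet. An http-01 token is base64url
# (RFC 8555 section 8.3), so nothing outside [-_a-zA-Z0-9] is ever echoed back.
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$")

# Required JWK members per key type (RFC 7638 section 3.2); everything else
# (alg, kid, ...) is excluded from the thumbprint input.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Required members only, lexicographically sorted, no whitespace (RFC 7638)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON, base64url encoded: the value the nginx snippet hardcodes."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def stateless_responder(path: str, account_jwk: dict):
    """Emulates the quoted nginx location: returns (status, body) for a request path.

    The thumbprint is public, so serving it to anyone only lets a CA validate
    challenges for *this* account; completing them still needs the account private key.
    """
    m = TOKEN_RE.match(path)
    if not m:
        return 404, ""  # anything outside the token alphabet is never reflected
    return 200, key_authorization(m.group(1), account_jwk)


# Constructed placeholder account key (not a real P-256 point).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "cx", "y": "cy", "alg": "ES256", "kid": "acct-1"}
```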
