Awesome, thank you all for your quick responses!

On Fri, Feb 4, 2022 at 2:36 PM Aaron Gable <[email protected]> wrote:
> Just to clear up any potential confusion: the ACME Server and the TLS
> Server are not the same entity when conducting TLS-ALPN-01 Validation.
>
> The ACME Server is, during a TLS-ALPN-01 validation, acting as a TLS
> Client. According to RFC 8737 Section 3, it must, in its `clientHello`
> message, include an ALPN extension containing only the single value
> "acme-tls/1".
>
> The ACME Client (or its delegate) is, during a TLS-ALPN-01 validation,
> acting as a TLS Server. According to RFC 7301 Section 3.1, it must, in its
> `serverHello` message, agree to exactly one of the ALPN protocols offered
> in the `clientHello`.
>
> The combination of the requirements from these two RFCs is that yes,
> *both* the ACME Server / TLS Client *and* the ACME Client / TLS Server must
> include just the single value "acme-tls/1" in their respective ALPN
> extensions during the TLS handshake.
>
> It is notable, however, that RFC 7301 does not require that the TLS Client
> immediately abort the connection if the TLS Server's ALPN extension
> contains more than one entry. It simply requires that the TLS Server behave
> in a specific way, and leaves the TLS Client's response to such misbehavior
> unspecified.
>
> Aaron
>
> On Fri, Feb 4, 2022 at 11:36 AM Matthew McPherrin <mattm=[email protected]> wrote:
>
>> RFC 7301 section 3.1 says:
>> > the "ProtocolNameList" MUST contain exactly one "ProtocolName"
>>
>> On Fri, Feb 4, 2022 at 12:49 PM Salz, Rich <rsalz=[email protected]> wrote:
>>
>>> - Does "with the single protocol name" mean that it should be
>>> considered an error if the ACME server offers more than a single
>>> supported protocol?
>>>
>>> Replying with more than one protocol is unspecified behavior. The
>>> recipient could proceed, or treat it as an error.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
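The ALPN rules discussed in this thread, as an added worked example that is not part of the mailing-list exchange and not code from any ACME implementation: a TLS-ALPN-01 validator (the ACME server acting as TLS client) offers only "acme-tls/1" in its ClientHello, and the responder (the ACME client acting as TLS server) either selects that single name or fails validation. The example uses Go's standard crypto/tls over a loopback TCP listener with a throwaway self-signed certificate; the hostname `example.test`, the function names and the three responder configurations are all constructed for illustration. It looks at the ALPN handshake only and deliberately omits the acmeIdentifier certificate extension that RFC 8737 also requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// acmeTLSALPN is the single ALPN protocol name RFC 8737 Section 3 requires in
// the validator's ClientHello and in the responder's ServerHello.
const acmeTLSALPN = "acme-tls/1"

// selfSignedCert builds a throwaway certificate for the loopback handshake.
// A real TLS-ALPN-01 responder also carries the acmeIdentifier extension;
// this example (not production code) concentrates on ALPN alone.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// negotiate runs one handshake on loopback. serverProtos is what the responder
// (ACME client / TLS server) is willing to select; the validator (ACME server /
// TLS client) always offers exactly "acme-tls/1". It returns the protocol the
// validator saw negotiated, or the handshake error.
func negotiate(serverProtos []string) (string, error) {
	cert, err := selfSignedCert("example.test") // constructed hostname
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverProtos}
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		serverErr <- tls.Server(raw, serverCfg).Handshake()
	}()

	clientCfg := &tls.Config{
		ServerName: "example.test",
		NextProtos: []string{acmeTLSALPN}, // the ClientHello carries only this value
		// The validator does not rely on chain trust; RFC 8737 has it inspect the
		// presented certificate itself (that inspection is not shown here).
		InsecureSkipVerify: true,
	}
	client, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer client.Close()
	if err := <-serverErr; err != nil {
		return "", err
	}
	return client.ConnectionState().NegotiatedProtocol, nil
}

// validated is the validator's decision: the handshake must complete and the
// one protocol the responder selected must be exactly "acme-tls/1". No ALPN at
// all, a different name, or an aborted handshake all fail the challenge.
func validated(serverProtos []string) bool {
	proto, err := negotiate(serverProtos)
	return err == nil && proto == acmeTLSALPN
}

func main() {
	cases := map[string][]string{
		"responder selects acme-tls/1":      {acmeTLSALPN},
		"responder never configured ALPN":   nil,
		"responder only speaks h2/http/1.1": {"h2", "http/1.1"},
	}
	for name, protos := range cases {
		proto, err := negotiate(protos)
		fmt.Printf("%-36s negotiated=%q err=%v valid=%t\n", name, proto, err, err == nil && proto == acmeTLSALPN)
	}
}
```

Go's server API always selects one name or none, so the ServerHello-with-several-entries misbehaviour the thread mentions cannot be produced here; what the example does show is that the validator-side rule makes that question moot in practice: any outcome other than a completed handshake with the single negotiated value "acme-tls/1" is treated as a failed validation.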
