subject:"\[Acme\] tls\-sni\-01 validation compromise"

Re: [Acme] tls-sni-01 validation compromise

2016-01-22 Thread Thomas Lußnig

Hi, these problem is not new. I raised the roblem with letsencrypt over an month ago. Better Would be: Client Send clientnone,ECDSA-SHA256(servernonce,clientnonce) The cert for .challenge.amce contain the public key. So the client had proved he control the server

Re: [Acme] tls-sni-01 validation compromise

2016-01-22 Thread Peter Eckersley

On Thu, Jan 21, 2016 at 09:38:24PM -0500, Jehiah Czebotar wrote: > Because the server initiating the validation request is presenting the > full ServerName expected back, it is thus untrusted and can not be > used to imply any relation to the party requesting validation. It is > possible to

[Acme] tls-sni-01 validation compromise

2016-01-21 Thread Jehiah Czebotar

In working to implemented LetsEncrypt at Bitly, I uncovered an issue with the tls-sni-01 validation that limits its trustworthiness in validation. Issue: The tls-sni-01 validation is intended to prove control over a domain name. The challenge relies on presenting a

Re: [Acme] tls-sni-01 validation compromise

2016-01-21 Thread Martin Thomson

On 22 January 2016 at 13:38, Jehiah Czebotar wrote: > 1) Change the requirement that the self signed cert have one DNSName, > and require the response to have TWO DNS names. One that matches the > requested hostname, and a second that is secret which proves it can > only be

Re: [Acme] tls-sni-01 validation compromise

Re: [Acme] tls-sni-01 validation compromise

[Acme] tls-sni-01 validation compromise

Re: [Acme] tls-sni-01 validation compromise

4 matches

Site Navigation

Mail list logo

Footer information