Re: can we haz backports?

2018-01-17 Thread William A Rowe Jr
On Wed, Jan 17, 2018 at 4:18 AM, Stefan Eissing wrote: > >> Am 17.01.2018 um 10:45 schrieb Yann Ylavic : >> >> On Wed, Jan 17, 2018 at 10:30 AM, Stefan Eissing >> wrote: >>> Am 16.01.2018 um 21:26 schrieb

Re: can we haz backports?

2018-01-17 Thread Stefan Eissing
> Am 17.01.2018 um 10:45 schrieb Yann Ylavic : > > On Wed, Jan 17, 2018 at 10:30 AM, Stefan Eissing > wrote: >> >>> Am 16.01.2018 um 21:26 schrieb William A Rowe Jr : >>> >>> Color me very confused, but I can't

Re: can we haz backports?

2018-01-17 Thread Yann Ylavic
On Wed, Jan 17, 2018 at 10:30 AM, Stefan Eissing wrote: > >> Am 16.01.2018 um 21:26 schrieb William A Rowe Jr : >> >> Color me very confused, but I can't distinguish a difference between vhost >> based >> Host: header selection in the "http-01"

Re: can we haz backports?

2018-01-17 Thread Stefan Eissing
> Am 16.01.2018 um 21:26 schrieb William A Rowe Jr : > > Color me very confused, but I can't distinguish a difference between vhost > based > Host: header selection in the "http-01" case, and SNI identification > in the case of > "tls-sni-01". Am I missing something?

Re: can we haz backports?

2018-01-16 Thread William A Rowe Jr
Color me very confused, but I can't distinguish a difference between vhost based Host: header selection in the "http-01" case, and SNI identification in the case of "tls-sni-01". Am I missing something? Discussion pointers? For protocol reasons, "dns-01" seems outside the scope of any mod_md

Re: can we haz backports?

2018-01-12 Thread Jim Jagielski
Vetos must be justified... for solid, technical reasons. One cannot just cast a -1 vote because one doesn't like something. Way too often I see being blocking stuff instead of working to *unblock* stuff. > On Jan 12, 2018, at 6:32 AM, Steffen wrote: > > Now mod_md

Re: can we haz backports?

2018-01-12 Thread Stefan Eissing
I try a high level, short summary of the current ACME "TLS-SNI" issue: 1. There are 3 basic ways to verify domain ownership: a) "http-01" on port 80 requests /.well-known/acme-challenge/ response: signed token as base64url b) "tls-sni-01" on port 443 client hello with SNI for

Re: can we haz backports?

2018-01-12 Thread Ruediger Pluem
On 01/12/2018 01:50 PM, Eric Covener wrote: > On Fri, Jan 12, 2018 at 7:38 AM, Steffen wrote: >> Yann: it is not working (anymore) when you have only port 443 open. >> Yann: I am/was testing in real live, no boulder. >> Eric: proposed change: to begin with warns/errors

Re: can we haz backports?

2018-01-12 Thread Eric Covener
> Generally, we don't use -1 for something like that. Although not all > -1's are actually "vetoes" -- it is still reserved for something > actively detrimental. Whoops, they are actually vetoes for code or backports.

Re: can we haz backports?

2018-01-12 Thread Eric Covener
On Fri, Jan 12, 2018 at 7:38 AM, Steffen wrote: > Yann: it is not working (anymore) when you have only port 443 open. > Yann: I am/was testing in real live, no boulder. > Eric: proposed change: to begin with warns/errors user > > I am talking about SSL configurations

Re: can we haz backports?

2018-01-12 Thread Steffen

Re: can we haz backports?

2018-01-12 Thread Yann Ylavic
On Fri, Jan 12, 2018 at 12:32 PM, Steffen wrote: > > Propose to change mod_md regarding above, now I vote -1. Could you please elaborate on what isn't working for Windows/you? Is it a general failure for Windows users or something that can be addressed as follow up? I

Re: can we haz backports?

2018-01-12 Thread Eric Covener
On Fri, Jan 12, 2018 at 6:14 AM, Stefan Eissing wrote: > Team, > > the frequency that people keep on asking me when ACME > support in Apache will be released is going up. For > this to happen, two backports need 1(!) more vote: > > 1. core/mod_ssl: Add new flag int

Re: can we haz backports?

2018-01-12 Thread Eric Covener
On Fri, Jan 12, 2018 at 6:32 AM, Steffen wrote: > Now mod_md contains features which are not supported anymore ! > > For SSL only config mod_md is not usable anymore, see >

Re: can we haz backports?

2018-01-12 Thread Stefan Eissing
> Am 12.01.2018 um 13:07 schrieb Yann Ylavic : > > On Fri, Jan 12, 2018 at 12:14 PM, Stefan Eissing > wrote: >> >> Is anyone planning to review this in the next days? > > I plan to do so, is there a strong need to own a domain for testing or

Re: can we haz backports?

2018-01-12 Thread Yann Ylavic
On Fri, Jan 12, 2018 at 12:14 PM, Stefan Eissing wrote: > > Is anyone planning to review this in the next days? I plan to do so, is there a strong need to own a domain for testing or can I use a "standalone" thingy (if that's ever relevant)?

Re: can we haz backports?

2018-01-12 Thread Yann Ylavic
On Fri, Jan 12, 2018 at 12:32 PM, Steffen wrote: > Now mod_md contains features which are not supported anymore ! > > For SSL only config mod_md is not usable anymore, see >

Re: can we haz backports?

2018-01-12 Thread Stefan Eissing
> Am 12.01.2018 um 12:32 schrieb Steffen : > > Now mod_md contains features which are not supported anymore ! > > For SSL only config mod_md is not usable anymore, see >

Re: can we haz backports?

2018-01-12 Thread Steffen
Now mod_md contains features which are not supported anymore ! For SSL only config mod_md is not usable anymore, see https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 Propose to change mod_md regarding above, now I vote -1.