[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #25346 [Obfuscation/Snowflake]: Adapt snowflake-server to use ACME HTTP-01 challenge for automatic certificates



#25346: Adapt snowflake-server to use ACME HTTP-01 challenge for automatic
certificates
-----------------------------------+------------------------------
 Reporter:  dcf                    |          Owner:  (none)
     Type:  defect                 |         Status:  needs_review
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------------
Changes (by dcf):

 * status:  new => needs_review


Comment:

 Here is a simple patch. I started this running on
 https://snowflake.bamsoftware.com/ and it just issued a fresh certificate.

 Because the SNI-based ACME challenge needed HTTPS on port 443, and we were
 going to be listening with HTTPS on other ports anyway, the way it was
 formerly handled is that if there was no listener for port 443, we just
 opened an additional one (as if the parent process had given us an
 additional bindaddr).

 Now we do something similar, except the additional listener we open on
 port 80 only handles HTTP-01 messages; it doesn't implement WebSocket and
 can't be used to reach tor.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25346#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs