[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Using Let's Encrypt for meek bridges

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Using Let's Encrypt for meek bridges
From: David Fifield <david@xxxxxxxxxxxxxxx>
Date: Fri, 8 Apr 2016 20:20:24 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 08 Apr 2016 23:20:44 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bamsoftware.com; s=mail; h=In-Reply-To:Content-Transfer-Encoding:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date; bh=AkFb41gCyuJ5gt/XcDpJQizn9fMR3latFGv9rxiFnNQ=; b=sCrjar4LGVP4WkUkrlyBbiPV1y7mdSsbc3Fq8JqH4aZNL8fZgzzwv5gXslQRcYJbDp3sutCTPh2CGCwXgc/ba8wKpjJr4YZmzaPwmIA98Iy5IRR9hBx6GcYf4p6j0Lqsazk9LAA+ox4OiLNNwSBLTW172Lbj53XgSmjPbqDDQbM=;
In-reply-to: <CAMwVh_H5+9dur0WZxWi9onFnWfG8FU+A4zWY6=qZyyntcu+BEA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Mail-followup-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
References: <20160325205432.GG4139@xxxxxxxxxxxxxxxxxxxxx> <CAMwVh_H5+9dur0WZxWi9onFnWfG8FU+A4zWY6=qZyyntcu+BEA@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.24 (2015-08-30)

On Fri, Apr 08, 2016 at 05:28:45PM -0700, George Tankersley wrote:
> > I'm looking for ideas of good ways to handle TLS certificates and their
> > renewal for meek bridges. I want to use Let's Encrypt for this process,
> > and I hope that someone who knows Let's Encrypt well can contribute some
> > ideas.
> 
> >Âideally not requiring newÂcomplicated code in meek-server itself
> 
> If you're OK with some amount of new code, there are Go client libraries that
> might be sufficiently flexible:
> 
> -Âhttps://github.com/xenolf/lego
> -Âhttps://ericchiang.github.io/go/tls/lets/encrypt/letsencrypt/2015/11/13/
> a-letsencrypt-client-for-go.html
> 
> I'll give this a try soon if you haven't already.

Thanks. You are welcome to try. I haven't done anything yet.

My ideal situation would be that I can run an acme client *outside* of
meek-server, the same way I can do for Apache. Something like this:
	letsencrypt-auto certonly [some other arguments, maybe --webroot] meek.bamsoftware.com

Adding acme code to meek-server seems less desirable to me. I am trying
to keep the feature count low to keep the bug count low. meek-server is
under 500 lines and I wouldn't want to add more than, say, 200 lines for
acme support. It might have to write new certificate files to the
filesystem, which means worrying about privileges. It's possible,
though, that I don't properly understand how an acme library should work
and these concerns aren't appropriate.

My current inclination is to add an --acme-webroot option to
meek-server, and install a restricted http.Handler that allows serving
files from that directory. It will only serve files whose names are in
the specific format that acme requires. Maybe it can only serve files
whose creation time is recent, as an additional safeguard against
accidentally serving non-acme files.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- Re: [tor-dev] Using Let's Encrypt for meek bridges
  - From: George Tankersley

Prev by Author: Re: [tor-dev] iObfs: obfs4proxy on iOS
Next by Author: [tor-dev] meek-server performance improvements?
Previous by thread: Re: [tor-dev] Using Let's Encrypt for meek bridges
Next by thread: [tor-dev] txtorcon: fixing APIs, painting bikesheds
Index(es):
- Author
- Thread