At 11:55 16/07/2019 Tuesday, Stefan Eissing wrote:
> A user of my Apache ACME client asked about a feature where the security
> implications are not clear to me:
> - he has several server instances that may receive the CA's http-01 challenge
> request. He therefore would like all servers to answer to all challenges like the
> solution proposed by acme.sh:
> <https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode>
>
> server {
>     ....
>     location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
>         default_type text/plain;
>         return 200 "$1.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd";
>     }
> }
>
> which sends the thumbnail back to anyone asking. Is this an example to follow?
> It feels very open...

I can't find anything terribly wrong with it. The two most important
things are (a) it binds to the account key fingerprint, so it doesn't
let some other person get a certificate for you, and (b) it filters by a
narrow set of valid characters, which prevents this from being an XSS
vector
(https://labs.detectify.com/2018/09/04/xss-using-quirky-implementations-of-acme-http-01/).
Still, it seems like other clients get along fine with a stateful mode,
which narrows the realm of possible unforeseen problems with this approach.
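
How the constant in the quoted nginx rule relates to the account key, as an added example that is not part of the original message or of acme.sh: under RFC 8555 the http-01 body is the token, a dot, and the RFC 7638 SHA-256 thumbprint of the account key's public JWK, so a stateless responder only needs that thumbprint and the token filter. The JWK values and the function names below are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# JWK members that RFC 7638 (and RFC 8037 for OKP) feed into the thumbprint.
REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Same path filter as the nginx location quoted in the thread.
CHALLENGE_PATH = re.compile(r"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$")

# Constructed public JWK, not a real key: the coordinates are placeholders.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructedXcoordinateNotARealKey",
    "y": "constructedYcoordinateNotARealKey",
}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), unpadded, as RFC 7638 defines it."""
    canonical = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    # Canonical form: required members only, sorted names, no whitespace.
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(data.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def stateless_response(path: str, thumbprint: str):
    """Body for any well-formed token, or None (caller serves a 404)."""
    match = CHALLENGE_PATH.fullmatch(path)
    if match is None:
        return None  # anything outside [-_a-zA-Z0-9] is never echoed back
    # Key authorization from RFC 8555 section 8.1: token "." thumbprint
    return f"{match.group(1)}.{thumbprint}"


if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    print(stateless_response("/.well-known/acme-challenge/abc-DEF_123", tp))
    print(stateless_response("/.well-known/acme-challenge/a<b>c", tp))
```

The CA validates only against the account that created the order, so a response built from this thumbprint cannot satisfy a challenge issued to a different account key.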