> On Mar 23, 2019, at 3:39 PM, Daniel Holth <dho...@gmail.com> wrote:
>
> Wow! Such broken. I was starting to get suspicious of openssl myself.
> Poor documentation about the rules on context switching and whether
> doing things in a certain order should trigger callbacks.

In fairness, they do realize that this is a bit of a mess, and eventually one hopes there will be something better: https://github.com/openssl/openssl/issues/6109

> At least you can get a cert when the ALPN / ACME certificate (and
> DEFAULT?) is the only one provided by twisted. If the several attempts
> they make came from the same IP address that might be one way to hack
> it.

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

Source: https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server

> If it gets that bad I'll put the ClientHello regex next to the
> regex-based pkcs parser from my rsalette library :)

Oh no :-(. Don't do RSA in pure python, that's an invitation to timing attacks.

> Fixing the http-01 challenge is a very rational suggestion.

Thanks! If you could get Warner's patch over the finish line, that would probably be the best, most practical step forward.

> Thanks!
>
> Daniel
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python@twistedmatrix.com
> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
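An added illustration of the "timing attacks" remark above (example code written for this page, not code from the thread, from Twisted or from the rsalette library): the textbook square-and-multiply loop that a pure-Python RSA would use does a number of modular multiplications that depends on the bit pattern of the private exponent, so its running time is a function of the secret. The Montgomery ladder shown beside it performs the same two operations on every bit, which removes that particular leak. The key and message values are the small constructed textbook ones (n = 3233, e = 17, d = 2753) and the counters are assumptions of this example; note that even the ladder still runs on Python's variable-time big-integer arithmetic, so the practical mitigation is to hand RSA to a constant-time native implementation rather than to reimplement it in Python.

```python
# Added example: why a pure-Python RSA leaks timing information.
# Both functions return (result, number_of_modular_multiplications) so the
# dependence of the work done on the secret exponent is visible directly.

def naive_modpow(base, exp, mod):
    """Left-to-right square-and-multiply, as a naive RSA would do it.

    Every bit costs one squaring; every 1-bit costs one extra multiply.
    The operation count (and therefore the time) reveals the exponent's
    bit length and Hamming weight, and the per-bit timing reveals its bits.
    """
    result = 1
    count = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod      # square, unconditionally
        count += 1
        if bit == "1":
            result = (result * base) % mod    # multiply only on 1-bits: the leak
            count += 1
    return result, count


def ladder_modpow(base, exp, mod):
    """Montgomery ladder: exactly two modular multiplications per bit.

    Invariant: r1 == r0 * base (mod mod) after every step, so the same
    work is done whether the current bit is 0 or 1.
    """
    r0, r1 = 1, base % mod
    count = 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        count += 2
    return r0, count


# Constructed textbook RSA parameters (far too small for real use): p=61, q=53.
N, E, D = 3233, 17, 2753

def leak_report(exponents, mod=N, base=2790):
    """Show how the naive loop's work varies across same-length exponents
    while the ladder's does not. Returns {exp: (naive_ops, ladder_ops)}."""
    return {e: (naive_modpow(base, e, mod)[1], ladder_modpow(base, e, mod)[1])
            for e in exponents}


if __name__ == "__main__":
    c = naive_modpow(65, E, N)[0]          # "encrypt" message 65 -> 2790
    m_naive, ops_naive = naive_modpow(c, D, N)
    m_ladder, ops_ladder = ladder_modpow(c, D, N)
    print(f"ciphertext={c} naive={m_naive} ({ops_naive} ops) "
          f"ladder={m_ladder} ({ops_ladder} ops)")
    # 2753 and 2049 are both 12-bit exponents; only the naive loop tells them apart.
    print(leak_report([D, 2049]))
```

Run it and the naive loop reports a different operation count for the two 12-bit exponents (17 versus 14) while the ladder reports 24 for both; the decryption result is the same 65 in every case, which is the point: correctness does not tell you whether the implementation is leaking.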