Opened 6 months ago

Closed 5 months ago

#25346 closed defect (fixed)

Adapt snowflake-server to use ACME HTTP-01 challenge for automatic certificates

Reported by: dcf Owned by:
Priority: Medium Milestone:
Component: Obfuscation/Snowflake Version:
Severity: Normal Keywords:
Cc: dcf, arlolra Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

As with the broker (#25345), we need to make the Snowflake server transport plugin use the HTTP-01 challenge.

Child Tickets

Attachments (1)

0001-Use-Manager.HTTPHandler-for-automatic-TLS-support-in.patch (4.7 KB) - added by dcf 5 months ago.


Change History (4)

comment:1 Changed 5 months ago by dcf

Status: new → needs_review

Here is a simple patch. I started this running on https://snowflake.bamsoftware.com/ and it just issued a fresh certificate.

Because the SNI-based ACME challenge needed HTTPS on port 443, and we were going to be listening with HTTPS on other ports anyway, the way it was formerly handled is that if there was no listener for port 443, we just opened an additional one (as if the parent process had given us an additional bindaddr).

Now we do something similar, except the additional listener we open on port 80 only handles HTTP-01 messages; it doesn't implement WebSocket and can't be used to reach tor.
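The shape of the port-80 listener described above, as an added illustration that is not the attached patch or Snowflake's code: the plain-HTTP handler answers only `/.well-known/acme-challenge/` requests and redirects everything else to HTTPS, so the WebSocket transport (which is mounted only on the TLS listeners) is unreachable through it. `staticResponder` is a constructed stand-in for `autocert.Manager.HTTPHandler`, and `checkHTTP01PortFree` is a hypothetical guard that reports up front when a configured bindaddr already occupies port 80, the conflict raised in the review below.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// acmeChallengePrefix is the well-known path used by the ACME HTTP-01 challenge.
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// http01Port is the port HTTP-01 validation connects to.
const http01Port = "80"

// challengeOnlyHandler wraps an HTTP-01 responder so the plain-HTTP listener
// serves nothing but challenge responses. Every other request is redirected to
// HTTPS; the WebSocket transport is never mounted on this listener, so it
// cannot be used to reach tor.
func challengeOnlyHandler(responder http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, acmeChallengePrefix) {
			responder.ServeHTTP(w, r)
			return
		}
		host, _, err := net.SplitHostPort(r.Host)
		if err != nil {
			host = r.Host // Host header carried no port
		}
		http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusFound)
	})
}

// staticResponder is a constructed stand-in for autocert.Manager.HTTPHandler
// (hypothetical here): it maps challenge tokens to their key authorizations.
type staticResponder map[string]string

func (s staticResponder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.URL.Path, acmeChallengePrefix)
	keyAuth, ok := s[token]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "text/plain")
	fmt.Fprint(w, keyAuth)
}

// checkHTTP01PortFree (hypothetical guard) returns an error if one of the
// bindaddrs handed to the server already occupies the HTTP-01 port, so the
// operator sees a clear message instead of a cryptic bind failure later.
func checkHTTP01PortFree(bindaddrs []string) error {
	for _, ba := range bindaddrs {
		_, port, err := net.SplitHostPort(ba)
		if err != nil {
			return fmt.Errorf("bad bindaddr %q: %v", ba, err)
		}
		if port == http01Port {
			return fmt.Errorf("bindaddr %q occupies port %s, which the HTTP-01 listener needs", ba, http01Port)
		}
	}
	return nil
}

func main() {
	// Constructed bindaddrs standing in for what the parent process passes.
	bindaddrs := []string{"0.0.0.0:443", "0.0.0.0:8443"}
	if err := checkHTTP01PortFree(bindaddrs); err != nil {
		log.Fatal(err)
	}
	// Constructed token; in real use autocert supplies and validates these.
	responder := staticResponder{"exampletoken": "exampletoken.examplekeyauth"}
	log.Printf("opening HTTP-01-only listener on :%s", http01Port)
	// Binding port 80 needs root or CAP_NET_BIND_SERVICE.
	log.Fatal(http.ListenAndServe(":"+http01Port, challengeOnlyHandler(responder)))
}
```

The redirect keeps the path and query so a client that hit port 80 by mistake lands on the TLS listener, while an unknown token gets a plain 404 from the responder rather than falling through to any other handler.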

comment:2 Changed 5 months ago by arlolra

Status: needs_review → merge_ready

Looks good. Hopefully nobody running this wants to enable TLS on port 80.

comment:3 Changed 5 months ago by dcf

Resolution: fixed
Status: merge_ready → closed

Thanks, merged as d0686b1c8d.
