Add logging of "oldTLS" bit (#6008)

This causes the VA to emit ValidationRecords with the OldTLS bit set when
it observes a redirect to HTTPS that negotiates TLS < 1.2.

I've manually tested but there is not yet an integration test. I need
to make a parallel change in challtestsrv and then incorporate here.
This commit is contained in:
Jacob Hoffman-Andrews 2022-03-21 11:34:03 -07:00 committed by GitHub
parent 4cb3afc9a3
commit 07cb1179d0
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 0 deletions


@ -169,6 +169,11 @@ type ValidationRecord struct {
// ...
// }
AddressesTried []net.IP `json:"addressesTried,omitempty"`
// OldTLS is true if any request in the validation chain used HTTPS and negotiated
// a TLS version lower than 1.2.
// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
OldTLS bool `json:"oldTLS,omitempty"`
}
func looksLikeKeyAuthorization(str string) error {


@ -494,6 +494,7 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
// addresses explicitly, not following redirects to ports != [80,443], etc)
records := []core.ValidationRecord{baseRecord}
numRedirects := 0
var oldTLS bool
processRedirect := func(req *http.Request, via []*http.Request) error {
va.log.Debugf("processing a HTTP redirect from the server to %q", req.URL.String())
// Only process up to maxRedirect redirects
@ -503,6 +504,11 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
numRedirects++
va.metrics.http01Redirects.Inc()
// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
if req.Response.TLS != nil && req.Response.TLS.Version < tls.VersionTLS12 {
oldTLS = true
}
// If the response contains an HTTP 303 or any other forbidden redirect,
// do not follow it. The four allowed redirect status codes are defined
// explicitly in BRs Section 3.2.2.4.19. Although the go stdlib currently
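Review bot: The TLS-version test is written out twice — here on `req.Response.TLS` inside processRedirect and again on `httpResponse.TLS` in the third hunk (the one that sets `records[len(records)-1].OldTLS`) — each carrying its own copy of the TODO(#6011) comment, so the removal tracked by that issue has to find both sites. One helper keeps a single definition and a single TODO: `func negotiatedOldTLS(resp *http.Response) bool { return resp != nil && resp.TLS != nil && resp.TLS.Version < tls.VersionTLS12 }`, called as `if negotiatedOldTLS(req.Response) { oldTLS = true }` and `if negotiatedOldTLS(httpResponse) { oldTLS = true }`; the `resp != nil` guard also covers the case where `req.Response` is unset. Note also that the flag is stored only on the final record, so which redirect hop negotiated TLS 1.0/1.1 cannot be recovered from the records; if that matters for #6011, a `va.log.Debugf` naming `req.URL` at the point `oldTLS` is set here would preserve it. processHTTPValidation's body extends outside both hunks.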
@ -618,6 +624,15 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
records[len(records)-1].URL, records[len(records)-1].AddressUsed, httpResponse.StatusCode)
}
// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
if httpResponse.TLS != nil && httpResponse.TLS.Version < tls.VersionTLS12 {
oldTLS = true
}
if oldTLS {
records[len(records)-1].OldTLS = true
}
// At this point we've made a successful request (be it from a retry or
// otherwise) and can read and process the response body.
body, err := ioutil.ReadAll(&io.LimitedReader{R: httpResponse.Body, N: maxResponseSize})