From 07cb1179d01431ae277b3d8b5c5bf3e84adce608 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Mon, 21 Mar 2022 11:34:03 -0700
Subject: [PATCH] Add logging of "oldTLS" bit (#6008)

That causes the VA to emit ValidationRecords with the OldTLS bit set if it observes a redirect to HTTPS that negotiates TLS < 1.2. I've manually tested but there is not yet an integration test. I need to make a parallel change in challtestsrv and then incorporate here.
---
 core/objects.go | 5 +++++
 va/http.go | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/core/objects.go b/core/objects.go
index 215af4889..9e328e823 100644
--- a/core/objects.go
+++ b/core/objects.go
@@ -169,6 +169,11 @@ type ValidationRecord struct {
 	// ...
 	// }
 	AddressesTried []net.IP `json:"addressesTried,omitempty"`
+
+	// OldTLS is true if any request in the validation chain used HTTPS and negotiated
+	// a TLS version lower than 1.2.
+	// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
+	OldTLS bool `json:"oldTLS,omitempty"`
 }
 
 func looksLikeKeyAuthorization(str string) error {
diff --git a/va/http.go b/va/http.go
index e42d2b47a..3af9f906d 100644
--- a/va/http.go
+++ b/va/http.go
@@ -494,6 +494,7 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 	// addresses explicitly, not following redirects to ports != [80,443], etc)
 	records := []core.ValidationRecord{baseRecord}
 	numRedirects := 0
+	var oldTLS bool
 	processRedirect := func(req *http.Request, via []*http.Request) error {
 		va.log.Debugf("processing a HTTP redirect from the server to %q", req.URL.String())
 		// Only process up to maxRedirect redirects
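Review bot: The new doc comment on OldTLS says the bit reflects "any request in the validation chain", but the va/http.go hunks in this same patch write it onto `records[len(records)-1]` only, so a consumer that inspects each ValidationRecord individually will not find the hop that actually negotiated TLS < 1.2 flagged. Either state that in the comment — e.g. `// Set only on the final ValidationRecord of a validation; earlier redirect hops are not individually flagged.` — or set the bit per hop in the VA. Since `omitempty` drops a false bool from the JSON, also worth noting that absence of the key means "no old TLS observed" rather than "not checked". The ValidationRecord struct definition starts outside the hunk.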
@@ -503,6 +504,11 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 		numRedirects++
 		va.metrics.http01Redirects.Inc()
 
+		// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
+		if req.Response.TLS != nil && req.Response.TLS.Version < tls.VersionTLS12 {
+			oldTLS = true
+		}
+
 		// If the response contains an HTTP 303 or any other forbidden redirect,
 		// do not follow it. The four allowed redirect status codes are defined
 		// explicitly in BRs Section 3.2.2.4.19. Although the go stdlib currently
@@ -618,6 +624,15 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 			records[len(records)-1].URL, records[len(records)-1].AddressUsed, httpResponse.StatusCode)
 	}
 
+	// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
+	if httpResponse.TLS != nil && httpResponse.TLS.Version < tls.VersionTLS12 {
+		oldTLS = true
+	}
+
+	if oldTLS {
+		records[len(records)-1].OldTLS = true
+	}
+
 	// At this point we've made a successful request (be it from a retry or
 	// otherwise) and can read and process the response body.
 	body, err := ioutil.ReadAll(&io.LimitedReader{R: httpResponse.Body, N: maxResponseSize})
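Review bot: The TLS version of the redirecting hop is folded into the single function-level `oldTLS` flag instead of being attached to the record of the hop that negotiated it, so the emitted ValidationRecords cannot tell an operator which URL in the chain still speaks TLS 1.0/1.1. If `records[len(records)-1]` is the record for the request that produced `req.Response` at this point (the record-append logic is outside the hunk), writing `records[len(records)-1].OldTLS = true` here would keep that attribution. Reading `req.Response.TLS` without a nil check on `req.Response` is safe inside a CheckRedirect callback because net/http populates `Response` on redirect-created requests, but a one-line comment such as `// req.Response is always set for requests created by a client redirect.` would save the next reader from adding a defensive check. processHTTPValidation starts and ends outside the hunk.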
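Review bot: `oldTLS` is never reset between attempts, so if the request whose response is checked here came from a retry (the existing comment says "be it from a retry or otherwise"; the retry code is outside the hunk), a TLS 1.0/1.1 redirect hop from the abandoned first attempt would flag the retried chain's final record even when every hop of the retry negotiated TLS 1.2. If that path exists, clear the flag where the retry begins or set OldTLS per record rather than via the shared bool. Note also that the bit is only written after a successful final response, so an old-TLS hop on a chain that ultimately fails is never reported; if the bit is meant to size the TLS 1.0/1.1 deprecation tracked in #6011, that undercount deserves a comment like `// Only recorded for validations that reach a final response; failed chains are not counted.`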