

Add logging of "oldTLS" bit (letsencrypt#6008)
That causes the VA to emit ValidationRecords with the OldTLS bit set if
it observes a redirect to HTTPS that negotiates TLS < 1.2.

I've manually tested but there is not yet an integration test. I need
to make a parallel change in challtestsrv and then incorporate here.
jsha authored Mar 21, 2022
1 parent 4cb3afc commit 07cb117
Showing 2 changed files with 20 additions and 0 deletions.
5 changes: 5 additions & 0 deletions core/objects.go
Expand Up @@ -169,6 +169,11 @@ type ValidationRecord struct {
// ...
// }
AddressesTried []net.IP `json:"addressesTried,omitempty"`

// OldTLS is true if any request in the validation chain used HTTPS and negotiated
// a TLS version lower than 1.2.
// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
OldTLS bool `json:"oldTLS,omitempty"`
}

func looksLikeKeyAuthorization(str string) error {
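Review bot: The doc comment on `OldTLS` describes a property of the whole validation chain ("any request in the validation chain"), but the field lives on every `ValidationRecord`, so a reader of a multi-record chain cannot tell from the comment which record(s) will carry the bit; as far as this commit shows, the va/http.go change sets it only on the last record (`records[len(records)-1].OldTLS = true`). Suggest saying so in the comment: `// The bit is recorded on the last record of the chain only, not on the hop that negotiated the old version.` It may also be worth a short remark next to the `omitempty` tag that a false value is omitted from the JSON, so consumers cannot distinguish "no old TLS observed" from records written before this field existed, if that distinction matters to whoever reads the persisted records.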
15 changes: 15 additions & 0 deletions va/http.go
Expand Up @@ -494,6 +494,7 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
// addresses explicitly, not following redirects to ports != [80,443], etc)
records := []core.ValidationRecord{baseRecord}
numRedirects := 0
var oldTLS bool
processRedirect := func(req *http.Request, via []*http.Request) error {
va.log.Debugf("processing a HTTP redirect from the server to %q", req.URL.String())
// Only process up to maxRedirect redirects
Expand All @@ -503,6 +504,11 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
numRedirects++
va.metrics.http01Redirects.Inc()

// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
if req.Response.TLS != nil && req.Response.TLS.Version < tls.VersionTLS12 {
oldTLS = true
}

// If the response contains an HTTP 303 or any other forbidden redirect,
// do not follow it. The four allowed redirect status codes are defined
// explicitly in BRs Section 3.2.2.4.19. Although the go stdlib currently
Expand Down Expand Up @@ -618,6 +624,15 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
records[len(records)-1].URL, records[len(records)-1].AddressUsed, httpResponse.StatusCode)
}

// TODO(#6011): Remove once TLS 1.0 and 1.1 support is gone.
if httpResponse.TLS != nil && httpResponse.TLS.Version < tls.VersionTLS12 {
oldTLS = true
}

if oldTLS {
records[len(records)-1].OldTLS = true
}

// At this point we've made a successful request (be it from a retry or
// otherwise) and can read and process the response body.
body, err := ioutil.ReadAll(&io.LimitedReader{R: httpResponse.Body, N: maxResponseSize})
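Review bot: The check added in the second hunk (the `req.Response.TLS` test right after `numRedirects++`) already knows which hop negotiated TLS < 1.2, but the result is carried in the function-scoped `oldTLS` flag and written only onto `records[len(records)-1]` in the third hunk, so for a multi-hop chain the persisted records no longer say which hop actually used the old version. Setting the bit on that hop's record at detection time (probably the last element of `records` before the redirect target's record is appended — `processRedirect`'s body continues outside the hunk, so the indexing needs confirming) would keep the chain-wide "any hop" semantics while also identifying the hop. If the last-record placement is deliberate, a why-comment at the `if oldTLS` block would help, e.g. `// Mark only the final record so the bit is persisted with the chain regardless of which hop negotiated the old version.` The diffstat's 15 additions are all accounted for by the three hunks, so `crypto/tls` is presumably already imported in va/http.go; worth a quick confirmation since `tls.VersionTLS12` is a new reference in this file.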
