Closed kellpossible closed 3 months ago
Might be okay to teach webpki about this extension?
I don't think we can teach webpki to accept this critical extension, because that means it would be (quoting the RFC) "inadvertently used by non-ACME software".
Instead I would suggest that an ACME user must avoid the with_single_cert API, and instead use with_cert_resolver -- I think you actually want to do that anyway, because with_single_cert ignores the SNI value?
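As an added example (not code from this issue, nor from rustls or webpki), here is the dispatch an ACME user would put inside a ResolvesServerCert::resolve implementation when following the with_cert_resolver suggestion: the challenge certificate carrying the critical acmeIdentifier extension is only ever handed out to a tls-alpn-01 validator, and ordinary clients only ever see the normal certificate. rustls's CertifiedKey and ClientHello are replaced with plain stand-ins (an assumption, so the block compiles on its own); the ALPN rule comes from RFC 8737.

```rust
// Added example, not from the webpki/rustls issue: selection logic for a
// `ResolvesServerCert` impl. rustls's `CertifiedKey` and `ClientHello` are
// replaced by stand-ins so the block compiles stand-alone (assumption).
use std::collections::HashMap;

/// ALPN protocol id a tls-alpn-01 validator offers (RFC 8737, section 3).
pub const ACME_TLS_ALPN: &[u8] = b"acme-tls/1";

/// Stand-in for rustls's `CertifiedKey`; only a label is kept here.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CertifiedKey {
    pub label: &'static str,
}

/// What the resolver reads from the ClientHello (rustls exposes the same
/// data through `ClientHello::server_name()` and `ClientHello::alpn()`).
pub struct HelloInfo<'a> {
    pub server_name: Option<&'a str>,
    pub alpn: Vec<&'a [u8]>,
}

pub struct AcmeAwareResolver {
    /// Certificate for ordinary traffic; it has no acmeIdentifier extension,
    /// so webpki parses it without complaint.
    pub default: CertifiedKey,
    /// Challenge certificates keyed by the (lower-cased) identifier being
    /// validated; inserted when the order starts, removed when it finishes.
    pub pending: HashMap<String, CertifiedKey>,
}

impl AcmeAwareResolver {
    pub fn add_challenge(&mut self, identifier: &str, key: CertifiedKey) {
        self.pending.insert(identifier.to_ascii_lowercase(), key);
    }

    pub fn remove_challenge(&mut self, identifier: &str) {
        self.pending.remove(&identifier.to_ascii_lowercase());
    }

    pub fn resolve(&self, hello: &HelloInfo<'_>) -> Option<&CertifiedKey> {
        let wants_acme = hello.alpn.iter().any(|p| *p == ACME_TLS_ALPN);
        match (wants_acme, hello.server_name) {
            // Validator probing a pending challenge: serve the challenge cert.
            (true, Some(name)) => self.pending.get(&name.to_ascii_lowercase()),
            // acme-tls/1 offered without SNI: nothing to validate, refuse.
            (true, None) => None,
            // Ordinary client: the challenge cert must never be sent here.
            (false, _) => Some(&self.default),
        }
    }
}
```

Returning None from the acme-tls/1 arms makes the handshake fail rather than silently falling back to the production certificate, which is the behaviour a validator expects when no challenge is pending.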
@ctz thanks, it was my thought to work around this issue using an implementation of ResolvesServerCert, I'll give it a try. I'm using LazyConfigAcceptor so already have access to the SNI I think.
Instead I would suggest that an ACME user must avoid the with_single_cert API, and instead use with_cert_resolver
I also think this is the correct course of action. I'm going to close this issue for now since I think the consensus is there's no change to be made in webpki. If you run into any further difficulties reworking your application to use a cert resolver please feel free to open a new issue (perhaps in Rustls instead of webpki if required).
Thanks!
Thanks everyone for the feedback, I was able to work around this using a method similar to what was suggested, and am happy for this issue to be closed
(reply sent by email to Daniel McCarney's comment of Mon, 26 Aug 2024, 23:47)
(@kellpossible if you think it would make sense we could consider hosting some of the boring mechanics of this in instant-acme.)
With this commit https://github.com/rustls/rustls/commit/20fdce6ad961c4b2901b42cc8c0289e4d51b3cd2#diff-dd9aec7fb5c3190624000b6f4575f16e932e493437a4a032233db84016e94da7R69 it's no longer possible to use a certificate with the ACME extension with rustls's ConfigBuilder::with_single_cert() because it now attempts to parse the certificate as part of the keys_match() implementation, which now returns an error: InvalidCertificate(Other(OtherError(UnsupportedCriticalExtension))). Perhaps this should be a bug report with rustls, I'm not really sure. I think this is the RFC for the extension: https://www.rfc-editor.org/rfc/rfc8737.html