On Mar 23, 2019, at 3:39 PM, Daniel Holth firstname.lastname@example.org wrote:
Wow! Such broken. I was starting to get suspicious of openssl myself. Poor documentation about the rules on context switching and whether doing things in a certain order should trigger callbacks.
In fairness, they do realize that this is a bit of a mess, and eventually one hopes there will be something better: https://github.com/openssl/openssl/issues/6109
At least you can get a cert when the ALPN / ACME certificate (and DEFAULT?) is the only one provided by twisted. If the several attempts they make came from the same IP address that might be one way to hack it.
What IP addresses does Let’s Encrypt use to validate my web server?
We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.
If it gets that bad I'll put the ClientHello regex next to the regex-based pkcs parser from my rsalette library :)
Oh no :-(. Don't do RSA in pure python, that's an invitation to timing attacks.
Fixing the http-01 challenge is a very rational suggestion.
Thanks! If you could get Warner's patch over the finish line, that would probably be the best, most practical step forward.
Twisted-Python mailing list Twisted-Python@twistedmatrix.com https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python