On Mar 23, 2019, at 3:39 PM, Daniel Holth <dholth@gmail.com> wrote:

Wow! Such broken. I was starting to get suspicious of openssl myself.
Poor documentation about the rules on context switching and whether
doing things in a certain order should trigger callbacks.

In fairness, they do realize that this is a bit of a mess, and eventually one hopes there will be something better: https://github.com/openssl/openssl/issues/6109

At least you can get a cert when the ALPN / ACME certificate (and
DEFAULT?) is the only one provided by twisted. If the several attempts
they make came from the same IP address that might be one way to hack

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

Source: https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server

If it gets that bad I'll put the ClientHello regex next to the
regex-based pkcs parser from my rsalette library :)

Oh no :-(.  Don't do RSA in pure python, that's an invitation to timing attacks.

Fixing the http-01 challenge is a very rational suggestion.

Thanks!  If you could get Warner's patch over the finish line, that would probably be the best, most practical step forward.



Twisted-Python mailing list