[build] vcs-test: enable ACME ALPN challenge and use autocert RSA fallback


Filippo Valsorda (Gerrit)

Aug 21, 2018, 11:18:25 AM
to Ian Lance Taylor, goph...@pubsubhelper.golang.org, Filippo Valsorda, golang-co...@googlegroups.com

Filippo Valsorda has uploaded this change for review.


vcs-test: enable ACME ALPN challenge and use autocert RSA fallback

The SNI challenge is not supported by Let's Encrypt anymore, replaced by
the ALPN one, which requires an extra config entry.

Also, autocert now knows how to do RSA fallback, so remove that code.

Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
---
M go.mod
M go.sum
M vcs-test/vcweb/main.go
3 files changed, 10 insertions(+), 24 deletions(-)

diff --git a/go.mod b/go.mod
index 16fe4ba..2380ddd 100644
--- a/go.mod
+++ b/go.mod
@@ -59,7 +59,7 @@
github.com/tarm/serial v0.0.0-20180114052751-eaafced92e96
go.opencensus.io v0.14.0 // indirect
go4.org v0.0.0-20180417224846-9599cf28b011
- golang.org/x/crypto v0.0.0-20180807104621-f027049dab0a
+ golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac
golang.org/x/net v0.0.0-20180808004115-f9ce57c11b24
golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc
golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852
diff --git a/go.sum b/go.sum
index 3afe1f1..82e4528 100644
--- a/go.sum
+++ b/go.sum
@@ -123,6 +123,8 @@
go4.org v0.0.0-20180417224846-9599cf28b011/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
golang.org/x/crypto v0.0.0-20180807104621-f027049dab0a h1:PulT0Y50PcfTWomfsD39bSQyVrjjWdIuJKfyR4nOCJw=
golang.org/x/crypto v0.0.0-20180807104621-f027049dab0a/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac h1:7d7lG9fHOLdL6jZPtnV4LpI41SbohIJ1Atq7U991dMg=
+golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/net v0.0.0-20180808004115-f9ce57c11b24 h1:mEsFm194MmS9vCwxFy+zwu0EU7ZkxxMD1iH++vmGdUY=
golang.org/x/net v0.0.0-20180808004115-f9ce57c11b24/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/oauth2 v0.0.0-20180724155351-3d292e4d0cdc h1:3ElrZeO6IBP+M8kgu5YFwRo92Gqr+zBg3aooYQ6ziqU=
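Review bot: the two unchanged lines above the added ones still carry the checksums for the previous golang.org/x/crypto version (f027049dab0a), which go.mod no longer requires after this change; go.sum tolerates stale entries, but running `go mod tidy` would drop them so the checksum file only vouches for versions that are actually pinned. Worth confirming the new `h1:` line for 614d502a4dac was generated by the go tool on a fresh fetch rather than copied in, since that hash is the supply-chain check on the downloaded module.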
diff --git a/vcs-test/vcweb/main.go b/vcs-test/vcweb/main.go
index c4c28a8..a3d6028 100644
--- a/vcs-test/vcweb/main.go
+++ b/vcs-test/vcweb/main.go
@@ -91,19 +91,16 @@
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("vcs-test.golang.org"),
}
- mRSA := autocert.Manager{
- Client: &acme.Client{DirectoryURL: dir},
- Cache: autocertcache.NewGoogleCloudStorageCache(client, "vcs-test-autocert-rsa"),
- Prompt: autocert.AcceptTOS,
- HostPolicy: autocert.HostWhitelist("vcs-test.golang.org"),
- ForceRSA: true,
- }
s := &http.Server{
Addr: ":https",
Handler: handler,
TLSConfig: &tls.Config{
MinVersion: tls.VersionSSL30,
- GetCertificate: fallbackSNI(mRSA.GetCertificate, m.GetCertificate, "vcs-test.golang.org"),
+ GetCertificate: fallbackSNI(m.GetCertificate, "vcs-test.golang.org"),
+ NextProtos: []string{
+ "h2", "http/1.1", // enable HTTP/2
+ acme.ALPNProto, // enable tls-alpn ACME challenges
+ },
},
}

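Review bot: `MinVersion: tls.VersionSSL30` on the context line just above the edited `GetCertificate` still allows SSL 3.0 handshakes on the `:https` listener; now that certificate selection no longer branches on the client's TLS version, this is a natural moment to raise it to `tls.VersionTLS10` or higher and cut off the legacy protocol. The `NextProtos` addition is what the ALPN challenge needs, and keeping `h2` first preserves HTTP/2 for normal clients. One leftover: with `mRSA` removed, the "vcs-test-autocert-rsa" cache bucket is no longer referenced anywhere in this file and can be retired.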
@@ -173,7 +170,7 @@
tw.Flush()
}

-func fallbackSNI(getCertRSA, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), host string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+func fallbackSNI(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), host string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
saveHello(hello)
if hello.ServerName == "" {
@@ -181,20 +178,7 @@
hello = &h
hello.ServerName = host
}
- var cert *tls.Certificate
- var err error
- if len(hello.SupportedVersions) > 0 && hello.SupportedVersions[0] >= tls.VersionTLS12 {
- cert, err = getCert(hello)
- if strings.HasSuffix(hello.ServerName, ".acme.invalid") && err != nil {
- cert, err = getCertRSA(hello)
- }
- } else {
- cert, err = getCertRSA(hello)
- }
- if err != nil {
- fmt.Fprintf(os.Stderr, "getCert: %v\n", err)
- }
- return cert, err
+ return getCert(hello)
}
}

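Review bot: the `fmt.Fprintf(os.Stderr, "getCert: %v\n", err)` line goes away together with the RSA branching, so a failed certificate lookup (an ACME challenge that does not complete, a request for a host outside the whitelist) now shows up only as a TLS handshake failure on the client with nothing in the server log; consider keeping the `if err != nil { fmt.Fprintf(...) }` around the new `return getCert(hello)`. Also check that `strings`, `fmt` and `os` are still used elsewhere in main.go, since nothing in this patch touches the import block and an unused import would fail the build.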

To view, visit change 130418. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Gerrit-Change-Number: 130418
Gerrit-PatchSet: 1
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-MessageType: newchange

Filippo Valsorda (Gerrit)

Aug 21, 2018, 11:22:56 AM
to Filippo Valsorda, Andrew Bonventre, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Filippo Valsorda uploaded patch set #2 to this change.


vcs-test: enable ACME ALPN challenge and use autocert RSA fallback

The SNI challenge is not supported by Let's Encrypt anymore, replaced by
the ALPN one, which requires an extra config entry.

Also, autocert now knows how to do RSA fallback, so remove that code.

Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
---
M vcs-test/vcweb/main.go
1 file changed, 7 insertions(+), 23 deletions(-)


Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Gerrit-Change-Number: 130418
Gerrit-PatchSet: 2
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Andrew Bonventre <andy...@golang.org>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-MessageType: newpatchset

Brad Fitzpatrick (Gerrit)

Aug 21, 2018, 11:53:19 AM
to Filippo Valsorda, goph...@pubsubhelper.golang.org, Brad Fitzpatrick, Andrew Bonventre, golang-co...@googlegroups.com

Patch set 2:Code-Review +2


1 comment:


Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Gerrit-Change-Number: 130418
Gerrit-PatchSet: 2
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Andrew Bonventre <andy...@golang.org>
Gerrit-Reviewer: Brad Fitzpatrick <brad...@golang.org>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Comment-Date: Tue, 21 Aug 2018 15:53:18 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

Filippo Valsorda (Gerrit)

Aug 21, 2018, 2:21:10 PM
to Filippo Valsorda, Brad Fitzpatrick, Andrew Bonventre, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Filippo Valsorda uploaded patch set #3 to this change.


vcs-test: enable ACME ALPN challenge and use autocert RSA fallback

The SNI challenge is not supported by Let's Encrypt anymore, replaced by
the ALPN one, which requires an extra config entry.

Also, autocert now knows how to do RSA fallback, so remove that code.

Updates golang/go#27127


Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
---
M vcs-test/vcweb/main.go
1 file changed, 7 insertions(+), 23 deletions(-)


Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Gerrit-Change-Number: 130418
Gerrit-PatchSet: 3
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Andrew Bonventre <andy...@golang.org>
Gerrit-Reviewer: Brad Fitzpatrick <brad...@golang.org>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-MessageType: newpatchset

Filippo Valsorda (Gerrit)

Aug 21, 2018, 4:11:59 PM
to Filippo Valsorda, Brad Fitzpatrick, Andrew Bonventre, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Filippo Valsorda uploaded patch set #4 to this change.


vcs-test/vcweb: enable ACME ALPN challenge and use autocert RSA fallback


The SNI challenge is not supported by Let's Encrypt anymore, replaced by
the ALPN one, which requires an extra config entry.

Also, autocert now knows how to do RSA fallback, so remove that code.

Updates golang/go#27127

Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
---
M vcs-test/vcweb/main.go
1 file changed, 7 insertions(+), 23 deletions(-)


Gerrit-Project: build
Gerrit-Branch: master
Gerrit-Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Gerrit-Change-Number: 130418
Gerrit-PatchSet: 4

Filippo Valsorda (Gerrit)

Aug 21, 2018, 4:12:14 PM
to Filippo Valsorda, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Brad Fitzpatrick, Andrew Bonventre, golang-co...@googlegroups.com

Filippo Valsorda merged this change.


Approvals: Brad Fitzpatrick: Looks good to me, approved
vcs-test/vcweb: enable ACME ALPN challenge and use autocert RSA fallback


The SNI challenge is not supported by Let's Encrypt anymore, replaced by
the ALPN one, which requires an extra config entry.

Also, autocert now knows how to do RSA fallback, so remove that code.

Updates golang/go#27127

Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Reviewed-on: https://go-review.googlesource.com/130418
Reviewed-by: Brad Fitzpatrick <brad...@golang.org>

---
M vcs-test/vcweb/main.go
1 file changed, 7 insertions(+), 23 deletions(-)

Gerrit-PatchSet: 5
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Andrew Bonventre <andy...@golang.org>
Gerrit-Reviewer: Brad Fitzpatrick <brad...@golang.org>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-MessageType: merged