Let's Encrypt 撤銷了兩百萬個以 tls-alpn-01 驗證的憑證

前幾天 Let's Encrypt 決定撤銷大約兩百萬個以 tls-alpn-01 簽發的憑證:「2022.01.25 Issue with TLS-ALPN-01 Validation Method」,在 Hacker News 上的討論「Issue with TLS-ALPN-01 Validation Method (letsencrypt.org)」也可以翻一下。

這次主要是有兩個修改,第一個是要 TLSv1.2 以上,不支援舊版的 TLS 驗證:

First, we now guarantee that our client which reaches out to conduct the “acme-tls/1” handshake will negotiate TLS version 1.2 or higher. If your ACME client or integration only supports a maximum TLS version of 1.1 when conducting the TLS-ALPN-01 challenge, it will break. We are not aware of any ACME clients with this limitation.

另外一個是淘汰掉 legacy OID:

Second, we no longer support the legacy 1.3.6.1.5.5.7.1.30.1 OID which was used to identify the acmeIdentifier extension in earlier drafts of RFC 8737. We now only accept the standardized OID 1.3.6.1.5.5.7.1.31. If your client uses the wrong OID when constructing the certificate used for the TLS-ALPN-01 handshake, it will break. Please either update your client, or switch to using a different validation method.

目前還是以 http-01 與 dns-01 為主,暫時不用管,但如果有人用 tls-alpn-01 的稍微注意一下吧...

在 Ubuntu 14.04 上執行支援 ALPN 的 nginx

在「Migrate to Ubuntu 16.04」這邊看到換 16.04 的理由:

支援 http2 是升級到 Ubuntu 16.04 很大的動機。原因是前一版 14.04 裡 openssl 太舊,不支援 ALPN 協定,Chrome 瀏覽器又放棄了 NPN 的舊協定,詳細。你要嘛自己編譯 nginx ,要嘛就是升級到 16.04 才能解決。選哪個方法就看各公司的政策,升了 OS 問題就直接解決了。

不過 Ondřej Surý 包了一個有新版 openssl 的套件出來,所以在 12.04 或是 14.04 都可以使用 ALPN 版本的 nginx:「PPA for NGINX with HTTP/2 on Ubuntu 12.04 LTS and higher」。

目前 16.04 上的 Puppet 爛了不少東西,還是得靠 14.04 吃飯... orz

Chrome 宣佈 SPDY 的退役,只支援 HTTP/2 (ALPN)

Google Chrome 將在今年 (2016) 的五月 15 日讓 SPDYHTTP/2 NPN 退役:「Transitioning from SPDY to HTTP/2」。

主要是依據 Google Chrome 的流量數據,HTTP/2 大約佔了 25% 的流量 (目前檯面上大網站的 HTTPS 都支援了),而 SPDY 只剩下 5% 的量:

Over 25% of resources in Chrome are currently served over HTTP/2, compared to less than 5% over SPDY.

另外一個是對 HTTP/2 NPN 的支援將同一個時間關閉,只支援 ALPN

At the same time, Chrome will stop supporting the TLS protocol extension NPN, which allows servers to negotiate SPDY and HTTP/2 connections with clients. NPN has been superseded by the TLS extension ALPN, published by the IETF in 2014. ALPN is already used 99% of the time to negotiate HTTP/2 with Chrome, and the remaining servers can gain ALPN support by upgrading their SSL library.

所以還有四個月的時間...

nginx 1.9.5:支援 HTTP/2!

前幾天 nginx 釋出 1.9.5 版,支援 HTTP/2 (ngx_http_v2_module):「NGINX Open Source 1.9.5 Released with HTTP/2 Support」。

不過預設是沒有編進去的,需要用 --with-http_v2_module 開起來:

This module is not built by default, it should be enabled with the --with-http_v2_module configuration parameter.

要注意的是,由於是透過 ALPN 實作,需要 OpenSSL 1.0.2 之後的版本:

Note that accepting HTTP/2 connections over TLS requires the “Application-Layer Protocol Negotiation” (ALPN) TLS extension support, which is available only since OpenSSL version 1.0.2. Using the “Next Protocol Negotiation” (NPN) TLS extension for this purpose (available since OpenSSL version 1.0.1) is not guaranteed.

不過 PPANGINX Mainline 這邊還沒更新到 1.9.5,反正 SPDY 現在的佔有率還是比 HTTP/2 高,再等等吧...