TLS-ALPN-01 support uses obsolete id-pe-acmeIdentifier OID #395

Closed
opened 2025-12-29 01:24:23 +01:00 by adam · 2 comments
Owner

Originally created by @cpu on GitHub (Jan 4, 2019).

👋 Hi folks,

It's very cool that `dehydrated` has TLS-ALPN-01 support! Thank you for implementing this, I know it's a very new standard.

I noticed however that you're using the obsolete/incorrect `id-pe-acmeIdentifier` OID (`1.3.6.1.5.5.7.1.30.1`) that was specified in [draft-ietf-acme-tls-alpn-01](https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-01):

https://github.com/lukas2511/dehydrated/blob/92aa1ecd5ae27f9fb72aaae13a40cfe32770a8f5/dehydrated#L936

That value was in conflict with another IANA assignment and the most-current TLS-ALPN-01 draft ([draft-ietf-tls-alpn-05](https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05)) uses a different OID: `1.3.6.1.5.5.7.1.31`. See [Section 5.1](https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1).

Let's Encrypt/Boulder presently [allow TLS-ALPN-01 validation for either OID](https://github.com/letsencrypt/boulder/blob/9afa0f7f1967fd4b8c63f4a100a2795461b36609/va/va.go#L801) but we will be removing support for the obsolete OID at an unspecified future date. The sooner you're using the new OID the better :-)

You can test that you're using the correct OID by performing a TLS-ALPN-01 challenge against a [Pebble](https://github.com/letsencrypt/pebble) ACME server running with the `-strict` argument. This implementation will reject the obsolete OID.

Thanks again!
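An added example, not code from dehydrated, Boulder or Pebble: Python (stdlib only) that DER-encodes the two OIDs named in the issue, builds the acmeIdentifier extension value a client puts in its challenge certificate, emits the openssl config line form in which such scripts typically pass it, and classifies which OID a DER certificate carries, so a deployment can be checked before Boulder drops the obsolete value. The keyAuthorization input is a constructed sample, and the certificate scan is a byte-substring heuristic, not a full X.509 parser.

```python
import hashlib
from typing import Optional

# OIDs quoted in the issue: the draft-01 value Boulder will stop accepting,
# and the draft-05 (Section 5.1) value clients should use.
OBSOLETE_ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.30.1"
CURRENT_ACME_IDENTIFIER_OID = "1.3.6.1.5.5.7.1.31"


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted-decimal form."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    assert len(body) < 128  # short-form length suffices for these OIDs
    return bytes([0x06, len(body)]) + bytes(body)


def acme_identifier_extn_value(key_authorization: str) -> bytes:
    """extnValue of the acmeIdentifier extension: an OCTET STRING wrapping the
    DER OCTET STRING of SHA-256(keyAuthorization), i.e. 04 22 04 20 <digest>."""
    digest = hashlib.sha256(key_authorization.encode()).digest()
    inner = bytes([0x04, len(digest)]) + digest  # Authorization ::= OCTET STRING (SIZE(32))
    return bytes([0x04, len(inner)]) + inner


def openssl_ext_config_line(key_authorization: str) -> str:
    """Config form openssl accepts for an arbitrary extension (assumed to be how
    dehydrated-style scripts pass it): OID=critical,DER:<inner OCTET STRING>.
    openssl itself adds the outer extnValue wrapper."""
    inner = acme_identifier_extn_value(key_authorization)[2:]
    return f"{CURRENT_ACME_IDENTIFIER_OID}=critical,DER:" + ":".join(f"{b:02x}" for b in inner)


def classify_acme_identifier_oid(cert_der: bytes) -> Optional[str]:
    """Heuristic: scan a DER certificate for either encoded OID.
    Returns 'current', 'obsolete', or None if neither is present."""
    if encode_oid(CURRENT_ACME_IDENTIFIER_OID) in cert_der:
        return "current"
    if encode_oid(OBSOLETE_ACME_IDENTIFIER_OID) in cert_der:
        return "obsolete"
    return None


if __name__ == "__main__":
    # Constructed sample keyAuthorization ("<token>.<thumbprint>"), not a real one.
    print(openssl_ext_config_line("sample-token.sample-thumbprint"))
```

Feed `classify_acme_identifier_oid` the DER bytes of the certificate your TLS-ALPN-01 responder actually serves (for example from `openssl s_client -alpn acme-tls/1`) to confirm it reports `current`.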
adam closed this issue 2025-12-29 01:24:23 +01:00
Author
Owner

@lukas2511 commented on GitHub (Jan 18, 2019):

Thanks!

Author
Owner

@cpu commented on GitHub (Jan 18, 2019):

Thanks for the fix!


Reference: starred/dehydrated#395