Just to clear up any potential confusion: the ACME Server and the TLS
Server are not the same entity when conducting TLS-ALPN-01 Validation.

The ACME Server is, during a TLS-ALPN-01 validation, acting as a TLS
Client. According to RFC 8737 Section 3, it must, in its `clientHello`
message, include an ALPN extension containing only the single value
"acme-tls/1".

The ACME Client (or its delegate) is, during a TLS-ALPN-01 validation,
acting as a TLS Server. According to RFC 7301 Section 3.1, it must, in its
`serverHello` message, agree to exactly one of the ALPN protocols offered
in the `clientHello`.

The combination of the requirements from these two RFCs is that yes, *both*
the ACME Server / TLS Client *and* the ACME Client / TLS Server must
include just the single value "acme-tls/1" in their respective ALPN
extensions during the TLS handshake.

It is notable, however, that RFC 7301 does not require that the TLS Client
immediately abort the connection if the TLS Server's ALPN extension
contains more than one entry. It simply requires that the TLS Server behave
in a specific way, and leaves the TLS Client's response to such misbehavior
unspecified.

Aaron
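To make the two RFC requirements above concrete, here is an added example (not code from the thread or from any ACME implementation) that encodes and parses the ALPN `ProtocolNameList` wire format from RFC 7301 Section 3.1 and applies the TLS-ALPN-01 rules from each side of the handshake; the strict "treat anything but exactly one offered name as a failure" policy on the TLS-client side is an assumed choice, since RFC 7301 leaves that reaction unspecified.

```python
# Added example: ALPN ProtocolNameList (RFC 7301 Section 3.1) as used by
# TLS-ALPN-01 (RFC 8737 Section 3). Wire format: 2-byte list length, then
# ProtocolName entries, each a 1-byte length followed by the name bytes.
import struct

ACME_TLS_1 = b"acme-tls/1"


def encode_protocol_name_list(names: list[bytes]) -> bytes:
    """Build ALPN extension_data from a list of protocol names."""
    body = b"".join(struct.pack("!B", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body


def decode_protocol_name_list(data: bytes) -> list[bytes]:
    """Parse ALPN extension_data; rejects empty, truncated or over-long lists."""
    if len(data) < 2:
        raise ValueError("extension_data shorter than the 2-byte list length")
    (total,) = struct.unpack("!H", data[:2])
    if total == 0 or total != len(data) - 2:
        raise ValueError("ProtocolNameList length does not match extension_data")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        if n == 0 or pos + 1 + n > len(data):
            raise ValueError("bad ProtocolName length")
        names.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    return names


def select_for_tls_alpn_01(client_hello_alpn: bytes) -> bytes:
    """ACME client acting as TLS server. RFC 8737 says the ClientHello must
    offer only acme-tls/1; RFC 7301 says the ServerHello answers with exactly
    one offered name. Returns the ServerHello ALPN extension_data."""
    offered = decode_protocol_name_list(client_hello_alpn)
    if offered != [ACME_TLS_1]:
        raise ValueError(f"expected only acme-tls/1 in ClientHello ALPN, got {offered}")
    return encode_protocol_name_list([ACME_TLS_1])


def check_server_hello_alpn(server_hello_alpn: bytes, offered: list[bytes]) -> bytes:
    """ACME server acting as TLS client. RFC 7301 leaves the reaction to a
    multi-entry reply unspecified; the policy assumed here is to fail the
    validation unless exactly one offered name comes back."""
    chosen = decode_protocol_name_list(server_hello_alpn)
    if len(chosen) != 1 or chosen[0] not in offered:
        raise ValueError(f"ServerHello ALPN must name exactly one offered protocol, got {chosen}")
    return chosen[0]
```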

On Fri, Feb 4, 2022 at 11:36 AM Matthew McPherrin <mattm=
40letsencrypt....@dmarc.ietf.org> wrote:

> RFC 7301 section 3.1 says:
> > the "ProtocolNameList" MUST contain exactly one "ProtocolName"
>
> On Fri, Feb 4, 2022 at 12:49 PM Salz, Rich <rsalz=
> 40akamai....@dmarc.ietf.org> wrote:
>
>>
>>    - Does "with the single protocol name" mean that it should be
>>    considered an error if the ACME server offers more than a single supported
>>    protocol?
>>
>> Replying with more than one protocol is unspecified behavior.  The
>> recipient could proceed, or treat it as an error.
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme