Just to clear up any potential confusion: the ACME Server and the TLS Server are not the same entity when conducting TLS-ALPN-01 Validation.
The ACME Server is, during a TLS-ALPN-01 validation, acting as a TLS Client. According to RFC 8737 Section 3, it must, in its `clientHello` message, include an ALPN extension containing only the single value "acme-tls/1".

The ACME Client (or its delegate) is, during a TLS-ALPN-01 validation, acting as a TLS Server. According to RFC 7301 Section 3.1, it must, in its `serverHello` message, agree to exactly one of the ALPN protocols offered in the `clientHello`.

The combination of the requirements from these two RFCs is that yes, *both* the ACME Server / TLS Client *and* the ACME Client / TLS Server must include just the single value "acme-tls/1" in their respective ALPN extensions during the TLS handshake.

It is notable, however, that RFC 7301 does not require that the TLS Client immediately abort the connection if the TLS Server's ALPN extension contains more than one entry. It simply requires that the TLS Server behave in a specific way, and leaves the TLS Client's response to such misbehavior unspecified.

Aaron

On Fri, Feb 4, 2022 at 11:36 AM Matthew McPherrin <mattm=40letsencrypt....@dmarc.ietf.org> wrote:

> RFC 7301 section 3.1 says:
>
> the "ProtocolNameList" MUST contain exactly one "ProtocolName"
>
> On Fri, Feb 4, 2022 at 12:49 PM Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:
>
>> - Does "with the single protocol name" mean that it should be considered an error if the ACME server offers more than a single supported protocol?
>>
>> Replying with more than one protocol is unspecified behavior. The recipient could proceed, or treat it as an error.
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
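As an added illustration of the two ALPN rules discussed in the thread (example code, not from the thread or from any ACME implementation), the following Python parses the body of a TLS ALPN extension (RFC 7301 Section 3.1 wire format) and checks it against the RFC 8737 requirement on the ACME server's ClientHello and the RFC 7301 requirement on the ACME client's ServerHello. Function names and sample bytes are constructed for this example.

```python
import struct

ACME_TLS_1 = b"acme-tls/1"  # the only ALPN value permitted by RFC 8737 Section 3


def parse_alpn_extension(data: bytes) -> list:
    """Parse an ALPN extension body into its ProtocolName values.

    Wire format (RFC 7301 3.1): uint16 list length, then repeated
    (uint8 name length, name bytes). Malformed input raises ValueError.
    """
    if len(data) < 2:
        raise ValueError("ALPN extension body too short")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise ValueError("ProtocolNameList length does not match body")
    names, pos = [], 2
    while pos < len(data):
        name_len = data[pos]
        pos += 1
        if name_len == 0 or pos + name_len > len(data):
            raise ValueError("invalid ProtocolName length")
        names.append(data[pos:pos + name_len])
        pos += name_len
    if not names:
        raise ValueError("empty ProtocolNameList")
    return names


def encode_alpn_extension(names) -> bytes:
    """Inverse of parse_alpn_extension; used here to build sample messages."""
    body = b"".join(bytes([len(n)]) + n for n in names)
    return struct.pack("!H", len(body)) + body


def client_hello_alpn_ok(data: bytes) -> bool:
    """ACME server as TLS client: the list must be exactly ["acme-tls/1"]."""
    return parse_alpn_extension(data) == [ACME_TLS_1]


def server_hello_alpn_ok(data: bytes, offered) -> bool:
    """ACME client as TLS server: exactly one name, taken from what the
    client offered, and for TLS-ALPN-01 that name must be acme-tls/1."""
    names = parse_alpn_extension(data)
    return len(names) == 1 and names[0] in offered and names[0] == ACME_TLS_1


if __name__ == "__main__":
    # Constructed sample: a conforming ClientHello ALPN body is 13 bytes.
    hello = encode_alpn_extension([ACME_TLS_1])
    print(hello.hex(), client_hello_alpn_ok(hello))
```

A server that echoes back two names, the misbehaviour the thread discusses, fails `server_hello_alpn_ok` even though RFC 7301 leaves the client's reaction to it unspecified.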