I’m actually working on my Master’s thesis (protocol acme, automation, …) and I can’t find answer to one of my question.
I generate a certificate through tls-alpn-01 challenge with acme.sh client I took some traces but there are some info I can’t find.
In the RFC draft draft-ietf-acme-tls-alpn-01 it’s mentioned the following:
- Verify that the ServerHello contains a ALPN extension containing the value “acme-tls/1” and that the certificate returned contains a subjectAltName extension containing the dNSName being validated and no other entries and a critical acmeValidation extension containing the digest computed in step 1. The comparison of dNSNames MUST be case insensitive [RFC4343]. Note that as ACME doesn’t support Unicode identifiers all dNSNames MUST be encoded using the [RFC3492] rules.
In the tcpdump traces I see the “Client Hello” and it’s containing the extension “application_layer_protocol_negotiation” but in the answer from the server, “Server Hello” I can’t find the extension but in the RFC it’s mandatory.
Does this part of the ciphered data or is it simply missing ? Can someone can help me to figure out if it’s normal ?
Thanks a lot for your help.