Do you think that a 10s timeout would give your devices enough headroom to complete the required handshakes?
Thanks for the reply. I think so. It seems the best I can do in 5s is complete the TLS handshake to 3 of the 4, with the timing of issuing the challenges you discovered I am getting. I don’t get feedback about that though from the server, just the same “timeout” from the one that failed; all I see is we completed them on our side before it sends EOF / hangs up on us, except for the last one. I tried yesterday using the second core on the ESP32 to run a second TLS accept in parallel, but this doesn’t help much since only one thread can use the crypto acceleration at a time, and it’s the signing part of the handshake that takes most of the time (since 2048-bit RSA is mandated by the server, somewhat needlessly in this case since the token is either in the cert’s SAN or not, and the cert is self-signed).
I don’t think it’s likely we would relax this restriction on our end.
I understood from this thread that this is externally mandated, so no point arguing to ignore that. And I understand it’s the job here to err on the side of being conservative. However, there is a sort of problem of definition there: coming from X.509 or whatever defined common usage of the CN, certs themselves have no affinity to specific ports. :443 should be especially authoritative for a cert aimed to be used on :443, but it has no inherent authority for a cert intended for use on another port; all issued certs work on any port. Ports below 1024 equally imply the admin set up the listener or at least admins the router (and as such can direct :443 anywhere too).
It’s just an observation: my plan needed the challenge to come on any port which I realize from the discussion isn’t the direction things are going in and you don’t have a free hand to do it even if you wanted to.
Between HTTP-01, TLS-SNI-01 and DNS-01 there’s a pretty good selection of options available that should work for most cases without needing additional challenge ports.
That is true for the scenario of an IP’s single HTTPS server acquiring the cert. If something already occupies :443 and :80 and something else wants a cert, it’s beyond home users to configure the DNS challenge, I think.
Anyway, thanks for considering increasing the timeout; it will be very helpful.