Hi, after dns-01 I now want to implement tls-sni-01 in my new client.
So I found this rfc a couple of times in the search. For example the acme-divergences document states that boulder implements tls-sni-01 and not -02. Well, that sounds okay to me.
My problem is that I’m receiving only the token parameter. tls-sni-01 describes an additional n parameter (Number of tls-sni-01 iterations) that is obviously missing. And coincidentally tls-sni-02 describes only a single token again!
And now I'm really confused.
My question is: is there an api documentation for the implementation in boulder?
Does anyone have any hidden documentation?
Or can someone point me to the implementation in the boulder source?
Indeed - as @Osiris (Thanks!) points out, there isn't a draft snapshot that captures the TLS-SNI-01 challenge as it exists in Boulder. Draft-01 is close, but there were changes made that weren't captured before the TLS-SNI-02 challenge replaced TLS-SNI-01 outright in Draft-02. Unfortunate side-effect of the IETF draft process and a living document.
Sure! There are two functions you’ll want to look at in the Validation Authority: validateTLSSNI01:
There are also lots of open source ACME clients you could refer to that implement TLS-SNI-01. Certbot, Acme.sh, etc.
I’ll see about updating the divergences document in the Boulder repo to provide a link to a more concrete description of the TLS-SNI-01 challenge implementation since there isn’t a numbered draft that captures it. Thanks for raising the question!