Tls-sni-01 documentation


Hy, after dns-01 I now want to implement tls-sni-01 in my new client.
So I found this rfc a couple of times in the search. For example the acme-divergences document states that boulder implements tls-sni-01 and not -02. Well, that sounds okay to me.

My problem is that I’m receiving only the token parameter. tls-sni-01 describes an additional n parameter (Number of tls-sni-01 iterations) that is obviously missing. And coincidentally tls-sni-02 describes only a single token again!
And now I really confused :confused:

My question is: is there an api documentation for the implementation in boulder?
Does anyone have any hidden documentation?
Or can someone point me to the implementation in the boulder source?


The Boulder divergences page refers to the draft version used. Currently it’s linking to the 7th version of the draft, but you’re using the very first one.

Much has changed, including, apparently, the removal of n.


Are you sure?
Because thats tls-sni-02 you’re referring to.


I was sure, now I’m very sure I was incorrect :stuck_out_tongue:

Now I’m confident you’re correct :wink:


Don’t be too sure about that either :rofl:
Maybe everyone implements tls-sni-02 and just forgot to change the name. Maybe just to confuse the russian…


I think the last remark is quite correct. See:

and more importantly:

There’s a discussion about the whole version bump. It was decided not to do that.

Now we don’t have a valid tls-sni-01 documented unfortunately :disappointed:


Thanks for the effort @Osiris!

Following your links, I will go with this for now:


Indeed - as @Osiris (Thanks!) points out there isn’t a draft snapshot that captures the TLS-SNI-01 challenge as it exists in Boulder. Draft-01 is close but there were changes made that weren’t captured before the TLS-SNI-02 challenge replaced TLS-SNI-01 outright in Draft-02. Unfortunate side-effect of the IETF draft process and a living document :frowning:

Sure! There are two functions you’ll want to look at in the Validation Authority: validateTLSSNI01:

and validateTLSSNI01WithZName:

There are also lots of open source ACME clients you could refer to that implement TLS-SNI-01. Certbot,, etc.

I’ll see about updating the divergences document in the Boulder repo to provide a link to a more concrete description of the TLS-SNI-01 challenge implementation since there isn’t a numbered draft that captures it. Thanks for raising the question!


Thank you for your helpful replies! :+1:
I will look into it.


@cpu is it possible to fix some typos in there?
A full documentation maintainable by Let’s Encrypt would be great!


@lbehm Can you be more specific about where you found the typos? If it was in then please submit a pull request to with the fixes. If it was with then please check if the typo still exists in the current draft: - if it does, submit a pull request with fixes to If it only exists in the specific blob you linked then there isn’t any way to fix it retroactively.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.