vcs-test/vcweb: enable ACME ALPN challenge and use autocert RSA fallback

The SNI challenge is not supported by Let's Encrypt anymore, replaced by
the ALPN one, which requires an extra config entry.

Also, autocert now knows how to do RSA fallback, so remove that code.

Updates golang/go#27127

Change-Id: I45f907101a7c7a57d1a8376208dba4afb10ed6fd
Reviewed-on: https://go-review.googlesource.com/130418
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/vcs-test/vcweb/main.go b/vcs-test/vcweb/main.go
index c4c28a8..a3d6028 100644
--- a/vcs-test/vcweb/main.go
+++ b/vcs-test/vcweb/main.go
@@ -91,19 +91,16 @@
 			Prompt:     autocert.AcceptTOS,
 			HostPolicy: autocert.HostWhitelist("vcs-test.golang.org"),
 		}
-		mRSA := autocert.Manager{
-			Client:     &acme.Client{DirectoryURL: dir},
-			Cache:      autocertcache.NewGoogleCloudStorageCache(client, "vcs-test-autocert-rsa"),
-			Prompt:     autocert.AcceptTOS,
-			HostPolicy: autocert.HostWhitelist("vcs-test.golang.org"),
-			ForceRSA:   true,
-		}
 		s := &http.Server{
 			Addr:    ":https",
 			Handler: handler,
 			TLSConfig: &tls.Config{
 				MinVersion:     tls.VersionSSL30,
-				GetCertificate: fallbackSNI(mRSA.GetCertificate, m.GetCertificate, "vcs-test.golang.org"),
+				GetCertificate: fallbackSNI(m.GetCertificate, "vcs-test.golang.org"),
+				NextProtos: []string{
+					"h2", "http/1.1", // enable HTTP/2
+					acme.ALPNProto, // enable tls-alpn ACME challenges
+				},
 			},
 		}
 
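Review bot: The TLS config extended here still sets `MinVersion: tls.VersionSSL30` (an unchanged context line) with no comment saying why, so a reader cannot tell whether accepting SSLv3 is intentional. If it is deliberate, presumably so that old VCS clients can reach this test host, say so next to the field, e.g. `// SSLv3 accepted on purpose: <reason, e.g. legacy clients under test>`; otherwise raise the floor to the oldest version those clients actually need. With the dedicated RSA manager removed, the certificate type served to legacy clients now rests on autocert's own RSA fallback, which is worth confirming against one such client. The enclosing block starts and ends outside the hunk.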
@@ -173,7 +170,7 @@
 	tw.Flush()
 }
 
-func fallbackSNI(getCertRSA, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), host string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+func fallbackSNI(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), host string) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 		saveHello(hello)
 		if hello.ServerName == "" {
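Review bot: fallbackSNI has no doc comment, and with the RSA branch gone its whole job is the server-name default, which is worth stating above the signature. Something like `// fallbackSNI wraps getCert so that a ClientHello with an empty ServerName is looked up as host; every hello is also passed to saveHello.` would do. The body continues past the end of this hunk.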
@@ -181,20 +178,7 @@
 			hello = &h
 			hello.ServerName = host
 		}
-		var cert *tls.Certificate
-		var err error
-		if len(hello.SupportedVersions) > 0 && hello.SupportedVersions[0] >= tls.VersionTLS12 {
-			cert, err = getCert(hello)
-			if strings.HasSuffix(hello.ServerName, ".acme.invalid") && err != nil {
-				cert, err = getCertRSA(hello)
-			}
-		} else {
-			cert, err = getCertRSA(hello)
-		}
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "getCert: %v\n", err)
-		}
-		return cert, err
+		return getCert(hello)
 	}
 }
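Review bot: A failed certificate lookup is no longer reported by fallbackSNI, because the new `return getCert(hello)` drops the `getCert: %v` line that used to go to stderr. net/http normally logs TLS handshake errors through the server's error log, so the failure may still surface there, but without the prefix that made issuance problems easy to find. If that diagnostic matters for spotting ACME failures on this host, keep it: `cert, err := getCert(hello)`, then `if err != nil { fmt.Fprintf(os.Stderr, "getCert: %v\n", err) }`, then `return cert, err`. The function's signature and opening lines are in the previous hunk.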