remove old ACME tls-sni-01 stuff that LetsEncrypt removed March 2019

bradfitz · bradfitz · commit 91f861402626 · 2022-10-16T18:56:27.000-07:00
No point keeping it around. We can look at the git history to do
something similar later if we end up doing TLS-ALPN-01 in a similar
way.
diff --git a/cmd/tlsrouter/acme.go b/cmd/tlsrouter/acme.go
diff --git a/cmd/tlsrouter/config.go b/cmd/tlsrouter/config.go
@@ -37,7 +37,6 @@ type Route struct {
 type Config struct {
 	mu     sync.Mutex
 	routes []Route
-	acme   *ACME
 }
 
 func dnsRegex(s string) (*regexp.Regexp, error) {
@@ -64,10 +63,6 @@ func (c *Config) Match(hostname string) (string, bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	if strings.HasSuffix(hostname, ".acme.invalid") {
-		return c.acme.Match(hostname), false
-	}
-
 	for _, r := range c.routes {
 		if r.match.MatchString(hostname) {
 			return r.backend, r.proxyInfo
@@ -123,10 +118,6 @@ func (c *Config) Read(r io.Reader) error {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.routes = routes
-	c.acme = &ACME{
-		backends: backends,
-		cache:    make(map[string]acmeCacheEntry),
-	}
 	return nil
 }
 
diff --git a/cmd/tlsrouter/e2e_test.go b/cmd/tlsrouter/e2e_test.go
@@ -34,12 +34,6 @@ func TestRouting(t *testing.T) {
 	}
 	defer s2.Close()
 
-	s3, err := serveTLS(t, "server3", false, "blarghblargh.acme.invalid")
-	if err != nil {
-		t.Fatalf("server TLS server3: %s", err)
-	}
-	defer s3.Close()
-
 	s4, err := serveTLS(t, "server4", true, "proxy.design")
 	if err != nil {
 		t.Fatalf("server TLS server4: %s", err)
@@ -58,9 +52,8 @@ func TestRouting(t *testing.T) {
 	if err := p.Config.ReadString(fmt.Sprintf(`
 test.com %s
 foo.net %s
-borkbork.tf %s
 proxy.design %s PROXY
-`, s1.Addr(), s2.Addr(), s3.Addr(), s4.Addr())); err != nil {
+`, s1.Addr(), s2.Addr(), s4.Addr())); err != nil {
 		t.Fatalf("configure proxy: %s", err)
 	}
 
@@ -73,7 +66,6 @@ proxy.design %s PROXY
 		{"test.com", "server1", s1.Pool, true, false},
 		{"foo.net", "server2", s2.Pool, true, false},
 		{"bar.org", "", s1.Pool, false, false},
-		{"blarghblargh.acme.invalid", "server3", s3.Pool, true, false},
 		{"proxy.design", "server4", s4.Pool, true, true},
 	} {
 		res, transparent, err := getTLS(l.Addr().String(), test.N, test.P)
diff --git a/sni.go b/sni.go
@@ -21,18 +21,13 @@ import (
 	"crypto/tls"
 	"io"
 	"net"
-	"strings"
 )
 
 // AddSNIRoute appends a route to the ipPort listener that routes to
 // dest if the incoming TLS SNI server name is sni. If it doesn't
 // match, rule processing continues for any additional routes on
 // ipPort.
 //
-// By default, the proxy will route all ACME tls-sni-01 challenges
-// received on ipPort to all SNI dests. You can disable ACME routing
-// with AddStopACMESearch.
-//
 // The ipPort is any valid net.Listen TCP address.
 func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
 	p.AddSNIMatchRoute(ipPort, equals(sni), dest)
@@ -43,20 +38,8 @@ func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
 // matcher. If it doesn't match, rule processing continues for any
 // additional routes on ipPort.
 //
-// By default, the proxy will route all ACME tls-sni-01 challenges
-// received on ipPort to all SNI dests. You can disable ACME routing
-// with AddStopACMESearch.
-//
 // The ipPort is any valid net.Listen TCP address.
 func (p *Proxy) AddSNIMatchRoute(ipPort string, matcher Matcher, dest Target) {
-	cfg := p.configFor(ipPort)
-	if !cfg.stopACME {
-		if len(cfg.acmeTargets) == 0 {
-			p.addRoute(ipPort, &acmeMatch{cfg})
-		}
-		cfg.acmeTargets = append(cfg.acmeTargets, dest)
-	}
-
 	p.addRoute(ipPort, sniMatch{matcher: matcher, target: dest})
 }
 
@@ -69,14 +52,6 @@ func (p *Proxy) AddSNIRouteFunc(ipPort string, fn SNITargetFunc) {
 	p.addRoute(ipPort, sniMatch{targetFunc: fn})
 }
 
-// AddStopACMESearch prevents ACME probing of subsequent SNI routes.
-// Any ACME challenges on ipPort for SNI routes previously added
-// before this call will still be proxied to all possible SNI
-// backends.
-func (p *Proxy) AddStopACMESearch(ipPort string) {
-	p.configFor(ipPort).stopACME = true
-}
-
 type sniMatch struct {
 	matcher Matcher
 	target  Target
@@ -102,79 +77,6 @@ func (m sniMatch) match(br *bufio.Reader) (Target, string) {
 	return nil, ""
 }
 
-// acmeMatch matches "*.acme.invalid" ACME tls-sni-01 challenges and
-// searches for a Target in cfg.acmeTargets that has the challenge
-// response.
-type acmeMatch struct {
-	cfg *config
-}
-
-func (m *acmeMatch) match(br *bufio.Reader) (Target, string) {
-	sni := clientHelloServerName(br)
-	if !strings.HasSuffix(sni, ".acme.invalid") {
-		return nil, ""
-	}
-
-	// TODO: cache. ACME issuers will hit multiple times in a short
-	// burst for each issuance event. A short TTL cache + singleflight
-	// should have an excellent hit rate.
-	// TODO: maybe an acme-specific timeout as well?
-	// TODO: plumb context upwards?
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	ch := make(chan Target, len(m.cfg.acmeTargets))
-	for _, target := range m.cfg.acmeTargets {
-		go tryACME(ctx, ch, target, sni)
-	}
-	for range m.cfg.acmeTargets {
-		if target := <-ch; target != nil {
-			return target, sni
-		}
-	}
-
-	// No target was happy with the provided challenge.
-	return nil, ""
-}
-
-func tryACME(ctx context.Context, ch chan<- Target, dest Target, sni string) {
-	var ret Target
-	defer func() { ch <- ret }()
-
-	conn, targetConn := net.Pipe()
-	defer conn.Close()
-	go dest.HandleConn(targetConn)
-
-	deadline, ok := ctx.Deadline()
-	if ok {
-		conn.SetDeadline(deadline)
-	}
-
-	client := tls.Client(conn, &tls.Config{
-		ServerName:         sni,
-		InsecureSkipVerify: true,
-	})
-	if err := client.Handshake(); err != nil {
-		// TODO: log?
-		return
-	}
-	certs := client.ConnectionState().PeerCertificates
-	if len(certs) == 0 {
-		// TODO: log?
-		return
-	}
-	// acme says the first cert offered by the server must match the
-	// challenge hostname.
-	if err := certs[0].VerifyHostname(sni); err != nil {
-		// TODO: log?
-		return
-	}
-
-	// Target presented what looks like a valid challenge
-	// response, send it back to the matcher.
-	ret = dest
-}
-
 // clientHelloServerName returns the SNI server name inside the TLS ClientHello,
 // without consuming any bytes from br.
 // On any error, the empty string is returned.
diff --git a/tcpproxy.go b/tcpproxy.go
@@ -93,9 +93,7 @@ func equals(want string) Matcher {
 
 // config contains the proxying state for one listener.
 type config struct {
-	routes      []route
-	acmeTargets []Target // accumulates targets that should be probed for acme.
-	stopACME    bool     // if true, AddSNIRoute doesn't add targets to acmeTargets.
+	routes []route
 }
 
 // A route matches a connection to a target.
diff --git a/tcpproxy_test.go b/tcpproxy_test.go

Original file line number	Diff line number	Diff line change
`@@ -93,9 +93,7 @@ func equals(want string) Matcher {`
`93`	`93`
`94`	`94`	`// config contains the proxying state for one listener.`
`95`	`95`	`type config struct {`
`96`		`- routes []route`
`97`		`- acmeTargets []Target // accumulates targets that should be probed for acme.`
`98`		`- stopACME bool // if true, AddSNIRoute doesn't add targets to acmeTargets.`
	`96`	`+ routes []route`
`99`	`97`	`}`
`100`	`98`
`101`	`99`	`// A route matches a connection to a target.`