Bugzilla #1751984
Certificate Problem Report
Let's Encrypt: TLS Using ALPN TLS Version and OID
Status: RESOLVED FIXED
Internet Security Research Group
AI Summary
On January 25, 2022, Let's Encrypt was notified of two compliance issues in their TLS-ALPN-01 challenge implementation, which allowed clients to negotiate TLS versions lower than 1.2 and accepted an outdated OID. Both issues were confirmed and led to the temporary disabling of the TLS-ALPN-01 challenge type. Let's Encrypt initiated revocation of approximately 2 million affected certificates, with a commitment to complete this by January 30, 2022. The issues were addressed with code fixes, and a comprehensive review of the validation method was undertaken to prevent future occurrences.
Chronology
- Received bug report regarding TLS-ALPN-01 compliance issues.
- Disabled TLS-ALPN-01 challenge type and began revocation process.
- Completed revocation of all affected certificates.
- Completed review of TLS Using ALPN validation method.
Participants
Aaron Gable
Ryan Sleevi
Charles Wang
Jr Moir
Rob
Matthias
Similar Local Cases
Entrust: SSL Certificates issued with Un-verified IP Addresses
Let's Encrypt: Failure to revoke for Certificate Lifetime Incident
Let's Encrypt: Delay updating OCSP responses
Sectigo: CPR response issues
Let's Encrypt: Failure to provide OCSP Responses for some certificates
Let's Encrypt: Failure to revoke key-compromised certificates within 24 hours
Let's Encrypt: Incomplete and Inconsistent CRLs
Let's Encrypt: keyCompromise key blocking deviation from CP/CPS