I do see quite some random errors from various ip ranges which appear to probe the tls alpn challenge mechanism. As I use the DNS challenge exclusively, is there a way to turn of any of these unused challenge responders?
If you already configured the DNS challenge, Caddy won’t even attempt the TLS-ALPN challenge. However, the responder is still enabled because another Caddy instance (in a cluster, for example) may have initiated a TLS-ALPN challenge and it’s possible this Caddy instance can solve it.
Has the log been redacted at all? Is the error message really "no information found to solve challenge for identifier: " and the "server_name" is actually blank?
I think legit TLS-ALPN challenge connections have SNI set. If that’s the case, I think we can probably be smarter about it by at least ignoring those with an empty SNI. Would that work?
It is in my logs as is, and it is on several caddy instances, the IP numbers this is coming from are not mine. I think this is just some of the random probes for infrastructure and security issues. As I do just use only DNS challenges, I thought turning off my unused responders might reduce my attack surface.
RFC 8737 which defines the TLS-ALPN challenge does have pretty specific requirements for a challenge handshake: SNI cannot be empty, and ALPN must have a single value only. So I’ve implemented a stricter check before trying to solve the challenge:
That should hopefully take care of it for you… probably the next Caddy release will have it.
Alas, there’s no security benefit here AFAICT, but I was able to see how we could be a little more correct in our implementation, so I took a sec to fix it up.