Turn off ALPN challenge responder?

1. The problem I’m having:

I do see quite some random errors from various IP ranges which appear to probe the TLS-ALPN challenge mechanism. As I use the DNS challenge exclusively, is there a way to turn off any of these unused challenge responders?

2. Error messages and/or full log output:

Example error:


```json
{
  "insertId": "1v5d780fd9hn8j",
  "jsonPayload": {
    "message": "tls-alpn challenge",
    "server_name": "",
    "instance": {
      "name": "amun"
    },
    "remote_addr": "172.105.246.139:58096",
    "logger": "tls",
    "error": "no information found to solve challenge for identifier: ",
    "container": {
      "name": "/caddy",
      "imageId": "sha256:d9fbaae3076b1fa228a653fdaa7617e8d7d709245f6bfad16f7cc76fd337279d",
      "id": "18d6df174b37996550964a880a1d10ffe617a7c782486285ae1b77edbefc09a9",
      "created": "2024-05-03T23:37:01.873615668Z",
      "imageName": "jumager/caddy:release"
    }
  },
  "resource": {
    "type": "gce_instance",
    "labels": {
      "project_id": "hosting-349701",
      "zone": "",
      "instance_id": ""
    }
  },
  "timestamp": "2024-05-08T22:37:36.164451669Z",
  "severity": "ERROR",
  "logName": "projects/hosting-349701/logs/ngcplogs-docker-driver",
  "receiveTimestamp": "2024-05-08T22:37:37.188727461Z"
}
```

3. Caddy version:

4. How I installed and ran Caddy:

a. System environment:

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:


5. Links to relevant resources:

If you already configured the DNS challenge, Caddy won’t even attempt the TLS-ALPN challenge. However, the responder is still enabled because another Caddy instance (in a cluster, for example) may have initiated a TLS-ALPN challenge and it’s possible this Caddy instance can solve it.

Has the log been redacted at all? Is the error message really "no information found to solve challenge for identifier: " and the "server_name" is actually blank?

I think legit TLS-ALPN challenge connections have SNI set. If that’s the case, I think we can probably be smarter about it by at least ignoring those with an empty SNI. Would that work?

Also, what problems is this causing exactly?


It is in my logs as is, and it is on several Caddy instances; the IP numbers this is coming from are not mine. I think this is just some of the random probes for infrastructure and security issues. As I only use DNS challenges, I thought turning off my unused responders might reduce my attack surface.

Ok, thanks.

RFC 8737, which defines the TLS-ALPN challenge, does have pretty specific requirements for a challenge handshake: SNI cannot be empty, and ALPN must have a single value only. So I've implemented a stricter check before trying to solve the challenge:

That should hopefully take care of it for you… probably the next Caddy release will have it.

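The handshake screening this reply describes (and the "ignore empty SNI" idea floated earlier in the thread), written out as an added example in Go. It is not Caddy's code and not the fix the author linked: it uses the real `crypto/tls` `ClientHelloInfo` fields (`ServerName`, `SupportedProtos`), while the `DecideChallenge` gate, the known-identifier map and the sample ClientHellos are constructed for illustration, and the ERROR wording is copied from the log line above. The probe case is assumed to have offered `acme-tls/1`, since it reached the challenge logger.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ACMETLSALPNProto is the ALPN protocol identifier reserved by RFC 8737
// for the TLS-ALPN-01 challenge.
const ACMETLSALPNProto = "acme-tls/1"

// ChallengeCheck is the outcome of screening a ClientHello.
type ChallengeCheck struct {
	IsChallenge bool   // true only when the hello meets the RFC 8737 handshake rules
	Reason      string // why it was rejected (empty when accepted)
}

// LooksLikeTLSALPNChallenge applies the two handshake requirements from the
// thread before any challenge lookup is attempted:
//  1. ALPN must carry exactly one protocol, "acme-tls/1";
//  2. SNI must be present, because the challenge is keyed by hostname.
// The ALPN test runs first so that ordinary clients (h2, http/1.1) are
// classified as "not a challenge" rather than as a malformed challenge.
func LooksLikeTLSALPNChallenge(hello *tls.ClientHelloInfo) ChallengeCheck {
	if hello == nil {
		return ChallengeCheck{false, "nil ClientHello"}
	}
	if len(hello.SupportedProtos) != 1 || hello.SupportedProtos[0] != ACMETLSALPNProto {
		return ChallengeCheck{false, "ALPN is not exactly [acme-tls/1]"}
	}
	if hello.ServerName == "" {
		return ChallengeCheck{false, "empty SNI"}
	}
	return ChallengeCheck{true, ""}
}

// Decision says what the responder should do with a hello and at which log
// level it should record that.
type Decision struct {
	Solve   bool
	Level   string
	Message string
}

// DecideChallenge is the gate the thread asks for (hypothetical, not Caddy's
// API): non-compliant hellos go back to the normal TLS path at DEBUG level,
// and the ERROR-level "no information found to solve challenge" message is
// reserved for well-formed challenges whose identifier this instance does
// not hold a challenge certificate for. `known` stands in for that store.
func DecideChallenge(hello *tls.ClientHelloInfo, known map[string]bool) Decision {
	check := LooksLikeTLSALPNChallenge(hello)
	if !check.IsChallenge {
		return Decision{false, "DEBUG", "not a TLS-ALPN challenge: " + check.Reason}
	}
	if !known[hello.ServerName] {
		return Decision{false, "ERROR", "no information found to solve challenge for identifier: " + hello.ServerName}
	}
	return Decision{true, "INFO", "solving TLS-ALPN challenge for " + hello.ServerName}
}

func main() {
	// Constructed ClientHellos: the first mirrors the probe in the log above
	// (acme-tls/1 offered, SNI blank); the others are ordinary cases.
	known := map[string]bool{"example.com": true}
	cases := map[string]*tls.ClientHelloInfo{
		"probe, empty SNI":   {ServerName: "", SupportedProtos: []string{ACMETLSALPNProto}},
		"browser":            {ServerName: "example.com", SupportedProtos: []string{"h2", "http/1.1"}},
		"challenge, known":   {ServerName: "example.com", SupportedProtos: []string{ACMETLSALPNProto}},
		"challenge, unknown": {ServerName: "other.test", SupportedProtos: []string{ACMETLSALPNProto}},
	}
	for name, hello := range cases {
		d := DecideChallenge(hello, known)
		fmt.Printf("%-20s solve=%-5v %s: %s\n", name, d.Solve, d.Level, d.Message)
	}
}
```

With this ordering the blank-SNI probes from the log never reach the solver and never produce an ERROR entry, while a genuine challenge for an identifier this instance does not know about (the cluster case described earlier in the thread) still does.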

Almost forgot:

Alas, there’s no security benefit here AFAICT, but I was able to see how we could be a little more correct in our implementation, so I took a sec to fix it up.


Thanks for looking into it!