boulder
An ACME-based certificate authority, written in Go.
If there are discrepancies between the PSL and Zlint TLD list, this will take the most conservative option of rejecting if either list doesn't have a TLD.
Right now our HTTP handlers in wfe and wfe2 follow the API used by `net/http`: To return an error, you have to set the status code and write the error...
Right now when a log serves an error, the goroutine submitting to that log will retry and backoff. We should track which CT logs have thrown errors recently and have...
After an ACME account's key is rolled over, WFE instances that have cached the account will continue to expect its old key until the cache entry has expired (currently 5s...
`GetAuthorizations2`, `GetValidAuthorizations2`, and `GetValidOrderAuthorizations2` all construct and return maps of authzs. These might be refactorable so that we can pass less data over gRPC. This was originally noted in a...
Delete test_ocsp_resigning and test_ocsp_exp_unauth. Although these tests are not replicated in our Go integration tests, they are testing very stable parts of our code that we do not plan to...
Currently `Clock()` in cmd/clock_integration.go returns a clock that always returns the time specified in the envvar FAKECLOCK. This means that if we want to change the time we need to...
We currently disallow connections to reserved IP addresses by excluding them from DNS lookup results in `bdns.LookupHost`, and (as of #8020) checking bare IP address redirect targets in HTTP-01. When...
The crlShards table schema is currently https://github.com/letsencrypt/boulder/blob/a2141cb695de88970bd843aaee91bd8a3c605be5/sa/db/boulder_sa/20230519000000_CrlShards.sql#L4-L13 I now believe that this schema was a mistake. This table does not grow arbitrarily and does not need to be partitioned, so...
When performing an HTTP-01 validation, the VA will try to fall back from IPv6 to IPv4 if the connection fails; and it will follow HTTP(S) redirects. However, the current structure...