Remove RSA KEX tracking from validation (#7629)

We used this data to inform our decision making, and have now fully
turned off support for RSA KEX during validation. This log event field
will now never be set, so it can be removed.

Part of #7321
Fixes #7628

core/objects.go

@@ -148,13 +148,6 @@ type ValidationRecord struct {
 	// lookup for AddressUsed. During recursive A and AAAA lookups, a record may
 	// instead look like A:host:port or AAAA:host:port
 	ResolverAddrs []string `json:"resolverAddrs,omitempty"`
-	// UsedRSAKEX is a *temporary* addition to the validation record, so we can
-	// see how many servers that we reach out to during HTTP-01 and TLS-ALPN-01
-	// validation are only willing to negotiate RSA key exchange mechanisms. The
-	// field is not included in the serialized json to avoid cluttering the
-	// database and log lines.
-	// TODO(#7321): Remove this when we have collected sufficient data.
-	UsedRSAKEX bool `json:"-"`
 }
 
 // Challenge is an aggregate of all data needed for any challenges.

va/http.go

@@ -494,13 +494,6 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 		numRedirects++
 		va.metrics.http01Redirects.Inc()
 
-		// If TLS was used, record the negotiated key exchange mechanism in the most
-		// recent validationRecord.
-		// TODO(#7321): Remove this when we have collected enough data.
-		if req.Response.TLS != nil {
-			records[len(records)-1].UsedRSAKEX = usedRSAKEX(req.Response.TLS.CipherSuite)
-		}
-
 		if req.Response.TLS != nil && req.Response.TLS.Version < tls.VersionTLS12 {
 			return berrors.ConnectionFailureError(
 				"validation attempt was redirected to an HTTPS server that doesn't " +
@@ -643,13 +636,6 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 			records[len(records)-1].URL, body))
 	}
 
-	// We were successful, so record the negotiated key exchange mechanism in the
-	// last validationRecord.
-	// TODO(#7321): Remove this when we have collected enough data.
-	if httpResponse.TLS != nil {
-		records[len(records)-1].UsedRSAKEX = usedRSAKEX(httpResponse.TLS.CipherSuite)
-	}
-
 	return body, records, nil
 }
 

va/tlsalpn.go

@@ -289,10 +289,6 @@ func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identi
 					hex.EncodeToString(h[:]),
 				))
 			}
-			// We were successful, so record the negotiated key exchange mechanism in
-			// the validationRecord.
-			// TODO(#7321): Remove this when we have collected enough data.
-			validationRecord.UsedRSAKEX = usedRSAKEX(cs.CipherSuite)
 			return validationRecords, nil
 		}
 	}

va/va.go

@@ -312,7 +312,6 @@ type verificationRequestEvent struct {
 	Hostname          string         `json:",omitempty"`
 	Challenge         core.Challenge `json:",omitempty"`
 	ValidationLatency float64
-	UsedRSAKEX        bool   `json:",omitempty"`
 	Error             string `json:",omitempty"`
 	InternalError     string `json:",omitempty"`
 }
@@ -713,15 +712,6 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, req *v
 		err = errors.New("records from local validation failed sanity check")
 	}
 
-	// Copy the "UsedRSAKEX" value from the last validationRecord into the log
-	// event. Only the last record should have this bool set, because we only
-	// record it if/when validation is finally successful, but we use the loop
-	// just in case that assumption changes.
-	// TODO(#7321): Remove this when we have collected enough data.
-	for _, record := range records {
-		logEvent.UsedRSAKEX = record.UsedRSAKEX || logEvent.UsedRSAKEX
-	}
-
 	if err != nil {
 		logEvent.InternalError = err.Error()
 		prob = detailedError(err)
@@ -736,10 +726,3 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, req *v
 	prob = va.performRemoteValidation(ctx, req)
 	return bgrpc.ValidationResultToPB(records, filterProblemDetails(prob))
 }
-
-// usedRSAKEX returns true if the given cipher suite involves the use of an
-// RSA key exchange mechanism.
-// TODO(#7321): Remove this when we have collected enough data.
-func usedRSAKEX(cs uint16) bool {
-	return strings.HasPrefix(tls.CipherSuiteName(cs), "TLS_RSA_")
-}