From a21c417bc04e5ee29a9c38e3cd4e950a0f5fb1ca Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Fri, 26 Jul 2024 09:36:29 -0700
Subject: [PATCH] Remove RSA KEX tracking from validation (#7629)

We used this data to inform our decision making, and have now fully turned off support for RSA KEX during validation. This log event field will now never be set, so it can be removed.

Part of https://github.com/letsencrypt/boulder/issues/7321
Fixes https://github.com/letsencrypt/boulder/issues/7628
---
 core/objects.go | 7 -------
 va/http.go | 14 --------------
 va/tlsalpn.go | 4 ----
 va/va.go | 17 -----------------
 4 files changed, 42 deletions(-)

diff --git a/core/objects.go b/core/objects.go
index c01f551abd8..13c5572eca6 100644
--- a/core/objects.go
+++ b/core/objects.go
@@ -148,13 +148,6 @@ type ValidationRecord struct {
 // lookup for AddressUsed. During recursive A and AAAA lookups, a record may
 // instead look like A:host:port or AAAA:host:port
 ResolverAddrs []string `json:"resolverAddrs,omitempty"`
- // UsedRSAKEX is a *temporary* addition to the validation record, so we can
- // see how many servers that we reach out to during HTTP-01 and TLS-ALPN-01
- // validation are only willing to negotiate RSA key exchange mechanisms. The
- // field is not included in the serialized json to avoid cluttering the
- // database and log lines.
- // TODO(#7321): Remove this when we have collected sufficient data.
- UsedRSAKEX bool `json:"-"`
 }
 // Challenge is an aggregate of all data needed for any challenges.
diff --git a/va/http.go b/va/http.go
index 5702e66bd81..1133ef9526c 100644
--- a/va/http.go
+++ b/va/http.go
@@ -494,13 +494,6 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 numRedirects++
 va.metrics.http01Redirects.Inc()
- // If TLS was used, record the negotiated key exchange mechanism in the most
- // recent validationRecord.
- // TODO(#7321): Remove this when we have collected enough data.
- if req.Response.TLS != nil {
- records[len(records)-1].UsedRSAKEX = usedRSAKEX(req.Response.TLS.CipherSuite)
- }
-
 if req.Response.TLS != nil && req.Response.TLS.Version < tls.VersionTLS12 {
 return berrors.ConnectionFailureError(
 "validation attempt was redirected to an HTTPS server that doesn't " +
@@ -643,13 +636,6 @@ func (va *ValidationAuthorityImpl) processHTTPValidation(
 records[len(records)-1].URL, body))
 }
- // We were successful, so record the negotiated key exchange mechanism in the
- // last validationRecord.
- // TODO(#7321): Remove this when we have collected enough data.
- if httpResponse.TLS != nil {
- records[len(records)-1].UsedRSAKEX = usedRSAKEX(httpResponse.TLS.CipherSuite)
- }
-
 return body, records, nil
 }
diff --git a/va/tlsalpn.go b/va/tlsalpn.go
index f4a23e79357..41e046581ad 100644
--- a/va/tlsalpn.go
+++ b/va/tlsalpn.go
@@ -289,10 +289,6 @@ func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identi
 hex.EncodeToString(h[:]),
 ))
 }
- // We were successful, so record the negotiated key exchange mechanism in
- // the validationRecord.
- // TODO(#7321): Remove this when we have collected enough data.
- validationRecord.UsedRSAKEX = usedRSAKEX(cs.CipherSuite)
 return validationRecords, nil
 }
 }
diff --git a/va/va.go b/va/va.go
index d43346bbc14..c935f8d2530 100644
--- a/va/va.go
+++ b/va/va.go
@@ -312,7 +312,6 @@ type verificationRequestEvent struct {
 Hostname string `json:",omitempty"`
 Challenge core.Challenge `json:",omitempty"`
 ValidationLatency float64
- UsedRSAKEX bool `json:",omitempty"`
 Error string `json:",omitempty"`
 InternalError string `json:",omitempty"`
 }
@@ -713,15 +712,6 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, req *v
 err = errors.New("records from local validation failed sanity check")
 }
- // Copy the "UsedRSAKEX" value from the last validationRecord into the log
- // event. Only the last record should have this bool set, because we only
- // record it if/when validation is finally successful, but we use the loop
- // just in case that assumption changes.
- // TODO(#7321): Remove this when we have collected enough data.
- for _, record := range records {
- logEvent.UsedRSAKEX = record.UsedRSAKEX || logEvent.UsedRSAKEX
- }
-
 if err != nil {
 logEvent.InternalError = err.Error()
 prob = detailedError(err)
@@ -736,10 +726,3 @@ func (va *ValidationAuthorityImpl) PerformValidation(ctx context.Context, req *v
 prob = va.performRemoteValidation(ctx, req)
 return bgrpc.ValidationResultToPB(records, filterProblemDetails(prob))
 }
-
- // usedRSAKEX returns true if the given cipher suite involves the use of an
- // RSA key exchange mechanism.
- // TODO(#7321): Remove this when we have collected enough data.
- func usedRSAKEX(cs uint16) bool {
- return strings.HasPrefix(tls.CipherSuiteName(cs), "TLS_RSA_")
- }