*) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in

the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01" is configured explicitly (related to #133). [@mkauf, Stefan Eissing] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1870020 13f79535-47bb-0310-9956-ffa450edef68
2025-08-10 02:56:11 +00:00 · 2019-11-19 12:39:32 +00:00
parent c3abd83511
commit 17d283e290
4 changed files with 28 additions and 6 deletions
--- a/4
+++ b/4
@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.1

+  *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in 
+     the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01" 
+     is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
+  
  *) mod_ssl: Support logging private key material for use with
     wireshark via log file given by SSLKEYLOGFILE environment
     variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]
--- a/modules/md/md_ocsp.c
+++ b/modules/md/md_ocsp.c
@ -32,6 +32,13 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>

+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
 #include "md.h"
 #include "md_crypt.h"
 #include "md_json.h"
@ -566,7 +573,11 @@ static const char *single_resp_summary(OCSP_SINGLERESP* resp, apr_pool_t *p)
    ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
    md_timeperiod_t valid;
    
+#if MD_USE_OPENSSL_PRE_1_1_API
+    certid = resp->certId;
+#else
    certid = OCSP_SINGLERESP_get0_id(resp);
+#endif
    status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
    valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
    valid.end = md_asn1_generalized_time_get(bnextup);
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@ -27,7 +27,7 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_MD_VERSION "2.2.3"
+#define MOD_MD_VERSION "2.2.4"

 /**
 * @macro
@ -35,7 +35,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_MD_VERSION_NUM 0x020203
+#define MOD_MD_VERSION_NUM 0x020204

 #define MD_ACME_DEF_URL    "https://acme-v02.api.letsencrypt.org/directory"

--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@ -438,18 +438,25 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_
    server_rec *s;
    request_rec r;
    int i;
+    int skip_port_check = 0;

    sc = md_config_get(base_server);
    mc = sc->mc;
    memset(&r, 0, sizeof(r));
-    
-    if (!mc->can_https) return NULL;
+
+    if (md->ca_challenges && md->ca_challenges->nelts > 0) {
+        /* skip the port check if "tls-alpn-01" is pre-configured */
+        skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+    }
+
+    if (!skip_port_check && !mc->can_https) return NULL;
+
    /* find an ssl server matching domain from MD */
    for (s = base_server; s; s = s->next) {
        sc = md_config_get(s);
        if (!sc || !sc->is_ssl || !sc->assigned) continue;
        if (base_server == s && !mc->manage_base_server) continue;
-        if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+        if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
        for (i = 0; i < sc->assigned->nelts; ++i) {
            if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
                r.server = s;
@ -1067,7 +1074,7 @@ static apr_status_t get_certificate(server_rec *s, apr_pool_t *p, int fallback,
    }
    else if (sc->assigned->nelts != 1) {
        if (!fallback) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207)
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
                         "conflict: %d MDs match Virtualhost %s which uses SSL, however "
                         "there can be at most 1.",
                         (int)sc->assigned->nelts, s->server_hostname);