diff --git a/CHANGES b/CHANGES
index ca5cef33d7..d655a0b8ec 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in
+     the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
+     is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
+
   *) mod_ssl: Support logging private key material for use with wireshark via
      log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL
      1.1.1. PR 63391. [Joe Orton]
diff --git a/modules/md/md_ocsp.c b/modules/md/md_ocsp.c
index 90fb332905..dc95393249 100644
--- a/modules/md/md_ocsp.c
+++ b/modules/md/md_ocsp.c
@@ -32,6 +32,13 @@
 #include
 #include
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
 #include "md.h"
 #include "md_crypt.h"
 #include "md_json.h"
@@ -566,7 +573,11 @@ static const char *single_resp_summary(OCSP_SINGLERESP* resp, apr_pool_t *p)
     ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
     md_timeperiod_t valid;
     
+#if MD_USE_OPENSSL_PRE_1_1_API
+    certid = resp->certId;
+#else
     certid = OCSP_SINGLERESP_get0_id(resp);
+#endif
     status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
     valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
     valid.end = md_asn1_generalized_time_get(bnextup);
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index 331e403d72..be5dbd5cfb 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.2.3"
+#define MOD_MD_VERSION "2.2.4"
 
 /**
  * @macro
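Review bot: `MD_USE_OPENSSL_PRE_1_1_API` is introduced here as a bare `#define` local to md_ocsp.c, and if I read the module right it duplicates the LibreSSL/OpenSSL version probe that md_crypt.c already carries; two copies of a version gate tend to drift, so I would move the six lines into a shared header (md_crypt.h is included right below) and have both files pick it up from there. The probe depends on `LIBRESSL_VERSION_NUMBER`/`OPENSSL_VERSION_NUMBER` being visible, which here relies on the two OpenSSL includes placed just above it, so a shared header must preserve that ordering. Until it is shared, wrapping the block in `#ifndef MD_USE_OPENSSL_PRE_1_1_API` … `#endif` avoids a redefinition warning should the header ever start exporting the macro.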
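Review bot: The pre-1.1 branch `certid = resp->certId;` reaches into the `OCSP_SINGLERESP` structure, which is only legal because that struct was still public before OpenSSL 1.1.0 made it opaque and added `OCSP_SINGLERESP_get0_id()`; a one-line comment on the `#if`, e.g. `/* OCSP_SINGLERESP_get0_id() is 1.1.0+; the struct is public before that */`, would spare the next reader from re-deriving why the direct field access is acceptable. Without it the `#if` reads like an arbitrary accessor choice rather than an API-availability split. `single_resp_summary` starts and ends outside the hunk.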
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020203
+#define MOD_MD_VERSION_NUM 0x020204
 
 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
 
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 1c83d4a3bf..33ef383a47 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -438,18 +438,25 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_
     server_rec *s;
     request_rec r;
     int i;
+    int skip_port_check = 0;
     
     sc = md_config_get(base_server);
     mc = sc->mc;
     memset(&r, 0, sizeof(r));
-    
-    if (!mc->can_https) return NULL;
+    
+    if (md->ca_challenges && md->ca_challenges->nelts > 0) {
+        /* skip the port check if "tls-alpn-01" is pre-configured */
+        skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+    }
+    
+    if (!skip_port_check && !mc->can_https) return NULL;
+    
     /* find an ssl server matching domain from MD */
     for (s = base_server; s; s = s->next) {
         sc = md_config_get(s);
         if (!sc || !sc->is_ssl || !sc->assigned) continue;
         if (base_server == s && !mc->manage_base_server) continue;
-        if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+        if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
         for (i = 0; i < sc->assigned->nelts; ++i) {
             if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
                 r.server = s;
@@ -1067,7 +1074,7 @@ static apr_status_t get_certificate(server_rec *s, apr_pool_t *p, int fallback,
     }
     else if (sc->assigned->nelts != 1) {
         if (!fallback) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207)
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
                          "conflict: %d MDs match Virtualhost %s which uses SSL, however "
                          "there can be at most 1.", (int)sc->assigned->nelts, s->server_hostname);
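Review bot: The comment `/* skip the port check if "tls-alpn-01" is pre-configured */` understates what the flag does: `skip_port_check` also bypasses the `!mc->can_https` early return a few lines below, so a server_rec can now be selected even when the module itself concluded that it is not reachable on port 443. Since the CA always performs `tls-alpn-01` validation against port 443, the new code replaces the module's own reachability check with the administrator's explicit configuration (presumably a port forward or front proxy, which the CHANGES entry only hints at via #133), and the comment should say so, e.g. `/* "tls-alpn-01" was configured explicitly: the admin asserts that port 443 reaches this server, so skip both the can_https gate and the per-vhost port check */`; the same trade-off belongs in the documentation of the directive that feeds `ca_challenges`. The `md->ca_challenges->nelts > 0` test is redundant if `md_array_str_index` already copes with an empty array, but harmless. `get_public_https_server` starts and ends outside the hunk.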