*) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in

the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01" 
     is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
  


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1870020 13f79535-47bb-0310-9956-ffa450edef68
Stefan Eissing
2019-11-19 12:39:32 +00:00
parent c3abd83511
commit 17d283e290
4 changed files with 28 additions and 6 deletions


@ -1,6 +1,10 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.1 Changes with Apache 2.5.1
*) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in
the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
*) mod_ssl: Support logging private key material for use with *) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]


@ -32,6 +32,13 @@
#include <openssl/pem.h> #include <openssl/pem.h>
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#if defined(LIBRESSL_VERSION_NUMBER)
/* Missing from LibreSSL */
#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
#else /* defined(LIBRESSL_VERSION_NUMBER) */
#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
#endif
#include "md.h" #include "md.h"
#include "md_crypt.h" #include "md_crypt.h"
#include "md_json.h" #include "md_json.h"
@ -566,7 +573,11 @@ static const char *single_resp_summary(OCSP_SINGLERESP* resp, apr_pool_t *p)
ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL; ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
md_timeperiod_t valid; md_timeperiod_t valid;
#if MD_USE_OPENSSL_PRE_1_1_API
certid = resp->certId;
#else
certid = OCSP_SINGLERESP_get0_id(resp); certid = OCSP_SINGLERESP_get0_id(resp);
#endif
status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup); status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now(); valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
valid.end = md_asn1_generalized_time_get(bnextup); valid.end = md_asn1_generalized_time_get(bnextup);
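Review bot: The pre-1.1 arm `certid = resp->certId;` reaches into the OCSP_SINGLERESP struct directly, which only compiles while that struct is still public, so the fix rests entirely on the new `MD_USE_OPENSSL_PRE_1_1_API` threshold being right for every library it covers. The LibreSSL cut-off `0x2070000f` is the one used for the whole family of 1.1-style accessors, and the page cannot show that `OCSP_SINGLERESP_get0_id` was among the functions LibreSSL 2.7.0 added, so a build against the oldest LibreSSL the module supports is the check I would ask for before merging. The comment `/* Missing from LibreSSL */` above the macro is terse; I would make it `/* LibreSSL carries its own version number; map both libraries onto one "pre-OpenSSL-1.1 API" switch, cut at the LibreSSL release that introduced the 1.1 accessors */`. `single_resp_summary` starts and ends outside the second hunk, so whether `certid` is checked before use is not visible here.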


@ -27,7 +27,7 @@
* @macro * @macro
* Version number of the md module as c string * Version number of the md module as c string
*/ */
#define MOD_MD_VERSION "2.2.3" #define MOD_MD_VERSION "2.2.4"
/** /**
* @macro * @macro
@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits * release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/ */
#define MOD_MD_VERSION_NUM 0x020203 #define MOD_MD_VERSION_NUM 0x020204
#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory" #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"


@ -438,18 +438,25 @@ static server_rec *get_public_https_server(md_t *md, const char *domain, server_
server_rec *s; server_rec *s;
request_rec r; request_rec r;
int i; int i;
int skip_port_check = 0;
sc = md_config_get(base_server); sc = md_config_get(base_server);
mc = sc->mc; mc = sc->mc;
memset(&r, 0, sizeof(r)); memset(&r, 0, sizeof(r));
if (!mc->can_https) return NULL; if (md->ca_challenges && md->ca_challenges->nelts > 0) {
/* skip the port check if "tls-alpn-01" is pre-configured */
skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
}
if (!skip_port_check && !mc->can_https) return NULL;
/* find an ssl server matching domain from MD */ /* find an ssl server matching domain from MD */
for (s = base_server; s; s = s->next) { for (s = base_server; s; s = s->next) {
sc = md_config_get(s); sc = md_config_get(s);
if (!sc || !sc->is_ssl || !sc->assigned) continue; if (!sc || !sc->is_ssl || !sc->assigned) continue;
if (base_server == s && !mc->manage_base_server) continue; if (base_server == s && !mc->manage_base_server) continue;
if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue; if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
for (i = 0; i < sc->assigned->nelts; ++i) { for (i = 0; i < sc->assigned->nelts; ++i) {
if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) { if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
r.server = s; r.server = s;
@ -1067,7 +1074,7 @@ static apr_status_t get_certificate(server_rec *s, apr_pool_t *p, int fallback,
} }
else if (sc->assigned->nelts != 1) { else if (sc->assigned->nelts != 1) {
if (!fallback) { if (!fallback) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207) ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
"conflict: %d MDs match Virtualhost %s which uses SSL, however " "conflict: %d MDs match Virtualhost %s which uses SSL, however "
"there can be at most 1.", "there can be at most 1.",
(int)sc->assigned->nelts, s->server_hostname); (int)sc->assigned->nelts, s->server_hostname);
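Review bot: The comment added in the first hunk, `/* skip the port check if "tls-alpn-01" is pre-configured */`, understates what `skip_port_check` does: the rewritten guard `if (!skip_port_check && !mc->can_https) return NULL;` also bypasses the `can_https` early exit, so an MD with tls-alpn-01 configured is now searched for even when the module has concluded it cannot serve https at all. Suggest widening the comment to `/* "tls-alpn-01" configured explicitly: trust the admin and skip both the can_https exit and the local_443 port check in the loop below */`. The loop still requires `sc->is_ssl`, so the effect of the bypass is a NULL return rather than a non-SSL server being chosen, which seems intended but is worth stating next to the guard. `get_public_https_server` begins and ends outside the hunk. The second hunk swaps the log tag to `APLOGNO(10042)`; if that number is already assigned to another message in the tree the tag-uniqueness check would flag it, which this page cannot show.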