Posted to dev@httpd.apache.org by Stefan Eissing <st...@greenbytes.de> on 2019/05/06 12:53:13 UTC

mod_md version 2

Heya,

the beautiful people at MOSS, Mozilla's Open Source Support, decided to give me a grant for Let's Encrypt and Stapling improvements in Apache! Big thanks!

I described what I plan to do here: https://github.com/icing/mod_md/wiki/V2Design

There are also github issues for collecting feedback and I pointed people to the Apache users mailing list as well.

Besides the support for ACMEv2, which is in-scope of the module, I plan to add a new OCSP stapling implementation in the module as well. That may lead to some head scratching here and I want to explain my reasoning and, ideally, get feedback from you.

- Any new OCSP stapling implementation must, in the 2.4.x release line, live alongside the existing one. We will, with our backward compatibility requirements, never be able to switch that one off in 2.4.x.

- We need a new implementation in the near future. OCSP responder downtimes become more threatening for the web, just because everyone goes https: if you look at browser statistics.

- The infrastructure is there in mod_md. A curl http client, proxy configuration and the dependency on mod_watchdog already exist. Linkage to openssl (or its cousins) is there as well.

- OCSP answers will be persisted in mod_md's file system store and shared between child processes that way.

- Of course, the plan is to have it inactive by default, as shipped by us. Admins need to turn it on. If that can be done per vhost, MDomain or globally remains to be discussed.

Cheers,

Stefan

Re: mod_md version 2

Posted by Stefan Eissing <st...@greenbytes.de>.
Thanks!

> On 14.05.2019 at 09:02, Ruediger Pluem <rp...@apache.org> wrote:
> 
> 
> 
> On 05/06/2019 02:53 PM, Stefan Eissing wrote:
>> Heya,
>> 
>> the beautiful people at MOSS, Mozilla's Open Source Support, decided to give me a grant for Let's Encrypt and Stapling improvements in Apache! Big thanks!
>> 
>> I described what I plan to do here: https://github.com/icing/mod_md/wiki/V2Design
>> 
>> There are also github issues for collecting feedback and I pointed people to the Apache users mailing list as well.
>> 
>> Besides the support for ACMEv2, which is in-scope of the module, I plan to add a new OCSP stapling implementation in the module as well. That may lead to some head scratching here and I want to explain my reasoning and, ideally, get feedback from you.
> 
> Great to hear this. I dug out some discussions from the past that might be useful (some even started by you :-)):
> 
> https://lists.apache.org/thread.html/1a61e9dfbd685c4102b097e8189bccb7d5da39bf9f32fcbe7407a760@%3Cdev.httpd.apache.org%3E
> 
> https://lists.apache.org/thread.html/040a5ef30dbe7649b88c24cd9716eaf4c47d2d800f4a6858508d4fab@%3Cdev.httpd.apache.org%3E
> 
> 
> Regards
> 
> Rüdiger
> 


Re: mod_md version 2

Posted by Ruediger Pluem <rp...@apache.org>.

On 05/06/2019 02:53 PM, Stefan Eissing wrote:
> Heya,
> 
> the beautiful people at MOSS, Mozilla's Open Source Support, decided to give me a grant for Let's Encrypt and Stapling improvements in Apache! Big thanks!
> 
> I described what I plan to do here: https://github.com/icing/mod_md/wiki/V2Design
> 
> There are also github issues for collecting feedback and I pointed people to the Apache users mailing list as well.
> 
> Besides the support for ACMEv2, which is in-scope of the module, I plan to add a new OCSP stapling implementation in the module as well. That may lead to some head scratching here and I want to explain my reasoning and, ideally, get feedback from you.

Great to hear this. I dug out some discussions from the past that might be useful (some even started by you :-)):

https://lists.apache.org/thread.html/1a61e9dfbd685c4102b097e8189bccb7d5da39bf9f32fcbe7407a760@%3Cdev.httpd.apache.org%3E

https://lists.apache.org/thread.html/040a5ef30dbe7649b88c24cd9716eaf4c47d2d800f4a6858508d4fab@%3Cdev.httpd.apache.org%3E


Regards

Rüdiger