Posted to cvs@httpd.apache.org by ic...@apache.org on 2020/02/17 14:42:09 UTC

svn commit: r1874134 - in /httpd/httpd/branches/2.4.x: ./ docs/manual/mod/ modules/md/

Author: icing
Date: Mon Feb 17 14:42:09 2020
New Revision: 1874134

URL: http://svn.apache.org/viewvc?rev=1874134&view=rev
Log:
Merged /httpd/httpd/trunk:r1870020,1874133

  *) mod_md:
     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
       thanks to Timothe Litt (@tlhackque).
     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
       check all matching virtual hosts for protocol support. Thanks to @mkauf.
     - Corrected a check when OCSP stapling was configured for hosts
       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
     - Relaxed the restrictions on where mod_md configuration directives may appear. This should
       allow their use in <If> and <Macro> sections. Whether every possible combination of those
       yields the configuration you intended in the first place is another matter.
     [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] 


Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_md.xml
    httpd/httpd/branches/2.4.x/modules/md/md_acme_drive.c
    httpd/httpd/branches/2.4.x/modules/md/md_ocsp.c
    httpd/httpd/branches/2.4.x/modules/md/md_result.c
    httpd/httpd/branches/2.4.x/modules/md/md_version.h
    httpd/httpd/branches/2.4.x/modules/md/mod_md.c
    httpd/httpd/branches/2.4.x/modules/md/mod_md_config.c
    httpd/httpd/branches/2.4.x/modules/md/mod_md_config.h
    httpd/httpd/branches/2.4.x/modules/md/mod_md_ocsp.c
    httpd/httpd/branches/2.4.x/modules/md/mod_md_os.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1870020,1874133

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Feb 17 14:42:09 2020
@@ -1,6 +1,19 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.42
 
+  *) mod_md:
+     - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
+       thanks to Timothe Litt (@tlhackque).
+     - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
+       check all matching virtual hosts for protocol support. Thanks to @mkauf.
+     - Corrected a check when OCSP stapling was configured for hosts
+       where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
+     - Softening the restrictions where mod_md configuration directives may appear. This should
+       allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
+       you wanted in the first place, is another matter.
+     [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
+      Michal Karm Babacek (@Karm), Stefan Eissing (@icing)] 
+
   *) test: Added continuous testing with Travis CI.
      This tests various scenarios on Ubuntu with the full test suite.
      Architectures tested: amd64, s390x, ppc64le, arm64

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_md.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_md.xml?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_md.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_md.xml Mon Feb 17 14:42:09 2020
@@ -304,7 +304,7 @@ MDChallengeDns01 /usr/bin/acme-setup-dns
                 the <directive module="mod_md" type="section">MDomainSet</directive>.
             </p><p>
                 There are 2 additional settings that are necessary for a Managed Domain:
-                <directive module="core">ServerAdmin</directive>
+                a contact Email address (via <directive module="mod_md">MDContactEmail</directive> or <directive module="core">ServerAdmin</directive>)
                 and <directive module="mod_md">MDCertificateAgreement</directive>.
                 The mail address of <directive module="core">ServerAdmin</directive>
                 is used to register at the CA (Let's Encrypt by default).
@@ -317,7 +317,7 @@ MDChallengeDns01 /usr/bin/acme-setup-dns
             </p>
             <example><title>Example</title>
                 <highlight language="config">
-ServerAdmin mailto:admin@example.org
+MDContactEmail admin@example.org
 MDCertificateAgreement accepted
 MDomain example.org www.example.org
 
@@ -1215,5 +1215,24 @@ MDMessageCmd /etc/apache/md-message
             </p>
         </usage>
     </directivesynopsis>
-
+    
+    <directivesynopsis>
+        <name>MDContactEmail</name>
+        <description></description>
+        <syntax>MDContactEmail address</syntax>
+        <contextlist>
+            <context>server config</context>
+        </contextlist>
+        <usage>
+            <p>
+                The ACME protocol requires you to give a contact url when you sign up. Currently, 
+                Let's Encrypt wants an email address (and it will use it to inform you about renewals 
+                or changed terms of service). mod_md uses the MDContactEmail directive email in 
+                your Apache configuration, so please specify the correct address there. 
+                If MDContactEmail is not present, mod_md will use the 
+                <directive module="core">ServerAdmin</directive> directive.
+            </p>
+        </usage>
+    </directivesynopsis>
+    
 </modulesynopsis>

Modified: httpd/httpd/branches/2.4.x/modules/md/md_acme_drive.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/md_acme_drive.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/md_acme_drive.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/md_acme_drive.c Mon Feb 17 14:42:09 2020
@@ -132,7 +132,7 @@ apr_status_t md_acme_drive_set_acct(md_p
         if (!ad->md->contacts || apr_is_empty_array(md->contacts)) {
             rv = APR_EINVAL;
             md_result_printf(result, rv, "No contact information is available for MD %s. "
-                             "Configure one using the ServerAdmin directive.", md->name);            
+                             "Configure one using the MDContactEmail or ServerAdmin directive.", md->name);            
             md_result_log(result, MD_LOG_ERR);
             goto leave;
         }

Modified: httpd/httpd/branches/2.4.x/modules/md/md_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/md_ocsp.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/md_ocsp.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/md_ocsp.c Mon Feb 17 14:42:09 2020
@@ -32,6 +32,13 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
 #include "md.h"
 #include "md_crypt.h"
 #include "md_json.h"
@@ -566,7 +573,11 @@ static const char *single_resp_summary(O
     ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
     md_timeperiod_t valid;
     
+#if MD_USE_OPENSSL_PRE_1_1_API
+    certid = resp->certId;
+#else
     certid = OCSP_SINGLERESP_get0_id(resp);
+#endif
     status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
     valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
     valid.end = md_asn1_generalized_time_get(bnextup);

Modified: httpd/httpd/branches/2.4.x/modules/md/md_result.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/md_result.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/md_result.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/md_result.c Mon Feb 17 14:42:09 2020
@@ -32,7 +32,7 @@
 static const char *dup_trim(apr_pool_t *p, const char *s)
 {
     char *d = apr_pstrdup(p, s);
-    apr_collapse_spaces(d, d);
+    if (d) apr_collapse_spaces(d, d);
     return d;
 }
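Review bot: The new NULL guard in dup_trim is the right fix but the reason is not recorded, and the next reader will wonder why a pool strdup needs one. apr_pstrdup() returns NULL for a NULL input while apr_collapse_spaces() dereferences its arguments unconditionally, so the guard is what keeps a NULL result detail from crashing md_result_printf callers; add `/* apr_pstrdup() maps NULL to NULL; apr_collapse_spaces() would dereference it */` above the `if`. A NULL return is then passed straight back to the caller, which presumably copes with it since the input was NULL already — worth confirming at the call sites.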
 

Modified: httpd/httpd/branches/2.4.x/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/md_version.h?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/md_version.h (original)
+++ httpd/httpd/branches/2.4.x/modules/md/md_version.h Mon Feb 17 14:42:09 2020
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.2.3"
+#define MOD_MD_VERSION "2.2.7-git"
 
 /**
  * @macro
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020203
+#define MOD_MD_VERSION_NUM 0x020207
 
 #define MD_ACME_DEF_URL    "https://acme-v02.api.letsencrypt.org/directory"
 

Modified: httpd/httpd/branches/2.4.x/modules/md/mod_md.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/mod_md.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/mod_md.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/mod_md.c Mon Feb 17 14:42:09 2020
@@ -297,6 +297,8 @@ leave:
 
 static void merge_srv_config(md_t *md, md_srv_conf_t *base_sc, apr_pool_t *p)
 {
+    const char *contact;
+
     if (!md->sc) {
         md->sc = base_sc;
     }
@@ -310,9 +312,14 @@ static void merge_srv_config(md_t *md, m
     if (!md->ca_agreement) {
         md->ca_agreement = md_config_gets(md->sc, MD_CONFIG_CA_AGREEMENT);
     }
-    if (md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {
+    contact = md_config_gets(md->sc, MD_CONFIG_CA_CONTACT);
+    if (contact && contact[0]) {
+        apr_array_clear(md->contacts);
+        APR_ARRAY_PUSH(md->contacts, const char *) =
+        md_util_schemify(p, contact, "mailto");
+    } else if( md->sc->s->server_admin && strcmp(DEFAULT_ADMIN, md->sc->s->server_admin)) {
         apr_array_clear(md->contacts);
-        APR_ARRAY_PUSH(md->contacts, const char *) = 
+        APR_ARRAY_PUSH(md->contacts, const char *) =
         md_util_schemify(p, md->sc->s->server_admin, "mailto");
     }
     if (md->renew_mode == MD_RENEW_DEFAULT) {
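Review bot: The two new branches in merge_srv_config duplicate the clear-and-push, differing only in which string is schemified, and the second one has a spacing slip, `} else if( md->sc->s->server_admin ...` should read `} else if (md->sc->s->server_admin ...`. Selecting the source string first and pushing once, `const char *src = (contact && contact[0]) ? contact : md->sc->s->server_admin;`, guarded by the existing DEFAULT_ADMIN comparison, would leave one code path to maintain. Note that the configured MDContactEmail value reaches md->contacts unvalidated here; a typo is only reported by the CA at account registration. merge_srv_config continues beyond the end of this hunk.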
@@ -436,30 +443,48 @@ static server_rec *get_public_https_serv
     md_srv_conf_t *sc;
     md_mod_conf_t *mc;
     server_rec *s;
+    server_rec *res = NULL;
     request_rec r;
     int i;
+    int check_port = 1;
 
     sc = md_config_get(base_server);
     mc = sc->mc;
     memset(&r, 0, sizeof(r));
-    
-    if (!mc->can_https) return NULL;
+
+    if (md->ca_challenges && md->ca_challenges->nelts > 0) {
+        /* skip the port check if "tls-alpn-01" is pre-configured */
+        check_port = !(md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0);
+    }
+
+    if (check_port && !mc->can_https) return NULL;
+
     /* find an ssl server matching domain from MD */
     for (s = base_server; s; s = s->next) {
         sc = md_config_get(s);
         if (!sc || !sc->is_ssl || !sc->assigned) continue;
         if (base_server == s && !mc->manage_base_server) continue;
-        if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+        if (base_server != s && check_port && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
         for (i = 0; i < sc->assigned->nelts; ++i) {
             if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
                 r.server = s;
                 if (ap_matches_request_vhost(&r, domain, s->port)) {
-                    return s;
+                    if (check_port) {
+                        return s;
+                    }
+                    else {
+                        /* there may be multiple matching servers because we ignore the port.
+                           if possible, choose a server that supports the acme-tls/1 protocol */
+                        if (ap_is_allowed_protocol(NULL, NULL, s, PROTO_ACME_TLS_1)) {
+                            return s;
+                        }
+                        res = s;
+                    }
                 }
             }
         }
     }
-    return NULL;
+    return res;
 }
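Review bot: When the port check is skipped and no matching vhost has the acme-tls/1 protocol enabled, get_public_https_server silently falls back to whichever matching server came last (`res` is overwritten on every match), and the tls-alpn-01 challenge will then fail later with nothing in the log pointing at the cause. A debug line before the final return would save that diagnosis, e.g. `if (res && !ap_is_allowed_protocol(NULL, NULL, res, PROTO_ACME_TLS_1)) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, "%s: no vhost matching %s has the %s protocol enabled", md->name, domain, PROTO_ACME_TLS_1);` (with an APLOGNO per project convention). Whether last-match rather than first-match is the intended fallback is not obvious from the comment; if it is, say so there. The function's signature line lies outside this hunk.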
 
 static apr_status_t auto_add_domains(md_t *md, server_rec *base_server, apr_pool_t *p)
@@ -556,10 +581,17 @@ static apr_status_t link_md_to_servers(m
                              s->server_hostname, s->port, md->name, sc->name,
                              domain, (int)sc->assigned->nelts);
                 
-                if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
+                if (sc->ca_contact && sc->ca_contact[0]) {
+                    uri = md_util_schemify(p, sc->ca_contact, "mailto");
+                    if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
+                        APR_ARRAY_PUSH(md->contacts, const char *) = uri;
+                        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
+                                     "%s: added contact %s", md->name, uri);
+                    }
+                } else if (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) {
                     uri = md_util_schemify(p, s->server_admin, "mailto");
                     if (md_array_str_index(md->contacts, uri, 0, 0) < 0) {
-                        APR_ARRAY_PUSH(md->contacts, const char *) = uri; 
+                        APR_ARRAY_PUSH(md->contacts, const char *) = uri;
                         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, APLOGNO(10044)
                                      "%s: added contact %s", md->name, uri);
                     }
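Review bot: The new MDContactEmail branch in link_md_to_servers is a copy of the ServerAdmin branch below it, including the same `APLOGNO(10044)` on both log calls, whereas httpd's convention, as far as I know, is one number per call site. Choosing the source string first removes the duplication: `const char *src = (sc->ca_contact && sc->ca_contact[0]) ? sc->ca_contact : (s->server_admin && strcmp(DEFAULT_ADMIN, s->server_admin)) ? s->server_admin : NULL;` followed by a single `if (src) { uri = md_util_schemify(p, src, "mailto"); ... }` block. This also keeps the contact-selection rule in one place, which matters because merge_srv_config applies the same precedence independently. The enclosing function starts and ends outside this hunk.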
@@ -683,7 +715,7 @@ static apr_status_t check_invalid_duplic
     md_srv_conf_t *sc;
     
     ap_log_error( APLOG_MARK, APLOG_TRACE1, 0, base_server, 
-                 "cecking duplicate ssl assignments");
+                 "checking duplicate ssl assignments");
     for (s = base_server; s; s = s->next) {
         sc = md_config_get(s);
         if (!sc || !sc->assigned) continue;
@@ -1067,7 +1099,7 @@ static apr_status_t get_certificate(serv
     }
     else if (sc->assigned->nelts != 1) {
         if (!fallback) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207)
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
                          "conflict: %d MDs match Virtualhost %s which uses SSL, however "
                          "there can be at most 1.",
                          (int)sc->assigned->nelts, s->server_hostname);

Modified: httpd/httpd/branches/2.4.x/modules/md/mod_md_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/mod_md_config.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/mod_md_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/mod_md_config.c Mon Feb 17 14:42:09 2020
@@ -105,6 +105,7 @@ static md_srv_conf_t defconf = {
     &def_renew_window,         /* renew window */
     &def_warn_window,          /* warn window */
     NULL,                      /* ca url */
+    NULL,                      /* ca contact (email) */
     "ACME",                    /* ca protocol */
     NULL,                      /* ca agreemnent */
     NULL,                      /* ca challenges array */
@@ -156,6 +157,7 @@ static void srv_conf_props_clear(md_srv_
     sc->renew_window = NULL;
     sc->warn_window = NULL;
     sc->ca_url = NULL;
+    sc->ca_contact = NULL;
     sc->ca_proto = NULL;
     sc->ca_agreement = NULL;
     sc->ca_challenges = NULL;
@@ -173,6 +175,7 @@ static void srv_conf_props_copy(md_srv_c
     to->warn_window = from->warn_window;
     to->renew_window = from->renew_window;
     to->ca_url = from->ca_url;
+    to->ca_contact = from->ca_contact;
     to->ca_proto = from->ca_proto;
     to->ca_agreement = from->ca_agreement;
     to->ca_challenges = from->ca_challenges;
@@ -229,6 +232,7 @@ static void *md_config_merge(apr_pool_t
     nsc->warn_window = add->warn_window? add->warn_window : base->warn_window;
 
     nsc->ca_url = add->ca_url? add->ca_url : base->ca_url;
+    nsc->ca_contact = add->ca_contact? add->ca_contact : base->ca_contact;
     nsc->ca_proto = add->ca_proto? add->ca_proto : base->ca_proto;
     nsc->ca_agreement = add->ca_agreement? add->ca_agreement : base->ca_agreement;
     nsc->ca_challenges = (add->ca_challenges? apr_array_copy(pool, add->ca_challenges) 
@@ -267,6 +271,30 @@ static const char *md_section_check(cmd_
     return NULL;
 }
 
+#define MD_LOC_GLOBAL (0x01)
+#define MD_LOC_MD     (0x02)
+#define MD_LOC_ELSE   (0x04)
+#define MD_LOC_ALL    (0x07)
+#define MD_LOC_NOT_MD (0x102)
+
+static const char *md_conf_check_location(cmd_parms *cmd, int flags)
+{
+    if (MD_LOC_GLOBAL == flags) {
+        return ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    }
+    if (MD_LOC_NOT_MD == flags && inside_md_section(cmd)) {
+        return apr_pstrcat(cmd->pool, cmd->cmd->name, " is not allowed inside an '",  
+                           MD_CMD_MD_SECTION, "' context", NULL);
+    }
+    if (MD_LOC_MD == flags) {
+        return md_section_check(cmd);
+    }
+    else if ((MD_LOC_MD & flags) && inside_md_section(cmd)) {
+        return NULL;
+    } 
+    return ap_check_cmd_context(cmd, NOT_IN_DIRECTORY|NOT_IN_LOCATION);
+}
+
 static const char *set_on_off(int *pvalue, const char *s, apr_pool_t *p)
 {
     if (!apr_strnatcasecmp("off", s)) {
@@ -314,7 +342,7 @@ static const char *md_config_sec_start(c
     int transitive = -1;
     
     (void)mconfig;
-    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
         
@@ -400,8 +428,7 @@ static const char *md_config_set_names(c
     int i, transitive = -1;
 
     (void)dc;
-    err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
 
@@ -436,20 +463,33 @@ static const char *md_config_set_ca(cmd_
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     sc->ca_url = value;
     return NULL;
 }
 
+static const char *md_config_set_contact(cmd_parms *cmd, void *dc, const char *value)
+{
+    md_srv_conf_t *sc = md_config_get(cmd->server);
+    const char *err;
+
+    (void)dc;
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
+        return err;
+    }
+    sc->ca_contact = value;
+    return NULL;
+}
+
 static const char *md_config_set_ca_proto(cmd_parms *cmd, void *dc, const char *value)
 {
     md_srv_conf_t *config = md_config_get(cmd->server);
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     config->ca_proto = value;
@@ -462,7 +502,7 @@ static const char *md_config_set_agreeme
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     config->ca_agreement = value;
@@ -489,7 +529,7 @@ static const char *md_config_set_renew_m
         return apr_pstrcat(cmd->pool, "unknown MDDriveMode ", value, NULL);
     }
     
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     config->renew_mode = renew_mode;
@@ -502,7 +542,7 @@ static const char *md_config_set_must_st
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     return set_on_off(&config->must_staple, value, cmd->pool);
@@ -514,7 +554,7 @@ static const char *md_config_set_staplin
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     return set_on_off(&config->stapling, value, cmd->pool);
@@ -526,7 +566,7 @@ static const char *md_config_set_staple_
     const char *err;
 
     (void)dc;
-    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     return set_on_off(&config->staple_others, value, cmd->pool);
@@ -535,7 +575,7 @@ static const char *md_config_set_staple_
 static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const char *value)
 {
     md_srv_conf_t *config = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD);
 
     (void)dc;
     if (err) return err;
@@ -547,11 +587,10 @@ static const char *md_config_set_require
     md_srv_conf_t *config = md_config_get(cmd->server);
     const char *err;
 
-    (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
-
+    (void)dc;
     if (!apr_strnatcasecmp("off", value)) {
         config->require_https = MD_REQUIRE_OFF;
     }
@@ -574,8 +613,7 @@ static const char *md_config_set_renew_w
     const char *err;
     
     (void)dc;
-    if (!inside_md_section(cmd)
-        && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     err = md_timeslice_parse(&config->renew_window, cmd->pool, value, MD_TIME_LIFE_NORM);
@@ -593,8 +631,7 @@ static const char *md_config_set_warn_wi
     const char *err;
     
     (void)dc;
-    if (!inside_md_section(cmd)
-        && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     err = md_timeslice_parse(&config->warn_window, cmd->pool, value, MD_TIME_LIFE_NORM);
@@ -609,9 +646,9 @@ static const char *md_config_set_warn_wi
 static const char *md_config_set_proxy(cmd_parms *cmd, void *arg, const char *value)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
 
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
     md_util_abs_http_uri_check(cmd->pool, value, &err);
@@ -626,9 +663,9 @@ static const char *md_config_set_proxy(c
 static const char *md_config_set_store_dir(cmd_parms *cmd, void *arg, const char *value)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
 
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
     sc->mc->base_dir = value;
@@ -686,10 +723,10 @@ static const char *md_config_set_port_ma
                                           const char *v1, const char *v2)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
 
     (void)arg;
-    if (!err) {
+    if (!(err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         err = set_port_map(sc->mc, v1);
     }
     if (!err && v2) {
@@ -707,8 +744,7 @@ static const char *md_config_set_cha_tye
     int i;
 
     (void)dc;
-    if (!inside_md_section(cmd)
-        && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     pcha = &config->ca_challenges; 
@@ -735,8 +771,7 @@ static const char *md_config_set_pkeys(c
     apr_int64_t bits;
     
     (void)dc;
-    if (!inside_md_section(cmd)
-        && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     if (argc <= 0) {
@@ -784,9 +819,9 @@ static const char *md_config_set_pkeys(c
 static const char *md_config_set_notify_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
 
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
     sc->mc->notify_cmd = arg;
@@ -797,9 +832,9 @@ static const char *md_config_set_notify_
 static const char *md_config_set_msg_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
 
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
     sc->mc->message_cmd = arg;
@@ -810,9 +845,9 @@ static const char *md_config_set_msg_cmd
 static const char *md_config_set_dns01_cmd(cmd_parms *cmd, void *mconfig, const char *arg)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
 
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
     apr_table_set(sc->mc->env, MD_KEY_CMD_DNS01, arg);
@@ -826,7 +861,7 @@ static const char *md_config_set_cert_fi
     const char *err;
     
     (void)mconfig;
-    if (NULL != (err = md_section_check(cmd))) return err;
+    if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err;
     assert(sc->current);
     sc->current->cert_file = arg;
     return NULL;
@@ -838,7 +873,7 @@ static const char *md_config_set_key_fil
     const char *err;
     
     (void)mconfig;
-    if (NULL != (err = md_section_check(cmd))) return err;
+    if ((err = md_conf_check_location(cmd, MD_LOC_MD))) return err;
     assert(sc->current);
     sc->current->pkey_file = arg;
     return NULL;
@@ -850,7 +885,7 @@ static const char *md_config_set_server_
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     return set_on_off(&sc->mc->server_status_enabled, value, cmd->pool);
@@ -862,7 +897,7 @@ static const char *md_config_set_certifi
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     return set_on_off(&sc->mc->certificate_status_enabled, value, cmd->pool);
@@ -874,7 +909,7 @@ static const char *md_config_set_ocsp_ke
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     err = md_timeslice_parse(&sc->mc->ocsp_keep_window, cmd->pool, value, MD_TIME_OCSP_KEEP_NORM);
@@ -888,7 +923,7 @@ static const char *md_config_set_ocsp_re
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     err = md_timeslice_parse(&sc->mc->ocsp_renew_window, cmd->pool, value, MD_TIME_LIFE_NORM);
@@ -907,7 +942,7 @@ static const char *md_config_set_cert_ch
     const char *err;
 
     (void)dc;
-    if (!inside_md_section(cmd) && (err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_ALL))) {
         return err;
     }
     sc->mc->cert_check_name = name;
@@ -918,11 +953,11 @@ static const char *md_config_set_cert_ch
 static const char *md_config_set_activation_delay(cmd_parms *cmd, void *mconfig, const char *arg)
 {
     md_srv_conf_t *sc = md_config_get(cmd->server);
-    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    const char *err;
     apr_interval_time_t delay;
 
     (void)mconfig;
-    if (err) {
+    if ((err = md_conf_check_location(cmd, MD_LOC_NOT_MD))) {
         return err;
     }
     if (md_duration_parse(&delay, arg, "d") != APR_SUCCESS) {
@@ -941,6 +976,8 @@ const command_rec md_cmds[] = {
                       "A list of challenge types to be used."),
     AP_INIT_TAKE1("MDCertificateProtocol", md_config_set_ca_proto, NULL, RSRC_CONF, 
                   "Protocol used to obtain/renew certificates"),
+    AP_INIT_TAKE1("MDContactEmail", md_config_set_contact, NULL, RSRC_CONF,
+                  "Email address used for account registration"),
     AP_INIT_TAKE1("MDDriveMode", md_config_set_renew_mode, NULL, RSRC_CONF, 
                   "deprecated, older name for MDRenewMode"),
     AP_INIT_TAKE1("MDRenewMode", md_config_set_renew_mode, NULL, RSRC_CONF, 
@@ -972,7 +1009,7 @@ const command_rec md_cmds[] = {
                   "the directory for file system storage of managed domain data."),
     AP_INIT_TAKE1("MDRenewWindow", md_config_set_renew_window, NULL, RSRC_CONF, 
                   "Time length for renewal before certificate expires (defaults to days)."),
-    AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF, 
+    AP_INIT_TAKE1("MDRequireHttps", md_config_set_require_https, NULL, RSRC_CONF|OR_AUTHCFG, 
                   "Redirect non-secure requests to the https: equivalent."),
     AP_INIT_RAW_ARGS("MDNotifyCmd", md_config_set_notify_cmd, NULL, RSRC_CONF, 
                   "Set the command to run when signup/renew of domain is complete."),
@@ -1065,6 +1102,8 @@ const char *md_config_gets(const md_srv_
     switch (var) {
         case MD_CONFIG_CA_URL:
             return sc->ca_url? sc->ca_url : defconf.ca_url;
+        case MD_CONFIG_CA_CONTACT:
+            return sc->ca_contact? sc->ca_contact : defconf.ca_contact;
         case MD_CONFIG_CA_PROTO:
             return sc->ca_proto? sc->ca_proto : defconf.ca_proto;
         case MD_CONFIG_BASE_DIR:

Modified: httpd/httpd/branches/2.4.x/modules/md/mod_md_config.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/mod_md_config.h?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/mod_md_config.h (original)
+++ httpd/httpd/branches/2.4.x/modules/md/mod_md_config.h Mon Feb 17 14:42:09 2020
@@ -25,6 +25,7 @@ struct md_pkey_spec_t;
 
 typedef enum {
     MD_CONFIG_CA_URL,
+    MD_CONFIG_CA_CONTACT,
     MD_CONFIG_CA_PROTO,
     MD_CONFIG_BASE_DIR,
     MD_CONFIG_CA_AGREEMENT,
@@ -85,6 +86,7 @@ typedef struct md_srv_conf_t {
     md_timeslice_t *warn_window;  /* time before expiration that warning are sent out */
     
     const char *ca_url;                /* url of CA certificate service */
+    const char *ca_contact;            /* contact email registered to account */
     const char *ca_proto;              /* protocol used vs CA (e.g. ACME) */
     const char *ca_agreement;          /* accepted agreement uri between CA and user */ 
     struct apr_array_header_t *ca_challenges; /* challenge types configured */

Modified: httpd/httpd/branches/2.4.x/modules/md/mod_md_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/mod_md_ocsp.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/mod_md_ocsp.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/mod_md_ocsp.c Mon Feb 17 14:42:09 2020
@@ -62,7 +62,7 @@ apr_status_t md_ocsp_init_stapling_statu
     sc = md_config_get(s);
     if (!staple_here(sc)) goto declined;
 
-    md = ((sc->assigned || sc->assigned->nelts == 1)?
+    md = ((sc->assigned && sc->assigned->nelts == 1)?
           APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
     rv = md_ocsp_prime(sc->mc->ocsp, md_cert_wrap(p, cert), 
                        md_cert_wrap(p, issuer), md);
@@ -85,7 +85,7 @@ apr_status_t md_ocsp_get_stapling_status
     sc = md_config_get(s);
     if (!staple_here(sc)) goto declined;
     
-    md = ((sc->assigned || sc->assigned->nelts == 1)?
+    md = ((sc->assigned && sc->assigned->nelts == 1)?
           APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
     ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "get stapling for: %s", 
                   md? md->name : s->server_hostname);

Modified: httpd/httpd/branches/2.4.x/modules/md/mod_md_os.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/md/mod_md_os.c?rev=1874134&r1=1874133&r2=1874134&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/md/mod_md_os.c (original)
+++ httpd/httpd/branches/2.4.x/modules/md/mod_md_os.c Mon Feb 17 14:42:09 2020
@@ -25,9 +25,6 @@
 #if APR_HAVE_UNISTD_H
 #include <unistd.h>
 #endif
-#ifdef WIN32
-#include "mpm_winnt.h"
-#endif
 #if AP_NEED_SET_MUTEX_PERMS
 #include "unixd.h"
 #endif