You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2019/11/19 12:39:32 UTC
svn commit: r1870020 - in /httpd/httpd/trunk: CHANGES modules/md/md_ocsp.c
modules/md/md_version.h modules/md/mod_md.c
Author: icing
Date: Tue Nov 19 12:39:32 2019
New Revision: 1870020
URL: http://svn.apache.org/viewvc?rev=1870020&view=rev
Log:
*) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in
the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/md/md_ocsp.c
httpd/httpd/trunk/modules/md/md_version.h
httpd/httpd/trunk/modules/md/mod_md.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Nov 19 12:39:32 2019
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in
+ the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
+ is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
+
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
Modified: httpd/httpd/trunk/modules/md/md_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_ocsp.c?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_ocsp.c (original)
+++ httpd/httpd/trunk/modules/md/md_ocsp.c Tue Nov 19 12:39:32 2019
@@ -32,6 +32,13 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
#include "md.h"
#include "md_crypt.h"
#include "md_json.h"
@@ -566,7 +573,11 @@ static const char *single_resp_summary(O
ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
md_timeperiod_t valid;
+#if MD_USE_OPENSSL_PRE_1_1_API
+ certid = resp->certId;
+#else
certid = OCSP_SINGLERESP_get0_id(resp);
+#endif
status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
valid.end = md_asn1_generalized_time_get(bnextup);
Modified: httpd/httpd/trunk/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_version.h?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_version.h (original)
+++ httpd/httpd/trunk/modules/md/md_version.h Tue Nov 19 12:39:32 2019
@@ -27,7 +27,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "2.2.3"
+#define MOD_MD_VERSION "2.2.4"
/**
* @macro
@@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x020203
+#define MOD_MD_VERSION_NUM 0x020204
#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
Modified: httpd/httpd/trunk/modules/md/mod_md.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/mod_md.c?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/mod_md.c (original)
+++ httpd/httpd/trunk/modules/md/mod_md.c Tue Nov 19 12:39:32 2019
@@ -438,18 +438,25 @@ static server_rec *get_public_https_serv
server_rec *s;
request_rec r;
int i;
+ int skip_port_check = 0;
sc = md_config_get(base_server);
mc = sc->mc;
memset(&r, 0, sizeof(r));
-
- if (!mc->can_https) return NULL;
+
+ if (md->ca_challenges && md->ca_challenges->nelts > 0) {
+ /* skip the port check if "tls-alpn-01" is pre-configured */
+ skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+ }
+
+ if (!skip_port_check && !mc->can_https) return NULL;
+
/* find an ssl server matching domain from MD */
for (s = base_server; s; s = s->next) {
sc = md_config_get(s);
if (!sc || !sc->is_ssl || !sc->assigned) continue;
if (base_server == s && !mc->manage_base_server) continue;
- if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+ if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
for (i = 0; i < sc->assigned->nelts; ++i) {
if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
r.server = s;
@@ -1067,7 +1074,7 @@ static apr_status_t get_certificate(serv
}
else if (sc->assigned->nelts != 1) {
if (!fallback) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207)
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
"conflict: %d MDs match Virtualhost %s which uses SSL, however "
"there can be at most 1.",
(int)sc->assigned->nelts, s->server_hostname);