Posted to cvs@httpd.apache.org by ic...@apache.org on 2019/11/19 12:39:32 UTC

svn commit: r1870020 - in /httpd/httpd/trunk: CHANGES modules/md/md_ocsp.c modules/md/md_version.h modules/md/mod_md.c

Author: icing
Date: Tue Nov 19 12:39:32 2019
New Revision: 1870020

URL: http://svn.apache.org/viewvc?rev=1870020&view=rev
Log:
  *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in 
     the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01" 
     is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
  

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/md/md_ocsp.c
    httpd/httpd/trunk/modules/md/md_version.h
    httpd/httpd/trunk/modules/md/mod_md.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Nov 19 12:39:32 2019
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in 
+     the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01" 
+     is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
+  
   *) mod_ssl: Support logging private key material for use with
      wireshark via log file given by SSLKEYLOGFILE environment
      variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]

Modified: httpd/httpd/trunk/modules/md/md_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_ocsp.c?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_ocsp.c (original)
+++ httpd/httpd/trunk/modules/md/md_ocsp.c Tue Nov 19 12:39:32 2019
@@ -32,6 +32,13 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
 #include "md.h"
 #include "md_crypt.h"
 #include "md_json.h"
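Review bot: The comment `/* Missing from LibreSSL */` on the new MD_USE_OPENSSL_PRE_1_1_API block does not say what is missing or why the OpenSSL version test cannot be used, which is the point a maintainer touching this guard will need. LibreSSL reports a fixed OPENSSL_VERSION_NUMBER (0x20000000L, as far as I know), so the plain `< 0x10100000L` test would wrongly select the 1.1 accessors on every LibreSSL release; that is the reason for the separate branch and should be spelled out, e.g. `/* LibreSSL pins OPENSSL_VERSION_NUMBER to 0x2xxxxxxx; test its own version instead. The 1.1-style accessors used below (OCSP_SINGLERESP_get0_id) appeared in 2.7.0 */`. Please also confirm that 2.7.0 is the release that actually added OCSP_SINGLERESP_get0_id rather than just the first 1.1-API release, since an off-by-one-release here breaks the build on exactly the platforms this change is meant to fix. If md_crypt.c carries the same version guard, a single definition in a shared header would keep the two thresholds from drifting.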
@@ -566,7 +573,11 @@ static const char *single_resp_summary(O
     ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
     md_timeperiod_t valid;
     
+#if MD_USE_OPENSSL_PRE_1_1_API
+    certid = resp->certId;
+#else
     certid = OCSP_SINGLERESP_get0_id(resp);
+#endif
     status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
     valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
     valid.end = md_asn1_generalized_time_get(bnextup);
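Review bot: The new `#if` branches only change how certid is obtained; the value flowing out of this hunk, `valid.end`, is still computed from `bnextup` without the NULL guard that `bup` gets on the line above, even though nextUpdate is optional in an OCSP SingleResponse (RFC 6960). Whether that is a defect depends on md_asn1_generalized_time_get tolerating NULL, which is not visible here; if it does not, the pre-1.1 code path this commit enables will hit it on responders that omit nextUpdate. A comment on that line stating the contract would settle it, e.g. `/* nextUpdate is OPTIONAL; md_asn1_generalized_time_get(NULL) must yield a sentinel the caller treats as "re-fetch now" -- TODO confirm */`. single_resp_summary begins and ends outside this hunk, so the handling of valid.end cannot be checked from the diff alone.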

Modified: httpd/httpd/trunk/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_version.h?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_version.h (original)
+++ httpd/httpd/trunk/modules/md/md_version.h Tue Nov 19 12:39:32 2019
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.2.3"
+#define MOD_MD_VERSION "2.2.4"
 
 /**
  * @macro
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020203
+#define MOD_MD_VERSION_NUM 0x020204
 
 #define MD_ACME_DEF_URL    "https://acme-v02.api.letsencrypt.org/directory"
 

Modified: httpd/httpd/trunk/modules/md/mod_md.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/mod_md.c?rev=1870020&r1=1870019&r2=1870020&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/mod_md.c (original)
+++ httpd/httpd/trunk/modules/md/mod_md.c Tue Nov 19 12:39:32 2019
@@ -438,18 +438,25 @@ static server_rec *get_public_https_serv
     server_rec *s;
     request_rec r;
     int i;
+    int skip_port_check = 0;
 
     sc = md_config_get(base_server);
     mc = sc->mc;
     memset(&r, 0, sizeof(r));
-    
-    if (!mc->can_https) return NULL;
+
+    if (md->ca_challenges && md->ca_challenges->nelts > 0) {
+        /* skip the port check if "tls-alpn-01" is pre-configured */
+        skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+    }
+
+    if (!skip_port_check && !mc->can_https) return NULL;
+
     /* find an ssl server matching domain from MD */
     for (s = base_server; s; s = s->next) {
         sc = md_config_get(s);
         if (!sc || !sc->is_ssl || !sc->assigned) continue;
         if (base_server == s && !mc->manage_base_server) continue;
-        if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+        if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
         for (i = 0; i < sc->assigned->nelts; ++i) {
             if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
                 r.server = s;
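Review bot: Setting `skip_port_check` from the mere presence of tls-alpn-01 in `md->ca_challenges` silently disables both the `mc->can_https` early return and the `uses_port(s, mc->local_443)` filter, so a server_rec bound to a non-443 port can now be handed back as the "public https server" with no trace in the error log; a misconfiguration (tls-alpn-01 listed but nothing actually reachable on 443) then surfaces only as a failed challenge at the CA. The rationale should be recorded where the flag is set, e.g. `/* tls-alpn-01 configured explicitly: the admin asserts the CA reaches this host on 443 (proxy/NAT, #133), so do not require a local 443 listener */`, and a debug-level ap_log_error when the check is skipped would make the resulting selection diagnosable. Note the flag is also set when tls-alpn-01 is one of several listed challenges (e.g. alongside http-01), which may or may not be the intended trigger; if only an exclusive tls-alpn-01 configuration should bypass the check, the condition needs `md->ca_challenges->nelts == 1` as well. get_public_https_server starts before this hunk and its loop body continues past it.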
@@ -1067,7 +1074,7 @@ static apr_status_t get_certificate(serv
     }
     else if (sc->assigned->nelts != 1) {
         if (!fallback) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207)
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
                          "conflict: %d MDs match Virtualhost %s which uses SSL, however "
                          "there can be at most 1.",
                          (int)sc->assigned->nelts, s->server_hostname);