You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@httpd.apache.org by GitBox <gi...@apache.org> on 2021/04/20 10:04:51 UTC
[GitHub] [httpd] icing commented on a change in pull request #179: core ap_ssl_() support, related changes, latest mod_md
icing commented on a change in pull request #179:
URL: https://github.com/apache/httpd/pull/179#discussion_r616536885
##########
File path: modules/ssl/ssl_engine_kernel.c
##########
@@ -2376,15 +2394,6 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
sslcon->vhost_found = +1;
return APR_SUCCESS;
}
- else if (ssl_is_challenge(c, servername, &cert, &key)) {
- /* With ACMEv1 we can have challenge connections to a unknown domains
- * that need to be answered with a special certificate and will
- * otherwise not answer any requests. */
- if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
- return APR_EGENERAL;
- }
- SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
- }
Review comment:
This was a challenge situation in the ACMEv1 protocol for the alpn https verification. That used a new hostname which led to people being able to get certificates for domain they do not own in shared hosting setups. It has been disabled ever since that was found out.
Since the new mod_md no longer supports ACMEv1, this seems superfluous to keep in the server.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@httpd.apache.org
For additional commands, e-mail: notifications-help@httpd.apache.org