git.ipfire.org Git - thirdparty/apache/httpd.git/commit

author	Joe Orton <jorton@apache.org>
	Wed, 3 Mar 2021 14:53:12 +0000 (14:53 +0000)
committer	Joe Orton <jorton@apache.org>
	Wed, 3 Mar 2021 14:53:12 +0000 (14:53 +0000)
commit	33af74c29fbd85890f1f6e6454a81bab7a01de41
tree	163a9ad36c5df8a9188d1ed6241a5ddee6794000	tree
parent	dec9480c3e5fc9571dd8d337568cdf9d21602ca4	commit \| diff

Synch from mod_md github:

mod_md: tolerate missing revokeCert or keyChange resource

RFC 8555 §7.1 states:

  The server MUST provide "directory" and "newNonce" resources.

But RFC 8555 makes no explicit statement anywhere whether other
resources are, or are not, required (with the exception of
"newAuthz" which is optional).

Therefore it is possible that some ACME server implementations may
omit some resources; in particular those that are not an essential
part of the "order" workflow.  Indeed, I am working with one such
server implementation, which does not at this time implement
"keyChange".  mod_md refuses to interact with this server because it
is checking that a certain set of resources are defined in the
directory object - despite some of those resources not currently
being used.

Update the check to require only "newNonce", "newAccount" and
"newOrder".  Omit from the check and therefore tolerate the absense
of resources which are not always required: "revokeCert" and
"keyChange".

If mod_md implements revocation and/or key rollover in the future,
the availability of those features should be predicated on the
server's advertised capabilities.

https://github.com/icing/mod_md/commit/38ff597f3ccb3c942e68701fb185c6a68f0708e4

Submitted by: Fraser Tweedale <ftweedal redhat.com>
Github: closes #122

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887148 13f79535-47bb-0310-9956-ffa450edef68

changes-entries/mod_md-missing-resources.txt	[new file with mode: 0644]	blob
modules/md/md_acme.c		diff \| blob \| blame \| history