-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md: reverses most of v1.0.5 optimization of post_config init, so that
+ mod_ssl can ask for certiticates without crashing. [Stefan Eissing]
+
*) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
PR 61857. [Yann Ylavic]
/**
* The MD is complete and un-expired. This is a renewal run.
* Give activation 24 hours leeway (if we have that time) to
- * accomodate for clients with somewhat weird clocks.
+ * accommodate for clients with somewhat weird clocks.
*/
delay_activation = apr_time_from_sec(MD_SECS_PER_DAY);
if (delay_activation > (max_delay = d->md->expires - now)) {
X509_EXTENSION *x;
int nid;
- nid = OBJ_create("1.3.6.1.5.5.7.1.24", "OCSPReq", "OCSP Request");
+ nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature");
if (NID_undef == nid) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
- "%s: unable to get NID for must-staple", md->name);
- return APR_EGENERAL;
+ "%s: unable to get NID for v3 must-staple TLS feature", md->name);
+ return APR_ENOTIMPL;
}
x = X509V3_EXT_conf_nid(NULL, NULL, nid, (char*)"DER:30:03:02:01:05");
if (NULL == x) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
- "%s: unable to get x509 extension for must-staple", md->name);
+ "%s: unable to create x509 extension for must-staple", md->name);
return APR_EGENERAL;
}
sk_X509_EXTENSION_push(exts, x);
rv = APR_EGENERAL; goto out;
}
if (APR_SUCCESS != (rv = add_must_staple(exts, md, p))) {
- md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: must staple", md->name);
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: you requested that a certificate "
+ "is created with the 'must-staple' extension, however the SSL library was "
+ "unable to initialized that extension. Please file a bug report on which platform "
+ "and with which library this happens. To continue before this problem is resolved, "
+ "configure 'MDMustStaple off' for your domains", md->name);
rv = APR_EGENERAL; goto out;
}
/* add extensions to csr */
void md_json_destroy(md_json_t *json)
{
if (json && json->j) {
+ assert(json->j->refcount > 0);
json_decref(json->j);
json->j = NULL;
}
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "1.1.1"
+#define MOD_MD_VERSION "1.1.2"
/**
* @macro
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x010101
+#define MOD_MD_VERSION_NUM 0x010102
#define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
goto out;
}
- if (dry_run) {
- /* enough done in this case */
- return APR_SUCCESS;
- }
-
if (APR_SUCCESS != (rv = md_reg_sync(reg, p, ptemp, mc->mds))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
"synching %d mds to registry", mc->mds->nelts);
/* Determine the managed domains that are in auto drive_mode. For those,
* determine in which state they are:
- * - UNKNOWN: should not happen, report, dont drive
- * - ERROR: something we do not know how to fix, report, dont drive
+ * - UNKNOWN: should not happen, report, don't drive
+ * - ERROR: something we do not know how to fix, report, don't drive
* - INCOMPLETE/EXPIRED: need to drive them right away
* - COMPLETE: determine when cert expires, drive when the time comes
*
init_ssl();
+ if (dry_run) {
+ goto out;
+ }
+
/* If there are MDs to drive, start a watchdog to check on them regularly */
if (drive_names->nelts > 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10074)
projects / thirdparty / apache / httpd.git / commitdiff
