-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md: v2.2.4 from github, Fixes a compile time issue with OpenSSL 1.0.2 in
+ the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
+ is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
+
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#if defined(LIBRESSL_VERSION_NUMBER)
+/* Missing from LibreSSL */
+#define MD_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MD_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
#include "md.h"
#include "md_crypt.h"
#include "md_json.h"
ASN1_GENERALIZEDTIME *bup = NULL, *bnextup = NULL;
md_timeperiod_t valid;
+#if MD_USE_OPENSSL_PRE_1_1_API
+ certid = resp->certId;
+#else
certid = OCSP_SINGLERESP_get0_id(resp);
+#endif
status = OCSP_single_get0_status(resp, &reason, NULL, &bup, &bnextup);
valid.start = bup? md_asn1_generalized_time_get(bup) : apr_time_now();
valid.end = md_asn1_generalized_time_get(bnextup);
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "2.2.3"
+#define MOD_MD_VERSION "2.2.4"
/**
* @macro
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x020203
+#define MOD_MD_VERSION_NUM 0x020204
#define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
server_rec *s;
request_rec r;
int i;
+ int skip_port_check = 0;
sc = md_config_get(base_server);
mc = sc->mc;
memset(&r, 0, sizeof(r));
-
- if (!mc->can_https) return NULL;
+
+ if (md->ca_challenges && md->ca_challenges->nelts > 0) {
+ /* skip the port check if "tls-alpn-01" is pre-configured */
+ skip_port_check = md_array_str_index(md->ca_challenges, MD_AUTHZ_TYPE_TLSALPN01, 0, 0) >= 0;
+ }
+
+ if (!skip_port_check && !mc->can_https) return NULL;
+
/* find an ssl server matching domain from MD */
for (s = base_server; s; s = s->next) {
sc = md_config_get(s);
if (!sc || !sc->is_ssl || !sc->assigned) continue;
if (base_server == s && !mc->manage_base_server) continue;
- if (base_server != s && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
+ if (base_server != s && !skip_port_check && mc->local_443 > 0 && !uses_port(s, mc->local_443)) continue;
for (i = 0; i < sc->assigned->nelts; ++i) {
if (md == APR_ARRAY_IDX(sc->assigned, i, md_t*)) {
r.server = s;
}
else if (sc->assigned->nelts != 1) {
if (!fallback) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10207)
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10042)
"conflict: %d MDs match Virtualhost %s which uses SSL, however "
"there can be at most 1.",
(int)sc->assigned->nelts, s->server_hostname);
projects / thirdparty / apache / httpd.git / commitdiff
