From 7afd53dde8189452ceccb64539f7a7c77be4706e Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Tue, 4 Nov 2025 14:30:49 +0000 Subject: [PATCH] mod_md, update tp v2.6.5 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1929514 13f79535-47bb-0310-9956-ffa450edef68 --- changes-entries/md_v2.6.5.txt | 9 +++++++++ docs/manual/mod/mod_md.xml | 17 +++++++++++++++++ modules/md/md_crypt.c | 6 +++++- modules/md/md_ocsp.c | 1 + modules/md/md_version.h | 4 ++-- modules/md/mod_md_config.c | 21 +++++++++++++++++++++ modules/md/mod_md_config.h | 1 + modules/md/mod_md_drive.c | 2 +- 8 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 changes-entries/md_v2.6.5.txt diff --git a/changes-entries/md_v2.6.5.txt b/changes-entries/md_v2.6.5.txt new file mode 100644 index 0000000000..796bb0e1c1 --- /dev/null +++ b/changes-entries/md_v2.6.5.txt @@ -0,0 +1,9 @@ + *) mod_md: update to version 2.6.5 + - New directive `MDInitialDelay`, controlling how longer to wait after + a server restart before checking certificates for renewal. + [Michael Kaufmann] + - Hardening: when build with OpenSSL older than 1.0.2 or old libressl + versions, the parsing of ASN.1 time strings did not do a length check. + - Hardening: when reading back OCSP responses stored in the local JSON + store, missing 'valid' key led to uninitialized values, resulting in + wrong refresh behaviour. diff --git a/docs/manual/mod/mod_md.xml b/docs/manual/mod/mod_md.xml index db694c3049..d35d32c5ca 100644 --- a/docs/manual/mod/mod_md.xml +++ b/docs/manual/mod/mod_md.xml @@ -1582,4 +1582,21 @@ MDMessageCmd /etc/apache/md-message

+ + + MDInitialDelay + How long to delay the first certificate check. + MDInitialDelay duration + MDInitialDelay 0s + + server config + + Available in version 2.4.66 and later + +

+ The amount of time to wait after the server start to check + renewals of certificates. By default this occurs right away. +

+ + diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c index 23a6fd1188..b06d950490 100644 --- a/modules/md/md_crypt.c +++ b/modules/md/md_crypt.c @@ -206,7 +206,7 @@ static int pem_passwd(char *buf, int size, int rwflag, void *baton) /* Get the apr time (micro seconds, since 1970) from an ASN1 time, as stored in X509 * certificates. OpenSSL now has a utility function, but other *SSL derivatives have - * not caughts up yet or chose to ignore. An alternative is implemented, we prefer + * not caught up yet or chose to ignore. An alternative is implemented, we prefer * however the *SSL to maintain such things. */ static apr_time_t md_asn1_time_get(const ASN1_TIME* time) @@ -220,6 +220,10 @@ static apr_time_t md_asn1_time_get(const ASN1_TIME* time) const char* str = (const char*) time->data; apr_size_t i = 0; + if ((time->length < 12) || ( + (time->type == V_ASN1_GENERALIZEDTIME) && time->length < 16)) + return 0; + memset(&t, 0, sizeof(t)); if (time->type == V_ASN1_UTCTIME) {/* two digit year */ diff --git a/modules/md/md_ocsp.c b/modules/md/md_ocsp.c index af2dd15293..869fbb64b7 100644 --- a/modules/md/md_ocsp.c +++ b/modules/md/md_ocsp.c @@ -190,6 +190,7 @@ static apr_status_t ostat_from_json(md_ocsp_cert_stat_t *pstat, md_timeperiod_t valid; apr_status_t rv = APR_ENOENT; + memset(&valid, 0, sizeof(valid)); memset(resp_der, 0, sizeof(*resp_der)); memset(resp_valid, 0, sizeof(*resp_valid)); s = md_json_dups(p, json, MD_KEY_VALID, MD_KEY_FROM, NULL); diff --git a/modules/md/md_version.h b/modules/md/md_version.h index 46a154432b..858d44d9a3 100644 --- a/modules/md/md_version.h +++ b/modules/md/md_version.h @@ -27,7 +27,7 @@ * @macro * Version number of the md module as c string */ -#define MOD_MD_VERSION "2.6.2" +#define MOD_MD_VERSION "2.6.5-git" /** * @macro @@ -35,7 +35,7 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define MOD_MD_VERSION_NUM 0x020602 +#define MOD_MD_VERSION_NUM 0x020605 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory" diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c index 73292ef94f..d6807c9caf 100644 --- a/modules/md/mod_md_config.c +++ b/modules/md/mod_md_config.c @@ -84,6 +84,7 @@ static md_mod_conf_t defmc = { "crt.sh", /* default cert checker site name */ "https://crt.sh?q=", /* default cert checker site url */ NULL, /* CA cert file to use */ + APR_TIME_C(0), /* initial cert check delay */ apr_time_from_sec(MD_SECS_PER_DAY/2), /* default time between cert checks */ apr_time_from_sec(30), /* minimum delay for retries */ 13, /* retry_failover after 14 errors, with 5s delay ~ half a day */ @@ -676,6 +677,24 @@ static const char *md_config_set_base_server(cmd_parms *cmd, void *dc, const cha return set_on_off(&config->mc->manage_base_server, value, cmd->pool); } +static const char *md_config_set_initial_delay(cmd_parms *cmd, void *dc, const char *value) +{ + md_srv_conf_t *config = md_config_get(cmd->server); + const char *err = md_conf_check_location(cmd, MD_LOC_NOT_MD); + apr_time_t delay; + + (void)dc; + if (err) return err; + if (md_duration_parse(&delay, value, "s") != APR_SUCCESS) { + return "unrecognized duration format"; + } + if (delay < 0) { + return "initial delay must not be negative"; + } + config->mc->initial_delay = delay; + return NULL; +} + static const char *md_config_set_check_interval(cmd_parms *cmd, void *dc, const char *value) { md_srv_conf_t *config = md_config_get(cmd->server); @@ -1377,6 +1396,8 @@ const command_rec md_cmds[] = { "Configure locking of store for updates."), AP_INIT_TAKE1("MDMatchNames", md_config_set_match_mode, NULL, RSRC_CONF, "Determines how DNS names are matched to vhosts."), + AP_INIT_TAKE1("MDInitialDelay", md_config_set_initial_delay, NULL, RSRC_CONF, + "How long to delay the first certificate check."), AP_INIT_TAKE1("MDCheckInterval", md_config_set_check_interval, NULL, RSRC_CONF, "Time between certificate checks."), AP_INIT_TAKE1("MDProfile", md_config_set_profile, NULL, RSRC_CONF, diff --git a/modules/md/mod_md_config.h b/modules/md/mod_md_config.h index a2354354cc..3159ec651f 100644 --- a/modules/md/mod_md_config.h +++ b/modules/md/mod_md_config.h @@ -78,6 +78,7 @@ struct md_mod_conf_t { const char *cert_check_name; /* name of the linked certificate check site */ const char *cert_check_url; /* url "template for" checking a certificate */ const char *ca_certs; /* root certificates to use for connections */ + apr_time_t initial_delay; /* how long to delay the first cert renewal check */ apr_time_t check_interval; /* duration between cert renewal checks */ apr_time_t min_delay; /* minimum delay for retries */ int retry_failover; /* number of errors to trigger CA failover */ diff --git a/modules/md/mod_md_drive.c b/modules/md/mod_md_drive.c index 9dfa93a290..c5d710817c 100644 --- a/modules/md/mod_md_drive.c +++ b/modules/md/mod_md_drive.c @@ -403,7 +403,7 @@ apr_status_t md_renew_start_watching(md_mod_conf_t *mc, server_rec *s, apr_pool_ "create md renew watchdog(%s)", MD_RENEW_WATCHDOG_NAME); return rv; } - rv = wd_register_callback(dctx->watchdog, 0, dctx, run_watchdog); + rv = wd_register_callback(dctx->watchdog, mc->initial_delay, dctx, run_watchdog); ap_log_error(APLOG_MARK, rv? APLOG_CRIT : APLOG_DEBUG, rv, s, APLOGNO(10067) "register md renew watchdog(%s)", MD_RENEW_WATCHDOG_NAME); return rv; -- 2.47.3