md_crypt.c

*) mod_md: Adding several new features.

The module offers an implementation of OCSP Stapling that can replace fully or for a limited set of domains the existing one from mod_ssl. OCSP handling is part of mod_md's monitoring and message notifications. It can be used for sites that do not have ACME certificates.

The url for a CTLog Monitor can be configured. It is used in the server-status to link to the external status page of a certificate.

The MDMessageCmd is called with argument "installed" when a new certificate has been activated on server restart/reload. This allows for processing of the new certificate, for example for applications that require it in different locations or formats.

* mod_md: fix compiler warnings

Wrap get_ct_scts_nid() in preproc in order to avoid error: unused function 'get_ct_scts_nid' [-Werror,-Wunused-function] in maint mode

*) mod_md: bringing over v2.0.6 from github.

- supports the ACMEv2 protocol
- supports the new challenge method 'tls-alpn-01'
- supports command configuration to setup/teardown 'dns-01' challenges
- supports wildcard certificates when dns challenges are configured
- ACMEv2 is the new default and will be used on the next certificate renewal, unless another MDCertificateAuthority is configured
- challenge type 'tls-sni-01' has been removed as CAs do not offer this any longer
- a domain exposes its status at https://<domain>/.httpd/certificate-status
- Managed Domains are now in Apache's 'server-status' page
- A new handler 'md-status' exposes verbose status information in JSON format
- new directives "MDCertificateFile" and "MDCertificateKeyFile" to configure a Managed Domain that uses static files. Auto-renewal is turned off for those.
- new MDMessageCmd that is invoked on several events: 'renewed', 'expiring' and 'errored'. New 'MDWarnWindow' directive to configure when expiration warnings shall be issued.
- ACMEv2 endpoints use the GET via empty POST way of accessing resources, see announcement by Let's Encrypt: https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

* using the, hopefully correct, ever elusive libressl version numbering check for the new openssl API calls, fixes PR 62548.

mod_md: more robust handling of http-01 challenges and hands-off when module should not be involved, e.g. challenge setup by another ACME client.

mod_ssl: build with LibreSSL.

LibreSSL seems to be openssl-1.1 API compatible only in version 2.8 (master). So use that for MODSSL_USE_OPENSSL_PRE_1_1_API instead of 2.7, the two 2.7 compatibility-exceptions are handled explicitly but overall it's simpler.

Regarding CRYPTO_malloc_init vs OPENSSL_malloc_init, libreSSL uses none, the former used to be a no-op but depends on LIBRESSL_INTERNAL in latest versions, while the latter has never been (and will never be) defined. So don't call any with LibreSSL.

On the trunk:

mod_ssl: proper checks for libressl 2.07/8 and its TLSv1_3 support, see PR 62236.

[Bernard Spil <brnrd@freebsd.org>]

mod_md: Fix compilation with OpenSSL before version 1.0.2.

Symbol ASN1_TIME_diff is only available for 1.0.2+, but luckily alternative code we can use is already available, originally written for the LibreSSL case.

On the trunk:

mod_md: removing comments that documented that greenbytes has untransferable copyright to the sources. The rights, of course, remain unaffected, but maybe some people can sleep better.

On the trunk:

Fixed gcc warnings in latest mod_md version.

On the trunk:

mod_md v1.1.7 changes

mod_md: fix leaks in md_cert_get_issuers_uri() and md_cert_get_alt_names().

On the trunk:

mod_md: reverses most of v1.0.5 optimization of post_config init, so that mod_ssl can ask for certificates without crashing.

"It is better to light a candle than curse the darkness."

spelling fixes from Josh Soref via github
On the trunk:

mod_md: v0.9.7

- Use of the new module flag

- Removed obsolete function from interface to mod_ssl.

- Fallback certificates have version set and no longer claim to be a CA. (re issue #32)

- MDRequireHttps now happens before any Redirect.

On the trunk:

mod_md: v0.9.5:

- New directive (srly: what do you expect at this point?) "MDMustStaple on|off" to control if new certificates are requested with the OCSP Must Staple extension.
- Known limitation: when the server is configured to ditch and restart child processes, for example after a certain number of connections/requests, the mod_md watchdog instance might migrate to a new child process. Since not all its state is persisted, some messages might appear a second time in the logs.
- Adding checks when 'MDRequireHttps' is used. It is considered an error when 'MDPortMap 443:-' is used - which negates that a https: port exists. Also, a warning is logged if no VirtualHost can be found for a Managed Domain that has port 443 (or the mapped one) in its address list.
- New directive 'MDRequireHttps' for redirecting http: traffic to a Managed Domain, permanently or temporarily.
- Fix for using a fallback certificate on initial signup of a Managed Domain. Requires also a changed mod_ssl patch (v5) to take effect.

- compatibility with libressl

On the trunk:

*) mod_md: v0.9.1:

- various fixes in MDRenewWindow handling when specifying percent. Serialization changed. If someone already used percent configurations, it is advised to change these to a new value, reload and change back to the wanted ones.
- various fixes in handling of MDPrivateKeys when specifying 2048 bits (the default) explicitly.
- mod_md version removed from top level md_store.json file. The store has its own format version to facilitate upgrades.

On the trunk:

mod_md: v0.8.1 from github, new feats in CHANGES

On the trunk:

mod_md v0.7.0:

- LIVE: the real Let's Encrypt CA is now live by default! If you need to experiment, configure MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
- When existing, complete certificates are renewed, the activation of the new ones is delayed by 24 hours (or until the existing ones expire, whatever is earlier) to accommodate for clients with weird clocks, refs #1.
- Fixed store sync when MDCAChallenges was removed again from an MD.
- Fixed crash when MD matched the base server, fixes #23
- Fixed watchdog resetting staging when server processes disappeared (e.g. reached max requests or other limits).
