httpd-dev mailing list archives

From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject trunk-md merge pending
Date Tue, 08 Aug 2017 14:19:46 GMT
FYI: mod_md merge into trunk is incoming, most likely tomorrow. 

The merge candidate is in ^/httpd/httpd/branches/trunk-md. Existing code
has only been changed in mod_ssl. A diff is available via:

svn diff ^/httpd/httpd/trunk/modules/ssl ^/httpd/httpd/branches/trunk-md/modules/ssl

Gist of the mod_ssl changes:

1. In post_config:
   mod_ssl can ask mod_md, via optional functions, if a server_rec is managed. 
   If yes:
   - it checks if certificates are already defined for this server. 
     If so, it logs and ignores mod_md. (Safe route. Can be discussed if it should
     override instead.)
   - it asks mod_md for the key/cert/chain files
     a) if they are all there, they are added to the server configuration
     b) if all or some are missing, a new "service_unavailable" 
        flag is set in the server config. (This is new, a vhost that does not fail
        config, but is unavailable for config reasons.)

2. In the mod_ssl read_request hook:
   mod_ssl checks if the request's server config has "service_unavailable" set. 
   If so, the request is answered with a 503. This should prevent any access 
   to a server whose certificate is (not yet) available.

3. In the SNI callback:
   If no matching virtual host is found for the client supplied server name, mod_ssl
   asks mod_md (if available) if this server name is a challenge. When mod_md answers
   positive, it will provide certificate and key.
   mod_ssl sets these in the SSL* of the connection and also sets the "service_unavailable"
   for the connection so that change 2.) also gives 503 for all requests to this domain.
   (This is for the "tls-sni-01" authorization method of the ACME protocol.)

Cheers,

Stefan

PS. @Jchampion: I am not sure how to best merge the unit test cases into httpd. They need
to be optional, tied to the availability of mod_md, and I do not know how to do that.

PPS. Another nit: mod_md also builds an executable, currently named a2md. I thought about
putting it in support/, but since this depends upon the optional mod_md, it is more natural in
modules/md, I thought.
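The three changes above describe a small state machine: post_config decides per vhost whether mod_md's files are usable, the read_request hook turns the resulting flag into a 503, and the SNI callback can flag a single connection for a tls-sni-01 challenge name. The C model below is an added example, not code from the trunk-md branch or from mod_ssl/mod_md; the structs, function names (ssl_post_config, ssl_read_request, ssl_sni_callback, demo_status_for) and the vhost/challenge data are stand-ins constructed for illustration, and the "ask mod_md" steps are modelled as plain fields and a lookup table rather than the real optional functions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: dependency-free model of the mod_ssl/mod_md interaction.
 * All types and names are hypothetical stand-ins for httpd internals. */

#define HTTP_OK 200
#define HTTP_SERVICE_UNAVAILABLE 503

/* What mod_md would hand back for a managed server; NULL means "not there yet". */
typedef struct { const char *key_file, *cert_file, *chain_file; } md_certs_t;

/* Stand-in for the per-vhost mod_ssl server config. */
typedef struct {
    const char *server_name;
    int md_managed;          /* answer to "is this server_rec managed by mod_md?" */
    int static_certs;        /* SSLCertificateFile & co. already configured */
    md_certs_t md;           /* files offered by mod_md, consulted only if managed */
    int certs_loaded;        /* key/cert/chain were added to the server config */
    int service_unavailable; /* change 1b: configured, but not servable yet */
} ssl_srv_t;

/* Per-connection state; the SNI callback may flag the connection (change 3). */
typedef struct {
    const ssl_srv_t *server;    /* vhost picked by SNI, or NULL */
    const char *challenge_cert; /* challenge cert/key that would go into the SSL* */
    const char *challenge_key;
    int service_unavailable;
} ssl_conn_t;

/* Hypothetical table of names for which mod_md holds a tls-sni-01 challenge. */
typedef struct { const char *name, *cert, *key; } md_challenge_t;

static int name_eq(const char *a, const char *b)   /* host names are case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Change 1: post_config. Returns 1 if mod_md's files were taken over. */
int ssl_post_config(ssl_srv_t *s)
{
    s->certs_loaded = s->service_unavailable = 0;
    if (!s->md_managed) return 0;
    if (s->static_certs) {               /* "safe route": explicit certs win */
        fprintf(stderr, "%s: certificates configured, ignoring mod_md\n", s->server_name);
        return 0;
    }
    if (s->md.key_file && s->md.cert_file && s->md.chain_file) {
        s->certs_loaded = 1;             /* 1a: all files present */
        return 1;
    }
    s->service_unavailable = 1;          /* 1b: something missing, config does not fail */
    return 0;
}

/* Change 2: read_request hook; either the server or the connection may be flagged. */
int ssl_read_request(const ssl_conn_t *c)
{
    if (c->service_unavailable || (c->server && c->server->service_unavailable))
        return HTTP_SERVICE_UNAVAILABLE;
    return HTTP_OK;
}

/* Change 3: SNI callback. Returns 1 if a vhost or a challenge handled the name. */
int ssl_sni_callback(ssl_conn_t *c, const char *servername, ssl_srv_t *vhosts,
                     size_t nvhosts, const md_challenge_t *chal, size_t nchal)
{
    size_t i;
    c->server = NULL; c->challenge_cert = c->challenge_key = NULL; c->service_unavailable = 0;
    for (i = 0; i < nvhosts; i++)
        if (name_eq(vhosts[i].server_name, servername)) { c->server = &vhosts[i]; return 1; }
    for (i = 0; i < nchal; i++)          /* no vhost: is it a pending challenge? */
        if (name_eq(chal[i].name, servername)) {
            c->challenge_cert = chal[i].cert;
            c->challenge_key = chal[i].key;
            c->service_unavailable = 1;  /* so change 2 answers 503 on this connection */
            return 1;
        }
    return 0;
}

/* Constructed scenario: ready, pending and statically configured vhosts plus one
 * challenge name. Returns the status the request hook would give, -1 if unhandled. */
int demo_status_for(const char *servername)
{
    ssl_srv_t vhosts[3] = {
        { "ready.example.org",   1, 0, { "r.key", "r.crt", "r.chain" }, 0, 0 },
        { "pending.example.org", 1, 0, { "p.key", NULL, NULL }, 0, 0 },
        { "static.example.org",  1, 1, { NULL, NULL, NULL }, 0, 0 },
    };
    md_challenge_t chal[1] = { { "new.example.org", "chal.crt", "chal.key" } };
    ssl_conn_t conn;
    size_t i;
    for (i = 0; i < 3; i++) ssl_post_config(&vhosts[i]);
    if (!ssl_sni_callback(&conn, servername, vhosts, 3, chal, 1)) return -1;
    return ssl_read_request(&conn);
}
```

The model keeps the two flag scopes separate, as the mail does: a vhost whose files are incomplete is unavailable for every connection, while a challenge name only marks the one connection that presented it.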


