From: Stefan Eissing
Subject: trunk-md merge pending
Date: Tue, 8 Aug 2017 16:19:46 +0200
To: dev@httpd.apache.org
Message-Id: <9F56B539-DE11-4890-98CE-97F22C79B305@greenbytes.de>

FYI: mod_md merge into trunk is incoming, most likely tomorrow.

The merge candidate is in ^/httpd/httpd/branches/trunk-md. Existing code has only been changed in mod_ssl. A diff is available via:

  svn diff ^/httpd/httpd/trunk/modules/ssl ^/httpd/httpd/branches/trunk-md/modules/ssl

Gist of the mod_ssl changes:

1. In post_config: mod_ssl can ask mod_md via optional functions if a server_rec is managed.
   If yes:
   - it checks if certificates are already defined for this server. If so, it logs and ignores mod_md. (Safe route. Can be discussed if it should override instead.)
   - it asks mod_md for the key/cert/chain files
     a) if they are all there, they are added to the server configuration
     b) if all or some are missing, a new "service_unavailable" flag is set in the server config. (This is new: a vhost that does not fail config, but is unavailable for config reasons.)

2. In the mod_ssl read_request hook: mod_ssl checks if the request's server config has "service_unavailable" set. If so, the request is answered with a 503. This should prevent any access to a server whose certificate is (not yet) available.

3. In the SNI callback: If no matching virtual host is found for the client-supplied server name, mod_ssl asks mod_md (if available) if this server name is a challenge. When mod_md answers positive, it will provide certificate and key. mod_ssl sets these in the SSL* of the connection and also sets "service_unavailable" for the connection, so that change 2.) also gives 503 for all requests to this domain. (This is for the "tls-sni-01" authorization method of the ACME protocol.)

Cheers,
Stefan

PS. @Jchampion: I am not sure how to best merge the unit test cases into httpd. They need to be optional, tied to the availability of mod_md, and I do not know how to do that.

PPS. Another nit: mod_md also builds an executable, currently named a2md. I thought about putting it in support/, but since this depends upon the optional mod_md, it is more natural in modules/md, I thought.
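The three mod_ssl changes described in the mail, modelled end to end as an added example. This is not code from httpd, mod_ssl or mod_md: `FakeMD` and its methods `is_managed`, `get_credentials` and `challenge_for` are invented stand-ins for the mod_md optional functions, `ServerConfig` and `Connection` are plain Python stand-ins for the per-vhost and per-connection state, and the sample domains and file names are constructed. What the model makes visible is the edge case the mail introduces: a managed vhost whose key, cert or chain is missing does not fail config but answers every request with 503, and a tls-sni-01 challenge name is served its challenge cert yet also answers 503.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServerConfig:
    """Stand-in for the per-vhost mod_ssl server config (invented for this model)."""
    name: str
    creds: dict = field(default_factory=dict)   # explicitly configured key/cert/chain
    service_unavailable: bool = False           # the new flag from change 1b
    log: list = field(default_factory=list)


@dataclass
class Connection:
    """Stand-in for per-connection state that the SNI callback fills in."""
    server: Optional[ServerConfig] = None
    cert: Optional[str] = None
    key: Optional[str] = None
    service_unavailable: bool = False           # connection-level flag from change 3


class FakeMD:
    """Stand-in for the mod_md optional functions; names are invented."""

    def __init__(self, managed, files, challenges):
        self._managed = set(managed)        # server names mod_md manages
        self._files = files                 # name -> {"key", "cert", "chain"} files
        self._challenges = challenges       # tls-sni-01 challenge name -> (cert, key)

    def is_managed(self, name):
        return name in self._managed

    def get_credentials(self, name):
        return self._files.get(name, {})

    def challenge_for(self, name):
        return self._challenges.get(name)


def post_config(server, md):
    """Change 1: adopt mod_md files for a managed vhost, or flag it unavailable."""
    if md is None or not md.is_managed(server.name):
        return server                       # unmanaged vhost: nothing changes
    if server.creds:
        # Safe route: explicitly configured certificates win, mod_md is ignored.
        server.log.append(f"{server.name}: certificates configured, ignoring mod_md")
        return server
    creds = md.get_credentials(server.name)
    files = {k: creds.get(k) for k in ("key", "cert", "chain")}
    if all(files.values()):
        server.creds = files                # 1a: all three present, use them
    else:
        # 1b: some or all missing; config succeeds but the vhost is unavailable
        server.service_unavailable = True
        server.log.append(f"{server.name}: mod_md credentials incomplete, serving 503")
    return server


def read_request(conn):
    """Change 2: 503 when the vhost, or the connection itself, is flagged."""
    if conn.service_unavailable or (conn.server and conn.server.service_unavailable):
        return 503
    return 200                              # default vhost fallback is not modelled


def sni_callback(sni_name, vhosts, md):
    """Change 3: pick a vhost by SNI, or hand out a mod_md challenge cert."""
    conn = Connection()
    for s in vhosts:
        if s.name == sni_name:
            conn.server = s
            conn.key, conn.cert = s.creds.get("key"), s.creds.get("cert")
            return conn
    chal = md.challenge_for(sni_name) if md else None
    if chal:
        conn.cert, conn.key = chal          # what mod_ssl would set on the SSL*
        conn.service_unavailable = True     # so change 2 answers 503 on this connection
    return conn


if __name__ == "__main__":
    md = FakeMD(
        managed=["a.example", "b.example", "c.example"],
        files={"a.example": {"key": "a.key", "cert": "a.crt", "chain": "a.chain"},
               "b.example": {"key": "b.key", "cert": "b.crt"}},     # chain missing
        challenges={"token.acme.invalid": ("chal.crt", "chal.key")},
    )
    vhosts = [post_config(ServerConfig("a.example"), md),
              post_config(ServerConfig("b.example"), md),
              post_config(ServerConfig("c.example", creds={"key": "c.key"}), md)]
    for name in ("a.example", "b.example", "c.example", "token.acme.invalid"):
        print(name, read_request(sni_callback(name, vhosts, md)))
```

Running the block prints 200 for a.example and c.example, 503 for b.example (incomplete files) and 503 for the challenge name, which is exactly the split the mail describes between a vhost that is served, one that is ignored by mod_md, one that is parked, and a challenge-only name.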