httpd-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <>
Subject [GitHub] [httpd] icing commented on a change in pull request #179: core ap_ssl_() support, related changes, latest mod_md
Date Tue, 20 Apr 2021 10:04:51 GMT

icing commented on a change in pull request #179:

File path: modules/ssl/ssl_engine_kernel.c
@@ -2376,15 +2394,6 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
                 sslcon->vhost_found = +1;
                 return APR_SUCCESS;
-            else if (ssl_is_challenge(c, servername, &cert, &key)) {
-                /* With ACMEv1 we can have challenge connections to a unknown domains
-                 * that need to be answered with a special certificate and will
-                 * otherwise not answer any requests. */
-                if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
-                    return APR_EGENERAL;
-                }
-                SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify);
-            }

Review comment:
       This was a challenge situation in the ACMEv1 protocol for the alpn https verification.
That used a new hostname which led to people being able to get certificates for domain they
do not own in shared hosting setups. It has been disabled ever since that was found out.
   Since the new mod_md no longer supports ACMEv1, this seems superfluous to keep in the server.

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message