authorStefan Eissing <icing@apache.org>2017-12-20 14:53:22 +0100
committerStefan Eissing <icing@apache.org>2017-12-20 14:53:22 +0100
commit0397f6a8882d700c8d33853f02874799cecbbe7e (patch)
tree9a494bf386b1b56726ca52300bf775bb6947de48
parentmod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. (diff)
On the trunk:
mod_md: reverses most of v1.0.5 optimization of post_config init, so that mod_ssl can ask for certificates without crashing. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1818792 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rw-r--r--CHANGES3
-rw-r--r--modules/md/md_acme_drive.c2
-rw-r--r--modules/md/md_crypt.c14
-rw-r--r--modules/md/md_json.c1
-rw-r--r--modules/md/md_version.h4
-rw-r--r--modules/md/mod_md.c13
6 files changed, 22 insertions, 15 deletions
diff --git a/CHANGES b/CHANGES
index 1fc9f35219..a39a79fd1c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_md: reverses most of v1.0.5 optimization of post_config init, so that
+ mod_ssl can ask for certiticates without crashing. [Stefan Eissing]
+
*) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules.
PR 61857. [Yann Ylavic]
diff --git a/modules/md/md_acme_drive.c b/modules/md/md_acme_drive.c
index 518225cc9a..023966ae81 100644
--- a/modules/md/md_acme_drive.c
+++ b/modules/md/md_acme_drive.c
@@ -894,7 +894,7 @@ static apr_status_t acme_stage(md_proto_driver_t *d)
/**
* The MD is complete and un-expired. This is a renewal run.
* Give activation 24 hours leeway (if we have that time) to
- * accomodate for clients with somewhat weird clocks.
+ * accommodate for clients with somewhat weird clocks.
*/
delay_activation = apr_time_from_sec(MD_SECS_PER_DAY);
if (delay_activation > (max_delay = d->md->expires - now)) {
diff --git a/modules/md/md_crypt.c b/modules/md/md_crypt.c
index 1fbc39c52c..7277806fec 100644
--- a/modules/md/md_crypt.c
+++ b/modules/md/md_crypt.c
@@ -1113,16 +1113,16 @@ static apr_status_t add_must_staple(STACK_OF(X509_EXTENSION) *exts, const md_t *
X509_EXTENSION *x;
int nid;
- nid = OBJ_create("1.3.6.1.5.5.7.1.24", "OCSPReq", "OCSP Request");
+ nid = OBJ_create("1.3.6.1.5.5.7.1.24", "tlsfeature", "TLS Feature");
if (NID_undef == nid) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
- "%s: unable to get NID for must-staple", md->name);
- return APR_EGENERAL;
+ "%s: unable to get NID for v3 must-staple TLS feature", md->name);
+ return APR_ENOTIMPL;
}
x = X509V3_EXT_conf_nid(NULL, NULL, nid, (char*)"DER:30:03:02:01:05");
if (NULL == x) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p,
- "%s: unable to get x509 extension for must-staple", md->name);
+ "%s: unable to create x509 extension for must-staple", md->name);
return APR_EGENERAL;
}
sk_X509_EXTENSION_push(exts, x);
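Review bot: The return value of `sk_X509_EXTENSION_push(exts, x)` on the last line of the hunk is not checked, so an allocation failure there leaves the CSR without the must-staple extension while the function still reports success, and `x` is never freed. Replace it with `if (!sk_X509_EXTENSION_push(exts, x)) { X509_EXTENSION_free(x); return APR_EGENERAL; }`. Separately, `OBJ_create` registers the OID afresh on every call, and OpenSSL builds that already ship a built-in `tlsfeature` object may reject the duplicate names, which would now surface as the new APR_ENOTIMPL path on a perfectly capable library; looking the OID up with `OBJ_txt2nid("1.3.6.1.5.5.7.1.24")` first and only falling back to `OBJ_create` would cover both cases. add_must_staple continues past the end of the hunk.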
@@ -1164,7 +1164,11 @@ apr_status_t md_cert_req_create(const char **pcsr_der_64, const md_t *md,
rv = APR_EGENERAL; goto out;
}
if (APR_SUCCESS != (rv = add_must_staple(exts, md, p))) {
- md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: must staple", md->name);
+ md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: you requested that a certificate "
+ "is created with the 'must-staple' extension, however the SSL library was "
+ "unable to initialized that extension. Please file a bug report on which platform "
+ "and with which library this happens. To continue before this problem is resolved, "
+ "configure 'MDMustStaple off' for your domains", md->name);
rv = APR_EGENERAL; goto out;
}
/* add extensions to csr */
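Review bot: The `rv = APR_EGENERAL; goto out;` kept after the new log message discards the APR_ENOTIMPL that add_must_staple now returns (hunk at L52), so callers of md_cert_req_create cannot tell an unsupported-library condition from a generic failure; if the distinction is meant to be propagated, change that line to `goto out;` and let the logged rv stand. The new message also reads "unable to initialized that extension"; it should be `"unable to initialize that extension."`. md_cert_req_create starts and ends outside the hunk.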
diff --git a/modules/md/md_json.c b/modules/md/md_json.c
index 7e79bd919a..ccf1ef6ae2 100644
--- a/modules/md/md_json.c
+++ b/modules/md/md_json.c
@@ -111,6 +111,7 @@ md_json_t *md_json_create_s(apr_pool_t *pool, const char *s)
void md_json_destroy(md_json_t *json)
{
if (json && json->j) {
+ assert(json->j->refcount > 0);
json_decref(json->j);
json->j = NULL;
}
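Review bot: The added `assert(json->j->refcount > 0)` is unlikely to catch the double-release it appears to guard against: if jansson frees the object once its count reaches zero, a zero refcount can only be observed by reading memory that has already been released, so the check is itself the use-after-free rather than a detector for it, and under NDEBUG it disappears entirely. I would keep it only as a documented debug aid, `/* debug aid only: refcount is read from memory jansson may already have freed; rely on ASan/valgrind for real double-decref detection */`, or drop it. Whether `<assert.h>` is included in this file is not visible in the hunk; md_json_destroy's closing brace is also outside it.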
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index d08b927ab4..f11d130987 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -26,7 +26,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "1.1.1"
+#define MOD_MD_VERSION "1.1.2"
/**
* @macro
@@ -34,7 +34,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_MD_VERSION_NUM 0x010101
+#define MOD_MD_VERSION_NUM 0x010102
#define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index 76a92c2ebd..996b5b93ce 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -1060,11 +1060,6 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
goto out;
}
- if (dry_run) {
- /* enough done in this case */
- return APR_SUCCESS;
- }
-
if (APR_SUCCESS != (rv = md_reg_sync(reg, p, ptemp, mc->mds))) {
ap_log_error(APLOG_MARK, APLOG_ERR, rv, s, APLOGNO(10073)
"synching %d mds to registry", mc->mds->nelts);
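Review bot: With the early return gone, a dry run (`httpd -t`) now proceeds through `md_reg_sync`, and nothing in the code says why; the commit message explains it (mod_ssl needs certificates available even on a dry run), but the next reader of md_post_config will not see that. A comment at the point where the check used to be would preserve the reasoning: `/* No dry_run shortcut here: mod_ssl queries certificates in its own post_config even on a dry run, so the registry must be synced first (see dry_run check after init_ssl()). */`. If md_reg_sync writes to the on-disk store, it is worth stating in that comment that a config test now touches persistent state. md_post_config starts before the hunk and continues after it.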
@@ -1072,8 +1067,8 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
/* Determine the managed domains that are in auto drive_mode. For those,
* determine in which state they are:
- * - UNKNOWN: should not happen, report, dont drive
- * - ERROR: something we do not know how to fix, report, dont drive
+ * - UNKNOWN: should not happen, report, don't drive
+ * - ERROR: something we do not know how to fix, report, don't drive
* - INCOMPLETE/EXPIRED: need to drive them right away
* - COMPLETE: determine when cert expires, drive when the time comes
*
@@ -1099,6 +1094,10 @@ static apr_status_t md_post_config(apr_pool_t *p, apr_pool_t *plog,
init_ssl();
+ if (dry_run) {
+ goto out;
+ }
+
/* If there are MDs to drive, start a watchdog to check on them regularly */
if (drive_names->nelts > 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, s, APLOGNO(10074)
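Review bot: The new `if (dry_run) { goto out; }` returns whatever `rv` holds after the drive-state loop between this hunk and the previous one, whereas the dry-run exit it replaces (hunk at L120) returned APR_SUCCESS explicitly; if any state check in that loop leaves rv non-success, a plain config test would now fail. Unless `out:` already normalises rv (the label is outside the hunk), make the intent explicit with `if (dry_run) { rv = APR_SUCCESS; goto out; }`. Note also that `init_ssl()` now runs on a dry run as well, which the comment proposed for the earlier hunk should mention.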