svn commit: r451377 - head/www/mod_md-devel/files
Bernard Spil
brnrd at FreeBSD.org
Fri Oct 6 11:16:44 UTC 2017
Author: brnrd
Date: Fri Oct 6 11:16:42 2017
New Revision: 451377
URL: https://svnweb.freebsd.org/changeset/ports/451377
Log:
www/mod_md-devel: Add missing patch for Apache 2.4
Added:
head/www/mod_md-devel/files/
head/www/mod_md-devel/files/extra-patch-mod_ssl (contents, props changed)
Added: head/www/mod_md-devel/files/extra-patch-mod_ssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/mod_md-devel/files/extra-patch-mod_ssl Fri Oct 6 11:16:42 2017 (r451377)
@@ -0,0 +1,284 @@
+https://github.com/icing/mod_md/blob/master/patches/mod_ssl_md-2.4.x-v5.diff
+
+Fix for using a fallback certificate on initial signup of a
+Managed Domain. Requires also a changed mod_ssl patch (v5) to take effect.
+
+Index: modules/ssl/ssl_engine_init.c
+===================================================================
+--- modules/ssl/ssl_engine_init.c (revision 1808124)
++++ modules/ssl/ssl_engine_init.c (working copy)
+@@ -164,6 +164,41 @@
+ modver, AP_SERVER_BASEVERSION, incver);
+ }
+
++/**************************************************************************************************/
++/* Managed Domains Interface (temporary here) */
++
++APR_DECLARE_OPTIONAL_FN(int,
++ md_is_managed, (struct server_rec *));
++
++APR_DECLARE_OPTIONAL_FN(apr_status_t,
++ md_get_credentials, (struct server_rec *, apr_pool_t *,
++ const char **pkeyfile,
++ const char **pcertfile,
++ const char **pchainfile));
++APR_DECLARE_OPTIONAL_FN(apr_status_t,
++ md_get_certificate, (struct server_rec *, apr_pool_t *,
++ const char **pkeyfile,
++ const char **pcertfile));
++APR_DECLARE_OPTIONAL_FN(int,
++ md_is_challenge, (struct conn_rec *, const char *,
++ X509 **, EVP_PKEY **));
++
++static APR_OPTIONAL_FN_TYPE(md_is_managed) *md_is_managed;
++static APR_OPTIONAL_FN_TYPE(md_get_credentials) *md_get_credentials;
++static APR_OPTIONAL_FN_TYPE(md_get_certificate) *md_get_certificate;
++static APR_OPTIONAL_FN_TYPE(md_is_challenge) *md_is_challenge;
++
++int ssl_is_challenge(conn_rec *c, const char *servername,
++ X509 **pcert, EVP_PKEY **pkey)
++{
++ if (md_is_challenge) {
++ return md_is_challenge(c, servername, pcert, pkey);
++ }
++ *pcert = NULL;
++ *pkey = NULL;
++ return 0;
++}
++
+ /*
+ * Per-module initialization
+ */
+@@ -204,6 +239,18 @@
+ ssl_config_global_create(base_server); /* just to avoid problems */
+ ssl_config_global_fix(mc);
+
++ /* Initialize our interface to mod_md, if it is loaded
++ */
++ md_is_managed = APR_RETRIEVE_OPTIONAL_FN(md_is_managed);
++ md_get_credentials = APR_RETRIEVE_OPTIONAL_FN(md_get_credentials);
++ md_get_certificate = APR_RETRIEVE_OPTIONAL_FN(md_get_certificate);
++ md_is_challenge = APR_RETRIEVE_OPTIONAL_FN(md_is_challenge);
++ if (!md_is_managed || (!md_get_credentials && !md_get_certificate)) {
++ md_is_managed = NULL;
++ md_get_credentials = NULL;
++ md_get_certificate = NULL;
++ }
++
+ /*
+ * try to fix the configuration and open the dedicated SSL
+ * logfile as early as possible
+@@ -1606,6 +1653,57 @@
+ return APR_EGENERAL;
+ }
+
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO()
++ "Init: (%s) mod_md support is %s.", ssl_util_vhostid(p, s),
++ md_is_managed? "available" : "unavailable");
++ if (md_is_managed && md_is_managed(s)) {
++ modssl_pk_server_t *const pks = sc->server->pks;
++ if (pks->cert_files->nelts > 0 || pks->key_files->nelts > 0) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO()
++ "Init: (%s) You configured certificate/key files on this host, but "
++ "is is covered by a Managed Domain. You need to remove these directives "
++ "for the Managed Domain to take over.", ssl_util_vhostid(p, s));
++ }
++ else {
++ const char *key_file, *cert_file, *chain_file;
++
++ key_file = cert_file = chain_file = NULL;
++
++ if (md_get_certificate) {
++ /* mod_md >= v0.9.0 */
++ rv = md_get_certificate(s, p, &key_file, &cert_file);
++ }
++ else if (md_get_credentials) {
++ /* mod_md < v0.9.0, remove this after a while */
++ rv = md_get_credentials(s, p, &key_file, &cert_file, &chain_file);
++ }
++ else {
++ rv = APR_ENOTIMPL;
++ }
++
++ if (key_file && cert_file) {
++ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
++ "%s: installing key=%s, cert=%s, chain=%s",
++ ssl_util_vhostid(p, s), key_file, cert_file, chain_file);
++ APR_ARRAY_PUSH(pks->key_files, const char *) = key_file;
++ APR_ARRAY_PUSH(pks->cert_files, const char *) = cert_file;
++ sc->server->cert_chain = chain_file;
++ }
++
++ if (APR_STATUS_IS_EAGAIN(rv)) {
++ /* Managed Domain not ready yet. This is not a reason to fail the config */
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO()
++ "Init: %s will respond with '503 Service Unavailable' for now. This "
++ "host is part of a Managed Domain, but no SSL certificate is "
++ "available (yet).", ssl_util_vhostid(p, s));
++ pks->service_unavailable = 1;
++ }
++ else if (rv != APR_SUCCESS) {
++ return rv;
++ }
++ }
++ }
++
+ if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
+ return rv;
+ }
+Index: modules/ssl/ssl_engine_kernel.c
+===================================================================
+--- modules/ssl/ssl_engine_kernel.c (revision 1808124)
++++ modules/ssl/ssl_engine_kernel.c (working copy)
+@@ -264,6 +264,15 @@
+ return DECLINED;
+ }
+
++ if (sslconn->service_unavailable) {
++ /* This is set when the SSL properties of this connection are
++ * incomplete or if this connection was made to challenge a
++ * particular hostname (ACME). We never serve any request on
++ * such a connection. */
++ /* TODO: a retry-after indicator would be nice here */
++ return HTTP_SERVICE_UNAVAILABLE;
++ }
++
+ if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) {
+ apr_table_setn(r->notes, "error-notes",
+ "Reason: You're speaking plain HTTP to an SSL-enabled "
+@@ -2110,6 +2119,8 @@
+ static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
+ {
+ const char *servername;
++ X509 *cert;
++ EVP_PKEY *key;
+
+ if (c) {
+ SSLConnRec *sslcon = myConnConfig(c);
+@@ -2126,8 +2137,35 @@
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043)
+ "SSL virtual host for servername %s found",
+ servername);
++
+ return APR_SUCCESS;
+ }
++ else if (ssl_is_challenge(c, servername, &cert, &key)) {
++
++ sslcon->service_unavailable = 1;
++ if ((SSL_use_certificate(ssl, cert) < 1)) {
++ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
++ "Failed to configure challenge certificate %s",
++ servername);
++ return APR_EGENERAL;
++ }
++
++ if (!SSL_use_PrivateKey(ssl, key)) {
++ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
++ "error '%s' using Challenge key: %s",
++ ERR_error_string(ERR_peek_last_error(), NULL),
++ servername);
++ return APR_EGENERAL;
++ }
++
++ if (SSL_check_private_key(ssl) < 1) {
++ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
++ "Challenbge certificate and private key %s "
++ "do not match", servername);
++ return APR_EGENERAL;
++ }
++
++ }
+ else {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
+ "No matching SSL virtual host for servername "
+@@ -2233,6 +2271,8 @@
+ */
+ sslcon->server = s;
+ sslcon->cipher_suite = sc->server->auth.cipher_suite;
++ sslcon->service_unavailable = sc->server->pks?
++ sc->server->pks->service_unavailable : 0;
+
+ ap_update_child_status_from_server(c->sbh, SERVER_BUSY_READ, c, s);
+ /*
+Index: modules/ssl/ssl_private.h
+===================================================================
+--- modules/ssl/ssl_private.h (revision 1808124)
++++ modules/ssl/ssl_private.h (working copy)
+@@ -524,6 +524,7 @@
+ server_rec *server;
+
+ const char *cipher_suite; /* cipher suite used in last reneg */
++ int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
+ } SSLConnRec;
+
+ /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
+@@ -600,6 +601,9 @@
+ * sent in the CertificateRequest message: */
+ const char *ca_name_path;
+ const char *ca_name_file;
++
++ /* TLS service for this server is suspended */
++ int service_unavailable;
+ } modssl_pk_server_t;
+
+ typedef struct {
+@@ -1063,6 +1067,9 @@
+ * memory. */
+ DH *modssl_get_dh_params(unsigned keylen);
+
++int ssl_is_challenge(conn_rec *c, const char *servername,
++ X509 **pcert, EVP_PKEY **pkey);
++
+ #endif /* SSL_PRIVATE_H */
+ /** @} */
+
+Index: modules/ssl/ssl_util_ssl.c
+===================================================================
+--- modules/ssl/ssl_util_ssl.c (revision 1808124)
++++ modules/ssl/ssl_util_ssl.c (working copy)
+@@ -115,6 +115,33 @@
+ return rc;
+ }
+
++typedef struct {
++ const char *pass;
++ int pass_len;
++} pass_ctx;
++
++static int provide_pass(char *buf, int size, int rwflag, void *baton)
++{
++ pass_ctx *ctx = baton;
++ if (ctx->pass_len > 0) {
++ if (ctx->pass_len < size) {
++ size = (int)ctx->pass_len;
++ }
++ memcpy(buf, ctx->pass, size);
++ }
++ return ctx->pass_len;
++}
++
++EVP_PKEY *modssl_read_encrypted_pkey(const char *filename, EVP_PKEY **key,
++ const char *pass, apr_size_t pass_len)
++{
++ pass_ctx ctx;
++
++ ctx.pass = pass;
++ ctx.pass_len = pass_len;
++ return modssl_read_privatekey(filename, key, provide_pass, &ctx);
++}
++
+ /* _________________________________________________________________
+ **
+ ** Smart shutdown
+Index: modules/ssl/ssl_util_ssl.h
+===================================================================
+--- modules/ssl/ssl_util_ssl.h (revision 1808124)
++++ modules/ssl/ssl_util_ssl.h (working copy)
+@@ -65,6 +65,7 @@
+ void *modssl_get_app_data2(SSL *);
+ void modssl_set_app_data2(SSL *, void *);
+ EVP_PKEY *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *);
++EVP_PKEY *modssl_read_encrypted_pkey(const char *, EVP_PKEY **, const char *, apr_size_t);
+ int modssl_smart_shutdown(SSL *ssl);
+ BOOL modssl_X509_getBC(X509 *, int *, int *);
+ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
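Review bot: provide_pass() in the ssl_util_ssl.c section of the embedded mod_ssl patch reports a length that can exceed the buffer it filled: when ctx->pass_len is larger than size the copy is clamped to size bytes, yet the function still returns ctx->pass_len. A pem_password_cb is expected to return the number of bytes it actually placed in buf, and OpenSSL's PEM readers pass that count on to the key derivation over their fixed-size passphrase buffer, so an over-length return is at best a decrypt failure from a silently truncated passphrase and at worst an out-of-bounds read of that buffer. Returning the copied length fixes it: add `return size;` directly after the memcpy, leaving the final `return ctx->pass_len;` only for the not-positive case. The `(int)` narrowing of the apr_size_t pass_len in modssl_read_encrypted_pkey() is silent as well; clamping there, or making the pass_ctx field an apr_size_t, would make the contract explicit. Whether mod_md ever supplies a passphrase longer than the PEM buffer cannot be seen from this patch, so treat the change as defensive.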