trunk-md merge pending

Stefan Eissing
FYI: mod_md merge into trunk is incoming, most likely tomorrow.

The merge candidate is in ^/httpd/httpd/branches/trunk-md. Existing code
has only been changed in mod_ssl. A diff is available via:

svn diff ^/httpd/httpd/trunk/modules/ssl ^/httpd/httpd/branches/trunk-md/modules/ssl

Gist of the mod_ssl changes:

1. In post_config:
   mod_ssl can ask mod_md via optional functions if a server_rec is managed.
   If yes:
   - it checks if certificates are already defined for this server.
     If so, it logs and ignores mod_md. (Safe route. Can be discussed if it should
     override instead.)
   - it asks mod_md for the key/cert/chain files
     a) if they are all there, they are added to the server configuration
     b) if all or some are missing, a new "service_unavailable"
        flag is set in the server config. (This is new: a vhost that does not fail
        config, but is unavailable for config reasons.)

2. In the mod_ssl read_request hook:
   mod_ssl checks if the request's server config has "service_unavailable" set.
   If so, the request is answered with a 503. This should prevent any access
   to a server whose certificate is (not yet) available.

3. In the SNI callback:
   If no matching virtual host is found for the client-supplied server name, mod_ssl
   asks mod_md (if available) if this server name is a challenge. When mod_md answers
   positively, it will provide certificate and key.
   mod_ssl sets these in the SSL* of the connection and also sets "service_unavailable"
   for the connection so that change 2.) also gives 503 for all requests to this domain.
   (This is for the "tls-sni-01" authorization method of the ACME protocol.)

Cheers,

Stefan

PS. @Jchampion: I am not sure how to best merge the unit test cases into httpd. They need to be optional,
tied to the availability of mod_md and I do not know how to do that.

PPS. Another nit: mod_md also builds an executable, currently named a2md. I thought about putting
it in support/, but since this depends upon the optional mod_md, it is more natural in
modules/md, I thought.
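As an added example, and not code from httpd or from the trunk-md branch, the following C models the three mod_ssl changes above as plain decision functions so the interplay can be traced: post_config picks the certificate source and sets the flag when mod_md cannot yet deliver all files, the SNI callback falls back to asking mod_md for a challenge identity and marks the connection unavailable, and read_request turns either flag into a 503. Every type, function name, the three vhosts and the challenge name are constructed for illustration; real httpd uses server_rec, SSLSrvConfigRec and optional functions that are not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stand-in for the per-vhost state the post talks about
 * (server_rec plus the mod_ssl server config). Not httpd's real types. */
typedef struct {
    const char *server_name;
    bool has_static_certs;    /* SSLCertificateFile etc. already configured */
    bool md_managed;          /* mod_md reports it manages this server_rec */
    bool md_key, md_cert, md_chain; /* files mod_md can currently hand over */
    bool service_unavailable; /* the new flag set in post_config (change 1) */
    const char *active_cert;  /* "static", "md", or NULL */
} vhost_t;

/* Hypothetical per-connection state (the SSL* plus the connection flag). */
typedef struct {
    const vhost_t *vhost;
    const char *cert_in_use;
    bool service_unavailable; /* set for tls-sni-01 challenge names (change 3) */
} conn_t;

/* Change 1: post_config decides where this vhost's certificate comes from. */
static void post_config(vhost_t *s) {
    s->service_unavailable = false;
    if (!s->md_managed) { s->active_cert = s->has_static_certs ? "static" : NULL; return; }
    /* safe route: explicit configuration wins, mod_md is logged and ignored */
    if (s->has_static_certs) { s->active_cert = "static"; return; }
    if (s->md_key && s->md_cert && s->md_chain) { s->active_cert = "md"; return; }
    s->active_cert = NULL;          /* config does not fail ...            */
    s->service_unavailable = true;  /* ... but the vhost must not serve   */
}

/* Change 3: SNI callback. Returns false when neither a vhost nor a
 * challenge matches, i.e. default handling applies. */
static bool sni_callback(conn_t *c, const char *sni, vhost_t *vhosts, int n,
                         const char *md_challenge_name) {
    c->vhost = NULL; c->cert_in_use = NULL; c->service_unavailable = false;
    for (int i = 0; i < n; i++) {
        if (strcmp(vhosts[i].server_name, sni) == 0) {
            c->vhost = &vhosts[i];
            c->cert_in_use = vhosts[i].active_cert;
            return true;
        }
    }
    if (md_challenge_name && strcmp(md_challenge_name, sni) == 0) {
        c->cert_in_use = "md-challenge";  /* mod_md supplies key and cert */
        c->service_unavailable = true;    /* so change 2 answers 503 here too */
        return true;
    }
    return false;
}

/* Change 2: read_request hook, reduced to the status it would produce. */
static int read_request_status(const conn_t *c) {
    if (c->service_unavailable) return 503;
    if (c->vhost && c->vhost->service_unavailable) return 503;
    return 200;
}

/* Constructed scenario: three vhosts and one pending challenge name.
 * Returns the status a request for `sni` gets, or -1 if nothing matches. */
static int demo(const char *sni, conn_t *c) {
    vhost_t vhosts[] = {
        { "static.example",  true,  true, true, true,  true,  false, NULL },
        { "md.example",      false, true, true, true,  true,  false, NULL },
        { "pending.example", false, true, true, false, false, false, NULL },
    };
    int n = (int)(sizeof vhosts / sizeof vhosts[0]);
    for (int i = 0; i < n; i++) post_config(&vhosts[i]);
    /* constructed challenge name; mod_md would answer "yes" for it */
    if (!sni_callback(c, sni, vhosts, n, "challenge.constructed.invalid")) return -1;
    return read_request_status(c);
}

int demo_status(const char *sni) { conn_t c; return demo(sni, &c); }
const char *demo_cert(const char *sni) { conn_t c; demo(sni, &c); return c.cert_in_use; }

int main(void) {
    const char *names[] = { "static.example", "md.example", "pending.example",
                            "challenge.constructed.invalid", "nobody.example" };
    for (int i = 0; i < 5; i++) {
        const char *cert = demo_cert(names[i]);
        printf("%-30s -> %d (cert: %s)\n", names[i], demo_status(names[i]),
               cert ? cert : "none");
    }
    return 0;
}
```

The point worth checking in the model is the asymmetry the post describes: a vhost with an explicit SSLCertificateFile keeps it even when mod_md claims the domain, while a managed vhost with any of key, cert or chain missing stays configured but answers 503, and a challenge name never reaches a real vhost at all.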

Re: trunk-md merge pending

Jacob Champion
On 08/08/2017 07:19 AM, Stefan Eissing wrote:
> PS. @Jchampion: I am not sure how to best merge the unit test cases
> into httpd. They need to be optional, tied to the availability of
> mod_md and I do not know how to do that.

I need to solve this problem for another module as well (mod_auth_digest
has a regression unit test case), but I haven't decided how to tackle it
yet.

> PPS. Another nit: mod_md also builds an executable, currently named
> a2md. I thought about putting it in support/, but since this depends
> upon the optional mod_md, it is more natural in modules/md, I
> thought.

I don't think having an optional support executable would be a bad
thing. That said, I don't have strong opinions either way.

FYI I'll be somewhat inactive here on dev@ for a couple of weeks as I
adjust to a new job, so don't be afraid to ping me multiple times if you
need me. :D

--Jacob