Commit d55e1d8c authored by Stefan Eissing's avatar Stefan Eissing

On the trunk:

mod_md: v0.8.1 from github, new feats in CHANGES



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1806939 13f79535-47bb-0310-9956-ffa450edef68
parent 64ab9d92
+23 −1
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.5.0

  *) mod_md: v0.7.0:
  *) mod_md: v0.8.1:
     - New directive ```MDPrivateKeys``` to specify the type and parameter to private key generation.
       Currently only 'RSA' is supported as type with an option number of bits >= 2048 as parameter.
       Simple test cases for config handling added.
     - Private RSA keys are now generated with 2048 bits by default. Use ```MDPrivateKeys``` for
       higher security. 
     - IMPORTANT: store format change. The following changes will be made to an existing md store on 
       first start with a new version (be it by mod_md in the server or a run by a new 'a2md'):
         - pkey.pem will be renamed to privkey.pem
         - cert.pem and chain.pem will be concatenated to pubcert.pem. The former files will remain,
           but no longer be used. They will disappear on next renewal.
       ADVICE: If the current store data is vital to you, please make a backup first!
     - Fixed test case clearing of store to keep key alive, enabling true random store key again.
     - Removed pun "Something, like certbot" from the User-Agent request header. Refs issue #34
     - Cleaned up reporting of missing/mismatched MDCertificateAgreement in the logs. This will
       no longer trigger early retries.
     - badNonce encounters are no longer reported as errors. Retries are attempted now silently.
       Refs github issue #35
     - new default MDRenewWindow. Instead of 14 days, the default is now a third before the end of
       the certificates lifetime. For the usual 90 days of Let's Encrypt certificates, this makes
       an effective renewal window of 30 days - as recommended by LE. Refs issue #30
     - Enabled conversion warnings if supported by compiler, eliminated several signed/unsigned
       warnings.
     - LIVE: the real Let's Encrypt CA is now live by default! If you need to experiment, configure
           MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory   
     - When existing, complete certificates are renewed, the activation of the new ones is
+34 −0
@@ -341,6 +341,40 @@ MDPortMap 80:- 443:5002
        </usage>
    </directivesynopsis>

    <directivesynopsis>
        <name>MDPrivateKeys</name>
        <description></description>
        <syntax>MDPrivateKeys type [ params... ]</syntax>
        <default>MDPrivateKeys RSA 2048</default>
        <contextlist>
            <context>server config</context>
        </contextlist>
        <usage>
            <p>
                Defines what kind of private keys are generated for a managed domain and with
                what parameters. The only supported type right now is 'RSA' and the only parameter
                it takes is the number of bits used for the key.
            </p><p>
                The current (2017) recommendation is at least 2048 bits and a smaller number is
                not accepted here. Higher numbers offer longer security, but are computationally more 
                expensive, e.g. increase the load on your server. That might or might not be an
                issue for you.
            </p><p>
                Other key types will be defined in the future.
            </p>
            <example><title>Example</title>
                <highlight language="config">
MDPrivateKeys RSA 3072
                </highlight>
            </example>
            <p>
                Please note that this setting only has an effect on new keys. Any existing
                private key you have remains unaffected. Also, this only affects private keys
                generated for certificates. ACME account keys are unaffected by this.
            </p>
        </usage>
    </directivesynopsis>

    <directivesynopsis>
        <name>MDRenewWindow</name>
        <description></description>
+12 −3
@@ -25,8 +25,10 @@ struct md_cert_t;
struct md_pkey_t;
struct md_store_t;
struct md_srv_conf_t;
struct md_pkey_spec_t;

#define MD_TLSSNI01_DNS_SUFFIX     ".acme.invalid"
#define MD_PKEY_RSA_BITS_DEF       2048U

typedef enum {
    MD_S_UNKNOWN,                   /* MD has not been analysed yet */
@@ -34,6 +36,7 @@ typedef enum {
    MD_S_COMPLETE,                  /* MD has all necessary information, can go live */
    MD_S_EXPIRED,                   /* MD is complete, but credentials have expired */
    MD_S_ERROR,                     /* MD data is flawed, unable to be processed as is */ 
    MD_S_MISSING,                   /* MD is missing config information, cannot proceed */
} md_state_t;

typedef enum {
@@ -70,7 +73,9 @@ struct md_t {

    int transitive;                 /* != 0 iff VirtualHost names/aliases are auto-added */
    int drive_mode;                 /* mode of obtaining credentials */
    struct md_pkey_spec_t *pkey_spec;/* specification for generating new private keys */
    int must_staple;                /* certificates should set the OCSP Must Staple extension */
    apr_interval_time_t renew_norm; /* if > 0, normalized cert lifetime */
    apr_interval_time_t renew_window;/* time before expiration that starts renewal */
    
    const char *ca_url;             /* url of CA certificate service */
@@ -91,6 +96,7 @@ struct md_t {

#define MD_KEY_ACCOUNT          "account"
#define MD_KEY_AGREEMENT        "agreement"
#define MD_KEY_BITS             "bits"
#define MD_KEY_CA               "ca"
#define MD_KEY_CA_URL           "ca-url"
#define MD_KEY_CERT             "cert"
@@ -112,8 +118,10 @@ struct md_t {
#define MD_KEY_KEYAUTHZ         "keyAuthorization"
#define MD_KEY_LOCATION         "location"
#define MD_KEY_NAME             "name"
#define MD_KEY_PKEY             "privkey"
#define MD_KEY_PROTO            "proto"
#define MD_KEY_REGISTRATION     "registration"
#define MD_KEY_RENEW_NORM       "renew-norm"
#define MD_KEY_RENEW_WINDOW     "renew-window"
#define MD_KEY_RESOURCE         "resource"
#define MD_KEY_STATE            "state"
@@ -129,7 +137,8 @@ struct md_t {
#define MD_KEY_VERSION          "version"

#define MD_FN_MD                "md.json"
#define MD_FN_PKEY              "pkey.pem"
#define MD_FN_PRIVKEY           "privkey.pem"
#define MD_FN_PUBCERT           "pubcert.pem"
#define MD_FN_CERT              "cert.pem"
#define MD_FN_CHAIN             "chain.pem"
#define MD_FN_HTTPD_JSON        "httpd.json"
@@ -230,9 +239,9 @@ md_t *md_from_json(struct md_json_t *json, apr_pool_t *p);

typedef struct md_creds_t md_creds_t;
struct md_creds_t {
    struct md_pkey_t *privkey;
    struct apr_array_header_t *pubcert;    /* complete md_cert* chain */
    struct md_cert_t *cert;
    struct md_pkey_t *pkey;
    struct apr_array_header_t *chain;      /* list of md_cert* */
    int expired;
};

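Review bot: `MD_PKEY_RSA_BITS_DEF` at the top of this section is added without a comment, although CHANGES describes 2048 as both the default and the smallest value MDPrivateKeys accepts; if the config parser checks that floor with its own literal, the two can drift apart unnoticed. Suggest `#define MD_PKEY_RSA_BITS_DEF       2048U   /* default RSA key size; also the floor MDPrivateKeys enforces */` and, should the floor be a separate literal in the config code, a sibling `MD_PKEY_RSA_BITS_MIN` beside it. As a point of style, the new `pkey_spec` member of struct md_t runs its comment straight into the semicolon instead of using the aligned comment column its neighbours share. In md_creds_t, `pubcert` is documented as the complete chain, but neither it nor the new `privkey` says whether the leaf comes first or who owns the array; if the store code fixes that, a one-line note here would save readers a lookup.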
+10 −5
@@ -111,9 +111,8 @@ apr_status_t md_acme_create(md_acme_t **pacme, apr_pool_t *p, const char *url)
    acme = apr_pcalloc(p, sizeof(*acme));
    acme->url = url;
    acme->p = p;
    acme->user_agent = apr_psprintf(p, "%s mod_md/%s (Something, like certbot)", 
    acme->user_agent = apr_psprintf(p, "%s mod_md/%s", 
                                    base_product, MOD_MD_VERSION);
    acme->pkey_bits = 4096;
    acme->max_retries = 3;
    
    if (APR_SUCCESS != (rv = apr_uri_parse(p, url, &uri_parsed))) {
@@ -261,8 +260,14 @@ static apr_status_t inspect_problem(md_acme_req_t *req, const md_http_response_t
            pdetail = md_json_gets(problem, "detail", NULL);
            req->rv = problem_status_get(ptype);
            
            if (APR_STATUS_IS_EAGAIN(req->rv)) {
                md_log_perror(MD_LOG_MARK, MD_LOG_DEBUG, req->rv, req->p,
                              "acme reports %s: %s", ptype, pdetail);
            }
            else {
                md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, req->rv, req->p,
                              "acme problem %s: %s", ptype, pdetail);
            }
            return req->rv;
        }
    }
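Review bot: The new EAGAIN branch in inspect_problem downgrades a problem report to DEBUG without saying why; the only explanation is the CHANGES entry that badNonce responses are now retried silently, which a reader of this file will not see. Suggest a comment above the debug call, `/* retryable problem (e.g. badNonce): caller re-issues the request, so no warning */`. Both `ptype` and `pdetail` come from the CA's problem document and are passed to `%s`; `md_json_gets(problem, "detail", NULL)` looks like it returns its NULL default when the member is missing, so confirm that md_log_perror's formatter tolerates a NULL string or substitute an empty string before logging. inspect_problem begins before the hunk, so where `ptype` is validated is not visible here.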
+5 −2
@@ -62,7 +62,6 @@ struct md_acme_t {
    
    const char *nonce;
    int max_retries;
    unsigned int pkey_bits;
};

/**
@@ -126,8 +125,12 @@ apr_status_t md_acme_agree(md_acme_t *acme, apr_pool_t *p, const char *tos);
 * accounces the Tos URL it wants. If this is equal to the agreement specified,
 * the server is notified of this. If the server requires a ToS that the account
 * thinks it has already given, it is resend.
 *
 * If an agreement is required, different from the current one, APR_INCOMPLETE is
 * returned and the agreement url is returned in the parameter.
 */
apr_status_t md_acme_check_agreement(md_acme_t *acme, apr_pool_t *p, const char *agreement);
apr_status_t md_acme_check_agreement(md_acme_t *acme, apr_pool_t *p, 
                                     const char *agreement, const char **prequired);

/**
 * Get the ToS agreement for current account.
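Review bot: The new `prequired` out-parameter of md_acme_check_agreement is not described by the comment directly above it: the added text says the agreement url "is returned in the parameter" without naming it, and does not say what `*prequired` holds on APR_SUCCESS or whether a caller may pass NULL. Suggest closing the comment with `* @param prequired set to the required ToS URL when APR_INCOMPLETE is returned`, and stating whether it is left untouched on other return codes and whether NULL is accepted once md_acme.c confirms it. The same comment block also carries the typos "accounces" and "resend" (for announces, resent). The removal of `pkey_bits` from struct md_acme_t looks like the counterpart of the new `pkey_spec` member on md_t elsewhere in this commit.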