Index: head/www/mod_md-devel/files/extra-patch-mod_ssl =================================================================== --- head/www/mod_md-devel/files/extra-patch-mod_ssl (revision 450728) +++ head/www/mod_md-devel/files/extra-patch-mod_ssl (nonexistent) @@ -1,279 +0,0 @@ -Index: modules/ssl/ssl_engine_init.c -=================================================================== ---- modules/ssl/ssl_engine_init.c (revision 1808124) -+++ modules/ssl/ssl_engine_init.c (working copy) -@@ -164,6 +164,41 @@ - modver, AP_SERVER_BASEVERSION, incver); - } - -+/**************************************************************************************************/ -+/* Managed Domains Interface (temporary here) */ -+ -+APR_DECLARE_OPTIONAL_FN(int, -+ md_is_managed, (struct server_rec *)); -+ -+APR_DECLARE_OPTIONAL_FN(apr_status_t, -+ md_get_credentials, (struct server_rec *, apr_pool_t *, -+ const char **pkeyfile, -+ const char **pcertfile, -+ const char **pchainfile)); -+APR_DECLARE_OPTIONAL_FN(apr_status_t, -+ md_get_certificate, (struct server_rec *, apr_pool_t *, -+ const char **pkeyfile, -+ const char **pcertfile)); -+APR_DECLARE_OPTIONAL_FN(int, -+ md_is_challenge, (struct conn_rec *, const char *, -+ X509 **, EVP_PKEY **)); -+ -+static APR_OPTIONAL_FN_TYPE(md_is_managed) *md_is_managed; -+static APR_OPTIONAL_FN_TYPE(md_get_credentials) *md_get_credentials; -+static APR_OPTIONAL_FN_TYPE(md_get_certificate) *md_get_certificate; -+static APR_OPTIONAL_FN_TYPE(md_is_challenge) *md_is_challenge; -+ -+int ssl_is_challenge(conn_rec *c, const char *servername, -+ X509 **pcert, EVP_PKEY **pkey) -+{ -+ if (md_is_challenge) { -+ return md_is_challenge(c, servername, pcert, pkey); -+ } -+ *pcert = NULL; -+ *pkey = NULL; -+ return 0; -+} -+ - /* - * Per-module initialization - */ -@@ -204,6 +239,18 @@ - ssl_config_global_create(base_server); /* just to avoid problems */ - ssl_config_global_fix(mc); - -+ /* Initialize our interface to mod_md, if it is loaded -+ */ -+ md_is_managed = APR_RETRIEVE_OPTIONAL_FN(md_is_managed); -+ md_get_credentials = APR_RETRIEVE_OPTIONAL_FN(md_get_credentials); -+ md_get_certificate = APR_RETRIEVE_OPTIONAL_FN(md_get_certificate); -+ md_is_challenge = APR_RETRIEVE_OPTIONAL_FN(md_is_challenge); -+ if (!md_is_managed || (!md_get_credentials && !md_get_certificate)) { -+ md_is_managed = NULL; -+ md_get_credentials = NULL; -+ md_get_certificate = NULL; -+ } -+ - /* - * try to fix the configuration and open the dedicated SSL - * logfile as early as possible -@@ -1606,6 +1653,57 @@ - return APR_EGENERAL; - } - -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() -+ "Init: (%s) mod_md support is %s.", ssl_util_vhostid(p, s), -+ md_is_managed? "available" : "unavailable"); -+ if (md_is_managed && md_is_managed(s)) { -+ modssl_pk_server_t *const pks = sc->server->pks; -+ if (pks->cert_files->nelts > 0 || pks->key_files->nelts > 0) { -+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO() -+ "Init: (%s) You configured certificate/key files on this host, but " -+ "is is covered by a Managed Domain. You need to remove these directives " -+ "for the Managed Domain to take over.", ssl_util_vhostid(p, s)); -+ } -+ else { -+ const char *key_file, *cert_file, *chain_file; -+ -+ key_file = cert_file = chain_file = NULL; -+ -+ if (md_get_certificate) { -+ /* mod_md >= v0.9.0 */ -+ rv = md_get_certificate(s, p, &key_file, &cert_file); -+ } -+ else if (md_get_credentials) { -+ /* mod_md < v0.9.0, remove this after a while */ -+ rv = md_get_credentials(s, p, &key_file, &cert_file, &chain_file); -+ } -+ else { -+ rv = APR_ENOTIMPL; -+ } -+ -+ if (key_file && cert_file) { -+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, -+ "%s: installing key=%s, cert=%s, chain=%s", -+ ssl_util_vhostid(p, s), key_file, cert_file, chain_file); -+ APR_ARRAY_PUSH(pks->key_files, const char *) = key_file; -+ APR_ARRAY_PUSH(pks->cert_files, const char *) = cert_file; -+ sc->server->cert_chain = chain_file; -+ } -+ -+ if (APR_STATUS_IS_EAGAIN(rv)) { -+ /* Managed Domain not ready yet. This is not a reason to fail the config */ -+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO() -+ "Init: %s will respond with '503 Service Unavailable' for now. This " -+ "host is part of a Managed Domain, but no SSL certificate is " -+ "available (yet).", ssl_util_vhostid(p, s)); -+ pks->service_unavailable = 1; -+ } -+ else if (rv != APR_SUCCESS) { -+ return rv; -+ } -+ } -+ } -+ - if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) { - return rv; - } -Index: modules/ssl/ssl_engine_kernel.c -=================================================================== ---- modules/ssl/ssl_engine_kernel.c (revision 1808124) -+++ modules/ssl/ssl_engine_kernel.c (working copy) -@@ -264,6 +264,15 @@ - return DECLINED; - } - -+ if (sslconn->service_unavailable) { -+ /* This is set when the SSL properties of this connection are -+ * incomplete or if this connection was made to challenge a -+ * particular hostname (ACME). We never serve any request on -+ * such a connection. */ -+ /* TODO: a retry-after indicator would be nice here */ -+ return HTTP_SERVICE_UNAVAILABLE; -+ } -+ - if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) { - apr_table_setn(r->notes, "error-notes", - "Reason: You're speaking plain HTTP to an SSL-enabled " -@@ -2110,6 +2119,8 @@ - static apr_status_t init_vhost(conn_rec *c, SSL *ssl) - { - const char *servername; -+ X509 *cert; -+ EVP_PKEY *key; - - if (c) { - SSLConnRec *sslcon = myConnConfig(c); -@@ -2126,8 +2137,35 @@ - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043) - "SSL virtual host for servername %s found", - servername); -+ - return APR_SUCCESS; - } -+ else if (ssl_is_challenge(c, servername, &cert, &key)) { -+ -+ sslcon->service_unavailable = 1; -+ if ((SSL_use_certificate(ssl, cert) < 1)) { -+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO() -+ "Failed to configure challenge certificate %s", -+ servername); -+ return APR_EGENERAL; -+ } -+ -+ if (!SSL_use_PrivateKey(ssl, key)) { -+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO() -+ "error '%s' using Challenge key: %s", -+ ERR_error_string(ERR_peek_last_error(), NULL), -+ servername); -+ return APR_EGENERAL; -+ } -+ -+ if (SSL_check_private_key(ssl) < 1) { -+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO() -+ "Challenbge certificate and private key %s " -+ "do not match", servername); -+ return APR_EGENERAL; -+ } -+ -+ } - else { - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044) - "No matching SSL virtual host for servername " -@@ -2233,6 +2271,8 @@ - */ - sslcon->server = s; - sslcon->cipher_suite = sc->server->auth.cipher_suite; -+ sslcon->service_unavailable = sc->server->pks? -+ sc->server->pks->service_unavailable : 0; - - ap_update_child_status_from_server(c->sbh, SERVER_BUSY_READ, c, s); - /* -Index: modules/ssl/ssl_private.h -=================================================================== ---- modules/ssl/ssl_private.h (revision 1808124) -+++ modules/ssl/ssl_private.h (working copy) -@@ -524,6 +524,7 @@ - server_rec *server; - - const char *cipher_suite; /* cipher suite used in last reneg */ -+ int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */ - } SSLConnRec; - - /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is -@@ -600,6 +601,9 @@ - * sent in the CertificateRequest message: */ - const char *ca_name_path; - const char *ca_name_file; -+ -+ /* TLS service for this server is suspended */ -+ int service_unavailable; - } modssl_pk_server_t; - - typedef struct { -@@ -1063,6 +1067,9 @@ - * memory. */ - DH *modssl_get_dh_params(unsigned keylen); - -+int ssl_is_challenge(conn_rec *c, const char *servername, -+ X509 **pcert, EVP_PKEY **pkey); -+ - #endif /* SSL_PRIVATE_H */ - /** @} */ - -Index: modules/ssl/ssl_util_ssl.c -=================================================================== ---- modules/ssl/ssl_util_ssl.c (revision 1808124) -+++ modules/ssl/ssl_util_ssl.c (working copy) -@@ -115,6 +115,33 @@ - return rc; - } - -+typedef struct { -+ const char *pass; -+ int pass_len; -+} pass_ctx; -+ -+static int provide_pass(char *buf, int size, int rwflag, void *baton) -+{ -+ pass_ctx *ctx = baton; -+ if (ctx->pass_len > 0) { -+ if (ctx->pass_len < size) { -+ size = (int)ctx->pass_len; -+ } -+ memcpy(buf, ctx->pass, size); -+ } -+ return ctx->pass_len; -+} -+ -+EVP_PKEY *modssl_read_encrypted_pkey(const char *filename, EVP_PKEY **key, -+ const char *pass, apr_size_t pass_len) -+{ -+ pass_ctx ctx; -+ -+ ctx.pass = pass; -+ ctx.pass_len = pass_len; -+ return modssl_read_privatekey(filename, key, provide_pass, &ctx); -+} -+ - /* _________________________________________________________________ - ** - ** Smart shutdown -Index: modules/ssl/ssl_util_ssl.h -=================================================================== ---- modules/ssl/ssl_util_ssl.h (revision 1808124) -+++ modules/ssl/ssl_util_ssl.h (working copy) -@@ -65,6 +65,7 @@ - void *modssl_get_app_data2(SSL *); - void modssl_set_app_data2(SSL *, void *); - EVP_PKEY *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *); -+EVP_PKEY *modssl_read_encrypted_pkey(const char *, EVP_PKEY **, const char *, apr_size_t); - int modssl_smart_shutdown(SSL *ssl); - BOOL modssl_X509_getBC(X509 *, int *, int *); - char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne); Property changes on: head/www/mod_md-devel/files/extra-patch-mod_ssl ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/www/mod_md-devel/Makefile =================================================================== --- head/www/mod_md-devel/Makefile (revision 450728) +++ head/www/mod_md-devel/Makefile (revision 450729) @@ -1,53 +1,53 @@ # Created by: Bernard Spil # $FreeBSD$ PORTNAME= mod_md-devel -PORTVERSION= 0.9.6 +PORTVERSION= 0.9.7 DISTVERSIONPREFIX= v CATEGORIES= www MAINTAINER= brnrd@FreeBSD.org COMMENT= Early experience LetsEncrypt module for Apache httpd LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE LIB_DEPENDS= libcurl.so:ftp/curl \ libjansson.so:devel/jansson USES= autoreconf libtool ssl USE_GITHUB= yes USE_APACHE= 24+ GH_ACCOUNT= icing GH_PROJECT= mod_md GNU_CONFIGURE= yes CONFIGURE_ARGS= --program-prefix=ext- \ --with-openssl=${OPENSSLBASE} CONFIGURE_ENV= CONFIG_SHELL=/bin/sh MODULENAME= ${GH_PROJECT} CFLAGS+= -I${LOCALBASE}/include CPPFLAGS+= -I${LOCALBASE}/include DOCSDIR= share/doc/mod_md PORTDOCS= README README.md PLIST_FILES= ${APACHEMODDIR}/mod_md.so.0.0.0 \ ${APACHEMODDIR}/mod_md.so \ bin/a2md .include .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1100085 && ${SSL_DEFAULT} == base IGNORE= port requires OpenSSL 1.0.2 or later, set DEFAULT_VERSIONS+= ssl=openssl .endif post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}/${MODULENAME}.so ${INSTALL} ${WRKSRC}/src/a2md ${STAGEDIR}${PREFIX}/bin/a2md ${RM} ${STAGEDIR}${PREFIX}/share/doc/mod_md/LICENSE ${RM} ${STAGEDIR}${PREFIX}/bin/ext-a2md .include Index: head/www/mod_md-devel/distinfo =================================================================== --- head/www/mod_md-devel/distinfo (revision 450728) +++ head/www/mod_md-devel/distinfo (revision 450729) @@ -1,3 +1,3 @@ -TIMESTAMP = 1505471480 -SHA256 (icing-mod_md-v0.9.6_GH0.tar.gz) = d71ba8c0bdcf7698d547bf4c15209c19df38d066adf4ce8b41fd78ea3f941a7c -SIZE (icing-mod_md-v0.9.6_GH0.tar.gz) = 189299 +TIMESTAMP = 1506505096 +SHA256 (icing-mod_md-v0.9.7_GH0.tar.gz) = b0e5e30deeb014314f6a0207ad055b49aacf171912eabc161f39530e43e212a0 +SIZE (icing-mod_md-v0.9.7_GH0.tar.gz) = 191080