
Commits : Listings

Analyzed about 1 year ago, based on code collected about 1 year ago.
Jul 13, 2020 — Jul 13, 2021
Commit Message Contributor Files Modified Lines Added Lines Removed Code Location Date
Fixing trace logging printf to have the correct args now that we number certs. More... over 1 year ago
mod_md: - MDCertificateFile and MDCertificateKeyFile can now be specified several times to add multiple, static certificates to a MDomain. More... over 1 year ago
fr doc rebuild. More... over 1 year ago
fr doc XML file updates. More... over 1 year ago
mod_ssl: Add base64-encoded DER certificate variables as alternative to PEM, to avoid newline mangling issues when using PEM in header values. More... over 1 year ago
* modules/generators/mod_cgid.c (cgid_server): Register cleanup for socket earlier to avoid possible leaks on error paths. (highlighted by Coverity scan) More... over 1 year ago
* modules/proxy/proxy_util.c (ap_proxy_define_balancer): Fix leak in error path in the do_malloc case, caught by covscan. More... over 1 year ago
Axe modules.apache.org. More... over 1 year ago
* build/config_vars.sh.in: Improve comment language, no functional change. [skip ci] More... over 1 year ago
Fix the fixed timeout, thanks Rüdiger. And set the current_thread of the connection. More... over 1 year ago
Add CPING to health check logic. More... over 1 year ago
Using the new ap_ssl_conn_is_ssl() and ap_ssl_var_lookup() in all internal modules. More... over 1 year ago
let's try ASN1_STRING_data() for openssl 1.0.2 More... over 1 year ago
Use an optional function as advised by Rüdiger. More... over 1 year ago
refrain from handling ip address alt names in pre 1.1 openssl More... over 1 year ago
Use ASN1_STRING_data() if openssl version < 1.1. More... over 1 year ago
log tags, my nemesis More... over 1 year ago
*) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus optional key lengths, elliptic curves can be configured. This means you can have multiple certificates for a Managed Domain with different key types. With `MDPrivateKeys secp384r1 rsa2048` you get one ECDSA and one RSA certificate and all modern clients will use the shorter ECDSA, while older clients will get the RSA certificate. Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring `MDomain *.host.net` will match all virtual hosts matching that pattern and obtain one certificate for it (assuming you have 'dns-01' challenge support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to be Let's Encrypt which has disabled that version more than a year ago for new accounts.
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the `renewing` call to `MDMessageCmd` that can deny a certificate renewal attempt. This is useful in clustered installations, as discussed in #233.
- New event `challenge-setup:<type>:<domain>`, triggered when the challenge data for a domain has been created. This is invoked before the ACME server is told to check for it. The type is one of the ACME challenge types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem with the configured data now immediately switch to daily retries. For example: if the ACME server rejects a contact email or a domain name, frequent retries will most likely not solve the problem. But daily retries still make sense as there might be an error at the server and un-supervised certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227. When the first DNS name of an MD is longer than 63 octets, the certificate request will not contain a CN field, but leave it up to the CA to choose one. Currently, Let's Encrypt looks for a shorter name in the SAN list given and fails the request if none is found. But it is really up to the CA (and what browsers/libs accept here) and may change over the years. That is why the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let retries from several servers spread out more, should they have been restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server was not handled correctly. The test server 'pebble' simulates this behaviour by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users that new certificates were deemed not usable before a day of delay. When clocks are correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires the server to return a "Location" header, as was necessary in ACMEv1. Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
- ACME problem reports from CAs that include parameters in the Content-Type header are handled correctly. (Previously, the problem text would not be reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method. Previously, an empty JSON object was sent - which apparently LE accepted, but others reject.
More... over 1 year ago
typo in old CHANGES entry More... over 1 year ago
fr doc rebuild. More... over 1 year ago
fr doc XML file update. More... over 1 year ago
Follow-up to r1887244. More... over 1 year ago
Fix a potential duplicated ID generation issue under heavy load. This is due to a non thread safe use of a counter. More... over 1 year ago
* modules/proxy/mod_proxy_balancer.c (balancer_display_page): Include nonce in XML output. More... over 1 year ago
Add balancer_manage() to allow external module to fill workers for balancers. More... over 1 year ago
And the necessary log tags added just shortly afterwards. More... over 1 year ago
Changed ap_ssl_answer_challenge() and its hook to provide PEM data for certificate and key instead of file names. More... over 1 year ago
Synch from mod_md github: More... over 1 year ago
Update to travis-ci.com URLs from .org. [skip ci] More... over 1 year ago
Simplify balancer-manager XSS protection, no functional change: More... over 1 year ago