From owner-svn-ports-all@freebsd.org Sun Sep 10 11:49:51 2017 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 298A5E0C362; Sun, 10 Sep 2017 11:49:51 +0000 (UTC) (envelope-from brnrd@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 004876FF5A; Sun, 10 Sep 2017 11:49:50 +0000 (UTC) (envelope-from brnrd@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v8ABnoxd079787; Sun, 10 Sep 2017 11:49:50 GMT (envelope-from brnrd@FreeBSD.org) Received: (from brnrd@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v8ABnoFa079785; Sun, 10 Sep 2017 11:49:50 GMT (envelope-from brnrd@FreeBSD.org) Message-Id: <201709101149.v8ABnoFa079785@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brnrd set sender to brnrd@FreeBSD.org using -f From: Bernard Spil Date: Sun, 10 Sep 2017 11:49:50 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r449538 - in head/www/mod_md-devel: . files X-SVN-Group: ports-head X-SVN-Commit-Author: brnrd X-SVN-Commit-Paths: in head/www/mod_md-devel: . files X-SVN-Commit-Revision: 449538 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Sep 2017 11:49:51 -0000 Author: brnrd Date: Sun Sep 10 11:49:49 2017 New Revision: 449538 URL: https://svnweb.freebsd.org/changeset/ports/449538 Log: www/mod_md-devel: Add relevant Apache 2.4 patch - And tell users how to automate the patch Added: head/www/mod_md-devel/files/extra-patch-mod_ssl (contents, props changed) Modified: head/www/mod_md-devel/pkg-message Added: head/www/mod_md-devel/files/extra-patch-mod_ssl ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/mod_md-devel/files/extra-patch-mod_ssl Sun Sep 10 11:49:49 2017 (r449538) @@ -0,0 +1,280 @@ +Index: modules/ssl/ssl_engine_init.c +24c84dc from https://github.com/icing/mod_md/blob/master/patches/mod_ssl_md-2.4.x-v4.diff +=================================================================== +--- modules/ssl/ssl_engine_init.c (revision 1807228) ++++ modules/ssl/ssl_engine_init.c (working copy) +@@ -164,6 +164,41 @@ + modver, AP_SERVER_BASEVERSION, incver); + } + ++/**************************************************************************************************/ ++/* Managed Domains Interface (temporary here) */ ++ ++APR_DECLARE_OPTIONAL_FN(int, ++ md_is_managed, (struct server_rec *)); ++ ++APR_DECLARE_OPTIONAL_FN(apr_status_t, ++ md_get_credentials, (struct server_rec *, apr_pool_t *, ++ const char **pkeyfile, ++ const char **pcertfile, ++ const char **pchainfile)); ++APR_DECLARE_OPTIONAL_FN(apr_status_t, ++ md_get_certificate, (struct server_rec *, apr_pool_t *, ++ const char **pkeyfile, ++ const char **pcertfile)); ++APR_DECLARE_OPTIONAL_FN(int, ++ md_is_challenge, (struct conn_rec *, const char *, ++ X509 **, EVP_PKEY **)); ++ ++static APR_OPTIONAL_FN_TYPE(md_is_managed) *md_is_managed; ++static APR_OPTIONAL_FN_TYPE(md_get_credentials) *md_get_credentials; ++static APR_OPTIONAL_FN_TYPE(md_get_certificate) *md_get_certificate; ++static APR_OPTIONAL_FN_TYPE(md_is_challenge) *md_is_challenge; ++ ++int ssl_is_challenge(conn_rec *c, const char *servername, ++ X509 **pcert, EVP_PKEY **pkey) ++{ ++ if (md_is_challenge) { ++ return md_is_challenge(c, servername, pcert, pkey); ++ } ++ *pcert = NULL; ++ *pkey = NULL; ++ return 0; ++} ++ + /* + * Per-module initialization + */ +@@ -204,6 +224,18 @@ + ssl_config_global_create(base_server); /* just to avoid problems */ + ssl_config_global_fix(mc); + ++ /* Initialize our interface to mod_md, if it is loaded ++ */ ++ md_is_managed = APR_RETRIEVE_OPTIONAL_FN(md_is_managed); ++ md_get_credentials = APR_RETRIEVE_OPTIONAL_FN(md_get_credentials); ++ md_get_certificate = APR_RETRIEVE_OPTIONAL_FN(md_get_certificate); ++ md_is_challenge = APR_RETRIEVE_OPTIONAL_FN(md_is_challenge); ++ if (!md_is_managed || (!md_get_credentials && !md_get_certificate)) { ++ md_is_managed = NULL; ++ md_get_credentials = NULL; ++ md_get_certificate = NULL; ++ } ++ + /* + * try to fix the configuration and open the dedicated SSL + * logfile as early as possible +@@ -1606,6 +1638,57 @@ + return APR_EGENERAL; + } + ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO() ++ "Init: (%s) mod_md support is %s.", ssl_util_vhostid(p, s), ++ md_is_managed? "available" : "unavailable"); ++ if (md_is_managed && md_is_managed(s)) { ++ modssl_pk_server_t *const pks = sc->server->pks; ++ if (pks->cert_files->nelts > 0 || pks->key_files->nelts > 0) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO() ++ "Init: (%s) You configured certificate/key files on this host, but " ++ "is is covered by a Managed Domain. You need to remove these directives " ++ "for the Managed Domain to take over.", ssl_util_vhostid(p, s)); ++ } ++ else { ++ const char *key_file, *cert_file, *chain_file; ++ ++ key_file = cert_file = chain_file = NULL; ++ ++ if (md_get_certificate) { ++ /* mod_md >= v0.9.0 */ ++ rv = md_get_certificate(s, p, &key_file, &cert_file); ++ } ++ else if (md_get_credentials) { ++ /* mod_md < v0.9.0, remove this after a while */ ++ rv = md_get_credentials(s, p, &key_file, &cert_file, &chain_file); ++ } ++ else { ++ rv = APR_ENOTIMPL; ++ } ++ ++ if (key_file && cert_file) { ++ APR_ARRAY_PUSH(pks->key_files, const char *) = key_file; ++ APR_ARRAY_PUSH(pks->cert_files, const char *) = cert_file; ++ if (chain_file) { ++ sc->server->cert_chain = chain_file; ++ } ++ } ++ ++ if (APR_STATUS_IS_EAGAIN(rv)) { ++ /* Managed Domain not ready yet. This is not a reason to fail the config */ ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO() ++ "Init: %s will respond with '503 Service Unavailable' for now. This " ++ "host is part of a Managed Domain, but no SSL certificate is " ++ "available (yet).", ssl_util_vhostid(p, s)); ++ pks->service_unavailable = 1; ++ return APR_SUCCESS; ++ } ++ else if (rv != APR_SUCCESS) { ++ return rv; ++ } ++ } ++ } ++ + if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) { + return rv; + } +Index: modules/ssl/ssl_engine_kernel.c +=================================================================== +--- modules/ssl/ssl_engine_kernel.c (revision 1807581) ++++ modules/ssl/ssl_engine_kernel.c (working copy) +@@ -264,6 +264,15 @@ + return DECLINED; + } + ++ if (sslconn->service_unavailable) { ++ /* This is set when the SSL properties of this connection are ++ * incomplete or if this connection was made to challenge a ++ * particular hostname (ACME). We never serve any request on ++ * such a connection. */ ++ /* TODO: a retry-after indicator would be nice here */ ++ return HTTP_SERVICE_UNAVAILABLE; ++ } ++ + if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) { + apr_table_setn(r->notes, "error-notes", + "Reason: You're speaking plain HTTP to an SSL-enabled " +@@ -2110,6 +2119,8 @@ + static apr_status_t init_vhost(conn_rec *c, SSL *ssl) + { + const char *servername; ++ X509 *cert; ++ EVP_PKEY *key; + + if (c) { + SSLConnRec *sslcon = myConnConfig(c); +@@ -2126,8 +2137,35 @@ + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043) + "SSL virtual host for servername %s found", + servername); ++ + return APR_SUCCESS; + } ++ else if (ssl_is_challenge(c, servername, &cert, &key)) { ++ ++ sslcon->service_unavailable = 1; ++ if ((SSL_use_certificate(ssl, cert) < 1)) { ++ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO() ++ "Failed to configure challenge certificate %s", ++ servername); ++ return APR_EGENERAL; ++ } ++ ++ if (!SSL_use_PrivateKey(ssl, key)) { ++ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO() ++ "error '%s' using Challenge key: %s", ++ ERR_error_string(ERR_peek_last_error(), NULL), ++ servername); ++ return APR_EGENERAL; ++ } ++ ++ if (SSL_check_private_key(ssl) < 1) { ++ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO() ++ "Challenbge certificate and private key %s " ++ "do not match", servername); ++ return APR_EGENERAL; ++ } ++ ++ } + else { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044) + "No matching SSL virtual host for servername " +@@ -2233,6 +2271,8 @@ + */ + sslcon->server = s; + sslcon->cipher_suite = sc->server->auth.cipher_suite; ++ sslcon->service_unavailable = sc->server->pks? ++ sc->server->pks->service_unavailable : 0; + + ap_update_child_status_from_server(c->sbh, SERVER_BUSY_READ, c, s); + /* +Index: modules/ssl/ssl_private.h +=================================================================== +--- modules/ssl/ssl_private.h (revision 1807581) ++++ modules/ssl/ssl_private.h (working copy) +@@ -505,6 +505,7 @@ + server_rec *server; + + const char *cipher_suite; /* cipher suite used in last reneg */ ++ int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */ + } SSLConnRec; + + /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is +@@ -581,6 +582,9 @@ + * sent in the CertificateRequest message: */ + const char *ca_name_path; + const char *ca_name_file; ++ ++ /* TLS service for this server is suspended */ ++ int service_unavailable; + } modssl_pk_server_t; + + typedef struct { +@@ -1046,6 +1050,9 @@ + * memory. */ + DH *modssl_get_dh_params(unsigned keylen); + ++int ssl_is_challenge(conn_rec *c, const char *servername, ++ X509 **pcert, EVP_PKEY **pkey); ++ + #endif /* SSL_PRIVATE_H */ + /** @} */ + +Index: modules/ssl/ssl_util_ssl.c +=================================================================== +--- modules/ssl/ssl_util_ssl.c (revision 1807581) ++++ modules/ssl/ssl_util_ssl.c (working copy) +@@ -115,6 +115,33 @@ + return rc; + } + ++typedef struct { ++ const char *pass; ++ int pass_len; ++} pass_ctx; ++ ++static int provide_pass(char *buf, int size, int rwflag, void *baton) ++{ ++ pass_ctx *ctx = baton; ++ if (ctx->pass_len > 0) { ++ if (ctx->pass_len < size) { ++ size = (int)ctx->pass_len; ++ } ++ memcpy(buf, ctx->pass, size); ++ } ++ return ctx->pass_len; ++} ++ ++EVP_PKEY *modssl_read_encrypted_pkey(const char *filename, EVP_PKEY **key, ++ const char *pass, apr_size_t pass_len) ++{ ++ pass_ctx ctx; ++ ++ ctx.pass = pass; ++ ctx.pass_len = pass_len; ++ return modssl_read_privatekey(filename, key, provide_pass, &ctx); ++} ++ + /* _________________________________________________________________ + ** + ** Smart shutdown +Index: modules/ssl/ssl_util_ssl.h +=================================================================== +--- modules/ssl/ssl_util_ssl.h (revision 1807581) ++++ modules/ssl/ssl_util_ssl.h (working copy) +@@ -65,6 +65,7 @@ + void *modssl_get_app_data2(SSL *); + void modssl_set_app_data2(SSL *, void *); + EVP_PKEY *modssl_read_privatekey(const char *, EVP_PKEY **, pem_password_cb *, void *); ++EVP_PKEY *modssl_read_encrypted_pkey(const char *, EVP_PKEY **, const char *, apr_size_t); + int modssl_smart_shutdown(SSL *ssl); + BOOL modssl_X509_getBC(X509 *, int *, int *); + char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne); Modified: head/www/mod_md-devel/pkg-message ============================================================================== --- head/www/mod_md-devel/pkg-message Sun Sep 10 11:34:31 2017 (r449537) +++ head/www/mod_md-devel/pkg-message Sun Sep 10 11:49:49 2017 (r449538) @@ -6,6 +6,12 @@ # to the www/apache24 port and rebuild/reinstall apache. # #################################################################### +Add the following to your make.conf to apply the patch to www/apache24 + +.if ${.CURDIR:M*/www/apache24} +EXTRA_PATCHES+=../mod_md-devel/files/extra-patch-mod_ssl +.endif + If you want to have the md module enabled in your apache installation, you need to add