diff --git a/ChangeLog b/ChangeLog
index 9fd8270..d9378c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,5 @@
+v2.6.6
+----------------------------------------------------------------------------------------------------
 * Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
 * Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
diff --git a/configure.ac b/configure.ac
index 28cc8ce..e3f0d3e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -14,7 +14,7 @@
 # AC_PREREQ([2.69])
-AC_INIT([mod_md], [2.6.5], [stefan@eissing.org])
+AC_INIT([mod_md], [2.6.6], [stefan@eissing.org])
 LT_PREREQ([2.2.6])
 LT_INIT()
diff --git a/src/md_version.h b/src/md_version.h
index 858d44d..7dc1992 100644
--- a/src/md_version.h
+++ b/src/md_version.h
@@ -27,7 +27,7 @@
 * @macro
 * Version number of the md module as c string
 */
-#define MOD_MD_VERSION "2.6.5-git"
+#define MOD_MD_VERSION "2.6.6-git"
 /**
 * @macro
@@ -35,7 +35,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
-#define MOD_MD_VERSION_NUM 0x020605
+#define MOD_MD_VERSION_NUM 0x020606
 #define MD_ACME_DEF_URL "https://acme-v02.api.letsencrypt.org/directory"
diff --git a/src/mod_md_config.c b/src/mod_md_config.c
index d6807c9..9688714 100644
--- a/src/mod_md_config.c
+++ b/src/mod_md_config.c
@@ -282,6 +282,7 @@ static void *md_config_merge(apr_pool_t *pool, void *basev, void *addv)
 nsc->profile = add->profile? add->profile : base->profile;
 nsc->profile_mandatory = (add->profile_mandatory != DEF_VAL)? add->profile_mandatory : base->profile_mandatory;
 nsc->stapling = (add->stapling != DEF_VAL)? add->stapling : base->stapling;
+ nsc->staple_others = (add->staple_others != DEF_VAL)? add->staple_others : base->staple_others;
 nsc->ari_renewals = (add->ari_renewals != DEF_VAL)? add->ari_renewals : base->ari_renewals;
 nsc->dns01_cmd = (add->dns01_cmd)? add->dns01_cmd : base->dns01_cmd;
 nsc->current = NULL;
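Review bot: The `staple_others` merge added to md_config_merge changes which servers get OCSP stapling for non-managed certificates, but the ChangeLog lines visible in this commit list only the BIGNUM leak and the curl handle reset under the new v2.6.6 heading. Unless an entry sits below the visible context, operators who set MDStapleOthers have no release note telling them the effective setting may differ after the upgrade. An entry such as ` * Fix MDStapleOthers being dropped when server configurations are merged.` would cover it. The body of md_config_merge starts and ends outside the hunk, so whether `staple_others` was assigned elsewhere before this change cannot be confirmed from here.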
diff --git a/src/mod_md_ocsp.c b/src/mod_md_ocsp.c
index 1d1e282..78d0ace 100644
--- a/src/mod_md_ocsp.c
+++ b/src/mod_md_ocsp.c
@@ -61,8 +61,18 @@ int md_ocsp_prime_status(server_rec *s, apr_pool_t *p,
 apr_array_header_t *chain;
 apr_status_t rv = APR_ENOENT;
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "ocsp prime status call for: %s",
+ s->server_hostname);
 sc = md_config_get(s);
- if (!staple_here(sc)) goto cleanup;
+ if (!staple_here(sc)) {
+ ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+ "ocsp prime does not apply here: server=%s, sc=%d"
+ "ocsp=%d, conf-ocsp=%d conf-others=%d",
+ s->server_hostname, !!sc, sc? !!sc->mc->ocsp : 0,
+ md_config_geti(sc, MD_CONFIG_STAPLING),
+ md_config_geti(sc, MD_CONFIG_STAPLE_OTHERS));
+ goto cleanup;
+ }
 md = ((sc->assigned && sc->assigned->nelts == 1)? APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);
diff --git a/test/modules/md/test_801_stapling.py b/test/modules/md/test_801_stapling.py
index 3348572..326e93a 100644
--- a/test/modules/md/test_801_stapling.py
+++ b/test/modules/md/test_801_stapling.py
@@ -1,6 +1,7 @@
 # test mod_md stapling support
 import os
+import re
 import time
 from datetime import timedelta
 import pytest
@@ -37,10 +38,11 @@ def _method_scope(self, env, request):
 yield env.apache_stop()
- def configure_httpd(self, env, domains=None, add_lines="", ssl_stapling=False):
+ def configure_httpd(self, env, domains=None, add_lines="", ssl_stapling=False,
+ std_vhosts=True):
 if not isinstance(domains, list): domains = [domains] if domains else []
- conf = MDConf(env)
+ conf = MDConf(env, std_vhosts=std_vhosts)
 conf.add(""" LogLevel tls:trace4
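Review bot: In the new "does not apply here" trace message of md_ocsp_prime_status, both `md_config_geti(sc, ...)` arguments receive `sc` unguarded, while the neighbouring arguments (`!!sc` and `sc? !!sc->mc->ocsp : 0`) treat `sc` as possibly NULL. md_config_geti is not shown in this hunk, so whether it tolerates NULL is unconfirmed; if it does not, evaluating this log call could turn a harmless skip into a crash. Guarding them the same way, `sc? md_config_geti(sc, MD_CONFIG_STAPLING) : 0` and likewise for `MD_CONFIG_STAPLE_OTHERS`, keeps the diagnostic path safe. The two adjacent string literals also join without a separator, so the message prints as `sc=1ocsp=0`; ending the first literal with `sc=%d, ` fixes that. The function body starts and ends outside the hunk.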
@@ -423,3 +425,29 @@ def test_md_801_011(self, env):
 stat = env.await_ocsp_status(domain)
 assert stat['ocsp'] == "successful (0x0)"
 assert stat['verify'] == "0 (ok)"
+
+ # test MDStapleOthers setting
+ def test_md_801_012(self, env):
+ # turn stapling on, wait for it to appear in connections
+ md = self.mdA
+ conf = self.configure_httpd(env, std_vhosts=False)
+ conf.add("MDStapling on")
+ conf.add("MDStapleOthers on")
+ conf.add("LogLevel md:debug")
+ conf.start_vhost(md)
+ conf.add_certificate(env.store_domain_file(md, 'pubcert.pem'),
+ env.store_domain_file(md, 'privkey.pem'))
+ conf.end_vhost()
+ conf.install()
+ env.httpd_error_log.clear_log()
+ assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
+ try:
+ stat = env.await_ocsp_status(md, timeout=1)
+ except TimeoutError:
+ pass
+ if env.lacks_ocsp():
+ assert env.httpd_error_log.scan_recent(
+ pattern=re.compile(r'.*md\[other]: certificate with serial .* has no OCSP responder URL'))
+ else:
+ assert stat['ocsp'] == "successful (0x0)"
+ assert stat['verify'] == "0 (ok)"
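Review bot: In test_md_801_012, `stat` stays unbound when `env.await_ocsp_status(md, timeout=1)` raises TimeoutError, because `except TimeoutError: pass` swallows it. The `else` branch then fails with an UnboundLocalError on `stat['ocsp']` instead of a readable assertion. With a one-second timeout that path looks reachable on a slow runner even when OCSP is available, which would hide a real stapling regression behind a confusing error. Setting `stat = None` before the `try:` and opening the `else` branch with `assert stat is not None, 'no OCSP status within timeout'` keeps the failure meaningful. Alternatively, swallow the timeout only when `env.lacks_ocsp()` is true.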