FYI: mod_md merge into trunk is incoming, most likely tomorrow. 

The merge candidate is in ^/httpd/httpd/branches/trunk-md. Existing code
has only been changed in mod_ssl. A diff is available via:

svn diff ^/httpd/httpd/trunk/modules/ssl ^/httpd/httpd/branches/trunk-md/modules/ssl

Gist of the mod_ssl changes:

1. In post_config:
   mod_ssl can ask mod_md via optional functions whether a server_rec is managed.
   If yes:
   - it checks if certificates are already defined for this server.
     If so, it logs and ignores mod_md. (Safe route. Can be discussed if it
     should override instead.)
   - it asks mod_md for the key/cert/chain files
     a) if they are all there, they are added to the server configuration
     b) if all or some are missing, a new "service_unavailable"
        flag is set in the server config. (This is new: a vhost that does not
        fail config, but is unavailable for config reasons.)

2. In the mod_ssl read_request hook:
   mod_ssl checks if the request's server config has "service_unavailable" set.
   If so, the request is answered with a 503. This should prevent any access
   to a server whose certificate is (not yet) available.

3. In the SNI callback:
   If no matching virtual host is found for the client-supplied server name,
   mod_ssl asks mod_md (if available) if this server name is a challenge. When
   mod_md answers positive, it will provide certificate and key.
   mod_ssl sets these in the SSL* of the connection and also sets
   "service_unavailable" for the connection so that change 2.) also gives 503
   for all requests to this domain.
   (This is for the "tls-sni-01" authorization method of the ACME protocol.)
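To make the three decision points concrete, here is a constructed, stand-alone C model of the logic described in 1.-3. It is not code from the trunk-md branch: plain structs stand in for server_rec/conn_rec, the md_* fields stand in for what mod_md's optional functions would answer, and all names (vhost_t, conn_t, ssl_post_config, ssl_sni, ssl_read_request) are invented for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the mod_ssl/mod_md interplay described in the mail.
 * Plain structs replace httpd's server_rec/conn_rec; the md_* fields replace
 * the answers mod_md's optional functions would give. Not httpd code. */
typedef struct {
    const char *name;               /* ServerName */
    bool has_static_certs;          /* SSLCertificateFile already configured */
    bool md_managed;                /* mod_md says this server_rec is managed */
    bool md_key, md_cert, md_chain; /* files mod_md can hand out right now */
    bool uses_md_files;             /* set when mod_md's files were adopted */
    bool service_unavailable;       /* new per-server flag from post_config */
} vhost_t;

typedef struct { bool service_unavailable; } conn_t; /* per-connection flag */

/* 1. post_config: returns true only when mod_md's key/cert/chain were adopted. */
bool ssl_post_config(vhost_t *s) {
    s->uses_md_files = s->service_unavailable = false;
    if (!s->md_managed || s->has_static_certs)    /* not managed, or admin config wins */
        return false;
    if (s->md_key && s->md_cert && s->md_chain) { /* all present: add to server config */
        s->uses_md_files = true;
        return true;
    }
    s->service_unavailable = true;                /* anything missing: fail closed, not fail config */
    return false;
}

/* 3. SNI callback: returns the matching vhost, or NULL. An unmatched name that
 * mod_md claims as a tls-sni-01 challenge would get the challenge cert/key on
 * the SSL* (not modelled); the connection is flagged so every request gets 503. */
vhost_t *ssl_sni(vhost_t *hosts, int n, const char *sni, bool md_is_challenge, conn_t *c) {
    for (int i = 0; i < n; i++)
        if (strcmp(hosts[i].name, sni) == 0)
            return &hosts[i];
    if (md_is_challenge)
        c->service_unavailable = true;
    return NULL;
}

/* 2. read_request: either the server flag or the connection flag yields a 503. */
int ssl_read_request(const vhost_t *s, const conn_t *c) {
    return (s->service_unavailable || c->service_unavailable) ? 503 : 200;
}
```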

Cheers,

Stefan

PS. @Jchampion: I am not sure how to best merge the unit test cases into httpd.
They need to be optional, tied to the availability of mod_md, and I do not know
how to do that.

PPS. Another nit: mod_md also builds an executable, currently named a2md. I
thought about putting it in support/, but since this depends upon the optional
mod_md, it is more natural in modules/md, I thought.
