On 3/2/21 3:21 PM, ic...@apache.org wrote:
> Author: icing
> Date: Tue Mar 2 14:21:18 2021
> New Revision: 1887085
>
> URL: http://svn.apache.org/viewvc?rev=1887085&view=rev
> Log:
> Adding more ap_ssl_* functions and hooks to the core server.
>
> - ap_ssl_add_cert_files() to enable other modules like mod_md to provide
> certificate and keys for an SSL module like mod_ssl.
> - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
> provide a fallback certificate in case no 'proper' certificate is
> available for an SSL module like mod_ssl.
> - ap_ssl_answer_challenge() to enable other modules like mod_md to
> provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
> for the ACME protocol for an SSL module like mod_ssl.
> - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
> 'ssl_answer_challenge' where modules like mod_md can provide providers
> to the above mentioned functions.
>
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/include/ap_mmn.h
> httpd/httpd/trunk/include/http_protocol.h
> httpd/httpd/trunk/modules/md/mod_md.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/server/protocol.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1887085&r1=1887084&r2=1887085&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Mar 2 14:21:18 2021
> @@ -2316,11 +2316,29 @@ void ssl_callback_Info(const SSL *ssl, i
> #ifdef HAVE_TLSEXT
>
> static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
> - SSL *ssl, X509 *cert, EVP_PKEY *key)
> + SSL *ssl, X509 *cert, EVP_PKEY *key,
> + const char *cert_file, const char
> *key_file)
> {
> SSLConnRec *sslcon = myConnConfig(c);
>
> sslcon->service_unavailable = 1;
> + if (cert_file) {
> + if (SSL_use_certificate_chain_file(ssl, cert_file) < 1) {
As noted by the failure of build #1461 (
https://travis-ci.com/github/apache/httpd/jobs/487481449)
SSL_use_certificate_chain_file is not available with OpenSSL 1.0.2 which is
still the OS
provided standard version with Ubuntu 16 LTS and RedHat / Centos 7.
Regards
RĂ¼diger