diff options
| author | Joe Orton <jorton@apache.org> | 2021-03-03 14:53:12 +0000 |
|---|---|---|
| committer | Joe Orton <jorton@apache.org> | 2021-03-03 14:53:12 +0000 |
| commit | 33af74c29fbd85890f1f6e6454a81bab7a01de41 (patch) | |
| tree | 163a9ad36c5df8a9188d1ed6241a5ddee6794000 /CHANGES | |
| parent | dec9480c3e5fc9571dd8d337568cdf9d21602ca4 (diff) | |
| download | httpd-33af74c29fbd85890f1f6e6454a81bab7a01de41.tar.gz | |
Synch from mod_md github:
mod_md: tolerate missing revokeCert or keyChange resource
RFC 8555 ยง7.1 states:
The server MUST provide "directory" and "newNonce" resources.
But RFC 8555 makes no explicit statement anywhere whether other
resources are, or are not, required (with the exception of
"newAuthz" which is optional).
Therefore it is possible that some ACME server implementations may
omit some resources; in particular those that are not an essential
part of the "order" workflow. Indeed, I am working with one such
server implementation, which does not at this time implement
"keyChange". mod_md refuses to interact with this server because it
is checking that a certain set of resources are defined in the
directory object - despite some of those resources not currently
being used.
Update the check to require only "newNonce", "newAccount" and
"newOrder". Omit from the check and therefore tolerate the absense
of resources which are not always required: "revokeCert" and
"keyChange".
If mod_md implements revocation and/or key rollover in the future,
the availability of those features should be predicated on the
server's advertised capabilities.
https://github.com/icing/mod_md/commit/38ff597f3ccb3c942e68701fb185c6a68f0708e4
Submitted by: Fraser Tweedale <ftweedal redhat.com>
Github: closes #122
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887148 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'CHANGES')
0 files changed, 0 insertions, 0 deletions