Mailing List Archive

svn commit: r1895290 - in /httpd/httpd/branches/2.4.x: CHANGES changes-entries/md_2.4.8.txt changes-entries/md_2.4.9.txt changes-entries/pr65620.txt
Author: icing
Date: Wed Nov 24 11:08:47 2021
New Revision: 1895290

URL: http://svn.apache.org/viewvc?rev=1895290&view=rev
Log:
integration of CHANGES [skip ci]

Removed:
httpd/httpd/branches/2.4.x/changes-entries/md_2.4.8.txt
httpd/httpd/branches/2.4.x/changes-entries/md_2.4.9.txt
httpd/httpd/branches/2.4.x/changes-entries/pr65620.txt
Modified:
httpd/httpd/branches/2.4.x/CHANGES

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1895290&r1=1895289&r2=1895290&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Wed Nov 24 11:08:47 2021
@@ -1,6 +1,46 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.52

+ *) mod_md: Fix memory leak in case of failures to load the private key.
+ PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
+
+ *) mod_md: adding v2.4.8 with the following changes
+ - Added support for ACME External Account Binding (EAB).
+ Use the new directive `MDExternalAccountBinding` to provide the
+ server with the value for key identifier and hmac as provided by
+ your CA.
+ While working on some servers, EAB handling is not uniform
+ across CAs. First tests with a Sectigo Certificate Manager in
+ demo mode are successful. But ZeroSSL, for example, seems to
+ regard EAB values as a one-time-use-only thing, which makes them
+ fail if you create a seconde account or retry the creation of the
+ first account with the same EAB.
+ - The directive 'MDCertificateAuthority' now checks if its parameter
+ is a http/https url or one of a set of known names. Those are
+ 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
+ for now and they are not case-sensitive.
+ The default of LetsEncrypt is unchanged.
+ - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
+ section.
+ - Treating 401 HTTP status codes for orders like 403, since some ACME
+ servers seem to prefer that for accessing oders from other accounts.
+ - When retrieving certificate chains, try to read the repsonse even
+ if the HTTP Content-Type is unrecognized.
+ - Fixed a bug that reset the error counter of a certificate renewal
+ and prevented the increasing delays in further attempts.
+ - Fixed the renewal process giving up every time on an already existing
+ order with some invalid domains. Now, if such are seen in a previous
+ order, a new order is created for a clean start over again.
+ See <https://github.com/icing/mod_md/issues/268>
+ - Fixed a mixup in md-status handler when static certificate files
+ and renewal was configured at the same time.
+
+ *) mod_md: values for External Account Binding (EAB) can
+ now also be configured to be read from a separate JSON
+ file. This allows to keep server configuration permissions
+ world readable without exposing secrets.
+ [Stefan Eissing]
+
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
PR 65616. [Ruediger Pluem]
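
Review bot: The EAB bullet in the added v2.4.8 entry tells admins to give `MDExternalAccountBinding` the key identifier and hmac directly, while the last added mod_md entry says these values can instead be read from a separate JSON file so that a world-readable server configuration exposes no secrets. The first bullet should point to that file option. The last entry should also name the directive it applies to and the mod_md version it belongs to, since unlike the v2.4.8 entry it carries neither. Three typos in the added lines should be fixed: "seconde account" (second), "accessing oders" (orders), and "read the repsonse" (response). Quoting of directive names is also mixed: backticks for `MDExternalAccountBinding` and `MDContactEmail`, single quotes for 'MDCertificateAuthority'. Pick one style for the entry.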