authorGuilhem Moulin <guilhem@fripost.org>2021-02-14 23:46:40 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-15 01:31:29 +0100
commitf62a66c6ce82d9a1af241dc3952250362e601d45 (patch)
tree454cbfef10eab4063ac8234fc808b426eab94b65
parent5dcb74302029ffcfd076f9ab10329e2196f17f85 (diff)
Add support for TLS Feature extension from RFC 7633.
This is mostly useful for OCSP Must-Staple.
-rw-r--r--Changelog2
-rwxr-xr-xlacme5
-rw-r--r--lacme.8.md33
3 files changed, 25 insertions, 15 deletions
diff --git a/Changelog b/Changelog
index 7cef63c..a622803 100644
--- a/Changelog
+++ b/Changelog
@@ -21,6 +21,8 @@ lacme (0.7.1) upstream;
This change bumps the minimum OpenSSL version to 1.1.0.
+ Improve nginx/apache2 snippets for direct serving of challenge files
(with the new 'challenge-directory' logic symlinks can be disabled).
+ + Add support for TLS Feature extension from RFC 7633; this is mostly
+ useful for OCSP Must-Staple.
- lacme: delay webserver socket shutdown to after the process has
terminated.
- documentation: suggest to generate private key material with
diff --git a/lacme b/lacme
index bd4bd73..045c5b4 100755
--- a/lacme
+++ b/lacme
@@ -159,6 +159,7 @@ sub gen_csr(%) {
);
$config->print("keyUsage = critical, $args{keyUsage}\n") if defined $args{keyUsage};
$config->print("subjectAltName = $args{subjectAltName}\n") if defined $args{subjectAltName};
+ $config->print("tlsfeature = $args{tlsfeature}\n") if defined $args{tlsfeature};
$config->close() or die "Can't close: $!";
my @args = (qw/-new -batch -key/, $args{'certificate-key'});
@@ -703,7 +704,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
my $def = delete $h->{_} // {};
$defaults{$_} = $def->{$_} foreach keys %$def;
my @valid = qw/certificate certificate-chain certificate-key min-days CAfile
- hash keyUsage subject subjectAltName chown chmod notify/;
+ hash keyUsage subject subjectAltName tlsfeature chown chmod notify/;
foreach my $s (keys %$h) {
$conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid };
die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}};
@@ -744,7 +745,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
}
# generate the CSR
- my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key subject subjectAltName keyUsage hash/) // do {
+ my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key keyUsage subject subjectAltName tlsfeature hash/) // do {
print STDERR "[$s] Warning: Couldn't generate CSR, skipping\n";
$rv = 1;
next;
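Review bot: In the first hunk of this file, the added `$config->print("tlsfeature = $args{tlsfeature}\n")` writes the option verbatim into the OpenSSL request config, so a value containing a newline or `#` would be read as further config directives or a comment rather than as a TLS feature identifier; the neighbouring keyUsage and subjectAltName lines have the same shape, so this matches existing code, but a guard is cheap now that the option is documented as a free-form comma-separated list. A check such as `die "Invalid tlsfeature value\n" if defined $args{tlsfeature} and $args{tlsfeature} =~ /[\r\n#]/;` placed before the print would also stop a typo from surfacing only as the generic `Couldn't generate CSR, skipping` warning in the newOrder hunk, which presumably is what happens when `openssl req` rejects the extension. Because `status_request` (OCSP Must-Staple) commits the issued certificate to stapling on the serving side, a why-comment on the config line — `# RFC 7633 TLS Feature (e.g. status_request for OCSP Must-Staple); passed to x509v3_config unchanged` — would help the next reader understand the operational consequence of the value. gen_csr begins and ends outside the hunk.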
diff --git a/lacme.8.md b/lacme.8.md
index 76cdd0d..00a62a2 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -368,6 +368,18 @@ Valid options are:
Default: the value of the CLI option `--min-days`, or `21` if there
is no such option.
+*subject*
+
+: Subject field of the Certificate Signing Request, in the form
+ `/type0=value0/type1=value1/type2=…`. This option is required.
+
+*subjectAltName*
+
+: Comma-separated list of Subject Alternative Names, in the form
+ `type0:value1,type1:value1,type2:…`
+ The only `type` currently supported is `DNS`, to specify an
+ alternative domain name.
+
*CAfile*
: Path to the bundle of trusted issuer certificates. This is used for
@@ -384,21 +396,15 @@ Valid options are:
: Comma-separated list of Key Usages, for instance `digitalSignature,
keyEncipherment`, to include in the Certificate Signing Request.
- See [`x509v3_config`(5ssl)] for a list of possible values.
- See x509v3_config(5ssl) for a list of possible values. Note that
- the ACME might override the value provided here.
-
-*subject*
+ See [`x509v3_config`(5ssl)] for a list of possible values. Note
+ that the ACME server might override the value provided here.
-: Subject field of the Certificate Signing Request, in the form
- `/type0=value0/type1=value1/type2=…`. This option is required.
+*tlsfeature*
-*subjectAltName*
-
-: Comma-separated list of Subject Alternative Names, in the form
- `type0:value1,type1:value1,type2:…`
- The only `type` currently supported is `DNS`, to specify an
- alternative domain name.
+: Comma-separated list of [TLS extension][TLS Feature extension]
+ identifiers, such as `status_request` for OCSP Must-Staple.
+ See [`x509v3_config`(5ssl)] for a list of possible values. Note
+ that the ACME server might override the value provided here.
*chown*
@@ -429,6 +435,7 @@ See also
[`lacme-accountd`(1)]
[ACME]: https://tools.ietf.org/html/rfc8555
+[TLS Feature extension]: https://tools.ietf.org/html/rfc7633
[`lacme-accountd`(1)]: lacme-accountd.1.html
[`iptables`(8)]: https://linux.die.net/man/8/iptables
[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html