| author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-14 23:46:40 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-15 01:31:29 +0100 | 
| commit | f62a66c6ce82d9a1af241dc3952250362e601d45 (patch) | |
| tree | 454cbfef10eab4063ac8234fc808b426eab94b65 | |
| parent | 5dcb74302029ffcfd076f9ab10329e2196f17f85 (diff) | |
Add support for TLS Feature extension from RFC 7633.
This is mostly useful for OCSP Must-Staple.
| -rw-r--r-- | Changelog | 2 | ||||
| -rwxr-xr-x | lacme | 5 | ||||
| -rw-r--r-- | lacme.8.md | 33 | 
3 files changed, 25 insertions, 15 deletions
| @@ -21,6 +21,8 @@ lacme (0.7.1) upstream;
     This change bumps the minimum OpenSSL version to 1.1.0.
   + Improve nginx/apache2 snippets for direct serving of challenge files
     (with the new 'challenge-directory' logic symlinks can be disabled).
+ + Add support for TLS Feature extension from RFC 7633; this is mostly
+   useful for OCSP Must-Staple.
   - lacme: delay webserver socket shutdown to after the process has
     terminated.
   - documentation: suggest to generate private key material with
@@ -159,6 +159,7 @@ sub gen_csr(%) {
     );
     $config->print("keyUsage = critical, $args{keyUsage}\n")   if defined $args{keyUsage};
     $config->print("subjectAltName = $args{subjectAltName}\n") if defined $args{subjectAltName};
+    $config->print("tlsfeature = $args{tlsfeature}\n") if defined $args{tlsfeature};
     $config->close() or die "Can't close: $!";
 
     my @args = (qw/-new -batch -key/, $args{'certificate-key'});
@@ -703,7 +704,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
             my $def = delete $h->{_} // {};
             $defaults{$_} = $def->{$_} foreach keys %$def;
             my @valid = qw/certificate certificate-chain certificate-key min-days CAfile
-                           hash keyUsage subject subjectAltName chown chmod notify/;
+                           hash keyUsage subject subjectAltName tlsfeature chown chmod notify/;
             foreach my $s (keys %$h) {
                 $conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid };
                 die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}};
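Review bot: The new `tlsfeature` line in the gen_csr hunk writes the option value into the generated OpenSSL config verbatim, like the keyUsage and subjectAltName lines above it, so a value containing a newline or a `[section]` header would become extra config directives instead of a single `tlsfeature =` entry. The value comes from lacme's own configuration file, so this is defense-in-depth rather than an exposure, but a cheap shape check before the print also turns a typo into a clear message instead of an opaque openssl failure at CSR time: `die "[tlsfeature] invalid value: $args{tlsfeature}\n" if defined $args{tlsfeature} and $args{tlsfeature} =~ /[\r\n\[]/;`. The same unvalidated value is accepted via the `@valid` list in the -703 hunk and forwarded in the -744 hunk, so the check belongs here at the single point of use. gen_csr's body starts and ends outside this hunk.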
@@ -744,7 +745,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
         }
 
         # generate the CSR
-        my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key subject subjectAltName keyUsage hash/) // do {
+        my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key keyUsage subject subjectAltName tlsfeature hash/) // do {
             print STDERR "[$s] Warning: Couldn't generate CSR, skipping\n";
             $rv = 1;
             next;
@@ -368,6 +368,18 @@ Valid options are:
     Default: the value of the CLI option `--min-days`, or `21` if there
     is no such option.
 
+*subject*
+
+:   Subject field of the Certificate Signing Request, in the form
+    `/type0=value0/type1=value1/type2=…`.  This option is required.
+
+*subjectAltName*
+
+:   Comma-separated list of Subject Alternative Names, in the form
+    `type0:value1,type1:value1,type2:…`
+    The only `type` currently supported is `DNS`, to specify an
+    alternative domain name.
+
 *CAfile*
 
 :   Path to the bundle of trusted issuer certificates.  This is used for
@@ -384,21 +396,15 @@ Valid options are:
 
 :   Comma-separated list of Key Usages, for instance `digitalSignature,
     keyEncipherment`, to include in the Certificate Signing Request.
-    See [`x509v3_config`(5ssl)] for a list of possible values.
-    See x509v3_config(5ssl) for a list of possible values.  Note that
-    the ACME might override the value provided here.
-
-*subject*
+    See [`x509v3_config`(5ssl)] for a list of possible values.  Note
+    that the ACME server might override the value provided here.
 
-:   Subject field of the Certificate Signing Request, in the form
-    `/type0=value0/type1=value1/type2=…`.  This option is required.
+*tlsfeature*
 
-*subjectAltName*
-
-:   Comma-separated list of Subject Alternative Names, in the form
-    `type0:value1,type1:value1,type2:…`
-    The only `type` currently supported is `DNS`, to specify an
-    alternative domain name.
+:   Comma-separated list of [TLS extension][TLS Feature extension]
+    identifiers, such as `status_request` for OCSP Must-Staple.
+    See [`x509v3_config`(5ssl)] for a list of possible values.  Note
+    that the ACME server might override the value provided here.
 
 *chown*
 
@@ -429,6 +435,7 @@ See also
 [`lacme-accountd`(1)]
 
 [ACME]: https://tools.ietf.org/html/rfc8555
+[TLS Feature extension]: https://tools.ietf.org/html/rfc7633
 [`lacme-accountd`(1)]: lacme-accountd.1.html
 [`iptables`(8)]: https://linux.die.net/man/8/iptables
 [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html |
