From f62a66c6ce82d9a1af241dc3952250362e601d45 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 14 Feb 2021 23:46:40 +0100
Subject: Add support for TLS Feature extension from RFC 7633.
This is mostly useful for OCSP Must-Staple.
---
 Changelog | 2 ++
 lacme | 5 +++--
 lacme.8.md | 33 ++++++++++++++++++++-------------
 3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/Changelog b/Changelog
index 7cef63c..a622803 100644
--- a/Changelog
+++ b/Changelog
@@ -21,6 +21,8 @@ lacme (0.7.1) upstream;
 This change bumps the minimum OpenSSL version to 1.1.0.
 + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled).
+ + Add support for TLS Feature extension from RFC 7633; this is mostly
+ useful for OCSP Must-Staple.
 - lacme: delay webserver socket shutdown to after the process has terminated.
 - documentation: suggest to generate private key material with
diff --git a/lacme b/lacme
index bd4bd73..045c5b4 100755
--- a/lacme
+++ b/lacme
@@ -159,6 +159,7 @@ sub gen_csr(%) {
 );
 $config->print("keyUsage = critical, $args{keyUsage}\n") if defined $args{keyUsage};
 $config->print("subjectAltName = $args{subjectAltName}\n") if defined $args{subjectAltName};
+ $config->print("tlsfeature = $args{tlsfeature}\n") if defined $args{tlsfeature};
 $config->close() or die "Can't close: $!";
 my @args = (qw/-new -batch -key/, $args{'certificate-key'});
@@ -703,7 +704,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
 my $def = delete $h->{_} // {};
 $defaults{$_} = $def->{$_} foreach keys %$def;
 my @valid = qw/certificate certificate-chain certificate-key min-days CAfile
- hash keyUsage subject subjectAltName chown chmod notify/;
+ hash keyUsage subject subjectAltName tlsfeature chown chmod notify/;
 foreach my $s (keys %$h) {
 $conf->{$s} = { map { $_ => delete $h->{$s}->{$_} } @valid };
 die "Unknown option(s) in [$s]: ".join(', ', keys %{$h->{$s}})."\n" if %{$h->{$s}};
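Review bot: The added `tlsfeature` line interpolates the configured value verbatim into the OpenSSL request config, so a value containing a newline or a `[section]` header would be parsed as further config directives rather than as a single extension value; the adjacent `keyUsage` and `subjectAltName` lines already behave this way, so this widens an existing pattern rather than introducing a new one. The value is read from lacme's own config file and is therefore admin-controlled rather than untrusted, but a shape check would reject a malformed value with a clear message instead of whatever `openssl req` reports later: `die "Invalid tlsfeature value: $args{tlsfeature}\n" unless $args{tlsfeature} =~ /\A\w+(?:[ \t]*,[ \t]*\w+)*\z/;` placed before the print. That pattern accepts the comma-separated identifiers x509v3_config(5ssl) takes for this extension, such as `status_request`, and rejects embedded newlines and section headers. The body of `gen_csr` starts and ends outside the hunk.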
@@ -744,7 +745,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') {
 }
 # generate the CSR
- my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key subject subjectAltName keyUsage hash/) // do {
+ my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key keyUsage subject subjectAltName tlsfeature hash/) // do {
 print STDERR "[$s] Warning: Couldn't generate CSR, skipping\n";
 $rv = 1;
 next;
diff --git a/lacme.8.md b/lacme.8.md
index 76cdd0d..00a62a2 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -368,6 +368,18 @@ Valid options are:
 Default: the value of the CLI option `--min-days`, or `21` if there is no such option.
+*subject*
+
+: Subject field of the Certificate Signing Request, in the form
+ `/type0=value0/type1=value1/type2=…`. This option is required.
+
+*subjectAltName*
+
+: Comma-separated list of Subject Alternative Names, in the form
+ `type0:value1,type1:value1,type2:…`
+ The only `type` currently supported is `DNS`, to specify an
+ alternative domain name.
+
 *CAfile*
 : Path to the bundle of trusted issuer certificates. This is used for
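Review bot: Passing `tlsfeature` through to `gen_csr` means a certificate requested with `status_request` carries OCSP Must-Staple, and once it replaces the previous certificate, clients that enforce the extension treat a missing stapled OCSP response as a failed handshake; nothing in this flow warns the operator, and the man page entry this commit adds for *tlsfeature* only points at x509v3_config(5ssl). I would add a sentence to that entry along the lines of "Requesting `status_request` makes the certificate unusable on a TLS server that does not staple OCSP responses; enable stapling before deploying it", and optionally emit `print STDERR "[$s] Warning: tlsfeature is set, make sure the TLS server staples OCSP responses\n" if defined $conf->{tlsfeature};` next to the existing CSR warning so the caveat is visible at issuance time. The enclosing `elsif` block starts and ends outside the hunk.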
@@ -384,21 +396,15 @@ Valid options are:
 : Comma-separated list of Key Usages, for instance `digitalSignature, keyEncipherment`, to include in the Certificate Signing Request.
- See [`x509v3_config`(5ssl)] for a list of possible values.
- See x509v3_config(5ssl) for a list of possible values. Note that
- the ACME might override the value provided here.
-
-*subject*
+ See [`x509v3_config`(5ssl)] for a list of possible values. Note
+ that the ACME server might override the value provided here.
-: Subject field of the Certificate Signing Request, in the form
- `/type0=value0/type1=value1/type2=…`. This option is required.
+*tlsfeature*
-*subjectAltName*
-
-: Comma-separated list of Subject Alternative Names, in the form
- `type0:value1,type1:value1,type2:…`
- The only `type` currently supported is `DNS`, to specify an
- alternative domain name.
+: Comma-separated list of [TLS extension][TLS Feature extension]
+ identifiers, such as `status_request` for OCSP Must-Staple.
+ See [`x509v3_config`(5ssl)] for a list of possible values. Note
+ that the ACME server might override the value provided here.
 *chown*
@@ -429,6 +435,7 @@ See also [`lacme-accountd`(1)]
 [ACME]: https://tools.ietf.org/html/rfc8555
+[TLS Feature extension]: https://tools.ietf.org/html/rfc7633
 [`lacme-accountd`(1)]: lacme-accountd.1.html
 [`iptables`(8)]: https://linux.die.net/man/8/iptables
 [`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
--
cgit v1.2.3