Posted to cvs@httpd.apache.org by kb...@apache.org on 2011/08/15 07:15:17 UTC
svn commit: r1157712 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_log.c
Author: kbrand
Date: Mon Aug 15 05:15:17 2011
New Revision: 1157712
URL: http://svn.apache.org/viewvc?rev=1157712&view=rev
Log:
Improve ssl_log_cxerror():
Fix logic of APLOG_IS_LEVEL check.
Use X509_NAME_print_ex() instead of deprecated X509_NAME_oneline().
Use i2a_ASN1_INTEGER for printing the serial number.
Add notBefore and notAfter dates to log line.
Check for null cert argument (addresses PR 47408).
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1157712&r1=1157711&r2=1157712&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Aug 15 05:15:17 2011
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache 2.3.15
+ *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
+
*) mod_authz_groupfile: Increase length limit of lines in the group file to
16MB. PR 43084. [Stefan Fritsch]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=1157712&r1=1157711&r2=1157712&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Mon Aug 15 05:15:17 2011
@@ -114,43 +114,61 @@ void ssl_log_cxerror(const char *file, i
{
va_list ap;
char buf[HUGE_STRING_LEN];
- char *sname, *iname, *serial;
- BIGNUM *bn;
- if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
+ if (!APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
/* Bail early since the rest of this function is expensive. */
return;
}
- sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
- iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
- bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
- serial = bn && !BN_is_zero(bn) ? BN_bn2hex(bn) : NULL;
-
va_start(ap, format);
apr_vsnprintf(buf, sizeof buf, format, ap);
va_end(ap);
- ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c,
- "%s [subject: %s, issuer: %s, serial: %s]",
- buf,
- sname ? sname : "-unknown-",
- iname ? iname : "-unknown-",
- serial ? serial : "-unknown-");
+ if (cert) {
+ BIO *bio = BIO_new(BIO_s_mem());
- if (sname) {
- OPENSSL_free(sname);
- }
-
- if (iname) {
- OPENSSL_free(iname);
- }
-
- if (serial) {
- OPENSSL_free(serial);
- }
+ if (bio) {
+ int n, msglen;
+
+ BIO_puts(bio, " [subject: ");
+ n = X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+ XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV);
+ if (n == 0) {
+ BIO_puts(bio, "-empty-");
+ } else if (n < 0) {
+ BIO_puts(bio, "(ERROR)");
+ }
- if (bn) {
- BN_free(bn);
+ BIO_puts(bio, " / issuer: ");
+ n = X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+ XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV);
+ if (n == 0) {
+ BIO_puts(bio, "-empty-");
+ } else if (n < 0) {
+ BIO_puts(bio, "(ERROR)");
+ }
+
+ BIO_puts(bio, " / serial: ");
+ if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1)
+ BIO_puts(bio, "(ERROR)");
+
+ BIO_puts(bio, " / notbefore: ");
+ ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+ BIO_puts(bio, " / notafter: ");
+ ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+ BIO_puts(bio, "]");
+
+ msglen = strlen(buf);
+ n = BIO_read(bio, buf + msglen, sizeof buf - msglen - 1);
+ if (n > 0)
+ buf[msglen + n] = '\0';
+
+ BIO_free(bio);
+ }
}
+
+ ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c,
+ "%s%s", buf, cert ? "" : " [certificate: -not available-]");
}
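Review bot: The two new validity-date lines call `ASN1_UTCTIME_print()` on `X509_get_notBefore(cert)` and `X509_get_notAfter(cert)`, but an X.509 validity field is an ASN1_TIME that may be encoded as GeneralizedTime rather than UTCTime (RFC 5280 requires GeneralizedTime for dates from 2050 on, and some CAs emit it earlier), so such certificates would be mis-rendered in the log instead of printed. `ASN1_TIME_print()` handles both encodings and is the function meant for this field: `ASN1_TIME_print(bio, X509_get_notBefore(cert));` and `ASN1_TIME_print(bio, X509_get_notAfter(cert));`. A smaller caveat worth a comment above the `BIO_read()`: when the formatted message already fills most of `buf`, the certificate details are silently cut (possibly mid-field and without the closing `]`), which is acceptable for a log line but should be stated, e.g. `/* remaining buffer is small; certificate details may be truncated */`. The reason the DN output is safe to log is that `XN_FLAG_RFC2253` escapes control and non-ASCII bytes, so a hostile subject cannot inject newlines into the error log; a one-line comment saying so next to the flags would keep a future cleanup from "simplifying" them away.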