Posted to cvs@httpd.apache.org by rj...@apache.org on 2012/08/04 23:22:39 UTC

svn commit: r1369464 - in /httpd/httpd/branches/2.4.x: ./ modules/ssl/

Author: rjung
Date: Sat Aug  4 21:22:38 2012
New Revision: 1369464

URL: http://svn.apache.org/viewvc?rev=1369464&view=rev
Log:
mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to
the main error log, pointing to the appropriate virtual host error log.

Backport of r1348660 from trunk.

Submitted by: sf
Reviewed by: rjung, covener
Backported by: rjung

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_util.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1348660

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sat Aug  4 21:22:38 2012
@@ -7,6 +7,10 @@ Changes with Apache 2.4.3
      possible XSS for a site where untrusted users can upload files to
      a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
 
+  *) mod_ssl: If exiting during initialization because of a fatal error,
+     log a message to the main error log pointing to the appropriate
+     virtual host error log. [Stefan Fritsch]
+
   *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
      one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
 

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sat Aug  4 21:22:38 2012
@@ -88,12 +88,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to
-     the main error log, pointing to the appropriate virtual host error log.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1348660
-     2.4.x patch: http://people.apache.org/~rjung/patches/ssl_die-improve_vhost-logging-2_4.patch
-     +1: rjung, covener, sf
-
    * event: Keep track of the number of clogged, lingering, and suspended connections.
      Don't count connections in lingering close state when calculating
      how many additional connections may be accepted

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Sat Aug  4 21:22:38 2012
@@ -349,7 +349,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
             else {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
         }
     }
@@ -438,7 +438,7 @@ void ssl_init_Engine(server_rec *s, apr_
                          "Init: Failed to load Crypto Device API `%s'",
                          mc->szCryptoDevice);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die();
+            ssl_die(s);
         }
 
         if (strEQ(mc->szCryptoDevice, "chil")) {
@@ -450,7 +450,7 @@ void ssl_init_Engine(server_rec *s, apr_
                          "Init: Failed to enable Crypto Device API `%s'",
                          mc->szCryptoDevice);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die();
+            ssl_die(s);
         }
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01890)
                      "Init: loaded Crypto Device API `%s'",
@@ -473,7 +473,7 @@ static void ssl_init_server_check(server
     if (!mctx->pks->cert_files[0] && !mctx->pkcs7) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891)
                 "No SSL Certificate set [hint: SSLCertificateFile]");
-        ssl_die();
+        ssl_die(s);
     }
 
     /*
@@ -489,7 +489,7 @@ static void ssl_init_server_check(server
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01892)
                 "Illegal attempt to re-initialise SSL for server "
                 "(SSLEngine On should go in the VirtualHost, not in global scope.)");
-        ssl_die();
+        ssl_die(s);
     }
 }
 
@@ -515,7 +515,7 @@ static void ssl_init_ctx_tls_extensions(
                      "Unable to initialize TLS servername extension "
                      "callback (incompatible OpenSSL version?)");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
 #ifdef HAVE_OCSP_STAPLING
@@ -546,7 +546,7 @@ static void ssl_init_ctx_protocol(server
     if (protocol == SSL_PROTOCOL_NONE) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
                 "No SSL protocols available [hint: SSLProtocol]");
-        ssl_die();
+        ssl_die(s);
     }
 
     cp = apr_pstrcat(p,
@@ -731,7 +731,7 @@ static void ssl_init_ctx_verify(server_r
                     "Unable to configure verify locations "
                     "for client authentication");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die();
+            ssl_die(s);
         }
 
         if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
@@ -746,7 +746,7 @@ static void ssl_init_ctx_verify(server_r
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896)
                     "Unable to determine list of acceptable "
                     "CA certificates for client authentication");
-            ssl_die();
+            ssl_die(s);
         }
 
         SSL_CTX_set_client_CA_list(ctx, ca_list);
@@ -791,7 +791,7 @@ static void ssl_init_ctx_cipher_suite(se
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01898)
                 "Unable to configure permitted SSL ciphers");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 }
 
@@ -815,7 +815,7 @@ static void ssl_init_ctx_crl(server_rec 
                          "Host %s: CRL checking has been enabled, but "
                          "neither %sCARevocationFile nor %sCARevocationPath "
                          "is configured", mctx->sc->vhost_id, cfgp, cfgp);
-            ssl_die();
+            ssl_die(s);
         }
         return;
     }
@@ -829,7 +829,7 @@ static void ssl_init_ctx_crl(server_rec 
                      "Host %s: unable to configure X.509 CRL storage "
                      "for certificate revocation", mctx->sc->vhost_id);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     switch (mctx->crl_check_mode) {
@@ -915,7 +915,7 @@ static void ssl_init_ctx_cert_chain(serv
     if (n < 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
                 "Failed to configure CA certificate chain!");
-        ssl_die();
+        ssl_die(s);
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01904)
@@ -973,14 +973,14 @@ static int ssl_server_import_cert(server
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02233)
                 "Unable to import %s server certificate", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02234)
                 "Unable to configure %s server certificate", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
 #ifdef HAVE_OCSP_STAPLING
@@ -1029,14 +1029,14 @@ static int ssl_server_import_key(server_
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02237)
                 "Unable to import %s server private key", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02238)
                 "Unable to configure %s server private key", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     /*
@@ -1188,7 +1188,7 @@ static void ssl_init_server_certs(server
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910)
                 "Oops, no " KEYTYPES " server certificate found "
                 "for '%s:%d'?!", s->server_hostname, s->port);
-        ssl_die();
+        ssl_die(s);
     }
 
     for (i = 0; i < SSL_AIDX_MAX; i++) {
@@ -1208,7 +1208,7 @@ static void ssl_init_server_certs(server
           )) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01911)
                 "Oops, no " KEYTYPES " server private key found?!");
-        ssl_die();
+        ssl_die(s);
     }
 }
 
@@ -1238,7 +1238,7 @@ static void ssl_init_ticket_key(server_r
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02286)
                      "Failed to open ticket key file %s: (%d) %pm",
                      path, rv, &rv);
-        ssl_die();
+        ssl_die(s);
     }
 
     rv = apr_file_read_full(fp, &buf[0], TLSEXT_TICKET_KEY_LEN, &len);
@@ -1247,7 +1247,7 @@ static void ssl_init_ticket_key(server_r
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02287)
                      "Failed to read %d bytes from %s: (%d) %pm",
                      TLSEXT_TICKET_KEY_LEN, path, rv, &rv);
-        ssl_die();
+        ssl_die(s);
     }
 
     memcpy(ticket_key->key_name, buf, 16);
@@ -1260,7 +1260,7 @@ static void ssl_init_ticket_key(server_r
                      "Unable to initialize TLS session ticket key callback "
                      "(incompatible OpenSSL version?)");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02288)
@@ -1315,7 +1315,7 @@ static void ssl_init_proxy_certs(server_
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
                          "incomplete client cert configured for SSL proxy "
                          "(missing or encrypted private key?)");
-            ssl_die();
+            ssl_die(s);
             return;
         }
     }
@@ -1338,7 +1338,7 @@ static void ssl_init_proxy_certs(server_
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
                      "SSL proxy client cert initialization failed");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
@@ -1628,7 +1628,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList
             ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211)
                     "Failed to open Certificate Path `%s'",
                     ca_path);
-            ssl_die();
+            ssl_die(s);
         }
 
         while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_log.c Sat Aug  4 21:22:38 2012
@@ -63,12 +63,23 @@ static const char *ssl_log_annotation(co
     return ssl_log_annotate[i].cpAnnotation;
 }
 
-void ssl_die(void)
+void ssl_die(server_rec *s)
 {
+    if (s != NULL && s->is_virtual && s->error_fname != NULL)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02311)
+                     "Fatal error initialising mod_ssl, exiting. "
+                     "See %s for more information",
+                     ap_server_root_relative(s->process->pool,
+                                             s->error_fname));
+    else
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02312)
+                     "Fatal error initialising mod_ssl, exiting.");
+
     /*
      * This is used for fatal errors and here
      * it is common module practice to really
      * exit from the complete program.
+     * XXX: The config hooks should return errors instead of calling exit().
      */
     exit(1);
 }
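Review bot: In the first branch of `ssl_die()`, `s->error_fname` is treated as a file path, but an ErrorLog value can also be a piped logger (leading `|`) or a syslog target. `ap_server_root_relative()` would then build a server-root-relative path that names no real file, so the operator is pointed at the wrong place just as the server refuses to start. Either print the configured value unmodified or narrow the condition, e.g. `if (s != NULL && s->is_virtual && s->error_fname != NULL && *s->error_fname != '|' && strncasecmp(s->error_fname, "syslog", 6) != 0)`. `ap_server_root_relative()` may also return NULL for a path it cannot merge, so falling back to the plain 02312 message in that case would be cleaner. Braces around the two multi-line `if`/`else` arms would make later edits here less error-prone.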

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_pphrase.c Sat Aug  4 21:22:38 2012
@@ -196,7 +196,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                          "Server should be SSL-aware but has no certificate "
                          "configured [Hint: SSLCertificateFile] (%s:%d)",
                          pServ->defn_name, pServ->defn_line_number);
-            ssl_die();
+            ssl_die(pServ);
         }
 
         /* Bitmasks for all key algorithms configured for this server;
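Review bot: `ssl_die()` is passed `pServ` here and in the -464 hunk, but `s` in the other hunks of `ssl_pphrase_Handle` (-225, -249, -328, -425, -479, -493), and nothing in the code says why. The "See %s" pointer only helps if it names the log that received the preceding `ap_log_error()`, so each call should pass the same `server_rec` that the log call used. The server argument of the `ap_log_error()` above this call is outside the hunk, so please confirm it is `pServ`. A short comment such as `/* pass the server_rec whose error log got the message above */` at the first call would make the rule explicit for the next edit.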
@@ -225,14 +225,14 @@ void ssl_pphrase_Handle(server_rec *s, a
                     ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
                                  "Init: Can't open server certificate file %s",
                                  szPath);
-                    ssl_die();
+                    ssl_die(s);
                 }
                 if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
                                  "Init: Unable to read server certificate from"
                                  " file %s", szPath);
                     ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                    ssl_die();
+                    ssl_die(s);
                 }
                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
                              "Init: Read server certificate from '%s'",
@@ -249,7 +249,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                              "Init: Multiple %s server certificates not "
                              "allowed", an);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
             algoCert |= at;
 
@@ -328,7 +328,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                      ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02243)
                                   "Init: Can't open server private key file "
                                   "%s",szPath);
-                     ssl_die();
+                     ssl_die(s);
                 }
 
                 /*
@@ -425,7 +425,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                                  "Init: SSLPassPhraseDialog builtin is not "
                                  "supported on Win32 (key file "
                                  "%s)", szPath);
-                    ssl_die();
+                    ssl_die(s);
                 }
 #endif /* WIN32 */
 
@@ -464,7 +464,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                         apr_file_printf(writetty, "**Stopped\n");
                     }
                 }
-                ssl_die();
+                ssl_die(pServ);
             }
 
             /* If a cached private key was found, nothing more to do
@@ -479,7 +479,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                             "file %s [Hint: Perhaps it is in a separate file? "
                             "  See SSLCertificateKeyFile]", szPath);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
 
             /*
@@ -493,7 +493,7 @@ void ssl_pphrase_Handle(server_rec *s, a
                              "Init: Multiple %s server private keys not "
                              "allowed", an);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
             algoKey |= at;
 

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Sat Aug  4 21:22:38 2012
@@ -906,7 +906,7 @@ int          ssl_stapling_mutex_reinit(s
 #define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"
 
 /**  Logfile Support  */
-void         ssl_die(void);
+void         ssl_die(server_rec *);
 void         ssl_log_ssl_error(const char *, int, int, server_rec *);
 
 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the
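Review bot: The new prototype `void ssl_die(server_rec *);` leaves the contract undocumented: the argument may be NULL, and the function never returns. Callers in this commit depend on the second property; for example, `ssl_read_pkcs7` goes on to use `f` after the failed-`fopen` branch calls `ssl_die(s)`. Naming the parameter and adding a comment like `/* Logs a pointer to s's error log (s may be NULL) and exits; does not return. */` would help readers. If the supported compilers allow it, a noreturn annotation such as `void ssl_die(server_rec *s) __attribute__((noreturn));` would also help static analysers.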

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_scache.c Sat Aug  4 21:22:38 2012
@@ -63,7 +63,7 @@ void ssl_scache_init(server_rec *s, apr_
         if (rv) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872)
                          "Could not initialize stapling cache. Exiting.");
-            ssl_die();
+            ssl_die(s);
         }
     }
 #endif
@@ -88,7 +88,7 @@ void ssl_scache_init(server_rec *s, apr_
     if (rv) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874)
                      "Could not initialize session cache. Exiting.");
-        ssl_die();
+        ssl_die(s);
     }
 }
 

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util.c?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util.c Sat Aug  4 21:22:38 2012
@@ -286,7 +286,7 @@ STACK_OF(X509) *ssl_read_pkcs7(server_re
     f = fopen(pkcs7, "r");
     if (!f) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02212) "Can't open %s", pkcs7);
-        ssl_die();
+        ssl_die(s);
     }
 
     p7 = PEM_read_PKCS7(f, NULL, NULL, NULL);
@@ -313,13 +313,13 @@ STACK_OF(X509) *ssl_read_pkcs7(server_re
     default:
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02213)
                      "Don't understand PKCS7 file %s", pkcs7);
-        ssl_die();
+        ssl_die(s);
     }
 
     if (!certs) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02214)
                      "No certificates in %s", pkcs7);
-        ssl_die();
+        ssl_die(s);
     }
 
     fclose(f);

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c?rev=1369464&r1=1369463&r2=1369464&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c Sat Aug  4 21:22:38 2012
@@ -662,12 +662,12 @@ void modssl_init_stapling(server_rec *s,
     if (mc->stapling_cache == NULL) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
                      "SSLStapling: no stapling cache available");
-        ssl_die();
+        ssl_die(s);
     }
     if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
                      "SSLStapling: cannot initialise stapling mutex");
-        ssl_die();
+        ssl_die(s);
     }
     /* Set some default values for parameters if they are not set */
     if (mctx->stapling_resptime_skew == UNSET) {