Posted to cvs@httpd.apache.org by je...@apache.org on 2002/05/16 01:10:34 UTC

cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_engine_pphrase.c

jerenkrantz    02/05/15 16:10:34

  Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c
                        ssl_engine_io.c ssl_engine_kernel.c
                        ssl_engine_log.c ssl_engine_pphrase.c
  Log:
  Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
  ssl_log_ssl_error() function that wraps ap_log_error instead.
  
  This begins the migration from ssl_log() -> ap_log_error().  Divorcing
  ourselves from the SSL_ADD_SSLERR option is required to make the next
  pass easier.
  
  Revision  Changes    Path
  1.65      +16 -8     httpd-2.0/modules/ssl/mod_ssl.c
  
  Index: mod_ssl.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.c,v
  retrieving revision 1.64
  retrieving revision 1.65
  diff -u -r1.64 -r1.65
  --- mod_ssl.c	30 Apr 2002 17:10:12 -0000	1.64
  +++ mod_ssl.c	15 May 2002 23:10:33 -0000	1.65
  @@ -327,8 +327,9 @@
        * so we can detach later.
        */
       if (!(ssl = SSL_new(mctx->ssl_ctx))) {
  -        ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +        ssl_log(c->base_server, SSL_LOG_ERROR,
                   "Unable to create a new SSL connection from the SSL context");
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
   
           c->aborted = 1;
   
  @@ -340,8 +341,9 @@
       if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                       MD5_DIGESTSIZE*2))
       {
  -        ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +        ssl_log(c->base_server, SSL_LOG_ERROR,
                   "Unable to set session id context to `%s'", vhost_md5);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
   
           c->aborted = 1;
   
  @@ -408,8 +410,9 @@
           if (sslconn->is_proxy) {
               if ((n = SSL_connect(filter->pssl)) <= 0) {
                   ssl_log(c->base_server,
  -                        SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                        SSL_LOG_ERROR|SSL_ADD_ERRNO,
                           "SSL Proxy connect failed");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
                   return ssl_abort(filter, c);
               }
   
  @@ -450,15 +453,17 @@
               {
                   if (errno > 0) {
                       ssl_log(c->base_server,
  -                            SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                            SSL_LOG_ERROR|SSL_ADD_ERRNO,
                               "SSL handshake interrupted by system "
                               "[Hint: Stop button pressed in browser?!]");
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
                   }
                   else {
                       ssl_log(c->base_server,
  -                            SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                            SSL_LOG_INFO|SSL_ADD_ERRNO,
                               "Spurious SSL handshake interrupt [Hint: "
                               "Usually just one of those OpenSSL confusions!?]");
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
                   }
               }
               else {
  @@ -466,10 +471,11 @@
                    * Ok, anything else is a fatal error
                    */
                   ssl_log(c->base_server,
  -                        SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
  +                        SSL_LOG_ERROR|SSL_ADD_ERRNO,
                           "SSL handshake failed (server %s, client %s)",
                           ssl_util_vhostid(c->pool, c->base_server),
                           c->remote_ip ? c->remote_ip : "unknown");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
               }
   
               return ssl_abort(filter, c);
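Review bot: The `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server)` call added after the "SSL handshake failed (server %s, client %s)" message writes each OpenSSL queue entry as its own log record, and those records identify only the server, not the client. With concurrent handshakes the library-error lines can interleave, so an operator may be unable to tie a given OpenSSL error to the client named in the preceding line. The helper's prototype takes only a `server_rec *`, so I would at least note this at the call site, e.g. `/* library error lines follow as separate records without the client address */`, and consider a connection-aware variant in the next pass. The same holds for the other per-connection call sites in this file; the enclosing function starts and ends outside the hunk.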
  @@ -494,19 +500,21 @@
                    * optional_no_ca doesn't appear to work as advertised
                    * in 1.x
                    */
  -                ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(c->base_server, SSL_LOG_ERROR,
                           "SSL client authentication failed, "
                           "accepting certificate based on "
                           "\"SSLVerifyClient optional_no_ca\" configuration");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
               }
               else {
                   const char *error = sslconn->verify_error ?
                       sslconn->verify_error :
                       X509_verify_cert_error_string(verify_result);
   
  -                ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(c->base_server, SSL_LOG_ERROR,
                           "SSL client authentication failed: %s",
                           error ? error : "unknown");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
   
                   return ssl_abort(filter, c);
               }
  
  
  
  1.116     +1 -0      httpd-2.0/modules/ssl/mod_ssl.h
  
  Index: mod_ssl.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/mod_ssl.h,v
  retrieving revision 1.115
  retrieving revision 1.116
  diff -u -r1.115 -r1.116
  --- mod_ssl.h	9 Apr 2002 15:53:09 -0000	1.115
  +++ mod_ssl.h	15 May 2002 23:10:33 -0000	1.116
  @@ -707,6 +707,7 @@
   void         ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
   void         ssl_log(server_rec *, int, const char *, ...);
   void         ssl_die(void);
  +void         ssl_log_ssl_error(const char *, int, int, server_rec *);
   
   /*  Variables  */
   void         ssl_var_register(void);
  
  
  
  1.95      +16 -8     httpd-2.0/modules/ssl/ssl_engine_init.c
  
  Index: ssl_engine_init.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
  retrieving revision 1.94
  retrieving revision 1.95
  diff -u -r1.94 -r1.95
  --- ssl_engine_init.c	2 Apr 2002 21:57:31 -0000	1.94
  +++ ssl_engine_init.c	15 May 2002 23:10:33 -0000	1.95
  @@ -549,9 +549,10 @@
                                              mctx->auth.ca_cert_file,
                                              mctx->auth.ca_cert_path))
           {
  -            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +            ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                       "Unable to configure verify locations "
                       "for client authentication");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
               ssl_die();
           }
   
  @@ -604,8 +605,9 @@
               suite);
   
       if (!SSL_CTX_set_cipher_list(ctx, suite)) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure permitted SSL ciphers");
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   }
  @@ -631,9 +633,10 @@
                                 (char *)mctx->crl_path);
   
       if (!mctx->crl) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure X.509 CRL storage "
                   "for certificate revocation");
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   }
  @@ -730,14 +733,16 @@
   
       ptr = asn1->cpData;
       if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to import %s server certificate", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
       if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure %s server certificate", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
  @@ -768,14 +773,16 @@
       ptr = asn1->cpData;
       if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData)))
       {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to import %s server private key", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
       if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
  -        ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +        ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                   "Unable to configure %s server private key", type);
  +        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           ssl_die();
       }
   
  @@ -788,8 +795,9 @@
   
           if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
               EVP_PKEY_copy_parameters(pubkey, pkey);
  -            ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
  +            ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                       "Copying DSA parameters from private key to certificate");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
           }
       }
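Review bot: In the DSA-parameter branch the new `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s)` follows a message that reports an action rather than a failure, and the result of `EVP_PKEY_copy_parameters(pubkey, pkey)` is never checked, so anything it prints is either a stale queue entry or the trace of an unchecked failure. I would test the return value and log the queue only on failure, `if (!EVP_PKEY_copy_parameters(pubkey, pkey)) { ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); }`. The same mechanical carry-over appears in ssl_engine_pphrase.c: the "Multiple %s server certificates not allowed", "PassPhraseDialog BuiltIn not supported" and "Multiple %s server private keys not allowed" branches look like configuration checks with no failing OpenSSL call directly behind them. There the call could be dropped, or replaced by `ERR_clear_error();` if the intent is only to empty the queue. The enclosing function extends beyond this hunk.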
   
  
  
  
  1.74      +6 -3      httpd-2.0/modules/ssl/ssl_engine_io.c
  
  Index: ssl_engine_io.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_io.c,v
  retrieving revision 1.73
  retrieving revision 1.74
  diff -u -r1.73 -r1.74
  --- ssl_engine_io.c	7 Apr 2002 06:32:21 -0000	1.73
  +++ ssl_engine_io.c	15 May 2002 23:10:33 -0000	1.74
  @@ -502,8 +502,9 @@
                * Log SSL errors
                */
               conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
  -            ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(c->base_server, SSL_LOG_ERROR,
                       "SSL error on reading data");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
           }
       }
   
  @@ -534,8 +535,9 @@
                * Log SSL errors
                */
               conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
  -            ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(c->base_server, SSL_LOG_ERROR,
                       "SSL error on writing data");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
           }
           /*
            * XXX - Just trying to reflect the behaviour in 
  @@ -763,9 +765,10 @@
       switch (status) {
         case HTTP_BAD_REQUEST:
               /* log the situation */
  -            ssl_log(f->c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(f->c->base_server, SSL_LOG_ERROR,
                       "SSL handshake failed: HTTP spoken on HTTPS port; "
                       "trying to send HTML error page");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
   
               /* fake the request line */
               bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
  
  
  
  1.68      +6 -3      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.67
  retrieving revision 1.68
  diff -u -r1.67 -r1.68
  --- ssl_engine_kernel.c	5 Apr 2002 02:31:04 -0000	1.67
  +++ ssl_engine_kernel.c	15 May 2002 23:10:33 -0000	1.68
  @@ -411,9 +411,10 @@
   
           /* configure new state */
           if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
  -            ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
  +            ssl_log(r->server, SSL_LOG_WARN,
                       "Unable to reconfigure (per-directory) "
                       "permitted SSL ciphers");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
   
               if (cipher_list_old) {
                   sk_SSL_CIPHER_free(cipher_list_old);
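Review bot: The severity passed to the new helper does not match the message it accompanies: the `ssl_log()` call uses `SSL_LOG_WARN`, but the added line logs the OpenSSL details at `APLOG_ERR`. Depending on the configured log level, the library-error lines can then appear without the warning that explains them, and they overstate a condition the code treats as recoverable. I would use `ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, r->server);` here, in the same way the commit pairs `APLOG_INFO` with the `SSL_LOG_INFO` message in mod_ssl.c.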
  @@ -600,9 +601,10 @@
           cert_store = X509_STORE_new();
   
           if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
  -            ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +            ssl_log(r->server, SSL_LOG_ERROR,
                       "Unable to reconfigure verify locations "
                       "for client authentication");
  +            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
   
               X509_STORE_free(cert_store);
   
  @@ -756,8 +758,9 @@
                                          (char *)ssl);
   
               if (!modssl_X509_verify_cert(&cert_store_ctx)) {
  -                ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR, 
  +                ssl_log(r->server, SSL_LOG_ERROR,
                           "Re-negotiation verification step failed");
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
               }
   
               SSL_set_verify_result(ssl, cert_store_ctx.error);
  
  
  
  1.19      +24 -0     httpd-2.0/modules/ssl/ssl_engine_log.c
  
  Index: ssl_engine_log.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_log.c,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- ssl_engine_log.c	30 Apr 2002 03:47:31 -0000	1.18
  +++ ssl_engine_log.c	15 May 2002 23:10:33 -0000	1.19
  @@ -321,3 +321,27 @@
       exit(1);
   }
   
  +/*
  + * Prints the SSL library error information.
  + */
  +void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
  +{
  +    unsigned long e;
  +
  +    while ((e = ERR_get_error())) {
  +        char *err, *annotation;
  +        err = ERR_error_string(e, NULL);
  +        annotation = ssl_log_annotation(err);
  +
  +        if (annotation) {
  +            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
  +                         "SSL Library Error: %ld %s %s",
  +                         e, err, annotation); 
  +        }
  +        else {
  +            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
  +                         "SSL Library Error: %ld %s",
  +                         e, err); 
  +        }
  +    }
  +}
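Review bot: `ERR_error_string(e, NULL)` returns a pointer to a static buffer inside OpenSSL, so under a threaded MPM two connections logging at once can overwrite each other's text before `ap_log_error` formats it. A caller-owned buffer avoids that: declare `char err[256];` and fill it with `ERR_error_string_n(e, err, sizeof(err));`. Separately, `e` is `unsigned long` but both format strings print it with `%ld`; `%lu` matches the type. The header comment should also say that the loop removes every entry from the OpenSSL error queue, for example `/* Logs and drains the OpenSSL error queue; call directly after the failing OpenSSL call. */`, since a caller that makes another OpenSSL call first will log the wrong errors.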
  
  
  
  1.37      +17 -8     httpd-2.0/modules/ssl/ssl_engine_pphrase.c
  
  Index: ssl_engine_pphrase.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
  retrieving revision 1.36
  retrieving revision 1.37
  diff -u -r1.36 -r1.37
  --- ssl_engine_pphrase.c	1 May 2002 19:28:52 -0000	1.36
  +++ ssl_engine_pphrase.c	15 May 2002 23:10:33 -0000	1.37
  @@ -230,8 +230,9 @@
                   ssl_die();
               }
               if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Unable to read server certificate from file %s", szPath);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
   
  @@ -242,8 +243,9 @@
               at = ssl_util_algotypeof(pX509Cert, NULL);
               an = ssl_util_algotypestr(at);
               if (algoCert & at) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Multiple %s server certificates not allowed", an);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
               algoCert |= at;
  @@ -409,8 +411,9 @@
                   }
   #ifdef WIN32
                   if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
  -                    ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                    ssl_log(s, SSL_LOG_ERROR,
                               "Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                       ssl_die();
                   }
   #endif /* WIN32 */
  @@ -422,12 +425,14 @@
                       if (nPassPhraseDialogCur && pkey_mtime &&
                           !(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
                       {
  -                        ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                        ssl_log(pServ, SSL_LOG_ERROR,
                                   "Init: Unable read passphrase "
                                   "[Hint: key introduced or changed before restart?]");
  +                        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
                       }
                       else {
  -                        ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
  +                        ssl_log(pServ, SSL_LOG_ERROR, "Init: Private key not found");
  +                        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
                       }
                       if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
                             || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
  @@ -436,7 +441,9 @@
                       }
                   }
                   else {
  -                    ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
  +                    ssl_log(pServ, SSL_LOG_ERROR, "Init: Pass phrase incorrect");
  +                    ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
  +
                       if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
                             || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
                           apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
  @@ -447,8 +454,9 @@
               }
   
               if (pPrivateKey == NULL) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Unable to read server private key from file %s [Hint: Perhaps it is in a separate file?  See SSLCertificateKeyFile]", szPath);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
   
  @@ -459,8 +467,9 @@
               at = ssl_util_algotypeof(NULL, pPrivateKey);
               an = ssl_util_algotypestr(at);
               if (algoKey & at) {
  -                ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
  +                ssl_log(s, SSL_LOG_ERROR,
                           "Init: Multiple %s server private keys not allowed", an);
  +                ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
                   ssl_die();
               }
               algoKey |= at;
  
  
  

Re: cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_engine_pphrase.c

Posted by Ben Laurie <be...@algroup.co.uk>.
jerenkrantz@apache.org wrote:
> 
> jerenkrantz    02/05/15 16:10:34
> 
>   Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c
>                         ssl_engine_io.c ssl_engine_kernel.c
>                         ssl_engine_log.c ssl_engine_pphrase.c
>   Log:
>   Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
>   ssl_log_ssl_error() function that wraps ap_log_error instead.
> 
>   This begins the migration from ssl_log() -> ap_log_error().  Divorcing
>   ourselves from the SSL_ADD_SSLERR option is required to make the next
>   pass easier.

Excellent - this was something I'd been planning to do. BTW, speaking of
error logging, I've recently noticed that somewhere between forking (at
least with prefork) and the server being live, stderr gets detached from
the error log (and appears to go to the bit bucket) then reattached
later. It doesn't happen when debugging in single process mode,
irritatingly. Anyone happen to know why?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Re: cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_engine_pphrase.c

Posted by Jeff Trawick <tr...@attglobal.net>.
jerenkrantz@apache.org writes:

> jerenkrantz    02/05/15 16:10:34
> 
>   Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c
>                         ssl_engine_io.c ssl_engine_kernel.c
>                         ssl_engine_log.c ssl_engine_pphrase.c

great stuff...

I'm glad I went to bed early and didn't start playing with it.

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Re: cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_engine_pphrase.c

Posted by Ben Laurie <be...@algroup.co.uk>.
jerenkrantz@apache.org wrote:
> 
> jerenkrantz    02/05/15 16:10:34
> 
>   Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c
>                         ssl_engine_io.c ssl_engine_kernel.c
>                         ssl_engine_log.c ssl_engine_pphrase.c
>   Log:
>   Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
>   ssl_log_ssl_error() function that wraps ap_log_error instead.
> 
>   This begins the migration from ssl_log() -> ap_log_error().  Divorcing
>   ourselves from the SSL_ADD_SSLERR option is required to make the next
>   pass easier.

Excellent - this was something I'd been planning to do. BTW, speaking of
error logging, I've recently noticed that somewhere between forking (at
least with prefork) and the server being live, stderr gets detached from
the error log (and appears to go to the bit bucket) then reattached
later. It doesn't happen when debugging in single process mode,
irritatingly. Anyone happen to know why?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Re: cvs commit: httpd-2.0/modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c ssl_engine_io.c ssl_engine_kernel.c ssl_engine_log.c ssl_engine_pphrase.c

Posted by Jeff Trawick <tr...@attglobal.net>.
jerenkrantz@apache.org writes:

> jerenkrantz    02/05/15 16:10:34
> 
>   Modified:    modules/ssl mod_ssl.c mod_ssl.h ssl_engine_init.c
>                         ssl_engine_io.c ssl_engine_kernel.c
>                         ssl_engine_log.c ssl_engine_pphrase.c

great stuff...

I'm glad I went to bed early and didn't start playing with it.

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...