You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2009/09/06 22:03:56 UTC

Better logging for ssl configuration errors

Hi,

it seems there are a number of configurations that used ssl
name based virtual hosts with ssl that broke with 2.2.12. A
frequent problem seems to be missing sslcertificate(key)file
directives for some of the virtual hosts. The logged error
message is not too helpful (at least if all virtual hosts
share the same error log):

[error] Server should be SSL-aware but has no certificate  
configured [Hint: SSLCertificateFile]

The error message should at least give the name or position of
the problematic virtual host definition. Like this:

--- modules/ssl/ssl_engine_pphrase.c.dist       2006-07-23 13:11:58.000000000 +0200
+++ modules/ssl/ssl_engine_pphrase.c    2009-09-06 21:51:26.000000000 +0200
@@ -188,7 +188,8 @@
         if (sc->server->pks->cert_files[0] == NULL) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, pServ,
                          "Server should be SSL-aware but has no certificate "
-                         "configured [Hint: SSLCertificateFile]");
+                         "configured [Hint: SSLCertificateFile] (%s:%d)",
+                         pServ->defn_name, pServ->defn_line_number);
             ssl_die();
         }
         algoCert = SSL_ALGO_UNKNOWN;


If anybody is interested, the original report is at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541607

Cheers,
Stefan

Re: Better logging for ssl configuration errors

Posted by Graham Leggett <mi...@sharp.fm>.

Niklas Edmundsson wrote:

>> The error message should at least give the name or position of
>> the problematic virtual host definition. Like this:
> <snap>
>> +                         "configured [Hint: SSLCertificateFile]
>> (%s:%d)",
>> +                         pServ->defn_name, pServ->defn_line_number);
> 
> +1
> 
> Error messages in the form of "there is a problem somewhere, haa haa"
> should be evicted from the world, but we'll have to settle with
> expunging the bad ones from httpd for now ;)

Committed to trunk, proposed for backport to v2.2.

Regards,
Graham
--

Re: Better logging for ssl configuration errors

Posted by Niklas Edmundsson <ni...@acc.umu.se>.

On Sun, 6 Sep 2009, Stefan Fritsch wrote:

<snip>
> [error] Server should be SSL-aware but has no certificate
> configured [Hint: SSLCertificateFile]
>
> The error message should at least give the name or position of
> the problematic virtual host definition. Like this:
<snap>
> +                         "configured [Hint: SSLCertificateFile] (%s:%d)",
> +                         pServ->defn_name, pServ->defn_line_number);

+1

Error messages in the form of "there is a problem somewhere, haa haa" 
should be evicted from the world, but we'll have to settle with 
expunging the bad ones from httpd for now ;)

/Nikke
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se      |     nikke@acc.umu.se
---------------------------------------------------------------------------
  "...You can't lie in front of the buldozer indefinately" "I'm game..."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=