2 ** _ __ ___ ___ __| | ___ ___| | mod_ssl
3 ** | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
4 ** | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
5 ** |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
11 /* ====================================================================
12 * The Apache Software License, Version 1.1
14 * Copyright (c) 2000-2002 The Apache Software Foundation. All rights
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in
26 * the documentation and/or other materials provided with the
29 * 3. The end-user documentation included with the redistribution,
30 * if any, must include the following acknowledgment:
31 * "This product includes software developed by the
32 * Apache Software Foundation (http://www.apache.org/)."
33 * Alternately, this acknowledgment may appear in the software itself,
34 * if and wherever such third-party acknowledgments normally appear.
36 * 4. The names "Apache" and "Apache Software Foundation" must
37 * not be used to endorse or promote products derived from this
38 * software without prior written permission. For written
39 * permission, please contact apache@apache.org.
41 * 5. Products derived from this software may not be called "Apache",
42 * nor may "Apache" appear in their name, without prior written
43 * permission of the Apache Software Foundation.
45 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
46 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
47 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
48 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
49 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
50 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
51 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
52 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
53 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
54 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
55 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 * ====================================================================
59 /* ``The difference between a computer
60 industry job and open-source software
61 hacking is about 30 hours a week.''
62 -- Ralf S. Engelschall */
65 /* _________________________________________________________________
68 ** _________________________________________________________________
72 * Open the SSL logfile
74 void ssl_log_open(server_rec *s_main, server_rec *s, apr_pool_t *p)
76 const char *szLogFile;
77 SSLSrvConfigRec *sc_main = mySrvConfig(s_main);
78 SSLSrvConfigRec *sc = mySrvConfig(s);
82 * Short-circuit for inherited logfiles in order to save
83 * filedescriptors in mass-vhost situation. Be careful, this works
84 * fine because the close happens implicitly by the pool facility.
87 (sc_main->log_file != NULL) &&
88 ((sc->log_file_name == NULL) ||
89 ((sc->log_file_name != NULL) &&
90 (sc_main->log_file_name != NULL) &&
91 strEQ(sc->log_file_name, sc_main->log_file_name))))
93 sc->log_file = sc_main->log_file;
95 else if (sc->log_file_name != NULL) {
96 if (strEQ(sc->log_file_name, "/dev/null"))
98 else if (sc->log_file_name[0] == '|') {
99 szLogFile = sc->log_file_name + 1;
100 if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) {
101 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
102 "Cannot open reliable pipe to SSL logfile filter %s", szLogFile);
105 sc->log_file = ap_piped_log_write_fd(pl);
108 szLogFile = ap_server_root_relative(p, sc->log_file_name);
110 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
111 "Invalid SSL logfile path %s", sc->log_file_name);
114 if ((apr_file_open(&(sc->log_file), szLogFile,
115 APR_WRITE|APR_APPEND|APR_CREATE, APR_OS_DEFAULT, p))
117 ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
118 "Cannot open SSL logfile %s", szLogFile);
129 } ssl_log_level2string[] = {
130 { SSL_LOG_ERROR, "error" },
131 { SSL_LOG_WARN, "warn" },
132 { SSL_LOG_INFO, "info" },
133 { SSL_LOG_TRACE, "trace" },
134 { SSL_LOG_DEBUG, "debug" },
141 } ssl_log_annotate[] = {
142 { "*envelope*bad*decrypt*", "wrong pass phrase!?" },
143 { "*CLIENT_HELLO*unknown*protocol*", "speaking not SSL to HTTPS port!?" },
144 { "*CLIENT_HELLO*http*request*", "speaking HTTP to HTTPS port!?" },
145 { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*", "Subject CN in certificate not server name or identical to CA!?" },
146 { "*self signed certificate in certificate chain*", "Client certificate signed by CA not known to server?" },
147 { "*peer did not return a certificate*", "No CAs known to server for verification?" },
148 { "*no shared cipher*", "Too restrictive SSLCipherSuite or using DSA server certificate?" },
149 { "*no start line*", "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" },
150 { "*bad password read*", "You entered an incorrect pass phrase!?" },
151 { "*bad mac decode*", "Browser still remembered details of a re-created server certificate?" },
155 static char *ssl_log_annotation(char *error)
161 for (i = 0; ssl_log_annotate[i].cpPattern != NULL; i++) {
162 if (ap_strcmp_match(error, ssl_log_annotate[i].cpPattern) == 0) {
163 errstr = ssl_log_annotate[i].cpAnnotation;
170 void ssl_log(server_rec *s, int level, const char *msg, ...)
193 /* strip out additional flags */
194 add = (level & ~SSL_LOG_MASK);
195 level = (level & SSL_LOG_MASK);
197 /* reduce flags when not reasonable in context */
198 if (add & SSL_ADD_ERRNO && errno == 0)
199 add &= ~SSL_ADD_ERRNO;
200 if (add & SSL_ADD_SSLERR && ERR_peek_error() == 0)
201 add &= ~SSL_ADD_SSLERR;
203 /* we log only levels below, except for errors */
204 if ( sc->log_file == NULL
205 && !(level & SSL_LOG_ERROR))
207 if ( level > sc->log_level
208 && !(level & SSL_LOG_ERROR))
211 /* determine the time entry string */
212 if (add & SSL_NO_TIMESTAMP)
215 apr_explode_localtime(&t, apr_time_now());
216 apr_strftime(tstr, &len, 80, "[%d/%b/%Y %H:%M:%S", &t);
217 apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), " %05d] ",
218 (unsigned int)getpid());
221 /* determine whether newline should be written */
222 if (add & SSL_NO_NEWLINE)
228 /* determine level name */
230 if (!(add & SSL_NO_LEVELID)) {
231 for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) {
232 if (ssl_log_level2string[i].nLevel == level) {
233 apr_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
237 for (i = strlen(lstr); i <= 7; i++)
242 if (add & SSL_INIT) {
244 apr_snprintf(&lstr[len], sizeof(lstr) - len,
245 "Init: (%s) ", sc->vhost_id);
248 /* create custom message */
250 apr_vsnprintf(vstr, sizeof(vstr), msg, ap);
253 /* write out SSLog message */
254 if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR))
255 astr = " (System and " SSL_LIBRARY_NAME " library errors follow)";
256 else if (add & SSL_ADD_ERRNO)
257 astr = " (System error follows)";
258 else if (add & SSL_ADD_SSLERR)
259 astr = " (" SSL_LIBRARY_NAME " library error follows)";
262 if (level <= sc->log_level && sc->log_file != NULL) {
263 apr_snprintf(str, sizeof(str), "%s%s%s%s%s",
264 tstr, lstr, vstr, astr, nstr);
265 apr_file_printf(sc->log_file, "%s", str);
267 if (level & SSL_LOG_ERROR)
268 ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
269 "mod_ssl: %s%s", vstr, astr);
271 /* write out additional attachment messages */
272 if (add & SSL_ADD_ERRNO) {
273 if (level <= sc->log_level && sc->log_file != NULL) {
274 apr_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
275 tstr, lstr, strerror(safe_errno), safe_errno, nstr);
276 apr_file_printf(sc->log_file, "%s", str);
278 if (level & SSL_LOG_ERROR)
279 ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
280 "System: %s (errno: %d)",
281 strerror(safe_errno), safe_errno);
283 if (add & SSL_ADD_SSLERR) {
284 while ((e = ERR_get_error())) {
285 cpE = ERR_error_string(e, NULL);
286 cpA = ssl_log_annotation(cpE);
287 if (level <= sc->log_level && sc->log_file != NULL) {
288 apr_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
289 tstr, lstr, SSL_LIBRARY_NAME, cpE,
290 cpA != NULL ? " [Hint: " : "",
291 cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
293 apr_file_printf(sc->log_file, "%s", str);
295 if (level & SSL_LOG_ERROR)
296 ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
297 "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
298 cpA != NULL ? " [Hint: " : "",
299 cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
302 /* make sure the next log starts from a clean base */
303 /* ERR_clear_error(); */
305 /* cleanup and return */
306 if (sc->log_file != NULL)
307 apr_file_flush(sc->log_file);
315 * This is used for fatal errors and here
316 * it is common module practice to really
317 * exit from the complete program.