* so we can detach later.
*/
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR,
"Unable to create a new SSL connection from the SSL context");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
MD5_DIGESTSIZE*2))
{
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR,
"Unable to set session id context to `%s'", vhost_md5);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
if (sslconn->is_proxy) {
if ((n = SSL_connect(filter->pssl)) <= 0) {
ssl_log(c->base_server,
- SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ SSL_LOG_ERROR|SSL_ADD_ERRNO,
"SSL Proxy connect failed");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
return ssl_abort(filter, c);
}
{
if (errno > 0) {
ssl_log(c->base_server,
- SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ SSL_LOG_ERROR|SSL_ADD_ERRNO,
"SSL handshake interrupted by system "
"[Hint: Stop button pressed in browser?!]");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
else {
ssl_log(c->base_server,
- SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ SSL_LOG_INFO|SSL_ADD_ERRNO,
"Spurious SSL handshake interrupt [Hint: "
"Usually just one of those OpenSSL confusions!?]");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
}
}
else {
* Ok, anything else is a fatal error
*/
ssl_log(c->base_server,
- SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
+ SSL_LOG_ERROR|SSL_ADD_ERRNO,
"SSL handshake failed (server %s, client %s)",
ssl_util_vhostid(c->pool, c->base_server),
c->remote_ip ? c->remote_ip : "unknown");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
return ssl_abort(filter, c);
* optional_no_ca doesn't appear to work as advertised
* in 1.x
*/
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL client authentication failed, "
"accepting certificate based on "
"\"SSLVerifyClient optional_no_ca\" configuration");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
else {
const char *error = sslconn->verify_error ?
sslconn->verify_error :
X509_verify_cert_error_string(verify_result);
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL client authentication failed: %s",
error ? error : "unknown");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
return ssl_abort(filter, c);
}
void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
void ssl_log(server_rec *, int, const char *, ...);
void ssl_die(void);
+void ssl_log_ssl_error(const char *, int, int, server_rec *);
/* Variables */
void ssl_var_register(void);
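Review bot: The new prototype on L80 is undocumented, and nothing tells a caller what the two `int` parameters are, that `APLOG_MARK` supplies the first two arguments, or that the function drains the OpenSSL error queue, so it only makes sense immediately after the `ssl_log()` that names the failing operation. Add a one-line comment above it, e.g. `/* Log and drain every entry in the OpenSSL error queue at the given APLOG level; pass APLOG_MARK for file/line and call right after the ssl_log() naming the failed operation. */`. The surrounding header's own style drops parameter names, so matching that is fine, but the comment is what makes the contract visible.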
mctx->auth.ca_cert_file,
mctx->auth.ca_cert_path))
{
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure verify locations "
"for client authentication");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
suite);
if (!SSL_CTX_set_cipher_list(ctx, suite)) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure permitted SSL ciphers");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
}
(char *)mctx->crl_path);
if (!mctx->crl) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure X.509 CRL storage "
"for certificate revocation");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
}
ptr = asn1->cpData;
if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to import %s server certificate", type);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure %s server certificate", type);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
ptr = asn1->cpData;
if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData)))
{
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to import %s server private key", type);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure %s server private key", type);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
EVP_PKEY_copy_parameters(pubkey, pkey);
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
+ ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Copying DSA parameters from private key to certificate");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
}
}
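Review bot: `EVP_PKEY_copy_parameters` on L144 is still unchecked, and the `ssl_log_ssl_error` call added on L148 runs unconditionally, so on the normal (successful) path it drains whatever stale entries sit in the OpenSSL error queue and prints them as if they belonged to this parameter copy, while a real failure is indistinguishable from success. Test the return value and dump the queue only when the copy fails; whether a failed copy should be fatal via `ssl_die()` like the certificate and key errors above is a policy call for the maintainers, so I have left that as a comment.

```c
    if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
        if (!EVP_PKEY_copy_parameters(pubkey, pkey)) {
            ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
                    "Unable to copy DSA parameters from private key to certificate");
            ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
            /* consider ssl_die() here, as for the key/cert errors above */
        }
        /* … optional: keep the old "Copying DSA parameters" message on success at info level … */
    }
```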
* Log SSL errors
*/
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL error on reading data");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
}
* Log SSL errors
*/
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
- ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL error on writing data");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
/*
* XXX - Just trying to reflect the behaviour in
switch (status) {
case HTTP_BAD_REQUEST:
/* log the situation */
- ssl_log(f->c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(f->c->base_server, SSL_LOG_ERROR,
"SSL handshake failed: HTTP spoken on HTTPS port; "
"trying to send HTML error page");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
/* configure new state */
if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
- ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
+ ssl_log(r->server, SSL_LOG_WARN,
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
if (cipher_list_old) {
sk_SSL_CIPHER_free(cipher_list_old);
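Review bot: The message on L183 is logged at `SSL_LOG_WARN`, but the library-error lines that follow it on L186 go out at `APLOG_ERR`, so the two halves of one event land at different severities and a `LogLevel warn` configuration shows the OpenSSL detail without the line that explains it. Pass the matching level: `ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, r->server);`. Every other call site in this commit keeps the two levels aligned, so this looks like an oversight rather than intent. The enclosing function continues outside the hunk.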
cert_store = X509_STORE_new();
if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
- ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(r->server, SSL_LOG_ERROR,
"Unable to reconfigure verify locations "
"for client authentication");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
X509_STORE_free(cert_store);
(char *)ssl);
if (!modssl_X509_verify_cert(&cert_store_ctx)) {
- ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation verification step failed");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
}
SSL_set_verify_result(ssl, cert_store_ctx.error);
exit(1);
}
+/*
+ * Prints the SSL library error information.
+ */
+void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
+{
+ unsigned long e;
+
+ while ((e = ERR_get_error())) {
+ char *err, *annotation;
+ err = ERR_error_string(e, NULL);
+ annotation = ssl_log_annotation(err);
+
+ if (annotation) {
+ ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
+ "SSL Library Error: %ld %s %s",
+ e, err, annotation);
+ }
+ else {
+ ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
+ "SSL Library Error: %ld %s",
+ e, err);
+ }
+ }
+}
ssl_die();
}
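Review bot: `ERR_error_string(e, NULL)` on L216 formats into a static buffer inside OpenSSL, which is not safe when several connections log concurrently under a threaded MPM; the bounded variant writes into a caller-supplied buffer and also guarantees termination. Separately, `e` is `unsigned long` but both format strings on L221 and L226 print it with `%ld`; it should be `%lu`. Assuming the minimum supported OpenSSL provides `ERR_error_string_n` (available since 0.9.6), the loop body becomes:

```c
    while ((e = ERR_get_error())) {
        char errbuf[256], *annotation;

        /* bounded, per-call buffer instead of OpenSSL's shared static one */
        ERR_error_string_n(e, errbuf, sizeof errbuf);
        annotation = ssl_log_annotation(errbuf);
        /* … unchanged: the two ap_log_error calls, with errbuf in place of err
           and "%lu" in place of "%ld" in both format strings … */
    }
```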
if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(s, SSL_LOG_ERROR,
"Init: Unable to read server certificate from file %s", szPath);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
at = ssl_util_algotypeof(pX509Cert, NULL);
an = ssl_util_algotypestr(at);
if (algoCert & at) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(s, SSL_LOG_ERROR,
"Init: Multiple %s server certificates not allowed", an);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
algoCert |= at;
}
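Review bot: No OpenSSL call fails on the path to L243–L246 — the condition is mod_ssl's own `algoCert & at` duplicate check — so the `ssl_log_ssl_error` added on L246 dumps whatever stale entries remain in the error queue and attributes them to this configuration error, which will mislead whoever reads the log during an incident. Drop the call on this branch; the `PassPhraseDialog BuiltIn` branch in the next hunk (L256) has the same shape and should lose its call too. The commit preserves the old `SSL_ADD_SSLERR` behaviour here, but the new explicit call is the right moment to stop doing it.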
#ifdef WIN32
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(s, SSL_LOG_ERROR,
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
#endif /* WIN32 */
if (nPassPhraseDialogCur && pkey_mtime &&
!(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
{
- ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(pServ, SSL_LOG_ERROR,
"Init: Unable read passphrase "
"[Hint: key introduced or changed before restart?]");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
}
else {
- ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
+ ssl_log(pServ, SSL_LOG_ERROR, "Init: Private key not found");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
}
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
}
}
else {
- ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
+ ssl_log(pServ, SSL_LOG_ERROR, "Init: Pass phrase incorrect");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
+
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
}
if (pPrivateKey == NULL) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(s, SSL_LOG_ERROR,
"Init: Unable to read server private key from file %s [Hint: Perhaps it is in a separate file? See SSLCertificateKeyFile]", szPath);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
at = ssl_util_algotypeof(NULL, pPrivateKey);
an = ssl_util_algotypestr(at);
if (algoKey & at) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ ssl_log(s, SSL_LOG_ERROR,
"Init: Multiple %s server private keys not allowed", an);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
algoKey |= at;