mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to

the main error log, pointing to the appropriate virtual host error log.

Backport of r1348660 from trunk.

Submitted by: sf
Reviewed by: rjung, covener
Backported by: rjung

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1369464 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 1e6e5a6ac1cb6353167619531638f72b1007de4c..2d7102df1a7f60b67ad90ae72c6864bb4747b2b7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,10 @@ Changes with Apache 2.4.3
      possible XSS for a site where untrusted users can upload files to
      a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
 
+  *) mod_ssl: If exiting during initialization because of a fatal error,
+     log a message to the main error log pointing to the appropriate
+     virtual host error log. [Stefan Fritsch]
+
   *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
      one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]
 

diff --git a/STATUS b/STATUS
index e9a48e359edc837878034bc81a42d2360c8238da..bee2f487e882fa98445081298a78a3969fd5c7b6 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -88,12 +88,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to
-     the main error log, pointing to the appropriate virtual host error log.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1348660
-     2.4.x patch: http://people.apache.org/~rjung/patches/ssl_die-improve_vhost-logging-2_4.patch
-     +1: rjung, covener, sf
-
    * event: Keep track of the number of clogged, lingering, and suspended connections.
      Don't count connections in lingering close state when calculating
      how many additional connections may be accepted

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 5d816478cbff3d456ef3aa1a5ee405a3e767c427..4ba3181f2c9b44fbe568aec55e4607e7b68e479d 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -349,7 +349,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
             else {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
         }
     }
@@ -438,7 +438,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
                          "Init: Failed to load Crypto Device API `%s'",
                          mc->szCryptoDevice);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die();
+            ssl_die(s);
         }
 
         if (strEQ(mc->szCryptoDevice, "chil")) {
@@ -450,7 +450,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p)
                          "Init: Failed to enable Crypto Device API `%s'",
                          mc->szCryptoDevice);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die();
+            ssl_die(s);
         }
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01890)
                      "Init: loaded Crypto Device API `%s'",
@@ -473,7 +473,7 @@ static void ssl_init_server_check(server_rec *s,
     if (!mctx->pks->cert_files[0] && !mctx->pkcs7) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891)
                 "No SSL Certificate set [hint: SSLCertificateFile]");
-        ssl_die();
+        ssl_die(s);
     }
 
     /*
@@ -489,7 +489,7 @@ static void ssl_init_server_check(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01892)
                 "Illegal attempt to re-initialise SSL for server "
                 "(SSLEngine On should go in the VirtualHost, not in global scope.)");
-        ssl_die();
+        ssl_die(s);
     }
 }
 
@@ -515,7 +515,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
                      "Unable to initialize TLS servername extension "
                      "callback (incompatible OpenSSL version?)");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
 #ifdef HAVE_OCSP_STAPLING
@@ -546,7 +546,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
     if (protocol == SSL_PROTOCOL_NONE) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231)
                 "No SSL protocols available [hint: SSLProtocol]");
-        ssl_die();
+        ssl_die(s);
     }
 
     cp = apr_pstrcat(p,
@@ -731,7 +731,7 @@ static void ssl_init_ctx_verify(server_rec *s,
                     "Unable to configure verify locations "
                     "for client authentication");
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-            ssl_die();
+            ssl_die(s);
         }
 
         if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
@@ -746,7 +746,7 @@ static void ssl_init_ctx_verify(server_rec *s,
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896)
                     "Unable to determine list of acceptable "
                     "CA certificates for client authentication");
-            ssl_die();
+            ssl_die(s);
         }
 
         SSL_CTX_set_client_CA_list(ctx, ca_list);
@@ -791,7 +791,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01898)
                 "Unable to configure permitted SSL ciphers");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 }
 
@@ -815,7 +815,7 @@ static void ssl_init_ctx_crl(server_rec *s,
                          "Host %s: CRL checking has been enabled, but "
                          "neither %sCARevocationFile nor %sCARevocationPath "
                          "is configured", mctx->sc->vhost_id, cfgp, cfgp);
-            ssl_die();
+            ssl_die(s);
         }
         return;
     }
@@ -829,7 +829,7 @@ static void ssl_init_ctx_crl(server_rec *s,
                      "Host %s: unable to configure X.509 CRL storage "
                      "for certificate revocation", mctx->sc->vhost_id);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     switch (mctx->crl_check_mode) {
@@ -915,7 +915,7 @@ static void ssl_init_ctx_cert_chain(server_rec *s,
     if (n < 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
                 "Failed to configure CA certificate chain!");
-        ssl_die();
+        ssl_die(s);
     }
 
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01904)
@@ -973,14 +973,14 @@ static int ssl_server_import_cert(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02233)
                 "Unable to import %s server certificate", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02234)
                 "Unable to configure %s server certificate", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
 #ifdef HAVE_OCSP_STAPLING
@@ -1029,14 +1029,14 @@ static int ssl_server_import_key(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02237)
                 "Unable to import %s server private key", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02238)
                 "Unable to configure %s server private key", type);
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     /*
@@ -1188,7 +1188,7 @@ static void ssl_init_server_certs(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910)
                 "Oops, no " KEYTYPES " server certificate found "
                 "for '%s:%d'?!", s->server_hostname, s->port);
-        ssl_die();
+        ssl_die(s);
     }
 
     for (i = 0; i < SSL_AIDX_MAX; i++) {
@@ -1208,7 +1208,7 @@ static void ssl_init_server_certs(server_rec *s,
           )) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01911)
                 "Oops, no " KEYTYPES " server private key found?!");
-        ssl_die();
+        ssl_die(s);
     }
 }
 
@@ -1238,7 +1238,7 @@ static void ssl_init_ticket_key(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02286)
                      "Failed to open ticket key file %s: (%d) %pm",
                      path, rv, &rv);
-        ssl_die();
+        ssl_die(s);
     }
 
     rv = apr_file_read_full(fp, &buf[0], TLSEXT_TICKET_KEY_LEN, &len);
@@ -1247,7 +1247,7 @@ static void ssl_init_ticket_key(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02287)
                      "Failed to read %d bytes from %s: (%d) %pm",
                      TLSEXT_TICKET_KEY_LEN, path, rv, &rv);
-        ssl_die();
+        ssl_die(s);
     }
 
     memcpy(ticket_key->key_name, buf, 16);
@@ -1260,7 +1260,7 @@ static void ssl_init_ticket_key(server_rec *s,
                      "Unable to initialize TLS session ticket key callback "
                      "(incompatible OpenSSL version?)");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02288)
@@ -1315,7 +1315,7 @@ static void ssl_init_proxy_certs(server_rec *s,
             ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
                          "incomplete client cert configured for SSL proxy "
                          "(missing or encrypted private key?)");
-            ssl_die();
+            ssl_die(s);
             return;
         }
     }
@@ -1338,7 +1338,7 @@ static void ssl_init_proxy_certs(server_rec *s,
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208)
                      "SSL proxy client cert initialization failed");
         ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-        ssl_die();
+        ssl_die(s);
     }
 
     X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
@@ -1628,7 +1628,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
             ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211)
                     "Failed to open Certificate Path `%s'",
                     ca_path);
-            ssl_die();
+            ssl_die(s);
         }
 
         while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {

diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index 31861ca721e0d55755bfd6ebc9ca44b22bb89de6..3f6d6edc91b2ba46ae238698846757c85190b780 100644 (file)
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -63,12 +63,23 @@ static const char *ssl_log_annotation(const char *error)
     return ssl_log_annotate[i].cpAnnotation;
 }
 
-void ssl_die(void)
+void ssl_die(server_rec *s)
 {
+    if (s != NULL && s->is_virtual && s->error_fname != NULL)
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02311)
+                     "Fatal error initialising mod_ssl, exiting. "
+                     "See %s for more information",
+                     ap_server_root_relative(s->process->pool,
+                                             s->error_fname));
+    else
+        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02312)
+                     "Fatal error initialising mod_ssl, exiting.");
+
     /*
      * This is used for fatal errors and here
      * it is common module practice to really
      * exit from the complete program.
+     * XXX: The config hooks should return errors instead of calling exit().
      */
     exit(1);
 }

diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c
index 1fa4a2ef7af08139c56776baa34d0abf15069cb7..23ccaf4a2d31028ef21bfbecb6ebc48d24094fae 100644 (file)
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -196,7 +196,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                          "Server should be SSL-aware but has no certificate "
                          "configured [Hint: SSLCertificateFile] (%s:%d)",
                          pServ->defn_name, pServ->defn_line_number);
-            ssl_die();
+            ssl_die(pServ);
         }
 
         /* Bitmasks for all key algorithms configured for this server;
@@ -225,14 +225,14 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                     ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
                                  "Init: Can't open server certificate file %s",
                                  szPath);
-                    ssl_die();
+                    ssl_die(s);
                 }
                 if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
                     ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
                                  "Init: Unable to read server certificate from"
                                  " file %s", szPath);
                     ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                    ssl_die();
+                    ssl_die(s);
                 }
                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
                              "Init: Read server certificate from '%s'",
@@ -249,7 +249,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                              "Init: Multiple %s server certificates not "
                              "allowed", an);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
             algoCert |= at;
 
@@ -328,7 +328,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                      ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02243)
                                   "Init: Can't open server private key file "
                                   "%s",szPath);
-                     ssl_die();
+                     ssl_die(s);
                 }
 
                 /*
@@ -425,7 +425,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                                  "Init: SSLPassPhraseDialog builtin is not "
                                  "supported on Win32 (key file "
                                  "%s)", szPath);
-                    ssl_die();
+                    ssl_die(s);
                 }
 #endif /* WIN32 */
 
@@ -464,7 +464,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                         apr_file_printf(writetty, "**Stopped\n");
                     }
                 }
-                ssl_die();
+                ssl_die(pServ);
             }
 
             /* If a cached private key was found, nothing more to do
@@ -479,7 +479,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                             "file %s [Hint: Perhaps it is in a separate file? "
                             "  See SSLCertificateKeyFile]", szPath);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
 
             /*
@@ -493,7 +493,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
                              "Init: Multiple %s server private keys not "
                              "allowed", an);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                ssl_die();
+                ssl_die(s);
             }
             algoKey |= at;
 

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index f393ecfad4d895325a985b5684ba4fc1fb354b19..1ce069eb77d00ae70e526c5b389f971bad0fc2a0 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -906,7 +906,7 @@ int          ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
 #define SSL_STAPLING_MUTEX_TYPE "ssl-stapling"
 
 /**  Logfile Support  */
-void         ssl_die(void);
+void         ssl_die(server_rec *);
 void         ssl_log_ssl_error(const char *, int, int, server_rec *);
 
 /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the

diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c
index 2c8d1bc8ad1aea9165f99af81a8ba10f5e3ab18f..d32f8e1dd6bfaaa8fee14d10faee639b3feac03b 100644 (file)
--- a/modules/ssl/ssl_scache.c
+++ b/modules/ssl/ssl_scache.c
@@ -63,7 +63,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)
         if (rv) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872)
                          "Could not initialize stapling cache. Exiting.");
-            ssl_die();
+            ssl_die(s);
         }
     }
 #endif
@@ -88,7 +88,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p)
     if (rv) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874)
                      "Could not initialize session cache. Exiting.");
-        ssl_die();
+        ssl_die(s);
     }
 }
 

diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c
index 55b051e99fe09af72626b83c8fbf63c90ca2c6b9..475fe4d2d9a6767e55bbbea143d84a6a51d8608e 100644 (file)
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -286,7 +286,7 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
     f = fopen(pkcs7, "r");
     if (!f) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02212) "Can't open %s", pkcs7);
-        ssl_die();
+        ssl_die(s);
     }
 
     p7 = PEM_read_PKCS7(f, NULL, NULL, NULL);
@@ -313,13 +313,13 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
     default:
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02213)
                      "Don't understand PKCS7 file %s", pkcs7);
-        ssl_die();
+        ssl_die(s);
     }
 
     if (!certs) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02214)
                      "No certificates in %s", pkcs7);
-        ssl_die();
+        ssl_die(s);
     }
 
     fclose(f);

diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 3ff08dcc671d268cd5b34d40a61bb993772c3493..89be7f530e9fa64985ee29b7fa6d2c30326e29ae 100644 (file)
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -662,12 +662,12 @@ void modssl_init_stapling(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
     if (mc->stapling_cache == NULL) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958)
                      "SSLStapling: no stapling cache available");
-        ssl_die();
+        ssl_die(s);
     }
     if (ssl_stapling_mutex_init(s, ptemp) == FALSE) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959)
                      "SSLStapling: cannot initialise stapling mutex");
-        ssl_die();
+        ssl_die(s);
     }
     /* Set some default values for parameters if they are not set */
     if (mctx->stapling_resptime_skew == UNSET) {