Improve ssl_log_cxerror():

Fix logic of APLOG_IS_LEVEL check.
Use X509_NAME_print_ex() instead of deprecated X509_NAME_oneline().
Use i2a_ASN1_INTEGER for printing the serial number.
Add notBefore and notAfter dates to log line.
Check for null cert argument (addresses PR 47408).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1157712 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 1297f0e50afefe0b9d914cd9f98b3cc53d09f91a..3ac4a45ec82158387e84a326657b76589316a075 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.3.15
 
+  *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
+
   *) mod_authz_groupfile: Increase length limit of lines in the group file to
      16MB. PR 43084. [Stefan Fritsch]
 

diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index 055020105a889919460f2386b4250169c7728650..a4f52c69314adfd24929d62d175bab717ac7c175 100644 (file)
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -114,43 +114,61 @@ void ssl_log_cxerror(const char *file, int line, int level,
 {
     va_list ap;
     char buf[HUGE_STRING_LEN];
-    char *sname, *iname, *serial;
-    BIGNUM *bn;
     
-    if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
+    if (!APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
         /* Bail early since the rest of this function is expensive. */
         return;
     }
 
-    sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-    iname = X509_NAME_oneline(X509_get_issuer_name(cert),  NULL, 0);
-    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
-    serial = bn && !BN_is_zero(bn) ? BN_bn2hex(bn) : NULL;
-    
     va_start(ap, format);
     apr_vsnprintf(buf, sizeof buf, format, ap);
     va_end(ap);
 
-    ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c,
-                  "%s [subject: %s, issuer: %s, serial: %s]",
-                  buf,
-                  sname ? sname : "-unknown-",
-                  iname ? iname : "-unknown-",
-                  serial ? serial : "-unknown-");
-
-    if (sname) {
-        OPENSSL_free(sname);
-    }
-    
-    if (iname) {
-        OPENSSL_free(iname);
-    }
-    
-    if (serial) {
-        OPENSSL_free(serial);
-    }
+    if (cert) {
+        BIO *bio = BIO_new(BIO_s_mem());
+
+        if (bio) {
+            int n, msglen;
+
+            BIO_puts(bio, " [subject: ");
+            n = X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+                                   XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV);
+            if (n == 0) {
+                BIO_puts(bio, "-empty-");
+            } else if (n < 0) {
+                BIO_puts(bio, "(ERROR)");
+            }
 
-    if (bn) {
-        BN_free(bn);
+            BIO_puts(bio, " / issuer: ");
+            n = X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+                                   XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV);
+            if (n == 0) {
+                BIO_puts(bio, "-empty-");
+            } else if (n < 0) {
+                BIO_puts(bio, "(ERROR)");
+            }
+
+            BIO_puts(bio, " / serial: ");
+            if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1)
+                BIO_puts(bio, "(ERROR)");
+
+            BIO_puts(bio, " / notbefore: ");
+            ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+            BIO_puts(bio, " / notafter: ");
+            ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+            BIO_puts(bio, "]");
+
+            msglen = strlen(buf);
+            n = BIO_read(bio, buf + msglen, sizeof buf - msglen - 1);
+            if (n > 0)
+               buf[msglen + n] = '\0';
+
+            BIO_free(bio);
+        }
     }
+
+    ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c,
+                  "%s%s", buf, cert ? "" : " [certificate: -not available-]");
 }