* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): New function,

factored out from ssl_callback_SSLVerify.

* modules/ssl/ssl_private: Add prototype.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Use it.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@597651 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 5da75c1c98013a29bcb2fad3d13a5c22d5f290df..b3fcbe9df80f5cf702d0d5a4b51c1c177ba7e114 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1256,26 +1256,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Log verification information
      */
-    if (s->loglevel >= APLOG_DEBUG) {
-        X509 *cert  = X509_STORE_CTX_get_current_cert(ctx);
-        char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-        char *iname = X509_NAME_oneline(X509_get_issuer_name(cert),  NULL, 0);
-
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
-                      "Certificate Verification: "
-                      "depth: %d, subject: %s, issuer: %s",
-                      errdepth,
-                      sname ? sname : "-unknown-",
-                      iname ? iname : "-unknown-");
-
-        if (sname) {
-            modssl_free(sname);
-        }
-
-        if (iname) {
-            modssl_free(iname);
-        }
-    }
+    ssl_log_cxerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+                    X509_STORE_CTX_get_current_cert(ctx),
+                    "Certificate Verification, depth %d",
+                    errdepth);
 
     /*
      * Check for optionally acceptable non-verifiable issuer situation

diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
index d573a7312c279fae031d033f42798498e7ab75a3..b3ca90df2eb011ad3eab9f0b2d9c72c2cbff57a8 100644 (file)
--- a/modules/ssl/ssl_engine_log.c
+++ b/modules/ssl/ssl_engine_log.c
@@ -107,3 +107,38 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
         ERR_get_error();
     }
 }
+
+void ssl_log_cxerror(const char *file, int line, int level, 
+                     apr_status_t rv, conn_rec *c, X509 *cert,
+                     const char *format, ...)
+{
+    va_list ap;
+    char buf[HUGE_STRING_LEN];
+    char *sname, *iname;
+    
+    if (c->base_server->loglevel < level) {
+        /* Bail early since the rest of this function is expensive. */
+        return;
+    }
+
+    sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+    iname = X509_NAME_oneline(X509_get_issuer_name(cert),  NULL, 0);
+    
+    va_start(ap, format);
+    apr_vsnprintf(buf, sizeof buf, format, ap);
+    va_end(ap);
+
+    ap_log_cerror(file, line, level, rv, c, 
+                  "%s [peer subject: %s, issuer: %s]",
+                  buf,
+                  sname ? sname : "-unknown-",
+                  iname ? iname : "-unknown-");
+
+    if (sname) {
+        modssl_free(sname);
+    }
+    
+    if (iname) {
+        modssl_free(iname);
+    }
+}

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 4d30dafe4d8a4d54f1fca21d6e5912c81ebe34f5..e1c0515e570c36554ef9d3ba0cf2b2337166ccf6 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -679,6 +679,16 @@ int          ssl_mutex_off(server_rec *);
 void         ssl_die(void);
 void         ssl_log_ssl_error(const char *, int, int, server_rec *);
 
+/* ssl_log_cxerror is a wrapper for ap_log_cerror which takes the peer
+ * certificate as an additional argument and appends details of that
+ * cert to the log message.  All other arguments interpreted exactly
+ * as ap_log_cerror. */
+void ssl_log_cxerror(const char *file, int line, int level, 
+                     apr_status_t rv, conn_rec *c, X509 *cert,
+                     const char *format, ...)
+    __attribute__((format(printf,7,8)));
+
+
 /**  Variables  */
 
 /* Register variables for the lifetime of the process pool 'p'. */