mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
authorJan Kaluža <jkaluza@apache.org>
Wed, 11 Dec 2013 07:16:28 +0000 (07:16 +0000)
committerJan Kaluža <jkaluza@apache.org>
Wed, 11 Dec 2013 07:16:28 +0000 (07:16 +0000)
configured SSL CA certificates to stdout the same way as DUMP_CERTS does.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1550060 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_config.c

diff --git a/CHANGES b/CHANGES
index 25224923a26e401437576665b8fcc2d979b032f5..4a868ea903fff21a6713006497bd5545399771e9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+  *) mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
+     configured SSL CA certificates to stdout the same way as DUMP_CERTS does.
+     [Jan Kaluza]
 
   *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk. 
      PR55833. [Eric Covener]
index 4a01ef0d639b8561e7296de772201bd095d90953..4f9db0b36238dd78aa1edd0680891600eff1829c 100644 (file)
@@ -1870,30 +1870,95 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
 
 #endif /* HAVE_SRP */
 
+static void dump_ca_cert_file(apr_file_t *out, const char *file) {
+    X509 *rc;
+    BIO *bioS;
+
+    if ((bioS=BIO_new_file(file, "r")) == NULL) {
+        return;
+    }
+
+    /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
+     * loads only file of PEM formatted certificates, so we have to load
+     * only PEM here too, to stay consistent.
+     */
+    rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
+    BIO_free(bioS);
+    if (rc) {
+        apr_file_printf(out, "  %s\n", file);
+        X509_free(rc);
+    }
+}
+
+static void dump_ca_cert_path(apr_pool_t *pool, apr_file_t *out,
+                              const char *ca_cert_path)
+{
+    apr_dir_t *dir;
+    apr_finfo_t direntry;
+    apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
+
+    if (apr_dir_open(&dir, ca_cert_path, pool) != APR_SUCCESS) {
+        return;
+    }
+
+    while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
+        char *file;
+        if (direntry.filetype == APR_DIR) {
+            continue; /* don't try to load directories */
+        }
+        file = apr_pstrcat(pool, ca_cert_path, "/", direntry.name, NULL);
+        dump_ca_cert_file(out, file);
+    }
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     apr_file_t *out = NULL;
-    if (!ap_exists_config_define("DUMP_CERTS")) {
+    if (ap_exists_config_define("DUMP_CERTS")) {
+        apr_file_open_stdout(&out, pconf);
+        apr_file_printf(out, "Server certificates:\n");
+
+        /* Dump the filenames of all configured server certificates to
+        * stdout. */
+        while (s) {
+            SSLSrvConfigRec *sc = mySrvConfig(s);
+
+            if (sc && sc->server && sc->server->pks) {
+                modssl_pk_server_t *const pks = sc->server->pks;
+                int i;
+
+                for (i = 0; (i < SSL_AIDX_MAX) && pks->cert_files[i]; i++) {
+                    apr_file_printf(out, "  %s\n", pks->cert_files[i]);
+                }
+            }
+
+            s = s->next;
+        }
         return;
     }
-    apr_file_open_stdout(&out, pconf);
-    apr_file_printf(out, "Server certificates:\n");
 
-    /* Dump the filenames of all configured server certificates to
-     * stdout. */
-    while (s) {
-        SSLSrvConfigRec *sc = mySrvConfig(s);
+    if (ap_exists_config_define("DUMP_CA_CERTS")) {
+        apr_file_open_stdout(&out, pconf);
+        apr_file_printf(out, "Server CA certificates:\n");
 
-        if (sc && sc->server && sc->server->pks) {
-            modssl_pk_server_t *const pks = sc->server->pks;
-            int i;
+        /* Dump the filenames of all configured server CA certificates to
+        * stdout. */
+        while (s) {
+            SSLSrvConfigRec *sc = mySrvConfig(s);
 
-            for (i = 0; (i < SSL_AIDX_MAX) && pks->cert_files[i]; i++) {
-                apr_file_printf(out, "  %s\n", pks->cert_files[i]);
+            if (sc && sc->server) {
+                if (sc->server->auth.ca_cert_path) {
+                    dump_ca_cert_path(pconf, out,
+                                      sc->server->auth.ca_cert_path);
+                }
+                if (sc->server->auth.ca_cert_file) {
+                    dump_ca_cert_file(out, sc->server->auth.ca_cert_file);
+                }
             }
-        }
 
-        s = s->next;
+            s = s->next;
+        }
+        return;
     }
 
 }
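Review bot: `dump_ca_cert_path` opens the directory with `apr_dir_open` but never closes it, so every configured `ca_cert_path` visited in the `DUMP_CA_CERTS` loop leaks a directory handle for the rest of the config-test run (presumably until `pconf` is cleaned up); add `apr_dir_close(dir);` after the `while` loop. The `return;` at the end of the `DUMP_CERTS` block also makes the two defines mutually exclusive — `-t -DDUMP_CERTS -DDUMP_CA_CERTS` prints only the server certificates — and since the first loop walks `s` to NULL the second block would need the original `server_rec` head anyway, so either document that only one define is honoured or keep the list head in a local and drop the early return. `apr_file_open_stdout(&out, pconf)` is called without checking its result in both blocks, leaving `out` NULL at the following `apr_file_printf` on failure; the old code had the same gap, but the new block repeats it rather than fixing it. The continuation lines of the two block comments (`* stdout. */`) are indented one column short of their opening `/*`.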