mod_ssl: Do not print content of SSL CA directories during -DDUMP_CA_CERTS, make
authorJan Kaluža <jkaluza@apache.org>
Thu, 16 Jan 2014 12:49:37 +0000 (12:49 +0000)
committerJan Kaluža <jkaluza@apache.org>
Thu, 16 Jan 2014 12:49:37 +0000 (12:49 +0000)
-DDUMP_CERTS and -DDUMP_CA_CERTS mutually exclusive and document them.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1558775 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/programs/httpd.xml
modules/ssl/ssl_engine_config.c

index d41333c189a6acb478a9f281d593af12c33bf41a..b1740ce9bd17b113c431ae9e021782eac9826b71 100644 (file)
@@ -158,7 +158,11 @@ immediately exits after these syntax parsing tests with either a return code
 of 0 (Syntax OK) or return code not equal to 0 (Syntax Error).  If -D
 <var>DUMP</var>_<var>VHOSTS </var>is also set, details of the virtual host
 configuration will be printed. If -D <var>DUMP</var>_<var>MODULES </var> is
-set, all loaded modules will be printed.</dd>
+set, all loaded modules will be printed. If -D <var>DUMP</var>_<var>CERTS </var>
+is set and <module>mod_ssl</module> is used, configured SSL certificates will
+be printed.  If -D <var>DUMP</var>_<var>CA</var>_<var>_CERTS </var> is set and
+<module>mod_ssl</module> is used, configured SSL CA certificates and configured
+directories containing SSL CA certificates will be printed.</dd>
 
 <dt><code>-v</code></dt>
 
index f194034f31e7f9a8ad50e72db970768a8cc7d651..f69b6bfcae748dd15dcf46acc66b958871a526f1 100644 (file)
@@ -1851,50 +1851,14 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
 
 #endif /* HAVE_SRP */
 
-static void dump_ca_cert_file(apr_file_t *out, const char *file) {
-    X509 *rc;
-    BIO *bioS;
-
-    if ((bioS=BIO_new_file(file, "r")) == NULL) {
-        return;
-    }
-
-    /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
-     * loads only file of PEM formatted certificates, so we have to load
-     * only PEM here too, to stay consistent.
-     */
-    rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
-    BIO_free(bioS);
-    if (rc) {
-        apr_file_printf(out, "  %s\n", file);
-        X509_free(rc);
-    }
-}
-
-static void dump_ca_cert_path(apr_pool_t *pool, apr_file_t *out,
-                              const char *ca_cert_path)
+void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
-    apr_dir_t *dir;
-    apr_finfo_t direntry;
-    apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
-
-    if (apr_dir_open(&dir, ca_cert_path, pool) != APR_SUCCESS) {
+    apr_file_t *out = NULL;
+    if (ap_exists_config_define("DUMP_CERTS") &&
+        ap_exists_config_define("DUMP_CA_CERTS")) {
         return;
     }
 
-    while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
-        char *file;
-        if (direntry.filetype == APR_DIR) {
-            continue; /* don't try to load directories */
-        }
-        file = apr_pstrcat(pool, ca_cert_path, "/", direntry.name, NULL);
-        dump_ca_cert_file(out, file);
-    }
-}
-
-void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
-{
-    apr_file_t *out = NULL;
     if (ap_exists_config_define("DUMP_CERTS")) {
         apr_file_open_stdout(&out, pconf);
         apr_file_printf(out, "Server certificates:\n");
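Review bot: The early return added at the top of ssl_hook_ConfigTest exits silently when both DUMP_CERTS and DUMP_CA_CERTS are defined, so an administrator who passes both gets neither dump and no indication why; the conflict should be reported before returning, e.g. `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "DUMP_CERTS and DUMP_CA_CERTS are mutually exclusive; ignoring both");` (plus the project's log-tag macro if the tree requires one on new messages). The `"DUMP_CERTS"` lookup is then repeated in the very next `if`; caching both results once (`int dump_certs = ap_exists_config_define("DUMP_CERTS");` and the CA counterpart) would let the exclusivity check and the two dump branches read as one decision instead of three string lookups. The body of ssl_hook_ConfigTest continues beyond this hunk.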
@@ -1933,11 +1897,12 @@ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 
             if (sc && sc->server) {
                 if (sc->server->auth.ca_cert_path) {
-                    dump_ca_cert_path(pconf, out,
-                                      sc->server->auth.ca_cert_path);
+                    apr_file_printf(out, "  %s\n",
+                                    sc->server->auth.ca_cert_path);
                 }
                 if (sc->server->auth.ca_cert_file) {
-                    dump_ca_cert_file(out, sc->server->auth.ca_cert_file);
+                    apr_file_printf(out, "  %s\n",
+                                    sc->server->auth.ca_cert_file);
                 }
             }