mod_ssl: Log certificate information if client cert verification
authorStefan Fritsch <sf@apache.org>
Sat, 16 Oct 2010 09:51:44 +0000 (09:51 +0000)
committerStefan Fritsch <sf@apache.org>
Sat, 16 Oct 2010 09:51:44 +0000 (09:51 +0000)
fails.

PR: 50094
Submitted by: Lassi Tuura <lat cern ch>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1023226 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index a083973d291ce43d3d9e3e552bf32cc77d3b2633..b2d0be8a08ed2c336809b180828990a127b3c56a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_ssl: Log certificate information if client cert verification
+     fails. PR 50094. [Lassi Tuura <lat cern ch>, Stefan Fritsch]
+
   *) htcacheclean: Teach htcacheclean to limit cache size by number of
      inodes in addition to size of files. Prevents a cache disk from
      running out of space when many small files are cached.
index 82fee24daebd89087b71713c25f83ae7dde70015..1fa0d4b4f8676fa7489d538f781606cd2b03699c 100644 (file)
@@ -1557,6 +1557,35 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                       "Certificate Verification: Error (%d): %s",
                       errnum, X509_verify_cert_error_string(errnum));
+        if (APLOGcinfo(conn)) {
+            X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+            BIO *bio = BIO_new(BIO_s_mem());
+            char buff[512]; /* should be plenty */
+            int n;
+
+            if (bio) {
+                BIO_puts(bio, "Failed certificate: subject: '");
+                X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+                                   XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', issuer: '");
+                X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+                                XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', notbefore: ");
+                ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+                BIO_puts(bio, ", notafter: ");
+                ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+                n = BIO_read(bio, buff, sizeof(buff) - 1);
+                BIO_free(bio);
+                if (n > 0) {
+                    buff[n] = '\0';
+                    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn, "%s", buff);
+                }
+            }
+        }
 
         if (sslconn->client_cert) {
             X509_free(sslconn->client_cert);
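Review bot: The `cert` returned by `X509_STORE_CTX_get_current_cert(ctx)` on the first added line is handed straight to `X509_get_subject_name`/`X509_get_issuer_name` without a NULL check, and OpenSSL documents that call as returning NULL when no certificate is relevant to the verification error, so a failed handshake from an unauthenticated client could become a NULL dereference whenever the server logs at INFO. Guard the whole block on both pointers: `if (bio && cert) {`. Separately, `ASN1_UTCTIME_print` assumes the UTCTime encoding, while a client-supplied certificate may carry GeneralizedTime validity dates (required for years from 2050 onward); `ASN1_TIME_print` dispatches on the actual type, so prefer `ASN1_TIME_print(bio, X509_get_notBefore(cert));` and likewise for notAfter. The 512-byte `buff` silently truncates long subject/issuer names, which only loses log detail, but the `/* should be plenty */` comment would be clearer as `/* long DNs are truncated; this is best-effort diagnostic output */`. ssl_callback_SSLVerify begins and ends outside the hunk.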