Changes with Apache 2.0.37
+ *) Remove SSLLog and SSLLogLevel directives in favor of having
+ mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
+
*) OS/390: LIBPATH no longer has to be manually uncommented in
envvars to get apachectl to set up httpd properly. [Jeff Trawick]
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
-# Logging:
-# The home of the dedicated SSL protocol logfile. Errors are
-# additionally duplicated in the general error log file. Put
-# this somewhere where it cannot be used for symlink attacks on
-# a real server (i.e. somewhere where only root can write).
-# Log levels are (ascending order: higher ones include lower ones):
-# none, error, warn, info, trace, debug.
-SSLLog logs/ssl_engine_log
-SSLLogLevel info
-
##
## SSL Virtual Host Context
##
</usage>
</directivesynopsis>
-<directivesynopsis>
-<name>SSLLog</name>
-<description>Where to write the dedicated SSL engine logfile</description>
-<syntax>SSLLog <em>file-path</em></syntax>
-<contextlist><context>server config</context>
-<context>virtual host</context></contextlist>
-
-<usage>
-<p>
-This directive sets the name of the dedicated SSL protocol engine logfile.
-Error type messages are additionally duplicated to the general Apache error
-log file (directive <code>ErrorLog</code>). Put this somewhere where it cannot
-be used for symlink attacks on a real server (i.e. somewhere where only root
-can write). If the <em>file-path</em> does not begin with a slash
-('<code>/</code>') then it is assumed to be relative to the <em>Server
-Root</em>. If <em>file-path</em> begins with a bar ('<code>|</code>') then the
-following string is assumed to be a path to an executable program to which a
-reliable pipe can be established. The directive should occur only once per
-virtual server config.</p>
-<example><title>Example</title>
-SSLLog /usr/local/apache/logs/ssl_engine_log
-</example>
-</usage>
-</directivesynopsis>
-
-<directivesynopsis>
-<name>SSLLogLevel</name>
-<description>Logging level for the dedicated SSL engine
-logfile</description>
-<syntax>SSLLogLevel <em>level</em></syntax>
-<default>SSLLogLevel none</default>
-<contextlist><context>server config</context>
-<context>virtual host</context></contextlist>
-
-<usage>
-<p>
-This directive sets the verbosity degree of the dedicated SSL protocol engine
-logfile. The <em>level</em> is one of the following (in ascending order where
-higher levels include lower levels):</p>
-<ul>
-<li><code>none</code><br />
- no dedicated SSL logging is done, but messages of level
- ``<code>error</code>'' are still written to the general Apache error
- logfile.
-</li>
-<li><code>error</code><br />
- log messages of error type only, i.e. messages which show fatal situations
- (processing is stopped). Those messages are also duplicated to the
- general Apache error logfile.
-</li>
-<li><code>warn</code><br />
- log also warning messages, i.e. messages which show non-fatal problems
- (processing is continued).
-</li>
-<li><code>info</code><br />
- log also informational messages, i.e. messages which show major
- processing steps.
-</li>
-<li><code>trace</code><br />
- log also trace messages, i.e. messages which show minor processing steps.
-</li>
-<li><code>debug</code><br />
- log also debugging messages, i.e. messages which show development and
- low-level I/O information.
-</li>
-</ul>
-<example><title>Example</title>
-SSLLogLevel warn
-</example>
-</usage>
-</directivesynopsis>
-
<directivesynopsis>
<name>SSLOptions</name>
<description>Configure various SSL engine run-time options</description>
SSL_CMD_SRV(SessionCacheTimeout, TAKE1,
"SSL Session Cache object lifetime "
"(`N' - number of seconds)")
- SSL_CMD_SRV(Log, TAKE1,
- "SSL logfile for SSL-related messages "
- "(`/path/to/file', `|/path/to/program')")
- SSL_CMD_SRV(LogLevel, TAKE1,
- "SSL logfile verbosity level "
- "(`none', `error', `warn', `info', `debug')")
SSL_CMD_SRV(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
+ /* Deprecated directives. */
+ AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
+ "SSLLog directive is no longer supported - use ErrorLog."),
+ AP_INIT_RAW_ARGS("SSLLogLevel", ap_set_deprecated, NULL, OR_ALL,
+ "SSLLogLevel directive is no longer supported - use LogLevel."),
+
AP_END_CMD
};
return DECLINED;
}
- sslconn->log_level = sc->log_level;
-
/*
* Remember the connection information for
* later access inside callback functions
#define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val
#define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
-/*
- * SSL Logging
- */
-#define SSL_LOG_NONE (1<<0)
-#define SSL_LOG_ERROR (1<<1)
-#define SSL_LOG_WARN (1<<2)
-#define SSL_LOG_INFO (1<<3)
-#define SSL_LOG_TRACE (1<<4)
-#define SSL_LOG_DEBUG (1<<5)
-#define SSL_LOG_MASK (SSL_LOG_ERROR|SSL_LOG_WARN|SSL_LOG_INFO|SSL_LOG_TRACE|SSL_LOG_DEBUG)
-
-#define SSL_ADD_NONE (1<<8)
-#define SSL_ADD_ERRNO (1<<9)
-#define SSL_ADD_SSLERR (1<<10)
-#define SSL_NO_TIMESTAMP (1<<11)
-#define SSL_NO_LEVELID (1<<12)
-#define SSL_NO_NEWLINE (1<<13)
-#define SSL_INIT (1<<14)
-
/*
* Defaults for the configuration
*/
const char *verify_info;
const char *verify_error;
int verify_depth;
- int log_level; /* for avoiding expensive logging */
int is_proxy;
int disabled;
} SSLConnRec;
-#define SSLConnLogApplies(sslconn, level) (sslconn->log_level >= level)
-
typedef struct {
pid_t pid;
apr_pool_t *pPool;
BOOL proxy_enabled;
const char *vhost_id;
int vhost_id_len;
- const char *log_file_name;
- apr_file_t *log_file;
- int log_level;
int session_cache_timeout;
modssl_ctx_t *server;
modssl_ctx_t *proxy;
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
-const char *ssl_cmd_SSLLog(cmd_parms *, void *, const char *);
-const char *ssl_cmd_SSLLogLevel(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
int ssl_mutex_off(server_rec *);
/* Logfile Support */
-void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
-void ssl_log(server_rec *, int, const char *, ...);
void ssl_die(void);
void ssl_log_ssl_error(const char *, int, int, server_rec *);
sc->proxy_enabled = UNSET;
sc->vhost_id = NULL; /* set during module init */
sc->vhost_id_len = 0; /* set during module init */
- sc->log_file_name = NULL;
- sc->log_file = NULL; /* set during module init */
- sc->log_level = SSL_LOG_NONE;
sc->session_cache_timeout = UNSET;
modssl_ctx_init_proxy(sc, p);
cfgMerge(mc, NULL);
cfgMergeBool(enabled);
cfgMergeBool(proxy_enabled);
- cfgMergeString(log_file_name);
- cfgMerge(log_level, SSL_LOG_NONE);
cfgMergeInt(session_cache_timeout);
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
return NULL;
}
-#define SSL_FLAGS_LOG_CONTEXT \
- (NOT_IN_LIMIT|NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES)
-
-const char *ssl_cmd_SSLLog(cmd_parms *cmd,
- void *dcfg,
- const char *arg)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ap_check_cmd_context(cmd, SSL_FLAGS_LOG_CONTEXT))) {
- return err;
- }
-
- sc->log_file_name = arg;
-
- return NULL;
-}
-
-const char *ssl_cmd_SSLLogLevel(cmd_parms *cmd,
- void *dcfg,
- const char *level)
-{
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- const char *err;
-
- if ((err = ap_check_cmd_context(cmd, SSL_FLAGS_LOG_CONTEXT))) {
- return err;
- }
-
- if (strcEQ(level, "none")) {
- sc->log_level = SSL_LOG_NONE;
- }
- else if (strcEQ(level, "error")) {
- sc->log_level = SSL_LOG_ERROR;
- }
- else if (strcEQ(level, "warn")) {
- sc->log_level = SSL_LOG_WARN;
- }
- else if (strcEQ(level, "info")) {
- sc->log_level = SSL_LOG_INFO;
- }
- else if (strcEQ(level, "trace")) {
- sc->log_level = SSL_LOG_TRACE;
- }
- else if (strcEQ(level, "debug")) {
- sc->log_level = SSL_LOG_DEBUG;
- }
- else {
- return "SSLLogLevel: Invalid argument";
- }
-
- return NULL;
-}
-
const char *ssl_cmd_SSLOptions(cmd_parms *cmd,
void *dcfg,
const char *arg)
sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN;
}
- /* Open the dedicated SSL logfile */
- ssl_log_open(base_server, s, p);
}
ssl_init_SSLLibrary(base_server);
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
- if (mctx->sc->log_level >= SSL_LOG_INFO) {
- /* this callback only logs if SSLLogLevel >= info */
+ if (s->loglevel >= APLOG_DEBUG) {
+ /* this callback only logs if LogLevel >= info */
SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
}
}
void ssl_io_filter_init(conn_rec *c, SSL *ssl)
{
- SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
SSLFilterRec *filter;
filter = apr_palloc(c->pool, sizeof(SSLFilterRec));
apr_pool_cleanup_register(c->pool, (void*)filter,
ssl_io_filter_cleanup, apr_pool_cleanup_null);
- if (sc->log_level >= SSL_LOG_DEBUG) {
+ if (c->base_server->loglevel >= APLOG_DEBUG) {
BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
}
SSL_smart_shutdown(ssl);
/* and finally log the fact that we've closed the connection */
- if (SSLConnLogApplies(sslconn, SSL_LOG_INFO)) {
+ if (conn->base_server->loglevel >= APLOG_INFO) {
ap_log_error(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, conn->base_server,
"Connection to child %ld closed with %s shutdown"
"(server %s, client %s)",
/*
* Log information about incoming HTTPS requests
*/
- if (SSLConnLogApplies(sslconn, SSL_LOG_INFO) && ap_is_initial_req(r)) {
+ if (r->server->loglevel >= APLOG_INFO && ap_is_initial_req(r)) {
ap_log_error(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r->server,
"%s HTTPS request received for child %ld (server %s)",
(r->connection->keepalives <= 0 ?
/*
* Log verification information
*/
- if (sc->log_level >= SSL_LOG_TRACE) {
+ if (s->loglevel >= APLOG_DEBUG) {
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
char *iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
* Log information about CRL
* (A little bit complicated because of ASN.1 and BIOs...)
*/
- if (sc->log_level >= SSL_LOG_TRACE) {
+ if (s->loglevel >= APLOG_DEBUG) {
char buff[512]; /* should be plenty */
BIO *bio = BIO_new(BIO_s_mem());
ASN1_INTEGER *sn = X509_REVOKED_get_serialNumber(revoked);
if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
- if (sc->log_level >= SSL_LOG_INFO) {
+ if (s->loglevel >= APLOG_DEBUG) {
char *cp = X509_NAME_oneline(issuer, NULL, 0);
long serial = ASN1_INTEGER_get(sn);
X509_NAME *name;
const char *dn;
- if (sc->log_level < SSL_LOG_TRACE) {
+ if (s->loglevel < APLOG_DEBUG) {
return;
}
const char *result,
long timeout)
{
- SSLSrvConfigRec *sc = mySrvConfig(s);
char buf[SSL_SESSION_ID_STRING_LEN];
char timeout_str[56] = {'\0'};
- if (sc->log_level < SSL_LOG_TRACE) {
+ if (s->loglevel < APLOG_DEBUG) {
return;
}
/*
* create the various trace messages
*/
- if (sc->log_level >= SSL_LOG_TRACE) {
+ if (s->loglevel >= APLOG_DEBUG) {
if (where & SSL_CB_HANDSHAKE_START) {
ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, s,
"%s: Handshake: start", SSL_LIBRARY_NAME);
** _________________________________________________________________
*/
-/*
- * Open the SSL logfile
- */
-void ssl_log_open(server_rec *s_main, server_rec *s, apr_pool_t *p)
-{
- const char *szLogFile;
- SSLSrvConfigRec *sc_main = mySrvConfig(s_main);
- SSLSrvConfigRec *sc = mySrvConfig(s);
- piped_log *pl;
-
- /*
- * Short-circuit for inherited logfiles in order to save
- * filedescriptors in mass-vhost situation. Be careful, this works
- * fine because the close happens implicitly by the pool facility.
- */
- if ((s != s_main) &&
- (sc_main->log_file != NULL) &&
- ((sc->log_file_name == NULL) ||
- ((sc->log_file_name != NULL) &&
- (sc_main->log_file_name != NULL) &&
- strEQ(sc->log_file_name, sc_main->log_file_name))))
- {
- sc->log_file = sc_main->log_file;
- }
- else if (sc->log_file_name != NULL) {
- if (strEQ(sc->log_file_name, "/dev/null"))
- return;
- else if (sc->log_file_name[0] == '|') {
- szLogFile = sc->log_file_name + 1;
- while (*szLogFile == ' ' || *szLogFile == '\t')
- szLogFile++;
- if ((pl = ap_open_piped_log(p, szLogFile)) == NULL) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
- "Cannot open reliable pipe to SSL logfile filter %s", szLogFile);
- ssl_die();
- }
- sc->log_file = ap_piped_log_write_fd(pl);
- }
- else {
- szLogFile = ap_server_root_relative(p, sc->log_file_name);
- if (!szLogFile) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
- "Invalid SSL logfile path %s", sc->log_file_name);
- ssl_die();
- }
- if ((apr_file_open(&(sc->log_file), szLogFile,
- APR_WRITE|APR_APPEND|APR_CREATE, APR_OS_DEFAULT, p))
- != APR_SUCCESS) {
- ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO,
- "Cannot open SSL logfile %s", szLogFile);
- ssl_die();
- }
- }
- }
- return;
-}
-
-static struct {
- int nLevel;
- char *szLevel;
-} ssl_log_level2string[] = {
- { SSL_LOG_ERROR, "error" },
- { SSL_LOG_WARN, "warn" },
- { SSL_LOG_INFO, "info" },
- { SSL_LOG_TRACE, "trace" },
- { SSL_LOG_DEBUG, "debug" },
- { 0, NULL }
-};
-
static struct {
char *cpPattern;
char *cpAnnotation;
return errstr;
}
-void ssl_log(server_rec *s, int level, const char *msg, ...)
-{
- char tstr[80];
- char lstr[256];
- char vstr[1024];
- char str[1024];
- char *nstr;
- apr_size_t len;
- apr_time_exp_t t;
- va_list ap;
- int add;
- int i;
- char *astr;
- int safe_errno;
- unsigned long e;
- SSLSrvConfigRec *sc;
- char *cpE;
- char *cpA;
-
- /* initialization */
- safe_errno = errno;
- sc = mySrvConfig(s);
-
- /* strip out additional flags */
- add = (level & ~SSL_LOG_MASK);
- level = (level & SSL_LOG_MASK);
-
- /* reduce flags when not reasonable in context */
- if (add & SSL_ADD_ERRNO && errno == 0)
- add &= ~SSL_ADD_ERRNO;
- if (add & SSL_ADD_SSLERR && ERR_peek_error() == 0)
- add &= ~SSL_ADD_SSLERR;
-
- /* we log only levels below, except for errors */
- if ( sc->log_file == NULL
- && !(level & SSL_LOG_ERROR))
- return;
- if ( level > sc->log_level
- && !(level & SSL_LOG_ERROR))
- return;
-
- /* determine the time entry string */
- if (add & SSL_NO_TIMESTAMP)
- tstr[0] = NUL;
- else {
- apr_time_exp_lt(&t, apr_time_now());
- apr_strftime(tstr, &len, 80, "[%d/%b/%Y %H:%M:%S", &t);
- apr_snprintf(tstr + strlen(tstr), 80 - strlen(tstr), " %05d] ",
- (unsigned int)getpid());
- }
-
- /* determine whether newline should be written */
- if (add & SSL_NO_NEWLINE)
- nstr = "";
- else {
- nstr = APR_EOL_STR;
- }
-
- /* determine level name */
- lstr[0] = NUL;
- if (!(add & SSL_NO_LEVELID)) {
- for (i = 0; ssl_log_level2string[i].nLevel != 0; i++) {
- if (ssl_log_level2string[i].nLevel == level) {
- apr_snprintf(lstr, sizeof(lstr), "[%s]", ssl_log_level2string[i].szLevel);
- break;
- }
- }
- for (i = strlen(lstr); i <= 7; i++)
- lstr[i] = ' ';
- lstr[i] = NUL;
- }
-
- if (add & SSL_INIT) {
- len = strlen(lstr);
- apr_snprintf(&lstr[len], sizeof(lstr) - len,
- "Init: (%s) ", sc->vhost_id);
- }
-
- /* create custom message */
- va_start(ap, msg);
- apr_vsnprintf(vstr, sizeof(vstr), msg, ap);
- va_end(ap);
-
- /* write out SSLog message */
- if ((add & SSL_ADD_ERRNO) && (add & SSL_ADD_SSLERR))
- astr = " (System and " SSL_LIBRARY_NAME " library errors follow)";
- else if (add & SSL_ADD_ERRNO)
- astr = " (System error follows)";
- else if (add & SSL_ADD_SSLERR)
- astr = " (" SSL_LIBRARY_NAME " library error follows)";
- else
- astr = "";
- if (level <= sc->log_level && sc->log_file != NULL) {
- apr_snprintf(str, sizeof(str), "%s%s%s%s%s",
- tstr, lstr, vstr, astr, nstr);
- apr_file_printf(sc->log_file, "%s", str);
- }
- if (level & SSL_LOG_ERROR)
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
- "mod_ssl: %s%s", vstr, astr);
-
- /* write out additional attachment messages */
- if (add & SSL_ADD_ERRNO) {
- if (level <= sc->log_level && sc->log_file != NULL) {
- apr_snprintf(str, sizeof(str), "%s%sSystem: %s (errno: %d)%s",
- tstr, lstr, strerror(safe_errno), safe_errno, nstr);
- apr_file_printf(sc->log_file, "%s", str);
- }
- if (level & SSL_LOG_ERROR)
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
- "System: %s (errno: %d)",
- strerror(safe_errno), safe_errno);
- }
- if (add & SSL_ADD_SSLERR) {
- while ((e = ERR_get_error())) {
- cpE = ERR_error_string(e, NULL);
- cpA = ssl_log_annotation(cpE);
- if (level <= sc->log_level && sc->log_file != NULL) {
- apr_snprintf(str, sizeof(str), "%s%s%s: %s%s%s%s%s",
- tstr, lstr, SSL_LIBRARY_NAME, cpE,
- cpA != NULL ? " [Hint: " : "",
- cpA != NULL ? cpA : "", cpA != NULL ? "]" : "",
- nstr);
- apr_file_printf(sc->log_file, "%s", str);
- }
- if (level & SSL_LOG_ERROR)
- ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, s,
- "%s: %s%s%s%s", SSL_LIBRARY_NAME, cpE,
- cpA != NULL ? " [Hint: " : "",
- cpA != NULL ? cpA : "", cpA != NULL ? "]" : "");
- }
- }
- /* make sure the next log starts from a clean base */
- /* ERR_clear_error(); */
-
- /* cleanup and return */
- if (sc->log_file != NULL)
- apr_file_flush(sc->log_file);
- errno = safe_errno;
- return;
-}
-
void ssl_die(void)
{
/*
projects / apache / commitdiff