From: Rainer Jung Date: Sat, 4 Aug 2012 21:22:38 +0000 (+0000) Subject: mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to X-Git-Tag: 2.4.3~120 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2b159659a7c63aa7dfdba0f67bb4664aa6dd492a;p=apache mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to the main error log, pointing to the appropriate virtual host error log. Backport of r1348660 from trunk. Submitted by: sf Reviewed by: rjung, covener Backported by: rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1369464 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1e6e5a6ac1..2d7102df1a 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,10 @@ Changes with Apache 2.4.3 possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. [Niels Heinen ] + *) mod_ssl: If exiting during initialization because of a fatal error, + log a message to the main error log pointing to the appropriate + virtual host error log. [Stefan Fritsch] + *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on one connection. PR 52275. [Naohiro Ooiwa ] diff --git a/STATUS b/STATUS index e9a48e359e..bee2f487e8 100644 --- a/STATUS +++ b/STATUS @@ -88,12 +88,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Pass the server_rec to ssl_die() and use it to log a message to - the main error log, pointing to the appropriate virtual host error log. - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1348660 - 2.4.x patch: http://people.apache.org/~rjung/patches/ssl_die-improve_vhost-logging-2_4.patch - +1: rjung, covener, sf - * event: Keep track of the number of clogged, lingering, and suspended connections. Don't count connections in lingering close state when calculating how many additional connections may be accepted 
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 5d816478cb..4ba3181f2c 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -349,7 +349,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, else { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } } } @@ -438,7 +438,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p) "Init: Failed to load Crypto Device API `%s'", mc->szCryptoDevice); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } if (strEQ(mc->szCryptoDevice, "chil")) { @@ -450,7 +450,7 @@ void ssl_init_Engine(server_rec *s, apr_pool_t *p) "Init: Failed to enable Crypto Device API `%s'", mc->szCryptoDevice); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01890) "Init: loaded Crypto Device API `%s'", @@ -473,7 +473,7 @@ static void ssl_init_server_check(server_rec *s, if (!mctx->pks->cert_files[0] && !mctx->pkcs7) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891) "No SSL Certificate set [hint: SSLCertificateFile]"); - ssl_die(); + ssl_die(s); } /* @@ -489,7 +489,7 @@ static void ssl_init_server_check(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01892) "Illegal attempt to re-initialise SSL for server " "(SSLEngine On should go in the VirtualHost, not in global scope.)"); - ssl_die(); + ssl_die(s); } } @@ -515,7 +515,7 @@ static void ssl_init_ctx_tls_extensions(server_rec *s, "Unable to initialize TLS servername extension " "callback (incompatible OpenSSL version?)"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } #ifdef HAVE_OCSP_STAPLING 
@@ -546,7 +546,7 @@ static void ssl_init_ctx_protocol(server_rec *s, if (protocol == SSL_PROTOCOL_NONE) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02231) "No SSL protocols available [hint: SSLProtocol]"); - ssl_die(); + ssl_die(s); } cp = apr_pstrcat(p, @@ -731,7 +731,7 @@ static void ssl_init_ctx_verify(server_rec *s, "Unable to configure verify locations " "for client authentication"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) { @@ -746,7 +746,7 @@ static void ssl_init_ctx_verify(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01896) "Unable to determine list of acceptable " "CA certificates for client authentication"); - ssl_die(); + ssl_die(s); } SSL_CTX_set_client_CA_list(ctx, ca_list); @@ -791,7 +791,7 @@ static void ssl_init_ctx_cipher_suite(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01898) "Unable to configure permitted SSL ciphers"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } } @@ -815,7 +815,7 @@ static void ssl_init_ctx_crl(server_rec *s, "Host %s: CRL checking has been enabled, but " "neither %sCARevocationFile nor %sCARevocationPath " "is configured", mctx->sc->vhost_id, cfgp, cfgp); - ssl_die(); + ssl_die(s); } return; } @@ -829,7 +829,7 @@ static void ssl_init_ctx_crl(server_rec *s, "Host %s: unable to configure X.509 CRL storage " "for certificate revocation", mctx->sc->vhost_id); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } switch (mctx->crl_check_mode) { @@ -915,7 +915,7 @@ static void ssl_init_ctx_cert_chain(server_rec *s, if (n < 0) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903) "Failed to configure CA certificate chain!"); - ssl_die(); + ssl_die(s); } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01904) 
@@ -973,14 +973,14 @@ static int ssl_server_import_cert(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02233) "Unable to import %s server certificate", type); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02234) "Unable to configure %s server certificate", type); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } #ifdef HAVE_OCSP_STAPLING @@ -1029,14 +1029,14 @@ static int ssl_server_import_key(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02237) "Unable to import %s server private key", type); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02238) "Unable to configure %s server private key", type); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } /* @@ -1188,7 +1188,7 @@ static void ssl_init_server_certs(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910) "Oops, no " KEYTYPES " server certificate found " "for '%s:%d'?!", s->server_hostname, s->port); - ssl_die(); + ssl_die(s); } for (i = 0; i < SSL_AIDX_MAX; i++) { @@ -1208,7 +1208,7 @@ static void ssl_init_server_certs(server_rec *s, )) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01911) "Oops, no " KEYTYPES " server private key found?!"); - ssl_die(); + ssl_die(s); } } @@ -1238,7 +1238,7 @@ static void ssl_init_ticket_key(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02286) "Failed to open ticket key file %s: (%d) %pm", path, rv, &rv); - ssl_die(); + ssl_die(s); } rv = apr_file_read_full(fp, &buf[0], TLSEXT_TICKET_KEY_LEN, &len); 
@@ -1247,7 +1247,7 @@ static void ssl_init_ticket_key(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02287) "Failed to read %d bytes from %s: (%d) %pm", TLSEXT_TICKET_KEY_LEN, path, rv, &rv); - ssl_die(); + ssl_die(s); } memcpy(ticket_key->key_name, buf, 16); @@ -1260,7 +1260,7 @@ static void ssl_init_ticket_key(server_rec *s, "Unable to initialize TLS session ticket key callback " "(incompatible OpenSSL version?)"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02288) @@ -1315,7 +1315,7 @@ static void ssl_init_proxy_certs(server_rec *s, ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) "incomplete client cert configured for SSL proxy " "(missing or encrypted private key?)"); - ssl_die(); + ssl_die(s); return; } } @@ -1338,7 +1338,7 @@ static void ssl_init_proxy_certs(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208) "SSL proxy client cert initialization failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); @@ -1628,7 +1628,7 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02211) "Failed to open Certificate Path `%s'", ca_path); - ssl_die(); + ssl_die(s); } while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) { diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 31861ca721..3f6d6edc91 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c 
@@ -63,12 +63,23 @@ static const char *ssl_log_annotation(const char *error) return ssl_log_annotate[i].cpAnnotation; } -void ssl_die(void) +void ssl_die(server_rec *s) { + if (s != NULL && s->is_virtual && s->error_fname != NULL) + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02311) + "Fatal error initialising mod_ssl, exiting. " + "See %s for more information", + ap_server_root_relative(s->process->pool, + s->error_fname)); + else + ap_log_error(APLOG_MARK, APLOG_EMERG, 0, NULL, APLOGNO(02312) + "Fatal error initialising mod_ssl, exiting."); + /* * This is used for fatal errors and here * it is common module practice to really * exit from the complete program. + * XXX: The config hooks should return errors instead of calling exit(). */ exit(1); } diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index 1fa4a2ef7a..23ccaf4a2d 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -196,7 +196,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "Server should be SSL-aware but has no certificate " "configured [Hint: SSLCertificateFile] (%s:%d)", pServ->defn_name, pServ->defn_line_number); - ssl_die(); + ssl_die(pServ); } /* Bitmasks for all key algorithms configured for this server; @@ -225,14 +225,14 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201) "Init: Can't open server certificate file %s", szPath); - ssl_die(); + ssl_die(s); } if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241) "Init: Unable to read server certificate from" " file %s", szPath); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202) "Init: Read server certificate from '%s'", 
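Review bot: `ssl_die` treats `s->error_fname` as a plain file path, but ErrorLog also accepts a piped logger (`|/path/to/prog`) and a `syslog[:facility]` target, for which `ap_server_root_relative()` yields a misleading pointer such as `<ServerRoot>/syslog:local7`. Restricting the first branch to plain paths avoids that: `if (s != NULL && s->is_virtual && s->error_fname != NULL && *s->error_fname != '|' && strncasecmp(s->error_fname, "syslog", 6) != 0)`. `ap_server_root_relative()` can also return NULL when the path cannot be merged, which the `%s` would render as `(null)`; falling back to the unmodified `s->error_fname` in that case keeps the message useful. The whole of `ssl_die` lies inside the hunk, so this is the complete function.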
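Review bot: The server_rec passed to `ssl_die` in the ssl_engine_pphrase.c hunk at line 196 (`pServ`) differs from the `s` passed in the following `ssl_pphrase_Handle` hunks (225 onward), and `pServ` appears again at 464; the server argument of the preceding `ap_log_error` is not visible in the 196 hunk. The new pointer message only helps if it names the log that actually received the detail, so each call should pass the same server_rec the preceding `ap_log_error` logged against — if the 196 message was logged to `s`, `ssl_die(s);` is the consistent choice, otherwise the log call should use `pServ` as well. `ssl_pphrase_Handle` starts and ends outside these hunks.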
@@ -249,7 +249,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "Init: Multiple %s server certificates not " "allowed", an); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } algoCert |= at; @@ -328,7 +328,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02243) "Init: Can't open server private key file " "%s",szPath); - ssl_die(); + ssl_die(s); } /* @@ -425,7 +425,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "Init: SSLPassPhraseDialog builtin is not " "supported on Win32 (key file " "%s)", szPath); - ssl_die(); + ssl_die(s); } #endif /* WIN32 */ @@ -464,7 +464,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) apr_file_printf(writetty, "**Stopped\n"); } } - ssl_die(); + ssl_die(pServ); } /* If a cached private key was found, nothing more to do @@ -479,7 +479,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "file %s [Hint: Perhaps it is in a separate file? " " See SSLCertificateKeyFile]", szPath); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } /* @@ -493,7 +493,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) "Init: Multiple %s server private keys not " "allowed", an); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - ssl_die(); + ssl_die(s); } algoKey |= at; diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index f393ecfad4..1ce069eb77 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -906,7 +906,7 @@ int ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *); #define SSL_STAPLING_MUTEX_TYPE "ssl-stapling" /** Logfile Support */ -void ssl_die(void); +void ssl_die(server_rec *); void ssl_log_ssl_error(const char *, int, int, server_rec *); /* ssl_log_xerror, ssl_log_cxerror and ssl_log_rxerror are wrappers for the diff --git a/modules/ssl/ssl_scache.c b/modules/ssl/ssl_scache.c index 2c8d1bc8ad..d32f8e1dd6 100644 --- a/modules/ssl/ssl_scache.c 
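Review bot: The changed prototype `void ssl_die(server_rec *);` in ssl_private.h carries no documentation of the new contract: that the argument may be NULL, that a virtual host's record is used only to point at its error log, and that the function never returns. A Doxygen comment above it, such as `/** Log a fatal initialisation message to the main error log (naming s's ErrorLog when s is a virtual host) and exit(1); s may be NULL. */`, would make the exit behaviour visible to callers. Marking the prototype with a noreturn attribute where the compiler supports one would additionally let the compiler flag the dead `return;` that follows `ssl_die(s);` in the ssl_init_proxy_certs hunk.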
+++ b/modules/ssl/ssl_scache.c @@ -63,7 +63,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p) if (rv) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01872) "Could not initialize stapling cache. Exiting."); - ssl_die(); + ssl_die(s); } } #endif @@ -88,7 +88,7 @@ void ssl_scache_init(server_rec *s, apr_pool_t *p) if (rv) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01874) "Could not initialize session cache. Exiting."); - ssl_die(); + ssl_die(s); } } diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c index 55b051e99f..475fe4d2d9 100644 --- a/modules/ssl/ssl_util.c +++ b/modules/ssl/ssl_util.c @@ -286,7 +286,7 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7) f = fopen(pkcs7, "r"); if (!f) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02212) "Can't open %s", pkcs7); - ssl_die(); + ssl_die(s); } p7 = PEM_read_PKCS7(f, NULL, NULL, NULL); @@ -313,13 +313,13 @@ STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7) default: ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02213) "Don't understand PKCS7 file %s", pkcs7); - ssl_die(); + ssl_die(s); } if (!certs) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02214) "No certificates in %s", pkcs7); - ssl_die(); + ssl_die(s); } fclose(f); diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index 3ff08dcc67..89be7f530e 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c 
@@ -662,12 +662,12 @@ void modssl_init_stapling(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, if (mc->stapling_cache == NULL) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01958) "SSLStapling: no stapling cache available"); - ssl_die(); + ssl_die(s); } if (ssl_stapling_mutex_init(s, ptemp) == FALSE) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01959) "SSLStapling: cannot initialise stapling mutex"); - ssl_die(); + ssl_die(s); } /* Set some default values for parameters if they are not set */ if (mctx->stapling_resptime_skew == UNSET) {