From: Kaspar Brand Date: Mon, 15 Aug 2011 05:15:17 +0000 (+0000) Subject: Improve ssl_log_cxerror(): X-Git-Tag: 2.3.15~380 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4011df375e0a24ede54da11fecfc16f4251e62fa;p=apache Improve ssl_log_cxerror(): Fix logic of APLOG_IS_LEVEL check. Use X509_NAME_print_ex() instead of deprecated X509_NAME_oneline(). Use i2a_ASN1_INTEGER for printing the serial number. Add notBefore and notAfter dates to log line. Check for null cert argument (addresses PR 47408). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1157712 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1297f0e50a..3ac4a45ec8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15 + *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand] + *) mod_authz_groupfile: Increase length limit of lines in the group file to 16MB. PR 43084. [Stefan Fritsch] diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c index 055020105a..a4f52c6931 100644 --- a/modules/ssl/ssl_engine_log.c +++ b/modules/ssl/ssl_engine_log.c 
@@ -114,43 +114,61 @@ void ssl_log_cxerror(const char *file, int line, int level,
 {
 va_list ap;
 char buf[HUGE_STRING_LEN];
- char *sname, *iname, *serial;
- BIGNUM *bn;
 
- if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
+ if (!APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
 /* Bail early since the rest of this function is expensive. */
 return;
 }
 
- sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
- iname = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
- bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
- serial = bn && !BN_is_zero(bn) ? BN_bn2hex(bn) : NULL;
-
 va_start(ap, format);
 apr_vsnprintf(buf, sizeof buf, format, ap);
 va_end(ap);
 
- ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c,
- "%s [subject: %s, issuer: %s, serial: %s]",
- buf,
- sname ? sname : "-unknown-",
- iname ? iname : "-unknown-",
- serial ? serial : "-unknown-");
-
- if (sname) {
- OPENSSL_free(sname);
- }
-
- if (iname) {
- OPENSSL_free(iname);
- }
-
- if (serial) {
- OPENSSL_free(serial);
- }
+ if (cert) {
+ BIO *bio = BIO_new(BIO_s_mem());
+
+ if (bio) {
+ int n, msglen;
+
+ BIO_puts(bio, " [subject: ");
+ n = X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+ XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV);
+ if (n == 0) {
+ BIO_puts(bio, "-empty-");
+ } else if (n < 0) {
+ BIO_puts(bio, "(ERROR)");
+ }
 
- if (bn) {
- BN_free(bn);
+ BIO_puts(bio, " / issuer: ");
+ n = X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+ XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV);
+ if (n == 0) {
+ BIO_puts(bio, "-empty-");
+ } else if (n < 0) {
+ BIO_puts(bio, "(ERROR)");
+ }
+
+ BIO_puts(bio, " / serial: ");
+ if (i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)) == -1)
+ BIO_puts(bio, "(ERROR)");
+
+ BIO_puts(bio, " / notbefore: ");
+ ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+ BIO_puts(bio, " / notafter: ");
+ ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+ BIO_puts(bio, "]");
+
+ msglen = strlen(buf);
+ n = BIO_read(bio, buf + msglen, sizeof buf - msglen - 1);
+ if (n > 0)
+ buf[msglen + n] = '\0';
+
+ BIO_free(bio);
+ }
 }
+
+ ap_log_cerror(file, line, APLOG_MODULE_INDEX, level, rv, c,
+ "%s%s", buf, cert ? "" : " [certificate: -not available-]");
 }
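Review bot: The two new `ASN1_UTCTIME_print(bio, X509_get_notBefore(cert))` / `ASN1_UTCTIME_print(bio, X509_get_notAfter(cert))` calls near the end of the hunk only accept the UTCTime encoding, but X.509 validity fields may be GeneralizedTime (RFC 5280 requires it for dates from 2050 on, and some long-lived certificates already carry it), and for those ASN1_UTCTIME_print writes "Bad time value" into the log line instead of the date. `ASN1_TIME_print(bio, X509_get_notBefore(cert));` and `ASN1_TIME_print(bio, X509_get_notAfter(cert));` handle both encodings and should be used instead. The `n = BIO_read(bio, buf + msglen, sizeof buf - msglen - 1);` copy also truncates the certificate summary silently when a long formatted message leaves little room, so the closing `]` or the whole notafter field can disappear; a comment such as `/* best-effort: certificate details are cut off if buf is nearly full */` next to it would spare readers of the log format a surprise. Note that the signature of ssl_log_cxerror precedes the hunk; its body is covered in full.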