From: Stefan Fritsch
Date: Sat, 16 Oct 2010 09:51:44 +0000 (+0000)
Subject: mod_ssl: Log certificate information if client cert verification
X-Git-Tag: 2.3.9~314
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=db980ab45eb9b1077e668ac403b5113f91bbb9b3;p=apache

mod_ssl: Log certificate information if client cert verification
fails.

PR: 50094
Submitted by: Lassi Tuura

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1023226 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index a083973d29..b2d0be8a08 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
     Fix a denial of service attack against mod_reqtimeout. [Stefan Fritsch]
 
+ *) mod_ssl: Log certificate information if client cert verification
+    fails. PR 50094. [Lassi Tuura , Stefan Fritsch]
+
  *) htcacheclean: Teach htcacheclean to limit cache size by number of
     inodes in addition to size of files. Prevents a cache disk from
     running out of space when many small files are cached.
 
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 82fee24dae..1fa0d4b4f8 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1557,6 +1557,35 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                       "Certificate Verification: Error (%d): %s",
                       errnum, X509_verify_cert_error_string(errnum));
+        if (APLOGcinfo(conn)) {
+            X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+            BIO *bio = BIO_new(BIO_s_mem());
+            char buff[512]; /* should be plenty */
+            int n;
+
+            if (bio) {
+                BIO_puts(bio, "Failed certificate: subject: '");
+                X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+                                   XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', issuer: '");
+                X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+                                   XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', notbefore: ");
+                ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+                BIO_puts(bio, ", notafter: ");
+                ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+                n = BIO_read(bio, buff, sizeof(buff) - 1);
+                BIO_free(bio);
+                if (n > 0) {
+                    buff[n] = '\0';
+                    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn, "%s", buff);
+                }
+            }
+        }
 
         if (sslconn->client_cert) {
             X509_free(sslconn->client_cert);
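Review bot: `cert` from `X509_STORE_CTX_get_current_cert(ctx)` is passed straight to `X509_get_subject_name`, `X509_get_issuer_name` and the notBefore/notAfter accessors, but OpenSSL documents that call as returning NULL when no certificate is relevant to the error, so depending on the verification failure this new logging path can dereference NULL inside the callback. Guarding the BIO allocation on it avoids both the dereference and a leaked BIO with a one-line change: `BIO *bio = cert ? BIO_new(BIO_s_mem()) : NULL;`. Separately, notBefore/notAfter are ASN1_TIME values that may be GeneralizedTime rather than UTCTime (dates from 2050 on), so `ASN1_TIME_print(bio, X509_get_notBefore(cert));` and `ASN1_TIME_print(bio, X509_get_notAfter(cert));` are the correct printers. The 512-byte buffer silently truncates long subject/issuer names because `BIO_read` stops at `sizeof(buff) - 1`, which is tolerable for a log line but deserves a comment saying so rather than "should be plenty"; `ssl_callback_SSLVerify` and the enclosing error branch both begin outside the hunk.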