From bdad52f9e21ad4a009863964c9e57ebb7f43a964 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20Kalu=C5=BEa?=
Date: Wed, 11 Dec 2013 07:16:28 +0000
Subject: [PATCH] mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all configured SSL CA certificates to stdout the same way as DUMP_CERTS does.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1550060 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 ++
 modules/ssl/ssl_engine_config.c | 93 ++++++++++++++++++++++++++++-----
 2 files changed, 82 insertions(+), 14 deletions(-)
diff --git a/CHANGES b/CHANGES
index 25224923a2..4a868ea903 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
+ configured SSL CA certificates to stdout the same way as DUMP_CERTS does.
+ [Jan Kaluza]
 *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk. PR55833. [Eric Covener]
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 4a01ef0d63..4f9db0b362 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1870,30 +1870,95 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
 #endif /* HAVE_SRP */
+static void dump_ca_cert_file(apr_file_t *out, const char *file) {
+ X509 *rc;
+ BIO *bioS;
+
+ if ((bioS=BIO_new_file(file, "r")) == NULL) {
+ return;
+ }
+
+ /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
+ * loads only file of PEM formatted certificates, so we have to load
+ * only PEM here too, to stay consistent.
+ */
+ rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
+ BIO_free(bioS);
+ if (rc) {
+ apr_file_printf(out, " %s\n", file);
+ X509_free(rc);
+ }
+}
+
+static void dump_ca_cert_path(apr_pool_t *pool, apr_file_t *out,
+ const char *ca_cert_path)
+{
+ apr_dir_t *dir;
+ apr_finfo_t direntry;
+ apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
+
+ if (apr_dir_open(&dir, ca_cert_path, pool) != APR_SUCCESS) {
+ return;
+ }
+
+ while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
+ char *file;
+ if (direntry.filetype == APR_DIR) {
+ continue; /* don't try to load directories */
+ }
+ file = apr_pstrcat(pool, ca_cert_path, "/", direntry.name, NULL);
+ dump_ca_cert_file(out, file);
+ }
+}
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
 apr_file_t *out = NULL;
- if (!ap_exists_config_define("DUMP_CERTS")) {
+ if (ap_exists_config_define("DUMP_CERTS")) {
+ apr_file_open_stdout(&out, pconf);
+ apr_file_printf(out, "Server certificates:\n");
+
+ /* Dump the filenames of all configured server certificates to
+ * stdout. */
+ while (s) {
+ SSLSrvConfigRec *sc = mySrvConfig(s);
+
+ if (sc && sc->server && sc->server->pks) {
+ modssl_pk_server_t *const pks = sc->server->pks;
+ int i;
+
+ for (i = 0; (i < SSL_AIDX_MAX) && pks->cert_files[i]; i++) {
+ apr_file_printf(out, " %s\n", pks->cert_files[i]);
+ }
+ }
+
+ s = s->next;
+ }
 return;
 }
- apr_file_open_stdout(&out, pconf);
- apr_file_printf(out, "Server certificates:\n");
- /* Dump the filenames of all configured server certificates to
- * stdout. */
- while (s) {
- SSLSrvConfigRec *sc = mySrvConfig(s);
+ if (ap_exists_config_define("DUMP_CA_CERTS")) {
+ apr_file_open_stdout(&out, pconf);
+ apr_file_printf(out, "Server CA certificates:\n");
- if (sc && sc->server && sc->server->pks) {
- modssl_pk_server_t *const pks = sc->server->pks;
- int i;
+ /* Dump the filenames of all configured server CA certificates to
+ * stdout. */
+ while (s) {
+ SSLSrvConfigRec *sc = mySrvConfig(s);
- for (i = 0; (i < SSL_AIDX_MAX) && pks->cert_files[i]; i++) {
- apr_file_printf(out, " %s\n", pks->cert_files[i]);
+ if (sc && sc->server) {
+ if (sc->server->auth.ca_cert_path) {
+ dump_ca_cert_path(pconf, out,
+ sc->server->auth.ca_cert_path);
+ }
+ if (sc->server->auth.ca_cert_file) {
+ dump_ca_cert_file(out, sc->server->auth.ca_cert_file);
+ }
 }
- }
- s = s->next;
+ s = s->next;
+ }
+ return;
 }
 }
-- 
2.40.0
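Review bot: In ssl_hook_ConfigTest the two defines are mutually exclusive: the `return;` at the end of the DUMP_CERTS branch means `-DDUMP_CERTS -DDUMP_CA_CERTS` prints only the server certificates, and because both loops advance `s` itself, simply dropping that return would leave the DUMP_CA_CERTS branch with `s == NULL`. Iterating each branch over a local `server_rec *sr` and opening stdout only once lets both dumps run in a single pass, which is what an administrator comparing the two lists expects. Separately, dump_ca_cert_path never calls `apr_dir_close(dir)` after the read loop, so the handle is only released by the pconf cleanup; adding `apr_dir_close(dir);` before the closing brace fixes that. dump_ca_cert_file also silently omits a configured ca_cert_file that cannot be opened or is not PEM, so a mistyped path yields an empty section rather than a hint; printing the name with a marker such as `(unreadable)` would make the `-t` output more useful for diagnosing configuration errors.
```c
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
    apr_file_t *out = NULL;
    server_rec *sr;

    if (ap_exists_config_define("DUMP_CERTS")) {
        apr_file_open_stdout(&out, pconf);
        apr_file_printf(out, "Server certificates:\n");
        for (sr = s; sr; sr = sr->next) {
            /* … unchanged: per-server cert_files loop, with sc = mySrvConfig(sr) … */
        }
    }

    if (ap_exists_config_define("DUMP_CA_CERTS")) {
        if (!out) {
            apr_file_open_stdout(&out, pconf);
        }
        apr_file_printf(out, "Server CA certificates:\n");
        for (sr = s; sr; sr = sr->next) {
            /* … unchanged: per-server ca_cert_path / ca_cert_file dump, with sc = mySrvConfig(sr) … */
        }
    }
}
```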