From cc94935e7e609ff50f009d3bd967cf3581d07dcd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20Kalu=C5=BEa?=
Date: Thu, 16 Jan 2014 12:49:37 +0000
Subject: [PATCH] mod_ssl: Do not print content of SSL CA directories during -DDUMP_CA_CERTS, make -DDUMP_CERTS and -DDUMP_CA_CERTS mutually exclusive and document them.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1558775 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/programs/httpd.xml | 6 +++-
 modules/ssl/ssl_engine_config.c | 51 ++++++--------------------------
 2 files changed, 13 insertions(+), 44 deletions(-)

diff --git a/docs/manual/programs/httpd.xml b/docs/manual/programs/httpd.xml
index d41333c189..b1740ce9bd 100644
--- a/docs/manual/programs/httpd.xml
+++ b/docs/manual/programs/httpd.xml
@@ -158,7 +158,11 @@ immediately exits after these syntax parsing tests with either a return code of 0 (Syntax OK) or return code not equal to 0 (Syntax Error). If -D DUMP_VHOSTS is also set, details of the virtual host configuration will be printed. If -D DUMP_MODULES is
-set, all loaded modules will be printed.
+set, all loaded modules will be printed. If -D DUMP_CERTS
+is set and mod_ssl is used, configured SSL certificates will
+be printed. If -D DUMP_CA__CERTS is set and
+mod_ssl is used, configured SSL CA certificates and configured
+directories containing SSL CA certificates will be printed.
-v
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index f194034f31..f69b6bfcae 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1851,50 +1851,14 @@ const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg,
 #endif /* HAVE_SRP */
-static void dump_ca_cert_file(apr_file_t *out, const char *file) {
-    X509 *rc;
-    BIO *bioS;
-
-    if ((bioS=BIO_new_file(file, "r")) == NULL) {
-        return;
-    }
-
-    /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
-     * loads only file of PEM formatted certificates, so we have to load
-     * only PEM here too, to stay consistent.
-     */
-    rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
-    BIO_free(bioS);
-    if (rc) {
-        apr_file_printf(out, " %s\n", file);
-        X509_free(rc);
-    }
-}
-
-static void dump_ca_cert_path(apr_pool_t *pool, apr_file_t *out,
-                              const char *ca_cert_path)
+void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
-    apr_dir_t *dir;
-    apr_finfo_t direntry;
-    apr_int32_t finfo_flags = APR_FINFO_TYPE|APR_FINFO_NAME;
-
-    if (apr_dir_open(&dir, ca_cert_path, pool) != APR_SUCCESS) {
+    apr_file_t *out = NULL;
+    if (ap_exists_config_define("DUMP_CERTS") &&
+        ap_exists_config_define("DUMP_CA_CERTS")) {
         return;
     }
-    while ((apr_dir_read(&direntry, finfo_flags, dir)) == APR_SUCCESS) {
-        char *file;
-        if (direntry.filetype == APR_DIR) {
-            continue; /* don't try to load directories */
-        }
-        file = apr_pstrcat(pool, ca_cert_path, "/", direntry.name, NULL);
-        dump_ca_cert_file(out, file);
-    }
-}
-
-void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
-{
-    apr_file_t *out = NULL;
     if (ap_exists_config_define("DUMP_CERTS")) {
         apr_file_open_stdout(&out, pconf);
         apr_file_printf(out, "Server certificates:\n");
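Review bot: The new guard at the top of ssl_hook_ConfigTest returns silently when both DUMP_CERTS and DUMP_CA_CERTS are defined, so an operator who passes both defines to a config test gets no dump and no hint why; a diagnostic before the `return;` would make the exclusion visible, e.g. `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "DUMP_CERTS and DUMP_CA_CERTS are mutually exclusive; specify only one");`. The docs hunk in this commit does not say that the two defines are mutually exclusive, and it spells the second one `DUMP_CA__CERTS` (double underscore), which does not match the `"DUMP_CA_CERTS"` literal compared here. The function continues past the end of the hunk.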
@@ -1933,11 +1897,12 @@ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
         if (sc && sc->server) {
             if (sc->server->auth.ca_cert_path) {
-                dump_ca_cert_path(pconf, out,
-                                  sc->server->auth.ca_cert_path);
+                apr_file_printf(out, " %s\n",
+                                sc->server->auth.ca_cert_path);
             }
             if (sc->server->auth.ca_cert_file) {
-                dump_ca_cert_file(out, sc->server->auth.ca_cert_file);
+                apr_file_printf(out, " %s\n",
+                                sc->server->auth.ca_cert_file);
             }
         }
-- 
2.40.0
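Review bot: The two new apr_file_printf calls print ca_cert_path and ca_cert_file with the same `" %s\n"` format, so the listing no longer distinguishes a CA directory from a CA file, and, unlike the removed helpers that only listed entries PEM_read_bio_X509 could parse, it no longer tells the operator whether the configured path exists or is readable. A label in the format string, e.g. `apr_file_printf(out, " %s (directory)\n", sc->server->auth.ca_cert_path);` in the path branch and a matching `(file)` suffix in the file branch, keeps the output cheap while making it self-describing; an apr_stat() existence check before printing would presumably go further, but how much -t should verify is a judgment call. The enclosing function starts and ends outside the hunk.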