* modules/ssl/ssl_engine_log.c (ssl_log_cxerror): New function,

factored out from ssl_callback_SSLVerify.

* modules/ssl/ssl_private: Add prototype.

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Use it.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@597651 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

@@ -1256,26 +1256,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Log verification information
      */
-    if (s->loglevel >= APLOG_DEBUG) {
-        X509 *cert  = X509_STORE_CTX_get_current_cert(ctx);
-        char *sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-        char *iname = X509_NAME_oneline(X509_get_issuer_name(cert),  NULL, 0);
-
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
-                      "Certificate Verification: "
-                      "depth: %d, subject: %s, issuer: %s",
-                      errdepth,
-                      sname ? sname : "-unknown-",
-                      iname ? iname : "-unknown-");
-
-        if (sname) {
-            modssl_free(sname);
-        }
-
-        if (iname) {
-            modssl_free(iname);
-        }
-    }
+    ssl_log_cxerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
+                    X509_STORE_CTX_get_current_cert(ctx),
+                    "Certificate Verification, depth %d",
+                    errdepth);
 
     /*
      * Check for optionally acceptable non-verifiable issuer situation

modules/ssl/ssl_engine_log.c

@@ -107,3 +107,38 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
         ERR_get_error();
     }
 }
+
+void ssl_log_cxerror(const char *file, int line, int level, 
+                     apr_status_t rv, conn_rec *c, X509 *cert,
+                     const char *format, ...)
+{
+    va_list ap;
+    char buf[HUGE_STRING_LEN];
+    char *sname, *iname;
+    
+    if (c->base_server->loglevel < level) {
+        /* Bail early since the rest of this function is expensive. */
+        return;
+    }
+
+    sname = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
+    iname = X509_NAME_oneline(X509_get_issuer_name(cert),  NULL, 0);
+    
+    va_start(ap, format);
+    apr_vsnprintf(buf, sizeof buf, format, ap);
+    va_end(ap);
+
+    ap_log_cerror(file, line, level, rv, c, 
+                  "%s [peer subject: %s, issuer: %s]",
+                  buf,
+                  sname ? sname : "-unknown-",
+                  iname ? iname : "-unknown-");
+
+    if (sname) {
+        modssl_free(sname);
+    }
+    
+    if (iname) {
+        modssl_free(iname);
+    }
+}

modules/ssl/ssl_private.h

@@ -679,6 +679,16 @@ int          ssl_mutex_off(server_rec *);
 void         ssl_die(void);
 void         ssl_log_ssl_error(const char *, int, int, server_rec *);
 
+/* ssl_log_cxerror is a wrapper for ap_log_cerror which takes the peer
+ * certificate as an additional argument and appends details of that
+ * cert to the log message.  All other arguments interpreted exactly
+ * as ap_log_cerror. */
+void ssl_log_cxerror(const char *file, int line, int level, 
+                     apr_status_t rv, conn_rec *c, X509 *cert,
+                     const char *format, ...)
+    __attribute__((format(printf,7,8)));
+
+
 /**  Variables  */
 
 /* Register variables for the lifetime of the process pool 'p'. */