Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
ssl_log_ssl_error() function that wraps ap_log_error instead. This begins the migration from ssl_log() -> ap_log_error(). Divorcing ourselves from the SSL_ADD_SSLERR option is required to make the next pass easier. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95122 13f79535-47bb-0310-9956-ffa450edef68
@@ -327,8 +327,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
|
|||||||
* so we can detach later.
|
* so we can detach later.
|
||||||
*/
|
*/
|
||||||
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
|
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"Unable to create a new SSL connection from the SSL context");
|
"Unable to create a new SSL connection from the SSL context");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
|
|
||||||
c->aborted = 1;
|
c->aborted = 1;
|
||||||
|
|
||||||
@@ -340,8 +341,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
|
|||||||
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
|
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
|
||||||
MD5_DIGESTSIZE*2))
|
MD5_DIGESTSIZE*2))
|
||||||
{
|
{
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"Unable to set session id context to `%s'", vhost_md5);
|
"Unable to set session id context to `%s'", vhost_md5);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
|
|
||||||
c->aborted = 1;
|
c->aborted = 1;
|
||||||
|
|
||||||
@@ -408,8 +410,9 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
|
|||||||
if (sslconn->is_proxy) {
|
if (sslconn->is_proxy) {
|
||||||
if ((n = SSL_connect(filter->pssl)) <= 0) {
|
if ((n = SSL_connect(filter->pssl)) <= 0) {
|
||||||
ssl_log(c->base_server,
|
ssl_log(c->base_server,
|
||||||
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
|
SSL_LOG_ERROR|SSL_ADD_ERRNO,
|
||||||
"SSL Proxy connect failed");
|
"SSL Proxy connect failed");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
return ssl_abort(filter, c);
|
return ssl_abort(filter, c);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -450,15 +453,17 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
|
|||||||
{
|
{
|
||||||
if (errno > 0) {
|
if (errno > 0) {
|
||||||
ssl_log(c->base_server,
|
ssl_log(c->base_server,
|
||||||
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
|
SSL_LOG_ERROR|SSL_ADD_ERRNO,
|
||||||
"SSL handshake interrupted by system "
|
"SSL handshake interrupted by system "
|
||||||
"[Hint: Stop button pressed in browser?!]");
|
"[Hint: Stop button pressed in browser?!]");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
ssl_log(c->base_server,
|
ssl_log(c->base_server,
|
||||||
SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
|
SSL_LOG_INFO|SSL_ADD_ERRNO,
|
||||||
"Spurious SSL handshake interrupt [Hint: "
|
"Spurious SSL handshake interrupt [Hint: "
|
||||||
"Usually just one of those OpenSSL confusions!?]");
|
"Usually just one of those OpenSSL confusions!?]");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
@@ -466,10 +471,11 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
|
|||||||
* Ok, anything else is a fatal error
|
* Ok, anything else is a fatal error
|
||||||
*/
|
*/
|
||||||
ssl_log(c->base_server,
|
ssl_log(c->base_server,
|
||||||
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
|
SSL_LOG_ERROR|SSL_ADD_ERRNO,
|
||||||
"SSL handshake failed (server %s, client %s)",
|
"SSL handshake failed (server %s, client %s)",
|
||||||
ssl_util_vhostid(c->pool, c->base_server),
|
ssl_util_vhostid(c->pool, c->base_server),
|
||||||
c->remote_ip ? c->remote_ip : "unknown");
|
c->remote_ip ? c->remote_ip : "unknown");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
}
|
}
|
||||||
|
|
||||||
return ssl_abort(filter, c);
|
return ssl_abort(filter, c);
|
||||||
@@ -494,19 +500,21 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
|
|||||||
* optional_no_ca doesn't appear to work as advertised
|
* optional_no_ca doesn't appear to work as advertised
|
||||||
* in 1.x
|
* in 1.x
|
||||||
*/
|
*/
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"SSL client authentication failed, "
|
"SSL client authentication failed, "
|
||||||
"accepting certificate based on "
|
"accepting certificate based on "
|
||||||
"\"SSLVerifyClient optional_no_ca\" configuration");
|
"\"SSLVerifyClient optional_no_ca\" configuration");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
const char *error = sslconn->verify_error ?
|
const char *error = sslconn->verify_error ?
|
||||||
sslconn->verify_error :
|
sslconn->verify_error :
|
||||||
X509_verify_cert_error_string(verify_result);
|
X509_verify_cert_error_string(verify_result);
|
||||||
|
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"SSL client authentication failed: %s",
|
"SSL client authentication failed: %s",
|
||||||
error ? error : "unknown");
|
error ? error : "unknown");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
|
|
||||||
return ssl_abort(filter, c);
|
return ssl_abort(filter, c);
|
||||||
}
|
}
|
||||||
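Review bot: The new `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server)` calls in ssl_hook_pre_connection and ssl_hook_process_connection pass only the server record, so the "SSL Library Error" lines carry no client identifier. The preceding "SSL handshake failed (server %s, client %s)" message does name the client. With concurrent handshakes the detail lines can interleave with other connections' output, which makes it hard to attribute a library error to a peer when triaging handshake failures. Consider letting the helper take the `conn_rec` (or a caller-supplied prefix) so each detail line repeats `c->remote_ip`. Both functions continue outside the hunks shown.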
|
@@ -707,6 +707,7 @@ int ssl_mutex_off(server_rec *);
|
|||||||
void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
|
void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
|
||||||
void ssl_log(server_rec *, int, const char *, ...);
|
void ssl_log(server_rec *, int, const char *, ...);
|
||||||
void ssl_die(void);
|
void ssl_die(void);
|
||||||
|
void ssl_log_ssl_error(const char *, int, int, server_rec *);
|
||||||
|
|
||||||
/* Variables */
|
/* Variables */
|
||||||
void ssl_var_register(void);
|
void ssl_var_register(void);
|
||||||
|
@@ -549,9 +549,10 @@ static void ssl_init_ctx_verify(server_rec *s,
|
|||||||
mctx->auth.ca_cert_file,
|
mctx->auth.ca_cert_file,
|
||||||
mctx->auth.ca_cert_path))
|
mctx->auth.ca_cert_path))
|
||||||
{
|
{
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to configure verify locations "
|
"Unable to configure verify locations "
|
||||||
"for client authentication");
|
"for client authentication");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -604,8 +605,9 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
|
|||||||
suite);
|
suite);
|
||||||
|
|
||||||
if (!SSL_CTX_set_cipher_list(ctx, suite)) {
|
if (!SSL_CTX_set_cipher_list(ctx, suite)) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to configure permitted SSL ciphers");
|
"Unable to configure permitted SSL ciphers");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -631,9 +633,10 @@ static void ssl_init_ctx_crl(server_rec *s,
|
|||||||
(char *)mctx->crl_path);
|
(char *)mctx->crl_path);
|
||||||
|
|
||||||
if (!mctx->crl) {
|
if (!mctx->crl) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to configure X.509 CRL storage "
|
"Unable to configure X.509 CRL storage "
|
||||||
"for certificate revocation");
|
"for certificate revocation");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -730,14 +733,16 @@ static int ssl_server_import_cert(server_rec *s,
|
|||||||
|
|
||||||
ptr = asn1->cpData;
|
ptr = asn1->cpData;
|
||||||
if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
|
if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to import %s server certificate", type);
|
"Unable to import %s server certificate", type);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
|
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to configure %s server certificate", type);
|
"Unable to configure %s server certificate", type);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -768,14 +773,16 @@ static int ssl_server_import_key(server_rec *s,
|
|||||||
ptr = asn1->cpData;
|
ptr = asn1->cpData;
|
||||||
if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData)))
|
if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData)))
|
||||||
{
|
{
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to import %s server private key", type);
|
"Unable to import %s server private key", type);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
|
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Unable to configure %s server private key", type);
|
"Unable to configure %s server private key", type);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -788,8 +795,9 @@ static int ssl_server_import_key(server_rec *s,
|
|||||||
|
|
||||||
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
|
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
|
||||||
EVP_PKEY_copy_parameters(pubkey, pkey);
|
EVP_PKEY_copy_parameters(pubkey, pkey);
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
|
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
|
||||||
"Copying DSA parameters from private key to certificate");
|
"Copying DSA parameters from private key to certificate");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
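Review bot: In ssl_server_import_key, the added `ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s)` after "Copying DSA parameters from private key to certificate" does not follow a detected OpenSSL failure. The result of `EVP_PKEY_copy_parameters(pubkey, pkey)` is never tested, so the call logs whatever is left in the error queue and attributes it to this step. Either check that return value and log only on failure, or drop the call at this site. The same applies in ssl_pphrase_Handle to the calls after "Multiple %s server certificates not allowed", "PassPhraseDialog BuiltIn not supported ..." and "Multiple %s server private keys not allowed", which, as far as the hunks show, are configuration checks rather than library errors. The enclosing functions extend beyond the hunks.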
|
@@ -502,8 +502,9 @@ static int ssl_io_hook_read(SSL *ssl, char *buf, int len)
|
|||||||
* Log SSL errors
|
* Log SSL errors
|
||||||
*/
|
*/
|
||||||
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"SSL error on reading data");
|
"SSL error on reading data");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -534,8 +535,9 @@ static int ssl_io_hook_write(SSL *ssl, unsigned char *buf, int len)
|
|||||||
* Log SSL errors
|
* Log SSL errors
|
||||||
*/
|
*/
|
||||||
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
|
||||||
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(c->base_server, SSL_LOG_ERROR,
|
||||||
"SSL error on writing data");
|
"SSL error on writing data");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
* XXX - Just trying to reflect the behaviour in
|
* XXX - Just trying to reflect the behaviour in
|
||||||
@@ -763,9 +765,10 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
|
|||||||
switch (status) {
|
switch (status) {
|
||||||
case HTTP_BAD_REQUEST:
|
case HTTP_BAD_REQUEST:
|
||||||
/* log the situation */
|
/* log the situation */
|
||||||
ssl_log(f->c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(f->c->base_server, SSL_LOG_ERROR,
|
||||||
"SSL handshake failed: HTTP spoken on HTTPS port; "
|
"SSL handshake failed: HTTP spoken on HTTPS port; "
|
||||||
"trying to send HTML error page");
|
"trying to send HTML error page");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
|
||||||
|
|
||||||
/* fake the request line */
|
/* fake the request line */
|
||||||
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
|
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
|
||||||
|
@@ -411,9 +411,10 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
|
|
||||||
/* configure new state */
|
/* configure new state */
|
||||||
if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
|
if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
|
||||||
ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
|
ssl_log(r->server, SSL_LOG_WARN,
|
||||||
"Unable to reconfigure (per-directory) "
|
"Unable to reconfigure (per-directory) "
|
||||||
"permitted SSL ciphers");
|
"permitted SSL ciphers");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
|
||||||
|
|
||||||
if (cipher_list_old) {
|
if (cipher_list_old) {
|
||||||
sk_SSL_CIPHER_free(cipher_list_old);
|
sk_SSL_CIPHER_free(cipher_list_old);
|
||||||
@@ -600,9 +601,10 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
cert_store = X509_STORE_new();
|
cert_store = X509_STORE_new();
|
||||||
|
|
||||||
if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
|
if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
|
||||||
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(r->server, SSL_LOG_ERROR,
|
||||||
"Unable to reconfigure verify locations "
|
"Unable to reconfigure verify locations "
|
||||||
"for client authentication");
|
"for client authentication");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
|
||||||
|
|
||||||
X509_STORE_free(cert_store);
|
X509_STORE_free(cert_store);
|
||||||
|
|
||||||
@@ -756,8 +758,9 @@ int ssl_hook_Access(request_rec *r)
|
|||||||
(char *)ssl);
|
(char *)ssl);
|
||||||
|
|
||||||
if (!modssl_X509_verify_cert(&cert_store_ctx)) {
|
if (!modssl_X509_verify_cert(&cert_store_ctx)) {
|
||||||
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(r->server, SSL_LOG_ERROR,
|
||||||
"Re-negotiation verification step failed");
|
"Re-negotiation verification step failed");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_set_verify_result(ssl, cert_store_ctx.error);
|
SSL_set_verify_result(ssl, cert_store_ctx.error);
|
||||||
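Review bot: In the first ssl_hook_Access hunk the main message stays at `SSL_LOG_WARN`, but the added detail call uses `APLOG_ERR`. The library error lines are therefore logged at a higher severity than the message they explain, and they still appear when LogLevel would filter out the warning. The handshake hunks pair `SSL_LOG_INFO` with `APLOG_INFO`, so matching levels looks like the intent; use `ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, r->server);` here. ssl_hook_Access continues outside the hunk.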
|
@@ -321,3 +321,27 @@ void ssl_die(void)
|
|||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Prints the SSL library error information.
|
||||||
|
*/
|
||||||
|
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
|
||||||
|
{
|
||||||
|
unsigned long e;
|
||||||
|
|
||||||
|
while ((e = ERR_get_error())) {
|
||||||
|
char *err, *annotation;
|
||||||
|
err = ERR_error_string(e, NULL);
|
||||||
|
annotation = ssl_log_annotation(err);
|
||||||
|
|
||||||
|
if (annotation) {
|
||||||
|
ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
|
||||||
|
"SSL Library Error: %ld %s %s",
|
||||||
|
e, err, annotation);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
|
||||||
|
"SSL Library Error: %ld %s",
|
||||||
|
e, err);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
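Review bot: `ERR_error_string(e, NULL)` in ssl_log_ssl_error returns a pointer into a static buffer inside OpenSSL, so two threads logging at once under a threaded MPM can overwrite each other's text before `ap_log_error` formats it. Use a local buffer instead: `char err[256];` and `ERR_error_string_n(e, err, sizeof(err));`. The format strings also print the `unsigned long` code with `%ld`; `%lu` matches the type. The header comment should say that the function drains the whole OpenSSL error queue and emits one log line per entry, so callers know the queue is empty afterwards.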
|
@@ -230,8 +230,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
|
if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(s, SSL_LOG_ERROR,
|
||||||
"Init: Unable to read server certificate from file %s", szPath);
|
"Init: Unable to read server certificate from file %s", szPath);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -242,8 +243,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
at = ssl_util_algotypeof(pX509Cert, NULL);
|
at = ssl_util_algotypeof(pX509Cert, NULL);
|
||||||
an = ssl_util_algotypestr(at);
|
an = ssl_util_algotypestr(at);
|
||||||
if (algoCert & at) {
|
if (algoCert & at) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(s, SSL_LOG_ERROR,
|
||||||
"Init: Multiple %s server certificates not allowed", an);
|
"Init: Multiple %s server certificates not allowed", an);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
algoCert |= at;
|
algoCert |= at;
|
||||||
@@ -409,8 +411,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
}
|
}
|
||||||
#ifdef WIN32
|
#ifdef WIN32
|
||||||
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
|
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(s, SSL_LOG_ERROR,
|
||||||
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
|
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
#endif /* WIN32 */
|
#endif /* WIN32 */
|
||||||
@@ -422,12 +425,14 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
if (nPassPhraseDialogCur && pkey_mtime &&
|
if (nPassPhraseDialogCur && pkey_mtime &&
|
||||||
!(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
|
!(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
|
||||||
{
|
{
|
||||||
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(pServ, SSL_LOG_ERROR,
|
||||||
"Init: Unable read passphrase "
|
"Init: Unable read passphrase "
|
||||||
"[Hint: key introduced or changed before restart?]");
|
"[Hint: key introduced or changed before restart?]");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
|
ssl_log(pServ, SSL_LOG_ERROR, "Init: Private key not found");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
|
||||||
}
|
}
|
||||||
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
||||||
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
||||||
@@ -436,7 +441,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
|
ssl_log(pServ, SSL_LOG_ERROR, "Init: Pass phrase incorrect");
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
|
||||||
|
|
||||||
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|
||||||
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
|
||||||
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
|
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
|
||||||
@@ -447,8 +454,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (pPrivateKey == NULL) {
|
if (pPrivateKey == NULL) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(s, SSL_LOG_ERROR,
|
||||||
"Init: Unable to read server private key from file %s [Hint: Perhaps it is in a separate file? See SSLCertificateKeyFile]", szPath);
|
"Init: Unable to read server private key from file %s [Hint: Perhaps it is in a separate file? See SSLCertificateKeyFile]", szPath);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -459,8 +467,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
|
|||||||
at = ssl_util_algotypeof(NULL, pPrivateKey);
|
at = ssl_util_algotypeof(NULL, pPrivateKey);
|
||||||
an = ssl_util_algotypestr(at);
|
an = ssl_util_algotypestr(at);
|
||||||
if (algoKey & at) {
|
if (algoKey & at) {
|
||||||
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
|
ssl_log(s, SSL_LOG_ERROR,
|
||||||
"Init: Multiple %s server private keys not allowed", an);
|
"Init: Multiple %s server private keys not allowed", an);
|
||||||
|
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
|
||||||
ssl_die();
|
ssl_die();
|
||||||
}
|
}
|
||||||
algoKey |= at;
|
algoKey |= at;
|
||||||
|