
Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new

ssl_log_ssl_error() function that wraps ap_log_error instead.

This begins the migration from ssl_log() -> ap_log_error().  Divorcing
ourselves from the SSL_ADD_SSLERR option is required to make the next
pass easier.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95122 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Justin Erenkrantz
2002-05-15 23:10:33 +00:00
parent b9ecba8a50
commit d28c4dae36
7 changed files with 86 additions and 30 deletions


@@ -327,8 +327,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
* so we can detach later.
*/
if (!(ssl = SSL_new(mctx->ssl_ctx))) {
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR,
"Unable to create a new SSL connection from the SSL context");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
@@ -340,8 +341,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
MD5_DIGESTSIZE*2))
{
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR,
"Unable to set session id context to `%s'", vhost_md5);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
c->aborted = 1;
@@ -408,8 +410,9 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
if (sslconn->is_proxy) {
if ((n = SSL_connect(filter->pssl)) <= 0) {
ssl_log(c->base_server,
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
SSL_LOG_ERROR|SSL_ADD_ERRNO,
"SSL Proxy connect failed");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
return ssl_abort(filter, c);
}
@@ -450,15 +453,17 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
{
if (errno > 0) {
ssl_log(c->base_server,
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
SSL_LOG_ERROR|SSL_ADD_ERRNO,
"SSL handshake interrupted by system "
"[Hint: Stop button pressed in browser?!]");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
else {
ssl_log(c->base_server,
SSL_LOG_INFO|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
SSL_LOG_INFO|SSL_ADD_ERRNO,
"Spurious SSL handshake interrupt [Hint: "
"Usually just one of those OpenSSL confusions!?]");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
}
}
else {
@@ -466,10 +471,11 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
* Ok, anything else is a fatal error
*/
ssl_log(c->base_server,
SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_ADD_ERRNO,
SSL_LOG_ERROR|SSL_ADD_ERRNO,
"SSL handshake failed (server %s, client %s)",
ssl_util_vhostid(c->pool, c->base_server),
c->remote_ip ? c->remote_ip : "unknown");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
return ssl_abort(filter, c);
@@ -494,19 +500,21 @@ int ssl_hook_process_connection(SSLFilterRec *filter)
* optional_no_ca doesn't appear to work as advertised
* in 1.x
*/
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL client authentication failed, "
"accepting certificate based on "
"\"SSLVerifyClient optional_no_ca\" configuration");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
else {
const char *error = sslconn->verify_error ?
sslconn->verify_error :
X509_verify_cert_error_string(verify_result);
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL client authentication failed: %s",
error ? error : "unknown");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
return ssl_abort(filter, c);
}
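Review bot: In the SSL_connect failure branch (`if ((n = SSL_connect(filter->pssl)) <= 0)`) the new ssl_log_ssl_error() call only reports what is queued on OpenSSL's error stack; for failures OpenSSL classifies as SSL_ERROR_SYSCALL or SSL_ERROR_ZERO_RETURN (peer dropped the connection mid-handshake) that queue is typically empty, so the operator is left with "SSL Proxy connect failed" plus errno, and `n` is not consulted in the visible lines. Consider folding the reason from `SSL_get_error(filter->pssl, n)` into the ssl_log() message so the failure class is recorded even when ssl_log_ssl_error() emits nothing. The same consideration applies to the handshake-failure hunks later in this section and to ssl_io_hook_read/ssl_io_hook_write. ssl_hook_process_connection's body extends beyond these hunks.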


@@ -707,6 +707,7 @@ int ssl_mutex_off(server_rec *);
void ssl_log_open(server_rec *, server_rec *, apr_pool_t *);
void ssl_log(server_rec *, int, const char *, ...);
void ssl_die(void);
void ssl_log_ssl_error(const char *, int, int, server_rec *);
/* Variables */
void ssl_var_register(void);
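Review bot: The new prototype carries no documentation, and its calling convention (first two parameters supplied by APLOG_MARK, third an APLOG_* level) is not recoverable from `const char *, int, int`. A one-line comment above it such as `/* Log every pending entry of the calling thread's OpenSSL error queue via ap_log_error() at the given level, leaving the queue empty; pass APLOG_MARK for the first two arguments. */` would make the many call sites self-explanatory. Unnamed parameters match the surrounding declarations, so naming them is optional.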


@@ -549,9 +549,10 @@ static void ssl_init_ctx_verify(server_rec *s,
mctx->auth.ca_cert_file,
mctx->auth.ca_cert_path))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure verify locations "
"for client authentication");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
@@ -604,8 +605,9 @@ static void ssl_init_ctx_cipher_suite(server_rec *s,
suite);
if (!SSL_CTX_set_cipher_list(ctx, suite)) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure permitted SSL ciphers");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
}
@@ -631,9 +633,10 @@ static void ssl_init_ctx_crl(server_rec *s,
(char *)mctx->crl_path);
if (!mctx->crl) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure X.509 CRL storage "
"for certificate revocation");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
}
@@ -730,14 +733,16 @@ static int ssl_server_import_cert(server_rec *s,
ptr = asn1->cpData;
if (!(cert = d2i_X509(NULL, &ptr, asn1->nData))) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to import %s server certificate", type);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure %s server certificate", type);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
@@ -768,14 +773,16 @@ static int ssl_server_import_key(server_rec *s,
ptr = asn1->cpData;
if (!(pkey = d2i_PrivateKey(pkey_type, NULL, &ptr, asn1->nData)))
{
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to import %s server private key", type);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) <= 0) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Unable to configure %s server private key", type);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
@@ -788,8 +795,9 @@ static int ssl_server_import_key(server_rec *s,
if (pubkey && EVP_PKEY_missing_parameters(pubkey)) {
EVP_PKEY_copy_parameters(pubkey, pkey);
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT,
ssl_log(s, SSL_LOG_ERROR|SSL_INIT,
"Copying DSA parameters from private key to certificate");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
}
}


@@ -502,8 +502,9 @@ static int ssl_io_hook_read(SSL *ssl, char *buf, int len)
* Log SSL errors
*/
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL error on reading data");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
}
@@ -534,8 +535,9 @@ static int ssl_io_hook_write(SSL *ssl, unsigned char *buf, int len)
* Log SSL errors
*/
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL error on writing data");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
}
/*
* XXX - Just trying to reflect the behaviour in
@@ -763,9 +765,10 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
switch (status) {
case HTTP_BAD_REQUEST:
/* log the situation */
ssl_log(f->c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(f->c->base_server, SSL_LOG_ERROR,
"SSL handshake failed: HTTP spoken on HTTPS port; "
"trying to send HTML error page");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);


@@ -411,9 +411,10 @@ int ssl_hook_Access(request_rec *r)
/* configure new state */
if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
ssl_log(r->server, SSL_LOG_WARN|SSL_ADD_SSLERR,
ssl_log(r->server, SSL_LOG_WARN,
"Unable to reconfigure (per-directory) "
"permitted SSL ciphers");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
if (cipher_list_old) {
sk_SSL_CIPHER_free(cipher_list_old);
@@ -600,9 +601,10 @@ int ssl_hook_Access(request_rec *r)
cert_store = X509_STORE_new();
if (!X509_STORE_load_locations(cert_store, ca_file, ca_path)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(r->server, SSL_LOG_ERROR,
"Unable to reconfigure verify locations "
"for client authentication");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
X509_STORE_free(cert_store);
@@ -756,8 +758,9 @@ int ssl_hook_Access(request_rec *r)
(char *)ssl);
if (!modssl_X509_verify_cert(&cert_store_ctx)) {
ssl_log(r->server, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(r->server, SSL_LOG_ERROR,
"Re-negotiation verification step failed");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, r->server);
}
SSL_set_verify_result(ssl, cert_store_ctx.error);
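Review bot: The level passed to the new ssl_log_ssl_error() call in the per-directory cipher hunk does not match the ssl_log() line above it: the message goes out at SSL_LOG_WARN while the OpenSSL detail for the same failure goes out at APLOG_ERR, whereas the other two hunks in this section use ERROR on both lines. Unless the severity change is deliberate, use `ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, r->server);` so the message and its library detail land at the same severity and are filtered together. ssl_hook_Access continues outside these hunks.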


@@ -321,3 +321,27 @@ void ssl_die(void)
exit(1);
}
/*
* Prints the SSL library error information.
*/
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
{
unsigned long e;
while ((e = ERR_get_error())) {
char *err, *annotation;
err = ERR_error_string(e, NULL);
annotation = ssl_log_annotation(err);
if (annotation) {
ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
"SSL Library Error: %ld %s %s",
e, err, annotation);
}
else {
ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
"SSL Library Error: %ld %s",
e, err);
}
}
}
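Review bot: Both ap_log_error() format strings pair `%ld` with `unsigned long e`; the matching conversion is `%lu`. Separately, `ERR_error_string(e, NULL)` writes into a single static buffer shared by every thread, so under a threaded MPM two threads logging at once can overwrite each other's text before it is logged; `ERR_error_string_n()` into a local buffer avoids that. The header comment should also say that the loop drains the calling thread's entire error queue, so callers must invoke this immediately after the failing OpenSSL call or unrelated earlier errors get attributed to it.
```c
    while ((e = ERR_get_error())) {
        char err[256];          /* ERR_error_string(e, NULL) would return a shared static buffer */
        char *annotation;
        ERR_error_string_n(e, err, sizeof err);
        annotation = ssl_log_annotation(err);
        if (annotation) {
            ap_log_error(file, line, level|APLOG_NOERRNO, 0, s,
                         "SSL Library Error: %lu %s %s",
                         e, err, annotation);
        }
        /* … unchanged: else branch, with "%ld" likewise changed to "%lu" … */
    }
```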


@@ -230,8 +230,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
ssl_die();
}
if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(s, SSL_LOG_ERROR,
"Init: Unable to read server certificate from file %s", szPath);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
@@ -242,8 +243,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
at = ssl_util_algotypeof(pX509Cert, NULL);
an = ssl_util_algotypestr(at);
if (algoCert & at) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(s, SSL_LOG_ERROR,
"Init: Multiple %s server certificates not allowed", an);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
algoCert |= at;
@@ -409,8 +411,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
}
#ifdef WIN32
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(s, SSL_LOG_ERROR,
"Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
#endif /* WIN32 */
@@ -422,12 +425,14 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
if (nPassPhraseDialogCur && pkey_mtime &&
!(isterm = isatty(fileno(stdout)))) /* XXX: apr_isatty() */
{
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(pServ, SSL_LOG_ERROR,
"Init: Unable read passphrase "
"[Hint: key introduced or changed before restart?]");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
}
else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found");
ssl_log(pServ, SSL_LOG_ERROR, "Init: Private key not found");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
}
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
@@ -436,7 +441,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
}
}
else {
ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect");
ssl_log(pServ, SSL_LOG_ERROR, "Init: Pass phrase incorrect");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, pServ);
if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN
|| sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) {
apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n");
@@ -447,8 +454,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
}
if (pPrivateKey == NULL) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(s, SSL_LOG_ERROR,
"Init: Unable to read server private key from file %s [Hint: Perhaps it is in a separate file? See SSLCertificateKeyFile]", szPath);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
@@ -459,8 +467,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
at = ssl_util_algotypeof(NULL, pPrivateKey);
an = ssl_util_algotypestr(at);
if (algoKey & at) {
ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
ssl_log(s, SSL_LOG_ERROR,
"Init: Multiple %s server private keys not allowed", an);
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
algoKey |= at;