
mod_ssl: Log certificate information if client cert verification

fails.

PR: 50094
Submitted by: Lassi Tuura <lat cern ch>


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1023226 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Fritsch
2010-10-16 09:51:44 +00:00
parent 8a9e6cd208
commit db980ab45e
2 changed files with 32 additions and 0 deletions


@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
Fix a denial of service attack against mod_reqtimeout. Fix a denial of service attack against mod_reqtimeout.
[Stefan Fritsch] [Stefan Fritsch]
*) mod_ssl: Log certificate information if client cert verification
fails. PR 50094. [Lassi Tuura <lat cern ch>, Stefan Fritsch]
*) htcacheclean: Teach htcacheclean to limit cache size by number of *) htcacheclean: Teach htcacheclean to limit cache size by number of
inodes in addition to size of files. Prevents a cache disk from inodes in addition to size of files. Prevents a cache disk from
running out of space when many small files are cached. running out of space when many small files are cached.


@@ -1557,6 +1557,35 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
"Certificate Verification: Error (%d): %s", "Certificate Verification: Error (%d): %s",
errnum, X509_verify_cert_error_string(errnum)); errnum, X509_verify_cert_error_string(errnum));
if (APLOGcinfo(conn)) {
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
BIO *bio = BIO_new(BIO_s_mem());
char buff[512]; /* should be plenty */
int n;
if (bio) {
BIO_puts(bio, "Failed certificate: subject: '");
X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
XN_FLAG_ONELINE);
BIO_puts(bio, "', issuer: '");
X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
XN_FLAG_ONELINE);
BIO_puts(bio, "', notbefore: ");
ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
BIO_puts(bio, ", notafter: ");
ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
n = BIO_read(bio, buff, sizeof(buff) - 1);
BIO_free(bio);
if (n > 0) {
buff[n] = '\0';
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn, "%s", buff);
}
}
}
if (sslconn->client_cert) { if (sslconn->client_cert) {
X509_free(sslconn->client_cert); X509_free(sslconn->client_cert);
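Review bot: The new block dereferences `cert` unconditionally, but X509_STORE_CTX_get_current_cert() is documented to return NULL when no certificate is relevant to the error (for instance some chain-building or internal failures), so X509_get_subject_name(cert) on the following line would then crash the worker on input driven by the remote client; guard with `if (bio && cert) {` in place of `if (bio) {`. A second point: X509_get_notBefore()/X509_get_notAfter() yield ASN1_TIME values that may be GENERALIZEDTIME rather than UTCTIME, which ASN1_UTCTIME_print() rejects and prints nothing for, so `ASN1_TIME_print(bio, X509_get_notBefore(cert));` and `ASN1_TIME_print(bio, X509_get_notAfter(cert));` are the type-safe calls. The 512-byte buffer silently truncates long DNs, which is acceptable for a diagnostic but could use a short comment saying so. The enclosing function ssl_callback_SSLVerify starts before this hunk.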