mod_ssl: Log certificate information if client cert verification

fails. PR: 50094 Submitted by: Lassi Tuura <lat cern ch> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1023226 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2010-10-16 09:51:44 +00:00
parent 8a9e6cd208
commit db980ab45e
2 changed files with 32 additions and 0 deletions
--- a/3
+++ b/3
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
     Fix a denial of service attack against mod_reqtimeout.
     [Stefan Fritsch]

+  *) mod_ssl: Log certificate information if client cert verification
+     fails. PR 50094. [Lassi Tuura <lat cern ch>, Stefan Fritsch]
+
  *) htcacheclean: Teach htcacheclean to limit cache size by number of
     inodes in addition to size of files. Prevents a cache disk from
     running out of space when many small files are cached.
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1557,6 +1557,35 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                      "Certificate Verification: Error (%d): %s",
                      errnum, X509_verify_cert_error_string(errnum));
+        if (APLOGcinfo(conn)) {
+            X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+            BIO *bio = BIO_new(BIO_s_mem());
+            char buff[512]; /* should be plenty */
+            int n;
+
+            if (bio) {
+                BIO_puts(bio, "Failed certificate: subject: '");
+                X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+                                   XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', issuer: '");
+                X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+                                XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', notbefore: ");
+                ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+                BIO_puts(bio, ", notafter: ");
+                ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+                n = BIO_read(bio, buff, sizeof(buff) - 1);
+                BIO_free(bio);
+                if (n > 0) {
+                    buff[n] = '\0';
+                    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn, "%s", buff);
+                }
+            }
+        }

        if (sslconn->client_cert) {
            X509_free(sslconn->client_cert);