httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52162] New: ssl_engine_kernel.c "revoked client certificate" log needs debug level: hardly ok for production use
Date Wed, 09 Nov 2011 15:29:04 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52162

             Bug #: 52162
           Summary: ssl_engine_kernel.c "revoked client certificate" log
                    needs debug level: hardly ok for production use
           Product: Apache httpd-2
           Version: 2.2.21
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: eprost@orpheus.fr
    Classification: Unclassified


Created attachment 27913
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27913
Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO

In order to log attempts to connect with a revoked client certificate, Apache
needs to be configured at debug log level. This seems hardly ok for deployment
on production servers.

Source code shows that:
- the log is emitted with APLOG_INFO, which is ok;
- but this is protected by "if (s->loglevel >= APLOG_DEBUG)"...

In ./modules/ssl/ssl_engine_kernel.c @ 1590:

                if (s->loglevel >= APLOG_DEBUG) {
                    char *cp = X509_NAME_oneline(issuer, NULL, 0);
                    long serial = ASN1_INTEGER_get(sn);

                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                                 "Certificate with serial %ld (0x%lX) "
                                 "revoked per CRL from issuer %s",
                                 serial, serial, cp);
                    modssl_free(cp);
                }

Patch attached.

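The effect of the guard described in the report, as an added example that is not part of the original message or of httpd's source: a simplified C model of a message emitted at APLOG_INFO behind a check against a separate guard level. `struct server`, `model_log` and `log_revocation` are hypothetical names, the level numbers follow httpd's `http_log.h`, and the issuer and serial are constructed sample values.

```c
#include <stdio.h>

/* Level numbers as defined in httpd's http_log.h (syslog ordering). */
enum { APLOG_ERR = 3, APLOG_WARNING = 4, APLOG_NOTICE = 5,
       APLOG_INFO = 6, APLOG_DEBUG = 7 };

/* Hypothetical stand-in for server_rec: only the configured LogLevel. */
struct server { int loglevel; };

/* Simplified model of ap_log_error(): a message is written only when its
 * level is at or below the server's configured LogLevel. */
static int model_log(const struct server *s, int level, const char *msg)
{
    if (level > s->loglevel)
        return 0;
    fprintf(stderr, "[level %d] %s\n", level, msg);
    return 1;
}

/* The revocation message is emitted at APLOG_INFO but sits behind a guard
 * comparing s->loglevel with guard_level. Returns 1 if it reached the log. */
static int log_revocation(const struct server *s, int guard_level,
                          long serial, const char *issuer)
{
    char msg[256];

    if (s->loglevel < guard_level)
        return 0;                 /* guard skipped the whole block */
    snprintf(msg, sizeof msg, "Certificate with serial %ld (0x%lX) "
             "revoked per CRL from issuer %s",
             serial, (unsigned long)serial, issuer);
    return model_log(s, APLOG_INFO, msg);
}

int main(void)
{
    /* Constructed sample values, not taken from a real CRL. */
    const char *issuer = "/C=XX/O=Example/CN=Example CA";
    int levels[] = { APLOG_WARNING, APLOG_INFO, APLOG_DEBUG };
    struct server s;

    for (size_t i = 0; i < sizeof levels / sizeof levels[0]; i++) {
        s.loglevel = levels[i];
        printf("LogLevel %d: guard DEBUG -> %d, guard INFO -> %d\n", s.loglevel,
               log_revocation(&s, APLOG_DEBUG, 4660, issuer),
               log_revocation(&s, APLOG_INFO, 4660, issuer));
    }
    return 0;
}
```

With the guard at APLOG_DEBUG the revocation entry appears only when the server runs at debug level; with the guard at APLOG_INFO it appears at info and above, which is the change the report asks for.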