httpd-cvs mailing list archives

From s.@apache.org
Subject svn commit: r1023226 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_kernel.c
Date Sat, 16 Oct 2010 09:51:45 GMT
Author: sf
Date: Sat Oct 16 09:51:44 2010
New Revision: 1023226

URL: http://svn.apache.org/viewvc?rev=1023226&view=rev
Log:
mod_ssl: Log certificate information if client cert verification
fails.

PR: 50094
Submitted by: Lassi Tuura <lat cern ch>

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1023226&r1=1023225&r2=1023226&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Oct 16 09:51:44 2010
@@ -6,6 +6,9 @@ Changes with Apache 2.3.9
      Fix a denial of service attack against mod_reqtimeout.
      [Stefan Fritsch]
 
+  *) mod_ssl: Log certificate information if client cert verification
+     fails. PR 50094. [Lassi Tuura <lat cern ch>, Stefan Fritsch]
+
   *) htcacheclean: Teach htcacheclean to limit cache size by number of
      inodes in addition to size of files. Prevents a cache disk from
      running out of space when many small files are cached.

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1023226&r1=1023225&r2=1023226&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Oct 16 09:51:44 2010
@@ -1557,6 +1557,35 @@ int ssl_callback_SSLVerify(int ok, X509_
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                       "Certificate Verification: Error (%d): %s",
                       errnum, X509_verify_cert_error_string(errnum));
+        if (APLOGcinfo(conn)) {
+            X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
+            BIO *bio = BIO_new(BIO_s_mem());
+            char buff[512]; /* should be plenty */
+            int n;
+
+            if (bio) {
+                BIO_puts(bio, "Failed certificate: subject: '");
+                X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0,
+                                   XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', issuer: '");
+                X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0,
+                                XN_FLAG_ONELINE);
+
+                BIO_puts(bio, "', notbefore: ");
+                ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
+
+                BIO_puts(bio, ", notafter: ");
+                ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
+
+                n = BIO_read(bio, buff, sizeof(buff) - 1);
+                BIO_free(bio);
+                if (n > 0) {
+                    buff[n] = '\0';
+                    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, conn, "%s", buff);
+                }
+            }
+        }
 
         if (sslconn->client_cert) {
             X509_free(sslconn->client_cert);
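Review bot: the new block dereferences `cert` without checking it: `X509_STORE_CTX_get_current_cert(ctx)` can return NULL in the verify callback for errors that are not attached to a specific certificate, and `X509_get_subject_name(cert)` is then called on it unconditionally. Guard the block with `if (cert && bio)` (or test `cert` before allocating the BIO) so the error path cannot crash. Two smaller points in the same hunk: `ASN1_UTCTIME_print` is written for UTCTime only and does not render a GeneralizedTime `notBefore`/`notAfter` (used for dates from 2050 on) correctly, so the type-agnostic `ASN1_TIME_print(bio, X509_get_notBefore(cert))` is the call to use for both fields; and the `XN_FLAG_ONELINE` continuation line under `X509_get_issuer_name` is indented three columns short of the matching line under `X509_get_subject_name`. Finally, `BIO_read` into the 511-byte buffer silently truncates very long subject/issuer names, which is acceptable for a log line, but the `/* should be plenty */` comment could say that truncation is intended rather than leaving it implicit.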


