Commit 1dc2d046 authored by Joe Orton

* modules/ssl/ssl_engine_io.c, modules/ssl/ssl_engine_kernel.c,

modules/mod_ssl.c: Switch to using ap_log_cerror() in place of
ap_log_error() everywhere that the conn_rec * is available.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@105739 13f79535-47bb-0310-9956-ffa450edef68
parent 2dd362f8
+11 −12
@@ -298,7 +298,7 @@ int ssl_proxy_enable(conn_rec *c)
    SSLConnRec *sslconn = ssl_init_connection_ctx(c);

    if (!sc->proxy_enabled) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "SSL Proxy requested for %s but not enabled "
                      "[Hint: SSLProxyEngine]", sc->vhost_id);

@@ -353,7 +353,7 @@ int ssl_init_ssl_connection(conn_rec *c)
     * so we can detach later.
     */
    if (!(ssl = SSL_new(mctx->ssl_ctx))) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "Unable to create a new SSL connection from the SSL "
                      "context");
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
@@ -369,7 +369,7 @@ int ssl_init_ssl_connection(conn_rec *c)
    if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5,
                                    APR_MD5_DIGESTSIZE*2))
    {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                      "Unable to set session id context to `%s'", vhost_md5);
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);

@@ -448,10 +448,9 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd)
     * later access inside callback functions
     */

    ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
    ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                  "Connection to child %ld established "
                 "(server %s, client %s)", c->id, sc->vhost_id, 
                 c->remote_ip ? c->remote_ip : "unknown");
                  "(server %s)", c->id, sc->vhost_id);

    return ssl_init_ssl_connection(c);
}
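Review bot: In ssl_hook_pre_connection the removed call logged `c->remote_ip ? c->remote_ip : "unknown"`, while the new `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, ...)` call leaves an unset `c->remote_ip` to the logging core, which is not visible in this diff. If the address can still be unset here, confirm that the client prefix prints a recognisable placeholder, since this connection-established line is the one later entries for the same peer are correlated with. The same fallback is dropped in ssl_filter_io_shutdown and in the handshake-error branch of ssl_io_filter_connect in the second file. A short comment above the call, e.g. `/* client address is supplied by ap_log_cerror's prefix */`, would record why the argument was removed.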
+42 −50
@@ -680,7 +680,7 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
                    continue;  /* Blocking and nothing yet?  Try again. */
                }
                else {
                    ap_log_error(APLOG_MARK, APLOG_INFO, inctx->rc, c->base_server,
                    ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c,
                                  "SSL input filter read failed.");
                }
            }
@@ -688,7 +688,7 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
                /*
                 * Log SSL errors and any unexpected conditions.
                 */
                ap_log_error(APLOG_MARK, APLOG_INFO, inctx->rc, c->base_server,
                ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c,
                              "SSL library error %d reading data", ssl_err);
                ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);

@@ -785,14 +785,14 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
            outctx->rc = APR_EAGAIN;
        }
        else if (ssl_err == SSL_ERROR_SYSCALL) {
            ap_log_error(APLOG_MARK, APLOG_INFO, outctx->rc, c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c,
                          "SSL output filter write failed.");
        }
        else /* if (ssl_err == SSL_ERROR_SSL) */ {
            /*
             * Log SSL errors
             */
            ap_log_error(APLOG_MARK, APLOG_INFO, outctx->rc, c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c,
                          "SSL library error %d writing data", ssl_err);
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
        }
@@ -809,7 +809,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
            reason = "likely due to failed renegotiation";
        }

        ap_log_error(APLOG_MARK, APLOG_INFO, outctx->rc, c->base_server,
        ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c,
                      "failed to write %" APR_SSIZE_T_FMT 
                      " of %" APR_SIZE_T_FMT " bytes (%s)",
                      len - (apr_size_t)res, len, reason);
@@ -853,8 +853,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
    switch (status) {
      case HTTP_BAD_REQUEST:
            /* log the situation */
            ap_log_error(APLOG_MARK, APLOG_INFO, 0,
                         f->c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
                         "SSL handshake failed: HTTP spoken on HTTPS port; "
                         "trying to send HTML error page");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, f->c->base_server);
@@ -967,12 +966,10 @@ static apr_status_t ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,

    /* and finally log the fact that we've closed the connection */
    if (c->base_server->loglevel >= APLOG_INFO) {
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                     "Connection to child %ld closed with %s shutdown"
                     "(server %s, client %s)",
                     c->id, type,
                     ssl_util_vhostid(c->pool, c->base_server),
                     c->remote_ip ? c->remote_ip : "unknown");
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                      "Connection closed to child %ld with %s shutdown "
                      "(server %s)", 
                      c->id, type, ssl_util_vhostid(c->pool, c->base_server));
    }

    /* deallocate the SSL connection */
@@ -1000,7 +997,7 @@ static apr_status_t ssl_io_filter_cleanup(void *data)
        conn_rec *c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
        SSLConnRec *sslconn = myConnConfig(c);

        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                     "SSL connection destroyed without being closed");

        SSL_free(filter_ctx->pssl);
@@ -1033,8 +1030,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)

    if (sslconn->is_proxy) {
        if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
            ap_log_error(APLOG_MARK, APLOG_INFO, 0,
                         c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL Proxy connect failed");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
            /* ensure that the SSL structures etc are freed, etc: */
@@ -1059,8 +1055,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
             * was transferred. That's not a real error and can occur
             * sporadically with some clients.
             */
            ap_log_error(APLOG_MARK, APLOG_INFO, rc,
                         c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c,
                         "SSL handshake stopped: connection was closed");
        }
        else if (ssl_err == SSL_ERROR_WANT_READ) {
@@ -1083,7 +1078,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
            return HTTP_BAD_REQUEST;
        }
        else if (ssl_err == SSL_ERROR_SYSCALL) {
            ap_log_error(APLOG_MARK, APLOG_INFO, rc, c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c,
                          "SSL handshake interrupted by system "
                          "[Hint: Stop button pressed in browser?!]");
        }
@@ -1091,11 +1086,10 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
            /*
             * Log SSL errors and any unexpected conditions.
             */
            ap_log_error(APLOG_MARK, APLOG_INFO, rc, c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c,
                          "SSL library error %d in handshake "
                         "(server %s, client %s)", ssl_err,
                         ssl_util_vhostid(c->pool, c->base_server),
                         c->remote_ip ? c->remote_ip : "unknown");
                          "(server %s)", ssl_err,
                          ssl_util_vhostid(c->pool, c->base_server));
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);

        }
@@ -1125,8 +1119,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
             * optional_no_ca doesn't appear to work as advertised
             * in 1.x
             */
            ap_log_error(APLOG_MARK, APLOG_INFO, 0,
                         c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, "
                          "accepting certificate based on "
                          "\"SSLVerifyClient optional_no_ca\" "
@@ -1138,8 +1131,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
                sslconn->verify_error :
                X509_verify_cert_error_string(verify_result);

            ap_log_error(APLOG_MARK, APLOG_INFO, 0,
                         c->base_server,
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                         "SSL client authentication failed: %s",
                         error ? error : "unknown");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
@@ -1166,7 +1158,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
    if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) &&
        !sslconn->client_cert)
    {
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                      "No acceptable peer certificate available");

        return ssl_filter_io_shutdown(filter_ctx, c, 1);
@@ -1252,7 +1244,7 @@ static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,

    ssl_init_ssl_connection(f->c);

    ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                 "Awaiting re-negotiation handshake");

    sslconn = myConnConfig(f->c);
@@ -1266,7 +1258,7 @@ static apr_status_t ssl_io_filter_Upgrade(ap_filter_t *f,
    SSL_do_handshake(ssl);

    if (SSL_get_state(ssl) != SSL_ST_OK) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "TLS Upgrade handshake failed: "
                      "Not accepted by client!?");

@@ -1435,7 +1427,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
            filter_ctx->nobuffer = 1;
            status = ssl_filter_io_shutdown(filter_ctx, f->c, 0);
            if (status != APR_SUCCESS) {
                ap_log_error(APLOG_MARK, APLOG_INFO, status, NULL,
                ap_log_cerror(APLOG_MARK, APLOG_INFO, status, f->c,
                              "SSL filter error shutting down I/O");
            }
            if ((status = ap_pass_brigade(f->next, bb)) != APR_SUCCESS) {
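Review bot: The `ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server)` calls that follow the converted messages in ssl_io_input_read, ssl_filter_write, ssl_io_filter_error and ssl_io_filter_connect still take the server_rec, so the OpenSSL error detail they emit presumably carries no client address while the summary line above it now does. Once lines from several connections interleave, a handshake or client-authentication failure detail can then no longer be attributed to a peer from the log alone. The same pairing remains in ssl_init_ssl_connection in the first file. Consider a follow-up that lets ssl_log_ssl_error accept the conn_rec, or until then a comment at these sites such as `/* OpenSSL error detail below is logged per server, without the client prefix */`.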
+4 −4
@@ -1148,7 +1148,7 @@ RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
    SSLModConfigRec *mc = myModConfig(c->base_server);
    int idx;

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                  "handing out temporary %d bit RSA key", keylen);

    /* doesn't matter if export flag is on,
@@ -1180,7 +1180,7 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
    SSLModConfigRec *mc = myModConfig(c->base_server);
    int idx;

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, c->base_server,
    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                  "handing out temporary %d bit DH key", keylen);

    switch (keylen) {