/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*                      _             _
 *  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
 * | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
 * | | | | | | (_) | (_| |   \__ \__ \ |
 * |_| |_| |_|\___/ \__,_|___|___/___/_|
 *                      |_____|
 *  ssl_engine_log.c
 *  Logging Facility
 */
                             /* ``The difference between a computer
                                  industry job and open-source software
                                  hacking is about 30 hours a week.''
                                         -- Ralf S. Engelschall     */
#include "ssl_private.h"

/*  _________________________________________________________________
**
**  Logfile Support
**  _________________________________________________________________
*/

/*
 * Table of (wildcard pattern, human-readable hint) pairs.  The pattern is
 * matched with ap_strcmp_match() against the text OpenSSL produces for an
 * error code; the first match wins, so more specific patterns should come
 * first.  The hints are advisory guesses about the usual cause and are only
 * ever appended to the log line - they never change what is logged
 * otherwise.  The table is terminated by a {NULL, NULL} entry.
 */
static const struct {
    const char *cpPattern;
    const char *cpAnnotation;
} ssl_log_annotate[] = {
    { "*envelope*bad*decrypt*",
      "wrong pass phrase!?" },
    { "*CLIENT_HELLO*unknown*protocol*",
      "speaking not SSL to HTTPS port!?" },
    { "*CLIENT_HELLO*http*request*",
      "speaking HTTP to HTTPS port!?" },
    { "*SSL3_READ_BYTES:sslv3*alert*bad*certificate*",
      "Subject CN in certificate not server name or identical to CA!?" },
    { "*self signed certificate in certificate chain*",
      "Client certificate signed by CA not known to server?" },
    { "*peer did not return a certificate*",
      "No CAs known to server for verification?" },
    { "*no shared cipher*",
      "Too restrictive SSLCipherSuite or using DSA server certificate?" },
    { "*no start line*",
      "Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?" },
    { "*bad password read*",
      "You entered an incorrect pass phrase!?" },
    { "*bad mac decode*",
      "Browser still remembered details of a re-created server certificate?" },
    { NULL, NULL }
};

/*
 * Look up the advisory hint for an OpenSSL error string.
 *
 * error: the text produced by ERR_error_string_n() for one error code.
 *
 * Returns the annotation of the first table entry whose pattern matches,
 * or NULL when no pattern matches (the caller then logs the bare error).
 */
static const char *ssl_log_annotation(const char *error)
{
    int idx;

    for (idx = 0; ssl_log_annotate[idx].cpPattern != NULL; idx++) {
        /* ap_strcmp_match() returns 0 on a successful wildcard match. */
        if (ap_strcmp_match(error, ssl_log_annotate[idx].cpPattern) == 0) {
            return ssl_log_annotate[idx].cpAnnotation;
        }
    }

    /* Fell off the end of the table: no hint known for this error text. */
    return NULL;
}

/*
 * Terminate the process after a fatal error.
 *
 * Module practice for unrecoverable configuration/startup errors is to
 * exit the whole program rather than try to limp on; the exit status is
 * always 1.  This function does not return.
 */
void ssl_die(void)
{
    exit(1);
}

/*
 * Log every pending entry of the OpenSSL error queue.
 *
 * file, line: origin of the call, passed straight through to ap_log_error().
 * level:      Apache log level to log the entries at.
 * s:          server whose error log receives the entries.
 *
 * The queue is drained completely (ERR_get_error() returns 0 once it is
 * empty), so stale errors from an earlier operation are not left behind to
 * be misattributed to a later one.  Each entry is logged with its numeric
 * code, the library's own text for it and, when ssl_log_annotation() has a
 * matching hint, that hint appended.
 */
void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
{
    unsigned long code;

    for (;;) {
        /* ERR_error_string_n() always NUL-terminates within sizeof text. */
        char text[256];
        const char *hint;

        code = ERR_get_error();
        if (code == 0) {
            break;
        }

        ERR_error_string_n(code, text, sizeof text);
        hint = ssl_log_annotation(text);

        if (hint == NULL) {
            ap_log_error(file, line, level, 0, s,
                         "SSL Library Error: %lu %s",
                         code, text);
        }
        else {
            ap_log_error(file, line, level, 0, s,
                         "SSL Library Error: %lu %s %s",
                         code, text, hint);
        }
    }
}