https://issues.apache.org/bugzilla/show_bug.cgi?id=52162
Bug #: 52162
Summary: ssl_engine_kernel.c "revoked client certificate" log needs debug level: hardly ok for production use
Product: Apache httpd-2
Version: 2.2.21
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Created attachment 27913
--> https://issues.apache.org/bugzilla/attachment.cgi?id=27913
Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO
In order to log attempts to connect with a revoked client certificate, Apache
needs to be configured at debug log level. This seems hardly ok for deployment
on production servers.
Source code shows that:
- the log is emitted with APLOG_INFO, which is ok;
- but this is protected by "if (s->loglevel >= APLOG_DEBUG)"...
In ./modules/ssl/ssl_engine_kernel.c @ 1590:
    if (s->loglevel >= APLOG_DEBUG) {
        char *cp = X509_NAME_oneline(issuer, NULL, 0);
        long serial = ASN1_INTEGER_get(sn);
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "Certificate with serial %ld (0x%lX) "
                     "revoked per CRL from issuer %s",
                     serial, serial, cp);
        modssl_free(cp);
    }
Patch attached.
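
An added example, not part of the original report or of the httpd code base: once this message reaches the error log, a monitor can match it using the format string quoted above and count attempts per issuer. The sample lines are constructed and their "[timestamp] [level]" prefix is an assumption; a serial of -1 is flagged because ASN1_INTEGER_get() returns -1 when the value does not fit in a long.

```python
import re
from collections import Counter

# Layout follows the ap_log_error() format string quoted in the report:
#   "Certificate with serial %ld (0x%lX) revoked per CRL from issuer %s"
REVOKED_RE = re.compile(
    r"Certificate with serial (?P<dec>-?\d+) \(0x(?P<hex>[0-9A-F]+)\) "
    r"revoked per CRL from issuer (?P<issuer>.+)$"
)

# Constructed sample lines. The "[timestamp] [level]" prefix is an assumption
# (default httpd 2.2 error log layout); the parser does not depend on it.
SAMPLE_LOG = [
    "[Wed Nov 09 10:15:31 2011] [notice] constructed unrelated line",
    "[Wed Nov 09 10:15:32 2011] [info] Certificate with serial 4660 (0x1234) "
    "revoked per CRL from issuer /C=XX/O=Example/CN=Example CA",
    "[Wed Nov 09 10:15:40 2011] [info] Certificate with serial 4660 (0x1234) "
    "revoked per CRL from issuer /C=XX/O=Example/CN=Example CA",
    "[Wed Nov 09 10:16:02 2011] [info] Certificate with serial -1 "
    "(0xFFFFFFFFFFFFFFFF) revoked per CRL from issuer /C=XX/O=Example/CN=Other CA",
]


def parse_revocations(lines):
    """Return one dict per revoked-certificate log line found in `lines`."""
    events = []
    for line in lines:
        m = REVOKED_RE.search(line.rstrip("\n"))
        if not m:
            continue
        serial = int(m.group("dec"))
        events.append({
            "serial": serial,
            "issuer": m.group("issuer").strip(),
            # -1 means the real serial did not fit in a long and is not
            # recoverable from the log line; identify the cert another way.
            "overflow": serial == -1,
            # %ld and %lX print the same value, so they must agree for
            # non-negative serials; a mismatch suggests a damaged line.
            "consistent": serial < 0 or serial == int(m.group("hex"), 16),
        })
    return events


def count_by_issuer(events):
    """Number of revoked-certificate attempts seen per issuing CA."""
    return Counter(e["issuer"] for e in events)


if __name__ == "__main__":
    for issuer, n in count_by_issuer(parse_revocations(SAMPLE_LOG)).items():
        print(n, issuer)
```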