On 17.09.2011 18:25, [email protected] wrote:
> + if (res == 1) {
> + /* Removing the client cert if verification is OK
> + * could save a loop when choosing which cert to send
> + * when more than one is available */
> + /* XXX: This is not needed if we collapse the two
> + * checks in ssl_engine_kernel in the future */
> + X509_free(sk_X509_shift(chain));
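Review bot: the comment in this hunk only gives the efficiency motivation for `X509_free(sk_X509_shift(chain));`, but the code also depends on the first element of `chain` being the client certificate rather than a CA certificate, so the comment should state that assumption (e.g. "chain[0] is the client cert; keep only the CA certs for pkp->ca_certs"), and the XXX remark would be more useful as a TODO naming the two checks in ssl_engine_kernel that are meant to be collapsed.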
IMO, you can always drop the first element of the chain, since you only
want to remember CA certs in pkp->ca_certs.
> + else {
> + int n=X509_STORE_CTX_get_error(sctx);
> + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
> + "SSL proxy client cert chain verification failed
> for %s: %s",
> + cert_cn, X509_verify_cert_error_string(n));
> + }
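Review bot: `int n=X509_STORE_CTX_get_error(sctx);` departs from the surrounding style (no spaces around `=`, single-letter name for a value that is logged), and the variable `cert_cn` passed to ap_log_error() is a misleading name for a full subject DN string; suggest `int err = X509_STORE_CTX_get_error(sctx);` and `cert_dn`, and use `err` in the X509_verify_cert_error_string() call so the WARNING line reads consistently.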
Here, cert_cn holds the X509_NAME_oneline() string of the subject DN.
Either the variable name is a misnomer or a typo (did you mean cert_dn
instead of cert_cn?), but more importantly, we should not add new code
which still calls X509_NAME_oneline(), at least for trunk... as its
OpenSSL man page states: its use "is strongly discouraged in new
applications".
I have just added ssl_log_xerror() and SSL_X509_NAME_to_string() in
r1172797, can you adapt the code in ssl_callback_proxy_cert() to make
use of these where applicable/possible? Hopefully this makes logging
cert details in mod_ssl more straightforward.
Kaspar