Bug 52162

Summary: ssl_engine_kernel.c "revoked client certificate" log needs debug level: hardly ok for production use
Product: Apache httpd-2
Reporter: ekp <eprost>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk, PatchAvailable
Priority: P2
Version: 2.2.21
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO

Description ekp 2011-11-09 15:29:04 UTC
Created attachment 27913: Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO

In order to log attempts to connect with a revoked client certificate, Apache needs to be configured at debug log level. This seems hardly ok for deployment on production servers.

Source code shows that:
- the log is emitted with APLOG_INFO, which is ok;
- but this is protected by "if (s->loglevel >= APLOG_DEBUG)"...

In ./modules/ssl/ssl_engine_kernel.c @ 1590:

                if (s->loglevel >= APLOG_DEBUG) {
                    char *cp = X509_NAME_oneline(issuer, NULL, 0);
                    long serial = ASN1_INTEGER_get(sn);

                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                                 "Certificate with serial %ld (0x%lX) "
                                 "revoked per CRL from issuer %s",
                                 serial, serial, cp);
                    modssl_free(cp);
                }

Patch attached.
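The following is an added illustration of the gating problem described in this report; it is not httpd code and not the attached patch. It models the outer "if (s->loglevel >= ...)" guard together with the level check that ap_log_error() itself performs, so you can see which configured LogLevel values actually produce the "revoked per CRL" line before and after the guard is changed from APLOG_DEBUG to APLOG_INFO. The APLOG_* numeric values match httpd's include/http_log.h; mock_server, mock_log_error and log_revoked_cert are hypothetical names introduced for the example, and the issuer DN and serial are constructed sample values.

```c
#include <stdio.h>

/* httpd log levels as numbered in include/http_log.h: a larger value
 * means a more verbose level. Copied here so the example is self-contained. */
#define APLOG_EMERG   0
#define APLOG_ALERT   1
#define APLOG_CRIT    2
#define APLOG_ERR     3
#define APLOG_WARNING 4
#define APLOG_NOTICE  5
#define APLOG_INFO    6
#define APLOG_DEBUG   7

/* Hypothetical stand-in for server_rec: only the configured LogLevel matters here. */
struct mock_server {
    int loglevel;
};

/* Hypothetical stand-in for ap_log_error(): the message is emitted only when
 * its own level is at or below the server's LogLevel. Copies the message into
 * out (when non-NULL) and returns 1 if emitted, 0 if suppressed. */
static int mock_log_error(int level, const struct mock_server *s,
                          char *out, size_t outlen, const char *msg)
{
    if (level > s->loglevel)
        return 0;
    if (out)
        snprintf(out, outlen, "%s", msg);
    return 1;
}

/* Models the revocation branch from ssl_engine_kernel.c. guard_level is the
 * level tested by the surrounding "if (s->loglevel >= ...)": APLOG_DEBUG
 * reproduces the reported behaviour, APLOG_INFO reproduces the fix.
 * Returns 1 if the "revoked per CRL" line reached the log, otherwise 0. */
static int log_revoked_cert(const struct mock_server *s, int guard_level,
                            long serial, const char *issuer,
                            char *out, size_t outlen)
{
    if (s->loglevel >= guard_level) {
        char msg[256];
        snprintf(msg, sizeof msg,
                 "Certificate with serial %ld (0x%lX) revoked per CRL from issuer %s",
                 serial, serial, issuer);
        /* The message itself is rated INFO, exactly as in the report. */
        return mock_log_error(APLOG_INFO, s, out, outlen, msg);
    }
    return 0;
}

int main(void)
{
    const char *issuer = "/C=XX/O=Example CA";   /* constructed sample issuer DN */
    const long serial = 4660;                      /* constructed sample serial (0x1234) */
    const int levels[] = { APLOG_WARNING, APLOG_INFO, APLOG_DEBUG };
    const char *names[] = { "warn", "info", "debug" };
    char line[256];

    /* For each LogLevel an administrator might set, show whether a revoked
     * client certificate would be recorded with the DEBUG guard (reported
     * behaviour) and with the INFO guard (patched behaviour). */
    for (size_t i = 0; i < sizeof levels / sizeof levels[0]; i++) {
        struct mock_server s = { levels[i] };
        int before = log_revoked_cert(&s, APLOG_DEBUG, serial, issuer, line, sizeof line);
        int after  = log_revoked_cert(&s, APLOG_INFO,  serial, issuer, line, sizeof line);
        printf("LogLevel %-5s  DEBUG guard: %-6s  INFO guard: %s\n", names[i],
               before ? "logged" : "silent", after ? "logged" : "silent");
    }
    return 0;
}
```

With the DEBUG guard only LogLevel debug records the revocation; with the INFO guard the line appears at LogLevel info as its APLOG_INFO rating implies, and LogLevel warn stays silent in both cases because ap_log_error() drops INFO messages there.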
Comment 1 Rainer Jung 2013-02-15 15:55:17 UTC
Applied in r1165056 to trunk/2.4.x and in r1446637 to 2.2.x.
Will be contained in 2.2.24.
Comment 2 Stefan Fritsch 2013-03-03 16:42:50 UTC
2.2.24 is released