From: William A. Rowe Jr
Date: Thu, 22 Jun 2006 06:13:07 +0000 (+0000)
Subject: New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
X-Git-Tag: 2.3.0~2326
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e18e19091bc91b380d4da1c5babeb13f252e340;p=thirdparty%2Fapache%2Fhttpd.git

New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ] configures the I/O Dump of SSL traffic, when LogLevel is set to Debug. The default is none as this is far greater debugging resolution than the typical administrator is prepared to untangle.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@416265 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index f799fd157ee..f7b334060b6 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -145,6 +145,9 @@ static const command_rec ssl_config_cmds[] = {
 "Use the server's cipher ordering preference")
 SSL_CMD_ALL(UserName, TAKE1,
 "Set user name to SSL variable value")
+ SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
+ "Include I/O Dump when LogLevel is set to Debug "
+ "([ None (default) | IO (not bytes) | Bytes ])")
 
 /*
 * Proxy configuration for remote SSL connections
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index b635e62def3..dd0ccc7f188 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -169,6 +169,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
 sc->vhost_id_len = 0; /* set during module init */
 sc->session_cache_timeout = UNSET;
 sc->cipher_server_pref = UNSET;
+ sc->ssl_log_level = SSL_LOG_UNSET;
 
 modssl_ctx_init_proxy(sc, p);
 
@@ -257,6 +258,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
 cfgMergeBool(proxy_enabled);
 cfgMergeInt(session_cache_timeout);
 cfgMergeBool(cipher_server_pref);
+ cfgMerge(ssl_log_level, SSL_LOG_UNSET);
 
 modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
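Review bot: `sc->ssl_log_level = SSL_LOG_UNSET;` is the only initialisation in this commit, and nothing visible resolves UNSET to SSL_LOG_NONE after `cfgMerge(ssl_log_level, SSL_LOG_UNSET);` in ssl_config_server_merge, so the consumers in ssl_engine_io.c get the advertised "none" default only because UNSET (presumably negative) compares below SSL_LOG_IO. That works but is implicit and easy to break if the enum is ever renumbered. Either add a comment at the initialisation, `/* UNSET compares below SSL_LOG_IO: no dump until SSLLogLevelDebugDump is set */`, or resolve it explicitly in the merge with `if (mrg->ssl_log_level == SSL_LOG_UNSET) mrg->ssl_log_level = SSL_LOG_NONE;`. Both ssl_config_server_new and ssl_config_server_merge continue outside their hunks.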
@@ -1094,6 +1096,30 @@ const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *cmd,
 return NULL;
 }
 
+const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ if (strcEQ(arg, "none") || strcEQ(arg, "off")) {
+ sc->ssl_log_level = SSL_LOG_NONE;
+ }
+ else if (strcEQ(arg, "io") || strcEQ(arg, "i/o")) {
+ sc->ssl_log_level = SSL_LOG_IO;
+ }
+ else if (strcEQ(arg, "bytes") || strcEQ(arg, "on")) {
+ sc->ssl_log_level = SSL_LOG_BYTES;
+ }
+ else {
+ return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
+ ": Invalid argument '", arg, "'",
+ NULL);
+ }
+
+ return NULL;
+}
+
 const char *ssl_cmd_SSLOptions(cmd_parms *cmd,
 void *dcfg,
 const char *arg)
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 16bc979cf19..14b3eb041a6 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1655,6 +1655,8 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
 void ssl_io_filter_init(conn_rec *c, SSL *ssl)
 {
 ssl_filter_ctx_t *filter_ctx;
+ server_rec *s = c->base_server;
+ SSLSrvConfigRec *sc = mySrvConfig(s);
 
 filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
 
@@ -1673,7 +1675,8 @@ void ssl_io_filter_init(conn_rec *c, SSL *ssl)
 apr_pool_cleanup_register(c->pool, (void*)filter_ctx,
 ssl_io_filter_cleanup, apr_pool_cleanup_null);
 
- if (c->base_server->loglevel >= APLOG_DEBUG) {
+ if ((s->loglevel >= APLOG_DEBUG)
+ && (sc->ssl_log_level >= SSL_LOG_IO)) {
 BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
 BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
 }
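Review bot: `ssl_cmd_SSLLogLevelDebugDump` silently accepts `off`, `i/o` and `on` as aliases, while the help string registered in mod_ssl.c and the commit message advertise only None | IO | Bytes, so the accepted grammar now lives in two places that disagree. Either drop the aliases or mention them in the mod_ssl.c description so administrators are not surprised by what validates. The new function also has no header comment; something like `/* SSLLogLevelDebugDump none|io|bytes: per-server verbosity of the BIO I/O trace emitted at LogLevel debug; unknown values are rejected at config time */` would state the contract and the error path in one place.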
@@ -1776,12 +1779,14 @@ long ssl_io_data_cb(BIO *bio, int cmd,
 SSL *ssl;
 conn_rec *c;
 server_rec *s;
+ SSLSrvConfigRec *sc;
 
 if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL)
 return rc;
 if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
 return rc;
 s = c->base_server;
+ sc = mySrvConfig(s);
 
 if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
 || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
@@ -1793,7 +1798,7 @@ long ssl_io_data_cb(BIO *bio, int cmd,
 rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
 bio, argp,
 (argp != NULL ? "(BIO dump follows)" : "(Oops, no memory buffer?)"));
- if (argp != NULL)
+ if ((argp != NULL) && (sc->ssl_log_level >= SSL_LOG_BYTES))
 ssl_io_data_dump(s, argp, rc);
 }
 else {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 6e248d4e469..cecee5e69a6 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -140,6 +140,18 @@ ap_set_module_config(c->conn_config, &ssl_module, val)
 #define SSL_SESSION_CACHE_TIMEOUT 300
 #endif
 
+/**
+ * Define the per-server SSLLogLevel constants which provide
+ * finer-than-debug resolution to decide if logs are to be
+ * assulted with tens of thousands of characters per request.
+ */
+typedef enum {
+ SSL_LOG_UNSET = UNSET,
+ SSL_LOG_NONE = 0,
+ SSL_LOG_IO = 6,
+ SSL_LOG_BYTES = 7
+} ssl_log_level_e;
+
 /**
 * Support for MM library
 */
@@ -244,7 +256,7 @@ typedef enum {
 SSL_PPTYPE_UNSET = UNSET,
 SSL_PPTYPE_BUILTIN = 0,
 SSL_PPTYPE_FILTER = 1,
- SSL_PPTYPE_PIPE = 2
+ SSL_PPTYPE_PIPE = 2
 } ssl_pphrase_t;
 
 /**
@@ -284,7 +296,7 @@ typedef enum {
 SSL_ENABLED_UNSET = UNSET,
 SSL_ENABLED_FALSE = 0,
 SSL_ENABLED_TRUE = 1,
- SSL_ENABLED_OPTIONAL = 3
+ SSL_ENABLED_OPTIONAL = 3
 } ssl_enabled_t;
 
 /**
@@ -449,6 +461,7 @@ struct SSLSrvConfigRec {
 BOOL cipher_server_pref;
 modssl_ctx_t *server;
 modssl_ctx_t *proxy;
+ ssl_log_level_e ssl_log_level;
 };
 
 /**
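Review bot: The log line just above the changed `if` in ssl_io_data_cb still picks `"(BIO dump follows)"` purely on `argp != NULL`, so at SSLLogLevelDebugDump IO every read/write entry announces a dump that the new `&& (sc->ssl_log_level >= SSL_LOG_BYTES)` then suppresses, which will mislead anyone reading the error log. Decide once and use the result in both places: declare `int dump;` alongside `sc`, set `dump = (argp != NULL) && (sc->ssl_log_level >= SSL_LOG_BYTES);` after `sc = mySrvConfig(s);`, then use `(argp == NULL ? "(Oops, no memory buffer?)" : (dump ? "(BIO dump follows)" : ""))` in the message and `if (dump)` for the call. The enclosing function starts before this hunk and continues after it.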
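Review bot: The new ssl_log_level_e comment does not say why `SSL_LOG_IO = 6` and `SSL_LOG_BYTES = 7` rather than 1 and 2; every use in ssl_engine_io.c is an ordering compare (`>= SSL_LOG_IO`, `>= SSL_LOG_BYTES`) and the APLOG_DEBUG test is a separate condition, so the numbers are never compared against APLOG_* values and a reader may wrongly assume they must line up. State the contract in the comment, e.g. `Ordered: a level enables every cheaper level below it; SSL_LOG_UNSET (UNSET) must stay below SSL_LOG_NONE so an unconfigured server dumps nothing. The numeric values are not APLOG_* levels.` While there, `assulted` should read `assaulted`.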
@@ -513,6 +526,7 @@ const char *ssl_cmd_SSLOptions(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);