[Fedora-directory-commits] mod_nss nss.conf.in, 1.8, 1.9 nss_engine_init.c, 1.20, 1.21

Robert Crittenden (rcritten) fedora-directory-commits at redhat.com
Wed Aug 2 15:14:49 UTC 2006


Author: rcritten

Update of /cvs/dirsec/mod_nss
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21001

Modified Files:
	nss.conf.in nss_engine_init.c 
Log Message:
200855

Defer loading the server certificates until the 2nd module load. Otherwise
any problems with said certificate(s) will not be displayed because
the VirtualHost logging hasn't been turned on yet.

Switch a slew of APLOG_INFO to APLOG_ERR.

And add a default LogLevel to nss.conf.in. This is not inherited from
httpd.conf.



Index: nss.conf.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss.conf.in,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- nss.conf.in	2 Mar 2006 19:21:54 -0000	1.8
+++ nss.conf.in	2 Aug 2006 15:14:47 -0000	1.9
@@ -76,8 +76,10 @@
 #ServerAdmin you at example.com
 
 # mod_nss can log to separate log files, you can choose to do that if you'd like
+# LogLevel is not inherited from httpd.conf.
 #ErrorLog @apache_prefix@/logs/error_log
 #TransferLog @apache_prefix@/logs/access_log
+LogLevel warn
 
 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.


Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- nss_engine_init.c	21 Jun 2006 14:25:51 -0000	1.20
+++ nss_engine_init.c	2 Aug 2006 15:14:47 -0000	1.21
@@ -831,7 +831,7 @@
             }
         }
     } else {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "Certificate not found: '%s'", nickname);
         nss_die();
     }
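Review bot: The "Certificate not found" branch on the changed line logs only the Apache-side message and then calls nss_die(), whereas the sibling failure paths re-leveled in this same commit ("Key not found", "Slot not found", "SSL error configuring server") also call nss_log_nss_error so the NSS error code that explains the failure reaches the log. Adding `nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);` before `nss_die();` here would make the promoted message actionable; the "Error setting PKCS11 pin argument" hunk further down has the same gap. Whether the certificate lookup actually leaves an NSS error set is not visible in this hunk, so confirm before adding it. The enclosing function starts outside the hunk.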
@@ -848,7 +848,7 @@
                  * Slot not found. This should never happen because we
                  * already found the cert.
                  */
-                ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Slot not found");
                 nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
                 free(token);
@@ -866,7 +866,7 @@
     PK11_FreeSlot(slot);
 
     if (*serverkey == NULL) {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "Key not found for: '%s'", nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
@@ -889,21 +889,21 @@
             /* ok */
             break;
         case secCertTimeExpired:
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Server certificate is expired: '%s'", nickname);
             break;
         case secCertTimeNotValidYet:
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Certificate is not valid yet '%s'", nickname);
         default:
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Unhandled Certificate time type %d for: '%s'", certtimestatus, nickname);
             break;
     }
 
     secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
     if (secstatus != SECSuccess) {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "SSL error configuring server: '%s'", nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
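Review bot: The `case secCertTimeNotValidYet:` branch has no `break;` after its ap_log_error call, so it falls through into `default:` and a not-yet-valid certificate is logged twice, the second time as "Unhandled Certificate time type", which is misleading now that both messages are at ERR. Since the commit touches exactly these lines, add `break;` after the "Certificate is not valid yet" log, matching the secCertTimeExpired case. Note also that both time-status failures only log and still reach SSL_ConfigSecureServer a few lines below, so the promoted ERR line is the only signal that the server was configured with a certificate outside its validity period; whether continuing there is intended cannot be judged from this hunk. The enclosing switch and function begin outside the hunk.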
@@ -945,7 +945,7 @@
 
     secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
     if (secstatus != SECSuccess) {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
         nss_die();
     }
@@ -953,7 +953,7 @@
     secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
     if (secstatus != SECSuccess)
     {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "SSL error configuring handshake callback: '%s'", mctx->nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
@@ -965,9 +965,13 @@
                                 apr_pool_t *ptemp,
                                 SSLSrvConfigRec *sc)
 {
+    SSLModConfigRec *mc = myModConfig(s);
+
     nss_init_ctx(s, p, ptemp, sc->proxy);
 
-    nss_init_server_certs(s, p, ptemp, sc->proxy);
+    /* Only try to load the certificates once the server is up */
+    if (mc->nInitCount < 2)
+        nss_init_server_certs(s, p, ptemp, sc->proxy);
 }
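Review bot: The guard `if (mc->nInitCount < 2)` reads as loading the certificates on the first init pass and skipping subsequent ones, which is the opposite of the commit message's "defer ... until the 2nd module load"; where nInitCount is incremented is not visible here, so if the module init bumps it on entry (as mod_ssl's equivalent counter does) the test should be `if (mc->nInitCount >= 2)`, and if it is incremented later the comment should say so explicitly. The same guard and comment appear in the nss_init_server_ctx hunk below, so both need the same fix. The comment `/* Only try to load the certificates once the server is up */` would be clearer as `/* Defer certificate loading to the second module load so VirtualHost error logging is active */`, which ties it to the reason given in the commit message. The enclosing function's signature begins outside the hunk.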
 
 static void nss_init_server_ctx(server_rec *s,
@@ -975,11 +979,15 @@
                                 apr_pool_t *ptemp,
                                 SSLSrvConfigRec *sc)
 {
+    SSLModConfigRec *mc = myModConfig(s);
+
     nss_init_server_check(s, p, ptemp, sc->server);
 
     nss_init_ctx(s, p, ptemp, sc->server);
 
-    nss_init_server_certs(s, p, ptemp, sc->server);
+    /* Only try to load the certificates once the server is up */
+    if (mc->nInitCount < 2)
+        nss_init_server_certs(s, p, ptemp, sc->server);
 }
 
 /*



