[Pkg-fedora-ds-maintainers] [libapache2-mod-nss] 69/156: 200855

Timo Aaltonen tjaalton-guest at moszumanska.debian.org
Wed Jul 2 13:55:30 UTC 2014


This is an automated email from the git hooks/post-receive script.

tjaalton-guest pushed a commit to branch master
in repository libapache2-mod-nss.

commit 7a9b1dac2b2fecb18cb85d2dc1860df54d4ef4f5
Author: rcritten <>
Date:   Wed Aug 2 15:14:47 2006 +0000

    200855
    
    Defer loading the server certificates until the 2nd module load. Otherwise
    any problems with said certificate(s) will not be displayed because
    the VirtualHost logging hasn't been turned on yet.
    
    Switch a slew of APLOG_INFO to APLOG_ERR.
    
    And add a default LogLevel to nss.conf.in. This is not inherited from
    httpd.conf.
---
 nss.conf.in       |  2 ++
 nss_engine_init.c | 30 +++++++++++++++++++-----------
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/nss.conf.in b/nss.conf.in
index ce5930d..1c8172e 100644
--- a/nss.conf.in
+++ b/nss.conf.in
@@ -76,8 +76,10 @@ NSSRandomSeed startup builtin
 #ServerAdmin you at example.com
 
 # mod_nss can log to separate log files, you can choose to do that if you'd like
+# LogLevel is not inherited from httpd.conf.
 #ErrorLog @apache_prefix@/logs/error_log
 #TransferLog @apache_prefix@/logs/access_log
+LogLevel warn
 
 #   SSL Engine Switch:
 #   Enable/Disable SSL for this virtual host.
diff --git a/nss_engine_init.c b/nss_engine_init.c
index ce2cfce..d265e83 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -831,7 +831,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
             }
         }
     } else {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "Certificate not found: '%s'", nickname);
         nss_die();
     }
@@ -848,7 +848,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
                  * Slot not found. This should never happen because we
                  * already found the cert.
                  */
-                ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Slot not found");
                 nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
                 free(token);
@@ -866,7 +866,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
     PK11_FreeSlot(slot);
 
     if (*serverkey == NULL) {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "Key not found for: '%s'", nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
@@ -889,21 +889,21 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
             /* ok */
             break;
         case secCertTimeExpired:
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Server certificate is expired: '%s'", nickname);
             break;
         case secCertTimeNotValidYet:
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Certificate is not valid yet '%s'", nickname);
         default:
-            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                 "Unhandled Certificate time type %d for: '%s'", certtimestatus, nickname);
             break;
     }
 
     secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
     if (secstatus != SECSuccess) {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "SSL error configuring server: '%s'", nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
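Review bot: The `secCertTimeNotValidYet` case still has no `break;`, so a not-yet-valid certificate falls through to `default` and is also reported as "Unhandled Certificate time type %d". With both calls now at APLOG_ERR, one condition produces two error lines and the second is misleading; add `break;` after the "Certificate is not valid yet" call. The expired and not-yet-valid branches also log at error level without calling `nss_die()`, unlike the `SSL_ConfigSecureServer` failure below them, so startup appears to continue with such a certificate. If that is intended, `APLOG_WARN` or a short comment saying so would make the severity match the behaviour. The switch and the rest of nss_init_certificate start outside the hunk.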
@@ -945,7 +945,7 @@ static void nss_init_server_certs(server_rec *s,
 
     secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
     if (secstatus != SECSuccess) {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "Error setting PKCS11 pin argument: '%s'", mctx->nickname);
         nss_die();
     }
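Review bot: The `SSL_SetPKCS11PinArg` failure branch is raised to APLOG_ERR but still does not record the underlying NSS error, unlike the handshake-callback and `SSL_ConfigSecureServer` branches. An operator therefore sees only "Error setting PKCS11 pin argument" with no error code to diagnose it. Adding `nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);` before `nss_die();` would make it consistent with the sibling branches. The body of nss_init_server_certs continues outside the hunk.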
@@ -953,7 +953,7 @@ static void nss_init_server_certs(server_rec *s,
     secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
     if (secstatus != SECSuccess)
     {
-        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
             "SSL error configuring handshake callback: '%s'", mctx->nickname);
         nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
         nss_die();
@@ -965,9 +965,13 @@ static void nss_init_proxy_ctx(server_rec *s,
                                 apr_pool_t *ptemp,
                                 SSLSrvConfigRec *sc)
 {
+    SSLModConfigRec *mc = myModConfig(s);
+
     nss_init_ctx(s, p, ptemp, sc->proxy);
 
-    nss_init_server_certs(s, p, ptemp, sc->proxy);
+    /* Only try to load the certificates once the server is up */
+    if (mc->nInitCount < 2)
+        nss_init_server_certs(s, p, ptemp, sc->proxy);
 }
 
 static void nss_init_server_ctx(server_rec *s,
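Review bot: The guard `if (mc->nInitCount < 2)` reads as the opposite of both its comment ("once the server is up") and the commit message ("until the 2nd module load"): as written, the certificates are loaded while the counter is below 2 and skipped afterwards. How `nInitCount` is incremented is not visible here, so this may be correct. If the counter is 1 on the first pass and 2 on the second, though, `nss_init_server_certs` would run only on the first pass, and the pass that serves traffic would skip certificate, key and handshake-callback setup. Please confirm against the increment site and spell the counter values out in the comment, e.g. `/* nInitCount is N on the first load and M on the second; certificates are loaded only when ... */`. Bracing the single-statement `if` would also guard against later edits. The same guard is added to nss_init_server_ctx in the next hunk.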
@@ -975,11 +979,15 @@ static void nss_init_server_ctx(server_rec *s,
                                 apr_pool_t *ptemp,
                                 SSLSrvConfigRec *sc)
 {
+    SSLModConfigRec *mc = myModConfig(s);
+
     nss_init_server_check(s, p, ptemp, sc->server);
 
     nss_init_ctx(s, p, ptemp, sc->server);
 
-    nss_init_server_certs(s, p, ptemp, sc->server);
+    /* Only try to load the certificates once the server is up */
+    if (mc->nInitCount < 2)
+        nss_init_server_certs(s, p, ptemp, sc->server);
 }
 
 /*

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-fedora-ds/libapache2-mod-nss.git


