authorrcritten <>2006-08-02 15:14:47 +0000
committerrcritten <>2006-08-02 15:14:47 +0000
commit7a9b1dac2b2fecb18cb85d2dc1860df54d4ef4f5 (patch)
tree08ac3b5a816ac6a0ca1305d9022af54ee56826be
parent12d492fc36fc11abf080d93edd9597571974bd13 (diff)
200855
Defer loading the server certificates until the 2nd module load. Otherwise any problems with said certificate(s) will not be displayed because the VirtualHost logging hasn't been turned on yet. Switch a slew of APLOG_INFO to APLOG_ERR. And add a default LogLevel to nss.conf.in. This is not inherited from httpd.conf.
-rw-r--r--nss.conf.in2
-rw-r--r--nss_engine_init.c30
2 files changed, 21 insertions, 11 deletions
diff --git a/nss.conf.in b/nss.conf.in
index ce5930d..1c8172e 100644
--- a/nss.conf.in
+++ b/nss.conf.in
@@ -76,8 +76,10 @@ NSSRandomSeed startup builtin
#ServerAdmin you@example.com
# mod_nss can log to separate log files, you can choose to do that if you'd like
+# LogLevel is not inherited from httpd.conf.
#ErrorLog @apache_prefix@/logs/error_log
#TransferLog @apache_prefix@/logs/access_log
+LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
diff --git a/nss_engine_init.c b/nss_engine_init.c
index ce2cfce..d265e83 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -831,7 +831,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
}
}
} else {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Certificate not found: '%s'", nickname);
nss_die();
}
@@ -848,7 +848,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
* Slot not found. This should never happen because we
* already found the cert.
*/
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Slot not found");
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
free(token);
@@ -866,7 +866,7 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
PK11_FreeSlot(slot);
if (*serverkey == NULL) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Key not found for: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
@@ -889,21 +889,21 @@ static void nss_init_certificate(server_rec *s, const char *nickname,
/* ok */
break;
case secCertTimeExpired:
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Server certificate is expired: '%s'", nickname);
break;
case secCertTimeNotValidYet:
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Certificate is not valid yet '%s'", nickname);
default:
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unhandled Certificate time type %d for: '%s'", certtimestatus, nickname);
break;
}
secstatus = SSL_ConfigSecureServer(model, *servercert, *serverkey, *KEAtype);
if (secstatus != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"SSL error configuring server: '%s'", nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
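Review bot: The `secCertTimeNotValidYet` case has no `break;`, so it falls through into `default`, and a not-yet-valid certificate also produces a misleading "Unhandled Certificate time type" entry, now at APLOG_ERR. Add `break;` after the `"Certificate is not valid yet '%s'"` call. Separately, neither the expired nor the not-yet-valid branch calls `nss_die()`, so execution continues to `SSL_ConfigSecureServer` with that certificate. If continuing is intended, a short comment on the switch saying that an out-of-date certificate is logged but does not stop startup would make the policy explicit. The switch and the enclosing nss_init_certificate start outside the hunk.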
@@ -945,7 +945,7 @@ static void nss_init_server_certs(server_rec *s,
secstatus = (SECStatus)SSL_SetPKCS11PinArg(mctx->model, NULL);
if (secstatus != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Error setting PKCS11 pin argument: '%s'", mctx->nickname);
nss_die();
}
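Review bot: The `SSL_SetPKCS11PinArg` failure path logs only the nickname before `nss_die()`, so the underlying NSS error is not recorded. The handshake-callback, key-not-found and `SSL_ConfigSecureServer` failure paths in this diff all call `nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);` first. Adding the same line here would fit the commit's aim of making startup failures visible in the log. nss_init_server_certs begins and ends outside the hunk.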
@@ -953,7 +953,7 @@ static void nss_init_server_certs(server_rec *s,
secstatus = (SECStatus)SSL_HandshakeCallback(mctx->model, (SSLHandshakeCallback)NSSHandshakeCallback, NULL);
if (secstatus != SECSuccess)
{
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"SSL error configuring handshake callback: '%s'", mctx->nickname);
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
nss_die();
@@ -965,9 +965,13 @@ static void nss_init_proxy_ctx(server_rec *s,
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
+ SSLModConfigRec *mc = myModConfig(s);
+
nss_init_ctx(s, p, ptemp, sc->proxy);
- nss_init_server_certs(s, p, ptemp, sc->proxy);
+ /* Only try to load the certificates once the server is up */
+ if (mc->nInitCount < 2)
+ nss_init_server_certs(s, p, ptemp, sc->proxy);
}
static void nss_init_server_ctx(server_rec *s,
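Review bot: The guard `if (mc->nInitCount < 2)` reads as "load the certificates while the count is below two", which looks like the opposite of the comment above it ("once the server is up") and of the commit message (defer loading until the 2nd module load). Where nInitCount is incremented is not visible in this diff, so the condition may be correct, but it should be confirmed against that code. The comment should also say which values the counter takes on the first and second passes. The same guard and comment are repeated in nss_init_server_ctx in the next hunk. Both single-statement bodies would be safer with braces.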
@@ -975,11 +979,15 @@ static void nss_init_server_ctx(server_rec *s,
apr_pool_t *ptemp,
SSLSrvConfigRec *sc)
{
+ SSLModConfigRec *mc = myModConfig(s);
+
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
- nss_init_server_certs(s, p, ptemp, sc->server);
+ /* Only try to load the certificates once the server is up */
+ if (mc->nInitCount < 2)
+ nss_init_server_certs(s, p, ptemp, sc->server);
}
/*