Re: Bug #269499 apache-ssl CustomLog problems
On Thu, Jan 12, 2006 at 10:38:29AM -0500, jef e wrote:
> apache-ssl bug #269499 "apache-ssl: SSL log directives don't work"
>
> I'm wondering if anyone has found or is using an easy workaround for
> this particular bug that doesn't require a recompile/source code change
> of the package as mentioned in the bug report correspondence.
>
> It seems that the syntax given to get the cipher info, etc is broken. The
> supplied httpd.conf syntax doesn't work.
>
> CustomLog /var/log/apache-ssl/ssl.log "%t %{version}c %{cipher}c
> %{clientcert}c"
>
> Output to the log file only returns output like this:
> [12/Jan/2006:09:34:42 -0500] - - -
> [12/Jan/2006:09:34:42 -0500] + + +
> [12/Jan/2006:09:34:42 -0500] + + +
>
>
> This bug has been outstanding for over a year and was apparently kicked
> back upstream to apache-ssl. However, their page also references the
> broken syntax.
>
> Anyone have any ideas or experiences short of rebuilding it?

You might try using mod_ssl-supplied environment variables instead.
The following log directive should give approximately the same info:

  "%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x CERT:%{SSL_CLIENT_CERT}x"

Unfortunately, the certificate gets split across several lines, which
could make parsing a little ugly, e.g.

  [12/Jan/2006:18:45:38 +0100] TLSv1 RC4-MD5 -----BEGIN CERTIFICATE-----
  CzAJBgNVBAgTAkJXMRIwEAYDVQQHEwlUdWViaW5nZW4xHzAdBgNVBAoTFnNjaWVu
  ... rest of PEM encoded certificate here ...
  6ZcBaCqLrMk=
  -----END CERTIFICATE-----

but maybe you don't actually want the full certificate, but rather its
DN or something... (for which there are specific variables).

See here for details:
http://www.modssl.org/docs/2.8/ssl_reference.html#table4
http://www.modssl.org/docs/2.8/ssl_compat.html#ToC2

Cheers,
Almut
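
Added example, not part of the original mail: one way to fold the multi-line entries produced by the directive above back into one record per request, replacing the PEM block with a SHA-256 fingerprint of its decoded bytes. The function name, the sample lines and the "-" logged when no client certificate is presented are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Start of a record: "[time] protocol cipher rest". "CERT:" is optional because
# the sample output in the mail shows the PEM header without that prefix.
RECORD = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<cipher>\S+) (?:CERT:)?(?P<rest>.*)$")
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample input: the base64 body is filler, not a real certificate.
FAKE_DER = bytes(range(96))
B64 = base64.b64encode(FAKE_DER).decode()  # 128 chars -> two 64-char lines
SAMPLE_LOG = [
    "[12/Jan/2006:18:45:38 +0100] TLSv1 RC4-MD5 CERT:" + BEGIN,
    B64[:64], B64[64:], END,
    "[12/Jan/2006:18:45:40 +0100] TLSv1 RC4-MD5 CERT:-",  # assumed: "-" when no client cert
    "[12/Jan/2006:18:45:41 +0100] TLSv1 DES-CBC3-SHA CERT:" + BEGIN,
    B64[:64],  # entry cut short: no END line before the next record
    "[12/Jan/2006:18:45:42 +0100] TLSv1 RC4-MD5 CERT:-",
]

def parse(lines):
    """Fold multi-line entries into one dict per request."""
    records, body = [], None  # body: list of base64 lines while inside a PEM block
    for line in lines:
        line = line.rstrip("\r\n")
        m = RECORD.match(line)
        if m:
            if body is not None:  # previous PEM block never reached END
                records[-1]["cert_sha256"] = "truncated"
            records.append({"time": m["time"], "proto": m["proto"],
                            "cipher": m["cipher"], "cert_sha256": None})
            body = [] if m["rest"] == BEGIN else None
        elif body is not None and line == END:
            der = base64.b64decode("".join(body))
            records[-1]["cert_sha256"] = hashlib.sha256(der).hexdigest()
            body = None
        elif body is not None:
            body.append(line.strip())
    if body is not None:
        records[-1]["cert_sha256"] = "truncated"
    return records

if __name__ == "__main__":
    for rec in parse(SAMPLE_LOG):
        print(rec)
```

An entry whose certificate block is interrupted by the next timestamped line is marked "truncated" rather than being merged into the following request.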