Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file

author Kaspar Brand <kbrand@apache.org>

Fri, 18 Apr 2014 09:07:19 +0000 (09:07 +0000)

committer Kaspar Brand <kbrand@apache.org>

Fri, 18 Apr 2014 09:07:19 +0000 (09:07 +0000)
author Kaspar Brand <kbrand@apache.org>
Fri, 18 Apr 2014 09:07:19 +0000 (09:07 +0000)
committer Kaspar Brand <kbrand@apache.org>
Fri, 18 Apr 2014 09:07:19 +0000 (09:07 +0000)
diff --git a/CHANGES b/CHANGES

index 71b2c25b55e70ac5e433b9c90bbc4fc525a6e6cd..25072b8650f20b55a8941e653089807e2d88a1f5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                           -*- coding: utf-8 -*-
  Changes with Apache 2.5.0
  
+  *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
+     versions before 0.9.8h and not specifying an SSLCertificateChainFile
+     (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
+
    *) mod_remoteip: Prevent an external proxy from presenting an internal
       proxy. PR 55962. [Mike Rumph]
  
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 2aef8d6f79a4f5208a6da528a39e15822b7de187..e4f234630e9a5ff8197e5b093e10b8c9959bfe9c 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -913,6 +913,8 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
           i++) {
          key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i);
  
+        ERR_clear_error();
+
          /* first the certificate (public key) */
          if (mctx->cert_chain) {
              if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile,
author	Kaspar Brand <kbrand@apache.org>
	Fri, 18 Apr 2014 09:07:19 +0000 (09:07 +0000)
committer	Kaspar Brand <kbrand@apache.org>
	Fri, 18 Apr 2014 09:07:19 +0000 (09:07 +0000)
CHANGES		patch \| blob \| history
modules/ssl/ssl_engine_init.c		patch \| blob \| history