PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: set the current cert in ssl_callback_TmpDH before calling
- SSL_get_privatekey(ssl)
- trunk patch: https://svn.apache.org/r1588851
- 2.4.x patch: trunk patch works
- +1: kbrand, ylavic, jim
-
* mod_ssl: make SSL stapling init more robust for certs w/o responder URI
trunk patch: https://svn.apache.org/r1588853
2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)
DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
{
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
- EVP_PKEY *pkey = SSL_get_privatekey(ssl);
- int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+ EVP_PKEY *pkey;
+ int type;
+
+#ifdef SSL_CERT_SET_SERVER
+ /*
+ * When multiple certs/keys are configured for the SSL_CTX: make sure
+ * that we get the private key which is indeed used for the current
+ * SSL connection (available in OpenSSL 1.0.2 or later only)
+ */
+ SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
+#endif
+ pkey = SSL_get_privatekey(ssl);
+ type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
/*
* OpenSSL will call us with either keylen == 512 or keylen == 1024
projects / apache / commitdiff