]> granicus.if.org Git - apache/commitdiff
projects / apache / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3051222)
Merge r1588427 from trunk:
authorJim Jagielski <jim@apache.org>
Fri, 18 Apr 2014 15:29:20 +0000 (15:29 +0000)
committerJim Jagielski <jim@apache.org>
Fri, 18 Apr 2014 15:29:20 +0000 (15:29 +0000)
Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file
(workaround for OpenSSL versions before 0.9.8h, see
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1513).

PR 56410.

Submitted by: kbrand
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588496 13f79535-47bb-0310-9956-ffa450edef68

CHANGES patch | blob | history
STATUS patch | blob | history
modules/ssl/ssl_engine_init.c patch | blob | history

diff --git a/CHANGES b/CHANGES
index fa61a0e2055f1632a092cd9729f8cb360f3016f8..e8ab7f466f8611cd32069c2f1924c377ae7912c6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.4.10
 
+  *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
+     versions before 0.9.8h and not specifying an SSLCertificateChainFile
+     (regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
+
   *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
      no longer send warning-level unrecognized_name(112) alerts,
      and limit startup warnings to cases where an OpenSSL version
diff --git a/STATUS b/STATUS
index f06743b1546bad50aca004ec78a4248b20b91ff5..750243d3e2e88e30eeb0a9f7025d25020387fd58 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -100,12 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: workaround for SSLCertificateFile in 2.4.8 or later,
-     when used with OpenSSL prior to 0.9.8h and not specifying
-     an SSLCertificateChainFile (PR 56410)
-     trunk patch: https://svn.apache.org/r1588427
-     2.4.x patch: trunk patch works (modulo CHANGES)
-     +1: kbrand, ylavic, jim
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 6512992daec546befd6dadc4c0f9181ac4903b27..8744181d0469fffdc3af64d9bf59552c98086f9a 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -884,6 +884,8 @@ static apr_status_t ssl_init_server_certs(server_rec *s,
          i++) {
         key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i);
 
+        ERR_clear_error();
+
         /* first the certificate (public key) */
         if (mctx->cert_chain) {
             if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile,
Unnamed repository; edit this file 'description' to name the repository.