From: Jim Jagielski Date: Wed, 7 May 2014 12:51:38 +0000 (+0000) Subject: Merge r1588851 from trunk: X-Git-Tag: 2.4.10~255 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5f2e0d27abfb46eb1379bca6eda917c23ee0e5d2;p=apache Merge r1588851 from trunk: ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the current cert to the one actually used for the connection before calling SSL_get_privatekey(ssl) Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593001 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index aca381f59c..733b4be9b9 100644 --- a/STATUS +++ b/STATUS @@ -100,12 +100,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: set the current cert in ssl_callback_TmpDH before calling - SSL_get_privatekey(ssl) - trunk patch: https://svn.apache.org/r1588851 - 2.4.x patch: trunk patch works - +1: kbrand, ylavic, jim - * mod_ssl: make SSL stapling init more robust for certs w/o responder URI trunk patch: https://svn.apache.org/r1588853 2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 178a7cb7ed..3c649a069d 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
@@ -1331,8 +1331,19 @@ make_get_dh(rfc3526, 4096, 2) DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) { conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); - EVP_PKEY *pkey = SSL_get_privatekey(ssl); - int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; + EVP_PKEY *pkey; + int type; + +#ifdef SSL_CERT_SET_SERVER + /* + * When multiple certs/keys are configured for the SSL_CTX: make sure + * that we get the private key which is indeed used for the current + * SSL connection (available in OpenSSL 1.0.2 or later only) + */ + SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER); +#endif + pkey = SSL_get_privatekey(ssl); + type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; /* * OpenSSL will call us with either keylen == 512 or keylen == 1024
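Review bot: the return value of SSL_set_current_cert() is discarded in the new SSL_CERT_SET_SERVER block; the call returns 0 when it cannot select the certificate used for this connection, and in that case the code falls through to `SSL_get_privatekey(ssl)` on whatever cert is currently selected, so `type` (and thus the DH parameter size chosen below) may be derived from a different key than the one in use. Suggest checking it, e.g. `if (SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER) != 1) { /* log at debug level and treat pkey as NULL */ }`, so that the `EVP_PKEY_NONE` fallback applies rather than a silently wrong key type. As a minor point, the retained `EVP_PKEY_type(pkey->type)` reaches into the EVP_PKEY struct directly; `EVP_PKEY_base_id(pkey)` expresses the same thing without depending on the struct layout.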