From: Jim Jagielski Date: Fri, 18 Apr 2014 15:29:20 +0000 (+0000) Subject: Merge r1588427 from trunk: X-Git-Tag: 2.4.10~305 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=db0e033a135f4fbc9be15fc4b105da5be710483b;p=apache Merge r1588427 from trunk: Also clear the error queue before calling SSL_CTX_use_certificate[_chain]_file (workaround for OpenSSL versions before 0.9.8h, see https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1513). PR 56410. Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1588496 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index fa61a0e205..e8ab7f466f 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.10 + *) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL + versions before 0.9.8h and not specifying an SSLCertificateChainFile + (regression introduced with 2.4.8). PR 56410. [Kaspar Brand] + *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: no longer send warning-level unrecognized_name(112) alerts, and limit startup warnings to cases where an OpenSSL version diff --git a/STATUS b/STATUS index f06743b154..750243d3e2 100644 --- a/STATUS +++ b/STATUS @@ -100,12 +100,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: workaround for SSLCertificateFile in 2.4.8 or later, - when used with OpenSSL prior to 0.9.8h and not specifying - an SSLCertificateChainFile (PR 56410) - trunk patch: https://svn.apache.org/r1588427 - 2.4.x patch: trunk patch works (modulo CHANGES) - +1: kbrand, ylavic, jim PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 6512992dae..8744181d04 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
@@ -884,6 +884,8 @@ static apr_status_t ssl_init_server_certs(server_rec *s, i++) { key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i); + ERR_clear_error(); + /* first the certificate (public key) */ if (mctx->cert_chain) { if ((SSL_CTX_use_certificate_file(mctx->ssl_ctx, certfile,
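Review bot: in the modules/ssl/ssl_engine_init.c hunk, the new ERR_clear_error() call placed just before the "first the certificate (public key)" comment in ssl_init_server_certs() has no comment explaining why the error queue is cleared, so a later cleanup could drop it as redundant. The commit message gives the reason (workaround for OpenSSL versions before 0.9.8h ahead of SSL_CTX_use_certificate[_chain]_file, PR 56410); a one-line comment at the call saying so would keep that next to the code. Because the call sits inside the per-certificate loop, it also discards whatever was left on the queue by earlier iterations or earlier init steps, so it is worth confirming that any failure before this point has already been logged and nothing later expects to read those entries.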
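Review bot: in the CHANGES hunk, the new mod_ssl entry under "Changes with Apache 2.4.10" names the affected setup (OpenSSL before 0.9.8h, no SSLCertificateChainFile, regression since 2.4.8) but not the symptom an administrator would see or what the workaround does. Adding a short clause on both, for example that the error queue is now cleared before the certificate file is loaded, would let readers match the entry to their own startup failure without opening PR 56410.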