From eced8a0d15f9b4d6bc7deb509bb6853cc5211c03 Mon Sep 17 00:00:00 2001
From: Kaspar Brand <kbrand@apache.org>
Date: Mon, 21 Apr 2014 06:39:24 +0000
Subject: [PATCH] ssl_callback_TmpDH: for OpenSSL 1.0.2 and later, set the
 current cert to the one actually used for the connection before calling
 SSL_get_privatekey(ssl)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1588851 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index db1ceba68f..70f836fa4e 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1344,8 +1344,19 @@ make_get_dh(rfc3526, 4096, 2)
 DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
 {
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-    EVP_PKEY *pkey = SSL_get_privatekey(ssl);
-    int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+    EVP_PKEY *pkey;
+    int type;
+
+#ifdef SSL_CERT_SET_SERVER
+    /*
+     * When multiple certs/keys are configured for the SSL_CTX: make sure
+     * that we get the private key which is indeed used for the current
+     * SSL connection (available in OpenSSL 1.0.2 or later only)
+     */
+    SSL_set_current_cert(ssl, SSL_CERT_SET_SERVER);
+#endif
+    pkey = SSL_get_privatekey(ssl);
+    type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
 
     /*
      * OpenSSL will call us with either keylen == 512 or keylen == 1024
-- 
2.40.0