From: Rainer Jung
Date: Thu, 18 Oct 2018 10:06:37 +0000 (+0000)
Subject: mod_ssl: Correctly merge configurations that have client certificates set
X-Git-Tag: 2.4.37~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bba95406ca1d0d6c59fbf0dec997cf7ecc38dac;p=thirdparty%2Fapache%2Fhttpd.git

mod_ssl: Correctly merge configurations that have client certificates set
by SSLProxyMachineCertificate{File|Path}.

The certificates and keys loaded during configuration time got lost during
runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host
level and there was an SSL directive at directory level, e.g. SSLRequire.

This fixes a regression likely introduced in r1740928 (backported in r1824187).

Backport of r1844002 from trunk.

Submitted by: rjung
Reviewed by: rjung, rpluem, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1844226 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES index 27cf12257a1..12985c692b0 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,9 @@ Changes with Apache 2.4.37 but were originally not verified and should get verified now. This is a regression in 2.4.36 (unreleased). [Ruediger Pluem] + *) mod_ssl: Correctly merge configurations that have client certificates set + by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem] + Changes with Apache 2.4.36 *) mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified diff --git a/STATUS b/STATUS index 6bd211c95e5..9f1c1ffb9ed 100644 --- a/STATUS +++ b/STATUS 
@@ -125,15 +125,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: Correctly merge configurations that have client certificates set - by SSLProxyMachineCertificate{File|Path}. - The certificates and keys loaded during configuration time got lost during - runtime if e.g. SSLProxyMachineCertificate{File|Path} was set on virtual host - level and there was an SSL directive at directory level, e.g. SSLRequire. - This fixes a regression likely introduced in r1740928 (backported in r1824187). - trunk patch: http://svn.apache.org/r1844002 - 2.4.x patch: svn merge -c 1844002 ^/httpd/httpd/trunk . - +1: rjung, rpluem, jorton PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 29db3d6d535..6c10bb50777 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -467,6 +467,8 @@ static void modssl_ctx_cfg_merge_proxy(apr_pool_t *p, cfgMergeString(pkp->cert_file); cfgMergeString(pkp->cert_path); cfgMergeString(pkp->ca_cert_file); + cfgMergeString(pkp->certs); + cfgMergeString(pkp->ca_certs); } void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
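
Review bot: In the CHANGES hunk, the new entry is credited to [Ruediger Pluem], while the commit message says "Submitted by: rjung" and lists rpluem only under "Reviewed by"; the credit should probably match the From: line (Rainer Jung), or the commit message should say who wrote the fix. The entry would also help readers of the release notes more if it named the symptom given in the commit message: certificates and keys loaded at virtual host level were lost at runtime when an SSL directive such as SSLRequire was present at directory level.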
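
Review bot: In the modssl_ctx_cfg_merge_proxy hunk of modules/ssl/ssl_engine_config.c, the two added lines merge pkp->certs and pkp->ca_certs with cfgMergeString, although the commit message describes these as the certificates and keys loaded at configuration time, not file or path strings like the cert_file, cert_path and ca_cert_file fields merged just above them. If the macro is only a "take the override unless it is NULL" pointer merge, a one-line comment saying so (or a merge macro with a pointer-oriented name) would stop a later reader from treating these fields as strings; in that case the merged config also shares the loaded objects with the base config instead of copying them, which is worth stating as the lifetime assumption. Nothing in the patch exercises the failing case, so a regression test with SSLProxyMachineCertificateFile at virtual host level plus a directory-level SSLRequire would guard against the merge being dropped again.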