From: Stefan Eissing Date: Mon, 5 Nov 2018 10:37:32 +0000 (+0000) Subject: *) mod_ssl: clear *SSL errors before loading certificates and checking X-Git-Tag: 2.5.0-alpha2-ci-test-only~2251 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=505cf744a8bf0aabe2db52b27bcf0bbc1d90991a;p=thirdparty%2Fapache%2Fhttpd.git *) mod_ssl: clear *SSL errors before loading certificates and checking afterwards. Otherwise errors are reported when other SSL using modules are in play. Fixes PR 62880. [Michael Kaufmann] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1845768 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 5e4d4d49cfc..bc0d220193e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: clear *SSL errors before loading certificates and checking + afterwards. Otherwise errors are reported when other SSL using modules + are in play. Fixes PR 62880. [Michael Kaufmann] + *) mod_ssl: Correctly merge configurations that have client certificates set by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 654ea052a73..972ce1adc48 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1063,8 +1063,10 @@ static int use_certificate_chain( ctx->extra_certs = NULL; } #endif + /* create new extra chain by loading the certs */ n = 0; + ERR_clear_error(); while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) { if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) { X509_free(x509); diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index b11a6e924e5..b66e15146c8 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c 
@@ -363,7 +363,9 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file) BIO_free(bio); return NULL; } + /* create new extra chain by loading the certs */ + ERR_clear_error(); while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) { if (!other_certs) { other_certs = sk_X509_new_null();
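Review bot: In use_certificate_chain() (modules/ssl/ssl_engine_init.c), the new ERR_clear_error() call ahead of the PEM_read_bio_X509() loop has no comment explaining why the error queue is emptied at that point; the existing comment above it ("create new extra chain by loading the certs") does not cover it. Suggest a one-line comment saying that entries left on the OpenSSL error queue by other SSL-using modules would otherwise be picked up by the check that follows the loop, which is the reason the commit message gives. The call also discards whatever was queued without reporting it, so if those entries can matter for diagnosis, log them before clearing. The blank line added before the comment is an unrelated whitespace change and could be dropped.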
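Review bot: In modssl_read_ocsp_certificates() (modules/ssl/ssl_util_ocsp.c), the added comment "create new extra chain by loading the certs" is copied from use_certificate_chain() and does not describe this function, which collects the certificates into the other_certs stack rather than into a context's extra chain. Suggest rewording it to say that the OCSP certificates are being read from the file, and to state why ERR_clear_error() precedes the loop. The same clear-then-read sequence now appears in both files, so a small shared helper would keep the two call sites consistent.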