From: Stefan Eissing Date: Tue, 6 Aug 2019 12:16:14 +0000 (+0000) Subject: Merged /httpd/httpd/trunk:r1864428 from trunk X-Git-Tag: 2.4.41~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c670ccc1a6590b81bc4f4833e6aa4b414a08f07;p=thirdparty%2Fapache%2Fhttpd.git Merged /httpd/httpd/trunk:r1864428 from trunk *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864513 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 6afb2eff52c..ff34b511a99 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes with Apache 2.4.41 *) modules/filters: PR 63633: Fix broken compilation when using old GCC (<4.2.x). [Rainer Jung, Joe Orton] + *) mod_ssl: reverting a 2.4.40 change where a superfluous SSLCertificateChainFile configuration + for a domain managed by mod_md could cause a startup error. [Stefan Eissing] + Changes with Apache 2.4.40 *) core, mod_rewrite: Set PCRE_DOTALL by default. Revert via diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 1644739e8c2..f54c922fc79 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
@@ -1770,19 +1770,21 @@ static apr_status_t ssl_init_server_ctx(server_rec *s,
 n = pks->cert_files->nelts;
 ssl_run_add_cert_files(s, p, pks->cert_files, pks->key_files);
- if (n < pks->cert_files->nelts) {
- /* this overrides any old chain configuration */
- sc->server->cert_chain = NULL;
+ if (apr_is_empty_array(pks->cert_files)) {
+ /* does someone propose a certiciate to fall back on here? */
+ ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
+ if (n < pks->cert_files->nelts) {
+ pks->service_unavailable = 1;
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
+ "Init: %s will respond with '503 Service Unavailable' for now. There "
+ "are no SSL certificates configured and no other module contributed any.",
+ ssl_util_vhostid(p, s));
+ }
 }
- if (apr_is_empty_array(pks->cert_files) && !sc->server->cert_chain) {
- ssl_run_add_fallback_cert_files(s, p, pks->cert_files, pks->key_files);
-
- pks->service_unavailable = 1;
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, APLOGNO(10085)
- "Init: %s will respond with '503 Service Unavailable' for now. There "
- "are no SSL certificates configured and no other module contributed any.",
- ssl_util_vhostid(p, s));
+ if (n < pks->cert_files->nelts) {
+ /* additionally installed certs overrides any old chain configuration */
+ sc->server->cert_chain = NULL;
 }
 if ((rv = ssl_init_ctx(s, p, ptemp, sc->server)) != APR_SUCCESS) {
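Review bot: The final `if (n < pks->cert_files->nelts)` block clears `sc->server->cert_chain` without any log output, so an operator whose SSLCertificateChainFile setting is dropped (the case the CHANGES entry describes) gets no indication that the configured chain is being ignored. Consider logging before the reset when a chain was set, e.g. `if (sc->server->cert_chain) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Init: %s: ignoring configured certificate chain, certificates were added by another module", ssl_util_vhostid(p, s));`. Because that block follows the fallback branch, the reset also runs when only a fallback certificate was installed; if that is intended the comment should say so, and the 10085 warning text ("no other module contributed any") reads oddly now that it is emitted only when the fallback hook did add a file. The comment typo `certiciate` should be `certificate`, and `certs overrides` should be `certs override`. ssl_init_server_ctx starts and ends outside the hunk, so what happens when no hook contributes anything is not visible here.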