From: Joe Orton <jorton@apache.org>
Date: Tue, 15 Dec 2020 09:52:43 +0000 (+0000)
Subject: * modules/ssl/ssl_engine_init.c (ssl_init_ctx_cert_chain): Log the
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1085
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0498c4f193084b5b90d02f341ec226735b84564;p=thirdparty%2Fapache%2Fhttpd.git

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_cert_chain): Log the
  OpenSSL errors if CA certs cannot be loaded.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884452 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 2bd0502fbb5..bcb8c8aca15 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -1161,7 +1161,9 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
 /*
  * Read a file that optionally contains the server certificate in PEM
  * format, possibly followed by a sequence of CA certificates that
- * should be sent to the peer in the SSL Certificate message.
+ * should be sent to the peer in the SSL Certificate message.  Returns
+ * 0 on success, otherwise the OpenSSL error stack contents should be
+ * reported.
  */
 static int use_certificate_chain(
     SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
@@ -1258,6 +1260,7 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
     if (n < 0) {
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
                 "Failed to configure CA certificate chain!");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
         return ssl_die(s);
     }