1 files changed, 99 insertions, 0 deletions

diff --git a/httpd-2.4.57-r1825120.patch b/httpd-2.4.57-r1825120.patch
new file mode 100644
index 0000000..4eb0a59
--- /dev/null
+++ b/httpd-2.4.57-r1825120.patch
@@ -0,0 +1,99 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 4e2e80d..10a2c86 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -2256,51 +2256,6 @@ int ssl_proxy_section_post_config(apr_pool_t *p, apr_pool_t *plog,
+     return OK;
+ }
+ 
+-static int ssl_init_FindCAList_X509NameCmp(const X509_NAME * const *a,
+-                                           const X509_NAME * const *b)
+-{
+-    return(X509_NAME_cmp(*a, *b));
+-}
+-
+-static void ssl_init_PushCAList(STACK_OF(X509_NAME) *ca_list,
+-                                server_rec *s, apr_pool_t *ptemp,
+-                                const char *file)
+-{
+-    int n;
+-    STACK_OF(X509_NAME) *sk;
+-
+-    sk = (STACK_OF(X509_NAME) *)
+-             SSL_load_client_CA_file(file);
+-
+-    if (!sk) {
+-        return;
+-    }
+-
+-    for (n = 0; n < sk_X509_NAME_num(sk); n++) {
+-        X509_NAME *name = sk_X509_NAME_value(sk, n);
+-
+-        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02209)
+-                     "CA certificate: %s",
+-                     modssl_X509_NAME_to_string(ptemp, name, 0));
+-
+-        /*
+-         * note that SSL_load_client_CA_file() checks for duplicates,
+-         * but since we call it multiple times when reading a directory
+-         * we must also check for duplicates ourselves.
+-         */
+-
+-        if (sk_X509_NAME_find(ca_list, name) < 0) {
+-            /* this will be freed when ca_list is */
+-            sk_X509_NAME_push(ca_list, name);
+-        }
+-        else {
+-            /* need to free this ourselves, else it will leak */
+-            X509_NAME_free(name);
+-        }
+-    }
+-
+-    sk_X509_NAME_free(sk);
+-}
+ 
+ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
+                                           apr_pool_t *ptemp,
+@@ -2324,7 +2279,7 @@ static apr_status_t ssl_init_ca_cert_path(server_rec *s,
+         }
+         file = apr_pstrcat(ptemp, path, "/", direntry.name, NULL);
+         if (ca_list) {
+-            ssl_init_PushCAList(ca_list, s, ptemp, file);
++            SSL_add_file_cert_subjects_to_stack(ca_list, file);
+         }
+         if (xi_list) {
+             load_x509_info(ptemp, xi_list, file);
+@@ -2341,19 +2296,13 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+                                          const char *ca_file,
+                                          const char *ca_path)
+ {
+-    STACK_OF(X509_NAME) *ca_list;
+-
+-    /*
+-     * Start with a empty stack/list where new
+-     * entries get added in sorted order.
+-     */
+-    ca_list = sk_X509_NAME_new(ssl_init_FindCAList_X509NameCmp);
++    STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null();;
+ 
+     /*
+      * Process CA certificate bundle file
+      */
+     if (ca_file) {
+-        ssl_init_PushCAList(ca_list, s, ptemp, ca_file);
++        SSL_add_file_cert_subjects_to_stack(ca_list, ca_file);
+         /*
+          * If ca_list is still empty after trying to load ca_file
+          * then the file failed to load, and users should hear about that.
+@@ -2377,11 +2326,6 @@ STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *s,
+         return NULL;
+     }
+ 
+-    /*
+-     * Cleanup
+-     */
+-    (void) sk_X509_NAME_set_cmp_func(ca_list, NULL);
+-
+     return ca_list;
+ }
+