Index: modules/ssl/ssl_engine_config.c =================================================================== --- modules/ssl/ssl_engine_config.c (revision 1587799) +++ modules/ssl/ssl_engine_config.c (working copy) @@ -311,6 +311,39 @@ static void modssl_ctx_cfg_merge_proxy(apr_pool_t cfgMergeString(pkp->ca_cert_file); } +#ifdef HAVE_ECC +#define CERTKEYS_IDX_MAX 2 +#else +#define CERTKEYS_IDX_MAX 1 +#endif + +static void modssl_ctx_cfg_merge_certkeys_array(apr_pool_t *p, + apr_array_header_t *base, + apr_array_header_t *add, + apr_array_header_t *mrg) +{ + int i; + + /* + * pick up to CERTKEYS_IDX_MAX+1 entries from "add" (in which case they + * they "knock out" their corresponding entries in "base") + */ + for (i = 0; i < add->nelts && i <= CERTKEYS_IDX_MAX; i++) { + APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *); + } + + /* add remaining ones from "base" */ + while (i < base->nelts) { + APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(base, i, const char *); + i++; + } + + /* and finally, append the rest of "add" (if there are any) */ + for (i = CERTKEYS_IDX_MAX+1; i < add->nelts; i++) { + APR_ARRAY_PUSH(mrg, const char *) = APR_ARRAY_IDX(add, i, const char *); + } +} + static void modssl_ctx_cfg_merge_server(apr_pool_t *p, modssl_ctx_t *base, modssl_ctx_t *add, @@ -318,8 +351,12 @@ static void modssl_ctx_cfg_merge_server(apr_pool_t { modssl_ctx_cfg_merge(p, base, add, mrg); - cfgMergeArray(pks->cert_files); - cfgMergeArray(pks->key_files); + modssl_ctx_cfg_merge_certkeys_array(p, base->pks->cert_files, + add->pks->cert_files, + mrg->pks->cert_files); + modssl_ctx_cfg_merge_certkeys_array(p, base->pks->key_files, + add->pks->key_files, + mrg->pks->key_files); cfgMergeString(pks->ca_name_path); cfgMergeString(pks->ca_name_file);