From c31703b89585c255153631cacbab4a935009fdfd Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Fri, 5 Jul 2019 16:23:29 +0200
Subject: [PATCH] Implements #5007 Remove SSL bundle files if present on an
 apache 2.4 server

---
 server/conf/vhost.conf.master                   | 8 ++++----
 server/plugins-available/apache2_plugin.inc.php | 5 +++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index a259c29906..ee7dcac076 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -75,15 +75,15 @@
 		# </IfModule>
 		SSLCertificateFile <tmpl_var name='ssl_crt_file'>
 		SSLCertificateKeyFile <tmpl_var name='ssl_key_file'>
-<tmpl_if name='has_bundle_cert'>
-		<tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
-		SSLCertificateChainFile <tmpl_var name='ssl_bundle_file'>
-		</tmpl_if>
 		<tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
 		SSLUseStapling on
 		SSLStaplingResponderTimeout 5
 		SSLStaplingReturnResponderErrors off
 		</tmpl_if>
+<tmpl_if name='has_bundle_cert'>
+		<tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
+		SSLCertificateChainFile <tmpl_var name='ssl_bundle_file'>
+		</tmpl_if>
 </tmpl_if>
 </tmpl_if>
 		</IfModule>
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 3aa851f649..6fa3101ed7 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -1223,8 +1223,9 @@ class apache2_plugin {
 				$app->dbmaster->query("UPDATE web_domain SET `ssl` = ?, `ssl_letsencrypt` = ? WHERE `domain` = ? AND `server_id` = ?", $data['new']['ssl'], 'n', $data['new']['domain'], $conf['server_id']);
  			}
 		}
-
-		if(@is_file($bundle_file)) $vhost_data['has_bundle_cert'] = 1;
+		
+		// Use separate bundle file only for apache versions < 2.4.8
+		if(@is_file($bundle_file) && version_compare($app->system->getapacheversion(true), '2.4.8', '<')) $vhost_data['has_bundle_cert'] = 1;
 
 		// HTTP/2.0 ?
 		$vhost_data['enable_http2']  = 'n';
-- 
GitLab