From ef5ad69ab6c5c1d749591a6955dad38d783ac0a4 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Tue, 22 Jan 2013 17:23:46 -0500
Subject: [PATCH] SSLCertificateChainFile support

Like kerberos auth, this works around non-SSL vhosts by printing a warning and ignore the directive.
---
 lib/apache.dtl | 7 +++++++
 src/plugins/apache.sml | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/lib/apache.dtl b/lib/apache.dtl
index 8b7051c..98dca55 100644
--- a/lib/apache.dtl
+++ b/lib/apache.dtl
@@ -26,6 +26,9 @@ For others, it has only one value, [true].}}
 extern type ssl_cert_path;
 {{Filesystem path to an SSL certificate in your 'cert' list}}
 
+extern type ssl_cacert_path;
+{{Filesystem path to an intermediate CA certificate in your 'cacert' list}}
+
 extern type ssl;
 extern val no_ssl : ssl;
 extern val use_cert : ssl_cert_path -> ssl;
@@ -87,3 +90,7 @@ extern val serverAliasDefault : [Vhost];
 instead of any of their hosts/"subdomains".}}
 
 extern val testNoHtaccess : [Location];
+
+extern val sslCertificateChainFile : ssl_cacert_path -> [Vhost];
+{{Intermediate file to serve as part of the chain of authority for
+ your ssl certificate}}
\ No newline at end of file
diff --git a/src/plugins/apache.sml b/src/plugins/apache.sml
index b5edd64..d53d687 100644
--- a/src/plugins/apache.sml
+++ b/src/plugins/apache.sml
@@ -118,10 +118,18 @@ fun validCert s = Acl.query {user = Domain.getUser (),
 class = "cert", value = s}
+fun validCaCert s = Acl.query {user = Domain.getUser (),
+ class = "cacert",
+ value = s}
+
 val _ = Env.type_one "ssl_cert_path" Env.string validCert
+val _ = Env.type_one "ssl_cacert_path"
+ Env.string
+ validCaCert
+
 fun ssl e = case e of (EVar "no_ssl", _) => SOME NONE | (EApp ((EVar "use_cert", _), s), _) => Option.map SOME (Env.string s)
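Review bot: The doc string on the new `sslCertificateChainFile` declaration describes the file but not what happens when the directive is used in a vhost without SSL, which the commit message says is a printed warning with the directive dropped; a config author reading only apache.dtl will not learn that. Suggest ending the doc string with `Ignored, with a warning, in vhosts that do not use SSL.` so the declared type and the runtime behaviour match. The added lines also leave lib/apache.dtl without a trailing newline, as the marker after them shows.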
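Review bot: `validCaCert` is `validCert` with only the ACL class changed, and these two lookups are what decides which strings later reach the generated vhost config, so keeping them identical matters; a shared helper `fun aclValid class s = Acl.query {user = Domain.getUser (), class = class, value = s}` with `val validCert = aclValid "cert"` and `val validCaCert = aclValid "cacert"` would remove the duplication without changing either check. A one-line comment above `validCaCert` stating the contract, e.g. `(* A cacert path is accepted only if the calling user's ACL lists it under class "cacert" *)`, would also help the next reader. Whether the `ssl_cacert_path` check registered with `Env.type_one` is guaranteed to run before any action receives the value is not visible in this hunk and is presumably the compiler's job.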
@@ -1127,6 +1135,16 @@ val () = Env.action_two "addOutputFilter"
 write "\n")
 | _ => ())
+val () = Env.action_one "sslCertificateChainFile"
+ ("ssl_cacert_path", Env.string)
+ (fn cacert =>
+ if !sslEnabled then
+ (write "\tSSLCertificateChainFile \"";
+ write cacert;
+ write "\"\n")
+ else
+ print "WARNING: Skipped sslCertificateChainFile because this isn't an SSL vhost.\n")
+
 val () = Domain.registerResetLocal (fn () => ignore (OS.Process.system (Config.rm ^ " -rf /var/domtool/vhosts/*")))
-- 
2.20.1
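Review bot: `write cacert` emits the path unescaped between the quotes of the new `SSLCertificateChainFile` line, so a value containing `"` or a newline would terminate the directive early and the remainder would be read by Apache as further configuration; the only thing preventing that is the `cacert` ACL lookup in `validCaCert`, which admits exactly the strings an administrator placed in the ACL. That trust boundary should be stated at the write site, e.g. `(* cacert passed validCaCert (ACL class "cacert") and is emitted unescaped, so ACL entries must be plain filesystem paths *)`, and if the compiler does not guarantee the type check runs before this action, rejecting `"` and newline characters before writing would close the gap defensively. The branch on `!sslEnabled` relies on that ref being set before this directive is processed in the vhost, which happens outside the hunk and is worth confirming.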