From 7c1d6d82b4e27340bfdfa0707421f202f4e00c77 Mon Sep 17 00:00:00 2001
From: Alex Rousskov
Date: Thu, 12 Jul 2018 22:58:02 -0600
Subject: [PATCH 1/3] Restored support for the https_port clientca option

Probably missing since commit 621f429.
---
 src/security/ServerOptions.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index 0f67f4f8d25..2765bb5e3c2 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -61,7 +61,9 @@ Security::ServerOptions::parse(const char *token)
     }
 
     // parse the server-only options
-    if (strncmp(token, "dh=", 3) == 0) {
+    if (strncmp(token, "clientca=", 9) == 0) {
+        clientCaFile = SBuf(token + 9);
+    } else if (strncmp(token, "dh=", 3) == 0) {
         // clear any previous Diffi-Helman configuration
         dh.clear();
         dhParamsFile.clear();

From 971b3e317d4ee6b80f8b9ebcdca49c6238ad1673 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Wed, 18 Jul 2018 03:01:16 +1200
Subject: [PATCH 2/3] Move loading of clientca file

Loading the clientca file does not help if the context is already fully initialized first.
---
 src/security/ServerOptions.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index 2765bb5e3c2..a9f53b13c0e 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -266,13 +266,13 @@ Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &port)
         }
 #endif
 
+        if (!loadClientCaFile())
+            return false;
+
         if (!updateContextConfig(t)) {
             debugs(83, DBG_CRITICAL, "ERROR: Configuring static TLS context");
             return false;
         }
-
-        if (!loadClientCaFile())
-            return false;
     }
 
     staticContext = std::move(t);

From 6896562e7641f361c5b7229d863287e2bd65ba1b Mon Sep 17 00:00:00 2001
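Review bot: The new `clientca=` branch stores whatever follows the `=` into clientCaFile, including an empty string, and emits no diagnostic for it; whether an empty path is later rejected by loadClientCaFile() or treated as "no client CA" cannot be seen in this hunk. Since this value decides which CA set is trusted for client certificates on the https_port, a typo that leaves it empty should be reported where it is written rather than surfacing (or not) when the context is built. Consider rejecting the empty value at parse time through whatever error path parse() uses for other malformed options, e.g. `if (!token[9]) { debugs(83, DBG_CRITICAL, "ERROR: https_port clientca= requires a file name"); /* existing error path */ }`. The body of parse() begins before this hunk and continues after it.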
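Review bot: The moved `if (!loadClientCaFile()) return false;` aborts context creation without any diagnostic, while the `updateContextConfig(t)` failure directly below it logs at DBG_CRITICAL; unless loadClientCaFile() reports the cause itself (not visible here), an unreadable or malformed clientca file leaves the https_port without a static context and no message saying why. Failing closed here is the right outcome, but a silent failure of the client-CA load is hard to diagnose from logs and easy to mistake for an unrelated TLS problem. Suggest mirroring the neighbouring style: `if (!loadClientCaFile()) { debugs(83, DBG_CRITICAL, "ERROR: Loading https_port clientca file"); return false; }`. createStaticServerContext() begins and ends outside this hunk.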
From: Amos Jeffries
Date: Wed, 18 Jul 2018 05:25:13 +1200
Subject: [PATCH 3/3] add comment to mention all files must be loaded before context created

---
 src/security/ServerOptions.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index a9f53b13c0e..bad120662f6 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -269,6 +269,7 @@ Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &port)
         if (!loadClientCaFile())
             return false;
 
+        // by this point all config related files must be loaded
         if (!updateContextConfig(t)) {
             debugs(83, DBG_CRITICAL, "ERROR: Configuring static TLS context");
             return false;
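Review bot: The added comment states the ordering constraint but not the reason for it, so the next person moving code in this function has nothing stopping them from repeating the bug that patch 2/3 fixed. The reason is on the page in the previous commit's description: once updateContextConfig() has initialized the context, a later file load no longer affects it. Suggest spelling that out, e.g. `// All config-related files (clientca, dh, ...) must be loaded before this point: updateContextConfig() applies them to the context, and anything loaded afterwards has no effect.` createStaticServerContext() begins and ends outside this hunk.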