Propose backport to prevent crashes during SSL renegotiation with OptRenegotiate set, client certificates available from original handshake but client certs were originally not verified and should get verified now.
  *) mod_ssl: Handle SSL_read() return code 0 similarly to <0. It is needed
     when using OpenSSL 1.1.1 and should not harm for versions before 1.1.1.
     Without the patch for 1.1.1 a 0 byte read no longer results in EAGAIN but
     instead in APR_EOF which leads to HTTP/2 failures.
     For the changelog: Fix HTTP/2 failures when using OpenSSL 1.1.1.
     trunk patch: http://svn.apache.org/r1843954
     2.4.x patch: svn merge -c 1843954 ^/httpd/httpd/trunk .
     +1: rjung, druggeri, rpluem