diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 9811af8..568627f 100644

--- a/modules/ssl/ssl_engine_init.c

+++ b/modules/ssl/ssl_engine_init.c

@@ -276,7 +276,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,

         return HTTP_INTERNAL_SERVER_ERROR;

     }

 #ifdef HAVE_OCSP_STAPLING

-    ssl_stapling_ex_init();

+    ssl_stapling_certinfo_hash_init(p);

 #endif

     /*

@@ -899,6 +899,8 @@ static void ssl_init_ctx(server_rec *s,

 }

 static int ssl_server_import_cert(server_rec *s,

+                                  apr_pool_t *p,

+                                  apr_pool_t *ptemp,

                                   modssl_ctx_t *mctx,

                                   const char *id,

                                   int idx)

@@ -933,7 +935,7 @@ static int ssl_server_import_cert(server_rec *s,

 #ifdef HAVE_OCSP_STAPLING

     if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {

-        if (!ssl_stapling_init_cert(s, mctx, cert)) {

+        if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) {

             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02235)

                          "Unable to configure server certificate for stapling");

         }

@@ -1081,10 +1083,10 @@ static void ssl_init_server_certs(server_rec *s,

     ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);

 #endif

-    have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);

-    have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);

+    have_rsa = ssl_server_import_cert(s, p, ptemp, mctx, rsa_id, SSL_AIDX_RSA);

+    have_dsa = ssl_server_import_cert(s, p, ptemp, mctx, dsa_id, SSL_AIDX_DSA);

 #ifndef OPENSSL_NO_EC

-    have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);

+    have_ecc = ssl_server_import_cert(s, p, ptemp, mctx, ecc_id, SSL_AIDX_ECC);

 #endif

     if (!(have_rsa || have_dsa

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index 80e1e8e..0cc6d3f 100644

--- a/modules/ssl/ssl_private.h

+++ b/modules/ssl/ssl_private.h

@@ -132,6 +132,13 @@

 #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \

     && !defined(OPENSSL_NO_TLSEXT)

 #define HAVE_OCSP_STAPLING

+/* backward compatibility with OpenSSL < 1.0 */

+#ifndef sk_OPENSSL_STRING_num 

+#define sk_OPENSSL_STRING_num sk_num

+#endif

+#ifndef sk_OPENSSL_STRING_value

+#define sk_OPENSSL_STRING_value sk_value

+#endif

 #if (OPENSSL_VERSION_NUMBER < 0x10000000)

 #define sk_OPENSSL_STRING_pop sk_pop

 #endif

@@ -862,10 +869,10 @@ const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char

 const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);

 const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);

 const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);

-const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);

+const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);

 void         modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);

-void         ssl_stapling_ex_init(void);

-int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);

+void         ssl_stapling_certinfo_hash_init(apr_pool_t *);

+int          ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *, X509 *);

 #endif

 #ifndef OPENSSL_NO_SRP

 int          ssl_callback_SRPServerParams(SSL *, int *, void *);

diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c

index 2be2c36..2387ae1 100644

--- a/modules/ssl/ssl_util_stapling.c

+++ b/modules/ssl/ssl_util_stapling.c

@@ -43,36 +43,32 @@

 #define MAX_STAPLING_DER 10240

-/* Cached info stored in certificate ex_info. */

+/* Cached info stored in the global stapling_certinfo hash. */

 typedef struct {

-    /* Index in session cache SHA1 hash of certificate */

-    UCHAR idx[20];

-    /* Certificate ID for OCSP requests or NULL if ID cannot be determined */

+    /* Index in session cache (SHA-1 digest of DER encoded certificate) */

+    UCHAR idx[SHA_DIGEST_LENGTH];

+    /* Certificate ID for OCSP request */

     OCSP_CERTID *cid;

-    /* Responder details */

+    /* URI of the OCSP responder */

     char *uri;

 } certinfo;

-static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,

-                                        int idx, long argl, void *argp)

+static apr_status_t ssl_stapling_certid_free(void *data)

 {

-    certinfo *cinf = ptr;

+    OCSP_CERTID *cid = data;

-    if (!cinf)

-        return;

-    if (cinf->uri)

-        OPENSSL_free(cinf->uri);

-    OPENSSL_free(cinf);

+    if (cid) {

+        OCSP_CERTID_free(cid);

+    }

+

+    return APR_SUCCESS;

 }

-static int stapling_ex_idx = -1;

+static apr_hash_t *stapling_certinfo;

-void ssl_stapling_ex_init(void)

+void ssl_stapling_certinfo_hash_init(apr_pool_t *p)

 {

-    if (stapling_ex_idx != -1)

-        return;

-    stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,

-                                            certinfo_free);

+    stapling_certinfo = apr_hash_make(p);

 }

 static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)

@@ -106,70 +102,97 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)

 }

-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)

+int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,

+                           modssl_ctx_t *mctx, X509 *x)

 {

-    certinfo *cinf;

+    UCHAR idx[SHA_DIGEST_LENGTH];

+    certinfo *cinf = NULL;

     X509 *issuer = NULL;

+    OCSP_CERTID *cid = NULL;

     STACK_OF(OPENSSL_STRING) *aia = NULL;

-    if (x == NULL)

+    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))

         return 0;

-    cinf  = X509_get_ex_data(x, stapling_ex_idx);

+

+    cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));

     if (cinf) {

-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)

-                     "ssl_stapling_init_cert: certificate already initialized!");

-        return 0;

-    }

-    cinf = OPENSSL_malloc(sizeof(certinfo));

-    if (!cinf) {

-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)

-                     "ssl_stapling_init_cert: error allocating memory!");

-        return 0;

+        /*

+        * We already parsed the certificate, and no OCSP URI was found.

+        * The certificate might be used for multiple vhosts, though,

+        * so we check for a ForceURL for this vhost.

+        */

+        if (!cinf->uri && !mctx->stapling_force_url) {

+            ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,

+                           APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "

+                           "in certificate and no SSLStaplingForceURL "

+                           "configured for server %s", mctx->sc->vhost_id);

+            return 0;

+        }

+        return 1;

     }

-    cinf->cid = NULL;

-    cinf->uri = NULL;

-    X509_set_ex_data(x, stapling_ex_idx, cinf);

-

-    issuer = stapling_get_issuer(mctx, x);

-    if (issuer == NULL) {

-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217)

-                     "ssl_stapling_init_cert: Can't retrieve issuer certificate!");

+    if (!(issuer = stapling_get_issuer(mctx, x))) {

+        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217)

+                       "ssl_stapling_init_cert: can't retrieve issuer "

+                       "certificate!");

         return 0;

     }

-    cinf->cid = OCSP_cert_to_id(NULL, x, issuer);

+    cid = OCSP_cert_to_id(NULL, x, issuer);

     X509_free(issuer);

-    if (!cinf->cid)

+    if (!cid) {

+        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)

+                       "ssl_stapling_init_cert: can't create CertID "

+                       "for OCSP request");

         return 0;

-    X509_digest(x, EVP_sha1(), cinf->idx, NULL);

+    }

     aia = X509_get1_ocsp(x);

-    if (aia) {

-        cinf->uri = sk_OPENSSL_STRING_pop(aia);

-        X509_email_free(aia);

-    }

-    if (!cinf->uri && !mctx->stapling_force_url) {

-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)

-                     "ssl_stapling_init_cert: no responder URL");

+

+    if (!aia && !mctx->stapling_force_url) {

+        OCSP_CERTID_free(cid);

+        ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,

+                       APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "

+                       "in certificate and no SSLStaplingForceURL set");

         return 0;

     }

+

+    /* At this point, we have determined that there's something to store */

+    cinf = apr_pcalloc(p, sizeof(certinfo));

+    memcpy (cinf->idx, idx, sizeof(idx));

+    cinf->cid = cid;

+    /* make sure cid is also freed at pool cleanup */

+    apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,

+                              apr_pool_cleanup_null);

+    if (aia) {

+       /* allocate uri from the pconf pool */

+       cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));

+       X509_email_free(aia);

+    }

+

+    ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x,

+                   "ssl_stapling_init_cert: storing certinfo for server %s",

+                   mctx->sc->vhost_id);

+

+    apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);

+

     return 1;

 }

-static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,

+static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx,

                                         SSL *ssl)

 {

     certinfo *cinf;

     X509 *x;

+    UCHAR idx[SHA_DIGEST_LENGTH];

     x = SSL_get_certificate(ssl);

-    if (x == NULL)

+    if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))

         return NULL;

-    cinf = X509_get_ex_data(x, stapling_ex_idx);

+    cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));

     if (cinf && cinf->cid)

         return cinf;

     ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)

-                 "stapling_get_cert_info: stapling not supported for certificate");

+                 "stapling_get_certinfo: stapling not supported for certificate");

     return NULL;

 }

@@ -585,7 +608,7 @@ static int stapling_cb(SSL *ssl, void *arg)

     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)

                  "stapling_cb: OCSP Stapling callback called");

-    cinf = stapling_get_cert_info(s, mctx, ssl);

+    cinf = stapling_get_certinfo(s, mctx, ssl);

     if (cinf == NULL) {

         return SSL_TLSEXT_ERR_NOACK;

     }