diff -Nru apache2-2.4.41/debian/changelog apache2-2.4.41/debian/changelog
--- apache2-2.4.41/debian/changelog 2021-06-17 18:27:53.000000000 +0000
+++ apache2-2.4.41/debian/changelog 2021-07-05 07:16:56.000000000 +0000
@@ -1,3 +1,10 @@
+apache2 (2.4.41-4ubuntu3.4) focal; urgency=medium
+
+ * d/p/lp-1930430-Backport-r1865740.patch: fix OCSP in proxy mode
+ (LP: #1930430)
+
+ -- Christian Ehrhardt Mon, 05 Jul 2021 09:16:56 +0200
+
 apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium
 
 * SECURITY UPDATE: mod_proxy_http denial of service.
diff -Nru apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch
--- apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch 1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/lp-1930430-Backport-r1865740.patch 2021-07-05 07:15:29.000000000 +0000
@@ -0,0 +1,32 @@
+From c11b1cd3b11f073ab1b5d1d670cec9db21144683 Mon Sep 17 00:00:00 2001
+From: Graham Leggett
+Date: Wed, 1 Jan 2020 23:05:42 +0000
+Subject: [PATCH] Backport r1865740. mod_ssl: OCSP does not apply to proxy
+ mode.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1872226 13f79535-47bb-0310-9956-ffa450edef68
+
+Origin: backport, https://github.com/apache/httpd/commit/c11b1cd3b11f
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1930430
+Last-Update: 2021-07-05
+X-Backport-Note: skipped non functional changes to status (doesn't exist) and changes (does't match)
+
+---
+ CHANGES | 2 ++
+ STATUS | 5 -----
+ modules/ssl/ssl_engine_kernel.c | 4 ++--
+ 3 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -1836,8 +1836,8 @@ int ssl_callback_SSLVerify(int ok, X509_
+ /*
+ * Perform OCSP-based revocation checks
+ */
+- if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+- (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
++ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
++ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
+ /* If there was an optional verification error, it's not
+ * possible to perform OCSP validation since the issuer may be
+ * missing/untrusted. Fail in that case. */
diff -Nru apache2-2.4.41/debian/patches/series apache2-2.4.41/debian/patches/series
--- apache2-2.4.41/debian/patches/series 2021-06-17 18:27:53.000000000 +0000
+++ apache2-2.4.41/debian/patches/series 2021-07-05 07:12:42.000000000 +0000
@@ -27,3 +27,4 @@
 CVE-2021-26690.patch
 CVE-2021-26691.patch
 CVE-2021-30641.patch
+lp-1930430-Backport-r1865740.patch
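Review bot: The rewritten condition in `ssl_callback_SSLVerify` (embedded hunk at ssl_engine_kernel.c line 1836, inside the new lp-1930430 patch file) has no comment explaining why the OCSP mask is now read from `mctx` instead of `sc->server`, and that choice is the security-relevant part of the change. The definition of `mctx` is outside the hunk, but it is presumably the proxy context when the callback runs for an outgoing connection, so backend certificates would then get no OCSP revocation check even when OCSP is enabled for the server. I would extend the existing comment to record that, for example `/* Use the per-context mask: OCSP applies to client verification only; proxy (backend) connections skip it by design. */`. The changelog entry could also state that proxy-side revocation still has to come from the CRL settings (`SSLProxyCARevocationCheck`), so administrators do not assume OCSP covers upstream servers. The function body starts and ends outside the hunk.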