diff --git a/CHANGES b/CHANGES
index b87d545cbe..0fca3dbe07 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) mod_ssl: Fix a problem setting variables that represent the
+     client certificate chain.  PR 21397  [Jeff Trawick]
+
   *) Remember an authenticated user during internal redirects if the
      redirection target is not access protected and pass it
      to scripts using the REDIRECT_REMOTE_USER environment variable.
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index dc63a31640..eeb331c0f2 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -290,7 +290,7 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
     }
     else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) {
         sk = SSL_get_peer_cert_chain(ssl);
-        result = ssl_var_lookup_ssl_cert_chain(p, sk, var+17);
+        result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
     }
     else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
         result = ssl_var_lookup_ssl_cert_verify(p, c);