Fix CVE CAN-2005-2700:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that renegotiation is performed for a transition from "SSLVerifyClient optional" to "SSLVerifyClient require". The boolean "verify_old & SSL_VERIFY_PEER_STRICT" is true if the old context merely has optional verification configured, since the definition of SSL_VERIFY_PEER_STRICT is (SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@264800 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2005-08-30 15:57:38 +00:00
parent 19a0d050b0
commit a1e9d51be3
2 changed files with 7 additions and 2 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -406,8 +406,8 @@ int ssl_hook_Access(request_rec *r)
                (!(verify_old & SSL_VERIFY_PEER) &&
                  (verify     & SSL_VERIFY_PEER)) ||

-                (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
-                  (verify     & SSL_VERIFY_PEER_STRICT)))
+                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+                  (verify     & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
            {
                renegotiate = TRUE;
                /* optimization */