From: Joe Orton Date: Tue, 30 Aug 2005 15:57:38 +0000 (+0000) Subject: Fix CVE CAN-2005-2700: X-Git-Tag: 2.3.0~3040 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a1e9d51be373b9c9e537d129a48e140232643a9e;p=apache Fix CVE CAN-2005-2700: * modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that renegotiation is performed for a transition from "SSLVerifyClient optional" to "SSLVerifyClient require". The boolean "verify_old & SSL_VERIFY_PEER_STRICT" is true if the old context merely has optional verification configured, since the definition of SSL_VERIFY_PEER_STRICT is (SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@264800 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 5c965fcfd2..f46c4ac80c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.3.0 [Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+ mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+ enforced in per-location context if "SSLVerifyClient optional"
+ was configured in the vhost configuration. [Joe Orton]
+
 *) mod_cgid: run the get_suexec_identity hook within the request-handler instead of within cgid. PR36410. [Colm MacCarthaigh]
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 25b8a4879f..02ee92a806 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -406,8 +406,8 @@ int ssl_hook_Access(request_rec *r)
 (!(verify_old & SSL_VERIFY_PEER) &&
 (verify & SSL_VERIFY_PEER)) ||
- (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
- (verify & SSL_VERIFY_PEER_STRICT)))
+ (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
 {
 renegotiate = TRUE;
 /* optimization */
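Review bot: The corrected clause in ssl_hook_Access has no comment saying why it tests the single bit SSL_VERIFY_FAIL_IF_NO_PEER_CERT rather than the composite SSL_VERIFY_PEER_STRICT, so a later cleanup could put the mask back and silently reopen the bypass. I would add directly above it `/* test only the FAIL_IF_NO_PEER_CERT bit: SSL_VERIFY_PEER_STRICT is a two-bit mask, so "& STRICT" is already non-zero for "optional" */`. The commit also carries no regression test for a vhost with "SSLVerifyClient optional" and a location with "SSLVerifyClient require"; a request without a client certificate that must be refused would pin the fix. The `if` condition starts above the hunk and its body continues below it, so whether other truthiness tests of the form `x & SSL_VERIFY_PEER_STRICT` remain elsewhere in the file cannot be told from here and is worth checking.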