You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2005/08/30 17:57:43 UTC
svn commit: r264800 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_kernel.c
Author: jorton
Date: Tue Aug 30 08:57:38 2005
New Revision: 264800
URL: http://svn.apache.org/viewcvs?rev=264800&view=rev
Log:
Fix CVE CAN-2005-2700:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that
renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require".
The boolean "verify_old & SSL_VERIFY_PEER_STRICT" is true if the old
context merely has optional verification configured, since the
definition of SSL_VERIFY_PEER_STRICT is
(SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER).
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=264800&r1=264799&r2=264800&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Aug 30 08:57:38 2005
@@ -2,6 +2,11 @@
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+ mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+ enforced in per-location context if "SSLVerifyClient optional"
+ was configured in the vhost configuration. [Joe Orton]
+
*) mod_cgid: run the get_suexec_identity hook within the request-handler
instead of within cgid. PR36410. [Colm MacCarthaigh]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=264800&r1=264799&r2=264800&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Tue Aug 30 08:57:38 2005
@@ -406,8 +406,8 @@
(!(verify_old & SSL_VERIFY_PEER) &&
(verify & SSL_VERIFY_PEER)) ||
- (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
- (verify & SSL_VERIFY_PEER_STRICT)))
+ (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
{
renegotiate = TRUE;
/* optimization */