SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
authorSander Striker <striker@apache.org>
Wed, 9 Jul 2003 11:07:37 +0000 (11:07 +0000)
committerSander Striker <striker@apache.org>
Wed, 9 Jul 2003 11:07:37 +0000 (11:07 +0000)
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@100506 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index b550a88c7020b02e983d346be5de4852e5910517..adaea8b8a7240a0d882d6731619eebbc056dcec6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,11 @@
 Changes with Apache 2.0.47
 
+  *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
+     of per-directory renegotiations and the SSLCipherSuite directive
+     being used to upgrade from a weak ciphersuite to a strong one
+     could result in the weak ciphersuite being used in place of the
+     strong one.  [Ben Laurie]
+
   *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
      temporary denial of service when accept() on a rarely accessed port
      returns certain errors.  Reported by Saheed Akhtar
index 628d862ff21195f07922047dece06ef7ca6e16f1..2d628b85298c2a56c000dedef44035fb1ea623ca 100644 (file)
@@ -432,7 +432,7 @@ int ssl_hook_Access(request_rec *r)
         SSL_set_verify_result(ssl, X509_V_OK);
 
         /* determine whether we've to force a renegotiation */
-        if (verify != verify_old) {
+        if (!renegotiate && verify != verify_old) {
             if (((verify_old == SSL_VERIFY_NONE) &&
                  (verify     != SSL_VERIFY_NONE)) ||