From: Sander Striker Date: Wed, 9 Jul 2003 12:27:12 +0000 (+0000) Subject: Forward port patch for CAN-2003-0192 from 2.0. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51b892f999120ee7256fbb52fcbbc27bd8a6e91d;p=thirdparty%2Fapache%2Fhttpd.git Forward port patch for CAN-2003-0192 from 2.0. SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [Ben Laurie] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl@100518 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/ssl_engine_kernel.c b/ssl_engine_kernel.c index 3d2c7de421b..18c987c10d7 100644 --- a/ssl_engine_kernel.c +++ b/ssl_engine_kernel.c @@ -442,7 +442,7 @@ int ssl_hook_Access(request_rec *r) SSL_set_verify_result(ssl, X509_V_OK); /* determine whether we've to force a renegotiation */ - if (verify != verify_old) { + if (!renegotiate && verify != verify_old) { if (((verify_old == SSL_VERIFY_NONE) && (verify != SSL_VERIFY_NONE)) ||
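Review bot: The new `!renegotiate &&` guard on the `if` under the "determine whether we've to force a renegotiation" comment is undocumented, and nothing in the hunk says why the verify-mode comparison can be skipped once a renegotiation is already pending. The commit message ties the fix to SSLCipherSuite upgrades across per-directory renegotiations, so a short comment at this line should state that `renegotiate` may already have been set earlier in `ssl_hook_Access` and that this branch must not override that decision. The body of the `if` is cut off after the `verify_old == SSL_VERIFY_NONE` test, so from the visible lines it cannot be confirmed that the skipped block does nothing beyond deciding whether to renegotiate. Check that no other state it sets is still needed when `renegotiate` is already true and `verify != verify_old`. A regression test that changes both the cipher suite and the verify mode for the same directory would cover the case this condition now handles differently.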