From: Jeff Trawick Date: Fri, 7 Oct 2005 23:55:44 +0000 (+0000) Subject: backport from trunk and 2.2.x: X-Git-Tag: 2.0.55~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78097bc324d100e0c68d234d3bc3c0f218d97112;p=thirdparty%2Fapache%2Fhttpd.git backport from trunk and 2.2.x: SECURITY: CAN-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. Submitted by: Joe Orton Reviewed by: wrowe, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@307220 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1712823c758..da3b60b6dfb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.55 + *) SECURITY: CAN-2005-2700 (cve.mitre.org) + mod_ssl: Fix a security issue where "SSLVerifyClient" was not + enforced in per-location context if "SSLVerifyClient optional" + was configured in the vhost configuration. [Joe Orton] + *) worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames] diff --git a/STATUS b/STATUS index 7af4b887af5..9846ac5a3ba 100644 --- a/STATUS +++ b/STATUS @@ -104,12 +104,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - *) Fix CAN-2005-2700, mod_ssl SSLVerifyClient bug - http://svn.apache.org/viewcvs?rev=264800&view=rev - test case: perl-framework/t/security/CAN-2005-2700.t - +1: jorton, wrowe, trawick - wrowe cautions to backport to 2.2.x branch as well. - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 268079bd5c7..eeaf5ea6e99 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
@@ -406,8 +406,8 @@ int ssl_hook_Access(request_rec *r) (!(verify_old & SSL_VERIFY_PEER) && (verify & SSL_VERIFY_PEER)) || - (!(verify_old & SSL_VERIFY_PEER_STRICT) && - (verify & SSL_VERIFY_PEER_STRICT))) + (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) && + (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { renegotiate = TRUE; /* optimization */
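Review bot: the STATUS hunk drops the only mention of the regression test for this fix, `test case: perl-framework/t/security/CAN-2005-2700.t`, and neither the CHANGES entry nor the commit message names it; keep a pointer to the test alongside the CAN-2005-2700 entry so anyone verifying the backport on 2.0.x (or the 2.2.x branch the removed note cautions about) knows which case exercises the vhost `SSLVerifyClient optional` plus per-location `require` combination.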
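Review bot: the ssl_hook_Access hunk changes which bit the renegotiation trigger compares, from `SSL_VERIFY_PEER_STRICT` to `SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, but leaves no explanation of why the old mask failed to force a renegotiate when the vhost was configured `optional` and the location `require`; add a one-line comment above the condition stating that the old-versus-new check must look at the OpenSSL flag that distinguishes `require` from `optional` on its own, so a later cleanup does not reintroduce the composite constant. The `/* optimization */` comment on `renegotiate = TRUE` is also misleading for a security-relevant decision and would be clearer as "client cert is now required: force renegotiation".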