authorNiall O'Higgins <niallo@cvs.openbsd.org>2005-09-08 23:05:59 +0000
committerNiall O'Higgins <niallo@cvs.openbsd.org>2005-09-08 23:05:59 +0000
commit8b71c76df102c04c2cf5292954885a50cda822fb (patch)
treee730ea7775eeae3bfd467a34a84a950bb7057c15
parent68d75234d710569f4c15a4c2eb4e49d5703584c6 (diff)
ensure that renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require"; fixes CAN-2005-2700. ok henning@, "go for it" deraadt@
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index a8fdff3cf3d..fdc07837b13 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -866,8 +866,8 @@ int ssl_hook_Access(request_rec *r)
&& (nVerify != SSL_VERIFY_NONE))
|| ( !(nVerifyOld & SSL_VERIFY_PEER)
&& (nVerify & SSL_VERIFY_PEER))
- || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) {
+ || ( !(nVerifyOld & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+ && (nVerify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
renegotiate = TRUE;
/* optimization */
if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE
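Review bot: The rewritten third clause, `!(nVerifyOld & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) && (nVerify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)`, carries the whole fix but has no comment saying why the flag is tested on its own, so a later cleanup could merge the masks again. I would add above it `/* test FAIL_IF_NO_PEER_CERT separately: PEER is already set for "optional", so a combined mask misses the optional -> require upgrade */`; that PEER is set for "optional" is inferred from the commit message and the removed lines. The `/* optimization */` branch that follows looks like it can clear `renegotiate` again, and its condition runs past the end of the hunk, so it is worth confirming it cannot skip the handshake for a connection that has presented no client certificate. The enclosing `if` also starts before the hunk.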