author | Niall O'Higgins <niallo@cvs.openbsd.org> | 2005-09-08 23:05:59 +0000 |
---|---|---|
committer | Niall O'Higgins <niallo@cvs.openbsd.org> | 2005-09-08 23:05:59 +0000 |
commit | 8b71c76df102c04c2cf5292954885a50cda822fb (patch) | |
tree | e730ea7775eeae3bfd467a34a84a950bb7057c15 | |
parent | 68d75234d710569f4c15a4c2eb4e49d5703584c6 (diff) |
ensure that renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require"
fixes CAN-2005-2700
ok henning@, "go for it" deraadt@
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index a8fdff3cf3d..fdc07837b13 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -866,8 +866,8 @@ int ssl_hook_Access(request_rec *r)
 && (nVerify != SSL_VERIFY_NONE))
 || ( !(nVerifyOld & SSL_VERIFY_PEER)
 && (nVerify & SSL_VERIFY_PEER))
- || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) {
+ || ( !(nVerifyOld & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+ && (nVerify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
 renegotiate = TRUE;
 /* optimization */
 if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE |
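Review bot: The third clause of the renegotiation test in ssl_hook_Access now carries the whole optional-to-require guarantee, yet nothing next to it says so. A comment directly above it, such as `/* FAIL_IF_NO_PEER_CERT newly set (optional -> require): force renegotiation, CAN-2005-2700 */`, would stop a later cleanup from folding the two masks back together. Assuming "optional" maps to SSL_VERIFY_PEER alone, the old combined mask was already non-zero on the old side, so its negated test could not fire for that transition. The `/* optimization */` branch that opens on the last context line continues outside the hunk, as does the start of the condition. It is worth confirming that this branch cannot clear `renegotiate` when the existing session carries no client certificate.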