From 8b71c76df102c04c2cf5292954885a50cda822fb Mon Sep 17 00:00:00 2001
From: Niall O'Higgins
Date: Thu, 8 Sep 2005 23:05:59 +0000
Subject: ensure that renegotiation is performed for a transition from "SSLVerifyClient optional" to "SSLVerifyClient require" fixes CAN-2005-2700 ok henning@, "go for it" deraadt@
---
 usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
index a8fdff3cf3d..fdc07837b13 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
@@ -866,8 +866,8 @@ int ssl_hook_Access(request_rec *r)
 && (nVerify != SSL_VERIFY_NONE))
 || ( !(nVerifyOld & SSL_VERIFY_PEER)
 && (nVerify & SSL_VERIFY_PEER))
- || ( !(nVerifyOld & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- && (nVerify & (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))) {
+ || ( !(nVerifyOld & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+ && (nVerify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
 renegotiate = TRUE;
 /* optimization */
 if ( dc->nOptions & SSL_OPT_OPTRENEGOTIATE
-- 
cgit v1.2.3
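Review bot: The third clause of the renegotiation condition in ssl_hook_Access carries no comment saying which transition it covers, and the fix depends on exactly that. Going by the commit message, a move from "optional" to "require" leaves SSL_VERIFY_PEER set in both nVerifyOld and nVerify, so the newly set SSL_VERIFY_FAIL_IF_NO_PEER_CERT bit is the only thing that can make this clause true. I would add a comment directly above it, for example `/* optional -> require: PEER is already set, so test FAIL_IF_NO_PEER_CERT on its own */`, so that a later cleanup does not fold the two flags back into one mask and silently skip the renegotiation again. The `if` opens above the hunk and its body runs past the last line shown, so an existing comment outside the hunk may already cover part of this.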