- Fix CAN-2005-2700

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that
renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require".

2 files changed, 15 insertions, 1 deletions

diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index ea3383d0980c..44c46a7bae65 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.0.54
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/%SUBDIR%/clement/}:powerlogo
diff --git a/www/apache2/files/patch-secfix-CAN-2005-2700 b/www/apache2/files/patch-secfix-CAN-2005-2700
new file mode 100644
index 000000000000..d720084ed8f9
--- /dev/null
+++ b/www/apache2/files/patch-secfix-CAN-2005-2700
@@ -0,0 +1,14 @@
+--- modules/ssl/ssl_engine_kernel.c	2005/08/30 15:54:34	264799
++++ modules/ssl/ssl_engine_kernel.c	2005/08/30 
+15:57:38	264800
+@@ -406,8 +406,8 @@
+                 (!(verify_old & SSL_VERIFY_PEER) &&
+                   (verify     & SSL_VERIFY_PEER)) ||
+ 
+-                (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
+-                  (verify     & SSL_VERIFY_PEER_STRICT)))
++                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
++                  (verify     & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
+             {
+                 renegotiate = TRUE;
+                 /* optimization */