httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53193] SSLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY
Date Thu, 22 Nov 2012 17:10:07 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193

--- Comment #1 from Arnis Ut <arnis@ut.ee> ---
Created attachment 29622
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29622&action=edit
patch

Confirmed.
When a client certificate is requested in server context and a GENEROUS'ly verified
session is resumed, SSL_CLIENT_VERIFY will be set to SUCCESS.

This is a security bug for those who rely on SSL_CLIENT_VERIFY to test whether
certificate verification was successful.

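One way to look for the behaviour described in the comment above in access logs, as an added example that is not part of the bug report or the attached patch. It assumes a hypothetical LogFormat recording `%{SSL_SESSION_ID}x`, `%{SSL_SESSION_RESUMED}x` and `%{SSL_CLIENT_VERIFY}x`; the log lines are constructed.

```python
import re

# Assumed (hypothetical) log format, not taken from the bug report:
#   LogFormat "%h %{SSL_SESSION_ID}x %{SSL_SESSION_RESUMED}x %{SSL_CLIENT_VERIFY}x \"%r\"" sslverify
# Constructed sample lines; session IDs are shortened placeholders.
SAMPLE_LOG = """\
192.0.2.10 A1B2C3 Initial GENEROUS "GET /login HTTP/1.1"
192.0.2.10 A1B2C3 Resumed SUCCESS "GET /admin HTTP/1.1"
192.0.2.20 D4E5F6 Initial SUCCESS "GET /login HTTP/1.1"
192.0.2.20 D4E5F6 Resumed SUCCESS "GET /admin HTTP/1.1"
192.0.2.30 0718AA Resumed SUCCESS "GET /admin HTTP/1.1"
192.0.2.40 - Initial NONE "GET / HTTP/1.1"
"""

# The verify field may contain spaces (FAILED:reason), so it runs up to the quote.
LINE_RE = re.compile(r'^(\S+) (\S+) (Initial|Resumed) (.+?) "(.*)"$')


def find_suspect_resumptions(lines):
    """Return (session_id, host, request, reason) for resumed sessions that
    report SUCCESS although the full handshake did not, or cannot be checked."""
    initial_status = {}  # session id -> SSL_CLIENT_VERIFY seen at the full handshake
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        host, sid, phase, verify, request = m.groups()
        if sid == "-":
            continue  # no TLS session recorded
        if phase == "Initial":
            initial_status[sid] = verify
            continue
        if verify != "SUCCESS":
            continue  # resumed session is not claiming a verified certificate
        first = initial_status.get(sid)
        if first is None:
            # Full handshake is outside this log window: cannot confirm SUCCESS.
            findings.append((sid, host, request, "unverifiable"))
        elif first != "SUCCESS":
            findings.append((sid, host, request, "upgraded from " + first))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_resumptions(SAMPLE_LOG.splitlines()):
        print(finding)
```
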