Vulnerability Note VU#744929

mod_ssl fails to properly enforce client certificate authentication

Original Release date: 09 Sep 2005 | Last revised: 18 Oct 2006


Overview

mod_ssl, the Apache web server module for Secure Sockets Layer (SSL) communications, may fail to enforce a per-location requirement that web users present a client certificate.


Description

mod_ssl provides Secure Sockets Layer (SSL) support for the Apache web server. SSL encrypts TCP connections and can authenticate either endpoint. An Apache server using mod_ssl can be configured to authenticate web users by requiring them to present X.509 client certificates (the SSLVerifyClient directive).

The client certificate requirement is not enforced when a virtual host sets client authentication to optional at the host level ("SSLVerifyClient optional") but requires a certificate for some location within that host ("SSLVerifyClient require" in a <Location> or similar per-directory context). A client that established the SSL session without presenting a certificate, which the optional host-level setting permits, is then granted access to the location that was supposed to require one.
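As an added example (not part of this note and not Apache's own code), the following Python script scans an Apache configuration for the combination described above and reports each virtual host whose host-level SSLVerifyClient value is optional while a nested <Location>, <Directory> or <Files> container sets require. The embedded configuration is constructed for illustration: the first virtual host shows the affected pattern, the second requires a certificate for the whole host. Host names, addresses and paths are placeholders, and the parser handles only the container directives it needs for this check.

```python
"""Audit an Apache/mod_ssl configuration for the VU#744929 pattern:
SSLVerifyClient optional at virtual-host level combined with
SSLVerifyClient require inside a per-location container.
Added example; not code from the vulnerability note or from Apache."""
import re
import sys

# Constructed sample configuration (not from the note). Host names, addresses
# and paths are placeholders. The first virtual host shows the affected
# pattern; the second demands a certificate for the whole host.
SAMPLE_CONFIG = """
SSLVerifyClient none

<VirtualHost 10.0.0.1:443>
    ServerName secure.example.test
    SSLEngine on
    # optional at host level ...
    SSLVerifyClient optional
    SSLVerifyDepth 2
    <Location /restricted>
        # ... required only here: not enforced on affected versions
        SSLVerifyClient require
    </Location>
    <Directory /var/www/public>
        Options None
    </Directory>
</VirtualHost>

<VirtualHost 10.0.0.2:443>
    ServerName strict.example.test
    SSLEngine on
    SSLVerifyClient require
    <Location /restricted>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

CONTAINERS = ("virtualhost", "location", "locationmatch", "directory",
              "directorymatch", "files", "filesmatch")
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
VERIFY_RE = re.compile(r"^SSLVerifyClient\s+(\S+)\s*$", re.IGNORECASE)


def parse_verify_settings(config_text):
    """Return one dict per <VirtualHost>:
    {"vhost": argument of the container, "name": ServerName or None,
     "host_level": effective SSLVerifyClient at host level,
     "containers": {"<Location /x>": value, ...}}
    A main-server SSLVerifyClient is inherited by hosts that set none."""
    server_level = None   # SSLVerifyClient outside any <VirtualHost>
    hosts = []
    stack = []            # open containers as (kind, argument)
    current = None        # host dict currently being filled

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m and m.group(1).lower() in CONTAINERS:
            kind, arg = m.group(1), m.group(2).strip()
            stack.append((kind, arg))
            if kind.lower() == "virtualhost":
                current = {"vhost": arg, "name": None,
                           "host_level": None, "containers": {}}
                hosts.append(current)
            continue
        m = CLOSE_RE.match(line)
        if m and stack and stack[-1][0].lower() == m.group(1).lower():
            kind, _ = stack.pop()
            if kind.lower() == "virtualhost":
                current = None
            continue
        m = VERIFY_RE.match(line)
        if not m:
            if current is not None and line.lower().startswith("servername "):
                current["name"] = line.split(None, 1)[1]
            continue
        value = m.group(1).lower()
        if current is None:
            if not stack:
                server_level = value
            continue
        if len(stack) == 1:          # directly inside <VirtualHost>
            current["host_level"] = value
        else:                        # inside a nested container
            kind, arg = stack[-1]
            current["containers"]["<%s %s>" % (kind, arg)] = value

    for host in hosts:
        if host["host_level"] is None:
            host["host_level"] = server_level
    return hosts


def find_bypass_candidates(hosts):
    """(host name, container) pairs where the host level is 'optional' and a
    container says 'require': the pattern affected mod_ssl did not enforce."""
    findings = []
    for host in hosts:
        if host["host_level"] != "optional":
            continue
        for container, value in host["containers"].items():
            if value == "require":
                findings.append((host["name"] or host["vhost"], container))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, where in find_bypass_candidates(parse_verify_settings(text)):
        print("VU#744929 pattern: %s is 'optional' at host level but %s "
              "sets 'require'" % (name, where))
```

Run it with a path to httpd.conf (or with no argument to scan the embedded sample). A hit means the per-location certificate requirement is the only thing protecting that path on an unpatched server; a host whose own level is already "require" is enforced in the initial handshake and is not reported.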


Impact

A remote attacker can retrieve documents from a certificate-restricted section of an affected web site without presenting a valid client certificate. Any access control on such a site that relies solely on the per-location client certificate check should be considered bypassable.


Solution

Upgrade to mod_ssl 2.8.24 or later (for Apache 1.3), or to Apache HTTP Server 2.0.55 or later, which contains the corresponding fix, or apply a patch as specified by your vendor.

Until a fixed version is installed, a workaround is to move the requirement to the virtual host level ("SSLVerifyClient require" for the whole host). The certificate is then demanded during the initial SSL handshake, which is not affected by this issue, at the cost of requiring a certificate for every resource on that host.

Systems Affected

Vendor                      Status    Date Notified  Date Updated
Apache HTTP Server Project  Affected  -              18 Oct 2005
Avaya, Inc.                 Affected  -              03 Oct 2005
Debian Linux                Affected  07 Sep 2005    12 Sep 2005
F5 Networks, Inc.           Affected  07 Sep 2005    08 Sep 2005
Fedora Project              Affected  -              09 Sep 2005
Gentoo Linux                Affected  -              23 Sep 2005
Mandriva, Inc.              Affected  07 Sep 2005    03 Oct 2005
Mandriva, Inc.              Affected  07 Sep 2005    09 Sep 2005
mod_ssl                     Affected  07 Sep 2005    09 Sep 2005
OpenPKG                     Affected  07 Sep 2005    07 Sep 2005
Oracle Corporation          Affected  07 Sep 2005    18 Oct 2006
Red Hat, Inc.               Affected  07 Sep 2005    28 Dec 2005
Slackware Linux Inc.        Affected  -              09 Sep 2005
SUSE Linux                  Affected  07 Sep 2005    16 Sep 2005
Trustix Secure Linux        Affected  -              09 Sep 2005

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



Credit

Reported by Joe Orton of Red Hat.

This document was written by Hal Burch.

Other Information

  • CVE IDs: CVE-2005-2700
  • Date Public: 31 Aug 2005
  • Date First Published: 09 Sep 2005
  • Date Last Updated: 18 Oct 2006
  • Severity Metric: 1.45
  • Document Revision: 69

