disable SSLv2 support altogether (without ABI break)
This commit is contained in:
Tomas Mraz
parent
589d3ee15b
commit
0a6d0e5ddc
|
|
@ -0,0 +1,27 @@
|
|||
diff -up openssl-1.0.2g/ssl/ssl.h.remove-ssl2 openssl-1.0.2g/ssl/ssl.h
|
||||
--- openssl-1.0.2g/ssl/ssl.h.remove-ssl2 2016-03-02 09:26:24.000000000 +0100
|
||||
+++ openssl-1.0.2g/ssl/ssl.h 2016-03-29 15:24:01.471422525 +0200
|
||||
@@ -2283,7 +2283,7 @@ const char *SSL_get_version(const SSL *s
|
||||
/* This sets the 'default' SSL version that SSL_new() will create */
|
||||
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
|
||||
|
||||
-# ifndef OPENSSL_NO_SSL2
|
||||
+# ifndef OPENSSL_NO_SSL2_METHOD
|
||||
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
|
||||
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
|
||||
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
|
||||
diff -up openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 openssl-1.0.2g/ssl/s2_meth.c
|
||||
--- openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 2016-01-28 14:38:31.000000000 +0100
|
||||
+++ openssl-1.0.2g/ssl/s2_meth.c 2016-03-29 15:19:49.319654216 +0200
|
||||
@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
|
||||
ssl2_accept, ssl2_connect, ssl2_get_method)
|
||||
#else /* !OPENSSL_NO_SSL2 */
|
||||
|
||||
-# if PEDANTIC
|
||||
-static void *dummy = &dummy;
|
||||
-# endif
|
||||
+const SSL_METHOD *SSLv2_method(void) { return NULL; }
|
||||
+const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
|
||||
+const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
|
||||
|
||||
#endif
|
||||
11
openssl.spec
11
openssl.spec
|
|
@ -23,7 +23,7 @@
|
|||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.2g
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
|
@ -88,6 +88,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
|
|||
Patch80: openssl-1.0.2e-wrap-pad.patch
|
||||
Patch81: openssl-1.0.2a-padlock64.patch
|
||||
Patch82: openssl-1.0.2c-trusted-first-doc.patch
|
||||
Patch83: openssl-1.0.2g-remove-ssl2.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
|
|
@ -212,6 +213,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
|||
%patch80 -p1 -b .wrap
|
||||
%patch81 -p1 -b .padlock64
|
||||
%patch82 -p1 -b .trusted-first
|
||||
%patch83 -p1 -b .remove-ssl2
|
||||
|
||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||
|
||||
|
|
@ -287,8 +289,8 @@ sslflags=enable-ec_nistp_64_gcc_128
|
|||
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||
zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
|
||||
enable-cms enable-md2 enable-ssl2 \
|
||||
no-mdc2 enable-rc5 no-ec2m no-gost no-srp \
|
||||
enable-cms enable-md2 enable-rc5 \
|
||||
no-mdc2 no-ec2m no-gost no-srp \
|
||||
--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
|
||||
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
|
||||
|
||||
|
|
@ -502,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue Mar 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-4
|
||||
- disable SSLv2 support altogether (without ABI break)
|
||||
|
||||
* Mon Mar 7 2016 Tom Callaway <spot@fedoraproject.org> - 1.0.2g-3
|
||||
- enable RC5
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue