diff --git a/Makefile.certificate b/Makefile.certificate
index 4f9d55d..cc88c52 100644
--- a/Makefile.certificate
+++ b/Makefile.certificate
@@ -1,8 +1,11 @@
 UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
-SERIAL=0
 DAYS=365
 KEYLEN=2048
 TYPE=rsa:$(KEYLEN)
+EXTRA_FLAGS=
+ifdef SERIAL
+ EXTRA_FLAGS+=-set_serial $(SERIAL)
+endif
 .PHONY: usage
 .SUFFIXES: .key .csr .crt .pem
@@ -23,8 +26,9 @@ usage:
 @echo "To create a CSR for use with Apache, run \"make certreq\"."
 @echo "To create a test certificate for use with Apache, run \"make testcert\"."
 @echo
- @echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+ @echo "To create a test certificate with serial number other than random, add SERIAL=num"
 @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
+ @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
 @echo
 @echo Examples:
 @echo " make server.key"
@@ -35,14 +39,14 @@ usage:
 @echo " make certreq"
 @echo " make testcert"
 @echo " make server.crt SERIAL=1"
- @echo " make stunnel.pem SERIAL=2"
- @echo " make testcert SERIAL=3"
+ @echo " make stunnel.pem EXTRA_FLAGS=-sha384"
+ @echo " make testcert DAYS=600"
 %.pem:
 umask 77 ; \
 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
+ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
 cat $$PEM1 > $@ ; \
 echo "" >> $@ ; \
 cat $$PEM2 >> $@ ; \
@@ -58,7 +62,7 @@ usage:
 %.crt: %.key
 umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
 TLSROOT=/etc/pki/tls
 KEY=$(TLSROOT)/private/localhost.key
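Review bot: Folding `-set_serial` into `EXTRA_FLAGS` in the first hunk means the two documented knobs cannot be combined. GNU make ignores ordinary makefile assignments, including `+=`, to a variable that was set on the command line, so `make server.crt SERIAL=1 EXTRA_FLAGS=-sha384` expands to `-sha384` only and the certificate silently gets a random serial instead of the requested one. Keeping the serial in its own variable avoids this, e.g. `SERIAL_FLAG=-set_serial $(SERIAL)` inside the `ifdef` and `$(SERIAL_FLAG) $(EXTRA_FLAGS)` in the three `openssl req` recipes (`%.pem`, `%.crt` and `$(CRT)`); `override EXTRA_FLAGS+=-set_serial $(SERIAL)` would also work. The usage text could then state that `SERIAL` and `EXTRA_FLAGS` may be given together.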
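Review bot: In the `%.pem` recipe the `openssl req` call is joined to the following `cat` commands with `;`, so a non-zero exit from openssl does not stop the recipe. That matters more now that arbitrary options arrive through `EXTRA_FLAGS`: a mistyped option makes openssl fail, yet `$@` appears to still be written from the empty temp files and will look up to date on the next run. Chaining the line with `&&`, as in `-out $$PEM2 $(EXTRA_FLAGS) && \`, would surface the failure. The recipe continues past the end of this hunk, so its final exit status is not visible here.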
@@ -75,4 +79,4 @@ $(CSR): $(KEY)
 $(CRT): $(KEY)
 umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
diff --git a/openssl.spec b/openssl.spec
index fa18769..6d27b92 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -227,6 +227,9 @@ if ! echo %{_target} | grep -q i686 ; then
 sslflags="no-asm 386"
 fi
 %endif
+%ifarch x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
 %ifarch sparcv9
 sslarch=linux-sparcv9
 sslflags=no-asm
@@ -243,21 +246,25 @@ sslarch="linux-generic32 -DB_ENDIAN"
 %endif
 %ifarch s390x
 sslarch="linux64-s390x"
+sslflags=enable-ec_nistp_64_gcc_128
 %endif
 %ifarch %{arm}
 sslarch=linux-armv4
 %endif
 %ifarch aarch64
 sslarch=linux-aarch64
+sslflags=enable-ec_nistp_64_gcc_128
 %endif
 %ifarch sh3 sh4
 sslarch=linux-generic32
 %endif
 %ifarch ppc64 ppc64p7
 sslarch=linux-ppc64
+sslflags=enable-ec_nistp_64_gcc_128
 %endif
 %ifarch ppc64le
 sslarch="linux-ppc64le"
+sslflags=enable-ec_nistp_64_gcc_128
 %endif
 # ia64, x86_64, ppc are OK by default
@@ -268,7 +275,7 @@ sslarch="linux-ppc64le"
 --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- enable-cms enable-md2 enable-ec_nistp_64_gcc_128 \
+ enable-cms enable-md2 \
 no-mdc2 no-rc5 no-ec2m no-gost no-srp \
 --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
@@ -488,6 +495,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 - enable fast assembler implementation for NIST P-256 and P-521 elliptic curves (#1164210)
 - filter out unwanted link options from the .pc files (#1257836)
+- do not set serial to 0 in Makefile.certificate (#1135719)
 * Mon Nov 16 2015 Tomáš Mráz 1.0.2d-3
 - fix sigill on some AMD CPUs (#1278194)
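Review bot: The per-architecture `sslflags=enable-ec_nistp_64_gcc_128` lines in the `-243,21` hunk turn the option on for s390x and ppc64, which are big-endian. As far as I know, upstream describes this 64-bit NIST curve code as written for little-endian targets with `__uint128_t`, so it is worth confirming that the package's EC tests pass on those two architectures before relying on it there. A short comment beside the assignments recording which architectures were verified would help later maintainers. Separately, these lines and the x86_64 one in the `-227,6` hunk assign rather than append; that is harmless while no earlier block sets `sslflags` for the same architecture, but `sslflags="${sslflags} enable-ec_nistp_64_gcc_128"` would survive later edits.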