enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)
This commit is contained in:
Tomas Mraz
parent
6b68d87d06
commit
81258b6d2a
|
|
@ -0,0 +1,30 @@
|
|||
diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
|
||||
--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
|
||||
+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
|
||||
@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_GOST89MAC,
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
|
||||
256,
|
||||
256,
|
||||
@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_GOST89MAC12,
|
||||
TLS1_VERSION, TLS1_2_VERSION,
|
||||
0, 0,
|
||||
- SSL_HIGH,
|
||||
+ SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
|
||||
256,
|
||||
256,
|
||||
@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
#endif /* OPENSSL_NO_SEED */
|
||||
|
||||
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
+#if 0 /* No RC4 */
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_RC4_128_MD5,
|
||||
|
|
@ -22,7 +22,7 @@
|
|||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.0f
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
|
@ -60,6 +60,7 @@ Patch41: openssl-1.1.0-system-cipherlist.patch
|
|||
Patch42: openssl-1.1.0-fips.patch
|
||||
Patch43: openssl-1.1.0-afalg-eventfd2.patch
|
||||
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
|
||||
Patch45: openssl-1.1.0-weak-ciphers.patch
|
||||
# Backported fixes including security fixes
|
||||
Patch70: openssl-1.1.0-thread-local.patch
|
||||
|
||||
|
|
@ -162,6 +163,7 @@ cp %{SOURCE13} test/
|
|||
%patch42 -p1 -b .fips
|
||||
%patch43 -p1 -b .eventfd2
|
||||
%patch44 -p1 -b .preserve-nl
|
||||
%patch45 -p1 -b .weak-ciphers
|
||||
|
||||
%patch70 -p1 -b .thread-local
|
||||
|
||||
|
|
@ -240,6 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
|
|||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
|
||||
enable-weak-ssl-ciphers \
|
||||
no-mdc2 no-ec2m \
|
||||
shared ${sslarch} $RPM_OPT_FLAGS
|
||||
|
||||
|
|
@ -431,6 +434,9 @@ export LD_LIBRARY_PATH
|
|||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Jun 15 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-3
|
||||
- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)
|
||||
|
||||
* Mon Jun 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-2
|
||||
- only release thread-local key if we created it (from upstream) (#1458775)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue