openssl

Commit Graph

Author	SHA1	Message	Date
Dmitry Belyavskiy	e994f999e2	Rebase to upstream version 3.0.8 Resolves: CVE-2022-4203 Resolves: CVE-2022-4304 Resolves: CVE-2022-4450 Resolves: CVE-2023-0215 Resolves: CVE-2023-0216 Resolves: CVE-2023-0217 Resolves: CVE-2023-0286 Resolves: CVE-2023-0401	2023-02-09 17:46:45 +01:00
Dmitry Belyavskiy	8a03afa13c	Rebasing to OpenSSL 3.0.3 Resolves: rhbz#2091987	2022-06-01 17:29:35 +02:00
Clemens Lang	432cfa2baa	Allow disabling of SHA1 signatures NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to denying SHA1 signatures. On Fedora, the default is – for now – to allow SHA1 signatures. In order to phase out SHA1 signatures, introduce a new configuration option in the alg_section named 'rh-allow-sha1-signatures'. This option defaults to true. If set to false, any signature creation or verification operations that involve SHA1 as digest will fail. This also affects TLS, where the signature_algorithms extension of any ClientHello message sent by OpenSSL will no longer include signatures with the SHA1 digest if rh-allow-sha1-signatures is false. For servers that request a client certificate, the same also applies for CertificateRequest messages sent by them. Resolves: rhbz#2070977 Related: rhbz#2031742, rhbz#2062640 Signed-off-by: Clemens Lang <cllang@redhat.com>	2022-04-07 18:14:04 +02:00

Author

SHA1

Message

Date

Dmitry Belyavskiy

e994f999e2

Rebase to upstream version 3.0.8

Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401

2023-02-09 17:46:45 +01:00

Dmitry Belyavskiy

8a03afa13c

Rebasing to OpenSSL 3.0.3

Resolves: rhbz#2091987

2022-06-01 17:29:35 +02:00

Clemens Lang

432cfa2baa

Allow disabling of SHA1 signatures

NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
denying SHA1 signatures. On Fedora, the default is – for now – to allow
SHA1 signatures.

In order to phase out SHA1 signatures, introduce a new configuration
option in the alg_section named 'rh-allow-sha1-signatures'. This option
defaults to true. If set to false, any signature creation or
verification operations that involve SHA1 as digest will fail.

This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.

Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640
Signed-off-by: Clemens Lang <cllang@redhat.com>

2022-04-07 18:14:04 +02:00

3 Commits