From 9048b9f36a53159864aae8471906597a4d1d37b7 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Sun, 26 Aug 2018 02:03:46 -0400
Subject: [PATCH] Use system-wide crypto policy

Upstream uses reasonable defaults and keeps them updated. However, Fedora packages should use the system-wide crypto policy.

Reference: https://fedoraproject.org/wiki/Packaging:CryptoPolicies
---
0001-Use-system-wide-crypto-policy.patch | 42 ++++++++++++++++++++++++
znc.spec | 4 +++
2 files changed, 46 insertions(+)
create mode 100644 0001-Use-system-wide-crypto-policy.patch

diff --git a/0001-Use-system-wide-crypto-policy.patch b/0001-Use-system-wide-crypto-policy.patch
new file mode 100644
index 0000000..04b4cfa
--- /dev/null
+++ b/0001-Use-system-wide-crypto-policy.patch
@@ -0,0 +1,42 @@
+From f0f51d75c160baeb212090940ec1dc35af9bd565 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger
+Date: Sun, 26 Aug 2018 01:31:13 -0400
+Subject: [PATCH] Use system-wide crypto policy
+
+Reference: https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+---
+ src/Socket.cpp | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/src/Socket.cpp b/src/Socket.cpp
+index fa510462..e40c76ea 100644
+--- a/src/Socket.cpp
++++ b/src/Socket.cpp
+@@ -28,21 +28,10 @@
+ #endif
+
+ #ifdef HAVE_LIBSSL
+-// Copypasted from
+-// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+-// at 2018-04-01
++// Use system-wide crypto policy
++// https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+ static CString ZNC_DefaultCipher() {
+- return "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-"
+- "ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-"
+- "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-"
+- "SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-"
+- "RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
+- "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-"
+- "SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
+- "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
+- "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
+- "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-"
+- "SHA:DES-CBC3-SHA:!DSS";
++ return "PROFILE=SYSTEM";
+ }
+ #endif
+
+--
+2.19.0.rc0
+
diff --git a/znc.spec b/znc.spec
index 8c39890..1b0143b 100644
--- a/znc.spec
+++ b/znc.spec
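Review bot: In the embedded src/Socket.cpp patch, the new comment above `ZNC_DefaultCipher()` does not say that `"PROFILE=SYSTEM"` is a distribution extension: it is resolved only by OpenSSL builds that carry the crypto-policies patch, and any other TLS library reaching the HAVE_LIBSSL path will not recognise the string. I would extend the comment to something like `// "PROFILE=SYSTEM" is resolved by the distribution's OpenSSL against the system crypto policy; it is not a portable cipher string.` How a rejected cipher string is handled lies outside this hunk, so it is worth confirming that a listener or outgoing connection fails closed rather than continuing with library defaults. The function only supplies the default, so presumably a cipher list set in the ZNC configuration still overrides the system policy; saying so in the package documentation would help administrators who expect the policy to be enforced.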
@@ -21,6 +21,9 @@ URL: https://znc.in Source0: %{url}/releases/%{name}-%{version}.tar.gz Source1: %{url}/releases/%{name}-%{version}.tar.gz.sig Source2: gpgkey-5AE420CC0209989E.asc +# Use system-wide crypto policy +# https://fedoraproject.org/wiki/Packaging:CryptoPolicies +Patch0: 0001-Use-system-wide-crypto-policy.patch BuildRequires: automake BuildRequires: c-ares-devel @@ -219,6 +222,7 @@ getent passwd znc >/dev/null || \ - Enable verbose make - Pass --with-tcl to ensure tclConfig.sh is found - Remove Group tag +- Use system-wide crypto policy * Mon Jul 23 2018 Nick Bebout - 1.7.1-2 - Add gcc-c++ and redhat-rpm-config to znc-devel's dependencies
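Review bot: The first znc.spec hunk declares `Patch0:` but none of the four added lines applies it, so the new cipher default only reaches the build if %prep, which is outside these hunks, already uses `%autosetup` or `%autopatch`. If %prep uses plain `%setup`, a `%patch0 -p1` line is needed there. Without it the package would keep the upstream hard-coded cipher list while the changelog entry states that the system-wide policy is in use.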