reinstate accidentally dropped patch for weak ciphersuites

2018-09-17 12:56:19 +02:00 · 2018-09-17 12:56:19 +02:00 · 33bd389ea8
commit 33bd389ea8
parent 746c76a1d7
2 changed files with 61 additions and 1 deletions
--- a/openssl-1.1.1-weak-ciphers.patch
+++ b/openssl-1.1.1-weak-ciphers.patch
@ -0,0 +1,57 @@
+diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
+--- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers	2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/s3_lib.c	2018-09-17 12:53:33.850637181 +0200
+@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_GOST89MAC,
+      TLS1_VERSION, TLS1_2_VERSION,
+      0, 0,
+-     SSL_HIGH,
+     SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
+      256,
+      256,
+@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_GOST89MAC12,
+      TLS1_VERSION, TLS1_2_VERSION,
+      0, 0,
+-     SSL_HIGH,
+     SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
+      256,
+      256,
+@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      },
+ #endif                          /* OPENSSL_NO_SEED */
+ 
+-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No MD5 ciphersuites */
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_MD5,
+@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
+#endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_SHA,
+@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
+#endif
+#if 0
+     {
+      1,
+      SSL3_TXT_ADH_RC4_128_MD5,
+@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
+#endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
--- a/openssl.spec
+++ b/openssl.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -449,6 +449,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig

 %changelog
+* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
+- reinstate accidentally dropped patch for weak ciphersuites
+
 * Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
 - for consistent support of security policies we build
  RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2