enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)

This commit is contained in:
Tomas Mraz 2017-06-15 15:17:26 +02:00
parent 6b68d87d06
commit 81258b6d2a
2 changed files with 37 additions and 1 deletions

View File

@ -0,0 +1,30 @@
diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256,
@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
SSL_GOST89MAC12,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
- SSL_HIGH,
+ SSL_MEDIUM,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256,
@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
},
#endif /* OPENSSL_NO_SEED */
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+#if 0 /* No RC4 */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,

View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.0f Version: 1.1.0f
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -60,6 +60,7 @@ Patch41: openssl-1.1.0-system-cipherlist.patch
Patch42: openssl-1.1.0-fips.patch Patch42: openssl-1.1.0-fips.patch
Patch43: openssl-1.1.0-afalg-eventfd2.patch Patch43: openssl-1.1.0-afalg-eventfd2.patch
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
Patch45: openssl-1.1.0-weak-ciphers.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch70: openssl-1.1.0-thread-local.patch Patch70: openssl-1.1.0-thread-local.patch
@ -162,6 +163,7 @@ cp %{SOURCE13} test/
%patch42 -p1 -b .fips %patch42 -p1 -b .fips
%patch43 -p1 -b .eventfd2 %patch43 -p1 -b .eventfd2
%patch44 -p1 -b .preserve-nl %patch44 -p1 -b .preserve-nl
%patch45 -p1 -b .weak-ciphers
%patch70 -p1 -b .thread-local %patch70 -p1 -b .thread-local
@ -240,6 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \
no-mdc2 no-ec2m \ no-mdc2 no-ec2m \
shared ${sslarch} $RPM_OPT_FLAGS shared ${sslarch} $RPM_OPT_FLAGS
@ -431,6 +434,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Thu Jun 15 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-3
- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)
* Mon Jun 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-2 * Mon Jun 5 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-2
- only release thread-local key if we created it (from upstream) (#1458775) - only release thread-local key if we created it (from upstream) (#1458775)