forked from rpms/openssl
Ciphersuites with RSAPSK KX should be filterd in FIPS mode
Related: rhbz#2085088
This commit is contained in:
parent
8b08b372c8
commit
8638196167
@ -689,7 +689,7 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
|
||||
ctx->disabled_auth_mask = 0;
|
||||
|
||||
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
||||
+ ctx->disabled_mkey_mask |= SSL_kRSA;
|
||||
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
||||
+
|
||||
/*
|
||||
* We ignore any errors from the fetches below. They are expected to fail
|
||||
|
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.1
|
||||
Release: 35%{?dist}
|
||||
Release: 36%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -458,6 +458,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36
|
||||
- Ciphersuites with RSAPSK KX should be filterd in FIPS mode
|
||||
- Related: rhbz#2085088
|
||||
|
||||
* Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
|
||||
- Add explicit indicators for signatures in FIPS mode and mark signature
|
||||
primitives as unapproved.
|
||||
|
Loading…
Reference in New Issue
Block a user