Provide empty evp_properties section in main OpenSSL configuration file

Resolves: RHEL-11439
This commit is contained in:
Dmitry Belyavskiy 2023-10-17 12:56:38 +02:00
parent 223304543a
commit ec6d7cf272
3 changed files with 12 additions and 3 deletions

View File

@ -30,12 +30,17 @@ index c0afb96716..d6a5fabd16 100644
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 --- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 +++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7 @@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init] [openssl_init]
providers = provider_sect providers = provider_sect
+# Load default TLS policy configuration +# Load default TLS policy configuration
+ssl_conf = ssl_module +ssl_conf = ssl_module
+alg_section = evp_properties
+
+[ evp_properties ]
+#This section is intentionally added empty here
+#to be tuned on particular systems
# List of providers to load # List of providers to load
[provider_sect] [provider_sect]

View File

@ -1,7 +1,7 @@
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 --- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 +++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 @@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6 tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7 tsa_policy3 = 1.2.3.4.5.7
@ -16,7 +16,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
[openssl_init] [openssl_init]
providers = provider_sect providers = provider_sect
# Load default TLS policy configuration # Load default TLS policy configuration
ssl_conf = ssl_module @@ -42,23 +42,24 @@ [ evp_properties ]
#This section is intentionally added empty here
#to be tuned on particular systems
-# List of providers to load -# List of providers to load
-[provider_sect] -[provider_sect]

View File

@ -527,6 +527,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
Resolves: RHEL-5317 Resolves: RHEL-5317
- Don't limit using SHA1 in KDFs in non-FIPS mode. - Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295 Resolves: RHEL-5295
- Provide empty evp_properties section in main OpenSSL configuration file
Resolves: RHEL-11439
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
- Make FIPS module configuration more crypto-policies friendly - Make FIPS module configuration more crypto-policies friendly