From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
From: rpm-build
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
Patch-name: 0024-load-legacy-prov.patch
Patch-id: 24
Patch-status: | # Instructions to load legacy provider in openssl.cnf
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
 apps/openssl.cnf | 37 +++++++++++++++----------------------
 doc/man5/config.pod | 8 ++++++++
 2 files changed, 23 insertions(+), 22 deletions(-)
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
 [openssl_init]
 providers = provider_sect
 # Load default TLS policy configuration
@@ -42,23 +42,27 @@ [ evp_properties ]
 #This section is intentionally added empty here
 #to be tuned on particular systems
-# List of providers to load
-[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
-[default_sect]
-# activate = 1
+[provider_sect]
+default = default_sect
+##legacy = legacy_sect
+##
+[default_sect]
+activate = 1
+
+##[legacy_sect]
+##activate = 1
+
+#Place the third party provider configuration files into this folder
+.include /etc/pki/tls/openssl.d
 [ ssl_module ]
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
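Review bot: The `#Place the third party provider configuration files into this folder` comment above `.include /etc/pki/tls/openssl.d` says nothing about what the include picks up or how much it trusts that directory: per config(5), an `.include` of a directory reads only files whose names end in `.cnf` or `.conf` (anything else is silently skipped), and a provider section in any such file can point `module =` at an arbitrary shared object that is then loaded into any process initialising OpenSSL with this configuration, so the directory must be owned and permissioned as strictly as openssl.cnf itself. I would extend the comment to: `# Only files named *.cnf or *.conf in this directory are read. They are trusted like this file:` / `# a provider section there may load a shared object (module = ...), so keep the directory root-owned and not writable by others.` If the directory does not exist the include is, as far as I know, ignored rather than reported as an error, which is worth confirming and noting since nothing in this file creates it. Also a small typo in the new algorithm list: `RC4,RC5` should be `RC4, RC5`.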
@@ -273,6 +273,14 @@ significant. All parameters in the section as well as sub-sections are made available to the provider.
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
 =head3 Default provider and its activation
 If no providers are activated explicitly, the default one is activated implicitly.