From 0480ac07c53f5841c52a6ce21616b56112f8d8c2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 22 Aug 2017 17:39:58 +0200
Subject: [PATCH] Resolves: #1483972 - utilize system wide crypto policies for TLS
---
 0103-curl-7.55.1-system-crypto-policy.patch | 27 +++++++++++++++++++++
 curl.spec | 9 ++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 0103-curl-7.55.1-system-crypto-policy.patch
diff --git a/0103-curl-7.55.1-system-crypto-policy.patch b/0103-curl-7.55.1-system-crypto-policy.patch
new file mode 100644
index 0000000..8dd670b
--- /dev/null
+++ b/0103-curl-7.55.1-system-crypto-policy.patch
@@ -0,0 +1,27 @@
+From 7271547cb46a4dc28004febaea19e5edaa2250d2 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 22 Aug 2017 17:02:26 +0200
+Subject: [PATCH] openssl: utilize system wide crypto policies
+
+... unless explicitly overridden via libcurl API
+---
+ lib/vtls/openssl.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
+index b9648d5..48036e1 100644
+--- a/lib/vtls/openssl.h
++++ b/lib/vtls/openssl.h
+@@ -119,8 +119,7 @@ bool Curl_ossl_cert_status_request(void);
+ #endif
+ #define curlssl_cert_status_request() Curl_ossl_cert_status_request()
+
+-#define DEFAULT_CIPHER_SELECTION \
+- "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
++#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM"
+
+ #endif /* USE_OPENSSL */
+ #endif /* HEADER_CURL_SSLUSE_H */
+--
+2.9.5
+
diff --git a/curl.spec b/curl.spec
index 076a723..bf9c192 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.55.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
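Review bot: The new `#define DEFAULT_CIPHER_SELECTION "PROFILE=SYSTEM"` in the embedded lib/vtls/openssl.h hunk of 0103-curl-7.55.1-system-crypto-policy.patch removes curl's own floor (`!EXPORT`, `!aNULL`, `!LOW`, `!RC4`), so the default cipher set is now only as strict as whatever the system policy resolves to, and nothing at the define records that. `PROFILE=SYSTEM` is, as far as I know, a keyword understood only by a distribution-patched OpenSSL; against a libssl without that support the string would presumably be rejected when the cipher list is set and default-cipher TLS connections would fail, and the visible curl.spec hunks add no dependency that pins such a build. I would add a comment above the define, e.g. `/* cipher list is delegated to the system-wide crypto policy; needs an OpenSSL that understands PROFILE=SYSTEM, and curl applies no minimum of its own here */`, and consider a versioned requirement in curl.spec. Only the tail of openssl.h is shown, so whether a fallback exists elsewhere cannot be told from this hunk.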
@@ -15,6 +15,9 @@ Patch101: 0101-curl-7.32.0-multilib.patch # prevent configure script from discarding -g in CFLAGS (#496778) Patch102: 0102-curl-7.36.0-debug.patch +# utilize system wide crypto policies for TLS (#1483972) +Patch103: 0103-curl-7.55.1-system-crypto-policy.patch + # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch @@ -157,6 +160,7 @@ be installed. # Fedora patches %patch101 -p1 %patch102 -p1 +%patch103 -p1 %patch104 -p1 # regenerate Makefile.in files @@ -306,6 +310,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal %changelog +* Tue Aug 22 2017 Kamil Dudka 7.55.1-3 +- utilize system wide crypto policies for TLS (#1483972) + * Tue Aug 15 2017 Kamil Dudka 7.55.1-2 - make zsh completion work again