diff --git a/dotnet8.0.spec b/dotnet8.0.spec index 573e2a3..e4aaa88 100644 --- a/dotnet8.0.spec +++ b/dotnet8.0.spec @@ -53,7 +53,7 @@ Name: dotnet%{dotnetver} Version: %{sdk_rpm_version} -Release: 2%{?dist} +Release: 3%{?dist} Summary: .NET Runtime and SDK License: 0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib @@ -89,6 +89,11 @@ Patch2: vstest-intent-net8.0.patch Patch3: runtime-re-enable-implicit-rejection.patch # https://github.com/dotnet/msbuild/pull/9449 Patch4: msbuild-9449-exec-stop-setting-a-locale.patch +# We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. +# A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message +# digests used for the signature are not treated as fatal errors. +# https://issues.redhat.com/browse/RHEL-25254 +Patch5: runtime-openssl-sha1.patch ExclusiveArch: aarch64 ppc64le s390x x86_64 
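Review bot: The comment added above `Patch5` cites RHEL-25254, while the changelog entry for this release resolves RHEL-28344, so the patch cannot be traced from the ticket the build claims to fix. If both tickets are intended, a second reference line such as `# https://issues.redhat.com/browse/RHEL-28344` would close the gap. The comment also does not say whether the patch is carried only in this package or has been proposed upstream. A line such as `# Not upstream; drop once the runtime handles disabled digests itself` (wording to be confirmed by the maintainer) would tell the next rebase what to do with a patch that relaxes certificate validation.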
@@ -707,6 +712,12 @@ export COMPlus_LTTng=0 %changelog +* Sun Mar 31 2024 Tom Deseyn - 8.0.103-3 +- We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed. + A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message + digests used for the signature are not treated as fatal errors. +- Resolves: RHEL-28344 + * Tue Mar 19 2024 Omair Majid - 8.0.103-2 - Update to .NET SDK 8.0.103 and Runtime 8.0.3 - Resolves: RHEL-27553 diff --git a/runtime-openssl-sha1.patch b/runtime-openssl-sha1.patch new file mode 100644 index 0000000..6e307ef --- /dev/null +++ b/runtime-openssl-sha1.patch 
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
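Review bot: Removing `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE)` from `CryptoNative_X509StoreCtxInit` is unconditional, so the self-signature of the last certificate in a chain is no longer verified for any digest, not only SHA-1 on builds where OpenSSL rejects it. The subject line understates that scope. For a root already in the trust store this matches OpenSSL's default, but a chain whose self-signed end is not a stored anchor presumably loses the only integrity check on that certificate, so callers that tolerate unknown roots are worth reviewing. I would leave a comment where the block was, `/* Distribution patch: X509_V_FLAG_CHECK_SS_SIGNATURE deliberately not set; the self-signature of the chain's last certificate is not verified (all digests). */`, and add a test that pins the validation result for a self-signed certificate with a corrupted signature. The function starts above the inner hunk, so any other flag handling in it is not visible here.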