Allow certificate validation with SHA-1 signatures.
Resolves: RHEL-28344
parent 2c5539f849
commit 33fbcb0f34
@ -53,7 +53,7 @@
Name: dotnet%{dotnetver}
Version: %{sdk_rpm_version}
Release: 2%{?dist}
Release: 3%{?dist}
Summary: .NET Runtime and SDK
License: 0BSD AND Apache-2.0 AND (Apache-2.0 WITH LLVM-exception) AND APSL-2.0 AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSL-1.0 AND bzip2-1.0.6 AND CC0-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-PDDC AND CNRI-Python AND EPL-1.0 AND GPL-2.0-only AND (GPL-2.0-only WITH GCC-exception-2.0) AND GPL-2.0-or-later AND GPL-3.0-only AND ICU AND ISC AND LGPL-2.1-only AND LGPL-2.1-or-later AND LicenseRef-Fedora-Public-Domain AND LicenseRef-ISO-8879 AND MIT AND MIT-Wu AND MS-PL AND MS-RL AND NCSA AND OFL-1.1 AND OpenSSL AND Unicode-DFS-2015 AND Unicode-DFS-2016 AND W3C-19980720 AND X11 AND Zlib

@ -89,6 +89,11 @@ Patch2: vstest-intent-net8.0.patch
Patch3: runtime-re-enable-implicit-rejection.patch
# https://github.com/dotnet/msbuild/pull/9449
Patch4: msbuild-9449-exec-stop-setting-a-locale.patch
# We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed.
# A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message
# digests used for the signature are not treated as fatal errors.
# https://issues.redhat.com/browse/RHEL-25254
Patch5: runtime-openssl-sha1.patch


ExclusiveArch: aarch64 ppc64le s390x x86_64
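Review bot: the comment above Patch5 states the side effect but not the trigger, so a reader of the spec cannot tell why the flag is dropped or when it is safe to drop the patch again; carry the first sentence of the patch header into the comment, e.g. `# RHEL OpenSSL builds disable SHA-1 signatures, so X509_V_FLAG_CHECK_SS_SIGNATURE makes validation fail for chains whose last certificate is SHA-1 signed`, and state how RHEL-25254 (cited here) relates to RHEL-28344 (cited in the commit message and changelog), since Patch4 directly above links its upstream PR while this patch carries no upstream reference at all.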
@ -707,6 +712,12 @@ export COMPlus_LTTng=0


%changelog
* Sun Mar 31 2024 Tom Deseyn <tom.deseyn@gmail.com> - 8.0.103-3
- We disable checking the signature of the last certificate in a chain if the certificate is supposedly self-signed.
A side effect of not checking the self-signature of such a certificate is that disabled or unsupported message
digests used for the signature are not treated as fatal errors.
- Resolves: RHEL-28344

* Tue Mar 19 2024 Omair Majid <omajid@redhat.com> - 8.0.103-2
- Update to .NET SDK 8.0.103 and Runtime 8.0.3
- Resolves: RHEL-27553
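Review bot: the new changelog entry repeats the mechanism from the spec comment word for word instead of naming the user-visible change and the patch that carries it; someone reading `rpm -q --changelog dotnet8.0` wants a line such as `- Allow certificate validation with SHA-1 signatures (runtime-openssl-sha1.patch)` followed by the `- Resolves: RHEL-28344` line, with the three-line explanation left in the comment next to Patch5 where it already lives.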
runtime-openssl-sha1.patch (Normal file, 34 lines added)
@ -0,0 +1,34 @@
From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
From: Tom Deseyn <tom.deseyn@gmail.com>
Date: Wed, 28 Feb 2024 14:08:15 +0100
Subject: [PATCH] Allow certificate validation with SHA-1 signatures.

RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
with a chain where the last certificate uses a SHA-1 signature.

This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
OpenSSL behavior for certificate validation.
---
.../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
1 file changed, 5 deletions(-)

diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
index 04c6ba06cd..2cd3413dae 100644
--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5

int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);

- if (val != 0)
- {
- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
- }
-
return val;
}
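Review bot: deleting the whole block drops X509_V_FLAG_CHECK_SS_SIGNATURE for every chain this context verifies, not only for chains whose self-signed last certificate carries a SHA-1 signature, and it leaves nothing at the call site to say why the upstream code is not followed, so the next rebase onto upstream will silently bring the flag back. Keep a one-line comment after the `X509_STORE_CTX_init` call that names the RHEL issue and the reason (RHEL OpenSSL disables SHA-1 signatures, so the self-signature check on the trust anchor fails fatally), or, if the narrower behaviour is wanted, leave the flag set and instead tolerate the signature error only for the self-signed last certificate in the verify callback rather than for all chains.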

--
2.43.2