Revert "Fix: Cannot use SSL3 anymore"

This reverts commit 53b870b7db.

Turns out the OpenSSL setting SSL_OP_NO_SSLv3 by default means we really should
not use the SSLv3 anymore, so removing the patch that tried hard.
This commit is contained in:
Matúš Honěk 2018-10-16 11:02:38 +02:00
parent b325dd4ca4
commit 939ce64f7f
2 changed files with 4 additions and 27 deletions

View File

@ -1,24 +0,0 @@
Ensure SSLv3 is enabled when necessary
Either at compilation time, or as a system-wide configuration, OpenSSL
may have disabled SSLv3 protocol by default. This change ensures the
protocol NO flag is cleared when necessary, hence allowing for the
protocol to be used.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -297,8 +297,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
- else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+ else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+ SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
+ }
if ( lo->ldo_tls_ciphersuite &&
!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )

View File

@ -5,7 +5,7 @@
Name: openldap Name: openldap
Version: 2.4.46 Version: 2.4.46
Release: 9%{?dist} Release: 10%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
License: OpenLDAP License: OpenLDAP
URL: http://www.openldap.org/ URL: http://www.openldap.org/
@ -34,7 +34,6 @@ Patch17: openldap-allop-overlay.patch
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion # ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch Patch20: openldap-ldapi-sasl.patch
Patch21: openldap-openssl-allow-ssl3.patch
Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
@ -113,7 +112,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch17 -p1 %patch17 -p1
%patch19 -p1 %patch19 -p1
%patch20 -p1 %patch20 -p1
%patch21 -p1
%patch22 -p1 %patch22 -p1
%patch23 -p1 %patch23 -p1
@ -485,6 +483,9 @@ exit 0
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-10
- Revert "Fix: Cannot use SSL3 anymore"
* Mon Oct 08 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9 * Mon Oct 08 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623495) - Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623495)