From 0a6d0e5ddca93ab78e034d8752aab531938b66d0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Tue, 29 Mar 2016 15:47:40 +0200
Subject: [PATCH] disable SSLv2 support altogether (without ABI break)
---
 openssl-1.0.2g-remove-ssl2.patch | 27 +++++++++++++++++++++++++++
 openssl.spec | 11 ++++++++---
 2 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 openssl-1.0.2g-remove-ssl2.patch
diff --git a/openssl-1.0.2g-remove-ssl2.patch b/openssl-1.0.2g-remove-ssl2.patch
new file mode 100644
index 0000000..1812cde
--- /dev/null
+++ b/openssl-1.0.2g-remove-ssl2.patch
@@ -0,0 +1,27 @@
+diff -up openssl-1.0.2g/ssl/ssl.h.remove-ssl2 openssl-1.0.2g/ssl/ssl.h
+--- openssl-1.0.2g/ssl/ssl.h.remove-ssl2 2016-03-02 09:26:24.000000000 +0100
++++ openssl-1.0.2g/ssl/ssl.h 2016-03-29 15:24:01.471422525 +0200
+@@ -2283,7 +2283,7 @@ const char *SSL_get_version(const SSL *s
+ /* This sets the 'default' SSL version that SSL_new() will create */
+ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+ 
+-# ifndef OPENSSL_NO_SSL2
++# ifndef OPENSSL_NO_SSL2_METHOD
+ const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
+ const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
+ const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+diff -up openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 openssl-1.0.2g/ssl/s2_meth.c
+--- openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 2016-01-28 14:38:31.000000000 +0100
++++ openssl-1.0.2g/ssl/s2_meth.c 2016-03-29 15:19:49.319654216 +0200
+@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
+ ssl2_accept, ssl2_connect, ssl2_get_method)
+ #else /* !OPENSSL_NO_SSL2 */
+ 
+-# if PEDANTIC
+-static void *dummy = &dummy;
+-# endif
++const SSL_METHOD *SSLv2_method(void) { return NULL; }
++const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
++const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
+ 
+ #endif
diff --git a/openssl.spec b/openssl.spec
index 54e1001..01f2eb3 100644
--- a/openssl.spec
+++ b/openssl.spec
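Review bot: The three stubs added at the end of the s2_meth.c hunk return NULL with no comment saying why the symbols are kept, and a NULL method is only rejected cleanly by SSL_CTX_new(); as far as I recall, SSL_CTX_set_ssl_version() and SSL_set_ssl_method() dereference the method pointer without a NULL check, so an application that still feeds `SSLv2_client_method()` through those paths would crash rather than get an error. A one-line comment above the stubs would make the intent reviewable: `/* SSLv2 is compiled out (OPENSSL_NO_SSL2); the symbols stay for ABI compatibility and return NULL so SSL_CTX_new() fails with SSL_R_NULL_SSL_METHOD_PASSED. */`. The renamed guard in the ssl.h hunk, `# ifndef OPENSSL_NO_SSL2_METHOD`, is a macro nothing defines, which is what keeps the prototypes visible under OPENSSL_NO_SSL2; a comment there such as `/* prototypes kept even under OPENSSL_NO_SSL2; the no-SSLv2 build provides NULL-returning stubs in s2_meth.c */` would save the next reader a grep. The `#else /* !OPENSSL_NO_SSL2 */` branch the stubs live in starts outside the hunk.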
@@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.2g
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -88,6 +88,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
 Patch80: openssl-1.0.2e-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
 Patch82: openssl-1.0.2c-trusted-first-doc.patch
+Patch83: openssl-1.0.2g-remove-ssl2.patch
 License: OpenSSL
 Group: System Environment/Libraries
@@ -212,6 +213,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .trusted-first
+%patch83 -p1 -b .remove-ssl2
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -287,8 +289,8 @@ sslflags=enable-ec_nistp_64_gcc_128
 --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- enable-cms enable-md2 enable-ssl2 \
- no-mdc2 enable-rc5 no-ec2m no-gost no-srp \
+ enable-cms enable-md2 enable-rc5 \
+ no-mdc2 no-ec2m no-gost no-srp \
 --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
@@ -502,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
+* Tue Mar 29 2016 Tomáš Mráz 1.0.2g-4
+- disable SSLv2 support altogether (without ABI break)
+
 * Mon Mar 7 2016 Tom Callaway - 1.0.2g-3
 - enable RC5
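Review bot: The Configure hunk at `@@ -287,8 +289,8 @@` only drops `enable-ssl2` and relies on the upstream default to define OPENSSL_NO_SSL2, which is the macro that activates the NULL stubs in the new patch; if I read 1.0.2g's Configure correctly that default is already no-ssl2, but stating it explicitly, `no-mdc2 no-ssl2 no-ec2m no-gost no-srp \`, documents the intent beside the other disabled algorithms and keeps the build independent of the default. Since the symbols stay exported, the changelog entry would also help downstream packagers if it said what callers now observe, e.g. `- disable SSLv2 support altogether (without ABI break): SSLv2_*method() now return NULL`. The surrounding Configure invocation starts outside the hunk.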