disable SSLv2 support altogether (without ABI break)

2016-03-29 15:47:40 +02:00 · 2016-03-29 15:47:40 +02:00 · 0a6d0e5ddc
commit 0a6d0e5ddc
parent 589d3ee15b
2 changed files with 35 additions and 3 deletions
--- a/openssl-1.0.2g-remove-ssl2.patch
+++ b/openssl-1.0.2g-remove-ssl2.patch
@ -0,0 +1,27 @@
 diff -up openssl-1.0.2g/ssl/ssl.h.remove-ssl2 openssl-1.0.2g/ssl/ssl.h
 --- openssl-1.0.2g/ssl/ssl.h.remove-ssl2	2016-03-02 09:26:24.000000000 +0100
 +++ openssl-1.0.2g/ssl/ssl.h	2016-03-29 15:24:01.471422525 +0200
@@ -2283,7 +2283,7 @@ const char *SSL_get_version(const SSL *s
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 -# ifndef OPENSSL_NO_SSL2
 +# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
 diff -up openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2 openssl-1.0.2g/ssl/s2_meth.c
 --- openssl-1.0.2g/ssl/s2_meth.c.remove-ssl2	2016-01-28 14:38:31.000000000 +0100
 +++ openssl-1.0.2g/ssl/s2_meth.c	2016-03-29 15:19:49.319654216 +0200
@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
                          ssl2_accept, ssl2_connect, ssl2_get_method)
 #else                           /* !OPENSSL_NO_SSL2 */
 -# if PEDANTIC
 -static void *dummy = &dummy;
 -# endif
 +const SSL_METHOD *SSLv2_method(void) { return NULL; }
 +const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
 +const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
 #endif
--- a/openssl.spec
+++ b/openssl.spec
@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.2g
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -88,6 +88,7 @@ Patch96: openssl-1.0.2e-speed-doc.patch
 Patch80: openssl-1.0.2e-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
 Patch82: openssl-1.0.2c-trusted-first-doc.patch
 Patch83: openssl-1.0.2g-remove-ssl2.patch
 License: OpenSSL
 Group: System Environment/Libraries
@ -212,6 +213,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .trusted-first
 %patch83 -p1 -b .remove-ssl2
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -287,8 +289,8 @@ sslflags=enable-ec_nistp_64_gcc_128
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \
-	enable-cms enable-md2 enable-ssl2 \
+	enable-cms enable-md2 enable-rc5 \
-	no-mdc2 enable-rc5 no-ec2m no-gost no-srp \
+	no-mdc2 no-ec2m no-gost no-srp \
 	--with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
 	--with-krb5-dir=/usr shared  ${sslarch} %{?!nofips:fips}
@ -502,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
 * Tue Mar 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-4
 - disable SSLv2 support altogether (without ABI break)
 * Mon Mar  7 2016 Tom Callaway <spot@fedoraproject.org> - 1.0.2g-3
 - enable RC5