for consistent support of security policies we build
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
This commit is contained in:
Tomas Mraz
parent
d2c08bab45
commit
1a7b91b472
@ -1,30 +0,0 @@
|
|||||||
diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
|
|
||||||
--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
|
|
||||||
+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
|
|
||||||
@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
SSL_GOST89MAC,
|
|
||||||
TLS1_VERSION, TLS1_2_VERSION,
|
|
||||||
0, 0,
|
|
||||||
- SSL_HIGH,
|
|
||||||
+ SSL_MEDIUM,
|
|
||||||
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
|
|
||||||
256,
|
|
||||||
256,
|
|
||||||
@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
SSL_GOST89MAC12,
|
|
||||||
TLS1_VERSION, TLS1_2_VERSION,
|
|
||||||
0, 0,
|
|
||||||
- SSL_HIGH,
|
|
||||||
+ SSL_MEDIUM,
|
|
||||||
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
|
|
||||||
256,
|
|
||||||
256,
|
|
||||||
@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
},
|
|
||||||
#endif /* OPENSSL_NO_SEED */
|
|
||||||
|
|
||||||
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
|
||||||
+#if 0 /* No RC4 */
|
|
||||||
{
|
|
||||||
1,
|
|
||||||
SSL3_TXT_RSA_RC4_128_MD5,
|
|
||||||
51
openssl-1.1.1-seclevel.patch
Normal file
51
openssl-1.1.1-seclevel.patch
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
|
||||||
|
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||||
|
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-09-14 10:51:05.126520376 +0200
|
||||||
|
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||||
|
}
|
||||||
|
|
||||||
|
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
|
||||||
|
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
|
||||||
|
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
|
||||||
|
|
||||||
|
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
||||||
|
return 0;
|
||||||
|
-
|
||||||
|
- return secbits >= minbits_table[level - 1];
|
||||||
|
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ return secbits >= minbits_table[level - 1];
|
||||||
|
+ return secbits >= minbits_digest_table[level - 1];
|
||||||
|
}
|
||||||
|
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
|
||||||
|
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||||
|
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-09-13 15:55:17.579190996 +0200
|
||||||
|
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
||||||
|
|
||||||
|
=item B<Level 2>
|
||||||
|
|
||||||
|
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
|
||||||
|
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
|
||||||
|
+Security level set to 112 bits of security with the exception of SHA1 allowed
|
||||||
|
+for signatures.
|
||||||
|
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
|
||||||
|
+shorter than 224 bits are prohibited.
|
||||||
|
In addition to the level 1 exclusions any cipher suite using RC4 is also
|
||||||
|
prohibited. SSL version 3 is also not allowed. Compression is disabled.
|
||||||
|
|
||||||
|
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
||||||
|
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
|
||||||
|
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-09-14 10:50:35.960112056 +0200
|
||||||
|
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
|
||||||
|
return 0;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
|
||||||
|
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
|
||||||
|
+ break;
|
||||||
|
if (bits < minbits)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
0
openssl-1.1.1-weak-ciphers.patch
Normal file
0
openssl-1.1.1-weak-ciphers.patch
Normal file
@ -56,7 +56,8 @@ Patch41: openssl-1.1.1-system-cipherlist.patch
|
|||||||
Patch42: openssl-1.1.1-fips.patch
|
Patch42: openssl-1.1.1-fips.patch
|
||||||
Patch43: openssl-1.1.1-ignore-bound.patch
|
Patch43: openssl-1.1.1-ignore-bound.patch
|
||||||
Patch44: openssl-1.1.1-version-override.patch
|
Patch44: openssl-1.1.1-version-override.patch
|
||||||
Patch45: openssl-1.1.0-weak-ciphers.patch
|
Patch45: openssl-1.1.1-weak-ciphers.patch
|
||||||
|
Patch46: openssl-1.1.1-seclevel.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
@ -159,6 +160,7 @@ cp %{SOURCE13} test/
|
|||||||
%patch43 -p1 -b .ignore-bound
|
%patch43 -p1 -b .ignore-bound
|
||||||
%patch44 -p1 -b .version-override
|
%patch44 -p1 -b .version-override
|
||||||
%patch45 -p1 -b .weak-ciphers
|
%patch45 -p1 -b .weak-ciphers
|
||||||
|
%patch46 -p1 -b .seclevel
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -447,6 +449,10 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
|
||||||
|
- for consistent support of security policies we build
|
||||||
|
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
|
||||||
|
|
||||||
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
|
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
|
||||||
- update to the final 1.1.1 version
|
- update to the final 1.1.1 version
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user