From 4f728a9f3fd3d3ff9c4f15eb25e51944d5624763 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 6 Jul 2021 13:56:08 +0200 Subject: [PATCH] Fixes override of openssl_conf in openssl.cnf Resolves: rhbz#1975847 Signed-off-by: Sahana Prasad --- ...ault-paths-for-the-CA-directory-tree.patch | 40 +++++++++---------- openssl.spec | 6 ++- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch index 88832a2..7c70c60 100644 --- a/0004-Override-default-paths-for-the-CA-directory-tree.patch +++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch @@ -27,22 +27,22 @@ index c0afb96716..d6a5fabd16 100644 my $CAKEY = "cakey.pem"; my $CAREQ = "careq.pem"; my $CACERT = "cacert.pem"; -diff --git a/apps/openssl.cnf b/apps/openssl.cnf -index eb25a0ac48..2479943fde 100644 ---- a/apps/openssl.cnf -+++ b/apps/openssl.cnf -@@ -31,6 +31,22 @@ oid_section = new_oids - # (Alternatively, use a configuration file that has only - # X.509v3 extensions in its main [= default] section.) +diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf +--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 ++++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 +@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7 + [openssl_init] + providers = provider_sect +# Load default TLS policy configuration -+ -+openssl_conf = default_modules -+ -+[ default_modules ] -+ +ssl_conf = ssl_module -+ + + # List of providers to load + [provider_sect] +@@ -64,6 +66,13 @@ default = default_sect + [default_sect] + # activate = 1 + +[ ssl_module ] + +system_default = crypto_policy 
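Review bot: Nothing in this commit checks that the relocated `ssl_conf = ssl_module` line actually takes effect; the diffstat covers only this patch file and the Release and %changelog lines of openssl.spec. The fix holds only while `[openssl_init]` is the section named by the file's single top-level `openssl_conf` assignment, which lies outside the hunk. Judging by the commit title, a second assignment replaces it, so I would say so next to the new line: `# Keep ssl_conf in [openssl_init]; a second openssl_conf assignment would replace this section and its providers.` A small step in the spec's `%check` that loads the installed openssl.cnf and fails when the system default policy is not applied would catch a repeat of rhbz#1975847.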
@@ -50,11 +50,10 @@ index eb25a0ac48..2479943fde 100644 +[ crypto_policy ] + +.include = /etc/crypto-policies/back-ends/opensslcnf.config -+ - [ new_oids ] - # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. - # Add a simple OID like this: -@@ -72,7 +88,7 @@ default_ca = CA_default # The default ca section + + #################################################################### + [ ca ] +@@ -72,7 +81,7 @@ default_ca = CA_default # The default c #################################################################### [ CA_default ] @@ -63,7 +62,7 @@ index eb25a0ac48..2479943fde 100644 certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. -@@ -304,7 +320,7 @@ default_tsa = tsa_config1 # the default TSA section +@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default [ tsa_config1 ] # These are used by the TSA reply generation only. @@ -72,6 +71,3 @@ index eb25a0ac48..2479943fde 100644 serial = $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate --- -2.26.2 - diff --git a/openssl.spec b/openssl.spec index 5ed558c..19f22de 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.0 -Release: 0.alpha16.6%{?dist} +Release: 0.alpha16.7%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -383,6 +383,10 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Tue Jul 06 2021 Sahana Prasad 3.0.0-0.alpha16.7 +- Fixes override of openssl_conf in openssl.cnf +- Resolves: rhbz#1975847 + * Fri Jul 02 2021 Sahana Prasad 3.0.0-0.alpha16.6 - Adds FIPS mode compatibility patch (sahana@redhat.com) - Related: rhbz#1977318
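Review bot: The `.include = /etc/crypto-policies/back-ends/opensslcnf.config` line kept under `[ crypto_policy ]` has no fallback, and as far as I know the OpenSSL config parser treats a missing include file as non-fatal. If that file is absent or unreadable, `system_default` would point at an empty section and TLS would run with library defaults instead of the system policy, with no error reported. The `[ ssl_module ]` section that references it begins in the previous hunk. If openssl.spec does not already guarantee the file (its dependency lines are outside this diff), I would add that requirement and a comment above the include such as `# Must exist: without it no system-wide TLS policy is applied.`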