From 60357072e0011a7802718f126050e81a793e1911 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 31 Jul 2018 16:24:45 +0200 Subject: [PATCH] load crypto policy config file from the default config --- openssl-1.1.0-ca-dir.patch | 24 --------------- openssl-1.1.1-conf-paths.patch | 56 ++++++++++++++++++++++++++++++++++ openssl.spec | 13 +++++--- 3 files changed, 64 insertions(+), 29 deletions(-) delete mode 100644 openssl-1.1.0-ca-dir.patch create mode 100644 openssl-1.1.1-conf-paths.patch diff --git a/openssl-1.1.0-ca-dir.patch b/openssl-1.1.0-ca-dir.patch deleted file mode 100644 index 421559d..0000000 --- a/openssl-1.1.0-ca-dir.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in ---- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir 2016-07-18 15:19:40.118110405 +0200 -+++ openssl-1.1.0-pre5/apps/CA.pl.in 2016-07-18 15:21:06.531061337 +0200 -@@ -26,7 +26,7 @@ my $X509 = "$openssl x509"; - my $PKCS12 = "$openssl pkcs12"; - - # default openssl.cnf file has setup as per the following --my $CATOP = "./demoCA"; -+my $CATOP = "/etc/pki/CA"; - my $CAKEY = "cakey.pem"; - my $CAREQ = "careq.pem"; - my $CACERT = "cacert.pem"; -diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf ---- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir 2016-07-18 15:19:40.114110315 +0200 -+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 15:19:48.492299467 +0200 -@@ -39,7 +39,7 @@ default_ca = CA_default # The default c - #################################################################### - [ CA_default ] - --dir = ./demoCA # Where everything is kept -+dir = /etc/pki/CA # Where everything is kept - certs = $dir/certs # Where the issued certs are kept - crl_dir = $dir/crl # Where the issued crl are kept - database = $dir/index.txt # database index file. diff --git a/openssl-1.1.1-conf-paths.patch b/openssl-1.1.1-conf-paths.patch new file mode 100644 index 0000000..1b02c2f --- /dev/null +++ b/openssl-1.1.1-conf-paths.patch @@ -0,0 +1,56 @@ +diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in +--- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths 2018-06-20 16:48:09.000000000 +0200 ++++ openssl-1.1.1-pre8/apps/CA.pl.in 2018-07-25 17:26:58.388624296 +0200 +@@ -33,7 +33,7 @@ my $X509 = "$openssl x509"; + my $PKCS12 = "$openssl pkcs12"; + + # default openssl.cnf file has setup as per the following +-my $CATOP = "./demoCA"; ++my $CATOP = "/etc/pki/CA"; + my $CAKEY = "cakey.pem"; + my $CAREQ = "careq.pem"; + my $CACERT = "cacert.pem"; +diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf +--- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths 2018-07-25 17:26:58.378624057 +0200 ++++ openssl-1.1.1-pre8/apps/openssl.cnf 2018-07-27 13:20:08.198513471 +0200 +@@ -23,6 +23,22 @@ oid_section = new_oids + # (Alternatively, use a configuration file that has only + # X.509v3 extensions in its main [= default] section.) + ++# Load default TLS policy configuration ++ ++openssl_conf = default_modules ++ ++[ default_modules ] ++ ++ssl_conf = ssl_module ++ ++[ ssl_module ] ++ ++system_default = crypto_policy ++ ++[ crypto_policy ] ++ ++.include /etc/crypto-policies/back-ends/opensslcnf.config ++ + [ new_oids ] + + # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +@@ -43,7 +59,7 @@ default_ca = CA_default # The default c + #################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = /etc/pki/CA # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # Where the issued crl are kept + database = $dir/index.txt # database index file. +@@ -329,7 +345,7 @@ default_tsa = tsa_config1 # the default + [ tsa_config1 ] + + # These are used by the TSA reply generation only. +-dir = ./demoCA # TSA root directory ++dir = /etc/pki/CA # TSA root directory + serial = $dir/tsaserial # The current serial number (mandatory) + crypto_device = builtin # OpenSSL engine to use for signing + signer_cert = $dir/tsacert.pem # The TSA signing certificate diff --git a/openssl.spec b/openssl.spec index ff9e2f4..b0c3116 100644 --- a/openssl.spec +++ b/openssl.spec @@ -24,7 +24,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1 -Release: 0.%{prerelease}%{?dist} +Release: 0.%{prerelease}.2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -47,7 +47,7 @@ Patch4: openssl-1.1.1-man-rename.patch # Bug fixes Patch21: openssl-1.1.0-issuer-hash.patch # Functionality changes -Patch31: openssl-1.1.0-ca-dir.patch +Patch31: openssl-1.1.1-conf-paths.patch Patch32: openssl-1.1.1-version-add-engines.patch Patch33: openssl-1.1.0-apps-dgst.patch Patch36: openssl-1.1.1-secure-getenv.patch @@ -85,7 +85,7 @@ protocols. Summary: A general purpose cryptography library with TLS implementation Group: System Environment/Libraries Requires: ca-certificates >= 2008-5 -Requires: crypto-policies +Requires: crypto-policies >= 20180730 Recommends: openssl-pkcs11%{?_isa} # Needed obsoletes due to the base/lib subpackage split Obsoletes: openssl < 1:1.0.1-0.3.beta3 @@ -148,7 +148,7 @@ cp %{SOURCE13} test/ %patch21 -p1 -b .issuer-hash -%patch31 -p1 -b .ca-dir +%patch31 -p1 -b .conf-paths %patch32 -p1 -b .version-add-engines %patch33 -p1 -b .dgst %patch36 -p1 -b .secure-getenv @@ -440,7 +440,10 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog -* Wed Jul 25 2018 Tomáš Mráz 1.1.1-0.pre8.1 +* Fri Jul 27 2018 Tomáš Mráz 1.1.1-0.pre8.2 +- load crypto policy config file from the default config + +* Wed Jul 25 2018 Tomáš Mráz 1.1.1-0.pre8 - update to the latest 1.1.1 beta version * Fri Jul 13 2018 Fedora Release Engineering - 1:1.1.0h-6