Ciphersuites with RSA KX should be filterd in FIPS mode
Related: rhbz#2085088
parent
b393177f7d
commit
7bc4f9f094
@ -681,3 +681,16 @@ diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecpara
|
|||||||
if (comment == NULL)
|
if (comment == NULL)
|
||||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||||
if (sname == NULL)
|
if (sname == NULL)
|
||||||
|
diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
|
||||||
|
--- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200
|
||||||
|
+++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200
|
||||||
|
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
|
||||||
|
ctx->disabled_mkey_mask = 0;
|
||||||
|
ctx->disabled_auth_mask = 0;
|
||||||
|
|
||||||
|
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
|
||||||
|
+ ctx->disabled_mkey_mask |= SSL_kRSA;
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* We ignore any errors from the fetches below. They are expected to fail
|
||||||
|
* if theose algorithms are not available.
|
||||||
|
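Review bot: The mask added in `ssl_load_ciphers` covers only `SSL_kRSA`, so RSA-PSK suites (`SSL_kRSAPSK`), which also send the premaster secret under RSA encryption, would apparently stay selectable in FIPS mode; consider `ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;`. The condition reads only the library context's default properties, so an SSL_CTX that requests FIPS through its own property query rather than the defaults would presumably skip the filter; it is worth confirming whether that case needs covering. A short comment above the check, for example `/* FIPS mode: filter ciphersuites that use RSA key exchange */`, would record why the mask is pre-set here. The body of `ssl_load_ciphers` continues outside the hunk, so any later reset of `disabled_mkey_mask` cannot be ruled out from this view.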
@ -452,6 +452,8 @@ install -m644 %{SOURCE9} \
|
|||||||
* Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
|
* Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
|
||||||
- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
|
- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
|
||||||
- Resolves: rhbz#2083240
|
- Resolves: rhbz#2083240
|
||||||
|
- Ciphersuites with RSA KX should be filterd in FIPS mode
|
||||||
|
- Related: rhbz#2085088
|
||||||
|
|
||||||
* Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
|
* Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
|
||||||
- Disable SHA-1 signature verification in FIPS mode
|
- Disable SHA-1 signature verification in FIPS mode
|
||||||
|