From 7d3d9af0c8b57433e832dcf75f5b46e71700fe73 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 10 Jul 2024 11:43:37 +0200
Subject: [PATCH] SHA-1 signature shouldn't work in normal mode
Resolves: RHEL-36677
---
0049-Allow-disabling-of-SHA1-signatures.patch | 4 ++--
openssl.spec | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/0049-Allow-disabling-of-SHA1-signatures.patch b/0049-Allow-disabling-of-SHA1-signatures.patch
index 5c0087c..487d1d9 100644
--- a/0049-Allow-disabling-of-SHA1-signatures.patch
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch
@@ -132,7 +132,7 @@ index 630d339c35..6e4e9f5ae7 100644
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
-+ ldsigs->allowed = 1;
++ ldsigs->allowed = 0;
+ return ldsigs;
+}
+
@@ -161,7 +161,7 @@ index 630d339c35..6e4e9f5ae7 100644
+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
+ * because the default on Fedora is to allow SHA-1 and support disabling
+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
-+ return ldsigs != NULL ? ldsigs->allowed : 1;
++ return ldsigs != NULL ? ldsigs->allowed : 0;
+}
+
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
diff --git a/openssl.spec b/openssl.spec
index 69096eb..333a425 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -506,6 +506,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
* Wed Jul 10 2024 Dmitry Belyavskiy - 1:3.2.2-7
- Disallow SHA1 at SECLEVEL2 in OpenSSL
Resolves: RHEL-39962
+- SHA-1 signature shouldn't work in normal mode
+ Resolves: RHEL-36677
* Mon Jul 01 2024 Dmitry Belyavskiy - 1:3.2.2-6
- Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
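Review bot: The three-line warning comment left in place directly above `ldsigs->allowed = 0;` now states the opposite of what the code does: it says this build differs from CentOS/RHEL because SHA-1 is allowed by default, yet the hunk changes the initial value to the disabled state, which is exactly the CentOS/RHEL behaviour the comment contrasts against. A future maintainer reading the comment would "fix" the value back to 1, undoing the security change. Replace the warning in the same commit with something that matches the new default, e.g. `/* SHA-1 signatures are disallowed by default; the allowed flag must be explicitly set to re-enable them. */` (hedged: which knob re-enables it is not visible here, though the `ossl_ctx_legacy_digest_signatures_allowed_set` signature in the next hunk suggests an API setter). The allocating function that owns this return starts above the hunk, so the initialisation of the rest of `ldsigs` is not visible.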
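Review bot: `return ldsigs != NULL ? ldsigs->allowed : 0;` now fails closed when the per-libctx data cannot be retrieved, which is the right direction for a signature-acceptance policy, but nothing records that this is deliberate and the fallback is indistinguishable to callers from an explicitly disabled setting. A one-line comment on the return, `/* No per-libctx policy data (e.g. allocation failure): fail closed, treat SHA-1 signatures as disallowed. */`, would stop the next reader from treating the 0 as an oversight. The stale Fedora-vs-RHEL warning above this line has the same problem as in the previous hunk and should be rewritten here too. The getter's signature and any locking around the libctx lookup lie above the hunk, so whether a NULL here can also mean a transient error rather than a missing policy is not visible from this diff.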