Commit Graph

7 Commits

Author SHA1 Message Date
Sahana Prasad
d508cbed93 Synchronize patches from c9s and Fedora
Resolves: RHEL-31762

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-06-05 09:32:43 +02:00
Sahana Prasad
f4c397c598 Rebase to new upstream release 3.2.1
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-02-08 13:42:51 +01:00
Dmitry Belyavskiy
e52367af47 Synchronize patches from CentOS stream 2023-08-22 16:39:12 +02:00
Sahana Prasad
9409bc7044 Rebase to upstream release 3.1.1
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-07-28 15:26:00 +02:00
Dmitry Belyavskiy
194ef7464a Rebase to upstream version 3.0.8
Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401
2023-02-09 17:57:19 +01:00
Dmitry Belyavskiy
8a03afa13c Rebasing to OpenSSL 3.0.3
Resolves: rhbz#2091987
2022-06-01 17:29:35 +02:00
Clemens Lang
432cfa2baa Allow disabling of SHA1 signatures
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
denying SHA1 signatures. On Fedora, the default is – for now – to allow
SHA1 signatures.

In order to phase out SHA1 signatures, introduce a new configuration
option in the alg_section named 'rh-allow-sha1-signatures'. This option
defaults to true. If set to false, any signature creation or
verification operations that involve SHA1 as digest will fail.

This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.

Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-07 18:14:04 +02:00