.gitignore

@@ -1,17 +1,4 @@
-sblim-sfcb-1.3.7.tar.bz2
-sblim-sfcb-1.3.8.tar.bz2
-/sblim-sfcb-1.3.9.tar.bz2
-/sblim-sfcb-1.3.10.tar.bz2
-/sfcb.service
-/sblim-sfcb-1.3.11.tar.bz2
-/sblim-sfcb-1.3.12.tar.bz2
-/sblim-sfcb-1.3.13.tar.bz2
-/sblim-sfcb-1.3.14-1.fc18.src.rpm
-/sblim-sfcb-1.3.14.tar.bz2
-/sblim-sfcb-1.3.15.tar.bz2
-/sblim-sfcb-1.3.16.tar.bz2
-/sblim-sfcb-1.4.5.tar.bz2
-/sblim-sfcb-1.4.6.tar.bz2
-/sblim-sfcb-1.4.7.tar.bz2
-/sblim-sfcb-1.4.8.tar.bz2
-/sblim-sfcb-1.4.9.tar.bz2
+SOURCES/sblim-sfcb-1.4.9.tar.bz2
+SOURCES/sfcbdump.1.gz
+SOURCES/sfcbinst2mof.1.gz
+SOURCES/sfcbtrace.1.gz

.sblim-sfcb.metadata

@@ -0,0 +1,4 @@
+8dd01ac4617d0d20990176011a5b444f77aaf8c3 SOURCES/sblim-sfcb-1.4.9.tar.bz2
+3cbf7595a4570de9608a20226a4a89fc90f50645 SOURCES/sfcbdump.1.gz
+aa1fc9fef75470214332eefa06ca93b26448c561 SOURCES/sfcbinst2mof.1.gz
+b3762122828bd8988049e18cf7cd6b6a3d8cf7f9 SOURCES/sfcbtrace.1.gz

SOURCES/sfcb.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Small Footprint CIM Broker Service
+After=syslog.target
+
+[Service]
+ExecStart=/usr/sbin/sfcbd
+
+[Install]
+WantedBy=multi-user.target

SPECS/sblim-sfcb.spec

@@ -8,7 +8,7 @@ Name: sblim-sfcb
 Summary: Small Footprint CIM Broker
 URL: http://sblim.wiki.sourceforge.net/
 Version: 1.4.9
-Release: 27%{?dist}
+Release: 17%{?dist}
 License: EPL-1.0
 Source0: http://downloads.sourceforge.net/sblim/%{name}-%{version}.tar.bz2
 Source1: sfcb.service
@@ -16,8 +16,6 @@ Source1: sfcb.service
 Source2: sfcbdump.1.gz
 Source3: sfcbinst2mof.1.gz
 Source4: sfcbtrace.1.gz
-# /etc/tmpfiles.d configuration file
-Source5: sblim-sfcb.tmpfiles
 # Patch0: changes schema location to the path we use
 Patch0: sblim-sfcb-1.3.9-sfcbrepos-schema-location.patch
 # Patch1: Fix provider debugging - variable for stopping wait-for-debugger
@@ -38,21 +36,14 @@ Patch7: sblim-sfcb-1.4.9-fix-null-deref.patch
 # Patch8: fix null pointer (DoS) vulnerability via POST request to /cimom
 #   (CVE-2018-6644), patch by Adam Majer, rhbz#1543826
 Patch8: sblim-sfcb-1.4.9-fix-null-content-type-crash.patch
-# Patch9: removes decrease of optimization level to -O0 on ppc64le
+# Patch9: removes decrease of optimization level to -O0 on ppc64le, rhbz#1624171
 Patch9: sblim-sfcb-1.4.9-fix-ppc-optimization-level.patch
 # Patch10: fixes docdir name and removes install of COPYING with license
-#   which is included through %%license
+#   which is included through %%license, rhbz#1638007
 Patch10: sblim-sfcb-1.4.9-docdir-license.patch
-# Patch11: use sscg to generate cert, openssl as fallback, obtain correct
-#   key length based upon crypto policy level
-Patch11: sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch
-# Patch12: adds configuration options to specify fallback SSL cert/key pair
-#   and disables default ECDH ephemeral key generation
-Patch12: sblim-sfcb-1.4.9-post-quantum.patch
 Provides: cim-server = 0
 Requires: cim-schema
 Requires: sblim-sfcCommon
-BuildRequires: make
 BuildRequires: libcurl-devel
 BuildRequires: perl-generators
 BuildRequires: zlib-devel
@@ -72,39 +63,31 @@ Requires(postun): systemd-units
 %Description
 Small Footprint CIM Broker (sfcb) is a CIM server conforming to the
 CIM Operations over HTTP protocol.
-It is robust, with low resource consumption and therefore specifically 
+It is robust, with low resource consumption and therefore specifically
 suited for embedded and resource constrained environments.
 sfcb supports providers written against the Common Manageability
 Programming Interface (CMPI).
 
 %prep
 %setup -q -T -b 0 -n %{name}-%{version}
-%patch -P0 -p1 -b .sfcbrepos-schema-location
-%patch -P1 -p1 -b .fix-provider-debugging
-%patch -P2 -p1 -b .maxMsgLen
-%patch -P3 -p1 -b .service
-%patch -P4 -p1 -b .multilib-man-cfg
-%patch -P5 -p1 -b .default-ecdh-curve-name
-%patch -P6 -p1 -b .fix-ftbfs
-%patch -P7 -p1 -b .fix-null-deref
-%patch -P8 -p1 -b .fix-null-content-type-crash
-%patch -P9 -p1 -b .fix-ppc-optimization-level
-%patch -P10 -p1 -b .docdir-license
-%patch -P11 -p1 -b .ssl-certs-gen-changes
-%patch -P12 -p1 -b .post-quantum
-
-# Create a sysusers.d config file
-cat >sblim-sfcb.sysusers.conf <<EOF
-g sfcb -
-m root sfcb
-EOF
+%patch0 -p1 -b .sfcbrepos-schema-location
+%patch1 -p1 -b .fix-provider-debugging
+%patch2 -p1 -b .maxMsgLen
+%patch3 -p1 -b .service
+%patch4 -p1 -b .multilib-man-cfg
+%patch5 -p1 -b .default-ecdh-curve-name
+%patch6 -p1 -b .fix-ftbfs
+%patch7 -p1 -b .fix-null-deref
+%patch8 -p1 -b .fix-null-content-type-crash
+%patch9 -p1 -b .fix-ppc-optimization-level
+%patch10 -p1 -b .docdir-license
 
 %build
 %configure --enable-debug --enable-uds --enable-ssl --enable-pam --enable-ipv6 \
     --enable-slp --enable-large_volume_support --enable-optimized-enumeration --enable-relax-mofsyntax \
-    CFLAGS="$CFLAGS -D_GNU_SOURCE -fPIE -DPIE -fcommon" LDFLAGS="$LDFLAGS -Wl,-z,now -pie"
- 
-make 
+    CFLAGS="$CFLAGS -D_GNU_SOURCE -fPIE -DPIE" LDFLAGS="$LDFLAGS -Wl,-z,now -pie"
+
+make
 
 %install
 make DESTDIR=$RPM_BUILD_ROOT install
@@ -122,7 +105,7 @@ find $RPM_BUILD_ROOT/%{_datadir}/sfcb -type f | grep -v $RPM_BUILD_ROOT/%{_datad
 sed -i s?$RPM_BUILD_ROOT??g _pkg_list > _pkg_list_2
 echo "%config(noreplace) %{_sysconfdir}/sfcb/*" >> _pkg_list
 echo "%config(noreplace) %{_sysconfdir}/pam.d/*" >> _pkg_list
-echo "%doc %{_datadir}/doc/sblim-sfcb/[!COPYING]*" >> _pkg_list
+echo "%doc %{_datadir}/doc/*" >> _pkg_list
 echo "%{_datadir}/man/man1/*" >> _pkg_list
 echo "%{_unitdir}/sblim-sfcb.service" >> _pkg_list
 echo "%{_localstatedir}/lib/sfcb" >> _pkg_list
@@ -133,95 +116,50 @@ echo "%{_libdir}/sfcb/*.so" >> _pkg_list
 
 cat _pkg_list
 
-install -m0644 -D sblim-sfcb.sysusers.conf %{buildroot}%{_sysusersdir}/sblim-sfcb.conf
-mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
-install -p -D -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_tmpfilesdir}/sblim-sfcb.conf
+%pre
+/usr/bin/getent group sfcb >/dev/null || /usr/sbin/groupadd -r sfcb
+/usr/sbin/usermod -a -G sfcb root > /dev/null 2>&1 || :
 
-%post 
+%post
 %{_datadir}/sfcb/genSslCert.sh %{_sysconfdir}/sfcb &>/dev/null || :
 /sbin/ldconfig
 %{_bindir}/sfcbrepos -f > /dev/null 2>&1
 %systemd_post sblim-sfcb.service
-# copy content of /var/lib/sfcb to temporary place for Image Mode
-(mkdir -p /usr/share/factory/var/lib && cp -a /var/lib/sfcb /usr/share/factory/var/lib/sfcb) >/dev/null 2>&1 || :;
 
 %preun
 %systemd_preun sblim-sfcb.service
-if [ $1 -eq 0 ]; then
-   # Package removal, not upgrade
-   rm -rf /usr/share/factory/var/lib/sfcb
-fi
 
 %postun
 /sbin/ldconfig
 %systemd_postun_with_restart sblim-sfcb.service
+if [ $1 -eq 0 ]; then
+        /usr/sbin/groupdel sfcb > /dev/null 2>&1 || :;
+fi;
 
 %files -f _pkg_list
-%{_sysusersdir}/sblim-sfcb.conf
-%{_tmpfilesdir}/sblim-sfcb.conf
 
 %changelog
-* Fri Jan 30 2026 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-27
-- Add support for post-quantum cryptography
-  Resolves: RHEL-127515
-
-* Tue Sep 30 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-26
-- Update OpenSSL certificates set up
-  Resolves: RHEL-118293
-- Eliminate use of obsolete %patchN syntax
-  Related: RHEL-91101
-- Add sysusers.d config file to allow rpm to create users/groups automatically
-  and drop attempt to delete group
-  Related: RHEL-91101
-- Add support for Image Mode
-  Resolves: RHEL-91101
-
-* Thu Jan 27 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-25
-- Change build flags, fix errors during the start of the service
-
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.9-24
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.9-23
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.4.9-22
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-21
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-20
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 08 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-19
+* Mon Nov 23 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-17
 - Fix sfcbrepos redirection
+  Resolves: #1854991
 
-* Wed Feb 12 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-18
-- Fixes multiple definiton of variables (FTBFS with GCC 10)
-  Resolves: #1800074
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-17
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-16
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Oct 11 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-14
-- Don't decrease optimization level to -O0 on ppc64le
+* Mon Oct 15 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-16
 - Use %%license for file which contains the text of the license
 - Change versioned docdir to unversioned and rename the docdir to match
   the package name
 - Remove %%defattr
+  Resolves: #1638007
 
-* Mon Oct 08 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-13
+* Mon Oct 08 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-15
 - Fix license tag
 
+* Wed Sep 26 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-14
+- Don't decrease optimization level to -O0 on ppc64le
+  Resolves: #1624171
+
+* Tue Aug 21 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-13
+- Rebuilt
+
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
@@ -231,7 +169,6 @@ fi
 * Wed Feb 14 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-10
 - Fix null pointer (DoS) vulnerability via POST request to /cimom (CVE-2018-6644)
   (patch by Adam Majer)
-  Resolves: #1543825
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@@ -250,7 +187,6 @@ fi
 
 * Mon Aug 24 2015 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-4
 - Fix possible null pointer dereference (CVE-2015-5185)
-  Resolves: #1255587
 
 * Mon Jul 13 2015 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.4.9-3
 - Fix sblim-sfcb FTBFS in rawhide
@@ -319,7 +255,7 @@ fi
   Resolves: #919377
 
 * Mon May 20 2013 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.3.16-3
-- Fix indCIMXmlHandler crash in IndCIMXMLHandlerInvokeMethod with Embedded Instances 
+- Fix indCIMXmlHandler crash in IndCIMXMLHandlerInvokeMethod with Embedded Instances
   Resolves: #957747
 - Fix sfcb creates invalid XML with embedded object inside embedded object
   Resolves: #957742
@@ -382,7 +318,7 @@ fi
 
 * Fri Jan  7 2011 Praveen K Paladugu <praveen_paladugu@dell.com> - 1.3.10-2
 - Following the BZ#660072, added sfcb.service file for compliance with systemd
-- Since sfcb's PAM authentication requires, the user to be in group sfcb, 
+- Since sfcb's PAM authentication requires, the user to be in group sfcb,
 -    added the root user to "sfcb" group in %%pre section.
 
 * Mon Dec  6 2010 Vitezslav Crhonek <vcrhonek@redhat.com> - 1.3.10-1
@@ -424,7 +360,7 @@ fi
 - Fixed the incoherent init script problem by renaming the init script
 
 * Thu Sep 03 2009 <srinivas_ramanatha@dell.com> - 1.3.4-5
-- added the devel package to fit in all the development files 
+- added the devel package to fit in all the development files
 - Made changes to the initscript not to start the service by default
 
 * Thu Jul 02 2009 <ratliff@austin.ibm.com> - 1.3.4-4
@@ -445,7 +381,7 @@ fi
 - updated the source URL
 
 * Wed Oct 08 2008 <ratliff@austin.ibm.com> - 1.3.2-1
-- updated upstream version and added CFLAGS to configure to work 
+- updated upstream version and added CFLAGS to configure to work
 - around http://sources.redhat.com/bugzilla/show_bug.cgi?id=6545
 
 * Fri Aug 08 2008 <ratliff@austin.ibm.com> - 1.3.0-1

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

rpminspect.yaml

@@ -1,9 +0,0 @@
----
-badfuncs:
-    allowed:
-        /usr/lib64/sfcb/libsfcHttpAdapter.so.*:
-            - inet_aton
-
-runpath:
-    allowed_paths:
-        - /usr/lib64/sfcb

sblim-sfcb-1.4.9-post-quantum.patch

@@ -1,104 +0,0 @@
-diff -up sblim-sfcb-1.4.9/control.c.orig sblim-sfcb-1.4.9/control.c
---- sblim-sfcb-1.4.9/control.c.orig	2025-05-28 10:39:14.751599855 +0200
-+++ sblim-sfcb-1.4.9/control.c	2025-06-12 10:20:43.025624410 +0200
-@@ -171,10 +171,12 @@ static Control init[] = {
- 
-   {"sslKeyFilePath", CTL_STRING, SFCB_CONFDIR "/file.pem", {0}},
-   {"sslCertificateFilePath", CTL_STRING, SFCB_CONFDIR "/server.pem", {0}},
-+  {"sslKeyFallbackFilePath", CTL_STRING, NULL, {0}},
-+  {"sslCertificateFallbackFilePath", CTL_STRING, NULL, {0}},
-   {"sslCertList", CTL_STRING, SFCB_CONFDIR "/clist.pem", {0}},
-   {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
-   {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
--  {"sslEcDhCurveName", CTL_STRING, "secp384r1", {0}},
-+  {"sslEcDhCurveName", CTL_STRING, NULL, {0}},
-   {"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
- 
-   {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
-diff -up sblim-sfcb-1.4.9/httpAdapter.c.orig sblim-sfcb-1.4.9/httpAdapter.c
---- sblim-sfcb-1.4.9/httpAdapter.c.orig	2025-05-21 10:41:30.727123823 +0200
-+++ sblim-sfcb-1.4.9/httpAdapter.c	2025-06-12 11:14:32.906455875 +0200
-@@ -2053,6 +2053,24 @@ initSSL()
-   _SFCB_TRACE(1, ("---  sslKeyFilePath = %s", fnk));
-   if (SSL_CTX_use_PrivateKey_file(ctx, fnk, SSL_FILETYPE_PEM) != 1)
-     intSSLerror("Error loading private key from file");
-+
-+  /*
-+   *  Add fall back certificate/key pair
-+   */
-+  getControlChars("sslCertificateFallbackFilePath", &fnc);
-+  if (fnc) {
-+    _SFCB_TRACE(1, ("---  sslCertificateFallbackFilePath = %s", fnc));
-+    if (SSL_CTX_use_certificate_chain_file(ctx, fnc) != 1)
-+      intSSLerror("Error loading certificate fall back from file");
-+  }
-+
-+  getControlChars("sslKeyFallbackFilePath", &fnk);
-+  if (fnk) {
-+    _SFCB_TRACE(1, ("---  sslKeyFallbackFilePath = %s", fnk));
-+    if (SSL_CTX_use_PrivateKey_file(ctx, fnk, SSL_FILETYPE_PEM) != 1)
-+      intSSLerror("Error loading private key fall back from file");
-+  }
-+
-   getControlChars("sslClientCertificate", &fnl);
-   _SFCB_TRACE(1, ("---  sslClientCertificate = %s", fnl));
-   getControlChars("sslCertList", &fcert);
-@@ -2103,6 +2121,26 @@ initSSL()
-   _SFCB_TRACE(1, ("---  sslCiphers = %s", sslCiphers));
-   if (SSL_CTX_set_cipher_list(ctx, sslCiphers) != 1)
-     intSSLerror("Error setting cipher list (no valid ciphers)");
-+
-+  /*
-+   * Configure TLS key exchange groups with PQC support
-+   */
-+  if (SSL_CTX_set1_groups_list(ctx, "X25519MLKEM768:P-256:P-384:X25519") != 1) {
-+    mlogf(M_INFO, M_SHOW, "--- SSL: Failed to set PQC groups, trying traditional groups\n");
-+    /* Fallback to traditional groups for systems without PQC support */
-+    if (SSL_CTX_set1_groups_list(ctx, "P-256:P-384:X25519") != 1)
-+      mlogf(M_ERROR, M_SHOW, "--- SSL: Failed to set traditional groups\n");
-+  }
-+
-+  /*
-+   * Configure TLS signature algorithms with PQC support (ML-DSA)
-+   */
-+  if (SSL_CTX_set1_sigalgs_list(ctx, "mldsa65:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1) {
-+    mlogf(M_INFO, M_SHOW, "--- SSL: Failed to set PQC signature algorithms, trying traditional algorithms\n");
-+    /* Fallback to traditional signature algorithms */
-+    if (SSL_CTX_set1_sigalgs_list(ctx, "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1)
-+      mlogf(M_ERROR, M_SHOW, "--- SSL: Failed to set traditional signature algorithms\n");
-+  }
- 
- #if (defined HEADER_DH_H && !defined OPENSSL_NO_DH)
-   /*
-diff -up sblim-sfcb-1.4.9/sfcb.cfg.pre.in.orig sblim-sfcb-1.4.9/sfcb.cfg.pre.in
---- sblim-sfcb-1.4.9/sfcb.cfg.pre.in.orig	2025-05-28 10:05:42.359932525 +0200
-+++ sblim-sfcb-1.4.9/sfcb.cfg.pre.in	2025-06-12 11:23:37.424277273 +0200
-@@ -244,6 +244,15 @@ sslKeyFilePath: @sysconfdir@/sfcb/file.p
- ## Default is @sysconfdir@/sfcb/server.pem
- sslCertificateFilePath: @sysconfdir@/sfcb/server.pem
- 
-+## Filename containing the fall back private key for the server's fall back certificate.
-+## The file  must be in PEM format and may not be passphrase-protected. The file is
-+## relevant for both client connect and indications sent via https.
-+#sslKeyFallbackFilePath: @sysconfdir@/sfcb/file-fallback.pem
-+
-+## Filename containing the server's fall back certificate. Must be in PEM format.
-+## The file is relevant for both client connect and indications sent via https.
-+#sslCertificateFallbackFilePath: @sysconfdir@/sfcb/server-fallback.pem
-+
- ## Filename containing list of certificates server accepts.
- ## The file is relevant client connect only.
- ## Default is @sysconfdir@/sfcb/clist.pem
-@@ -302,10 +311,10 @@ sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STR
- ## Configure a curve name for ECDH ephemeral key generation. See man
- ## SSL_CTX_set_tmp_ecdh(3) for details. The value should be a curve name
- ## listed by the "openssl ecparam -list_curves" command in the SFCB runtime
--## environment. If this value is not set, the indicated default is in effect.
-+## environment. If this value is not set, ECDH ephemeral key generation is not used.
- ## If the value is set but the curve name is not recognized by the underlying
- ## openssl implementation, SFCB will abort.
--## Default is secp384r1
-+## Default is: not set
- #sslEcDhCurveName: secp384r1
- 
- ## When set to true, sets the SSL_OP_CIPHER_SERVER_PREFERENCE flag for the ssl

sblim-sfcb-1.4.9-ssl-certs-gen-changes.patch

@@ -1,71 +0,0 @@
-diff -up sblim-sfcb-1.4.9/genSslCert.sh.orig sblim-sfcb-1.4.9/genSslCert.sh
---- sblim-sfcb-1.4.9/genSslCert.sh.orig	2014-11-25 02:43:10.000000000 +0100
-+++ sblim-sfcb-1.4.9/genSslCert.sh	2025-10-07 11:23:59.201504832 +0200
-@@ -4,6 +4,44 @@ HOSTNAME=`uname -n`
- DO_SERVER=yes
- DO_CLIENT=yes
- DIR=`mktemp -d /var/tmp/sfcb.XXXXXX` || exit 1
-+DAYS=365
-+# Get minimum RSA key length at current security level
-+# This workarounds openssl not enforcing min. key length enforced by current security level
-+KEYSIZE=`grep min_rsa_size /etc/crypto-policies/state/CURRENT.pol 2>/dev/null | cut -d ' ' -f 3`
-+if [ -z "$KEYSIZE" ]; then
-+    KEYSIZE=2048  # fallback to safe default
-+fi
-+
-+function create_ssl_cnf()
-+{
-+cat > $DIR/ssl.cnf <<EOF
-+[req]
-+distinguished_name=user_dn
-+prompt=no
-+
-+[user_dn]
-+CN=$HOSTNAME
-+emailAddress=root@$HOSTNAME
-+EOF
-+}
-+
-+function selfsign_sscg()
-+{
-+    sscg --quiet \
-+         --lifetime "${DAYS}" \
-+         --cert-key-file "${DIR}"/key.pem \
-+         --cert-file "${DIR}"/cert.pem \
-+         --ca-file "${DIR}"/ca.crt \
-+         --hostname "${HOSTNAME}" \
-+         --email root@"{$HOSTNAME}"
-+}
-+
-+function selfsign_openssl()
-+{
-+    openssl req -x509 -days $DAYS -newkey rsa:$KEYSIZE \
-+       -nodes -config $DIR/ssl.cnf   \
-+       -keyout $DIR/key.pem -out $DIR/cert.pem
-+}
- 
- trap "rm -rf $DIR" exit
- 
-@@ -28,19 +66,10 @@ then
-     exit 0
- fi
- 
--cat > $DIR/ssl.cnf <<EOF
--[req]
--distinguished_name=user_dn
--prompt=no
--
--[user_dn]
--CN=$HOSTNAME
--emailAddress=root@$HOSTNAME
--EOF
-+create_ssl_cnf
- 
--openssl req -x509 -days 365 -newkey rsa:2048 \
--   -nodes -config $DIR/ssl.cnf   \
--   -keyout $DIR/key.pem -out $DIR/cert.pem
-+# If sscg fails, try openssl
-+selfsign_sscg || selfsign_openssl
- 
- chmod 700 $DIR/*.pem
- 

sblim-sfcb.tmpfiles

@@ -1,2 +0,0 @@
-# populate /var/lib/sfcb with content from /usr/share/factory/var/lib/sfcb
-C /var/lib/sfcb - - - -

sources

@@ -1,2 +0,0 @@
-494b9bdd96c1d8d90dafc26cd5534082  sfcb.service
-28021cdabc73690a94f4f9d57254ce30  sblim-sfcb-1.4.9.tar.bz2