.gitignore

@@ -1 +1 @@
-SOURCES/sscg-3.0.0.tar.xz
+SOURCES/sscg-4.0.3.tar.gz

.sscg.metadata

@@ -1 +1 @@
-81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
+829d6dd6d5ad493499317a2bf6f25167c9b3c623 SOURCES/sscg-4.0.3.tar.gz

SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch

@@ -1,34 +0,0 @@
-From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Sat, 7 Aug 2021 11:48:04 -0400
-Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
-
-This macro was dropped in OpenSSL 3.0 and has actually not been
-providing a valid return code for some time.
-
-Related: rhbz#1964837
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
----
- include/sscg.h | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/include/sscg.h b/include/sscg.h
-index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
---- a/include/sscg.h
-+++ b/include/sscg.h
-@@ -94,11 +94,10 @@
-       if (_sslret != 1)                                                       \
-         {                                                                     \
-           /* Get information about error from OpenSSL */                      \
-           unsigned long _ssl_error = ERR_get_error ();                        \
-           if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) &&                     \
--              (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) &&         \
-               ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) ||      \
-                (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL)))       \
-             {                                                                 \
-               fprintf (                                                       \
-                 stderr,                                                       \
--- 
-2.33.0
-

SOURCES/0001-Restore-defaulting-to-dhparams.pem-creation.patch

@@ -0,0 +1,119 @@
+From 771a7663bccbd360f017c4c22358a46abcdfa93f Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Mon, 27 Oct 2025 14:58:11 -0400
+Subject: [PATCH] Restore defaulting to dhparams.pem creation
+
+This was disabled upstream, but for backwards-compatibility in the RHEL
+9 and RHEL 10 lifecycle, we'll continue to do so there.
+
+This reverts commit 0e5e011acc2dc19f3c2fcb5699cf8fa662a2b135.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/arguments.c                |  4 ++--
+ src/sscg.c                     | 39 +++++++++++++++++++++++++---------
+ test/test_dhparams_creation.sh |  6 +-----
+ 3 files changed, 32 insertions(+), 17 deletions(-)
+
+diff --git a/src/arguments.c b/src/arguments.c
+index 38c8740c1f159368d6fc92d51ba48d83700c3320..4ff75fdf86728592e7ca05db4cf4ac88bf79ca2e 100644
+--- a/src/arguments.c
++++ b/src/arguments.c
+@@ -682,7 +682,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+       &options->dhparams_file,
+       0,
+       _("A file to contain a set of Diffie-Hellman parameters. "
+-        "(Default: not created)"),
++        "(Default: \"./dhparams.pem\")"),
+       NULL
+     },
+ 
+@@ -692,7 +692,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+       POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+       &options->skip_dhparams,
+       0,
+-      _ ("Deprecated: Retained for backwards compatibility. To be removed in SSCG 5.0."),
++      _ ("Do not create the dhparams file"),
+       NULL
+     },
+ 
+diff --git a/src/sscg.c b/src/sscg.c
+index b9b191f109300f6447262858f57a3a8321a14966..d2dce334cff1342d975e9867a2c82a222d76925e 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -166,19 +166,38 @@ main (int argc, const char **argv)
+                                        options->crl_mode);
+   CHECK_OK (ret);
+ 
+-  if (options->dhparams_file)
++  if (!options->skip_dhparams)
+     {
+-      dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+-      CHECK_MEM (dhparams_file);
++      if (options->dhparams_file)
++        {
++          dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
++          CHECK_MEM (dhparams_file);
+ 
+-      ret = sscg_io_utils_add_output_file (options->streams,
+-                                           SSCG_FILE_TYPE_DHPARAMS,
+-                                           dhparams_file,
+-                                           options->overwrite,
+-                                           options->dhparams_mode);
+-      CHECK_OK (ret);
++          ret = sscg_io_utils_add_output_file (options->streams,
++                                               SSCG_FILE_TYPE_DHPARAMS,
++                                               dhparams_file,
++                                               options->overwrite,
++                                               options->dhparams_mode);
++          CHECK_OK (ret);
++        }
++      else
++        {
++          dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
++          CHECK_MEM (dhparams_file);
++
++          ret = sscg_io_utils_add_output_file (options->streams,
++                                               SSCG_FILE_TYPE_DHPARAMS,
++                                               dhparams_file,
++                                               options->overwrite,
++                                               options->dhparams_mode);
++          SSCG_LOG (SSCG_VERBOSE,
++                    "Could not open dhparams file %s: %s\n",
++                    dhparams_file,
++                    strerror (ret));
++          /* This is non-fatal if the file path was not explicitly passed */
++          ret = EOK;
++        }
+     }
+-
+   /* Validate and open the file paths */
+   ret = sscg_io_utils_open_BIOs (options->streams);
+   CHECK_OK (ret);
+diff --git a/test/test_dhparams_creation.sh b/test/test_dhparams_creation.sh
+index d0b4cbb71f3cd1656f1422524c4da7b30fbf3e0a..49f2b08d23246c90663eb7d2e5078817eb42139b 100755
+--- a/test/test_dhparams_creation.sh
++++ b/test/test_dhparams_creation.sh
+@@ -42,10 +42,6 @@
+ # just warn and ignore it if it was not (returning 0). However, if it is
+ # explicitly requested on the command-line and cannot be written to that
+ # location, it should fail with an error code.
+-#
+-# Updated 2025-10-21: SSCG 4.0 no longer creates the dhparams file by default.
+-# It should not attempt to create it unless explicitly requested using the
+-# --dhparams-file option.
+ 
+ set -e
+ 
+@@ -181,7 +177,7 @@ run_test \
+     "" \
+     0 \
+     "$WRITABLE_DIR/dhparams.pem" \
+-    "false" \
++    "true" \
+     "$WRITABLE_DIR"
+ 
+ # Test 2: No --dhparams-file, readonly directory, no existing file
+-- 
+2.52.0
+

SOURCES/0002-Avoid-segfault-on-receiving-bad-CLI-arguments.patch

@@ -0,0 +1,38 @@
+From f40d0070641543a140428d70211d53d36fd2c34b Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 2 Dec 2025 12:12:26 -0500
+Subject: [PATCH 2/3] Avoid segfault on receiving bad CLI arguments
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/sscg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/sscg.c b/src/sscg.c
+index d2dce334cff1342d975e9867a2c82a222d76925e..070d567bb189d42a20fd0a80f8fe2f7caae4d9eb 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -59,7 +59,7 @@ int
+ main (int argc, const char **argv)
+ {
+   int ret, sret;
+-  struct sscg_options *options;
++  struct sscg_options *options = NULL;
+   bool build_client_cert = false;
+   char *dhparams_file = NULL;
+ 
+@@ -361,7 +361,10 @@ main (int argc, const char **argv)
+ done:
+   if (ret != EOK)
+     {
+-      sscg_io_utils_delete_output_files (options->streams);
++      if (options)
++        {
++          sscg_io_utils_delete_output_files (options->streams);
++        }
+     }
+   talloc_zfree (main_ctx);
+   if (getenv ("SSCG_TALLOC_REPORT"))
+-- 
+2.52.0
+

SOURCES/0002-Correct-certificate-lifetime-calculation.patch

@@ -1,46 +0,0 @@
-From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
-From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
-Date: Tue, 26 Oct 2021 12:32:13 +0200
-Subject: [PATCH 2/2] Correct certificate lifetime calculation
-
-sscg allows passing the certificate lifetime, as a number of days, as a
-commandline argument.  It converts this value to seconds using the
-formula
-
-  days * 24 * 3650
-
-which is incorrect.  The correct value is 3600.
-
-This effectively adds an extra 20 minutes to the lifetime of the
-certificate for each day as given on the commandline, and was enough to
-cause some new integration tests in cockpit to fail.
-
-Interestingly, 3650 is the old default value for the number of days of
-certificate validity (~10 years) so this probably slipped in as a sort
-of muscle-memory-assisted typo.
-
-Let's just write `24 * 60 * 60` to make things clear.
----
- src/x509.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/x509.c b/src/x509.c
-index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
---- a/src/x509.c
-+++ b/src/x509.c
-@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
-       X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
-     }
- 
-   /* set time */
-   X509_gmtime_adj (X509_get_notBefore (cert), 0);
--  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
-+  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
- 
-   /* set subject */
-   subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
-   sslret = X509_set_subject_name (cert, subject);
-   CHECK_SSL (sslret, X509_set_subject_name);
--- 
-2.33.0
-

SOURCES/0003-Restore-error-message.patch

@@ -0,0 +1,29 @@
+From 08dacb632cc331027f39dcfa0b782aeb6f2f893a Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 2 Dec 2025 12:19:04 -0500
+Subject: [PATCH 3/3] Restore error message
+
+This was dropped in 4.0, but should be retained in RHEL 9 and 10 for
+compatibility, particularly with existing tests that look for specific
+messages.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/sscg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sscg.c b/src/sscg.c
+index 070d567bb189d42a20fd0a80f8fe2f7caae4d9eb..9f46cd622a4d55bd634a370ccc81ff063422b5af 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -361,6 +361,7 @@ main (int argc, const char **argv)
+ done:
+   if (ret != EOK)
+     {
++      SSCG_ERROR ("%s\n", strerror (ret));
+       if (options)
+         {
+           sscg_io_utils_delete_output_files (options->streams);
+-- 
+2.52.0
+

SOURCES/0003-Truncate-IP-address-in-SAN.patch

@@ -1,68 +0,0 @@
-From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Tue, 8 Mar 2022 16:33:35 -0500
-Subject: [PATCH] Truncate IP address in SAN
-
-In OpenSSL 1.1, this was done automatically when addind a SAN extension,
-but in OpenSSL 3.0 it is rejected as an invalid input.
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
----
- src/x509.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/src/x509.c b/src/x509.c
-index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
---- a/src/x509.c
-+++ b/src/x509.c
-@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
-   size_t i;
-   X509_NAME *subject;
-   char *alt_name = NULL;
-   char *tmp = NULL;
-   char *san = NULL;
-+  char *slash = NULL;
-   TALLOC_CTX *tmp_ctx;
-   X509_EXTENSION *ex = NULL;
-   struct sscg_x509_req *csr;
- 
-   /* Make sure we have a key available */
-@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
-                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
-             }
-           else
-             {
-               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
-+              /* SAN IP addresses cannot include the subnet mask */
-+              if ((slash = strchr (san, '/')))
-+                {
-+                  /* Truncate at the slash */
-+                  *slash = '\0';
-+                }
-             }
-           CHECK_MEM (san);
- 
-           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
-             {
-@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
-           alt_name = tmp;
-         }
-     }
- 
-   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
--  CHECK_MEM (ex);
-+  if (!ex)
-+    {
-+      ret = EINVAL;
-+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
-+      goto done;
-+    }
-+
-   sk_X509_EXTENSION_push (certinfo->extensions, ex);
- 
-   /* Set the public key for the certificate */
-   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
-   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
--- 
-2.35.1
-

SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch

@@ -1,139 +0,0 @@
-From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
-From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Wed, 16 Nov 2022 15:27:58 -0500
-Subject: [PATCH] dhparams: don't fail if default file can't be created
-
-Resolves: rhbz#2143206
-
-Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
----
- src/arguments.c |  1 -
- src/io_utils.c  | 12 +++++++++++
- src/sscg.c      | 55 +++++++++++++++++++++++++++++++++----------------
- 3 files changed, 49 insertions(+), 19 deletions(-)
-
-diff --git a/src/arguments.c b/src/arguments.c
-index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
---- a/src/arguments.c
-+++ b/src/arguments.c
-@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
- 
-   opts->lifetime = 398;
- 
--  opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
-   opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
-   opts->dhparams_generator = 2;
- 
-diff --git a/src/io_utils.c b/src/io_utils.c
-index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
---- a/src/io_utils.c
-+++ b/src/io_utils.c
-@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
-     {
-       SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
-       stream->bio = BIO_new_file (stream->path, create_mode);
-+      if (!stream->bio)
-+        {
-+          fprintf (stderr,
-+                   "Could not write to %s. Check directory permissions.\n",
-+                   stream->path);
-+
-+          /* The dhparams file is special, it will be handled later */
-+          if (i != SSCG_FILE_TYPE_DHPARAMS)
-+            {
-+              continue;
-+            }
-+        }
-       CHECK_BIO (stream->bio, stream->path);
-     }
- 
-diff --git a/src/sscg.c b/src/sscg.c
-index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
---- a/src/sscg.c
-+++ b/src/sscg.c
-@@ -93,6 +93,7 @@ main (int argc, const char **argv)
-   int ret, sret;
-   struct sscg_options *options;
-   bool build_client_cert = false;
-+  char *dhparams_file = NULL;
- 
-   struct sscg_x509_cert *cacert;
-   struct sscg_evp_pkey *cakey;
-@@ -182,9 +183,19 @@ main (int argc, const char **argv)
-                                        options->crl_mode);
-   CHECK_OK (ret);
- 
-+  if (options->dhparams_file)
-+    {
-+      dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
-+    }
-+  else
-+    {
-+      dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
-+    }
-+  CHECK_MEM (dhparams_file);
-+
-   ret = sscg_io_utils_add_output_file (options->streams,
-                                        SSCG_FILE_TYPE_DHPARAMS,
--                                       options->dhparams_file,
-+                                       dhparams_file,
-                                        options->dhparams_mode);
-   CHECK_OK (ret);
- 
-@@ -281,28 +292,36 @@ main (int argc, const char **argv)
- 
- 
-   /* Create DH parameters file */
--  bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
--  if (options->dhparams_prime_len > 0)
-+  if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
-     {
--      ret = create_dhparams (options->verbosity,
--                             options->dhparams_prime_len,
--                             options->dhparams_generator,
--                             &dhparams);
--      CHECK_OK (ret);
-+      if (options->dhparams_prime_len > 0)
-+        {
-+          ret = create_dhparams (options->verbosity,
-+                                 options->dhparams_prime_len,
-+                                 options->dhparams_generator,
-+                                 &dhparams);
-+          CHECK_OK (ret);
-+        }
-+      else
-+        {
-+          ret = get_params_by_named_group (options->dhparams_group, &dhparams);
-+          CHECK_OK (ret);
-+        }
-+
-+      /* Export the DH parameters to the file */
-+      sret = PEM_write_bio_Parameters (bp, dhparams);
-+      CHECK_SSL (sret, PEM_write_bio_Parameters ());
-+      ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
-+      EVP_PKEY_free (dhparams);
-     }
--  else
-+  else if (options->dhparams_file)
-     {
--      ret = get_params_by_named_group (options->dhparams_group, &dhparams);
--      CHECK_OK (ret);
-+      /* A filename was explicitly passed, but it couldn't be created */
-+      ret = EPERM;
-+      fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
-+      goto done;
-     }
- 
--  /* Export the DH parameters to the file */
--  sret = PEM_write_bio_Parameters (bp, dhparams);
--  CHECK_SSL (sret, PEM_write_bio_Parameters ());
--  ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
--  EVP_PKEY_free (dhparams);
--
--
-   /* Set the final file permissions */
-   sscg_io_utils_finalize_output_files (options->streams);
- 
--- 
-2.38.1
-

SPECS/sscg.spec

@@ -1,3 +1,13 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 2;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 %global provider        github
 %global provider_tld    com
 %global project sgallagher
@@ -8,29 +18,32 @@
 
 
 Name:           sscg
-Version:        3.0.0
+Version:        4.0.3
-Release:        7%{?dist}
+Release:        %autorelease
-Summary:        Simple SSL certificate generator
+Summary:        Simple Signed Certificate Generator
 
-License:        GPLv3+ with exceptions
+License:        GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception
 URL:            https://%{provider_prefix}
-Source0:        https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.xz
+Source0:        %{URL}/archive/refs/tags/sscg-%{version}.tar.gz
-
 BuildRequires:  gcc
 BuildRequires:  libtalloc-devel
 BuildRequires:  openssl-devel
 BuildRequires:  popt-devel
-BuildRequires:  libpath_utils-devel
 BuildRequires:  meson
 BuildRequires:  ninja-build
 BuildRequires:  help2man
 
 
-Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+# For backwards-compatibility in RHEL, revert the 4.0 patch that disables
-Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
+# dhparam file generation by default.
-Patch0003: 0003-Truncate-IP-address-in-SAN.patch
+Patch: 0001-Restore-defaulting-to-dhparams.pem-creation.patch
-Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
 
+# Upstream patch to avoid segfault when receiving bad CLI arguments
+Patch: 0002-Avoid-segfault-on-receiving-bad-CLI-arguments.patch
+
+# Downstream patch to restore error message at the end of execution that is
+# checked by certain tests
+Patch: 0003-Restore-error-message.patch
 
 %description
 A utility to aid in the creation of more secure "self-signed"
@@ -41,7 +54,7 @@ up a full PKI environment and without exposing the machine to a risk of
 false signatures from the service certificate.
 
 %prep
-%autosetup -p1
+%autosetup -p1 -n sscg-sscg-%{version}
 
 
 %build
@@ -61,69 +74,140 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*
 
 %changelog
-* Thu Dec 08 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
+## START: Generated by rpmautospec
-- Correctly apply the patch for default dhparams
+* Tue Dec 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.3-2
-- Resolves: rhbz#2143206
+- Fix issues discovered by OSCI tests
+
+* Tue Dec 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.3-1
+- Update to SSCG 4.0.3
+
+* Tue Dec 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.1-1
+- Update to SSCG 4.0.1
+
+* Mon Oct 27 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.0-2
+- Restore creation of dhparams file by default
+
+* Mon Aug 11 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-10
+- Fix IP address handling in CA certificate SAN constraints
+- Resolves: RHEL-107289
+
+* Tue Apr 22 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-9
+- Ensure 'critical' basicConstraint for CA cert
+- Resolves: RHEL-88119
+
+* Wed Apr 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-8
+- x509: Use proper version for CSR
+- Resolves: RHEL-85851
+
+* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
+- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
+- Related: rhbz#2083879
 
 * Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
 - Don't fail if default dhparams file can't be created
-- Resolves: rhbz#2143206
+- Resolves: rhbz#2149064
 
-* Thu Jul 14 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
+* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
-- Rebase to sscg 3.0.0
+- Handle IP addresses in subjectAlternativeName correctly
-- Resolves: rhbz#2107369
+- Resolves: rhbz#2061923
-- Resolves: rhbz#2091525
 
-* Thu Jun 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-15
+* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
-- Fix certificate lifetime calculation
+- Correct certificate lifetime calculation
-- Resolves: rhbz#2091525
+- Resolves: rhbz#2017667
 
-* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-14
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
-- Properly handling reading long passphrase files.
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-13
+* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
-- Fix missing error check for --*-key-passfile
+- Drop usage of removed macro ERR_GET_FUNC()
+- Related: rhbz#1964837
 
-* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-12
+* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
-- Improve validation of command-line arguments
+- Release 3.0.0
-- Resolves: rhbz#1784441
+- Support for OpenSSL 3.0
-- Resolves: rhbz#1784443
+- Support for outputting named Diffie-Hellman parameter groups
+- Support for CentOS Stream 9
+- Resolves: rhbz#1984468
 
-* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-11
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
-- Further improve --client-key-file help message
+- Rebuilt for RHEL 9 BETA for openssl 3.0
-- Resolves: rhbz#1720667
+  Related: rhbz#1971065
 
-* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
+* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
-- Fix incorrect help message
+- OpenSSL 3.0 compatibility: fix RSA key-generation test
-- Resolves: rhbz#1720667
+- Resolves: rhbz#1964837
 
-* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
-- Fix null-dereference and memory leak issues with client certs
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- Resolves: rhbz#1720667
 
-* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
+* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-5
-- Add support for generating client authentication certificates
+- Fixing incorrect license declaration
-- Resolves: rhbz#1720667
 
-* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
+* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-4
-- Add support for password-protecting the private key files
+- Updating to rebuild against the latest glibc
-- Resolves: rhbz#1717880
 
-* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-3
-- Fixes for issues detected by automated testing.
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-- Resolves: rhbz#1653323
 
-* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-1
+- Update to 2.6.2
+- Handle very short and very long passphrases properly (fixes rhbz#1850183)
+- Drop upstreamed patch
+
+* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-4
+- Rebuild with corrected ELN macro definitions
+
+* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-3
+- Don't bother running clang-format in the RPM build
+- Lengthen the test timeout so ARM tests pass
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-1
+- Bugfixes from upstream
+
+* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-2
+- Fix incorrect help description for --client-key-file
+
+* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-1
+- Update to 2.6.0
+- Can now generate an empty CRL file.
+- Can now create and store a Diffie-Hellman parameters (dhparams) file.
+- Support for setting a password on private keys.
+- Support for generating a client authentication certificate and key.
+- Better support for OpenSSL 1.0
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.1-1
+- Update to 2.5.1
+- Fixes discovered by automated testing.
+
+* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.0-1
+- Update to 2.5.0
+- Auto-detect the hash algorithm to use by default.
+
+* Tue Nov 27 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.4.0-1
+- Update to 2.4.0
 - Autodetect the minimum key strength from the system security level.
-- Autodetect the hash algorithm to use from the system security level.
 - Disallow setting a key strength below the system minimum.
-- Resolves: rhbz#1653323
+
+- Drop upstreamed patches
 
 * Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
-- Add a manpage for sscg.
+- Add a manpage.
 
-* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
-- Strip out bundled popt since RHEL 8 has a new-enough version.
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@@ -266,3 +350,6 @@ false signatures from the service certificate.
 
 * Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
 - First packaging
+
+
+## END: Generated by rpmautospec