[openssl] disable SSLv2 and SSLv3 protocols by default

Tomáš Mráz tmraz at fedoraproject.org
Mon Jun 30 12:21:10 UTC 2014 

commit 646646611547dd7072b0562ed5f27861fbb12f48
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Mon Jun 30 14:21:11 2014 +0200

    disable SSLv2 and SSLv3 protocols by default
    
    (can be enabled via appropriate SSL_CTX_clear_options() call)

 openssl-1.0.1h-disable-sslv2v3.patch |   13 +++++++++++++
 openssl.spec                         |    8 +++++++-
 2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch
new file mode 100644
index 0000000..83afda0
--- /dev/null
+++ b/openssl-1.0.1h-disable-sslv2v3.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3	2014-06-11 16:02:52.000000000 +0200
++++ openssl-1.0.1h/ssl/ssl_lib.c	2014-06-30 14:18:04.290248080 +0200
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ 	 */
+ 	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ 
++	/* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++	ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ 	return(ret);
+ err:
+ 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
diff --git a/openssl.spec b/openssl.spec
index 61b584d..a4196ad 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1h
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -84,6 +84,7 @@ Patch78: openssl-1.0.1g-3des-strength.patch
 Patch90: openssl-1.0.1e-enc-fail.patch
 Patch91: openssl-1.0.1e-ssl2-no-ec.patch
 Patch92: openssl-1.0.1h-system-cipherlist.patch
+Patch93: openssl-1.0.1h-disable-sslv2v3.patch
 # Backported fixes including security fixes
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1h-session-resumption.patch
@@ -208,6 +209,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch90 -p1 -b .enc-fail
 %patch91 -p1 -b .ssl2noec
 %patch92 -p1 -b .system
+%patch93 -p1 -b .v2v3
 
 %patch81 -p1 -b .padlock64
 %patch82 -p1 -b .resumption
@@ -478,6 +480,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jun 30 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1h-5
+- disable SSLv2 and SSLv3 protocols by default (can be enabled
+  via appropriate SSL_CTX_clear_options() call)
+
 * Wed Jun 11 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1h-4
 - use system profile for default cipher list

More information about the scm-commits mailing list