[openssl] disable SSLv2 and SSLv3 protocols by default
Tomáš Mráz
tmraz at fedoraproject.org
Mon Jun 30 12:21:10 UTC 2014
commit 646646611547dd7072b0562ed5f27861fbb12f48
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Mon Jun 30 14:21:11 2014 +0200
disable SSLv2 and SSLv3 protocols by default
(can be enabled via appropriate SSL_CTX_clear_options() call)
openssl-1.0.1h-disable-sslv2v3.patch | 13 +++++++++++++
openssl.spec | 8 +++++++-
2 files changed, 20 insertions(+), 1 deletions(-)
---
diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch
new file mode 100644
index 0000000..83afda0
--- /dev/null
+++ b/openssl-1.0.1h-disable-sslv2v3.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3 2014-06-11 16:02:52.000000000 +0200
++++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-30 14:18:04.290248080 +0200
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ return(ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
diff --git a/openssl.spec b/openssl.spec
index 61b584d..a4196ad 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1h
-Release: 4%{?dist}
+Release: 5%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -84,6 +84,7 @@ Patch78: openssl-1.0.1g-3des-strength.patch
Patch90: openssl-1.0.1e-enc-fail.patch
Patch91: openssl-1.0.1e-ssl2-no-ec.patch
Patch92: openssl-1.0.1h-system-cipherlist.patch
+Patch93: openssl-1.0.1h-disable-sslv2v3.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch82: openssl-1.0.1h-session-resumption.patch
@@ -208,6 +209,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch90 -p1 -b .enc-fail
%patch91 -p1 -b .ssl2noec
%patch92 -p1 -b .system
+%patch93 -p1 -b .v2v3
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .resumption
@@ -478,6 +480,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Mon Jun 30 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1h-5
+- disable SSLv2 and SSLv3 protocols by default (can be enabled
+ via appropriate SSL_CTX_clear_options() call)
+
* Wed Jun 11 2014 Tomáš Mráz <tmraz at redhat.com> 1.0.1h-4
- use system profile for default cipher list
More information about the scm-commits
mailing list