robert pushed to prosody (el5). "Merge remote branch 'origin/master' into el5"
notifications at fedoraproject.org
Mon May 4 23:26:55 UTC 2015
>From 7fbe1b6c7769dc474b78c250382e0251fc88974e Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Tue, 5 May 2015 01:20:50 +0200
Subject: Added patch to handle the old OpenSSL 0.9.8e in RHEL 5 (and
derivates) as good as possible
diff --git a/prosody-0.9.8-rhel5.patch b/prosody-0.9.8-rhel5.patch
new file mode 100644
index 0000000..6a4a1a8
--- /dev/null
+++ b/prosody-0.9.8-rhel5.patch
@@ -0,0 +1,35 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for prosody >= 0.9.8 which removes all
+options that OpenSSL 0.9.8e (as shipped by Red Hat Enterprise Linux 5 and derivates such
+as CentOS) does not support: SSL_OP_NO_TICKET (added by upstream with OpenSSL 0.9.8f) and
+the support for secp384r1 (added by Red Hat for RHEL 6.5 with openssl-1.0.1e-15). LuaSec
+0.5 does not offer any option to detect which OpenSSL features are (not) available, thus
+Prosody upstream tries to determine them by the LuaSec version - risky, because EPEL 5 is
+shipping LuaSec 0.4.1 since ever, but still had no support for the "no_ticket" option.
+
+--- prosody-0.9.8/core/certmanager.lua 2015-03-24 20:18:04.000000000 +0100
++++ prosody-0.9.8/core/certmanager.lua.rhel5 2015-05-05 00:47:21.000000000 +0200
+@@ -33,7 +33,7 @@
+ local default_ssl_config = configmanager.get("*", "ssl");
+ local default_capath = "/etc/ssl/certs";
+ local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
+-local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
++local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference" };
+ local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
+
+ if ssl and not luasec_has_verifyext and ssl.x509 then
+@@ -56,6 +56,7 @@
+
+ if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
+ if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end
++ if user_ssl_config.options then user_ssl_config.options.no_ticket = nil; end
+
+ local ssl_config = {
+ mode = mode;
+@@ -69,7 +70,6 @@
+ verifyext = user_ssl_config.verifyext or default_verifyext;
+ options = user_ssl_config.options or default_options;
+ depth = user_ssl_config.depth;
+- curve = user_ssl_config.curve or "secp384r1";
+ ciphers = user_ssl_config.ciphers or "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
+ dhparam = user_ssl_config.dhparam;
+ };
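Review bot: The added guard `user_ssl_config.options.no_ticket = nil` in the second certmanager.lua hunk clears a table field named `no_ticket`, but the options handed to LuaSec here are a list of strings, as `default_options` in the first hunk shows. Assuming user-supplied options use the same list form, a configured `"no_ticket"` entry would survive the guard. On OpenSSL 0.9.8e that leaves in place exactly the unsupported option this patch is meant to strip, and the likely result is that TLS context creation fails for that host. Removing the entry by value, as below, closes the gap; like the original line it still edits the configuration table in place, so a filtered copy would be safer if that table is shared. The enclosing function starts and ends outside the hunk.

```lua
	if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end
	if user_ssl_config.options then
		-- walk backwards so table.remove does not skip the following entry
		for i = #user_ssl_config.options, 1, -1 do
			if user_ssl_config.options[i] == "no_ticket" then
				table.remove(user_ssl_config.options, i);
			end
		end
	end
	-- … unchanged: ssl_config table construction …
```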
diff --git a/prosody.spec b/prosody.spec
index 3905160..382bf71 100644
--- a/prosody.spec
+++ b/prosody.spec
@@ -18,6 +18,7 @@ Source5: prosody.tmpfilesd
Source6: prosody-localhost.cfg.lua
Source7: prosody-example.com.cfg.lua
Patch0: prosody-0.9.8-config.patch
+Patch1: prosody-0.9.8-rhel5.patch
BuildRequires: libidn-devel, openssl-devel
Requires(pre): shadow-utils
%if 0%{?rhel} > 6 || 0%{?fedora} > 17
@@ -56,6 +57,9 @@ added functionality, or prototype new protocols.
%prep
%setup -q
%patch0 -p1 -b .config
+%if 0%{?rhel} == 5
+%patch1 -p1
+%endif
%build
# CFLAG -D_GNU_SOURCE requires fallocate() which requires GLIBC >= 2.10
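Review bot: The `%if 0%{?rhel} == 5` block applies a patch that changes the TLS defaults of the packaged server without a comment saying so, and unlike `%patch0 -p1 -b .config` it keeps no backup suffix. A comment above the conditional such as `# EL5 only: OpenSSL 0.9.8e lacks SSL_OP_NO_TICKET and secp384r1, see prosody-0.9.8-rhel5.patch` would tell a later packager why this build differs from the others. Writing the line as `%patch1 -p1 -b .rhel5` would match the existing `%patch0` line.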
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/prosody.git/commit/?h=el5&id=db222bf775d88e8e61d0ccd8ddd1ffb67385f2bd