Accepting request 1062217 from security:tls:unstable
- Set OpenSSL 3.0 as the default openssl [bsc#1205042] * For compatibility with OpenSSL 3.0, the OpenSSL master configuration file openssl.cnf has been renamed to openssl-1_1.cnf. The executables openssl, c_rehash, CA.pl and tsget.pl have also been renamed to openssl-1_1, c_rehash-1_1, CA-1_1.pl and tsget-1_1.pl, respectively. * Add openssl-1_1-devel as conflicting with libopenssl-3-devel * Add openssl-1_1-openssl-config.patch OBS-URL: https://build.opensuse.org/request/show/1062217 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=126
parent
93c266235b
commit
6d27aa3f13
@ -5,5 +5,6 @@ libopenssl1_1-hmac
|
|||||||
libopenssl-1_1-devel
|
libopenssl-1_1-devel
|
||||||
provides "libopenssl-devel-<targettype> = <version>"
|
provides "libopenssl-devel-<targettype> = <version>"
|
||||||
conflicts "otherproviders(libopenssl-devel-<targettype>)"
|
conflicts "otherproviders(libopenssl-devel-<targettype>)"
|
||||||
|
conflicts "libopenssl-3-devel-<targettype>"
|
||||||
requires -"openssl-1_1-<targettype>"
|
requires -"openssl-1_1-<targettype>"
|
||||||
requires "libopenssl1_1-<targettype> = <version>"
|
requires "libopenssl1_1-<targettype> = <version>"
|
||||||
|
530
openssl-1_1-openssl-config.patch
Normal file
@ -0,0 +1,530 @@
|
|||||||
|
Index: openssl-1.1.1s/Configurations/unix-Makefile.tmpl
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ openssl-1.1.1s/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\
|
||||||
|
INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -}
|
||||||
|
INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -}
|
||||||
|
{- output_off() if $disabled{apps}; "" -}
|
||||||
|
-BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
|
||||||
|
-MISC_SCRIPTS=$(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget.pl:tsget
|
||||||
|
+BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash-1_1
|
||||||
|
+MISC_SCRIPTS=$(BLDDIR)/apps/CA-1_1.pl $(BLDDIR)/apps/tsget-1_1.pl:tsget-1_1
|
||||||
|
{- output_on() if $disabled{apps}; "" -}
|
||||||
|
|
||||||
|
APPS_OPENSSL={- use File::Spec::Functions;
|
||||||
|
@@ -579,14 +579,14 @@ install_ssldirs:
|
||||||
|
: {- output_on() if windowsdll(); "" -}; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
|
||||||
|
- @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
|
||||||
|
- @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
|
||||||
|
- @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
|
||||||
|
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
|
||||||
|
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
||||||
|
- cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
||||||
|
- chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
||||||
|
+ @$(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist"
|
||||||
|
+ @cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new"
|
||||||
|
+ @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new"
|
||||||
|
+ @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist"
|
||||||
|
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf" ]; then \
|
||||||
|
+ $(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
|
||||||
|
+ cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
|
||||||
|
+ chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
|
||||||
|
fi
|
||||||
|
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
|
||||||
|
@cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
|
||||||
|
@@ -870,7 +870,7 @@ lint:
|
||||||
|
|
||||||
|
generate_apps:
|
||||||
|
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
|
||||||
|
- < apps/openssl.cnf > apps/openssl-vms.cnf )
|
||||||
|
+ < apps/openssl-1_1.cnf > apps/openssl-vms.cnf )
|
||||||
|
|
||||||
|
generate_crypto_bn:
|
||||||
|
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
|
||||||
|
Index: openssl-1.1.1s/Configure
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/Configure
|
||||||
|
+++ openssl-1.1.1s/Configure
|
||||||
|
@@ -35,7 +35,7 @@ my $usage="Usage: Configure [no-<cipher>
|
||||||
|
# directories bin, lib, include, share/man, share/doc/openssl
|
||||||
|
# This becomes the value of INSTALLTOP in Makefile
|
||||||
|
# (Default: /usr/local)
|
||||||
|
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
|
||||||
|
+# --openssldir OpenSSL data area, such as openssl-1_1.cnf, certificates and keys.
|
||||||
|
# If it's a relative directory, it will be added on the directory
|
||||||
|
# given with --prefix.
|
||||||
|
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||||
|
Index: openssl-1.1.1s/INSTALL
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/INSTALL
|
||||||
|
+++ openssl-1.1.1s/INSTALL
|
||||||
|
@@ -296,7 +296,7 @@
|
||||||
|
be undesirable if small executable size is an objective.
|
||||||
|
|
||||||
|
no-autoload-config
|
||||||
|
- Don't automatically load the default openssl.cnf file.
|
||||||
|
+ Don't automatically load the default openssl-1_1.cnf file.
|
||||||
|
Typically OpenSSL will automatically load a system config
|
||||||
|
file which configures default ssl options.
|
||||||
|
|
||||||
|
Index: openssl-1.1.1s/NEWS
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/NEWS
|
||||||
|
+++ openssl-1.1.1s/NEWS
|
||||||
|
@@ -5,6 +5,9 @@
|
||||||
|
This file gives a brief overview of the major changes between each OpenSSL
|
||||||
|
release. For more details please read the CHANGES file.
|
||||||
|
|
||||||
|
+ IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master
|
||||||
|
+ configuration file openssl.cnf has been renamed to openssl-1_1.cnf.
|
||||||
|
+
|
||||||
|
Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022]
|
||||||
|
|
||||||
|
o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the
|
||||||
|
Index: openssl-1.1.1s/doc/HOWTO/certificates.txt
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/HOWTO/certificates.txt
|
||||||
|
+++ openssl-1.1.1s/doc/HOWTO/certificates.txt
|
||||||
|
@@ -16,7 +16,7 @@ Certificate authorities should read http
|
||||||
|
In all the cases shown below, the standard configuration file, as
|
||||||
|
compiled into openssl, will be used. You may find it in /etc/,
|
||||||
|
/usr/local/ssl/ or somewhere else. By default the file is named
|
||||||
|
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
|
||||||
|
+openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html.
|
||||||
|
You can specify a different configuration file using the
|
||||||
|
'-config {file}' argument with the commands shown below.
|
||||||
|
|
||||||
|
Index: openssl-1.1.1s/doc/man3/OPENSSL_config.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man3/OPENSSL_config.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man3/OPENSSL_config.pod
|
||||||
|
@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
|
||||||
|
+OPENSSL_config() configures OpenSSL using the standard B<openssl-1_1.cnf> and
|
||||||
|
reads from the application section B<appname>. If B<appname> is NULL then
|
||||||
|
the default section, B<openssl_conf>, will be used.
|
||||||
|
Errors are silently ignored.
|
||||||
|
Index: openssl-1.1.1s/doc/man5/config.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man5/config.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man5/config.pod
|
||||||
|
@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
The OpenSSL CONF library can be used to read configuration files.
|
||||||
|
-It is used for the OpenSSL master configuration file B<openssl.cnf>
|
||||||
|
+It is used for the OpenSSL master configuration file B<openssl-1_1.cnf>
|
||||||
|
and in a few other places like B<SPKAC> files and certificate extension
|
||||||
|
files for the B<x509> utility. OpenSSL applications can also use the
|
||||||
|
CONF library for their own purposes.
|
||||||
|
Index: openssl-1.1.1s/include/internal/cryptlib.h
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/include/internal/cryptlib.h
|
||||||
|
+++ openssl-1.1.1s/include/internal/cryptlib.h
|
||||||
|
@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO;
|
||||||
|
typedef struct mem_st MEM;
|
||||||
|
DEFINE_LHASH_OF(MEM);
|
||||||
|
|
||||||
|
-# define OPENSSL_CONF "openssl.cnf"
|
||||||
|
+# define OPENSSL_CONF "openssl-1_1.cnf"
|
||||||
|
|
||||||
|
# ifndef OPENSSL_SYS_VMS
|
||||||
|
# define X509_CERT_AREA OPENSSLDIR
|
||||||
|
Index: openssl-1.1.1s/Configurations/descrip.mms.tmpl
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/Configurations/descrip.mms.tmpl
|
||||||
|
+++ openssl-1.1.1s/Configurations/descrip.mms.tmpl
|
||||||
|
@@ -140,8 +140,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\
|
||||||
|
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -}
|
||||||
|
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -}
|
||||||
|
{- output_off() if $disabled{apps}; "" -}
|
||||||
|
-BIN_SCRIPTS=[.tools]c_rehash.pl
|
||||||
|
-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl
|
||||||
|
+BIN_SCRIPTS=[.tools]c_rehash-1_1.pl
|
||||||
|
+MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl
|
||||||
|
{- output_on() if $disabled{apps}; "" -}
|
||||||
|
|
||||||
|
APPS_OPENSSL={- use File::Spec::Functions;
|
||||||
|
Index: openssl-1.1.1s/VMS/openssl_utils.com.in
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/VMS/openssl_utils.com.in
|
||||||
|
+++ openssl-1.1.1s/VMS/openssl_utils.com.in
|
||||||
|
@@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v'
|
||||||
|
$
|
||||||
|
$ IF F$TYPE(PERL) .EQS. "STRING"
|
||||||
|
$ THEN
|
||||||
|
-$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash.pl
|
||||||
|
+$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash-1_1.pl
|
||||||
|
$ ELSE
|
||||||
|
$ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH"
|
||||||
|
$ ENDIF
|
||||||
|
Index: openssl-1.1.1s/apps/CA.pl.in
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/apps/CA.pl.in
|
||||||
|
+++ openssl-1.1.1s/apps/CA.pl.in
|
||||||
|
@@ -113,10 +113,10 @@ sub run
|
||||||
|
|
||||||
|
|
||||||
|
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
|
||||||
|
- print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
|
||||||
|
- print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
|
||||||
|
- print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
|
||||||
|
- print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
|
||||||
|
+ print STDERR "usage: CA-1_1.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
|
||||||
|
+ print STDERR " CA-1_1.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
|
||||||
|
+ print STDERR " CA-1_1.pl -verify [-extra-verify extra-params] certfile ...\n";
|
||||||
|
+ print STDERR " CA-1_1.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
if ($WHAT eq '-newcert' ) {
|
||||||
|
Index: openssl-1.1.1s/apps/build.info
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/apps/build.info
|
||||||
|
+++ openssl-1.1.1s/apps/build.info
|
||||||
|
@@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}]
|
||||||
|
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
|
||||||
|
DEPEND[progs.h]=../configdata.pm
|
||||||
|
|
||||||
|
- SCRIPTS=CA.pl tsget.pl
|
||||||
|
- SOURCE[CA.pl]=CA.pl.in
|
||||||
|
- SOURCE[tsget.pl]=tsget.in
|
||||||
|
+ SCRIPTS=CA-1_1.pl tsget-1_1.pl
|
||||||
|
+ SOURCE[CA-1_1.pl]=CA.pl.in
|
||||||
|
+ SOURCE[tsget-1_1.pl]=tsget.in
|
||||||
|
ENDIF
|
||||||
|
Index: openssl-1.1.1s/apps/tsget.in
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/apps/tsget.in
|
||||||
|
+++ openssl-1.1.1s/apps/tsget.in
|
||||||
|
@@ -47,7 +47,7 @@ sub create_curl {
|
||||||
|
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
|
||||||
|
$curl->setopt(CURLOPT_FAILONERROR, 1);
|
||||||
|
$curl->setopt(CURLOPT_USERAGENT,
|
||||||
|
- "OpenTSA tsget.pl/openssl-{- $config{version} -}");
|
||||||
|
+ "OpenTSA tsget-1_1.pl/openssl-{- $config{version} -}");
|
||||||
|
|
||||||
|
# Options for POST method.
|
||||||
|
$curl->setopt(CURLOPT_UPLOAD, 1);
|
||||||
|
Index: openssl-1.1.1s/doc/man1/CA.pl.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man1/CA.pl.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man1/CA.pl.pod
|
||||||
|
@@ -2,16 +2,16 @@
|
||||||
|
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
-CA.pl - friendlier interface for OpenSSL certificate programs
|
||||||
|
+CA-1_1.pl - friendlier interface for OpenSSL certificate programs
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
|
-B<CA.pl>
|
||||||
|
+B<CA-1_1.pl>
|
||||||
|
B<-?> |
|
||||||
|
B<-h> |
|
||||||
|
B<-help>
|
||||||
|
|
||||||
|
-B<CA.pl>
|
||||||
|
+B<CA-1_1.pl>
|
||||||
|
B<-newcert> |
|
||||||
|
B<-newreq> |
|
||||||
|
B<-newreq-nodes> |
|
||||||
|
@@ -23,15 +23,15 @@ B<-crl> |
|
||||||
|
B<-newca>
|
||||||
|
[B<-extra-cmd> extra-params]
|
||||||
|
|
||||||
|
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
|
||||||
|
+B<CA-1_1.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
|
||||||
|
|
||||||
|
-B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
|
||||||
|
+B<CA-1_1.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
|
||||||
|
|
||||||
|
-B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
|
||||||
|
+B<CA-1_1.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-The B<CA.pl> script is a perl script that supplies the relevant command line
|
||||||
|
+The B<CA-1_1.pl> script is a perl script that supplies the relevant command line
|
||||||
|
arguments to the B<openssl> command for some common certificate operations.
|
||||||
|
It is intended to simplify the process of certificate creation and management
|
||||||
|
by the use of some simple options.
|
||||||
|
@@ -136,19 +136,19 @@ Users should consult B<openssl> command
|
||||||
|
|
||||||
|
Create a CA hierarchy:
|
||||||
|
|
||||||
|
- CA.pl -newca
|
||||||
|
+ CA-1_1.pl -newca
|
||||||
|
|
||||||
|
Complete certificate creation example: create a CA, create a request, sign
|
||||||
|
the request and finally create a PKCS#12 file containing it.
|
||||||
|
|
||||||
|
- CA.pl -newca
|
||||||
|
- CA.pl -newreq
|
||||||
|
- CA.pl -sign
|
||||||
|
- CA.pl -pkcs12 "My Test Certificate"
|
||||||
|
+ CA-1_1.pl -newca
|
||||||
|
+ CA-1_1.pl -newreq
|
||||||
|
+ CA-1_1.pl -sign
|
||||||
|
+ CA-1_1.pl -pkcs12 "My Test Certificate"
|
||||||
|
|
||||||
|
=head1 DSA CERTIFICATES
|
||||||
|
|
||||||
|
-Although the B<CA.pl> creates RSA CAs and requests it is still possible to
|
||||||
|
+Although the B<CA-1_1.pl> creates RSA CAs and requests it is still possible to
|
||||||
|
use it with DSA certificates and requests using the L<req(1)> command
|
||||||
|
directly. The following example shows the steps that would typically be taken.
|
||||||
|
|
||||||
|
@@ -162,7 +162,7 @@ Create a DSA CA certificate and private
|
||||||
|
|
||||||
|
Create the CA directories and files:
|
||||||
|
|
||||||
|
- CA.pl -newca
|
||||||
|
+ CA-1_1.pl -newca
|
||||||
|
|
||||||
|
enter cacert.pem when prompted for the CA filename.
|
||||||
|
|
||||||
|
@@ -173,22 +173,22 @@ can optionally be created first):
|
||||||
|
|
||||||
|
Sign the request:
|
||||||
|
|
||||||
|
- CA.pl -sign
|
||||||
|
+ CA-1_1.pl -sign
|
||||||
|
|
||||||
|
=head1 NOTES
|
||||||
|
|
||||||
|
-Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
|
||||||
|
+Most of the filenames mentioned can be modified by editing the B<CA-1_1.pl> script.
|
||||||
|
|
||||||
|
If the demoCA directory already exists then the B<-newca> command will not
|
||||||
|
overwrite it and will do nothing. This can happen if a previous call using
|
||||||
|
the B<-newca> option terminated abnormally. To get the correct behaviour
|
||||||
|
delete the demoCA directory if it already exists.
|
||||||
|
|
||||||
|
-Under some environments it may not be possible to run the B<CA.pl> script
|
||||||
|
+Under some environments it may not be possible to run the B<CA-1_1.pl> script
|
||||||
|
directly (for example Win32) and the default configuration file location may
|
||||||
|
be wrong. In this case the command:
|
||||||
|
|
||||||
|
- perl -S CA.pl
|
||||||
|
+ perl -S CA-1_1.pl
|
||||||
|
|
||||||
|
can be used and the B<OPENSSL_CONF> environment variable changed to point to
|
||||||
|
the correct path of the configuration file.
|
||||||
|
Index: openssl-1.1.1s/doc/man1/ca.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man1/ca.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man1/ca.pod
|
||||||
|
@@ -698,7 +698,7 @@ the database has to be kept in memory.
|
||||||
|
The B<ca> command really needs rewriting or the required functionality
|
||||||
|
exposed at either a command or interface level so a more friendly utility
|
||||||
|
(perl script or GUI) can handle things properly. The script
|
||||||
|
-B<CA.pl> helps a little but not very much.
|
||||||
|
+B<CA-1_1.pl> helps a little but not very much.
|
||||||
|
|
||||||
|
Any fields in a request that are not present in a policy are silently
|
||||||
|
deleted. This does not happen if the B<-preserveDN> option is used. To
|
||||||
|
@@ -754,7 +754,7 @@ are in year 2050 or later.
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
-L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
|
||||||
|
+L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA-1_1.pl(1)>,
|
||||||
|
L<config(5)>, L<x509v3_config(5)>
|
||||||
|
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
Index: openssl-1.1.1s/doc/man1/rehash.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man1/rehash.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man1/rehash.pod
|
||||||
|
@@ -6,7 +6,7 @@ Original text by James Westby, contribut
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
openssl-c_rehash, openssl-rehash,
|
||||||
|
-c_rehash, rehash - Create symbolic links to files named by the hash values
|
||||||
|
+c_rehash-1_1, rehash - Create symbolic links to files named by the hash values
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
|
@@ -19,13 +19,13 @@ B<[-n]>
|
||||||
|
B<[-v]>
|
||||||
|
[ I<directory>...]
|
||||||
|
|
||||||
|
-B<c_rehash>
|
||||||
|
+B<c_rehash-1_1>
|
||||||
|
I<flags...>
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-On some platforms, the OpenSSL B<rehash> command is available as
|
||||||
|
-an external script called B<c_rehash>. They are functionally equivalent,
|
||||||
|
+On some platforms, the OpenSSL B<rehash-1_1> command is available as
|
||||||
|
+an external script called B<c_rehash-1_1>. They are functionally equivalent,
|
||||||
|
except for minor differences noted below.
|
||||||
|
|
||||||
|
B<rehash> scans directories and calculates a hash value of each
|
||||||
|
@@ -66,7 +66,7 @@ more than one such object appears in the
|
||||||
|
|
||||||
|
=head2 Script Configuration
|
||||||
|
|
||||||
|
-The B<c_rehash> script
|
||||||
|
+The B<c_rehash-1_1> script
|
||||||
|
uses the B<openssl> program to compute the hashes and
|
||||||
|
fingerprints. If not found in the user's B<PATH>, then set the
|
||||||
|
B<OPENSSL> environment variable to the full pathname.
|
||||||
|
Index: openssl-1.1.1s/doc/man1/tsget.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man1/tsget.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man1/tsget.pod
|
||||||
|
@@ -35,7 +35,7 @@ line.
|
||||||
|
The tool sends the following HTTP request for each timestamp request:
|
||||||
|
|
||||||
|
POST url HTTP/1.1
|
||||||
|
- User-Agent: OpenTSA tsget.pl/<version>
|
||||||
|
+ User-Agent: OpenTSA tsget-1_1.pl/<version>
|
||||||
|
Host: <host>:<port>
|
||||||
|
Pragma: no-cache
|
||||||
|
Content-Type: application/timestamp-query
|
||||||
|
@@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must
|
||||||
|
=item B<-P> CA_path
|
||||||
|
|
||||||
|
(HTTPS) The path containing the trusted CA certificates to verify the peer's
|
||||||
|
-certificate. The directory must be prepared with the B<c_rehash>
|
||||||
|
+certificate. The directory must be prepared with the B<c_rehash-1_1>
|
||||||
|
OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
|
||||||
|
HTTPS. (Optional)
|
||||||
|
|
||||||
|
Index: openssl-1.1.1s/doc/man1/verify.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man1/verify.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man1/verify.pod
|
||||||
|
@@ -75,7 +75,7 @@ The file should contain one or more cert
|
||||||
|
A directory of trusted certificates. The certificates should have names
|
||||||
|
of the form: hash.0 or have symbolic links to them of this
|
||||||
|
form ("hash" is the hashed certificate subject name: see the B<-hash> option
|
||||||
|
-of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
|
||||||
|
+of the B<x509> utility). Under Unix the B<c_rehash-1_1> script will automatically
|
||||||
|
create symbolic links to a directory of certificates.
|
||||||
|
|
||||||
|
=item B<-no-CAfile>
|
||||||
|
Index: openssl-1.1.1s/doc/man1/x509.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man1/x509.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man1/x509.pod
|
||||||
|
@@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec
|
||||||
|
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
|
||||||
|
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
|
||||||
|
canonical version of the DN using SHA1. This means that any directories using
|
||||||
|
-the old form must have their links rebuilt using B<c_rehash> or similar.
|
||||||
|
+the old form must have their links rebuilt using B<c_rehash-1_1> or similar.
|
||||||
|
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
Index: openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/doc/man3/SSL_CTX_load_verify_locations.pod
|
||||||
|
+++ openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod
|
||||||
|
@@ -63,7 +63,7 @@ If more than one CA certificate with the
|
||||||
|
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
|
||||||
|
is performed in the ordering of the extension number, regardless of other
|
||||||
|
properties of the certificates.
|
||||||
|
-Use the B<c_rehash> utility to create the necessary links.
|
||||||
|
+Use the B<c_rehash-1_1> utility to create the necessary links.
|
||||||
|
|
||||||
|
The certificates in B<CApath> are only looked up when required, e.g. when
|
||||||
|
building the certificate chain or when actually performing the verification
|
||||||
|
@@ -137,7 +137,7 @@ Prepare the directory /some/where/certs
|
||||||
|
for use as B<CApath>:
|
||||||
|
|
||||||
|
cd /some/where/certs
|
||||||
|
- c_rehash .
|
||||||
|
+ c_rehash-1_1 .
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
Index: openssl-1.1.1s/test/recipes/80-test_ca.t
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/test/recipes/80-test_ca.t
|
||||||
|
+++ openssl-1.1.1s/test/recipes/80-test_ca.t
|
||||||
|
@@ -27,27 +27,27 @@ plan tests => 5;
|
||||||
|
SKIP: {
|
||||||
|
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
|
||||||
|
skip "failed creating CA structure", 4
|
||||||
|
- if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
|
||||||
|
+ if !ok(run(perlapp(["CA-1_1.pl","-newca"], stdin => undef)),
|
||||||
|
'creating CA structure');
|
||||||
|
|
||||||
|
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
|
||||||
|
skip "failed creating new certificate request", 3
|
||||||
|
- if !ok(run(perlapp(["CA.pl","-newreq"])),
|
||||||
|
+ if !ok(run(perlapp(["CA-1_1.pl","-newreq"])),
|
||||||
|
'creating certificate request');
|
||||||
|
|
||||||
|
$ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"';
|
||||||
|
skip "failed to sign certificate request", 2
|
||||||
|
- if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
|
||||||
|
+ if !is(yes(cmdstr(perlapp(["CA-1_1.pl", "-sign"]))), 0,
|
||||||
|
'signing certificate request');
|
||||||
|
|
||||||
|
- ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
|
||||||
|
+ ok(run(perlapp(["CA-1_1.pl", "-verify", "newcert.pem"])),
|
||||||
|
'verifying new certificate');
|
||||||
|
|
||||||
|
skip "CT not configured, can't use -precert", 1
|
||||||
|
if disabled("ct");
|
||||||
|
|
||||||
|
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
|
||||||
|
- ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
|
||||||
|
+ ok(run(perlapp(["CA-1_1.pl", "-precert"], stderr => undef)),
|
||||||
|
'creating new pre-certificate');
|
||||||
|
}
|
||||||
|
|
||||||
|
Index: openssl-1.1.1s/tools/build.info
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/tools/build.info
|
||||||
|
+++ openssl-1.1.1s/tools/build.info
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
{- our $c_rehash_name =
|
||||||
|
- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash";
|
||||||
|
+ $config{target} =~ /^(VC|vms)-/ ? "c_rehash-1_1.pl" : "c_rehash-1_1";
|
||||||
|
"" -}
|
||||||
|
IF[{- !$disabled{apps} -}]
|
||||||
|
SCRIPTS={- $c_rehash_name -}
|
||||||
|
Index: openssl-1.1.1s/tools/c_rehash.in
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1s.orig/tools/c_rehash.in
|
||||||
|
+++ openssl-1.1.1s/tools/c_rehash.in
|
||||||
|
@@ -8,7 +8,7 @@
|
||||||
|
# in the file LICENSE in the source distribution or at
|
||||||
|
# https://www.openssl.org/source/license.html
|
||||||
|
|
||||||
|
-# Perl c_rehash script, scan all files in a directory
|
||||||
|
+# Perl c_rehash-1_1 script, scan all files in a directory
|
||||||
|
# and add symbolic links to their hash values.
|
||||||
|
|
||||||
|
my $dir = {- quotify1($config{openssldir}) -};
|
||||||
|
@@ -44,7 +44,7 @@ while ( $ARGV[0] =~ /^-/ ) {
|
||||||
|
}
|
||||||
|
|
||||||
|
sub help {
|
||||||
|
- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
|
||||||
|
+ print "Usage: c_rehash-1_1 [-old] [-h] [-help] [-v] [dirs...]\n";
|
||||||
|
print " -old use old-style digest\n";
|
||||||
|
print " -h or -help print this help text\n";
|
||||||
|
print " -v print files removed and linked\n";
|
||||||
|
@@ -73,7 +73,7 @@ if (! -x $openssl) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ($found == 0) {
|
||||||
|
- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
|
||||||
|
+ print STDERR "c_rehash-1_1: rehashing skipped ('openssl-1_1' program not available)\n";
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
}
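Review bot: The `OPENSSL_CONF` change in include/internal/cryptlib.h makes every program linked against this library load `openssl-1_1.cnf` by default, so settings an administrator already keeps in `openssl.cnf` (such as default protocol or cipher restrictions and engine sections) stop applying to 1.1 consumers without any error. The install_ssldirs hunk only copies the pristine `apps/openssl-1_1.cnf` when the target is absent, and no hunk visible here carries an existing `openssl.cnf` over. The NEWS entry should say so, for example `Local changes to openssl.cnf are not read by this version; copy them to openssl-1_1.cnf.` Separately, the recipes read `$(SRCDIR)/apps/openssl-1_1.cnf` but the patch contains no hunk that creates that file, so the rename presumably happens in the spec's build steps, which are not shown on this page and should be confirmed.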
|
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 14 12:56:06 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Set OpenSSL 3.0 as the default openssl [bsc#1205042]
|
||||||
|
* For compatibility with OpenSSL 3.0, the OpenSSL master
|
||||||
|
configuration file openssl.cnf has been renamed to
|
||||||
|
openssl-1_1.cnf. The executables openssl, c_rehash, CA.pl and
|
||||||
|
tsget.pl have been also renamed to openssl-1_1, c_rehash-1_1,
|
||||||
|
CA-1_1.pl and tsget-1_1.pl, respectively.
|
||||||
|
* Add openssl-1_1-devel as conflicting with libopenssl-3-devel
|
||||||
|
* Add openssl-1_1-openssl-config.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Dec 14 09:04:40 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
|
Wed Dec 14 09:04:40 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package openssl-1_1
|
# spec file for package openssl-1_1
|
||||||
#
|
#
|
||||||
# Copyright (c) 2022 SUSE LLC
|
# Copyright (c) 2023 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -40,7 +40,7 @@
|
|||||||
%define maj_min 1.1
|
%define maj_min 1.1
|
||||||
%define _rname openssl
|
%define _rname openssl
|
||||||
Name: openssl-1_1
|
Name: openssl-1_1
|
||||||
# Don't forget to update the version in the "openssl" package!
|
# Don't forget to update the version in the "openssl" meta-package!
|
||||||
Version: 1.1.1s
|
Version: 1.1.1s
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Sockets and Transport Layer Security
|
Summary: Secure Sockets and Transport Layer Security
|
||||||
@ -130,16 +130,14 @@ Patch76: openssl-1_1-Fixed-counter-overflow.patch
|
|||||||
Patch77: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
|
Patch77: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
|
||||||
Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
|
Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
|
||||||
Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
|
Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
|
||||||
|
#PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl
|
||||||
Requires: libopenssl1_1 = %{version}-%{release}
|
Patch80: openssl-1_1-openssl-config.patch
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: pkgconfig(zlib)
|
BuildRequires: pkgconfig(zlib)
|
||||||
|
Requires: libopenssl1_1 = %{version}-%{release}
|
||||||
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
||||||
Requires: crypto-policies
|
Requires: crypto-policies
|
||||||
%endif
|
%endif
|
||||||
Conflicts: ssl
|
|
||||||
Provides: ssl
|
|
||||||
Provides: openssl(cli)
|
|
||||||
# Needed for clean upgrade path, boo#1070003
|
# Needed for clean upgrade path, boo#1070003
|
||||||
Obsoletes: openssl-1_0_0
|
Obsoletes: openssl-1_0_0
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||||
@ -178,11 +176,9 @@ Group: Development/Libraries/C and C++
|
|||||||
Requires: libopenssl1_1 = %{version}
|
Requires: libopenssl1_1 = %{version}
|
||||||
Requires: pkgconfig(zlib)
|
Requires: pkgconfig(zlib)
|
||||||
Recommends: %{name} = %{version}
|
Recommends: %{name} = %{version}
|
||||||
# we need to have around only the exact version we are able to operate with
|
|
||||||
Conflicts: libopenssl-devel < %{version}
|
|
||||||
Conflicts: libopenssl-devel > %{version}
|
|
||||||
Conflicts: ssl-devel
|
Conflicts: ssl-devel
|
||||||
Provides: ssl-devel
|
# Conflicting names with libopenssl-3-devel
|
||||||
|
Conflicts: libopenssl-3-devel
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
||||||
Obsoletes: libopenssl-1_1_0-devel
|
Obsoletes: libopenssl-1_1_0-devel
|
||||||
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
||||||
@ -222,6 +218,8 @@ this package's base documentation.
|
|||||||
%prep
|
%prep
|
||||||
%autosetup -p1 -n %{_rname}-%{version}
|
%autosetup -p1 -n %{_rname}-%{version}
|
||||||
|
|
||||||
|
cp apps/openssl.cnf apps/openssl-1_1.cnf
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%ifarch armv5el armv5tel
|
%ifarch armv5el armv5tel
|
||||||
export MACHINE=armv5el
|
export MACHINE=armv5el
|
||||||
@ -306,9 +304,19 @@ cp %{tar_package_name} %{_other}
|
|||||||
%make_install %{?_smp_mflags}
|
%make_install %{?_smp_mflags}
|
||||||
# kill static libs
|
# kill static libs
|
||||||
rm -f %{buildroot}%{_libdir}/lib*.a
|
rm -f %{buildroot}%{_libdir}/lib*.a
|
||||||
|
|
||||||
|
# Rename the openssl CLI to openssl-1_1
|
||||||
|
mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/openssl-1_1
|
||||||
|
|
||||||
|
# Install the openssl-1_1.cnf config file
|
||||||
|
install -m 644 apps/openssl-1_1.cnf %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf
|
||||||
|
|
||||||
# remove the cnf.dist
|
# remove the cnf.dist
|
||||||
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
|
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf.dist
|
||||||
|
rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf
|
||||||
|
rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf.dist
|
||||||
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
||||||
|
|
||||||
mkdir %{buildroot}/%{_datadir}/ssl
|
mkdir %{buildroot}/%{_datadir}/ssl
|
||||||
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
||||||
# Create the two directories into which packages will drop their configuration
|
# Create the two directories into which packages will drop their configuration
|
||||||
@ -410,17 +418,14 @@ unset LD_LIBRARY_PATH
|
|||||||
%files -f filelist
|
%files -f filelist
|
||||||
%doc CHANGE* NEWS README
|
%doc CHANGE* NEWS README
|
||||||
%dir %{ssletcdir}
|
%dir %{ssletcdir}
|
||||||
%config (noreplace) %{ssletcdir}/openssl.cnf
|
%config (noreplace) %{ssletcdir}/openssl-1_1.cnf
|
||||||
%attr(700,root,root) %{ssletcdir}/private
|
%attr(700,root,root) %{ssletcdir}/private
|
||||||
%dir %{ssletcdir}/engines.d
|
%dir %{ssletcdir}/engines.d
|
||||||
%dir %{ssletcdir}/engdef.d
|
%dir %{ssletcdir}/engdef.d
|
||||||
%{ssletcdir}/ct_log_list.cnf
|
|
||||||
%{ssletcdir}/ct_log_list.cnf.dist
|
|
||||||
|
|
||||||
%dir %{_datadir}/ssl
|
%dir %{_datadir}/ssl
|
||||||
%{_datadir}/ssl/misc
|
%{_datadir}/ssl/misc
|
||||||
%{_bindir}/c_rehash
|
%{_bindir}/c_rehash-1_1
|
||||||
%{_bindir}/fips_standalone_hmac
|
%{_bindir}/fips_standalone_hmac
|
||||||
%{_bindir}/%{_rname}
|
%{_bindir}/openssl-1_1
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
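Review bot: The `%files` hunk swaps `%config (noreplace) %{ssletcdir}/openssl.cnf` for `%{ssletcdir}/openssl-1_1.cnf`, but none of the visible hunks carries an administrator's edits from the old file over to the new one or tells them to do so. If the 1.1.1 library reads only the renamed file after this change (the patch that decides this is not part of this section), protocol, cipher or engine restrictions set locally in `openssl.cnf` would stop applying to programs still linked against libopenssl1_1, and nothing would report it. I would at least record this above the install step, e.g. `# NOTE: local changes to openssl.cnf are not migrated; re-apply them to openssl-1_1.cnf`, and say the same in the changelog entry. The spec has scriptlet sections outside these hunks, so a migration may already exist there.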