Accepting request 960455 from home:pmonrealgonzalez:branches:security:tls
- Security fix: [bsc#1192820, CVE-2002-20001]
* Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
remote attackers (from the client side) to send arbitrary
numbers that are actually not public keys, and trigger
expensive server-side DHE calculation.
* Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
* Rebase openssl-DEFAULT_SUSE_cipher.patch
- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187]
* In an INI-type file, the sections begin with a [section_name]
and they run until the next section begins.
* Rebase openssl-1_1-use-include-directive.patch
OBS-URL: https://build.opensuse.org/request/show/960455
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=107
This commit is contained in:
Git OBS Bridge
parent
66f0a2e283
commit
8cce2e6a14
@ -1,26 +1,29 @@
|
||||
--- a/apps/openssl.cnf 2021-08-24 09:38:47.000000000 -0400
|
||||
+++ b/apps/openssl.cnf 2021-12-06 17:13:34.549291242 -0500
|
||||
@@ -11,9 +11,23 @@
|
||||
Index: openssl-1.1.1m/apps/openssl.cnf
|
||||
===================================================================
|
||||
--- openssl-1.1.1m.orig/apps/openssl.cnf
|
||||
+++ openssl-1.1.1m/apps/openssl.cnf
|
||||
@@ -11,6 +11,24 @@
|
||||
# defined.
|
||||
HOME = .
|
||||
|
||||
+openssl_conf = openssl_init
|
||||
+openssl_conf = openssl_init
|
||||
+
|
||||
+[openssl_init]
|
||||
+[ openssl_init ]
|
||||
+
|
||||
+engines = engine_section
|
||||
+
|
||||
+[ engine_section ]
|
||||
+
|
||||
+# This include will look through the directory that will contain the
|
||||
+# engine declarations for any engines provided by other packages.
|
||||
+.include /etc/ssl/engines.d
|
||||
+
|
||||
+# This include will look through the directory that will contain the
|
||||
+# definitions of the engines declared in the engine section.
|
||||
+.include /etc/ssl/engdef.d
|
||||
+
|
||||
+[ oid_section ]
|
||||
+
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
oid_section = new_oids
|
||||
+engines = engine_section
|
||||
+
|
||||
+# This include will look through the directory that will contain the
|
||||
+# engine declarations for any engines provided by other packages.
|
||||
+[engine_section]
|
||||
+.include /etc/ssl/engines.d/
|
||||
+
|
||||
+# This include will look through the directory that will contain the
|
||||
+# definitions of the engines declared in the engine section.
|
||||
+.include /etc/ssl/engdef.d/
|
||||
|
||||
# To use this configuration file with the "-extfile" option of the
|
||||
# "openssl x509" utility, name here the section containing the
|
||||
|
||||
@ -1,3 +1,22 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 4 13:11:14 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Security fix: [bsc#1192820, CVE-2002-20001]
|
||||
* Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
|
||||
remote attackers (from the client side) to send arbitrary
|
||||
numbers that are actually not public keys, and trigger
|
||||
expensive server-side DHE calculation.
|
||||
* Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
|
||||
* Rebase openssl-DEFAULT_SUSE_cipher.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 22 17:35:53 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187]
|
||||
* In an INI-type file, the sections begin with a [section_name]
|
||||
and they run until the next section begins.
|
||||
* Rebase openssl-1_1-use-include-directive.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 11 12:32:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
|
||||
@ -22,14 +22,13 @@ Index: openssl-1.1.1/include/openssl/ssl.h
|
||||
===================================================================
|
||||
--- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200
|
||||
+++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200
|
||||
@@ -171,6 +171,11 @@ extern "C" {
|
||||
@@ -171,6 +171,10 @@ extern "C" {
|
||||
* This applies to ciphersuites for TLSv1.2 and below.
|
||||
*/
|
||||
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
|
||||
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
|
||||
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
|
||||
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
|
||||
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
|
||||
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
|
||||
/* This is the default set of TLSv1.3 ciphersuites */
|
||||
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user