diff --git a/openssl-1_1-use-include-directive.patch b/openssl-1_1-use-include-directive.patch index cc1e0c4..a026e67 100644 --- a/openssl-1_1-use-include-directive.patch +++ b/openssl-1_1-use-include-directive.patch @@ -1,26 +1,29 @@ ---- a/apps/openssl.cnf 2021-08-24 09:38:47.000000000 -0400 -+++ b/apps/openssl.cnf 2021-12-06 17:13:34.549291242 -0500 -@@ -11,9 +11,23 @@ +Index: openssl-1.1.1m/apps/openssl.cnf +=================================================================== +--- openssl-1.1.1m.orig/apps/openssl.cnf ++++ openssl-1.1.1m/apps/openssl.cnf +@@ -11,6 +11,24 @@ # defined. HOME = . -+openssl_conf = openssl_init ++openssl_conf = openssl_init + -+[openssl_init] ++[ openssl_init ] ++ ++engines = engine_section ++ ++[ engine_section ] ++ ++# This include will look through the directory that will contain the ++# engine declarations for any engines provided by other packages. ++.include /etc/ssl/engines.d ++ ++# This include will look through the directory that will contain the ++# definitions of the engines declared in the engine section. ++.include /etc/ssl/engdef.d ++ ++[ oid_section ] + # Extra OBJECT IDENTIFIER info: #oid_file = $ENV::HOME/.oid oid_section = new_oids -+engines = engine_section -+ -+# This include will look through the directory that will contain the -+# engine declarations for any engines provided by other packages. -+[engine_section] -+.include /etc/ssl/engines.d/ -+ -+# This include will look through the directory that will contain the -+# definitions of the engines declared in the engine section. -+.include /etc/ssl/engdef.d/ - - # To use this configuration file with the "-extfile" option of the - # "openssl x509" utility, name here the section containing the diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 3538683..ad423d7 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes 
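Review bot: `oid_section = new_oids` is moved under the newly added `[ oid_section ]` heading, so it no longer lives in the unnamed default section, and nothing in the hunk refers to a section by that name. Unless I am misreading how 1.1.1 resolves it, the apps look the `oid_section` key up in the default section and the library's OID config module looks for it inside the section named by `openssl_conf` (here `[ openssl_init ]`), so after this rebase the `new_oids` definitions may silently stop being registered. Consider keeping `oid_section = new_oids` above `[ openssl_init ]` in the default section and, if the OIDs should also load through the init path, adding `oid_section = new_oids` next to `engines = engine_section`. Separately, the comment above the first `.include` could say that every file placed in that directory is parsed whenever this config is loaded, so the directory's ownership and mode deserve the same care as the files' contents.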
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Fri Mar 4 13:11:14 UTC 2022 - Pedro Monreal + +- Security fix: [bsc#1192820, CVE-2002-20001] + * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows + remote attackers (from the client side) to send arbitrary + numbers that are actually not public keys, and trigger + expensive server-side DHE calculation. + * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST + * Rebase openssl-DEFAULT_SUSE_cipher.patch + +------------------------------------------------------------------- +Tue Feb 22 17:35:53 UTC 2022 - Pedro Monreal + +- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187] + * In an INI-type file, the sections begin with a [section_name] + and they run until the next section begins. + * Rebase openssl-1_1-use-include-directive.patch + ------------------------------------------------------------------- Fri Feb 11 12:32:11 UTC 2022 - Pedro Monreal diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch index 769929d..46745b2 100644 --- a/openssl-DEFAULT_SUSE_cipher.patch +++ b/openssl-DEFAULT_SUSE_cipher.patch 
@@ -22,14 +22,13 @@ Index: openssl-1.1.1/include/openssl/ssl.h =================================================================== --- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200 +++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200 -@@ -171,6 +171,11 @@ extern "C" { +@@ -171,6 +171,10 @@ extern "C" { * This applies to ciphersuites for TLSv1.2 and below. */ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" +# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ + "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ -+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
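Review bot: The new `SSL_DEFAULT_SUSE_CIPHER_LIST` carries no comment explaining why every DHE-* suite is gone while the ECDHE and plain-RSA entries remain, so a later maintainer comparing it with upstream `SSL_DEFAULT_CIPHER_LIST` may read the gap as an oversight and add them back. A short comment in the patched ssl.h directly above the define, e.g. `/* No DHE-* suites: clients without ECDHE fall back to RSA key exchange instead of a client-driven DHE computation (CVE-2002-20001, bsc#1192820). */`, would pin the intent. It is also worth noting there that the trailing RSA fallback entries (`AES256-GCM-SHA384` through `CAMELLIA128-SHA`) provide no forward secrecy, since accepting that for non-ECDHE clients is the trade-off this change makes.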