Pedro Monreal Gonzalez
f8ec18178a
- Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
557 lines
23 KiB
Diff
557 lines
23 KiB
Diff
---
|
|
Configurations/descrip.mms.tmpl | 4 +--
|
|
Configurations/unix-Makefile.tmpl | 22 ++++++++---------
|
|
Configure | 2 -
|
|
INSTALL | 2 -
|
|
NEWS | 3 ++
|
|
VMS/openssl_utils.com.in | 2 -
|
|
apps/CA.pl.in | 8 +++---
|
|
apps/build.info | 6 ++--
|
|
apps/tsget.in | 2 -
|
|
doc/HOWTO/certificates.txt | 2 -
|
|
doc/man1/CA.pl.pod | 36 ++++++++++++++---------------
|
|
doc/man1/ca.pod | 4 +--
|
|
doc/man1/rehash.pod | 10 ++++----
|
|
doc/man1/tsget.pod | 4 +--
|
|
doc/man1/verify.pod | 2 -
|
|
doc/man1/x509.pod | 2 -
|
|
doc/man3/OPENSSL_config.pod | 2 -
|
|
doc/man3/SSL_CTX_load_verify_locations.pod | 4 +--
|
|
doc/man5/config.pod | 2 -
|
|
include/internal/cryptlib.h | 2 -
|
|
test/recipes/80-test_ca.t | 10 ++++----
|
|
tools/build.info | 2 -
|
|
tools/c_rehash.in | 6 ++--
|
|
23 files changed, 71 insertions(+), 68 deletions(-)
|
|
|
|
Index: openssl-1.1.1v/Configurations/descrip.mms.tmpl
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/Configurations/descrip.mms.tmpl
|
|
+++ openssl-1.1.1v/Configurations/descrip.mms.tmpl
|
|
@@ -142,8 +142,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\
|
|
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -}
|
|
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -}
|
|
{- output_off() if $disabled{apps}; "" -}
|
|
-BIN_SCRIPTS=[.tools]c_rehash.pl
|
|
-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl
|
|
+BIN_SCRIPTS=[.tools]c_rehash-1_1.pl
|
|
+MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl
|
|
{- output_on() if $disabled{apps}; "" -}
|
|
|
|
APPS_OPENSSL={- use File::Spec::Functions;
|
|
Index: openssl-1.1.1v/Configurations/unix-Makefile.tmpl
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/Configurations/unix-Makefile.tmpl
|
|
+++ openssl-1.1.1v/Configurations/unix-Makefile.tmpl
|
|
@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\
|
|
INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -}
|
|
INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -}
|
|
{- output_off() if $disabled{apps}; "" -}
|
|
-BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
|
|
-MISC_SCRIPTS=$(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget.pl:tsget
|
|
+BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash-1_1
|
|
+MISC_SCRIPTS=$(BLDDIR)/apps/CA-1_1.pl $(BLDDIR)/apps/tsget-1_1.pl:tsget-1_1
|
|
{- output_on() if $disabled{apps}; "" -}
|
|
|
|
APPS_OPENSSL={- use File::Spec::Functions;
|
|
@@ -579,14 +579,14 @@ install_ssldirs:
|
|
: {- output_on() if windowsdll(); "" -}; \
|
|
fi; \
|
|
done
|
|
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
|
|
- @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
|
|
- @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
|
|
- @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
|
|
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
|
|
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
|
- cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
|
- chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
|
+ @$(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist"
|
|
+ @cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new"
|
|
+ @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new"
|
|
+ @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist"
|
|
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf" ]; then \
|
|
+ $(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
|
|
+ cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
|
|
+ chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
|
|
fi
|
|
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
|
|
@cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
|
|
@@ -870,7 +870,7 @@ lint:
|
|
|
|
generate_apps:
|
|
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
|
|
- < apps/openssl.cnf > apps/openssl-vms.cnf )
|
|
+ < apps/openssl-1_1.cnf > apps/openssl-vms.cnf )
|
|
|
|
generate_crypto_bn:
|
|
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
|
|
Index: openssl-1.1.1v/Configure
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/Configure
|
|
+++ openssl-1.1.1v/Configure
|
|
@@ -35,7 +35,7 @@ my $usage="Usage: Configure [no-<cipher>
|
|
# directories bin, lib, include, share/man, share/doc/openssl
|
|
# This becomes the value of INSTALLTOP in Makefile
|
|
# (Default: /usr/local)
|
|
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
|
|
+# --openssldir OpenSSL data area, such as openssl-1_1.cnf, certificates and keys.
|
|
# If it's a relative directory, it will be added on the directory
|
|
# given with --prefix.
|
|
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
|
Index: openssl-1.1.1v/INSTALL
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/INSTALL
|
|
+++ openssl-1.1.1v/INSTALL
|
|
@@ -296,7 +296,7 @@
|
|
be undesirable if small executable size is an objective.
|
|
|
|
no-autoload-config
|
|
- Don't automatically load the default openssl.cnf file.
|
|
+ Don't automatically load the default openssl-1_1.cnf file.
|
|
Typically OpenSSL will automatically load a system config
|
|
file which configures default ssl options.
|
|
|
|
Index: openssl-1.1.1v/NEWS
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/NEWS
|
|
+++ openssl-1.1.1v/NEWS
|
|
@@ -10,6 +10,9 @@
|
|
o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
|
|
o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
|
|
|
|
+ IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master
|
|
+ configuration file openssl.cnf has been renamed to openssl-1_1.cnf.
|
|
+
|
|
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
|
|
|
|
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
|
|
Index: openssl-1.1.1v/VMS/openssl_utils.com.in
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/VMS/openssl_utils.com.in
|
|
+++ openssl-1.1.1v/VMS/openssl_utils.com.in
|
|
@@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v'
|
|
$
|
|
$ IF F$TYPE(PERL) .EQS. "STRING"
|
|
$ THEN
|
|
-$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash.pl
|
|
+$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash-1_1.pl
|
|
$ ELSE
|
|
$ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH"
|
|
$ ENDIF
|
|
Index: openssl-1.1.1v/apps/CA.pl.in
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/apps/CA.pl.in
|
|
+++ openssl-1.1.1v/apps/CA.pl.in
|
|
@@ -113,10 +113,10 @@ sub run
|
|
|
|
|
|
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
|
|
- print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
|
|
- print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
|
|
- print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
|
|
- print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
|
|
+ print STDERR "usage: CA-1_1.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
|
|
+ print STDERR " CA-1_1.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
|
|
+ print STDERR " CA-1_1.pl -verify [-extra-verify extra-params] certfile ...\n";
|
|
+ print STDERR " CA-1_1.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
|
|
exit 0;
|
|
}
|
|
if ($WHAT eq '-newcert' ) {
|
|
Index: openssl-1.1.1v/apps/build.info
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/apps/build.info
|
|
+++ openssl-1.1.1v/apps/build.info
|
|
@@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}]
|
|
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
|
|
DEPEND[progs.h]=../configdata.pm
|
|
|
|
- SCRIPTS=CA.pl tsget.pl
|
|
- SOURCE[CA.pl]=CA.pl.in
|
|
- SOURCE[tsget.pl]=tsget.in
|
|
+ SCRIPTS=CA-1_1.pl tsget-1_1.pl
|
|
+ SOURCE[CA-1_1.pl]=CA.pl.in
|
|
+ SOURCE[tsget-1_1.pl]=tsget.in
|
|
ENDIF
|
|
Index: openssl-1.1.1v/apps/tsget.in
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/apps/tsget.in
|
|
+++ openssl-1.1.1v/apps/tsget.in
|
|
@@ -47,7 +47,7 @@ sub create_curl {
|
|
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
|
|
$curl->setopt(CURLOPT_FAILONERROR, 1);
|
|
$curl->setopt(CURLOPT_USERAGENT,
|
|
- "OpenTSA tsget.pl/openssl-{- $config{version} -}");
|
|
+ "OpenTSA tsget-1_1.pl/openssl-{- $config{version} -}");
|
|
|
|
# Options for POST method.
|
|
$curl->setopt(CURLOPT_UPLOAD, 1);
|
|
Index: openssl-1.1.1v/doc/HOWTO/certificates.txt
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/HOWTO/certificates.txt
|
|
+++ openssl-1.1.1v/doc/HOWTO/certificates.txt
|
|
@@ -16,7 +16,7 @@ Certificate authorities should read http
|
|
In all the cases shown below, the standard configuration file, as
|
|
compiled into openssl, will be used. You may find it in /etc/,
|
|
/usr/local/ssl/ or somewhere else. By default the file is named
|
|
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
|
|
+openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html.
|
|
You can specify a different configuration file using the
|
|
'-config {file}' argument with the commands shown below.
|
|
|
|
Index: openssl-1.1.1v/doc/man1/CA.pl.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man1/CA.pl.pod
|
|
+++ openssl-1.1.1v/doc/man1/CA.pl.pod
|
|
@@ -2,16 +2,16 @@
|
|
|
|
=head1 NAME
|
|
|
|
-CA.pl - friendlier interface for OpenSSL certificate programs
|
|
+CA-1_1.pl - friendlier interface for OpenSSL certificate programs
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
-B<CA.pl>
|
|
+B<CA-1_1.pl>
|
|
B<-?> |
|
|
B<-h> |
|
|
B<-help>
|
|
|
|
-B<CA.pl>
|
|
+B<CA-1_1.pl>
|
|
B<-newcert> |
|
|
B<-newreq> |
|
|
B<-newreq-nodes> |
|
|
@@ -23,15 +23,15 @@ B<-crl> |
|
|
B<-newca>
|
|
[B<-extra-cmd> extra-params]
|
|
|
|
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
|
|
+B<CA-1_1.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
|
|
|
|
-B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
|
|
+B<CA-1_1.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
|
|
|
|
-B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
|
|
+B<CA-1_1.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
-The B<CA.pl> script is a perl script that supplies the relevant command line
|
|
+The B<CA-1_1.pl> script is a perl script that supplies the relevant command line
|
|
arguments to the B<openssl> command for some common certificate operations.
|
|
It is intended to simplify the process of certificate creation and management
|
|
by the use of some simple options.
|
|
@@ -136,19 +136,19 @@ Users should consult B<openssl> command
|
|
|
|
Create a CA hierarchy:
|
|
|
|
- CA.pl -newca
|
|
+ CA-1_1.pl -newca
|
|
|
|
Complete certificate creation example: create a CA, create a request, sign
|
|
the request and finally create a PKCS#12 file containing it.
|
|
|
|
- CA.pl -newca
|
|
- CA.pl -newreq
|
|
- CA.pl -sign
|
|
- CA.pl -pkcs12 "My Test Certificate"
|
|
+ CA-1_1.pl -newca
|
|
+ CA-1_1.pl -newreq
|
|
+ CA-1_1.pl -sign
|
|
+ CA-1_1.pl -pkcs12 "My Test Certificate"
|
|
|
|
=head1 DSA CERTIFICATES
|
|
|
|
-Although the B<CA.pl> creates RSA CAs and requests it is still possible to
|
|
+Although the B<CA-1_1.pl> creates RSA CAs and requests it is still possible to
|
|
use it with DSA certificates and requests using the L<req(1)> command
|
|
directly. The following example shows the steps that would typically be taken.
|
|
|
|
@@ -162,7 +162,7 @@ Create a DSA CA certificate and private
|
|
|
|
Create the CA directories and files:
|
|
|
|
- CA.pl -newca
|
|
+ CA-1_1.pl -newca
|
|
|
|
enter cacert.pem when prompted for the CA filename.
|
|
|
|
@@ -173,22 +173,22 @@ can optionally be created first):
|
|
|
|
Sign the request:
|
|
|
|
- CA.pl -sign
|
|
+ CA-1_1.pl -sign
|
|
|
|
=head1 NOTES
|
|
|
|
-Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
|
|
+Most of the filenames mentioned can be modified by editing the B<CA-1_1.pl> script.
|
|
|
|
If the demoCA directory already exists then the B<-newca> command will not
|
|
overwrite it and will do nothing. This can happen if a previous call using
|
|
the B<-newca> option terminated abnormally. To get the correct behaviour
|
|
delete the demoCA directory if it already exists.
|
|
|
|
-Under some environments it may not be possible to run the B<CA.pl> script
|
|
+Under some environments it may not be possible to run the B<CA-1_1.pl> script
|
|
directly (for example Win32) and the default configuration file location may
|
|
be wrong. In this case the command:
|
|
|
|
- perl -S CA.pl
|
|
+ perl -S CA-1_1.pl
|
|
|
|
can be used and the B<OPENSSL_CONF> environment variable changed to point to
|
|
the correct path of the configuration file.
|
|
Index: openssl-1.1.1v/doc/man1/ca.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man1/ca.pod
|
|
+++ openssl-1.1.1v/doc/man1/ca.pod
|
|
@@ -698,7 +698,7 @@ the database has to be kept in memory.
|
|
The B<ca> command really needs rewriting or the required functionality
|
|
exposed at either a command or interface level so a more friendly utility
|
|
(perl script or GUI) can handle things properly. The script
|
|
-B<CA.pl> helps a little but not very much.
|
|
+B<CA-1_1.pl> helps a little but not very much.
|
|
|
|
Any fields in a request that are not present in a policy are silently
|
|
deleted. This does not happen if the B<-preserveDN> option is used. To
|
|
@@ -754,7 +754,7 @@ are in year 2050 or later.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
-L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
|
|
+L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA-1_1.pl(1)>,
|
|
L<config(5)>, L<x509v3_config(5)>
|
|
|
|
=head1 COPYRIGHT
|
|
Index: openssl-1.1.1v/doc/man1/rehash.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man1/rehash.pod
|
|
+++ openssl-1.1.1v/doc/man1/rehash.pod
|
|
@@ -6,7 +6,7 @@ Original text by James Westby, contribut
|
|
=head1 NAME
|
|
|
|
openssl-c_rehash, openssl-rehash,
|
|
-c_rehash, rehash - Create symbolic links to files named by the hash values
|
|
+c_rehash-1_1, rehash - Create symbolic links to files named by the hash values
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
@@ -19,13 +19,13 @@ B<[-n]>
|
|
B<[-v]>
|
|
[ I<directory>...]
|
|
|
|
-B<c_rehash>
|
|
+B<c_rehash-1_1>
|
|
I<flags...>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
-On some platforms, the OpenSSL B<rehash> command is available as
|
|
-an external script called B<c_rehash>. They are functionally equivalent,
|
|
+On some platforms, the OpenSSL B<rehash-1_1> command is available as
|
|
+an external script called B<c_rehash-1_1>. They are functionally equivalent,
|
|
except for minor differences noted below.
|
|
|
|
B<rehash> scans directories and calculates a hash value of each
|
|
@@ -66,7 +66,7 @@ more than one such object appears in the
|
|
|
|
=head2 Script Configuration
|
|
|
|
-The B<c_rehash> script
|
|
+The B<c_rehash-1_1> script
|
|
uses the B<openssl> program to compute the hashes and
|
|
fingerprints. If not found in the user's B<PATH>, then set the
|
|
B<OPENSSL> environment variable to the full pathname.
|
|
Index: openssl-1.1.1v/doc/man1/tsget.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man1/tsget.pod
|
|
+++ openssl-1.1.1v/doc/man1/tsget.pod
|
|
@@ -35,7 +35,7 @@ line.
|
|
The tool sends the following HTTP request for each timestamp request:
|
|
|
|
POST url HTTP/1.1
|
|
- User-Agent: OpenTSA tsget.pl/<version>
|
|
+ User-Agent: OpenTSA tsget-1_1.pl/<version>
|
|
Host: <host>:<port>
|
|
Pragma: no-cache
|
|
Content-Type: application/timestamp-query
|
|
@@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must
|
|
=item B<-P> CA_path
|
|
|
|
(HTTPS) The path containing the trusted CA certificates to verify the peer's
|
|
-certificate. The directory must be prepared with the B<c_rehash>
|
|
+certificate. The directory must be prepared with the B<c_rehash-1_1>
|
|
OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
|
|
HTTPS. (Optional)
|
|
|
|
Index: openssl-1.1.1v/doc/man1/verify.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man1/verify.pod
|
|
+++ openssl-1.1.1v/doc/man1/verify.pod
|
|
@@ -75,7 +75,7 @@ The file should contain one or more cert
|
|
A directory of trusted certificates. The certificates should have names
|
|
of the form: hash.0 or have symbolic links to them of this
|
|
form ("hash" is the hashed certificate subject name: see the B<-hash> option
|
|
-of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
|
|
+of the B<x509> utility). Under Unix the B<c_rehash-1_1> script will automatically
|
|
create symbolic links to a directory of certificates.
|
|
|
|
=item B<-no-CAfile>
|
|
Index: openssl-1.1.1v/doc/man1/x509.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man1/x509.pod
|
|
+++ openssl-1.1.1v/doc/man1/x509.pod
|
|
@@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec
|
|
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
|
|
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
|
|
canonical version of the DN using SHA1. This means that any directories using
|
|
-the old form must have their links rebuilt using B<c_rehash> or similar.
|
|
+the old form must have their links rebuilt using B<c_rehash-1_1> or similar.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Index: openssl-1.1.1v/doc/man3/OPENSSL_config.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man3/OPENSSL_config.pod
|
|
+++ openssl-1.1.1v/doc/man3/OPENSSL_config.pod
|
|
@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
|
|
+OPENSSL_config() configures OpenSSL using the standard B<openssl-1_1.cnf> and
|
|
reads from the application section B<appname>. If B<appname> is NULL then
|
|
the default section, B<openssl_conf>, will be used.
|
|
Errors are silently ignored.
|
|
Index: openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man3/SSL_CTX_load_verify_locations.pod
|
|
+++ openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod
|
|
@@ -63,7 +63,7 @@ If more than one CA certificate with the
|
|
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
|
|
is performed in the ordering of the extension number, regardless of other
|
|
properties of the certificates.
|
|
-Use the B<c_rehash> utility to create the necessary links.
|
|
+Use the B<c_rehash-1_1> utility to create the necessary links.
|
|
|
|
The certificates in B<CApath> are only looked up when required, e.g. when
|
|
building the certificate chain or when actually performing the verification
|
|
@@ -137,7 +137,7 @@ Prepare the directory /some/where/certs
|
|
for use as B<CApath>:
|
|
|
|
cd /some/where/certs
|
|
- c_rehash .
|
|
+ c_rehash-1_1 .
|
|
|
|
=head1 SEE ALSO
|
|
|
|
Index: openssl-1.1.1v/doc/man5/config.pod
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/doc/man5/config.pod
|
|
+++ openssl-1.1.1v/doc/man5/config.pod
|
|
@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat
|
|
=head1 DESCRIPTION
|
|
|
|
The OpenSSL CONF library can be used to read configuration files.
|
|
-It is used for the OpenSSL master configuration file B<openssl.cnf>
|
|
+It is used for the OpenSSL master configuration file B<openssl-1_1.cnf>
|
|
and in a few other places like B<SPKAC> files and certificate extension
|
|
files for the B<x509> utility. OpenSSL applications can also use the
|
|
CONF library for their own purposes.
|
|
Index: openssl-1.1.1v/include/internal/cryptlib.h
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/include/internal/cryptlib.h
|
|
+++ openssl-1.1.1v/include/internal/cryptlib.h
|
|
@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO;
|
|
typedef struct mem_st MEM;
|
|
DEFINE_LHASH_OF(MEM);
|
|
|
|
-# define OPENSSL_CONF "openssl.cnf"
|
|
+# define OPENSSL_CONF "openssl-1_1.cnf"
|
|
|
|
# ifndef OPENSSL_SYS_VMS
|
|
# define X509_CERT_AREA OPENSSLDIR
|
|
Index: openssl-1.1.1v/test/recipes/80-test_ca.t
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/test/recipes/80-test_ca.t
|
|
+++ openssl-1.1.1v/test/recipes/80-test_ca.t
|
|
@@ -27,27 +27,27 @@ plan tests => 5;
|
|
SKIP: {
|
|
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
|
|
skip "failed creating CA structure", 4
|
|
- if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
|
|
+ if !ok(run(perlapp(["CA-1_1.pl","-newca"], stdin => undef)),
|
|
'creating CA structure');
|
|
|
|
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
|
|
skip "failed creating new certificate request", 3
|
|
- if !ok(run(perlapp(["CA.pl","-newreq"])),
|
|
+ if !ok(run(perlapp(["CA-1_1.pl","-newreq"])),
|
|
'creating certificate request');
|
|
|
|
$ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"';
|
|
skip "failed to sign certificate request", 2
|
|
- if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
|
|
+ if !is(yes(cmdstr(perlapp(["CA-1_1.pl", "-sign"]))), 0,
|
|
'signing certificate request');
|
|
|
|
- ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
|
|
+ ok(run(perlapp(["CA-1_1.pl", "-verify", "newcert.pem"])),
|
|
'verifying new certificate');
|
|
|
|
skip "CT not configured, can't use -precert", 1
|
|
if disabled("ct");
|
|
|
|
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
|
|
- ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
|
|
+ ok(run(perlapp(["CA-1_1.pl", "-precert"], stderr => undef)),
|
|
'creating new pre-certificate');
|
|
}
|
|
|
|
Index: openssl-1.1.1v/tools/build.info
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/tools/build.info
|
|
+++ openssl-1.1.1v/tools/build.info
|
|
@@ -1,5 +1,5 @@
|
|
{- our $c_rehash_name =
|
|
- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash";
|
|
+ $config{target} =~ /^(VC|vms)-/ ? "c_rehash-1_1.pl" : "c_rehash-1_1";
|
|
"" -}
|
|
IF[{- !$disabled{apps} -}]
|
|
SCRIPTS={- $c_rehash_name -}
|
|
Index: openssl-1.1.1v/tools/c_rehash.in
|
|
===================================================================
|
|
--- openssl-1.1.1v.orig/tools/c_rehash.in
|
|
+++ openssl-1.1.1v/tools/c_rehash.in
|
|
@@ -8,7 +8,7 @@
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
-# Perl c_rehash script, scan all files in a directory
|
|
+# Perl c_rehash-1_1 script, scan all files in a directory
|
|
# and add symbolic links to their hash values.
|
|
|
|
my $dir = {- quotify1($config{openssldir}) -};
|
|
@@ -44,7 +44,7 @@ while ( $ARGV[0] =~ /^-/ ) {
|
|
}
|
|
|
|
sub help {
|
|
- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
|
|
+ print "Usage: c_rehash-1_1 [-old] [-h] [-help] [-v] [dirs...]\n";
|
|
print " -old use old-style digest\n";
|
|
print " -h or -help print this help text\n";
|
|
print " -v print files removed and linked\n";
|
|
@@ -73,7 +73,7 @@ if (! -x $openssl) {
|
|
}
|
|
}
|
|
if ($found == 0) {
|
|
- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
|
|
+ print STDERR "c_rehash-1_1: rehashing skipped ('openssl-1_1' program not available)\n";
|
|
exit 0;
|
|
}
|
|
}
|