Pedro Monreal Gonzalez
8cce2e6a14
- Security fix: [bsc#1192820, CVE-2002-20001] * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE calculation. * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST * Rebase openssl-DEFAULT_SUSE_cipher.patch - Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187] * In an INI-type file, the sections begin with a [section_name] and they run until the next section begins. * Rebase openssl-1_1-use-include-directive.patch OBS-URL: https://build.opensuse.org/request/show/960455 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=107
64 lines
3.0 KiB
Diff
64 lines
3.0 KiB
Diff
Index: openssl-1.1.1/ssl/ssl_ciph.c
|
|
===================================================================
|
|
--- openssl-1.1.1.orig/ssl/ssl_ciph.c 2018-09-11 14:48:23.000000000 +0200
|
|
+++ openssl-1.1.1/ssl/ssl_ciph.c 2018-09-11 16:38:40.412543331 +0200
|
|
@@ -1567,7 +1567,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
*/
|
|
ok = 1;
|
|
rule_p = rule_str;
|
|
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
|
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
|
|
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
|
|
+ &head, &tail, ca_list, c);
|
|
+ rule_p += 12;
|
|
+ if (*rule_p == ':')
|
|
+ rule_p++;
|
|
+ }
|
|
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
|
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
|
|
&head, &tail, ca_list, c);
|
|
rule_p += 7;
|
|
Index: openssl-1.1.1/include/openssl/ssl.h
|
|
===================================================================
|
|
--- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200
|
|
+++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200
|
|
@@ -171,6 +171,10 @@ extern "C" {
|
|
* This applies to ciphersuites for TLSv1.2 and below.
|
|
*/
|
|
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
|
|
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
|
|
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
|
|
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
|
|
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
|
|
/* This is the default set of TLSv1.3 ciphersuites */
|
|
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
|
|
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
|
|
Index: openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t
|
|
===================================================================
|
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
|
+++ openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t 2018-09-11 16:38:23.292423281 +0200
|
|
@@ -0,0 +1,23 @@
|
|
+#! /usr/bin/env perl
|
|
+
|
|
+use strict;
|
|
+use warnings;
|
|
+
|
|
+use OpenSSL::Test qw/:DEFAULT/;
|
|
+use OpenSSL::Test::Utils;
|
|
+
|
|
+setup("test_default_ciphersuites");
|
|
+
|
|
+plan tests => 6;
|
|
+
|
|
+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
|
|
+
|
|
+foreach my $cipherlist (@cipher_suites) {
|
|
+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
|
|
+ "openssl ciphers works with ciphersuite $cipherlist");
|
|
+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
|
|
+ "$cipherlist shouldn't contain MD5, DES or RC4\n");
|
|
+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
|
|
+ "$cipherlist should contain TLSv1.3 ciphers\n");
|
|
+}
|
|
+
|