openssl-3/openssl-truststore.patch

Don't use the legacy /etc/ssl/certs directory anymore but rather the
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
Index: openssl-3.2.3/include/internal/common.h
===================================================================
--- openssl-3.2.3.orig/include/internal/common.h
+++ openssl-3.2.3/include/internal/common.h
@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser
 
 # ifndef OPENSSL_SYS_VMS
 #  define X509_CERT_AREA          OPENSSLDIR
-#  define X509_CERT_DIR           OPENSSLDIR "/certs"
-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+#  define X509_CERT_DIR           "/var/lib/ca-certificates/openssl"
+#  define X509_CERT_FILE          "/var/lib/ca-certificates/ca-bundle.pem"
 #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
 #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
 # else
- Support MSA 11 HMAC on s390x jsc#PED-10273 * Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch * Add openssl-3-fix-hmac-digest-detection-s390x.patch * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch - Add hardware acceleration for full AES-XTS jsc#PED-10273 * Add openssl-3-hw-acceleration-aes-xts-s390x.patch - Support MSA 12 SHA3 on s390x jsc#PED-10280 * Add openssl-3-add_EVP_DigestSqueeze_api.patch * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch * Add openssl-3-add-xof-state-handling-s3_absorb.patch * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch * Add openssl-3-fix-state-handling-sha3_final_s390x.patch * Add openssl-3-fix-state-handling-shake_final_s390x.patch * Add openssl-3-fix-state-handling-keccak_final_s390x.patch * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch * Add openssl-3-add-defines-CPACF-funcs.patch * Add openssl-3-add-hw-acceleration-hmac.patch * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch * Add openssl-3-fix-s390x_sha3_absorb.patch * Add openssl-3-fix-s390x_shake_squeeze.patch - Update to 3.2.3: * Changes between 3.2.2 and 3.2.3: - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119] - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535] * Changes between 3.2.1 and 3.2.2: - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741] - Fixed an issue where checking excessively long DSA keys or parameters may OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121 2024-11-05 20:08:08 +01:00			`Don't use the legacy /etc/ssl/certs directory anymore but rather the`
			`p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)`
			`Index: openssl-3.2.3/include/internal/common.h`
			`===================================================================`
			`--- openssl-3.2.3.orig/include/internal/common.h`
			`+++ openssl-3.2.3/include/internal/common.h`
			`@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser`

			`# ifndef OPENSSL_SYS_VMS`
			`# define X509_CERT_AREA OPENSSLDIR`
			`-# define X509_CERT_DIR OPENSSLDIR "/certs"`
			`-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"`
			`+# define X509_CERT_DIR "/var/lib/ca-certificates/openssl"`
			`+# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem"`
			`# define X509_PRIVATE_DIR OPENSSLDIR "/private"`
			`# define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf"`
			`# else`