Accepting request 1062222 from security:tls:unstable

- Relax the crypto-policies requirements for the regression tests - Set OpenSSL 3.0.7 as the default openssl [bsc#1205042] * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Package a copy of the original default config file called openssl.cnf and name it as openssl-orig.cnf and warn the user if the files differ. * Add openssl-3-devel as conflicting with libopenssl-1_1-devel * Remove patches: - fix-config-in-tests.patch - openssl-use-versioned-config.patch - Create the openssl ca-certificates directory in case the ca-certificates package is not installed. This directory is required by the nodejs regression tests. [bsc#1207484] - Compute the hmac files for FIPS 140-3 integrity checking of the openssl shared libraries using the brp-50-generate-fips-hmac script. Also computed for the 32bit package. OBS-URL: https://build.opensuse.org/request/show/1062222 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=51
2023-01-31 12:15:10 +00:00 · 2023-01-31 12:15:10 +00:00 · 9250deebcd
commit 9250deebcd
parent 0028006287
7 changed files with 200 additions and 255 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,6 +1,10 @@
 libopenssl3
+  obsoletes "libopenssl1_1_0-<targettype>"
+libopenssl3-hmac
+  requires "libopenssl3-<targettype> = <version>-%release"
 libopenssl-3-devel
  provides "libopenssl-devel-<targettype> = <version>"
  conflicts "otherproviders(libopenssl-devel-<targettype>)"
+  conflicts "libopenssl-1_1-devel-<targettype>"
  requires -"openssl-3-<targettype>"
  requires "libopenssl3-<targettype> = <version>"
--- a/fix-config-in-tests.patch
+++ b/fix-config-in-tests.patch
@ -1,13 +0,0 @@
-Index: openssl-3.0.1/test/run_tests.pl
-===================================================================
--- openssl-3.0.1.orig/test/run_tests.pl
-+++ openssl-3.0.1/test/run_tests.pl
-@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test",
- my $libdir = rel2abs(catdir($srctop, "util", "perl"));
- my $jobs = $ENV{HARNESS_JOBS} // 1;
- 
-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
-+$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl3.cnf"));
- $ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
- $ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
- $ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,9 +1,42 @@
+-------------------------------------------------------------------
+Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Relax the crypto-policies requirements for the regression tests
+
+-------------------------------------------------------------------
+Wed Jan 25 11:09:52 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
+  * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
+  * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+  * Package a copy of the original default config file called
+    openssl.cnf and name it as openssl-orig.cnf and warn the user
+    if the files differ.
+  * Add openssl-3-devel as conflicting with libopenssl-1_1-devel
+  * Remove patches:
+    - fix-config-in-tests.patch
+    - openssl-use-versioned-config.patch
+
+-------------------------------------------------------------------
+Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Create the openssl ca-certificates directory in case the
+  ca-certificates package is not installed. This directory is
+  required by the nodejs regression tests. [bsc#1207484]
+
 -------------------------------------------------------------------
 Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>

 - Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996]
  * Add patch: openssl-3-Fix-double-locking-problem.patch

+-------------------------------------------------------------------
+Wed Dec 14 12:40:04 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Compute the hmac files for FIPS 140-3 integrity checking of the
+  openssl shared libraries using the brp-50-generate-fips-hmac
+  script. Also computed for the 32bit package.
+
 -------------------------------------------------------------------
 Tue Nov  1 18:29:41 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,9 +18,10 @@

 %define ssletcdir %{_sysconfdir}/ssl
 %define sover 3
-%define _rname  openssl
+%define _rname openssl
+%define man_suffix 3ssl
 Name:           openssl-3
-# Don't forget to update the version in the "openssl" package!
+# Don't forget to update the version in the "openssl" meta-package!
 Version:        3.0.7
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
@ -35,28 +36,32 @@ Source3:        https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
 # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
 Source4:        %{_rname}.keyring
 Source5:        showciphers.c
-# PATCH-FIX-OPENSUSE: do not install html mans as it takes ages
-Patch1:         openssl-1.1.0-no-html.patch
+# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
+Patch1:         openssl-no-html-docs.patch
 Patch2:         openssl-truststore.patch
 Patch3:         openssl-pkgconfig.patch
 Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-no-date.patch
-# Patches for crypto-policies
+# Add crypto-policies support
 Patch7:         openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 Patch8:         openssl-Override-default-paths-for-the-CA-directory-tree.patch
-# use openssl3.cnf
-Patch9:         openssl-use-versioned-config.patch
-Patch10:        fix-config-in-tests.patch
 # PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double Locking
-Patch11:        openssl-3-Fix-double-locking-problem.patch
+Patch9:         openssl-3-Fix-double-locking-problem.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
-# Add requires for ct_log_list.cnf{,.dist}
+Requires:       libopenssl3 = %{version}-%{release}
 Requires:       openssl
+Conflicts:      ssl
+Provides:       ssl
+Provides:       openssl(cli)
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
+# Needed for clean upgrade path, boo#1070003
+Obsoletes:      openssl-1_0_0
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      openssl-1_1_0

 %description
 OpenSSL is a software library to be used in applications that need to
@ -70,6 +75,11 @@ Summary:        Secure Sockets and Transport Layer Security
 Requires:       crypto-policies
 %endif
 Recommends:     ca-certificates-mozilla
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
+Suggests:       libopenssl3-hmac = %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl1_1_0
+Conflicts:      %{name} < %{version}-%{release}

 %description -n libopenssl3
 OpenSSL is a software library to be used in applications that need to
@ -82,11 +92,13 @@ Summary:        Development files for OpenSSL
 Requires:       libopenssl3 = %{version}
 Requires:       pkgconfig(zlib)
 Recommends:     %{name} = %{version}
-# We need to have around only the exact version we are able to operate with
-Conflicts:      libopenssl-devel < %{version}
-Conflicts:      libopenssl-devel > %{version}
 Conflicts:      libressl-devel
-Conflicts:      ssl-devel
+# Conflicting names with libopenssl-1_1-devel
+Conflicts:      libopenssl-1_1-devel
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl-1_1_0-devel
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:      libopenssl-1_0_0-devel

 %description -n libopenssl-3-devel
 This subpackage contains header files for developing applications
@ -103,6 +115,20 @@ BuildArch:      noarch
 This package contains optional documentation provided in addition to
 this package's base documentation.

+%package -n libopenssl3-hmac
+Summary:        HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries
+License:        BSD-3-Clause
+Requires:       libopenssl3 = %{version}-%{release}
+BuildRequires:  fipscheck
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl1_1_0-hmac
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:      libopenssl-1_0_0-hmac
+
+%description -n libopenssl3-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
 %prep
 %autosetup -p1 -n %{_rname}-%{version}

@ -115,13 +141,12 @@ export MACHINE=armv6l
 %endif

 ./config \
-    no-idea \
-    no-ec2m \
-    enable-rfc3779 \
+    no-mdc2 no-ec2m no-sm2 no-sm4 \
+    enable-rfc3779 enable-camellia enable-seed \
 %ifarch x86_64 aarch64 ppc64le
    enable-ec_nistp_64_gcc_128 \
 %endif
-    enable-camellia \
+    enable-fips \
    zlib \
    --prefix=%{_prefix} \
    --libdir=%{_lib} \
@ -142,110 +167,133 @@ export MACHINE=armv6l
 # Show build configuration
 perl configdata.pm --dump

+# Do not run this in a production package the FIPS symbols must be patched-in
 # util/mkdef.pl crypto update
+
 %make_build depend
 %make_build all

 %check
-
-# We must revert patch8 before running tests, otherwise they will fail.
+# Relax the crypto-policies requirements for the regression tests
+# Revert patch8 before running tests
 patch -p1 -R < %{P:8}
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file

 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 # export HARNESS_VERBOSE=yes
-LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa -test_ssl_new -test_sslapi' test -j1
+LD_LIBRARY_PATH="$PWD" make test -j16
+
 # show ciphers
 gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers

 %install
-%make_install %{?_smp_mflags}
+%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}

-# Kill static libs
+rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
+for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
+    chmod 755 ${lib}
+    ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version})
+    ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover}
+done
+
+# Remove static libraries
 rm -f %{buildroot}%{_libdir}/lib*.a
+
 # Remove the cnf.dist
-rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist
-mkdir %{buildroot}/%{_datadir}/ssl-3
-mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/
+rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
+rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
+
+# Make a copy of the default openssl.cnf file
+cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
+
+# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484]
+mkdir -p %{buildroot}/var/lib/ca-certificates/openssl
+install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl
+
+# Remove the fipsmodule.cnf because FIPS module is loaded automatically
+rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
+
 ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
 mkdir %{buildroot}/%{_datadir}/ssl
-# Rename binary
-mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name}
+mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
+
 # Avoid file conflicts with man pages from other packages
 pushd %{buildroot}/%{_mandir}
 find . -type f -exec chmod 644 {} +
-# Some man pages now contain spaces. This makes several
-# scripts go havoc, among them /usr/sbin/Check.
-# Replace spaces by underscores
-# for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
-
-touch $OLDPWD/filelist.doc $OLDPWD/filelist
-which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
-for i in man?/*; do
-  if test -L $i ; then
-    LDEST=`readlink $i`
-    rm -f $i ${i}ssl
-    ln -sf ${LDEST}ssl-3 ${i}ssl-3
-  else
-    mv $i ${i}ssl-3
-  fi
-  case "$i" in
-    *.1)
-      # These are the pages mentioned in openssl(1). They go into the main package.
-      echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;;
-    *)
-      # The rest goes into the openssl-doc package.
-      echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;;
-  esac
-done
+mv man5/config.5%{man_suffix} man5/openssl.cnf.5
 popd

-mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3
-
-# They are provided by openssl package
-rm %{buildroot}%{ssletcdir}/ct_log_list.cnf*
-
 # Do not install demo scripts executable under /usr/share/doc
 find demos -type f -perm /111 -exec chmod 644 {} +

 # Place showciphers.c for %%doc macro
 cp %{SOURCE5} .

+# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
+export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}"
+
+%post -p "/bin/bash"
+if [ "$1" -gt 1 ] ; then
+    # Check if the packaged default config file for openssl-3, called openssl.cnf,
+    # is the original or if it has been modified and alert the user in that case
+    # that a copy of the original file openssl-orig.cnf can be used if needed.
+    cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null
+    if [ "$?" -eq 1 ] ; then
+        echo -e " The openssl-3 default config file openssl.cnf is different from" ;
+        echo -e " the original one shipped by the package. A copy of the original" ;
+        echo -e " file is packaged and named as openssl-orig.cnf if needed."
+    fi
+fi
+
 %post -n libopenssl3 -p /sbin/ldconfig
 %postun -n libopenssl3 -p /sbin/ldconfig

 %files -n libopenssl3
 %license LICENSE.txt
+%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
 %{_libdir}/libssl.so.%{sover}
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
 %{_libdir}/libcrypto.so.%{sover}
 %{_libdir}/engines-%{sover}
 %dir %{_libdir}/ossl-modules
-#%%{_libdir}/ossl-modules/fips.so
+%{_libdir}/ossl-modules/fips.so
 %{_libdir}/ossl-modules/legacy.so

+%files -n libopenssl3-hmac
+%{_libdir}/.libssl.so.%{sover}.hmac
+%{_libdir}/.libcrypto.so.%{sover}.hmac
+
 %files -n libopenssl-3-devel
+%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md
 %{_includedir}/%{_rname}/
 %{_includedir}/ssl
-%{_libdir}/libssl.so
-%{_libdir}/libcrypto.so
-%{_libdir}/pkgconfig/libcrypto.pc
-%{_libdir}/pkgconfig/libssl.pc
-%{_libdir}/pkgconfig/openssl.pc
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/*

-%files doc -f filelist.doc
-%doc doc/* demos
+%files doc
+%doc README.md
+%doc doc/html/* doc/HOWTO/* demos
 %doc showciphers.c

-%files -f filelist
-%doc CHANGE*
+%files
+%license LICENSE.txt
+%doc CHANGES.md NEWS.md FAQ.md README.md
 %dir %{ssletcdir}
-%config (noreplace) %{ssletcdir}/openssl3.cnf
+%config %{ssletcdir}/openssl-orig.cnf
+%config (noreplace) %{ssletcdir}/openssl.cnf
+%config (noreplace) %{ssletcdir}/ct_log_list.cnf
 %attr(700,root,root) %{ssletcdir}/private
-
-%dir %{_datadir}/ssl-3
-%{_datadir}/ssl-3/misc
-%{_bindir}/c_rehash-3
-%{_bindir}/%{name}
+%dir %{_datadir}/ssl
+%{_datadir}/ssl/misc
+%dir /var/lib/ca-certificates/
+%dir /var/lib/ca-certificates/openssl
+%{_bindir}/%{_rname}
+%{_bindir}/c_rehash
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man7/*

 %changelog
--- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -15,10 +15,10 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
 util/libcrypto.num                |  1 +
 8 files changed, 110 insertions(+), 14 deletions(-)

-Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl
+Index: openssl-3.0.7/Configurations/unix-Makefile.tmpl
 ===================================================================
--- openssl-3.0.5.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.5/Configurations/unix-Makefile.tmpl
+--- openssl-3.0.7.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.7/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
 DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
 HTMLDIR=$(DOCDIR)/html
@ -38,10 +38,10 @@ Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl
                                   (map { "-I".$_} @{$config{CPPINCLUDES}}),
                                   @{$config{CPPFLAGS}}) -}
 CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
+Index: openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
 ===================================================================
--- openssl-3.0.5.orig/doc/man1/openssl-ciphers.pod.in
-+++ openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
+--- openssl-3.0.7.orig/doc/man1/openssl-ciphers.pod.in
+++ openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
 
 The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -58,10 +58,10 @@ Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
 =item B<HIGH>
 
 "High" encryption cipher suites. This currently means those with key lengths
-Index: openssl-3.0.5/include/openssl/ssl.h.in
+Index: openssl-3.0.7/include/openssl/ssl.h.in
 ===================================================================
--- openssl-3.0.5.orig/include/openssl/ssl.h.in
-+++ openssl-3.0.5/include/openssl/ssl.h.in
+--- openssl-3.0.7.orig/include/openssl/ssl.h.in
+++ openssl-3.0.7/include/openssl/ssl.h.in
@@ -210,6 +210,11 @@ extern "C" {
  * throwing out anonymous and unencrypted ciphersuites! (The latter are not
  * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@ -74,11 +74,11 @@ Index: openssl-3.0.5/include/openssl/ssl.h.in
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 # define SSL_SENT_SHUTDOWN       1
-Index: openssl-3.0.5/ssl/ssl_ciph.c
+Index: openssl-3.0.7/ssl/ssl_ciph.c
 ===================================================================
--- openssl-3.0.5.orig/ssl/ssl_ciph.c
-+++ openssl-3.0.5/ssl/ssl_ciph.c
-@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+--- openssl-3.0.7.orig/ssl/ssl_ciph.c
+++ openssl-3.0.7/ssl/ssl_ciph.c
+@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c
     return ret;
 }
 
@ -132,7 +132,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
                                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
                                              STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
     const SSL_CIPHER **ca_list = NULL;
     const SSL_METHOD *ssl_method = ctx->method;
@ -160,7 +160,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
 
     /*
      * To reduce the work to do we only want to process the compiled
-@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
     if (co_list == NULL) {
         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
@ -169,7 +169,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
     }
 
     ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      * in force within each class
      */
     if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -179,7 +179,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
     }
 
     /*
-@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
     if (ca_list == NULL) {
@ -190,7 +190,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
     }
     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
                                disabled_mkey, disabled_auth, disabled_enc,
-@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     OPENSSL_free(ca_list);      /* Not needed anymore */
 
     if (!ok) {                  /* Rule processing failure */
@ -200,7 +200,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
     }
 
     /*
-@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      * if we cannot get one.
      */
     if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -216,7 +216,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
         const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
     *cipher_list = cipherstack;
 
     return cipherstack;
@ -231,10 +231,10 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
 }
 
 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-Index: openssl-3.0.5/ssl/ssl_lib.c
+Index: openssl-3.0.7/ssl/ssl_lib.c
 ===================================================================
--- openssl-3.0.5.orig/ssl/ssl_lib.c
-+++ openssl-3.0.5/ssl/ssl_lib.c
+--- openssl-3.0.7.orig/ssl/ssl_lib.c
+++ openssl-3.0.7/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
                                 ctx->tls13_ciphersuites,
                                 &(ctx->cipher_list),
@ -244,7 +244,7 @@ Index: openssl-3.0.5/ssl/ssl_lib.c
     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
         return 0;
-@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
+@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
     if (!ssl_create_cipher_list(ret,
                                 ret->tls13_ciphersuites,
                                 &ret->cipher_list, &ret->cipher_list_by_id,
@ -253,10 +253,10 @@ Index: openssl-3.0.5/ssl/ssl_lib.c
         || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
         ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
         goto err2;
-Index: openssl-3.0.5/test/cipherlist_test.c
+Index: openssl-3.0.7/test/cipherlist_test.c
 ===================================================================
--- openssl-3.0.5.orig/test/cipherlist_test.c
-+++ openssl-3.0.5/test/cipherlist_test.c
+--- openssl-3.0.7.orig/test/cipherlist_test.c
+++ openssl-3.0.7/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end:
 
 int setup_tests(void)
@ -267,20 +267,20 @@ Index: openssl-3.0.5/test/cipherlist_test.c
     ADD_TEST(test_default_cipherlist_explicit);
     ADD_TEST(test_default_cipherlist_clear);
     return 1;
-Index: openssl-3.0.5/util/libcrypto.num
+Index: openssl-3.0.7/util/libcrypto.num
 ===================================================================
--- openssl-3.0.5.orig/util/libcrypto.num
-+++ openssl-3.0.5/util/libcrypto.num
+--- openssl-3.0.7.orig/util/libcrypto.num
+++ openssl-3.0.7/util/libcrypto.num
@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider
 EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
 OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
 OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
 +ossl_safe_getenv                        ?	3_0_0   EXIST::FUNCTION:
-Index: openssl-3.0.5/Configure
+Index: openssl-3.0.7/Configure
 ===================================================================
--- openssl-3.0.5.orig/Configure
-+++ openssl-3.0.5/Configure
-@@ -28,7 +28,7 @@ use OpenSSL::config;
+--- openssl-3.0.7.orig/Configure
+++ openssl-3.0.7/Configure
+@@ -27,7 +27,7 @@ use OpenSSL::config;
 my $orig_death_handler = $SIG{__DIE__};
 $SIG{__DIE__} = \&death_handler;
 
@ -289,7 +289,7 @@ Index: openssl-3.0.5/Configure
 
 my $banner = <<"EOF";
 
-@@ -62,6 +62,10 @@ EOF
+@@ -61,6 +61,10 @@ EOF
 #               given with --prefix.
 #               This becomes the value of OPENSSLDIR in Makefile and in C.
 #               (Default: PREFIX/ssl)
@ -300,7 +300,7 @@ Index: openssl-3.0.5/Configure
 # --banner=".." Output specified text instead of default completion banner
 #
 # -w            Don't wait after showing a Configure warning
-@@ -388,6 +392,7 @@ $config{prefix}="";
+@@ -387,6 +391,7 @@ $config{prefix}="";
 $config{openssldir}="";
 $config{processor}="";
 $config{libdir}="";
@ -308,14 +308,14 @@ Index: openssl-3.0.5/Configure
 my $auto_threads=1;    # enable threads automatically? true by default
 my $default_ranlib;
 
-@@ -990,6 +995,10 @@ while (@argvcopy)
+@@ -989,6 +994,10 @@ while (@argvcopy)
                         die "FIPS key too long (64 bytes max)\n"
                            if length $1 > 64;
                         }
-+		elsif (/^--system-ciphers-file=(.*)$/)
-+			{
-+			$config{system_ciphers_file}=$1;
-+			}
+                elsif (/^--system-ciphers-file=(.*)$/)
+                        {
+                        $config{system_ciphers_file}=$1;
+                        }
                 elsif (/^--banner=(.*)$/)
                         {
                         $banner = $1 . "\n";
--- a/openssl-1.1.0-no-html.patch
+++ b/openssl-1.1.0-no-html.patch
--- a/openssl-use-versioned-config.patch
+++ b/openssl-use-versioned-config.patch
@ -1,127 +0,0 @@
-From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001
-From: Sahana Prasad <sahana@redhat.com>
-Date: Tue, 5 Oct 2021 12:10:42 +0200
-Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:
- rhbz#1947584, rhbz#2003123 Signed-off-by: Sahana Prasad <sahana@redhat.com>
-
-Refactored for SUSE by Simon Lees sflees@suse.de
-
-Index: openssl-3.0.2/include/internal/cryptlib.h
-===================================================================
--- openssl-3.0.2.orig/include/internal/cryptlib.h
-+++ openssl-3.0.2/include/internal/cryptlib.h
-@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
- typedef struct mem_st MEM;
- DEFINE_LHASH_OF(MEM);
- 
-# define OPENSSL_CONF             "openssl.cnf"
-+# define OPENSSL_CONF             "openssl3.cnf"
- 
- # ifndef OPENSSL_SYS_VMS
- #  define X509_CERT_AREA          OPENSSLDIR
-Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl
-===================================================================
--- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.2/Configurations/unix-Makefile.tmpl
-@@ -675,14 +675,14 @@ install_ssldirs:
- 			: {- output_on() if windowsdll(); "" -}; \
- 		fi; \
- 	done
-	@$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
-	@cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
-	@chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
-	@mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
-	@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
-		$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
-		cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
-		chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
-+	@$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist"
-+	@cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
-+	@chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
-+	@mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist
-+	@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \
-+		$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \
-+		cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
-+		chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
- 	fi
- 	@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
- 	@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
-@@ -1136,7 +1136,7 @@ lint:
- 
- generate_apps:
- 	( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
-				< apps/openssl.cnf > apps/openssl-vms.cnf )
-+				< apps/openssl3.cnf > apps/openssl-vms.cnf )
- 
- generate_crypto_bn:
- 	( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
-@@ -1374,7 +1374,7 @@ tar:
- 
- # Helper targets #####################################################
- 
-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
-+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
- 
- $(BLDDIR)/util/opensslwrap.sh: Makefile
- 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
-@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile
- 	    ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
- 	fi
- 
-$(BLDDIR)/apps/openssl.cnf: Makefile
-+$(BLDDIR)/apps/openssl3.cnf: Makefile
- 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
- 	    mkdir -p "$(BLDDIR)/apps"; \
- 	    ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
-Index: openssl-3.0.2/Configure
-===================================================================
--- openssl-3.0.2.orig/Configure
-+++ openssl-3.0.2/Configure
-@@ -56,7 +56,7 @@ EOF
- #               directories bin, lib, include, share/man, share/doc/openssl
- #               This becomes the value of INSTALLTOP in Makefile
- #               (Default: /usr/local)
-# --openssldir  OpenSSL data area, such as openssl.cnf, certificates and keys.
-+# --openssldir  OpenSSL data area, such as openssl3.cnf, certificates and keys.
- #               If it's a relative directory, it will be added on the directory
- #               given with --prefix.
- #               This becomes the value of OPENSSLDIR in Makefile and in C.
-Index: openssl-3.0.2/doc/HOWTO/certificates.txt
-===================================================================
--- openssl-3.0.2.orig/doc/HOWTO/certificates.txt
-+++ openssl-3.0.2/doc/HOWTO/certificates.txt
-@@ -16,7 +16,7 @@ Certificate authorities should read http
- In all the cases shown below, the standard configuration file, as
- compiled into openssl, will be used.  You may find it in /etc/,
- /usr/local/ssl/ or somewhere else.  By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
-+openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html.
- You can specify a different configuration file using the
- '-config {file}' argument with the commands shown below.
- 
-Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod
-===================================================================
--- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod
-+++ openssl-3.0.2/doc/man3/OPENSSL_config.pod
-@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
- 
- =head1 DESCRIPTION
- 
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
-+OPENSSL_config() configures OpenSSL using the standard B<openssl3.cnf> and
- reads from the application section B<appname>. If B<appname> is NULL then
- the default section, B<openssl_conf>, will be used.
- Errors are silently ignored.
-Index: openssl-3.0.2/INSTALL.md
-===================================================================
--- openssl-3.0.2.orig/INSTALL.md
-+++ openssl-3.0.2/INSTALL.md
-@@ -567,7 +567,7 @@ is an objective.
- 
- ### no-autoload-config
- 
-Don't automatically load the default `openssl.cnf` file.
-+Don't automatically load the default `openssl3.cnf` file.
- 
- Typically OpenSSL will automatically load a system config file which configures
- default SSL options.