Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
verification operations. After 12/31/2030, NIST will disallow
SHA-1 for all of its usages.
* Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- FIPS: RSA keygen PCT requirements.
* Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
self-test requirements are covered by do_rsa_pct() for both
RSA-OAEP and RSA signatures [bsc#1221760]
* Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
* Add openssl-3-FIPS-PCT_rsa_keygen.patch
- FIPS: Check that the fips provider is available before setting
it as the default provider in FIPS mode. [bsc#1220523]
* Rebase openssl-Force-FIPS.patch
- FIPS: Port openssl to use jitterentropy [bsc#1220523]
* Set the module in error state if the jitter RNG fails either on
initialization or entropy gathering because health tests failed.
* Add jitterentropy as a seeding source output also in crypto/info.c
* Move the jitter entropy collector and the associated lock out
of the header file to avoid redefinitions.
* Add the fips_local.cnf symlink to the spec file. This simlink
points to the openssl_fips.config file that is provided by the
crypto-policies package.
* Rebase openssl-3-jitterentropy-3.4.0.patch
* Rebase openssl-FIPS-enforce-EMS-support.patch
- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
---
|
|
apps/openssl.cnf | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
Index: openssl-3.1.4/apps/openssl.cnf
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/apps/openssl.cnf
|
|
+++ openssl-3.1.4/apps/openssl.cnf
|
|
@@ -19,6 +19,7 @@ openssl_conf = openssl_init
|
|
# Comment out the next line to ignore configuration errors
|
|
config_diagnostics = 1
|
|
|
|
+[ oid_section ]
|
|
# Extra OBJECT IDENTIFIER info:
|
|
# oid_file = $ENV::HOME/.oid
|
|
oid_section = new_oids
|
|
@@ -47,6 +48,18 @@ providers = provider_sect
|
|
# Load default TLS policy configuration
|
|
ssl_conf = ssl_module
|
|
|
|
+engines = engine_section
|
|
+
|
|
+[ engine_section ]
|
|
+
|
|
+# This include will look through the directory that will contain the
|
|
+# engine declarations for any engines provided by other packages.
|
|
+.include /etc/ssl/engines3.d
|
|
+
|
|
+# This include will look through the directory that will contain the
|
|
+# definitions of the engines declared in the engine section.
|
|
+.include /etc/ssl/engdef3.d
|
|
+
|
|
# Uncomment the sections that start with ## below to enable the legacy provider.
|
|
# Loading the legacy provider enables support for the following algorithms:
|
|
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|