7f772876ff
- update to 1.0.2d
* fixes CVE-2015-1793 (bsc#936746)
Alternate chains certificate forgery
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
- drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/315685
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128
31 lines
995 B
Diff
31 lines
995 B
Diff
Index: openssl-1.0.2b/test/testssl
|
|
===================================================================
|
|
--- openssl-1.0.2b.orig/test/testssl 2015-06-11 20:11:36.398513121 +0200
|
|
+++ openssl-1.0.2b/test/testssl 2015-06-11 20:15:40.833426946 +0200
|
|
@@ -192,6 +192,25 @@ for protocol in TLSv1.2 SSLv3; do
|
|
fi
|
|
done
|
|
|
|
+echo "Testing default ciphersuites"
|
|
+
|
|
+for cipher_suite in DEFAULT_SUSE DEFAULT; do
|
|
+ ../util/shlib_wrap.sh ../apps/openssl ciphers $cipher_suite
|
|
+ if [ $? -ne 0 ]; then
|
|
+ echo "Failed default ciphersuite $cipher_suite"
|
|
+ exit 1
|
|
+ fi
|
|
+done
|
|
+
|
|
+echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite"
|
|
+../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep "MD5\|RC4\|DES-[^CBC3]"
|
|
+
|
|
+if [ $? -ne 1 ];then
|
|
+ echo "weak ciphers are present on DEFAULT_SUSE cipher suite"
|
|
+ exit 1
|
|
+fi
|
|
+
|
|
+
|
|
#############################################################################
|
|
|
|
if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
|