0bb9b0ad33
- Build everything with full RELRO (-Wl,-z,relro,-z,now) - Remove -fstack-protector from the hardcoded build options it is already in RPM_OPT_FLAGS and is replaced by -fstack-protector-strong with gcc 4.9 - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net to work in openSUSE and match the functionality available in Debian/Fedora/etc - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix CVE-2010-5298 and disable the internal BUF_FREELISTS functionality. it hides bugs like heartbleed and is there only for systems on which malloc() free() are slow. - ensure we export MALLOC_CHECK and PERTURB during the test suite, now that the freelist functionality is disabled it will help to catch bugs before they hit users. - openssl-libssl-noweakciphers.patch do not offer "export" or "low" quality ciphers by default. using such ciphers is not forbidden but requires an explicit request - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does not return memory of "num * old_num" but only "num" size fortunately this function is currently unused. (forwarded request 230868 from elvigia) OBS-URL: https://build.opensuse.org/request/show/231108 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=114
12 lines
588 B
Diff
12 lines
588 B
Diff
--- openssl-1.0.1g.orig/ssl/ssl.h
|
|
+++ openssl-1.0.1g/ssl/ssl.h
|
|
@@ -331,7 +331,7 @@ extern "C" {
|
|
/* The following cipher list is used by default.
|
|
* It also is substituted when an application-defined cipher list string
|
|
* starts with 'DEFAULT'. */
|
|
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
|
|
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
|
|
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
|
* starts with a reasonable order, and all we have to do for DEFAULT is
|
|
* throwing out anonymous and unencrypted ciphersuites!
|