7f772876ff
- update to 1.0.2d
* fixes CVE-2015-1793 (bsc#936746)
Alternate chains certificate forgery
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
- drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/315685
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128
52 lines
2.2 KiB
Diff
52 lines
2.2 KiB
Diff
Index: openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod
|
|
===================================================================
|
|
--- openssl-1.0.2b.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-06-11 20:11:49.353667505 +0200
|
|
+++ openssl-1.0.2b/doc/ssl/SSL_COMP_add_compression_method.pod 2015-06-11 20:11:51.183689314 +0200
|
|
@@ -47,6 +47,24 @@ of compression methods supported on a pe
|
|
If enabled during compilation, the OpenSSL library will have the
|
|
COMP_zlib() compression method available.
|
|
|
|
+And, there is an environment variable to switch the compression
|
|
+methods off and on. In default the compression is off to mitigate
|
|
+the so called CRIME attack ( CVE-2012-4929). If you want to enable
|
|
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
|
|
+
|
|
+The variable can be switched on and off at runtime; when this variable
|
|
+is set "no" compression is enabled, otherwise no, for example:
|
|
+
|
|
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
|
|
+or in C to call
|
|
+int setenv(const char *name, const char *value, int overwrite); and
|
|
+int unsetenv(const char *name);
|
|
+
|
|
+Note: This reverts the behavior of the variable as it was before!
|
|
+
|
|
+And pay attention that this freaure is temporary, it maybe changed by
|
|
+the following updates.
|
|
+
|
|
=head1 WARNINGS
|
|
|
|
Once the identities of the compression methods for the TLS protocol have
|
|
Index: openssl-1.0.2b/ssl/ssl_ciph.c
|
|
===================================================================
|
|
--- openssl-1.0.2b.orig/ssl/ssl_ciph.c 2015-06-11 20:11:49.353667505 +0200
|
|
+++ openssl-1.0.2b/ssl/ssl_ciph.c 2015-06-11 20:11:51.183689314 +0200
|
|
@@ -478,10 +478,16 @@ static void load_builtin_compressions(vo
|
|
|
|
if (ssl_comp_methods == NULL) {
|
|
SSL_COMP *comp = NULL;
|
|
+ const char *nodefaultzlib;
|
|
|
|
MemCheck_off();
|
|
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
|
- if (ssl_comp_methods != NULL) {
|
|
+ /* The default is "no" compression to avoid CRIME/BEAST */
|
|
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
|
|
+ if ( ssl_comp_methods != NULL &&
|
|
+ nodefaultzlib &&
|
|
+ strncmp( nodefaultzlib, "no", 2) == 0)
|
|
+ {
|
|
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
|
if (comp != NULL) {
|
|
comp->method = COMP_zlib();
|