66d6e48709
NOTE:
I submitted perl-Net-SSLeay 1.64 update to devel:languages:perl which
fixes its regression.
- updated openssl to 1.0.1h (bnc#880891):
- CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
- CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
- CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
overrun attack can be triggered by sending invalid DTLS fragments to
an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
- CVE-2014-3470: Fix bug in TLS code where clients enable anonymous
ECDH ciphersuites are subject to a denial of service attack.
- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
- CVE-2014-0198.patch: removed, upstream
- 0009-Fix-double-frees.patch: removed, upstream
- 0012-Fix-eckey_priv_encode.patch: removed, upstream
- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
- 0020-Initialize-num-properly.patch: removed, upstream
- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
- openssl-1.0.1c-ipv6-apps.patch: refreshed
- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed
- Added new SUSE default cipher suite
openssl-1.0.1e-add-suse-default-cipher.patch
OBS-URL: https://build.opensuse.org/request/show/236989
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=118
40 lines
1.9 KiB
Diff
40 lines
1.9 KiB
Diff
Index: openssl-1.0.1g/ssl/ssl_ciph.c
|
|
===================================================================
|
|
--- openssl-1.0.1g.orig/ssl/ssl_ciph.c
|
|
+++ openssl-1.0.1g/ssl/ssl_ciph.c
|
|
@@ -1470,7 +1470,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
*/
|
|
ok = 1;
|
|
rule_p = rule_str;
|
|
- if (strncmp(rule_str,"DEFAULT",7) == 0)
|
|
+
|
|
+ if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0)
|
|
+ {
|
|
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
|
|
+ &head, &tail, ca_list);
|
|
+ rule_p += 12;
|
|
+ if (*rule_p == ':')
|
|
+ rule_p++;
|
|
+ }
|
|
+
|
|
+ else if (strncmp(rule_str,"DEFAULT",7) == 0)
|
|
{
|
|
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
|
|
&head, &tail, ca_list);
|
|
Index: openssl-1.0.1g/ssl/ssl.h
|
|
===================================================================
|
|
--- openssl-1.0.1g.orig/ssl/ssl.h
|
|
+++ openssl-1.0.1g/ssl/ssl.h
|
|
@@ -331,7 +331,10 @@ extern "C" {
|
|
/* The following cipher list is used by default.
|
|
* It also is substituted when an application-defined cipher list string
|
|
* starts with 'DEFAULT'. */
|
|
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
|
|
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
|
|
+#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
|
|
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
|
|
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
|
|
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
|
* starts with a reasonable order, and all we have to do for DEFAULT is
|
|
* throwing out anonymous and unencrypted ciphersuites!
|