bdf3209e96
- update to 1.0.2a
* Major changes since 1.0.1:
- Suite B support for TLS 1.2 and DTLS 1.2
- Support for DTLS 1.2
- TLS automatic EC curve selection.
- API to set TLS supported signature algorithms and curves
- SSL_CONF configuration API.
- TLS Brainpool support.
- ALPN support.
- CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
- packaging changes:
* merged patches modifying CIPHER_LIST into one, dropping:
- openssl-1.0.1e-add-suse-default-cipher-header.patch
- openssl-libssl-noweakciphers.patch
* fix a manpage with invalid name
- added openssl-fix_invalid_manpage_name.patch
* remove a missing fips function
- openssl-missing_FIPS_ec_group_new_by_curve_name.patch
* reimported patches from Fedora
dropped patches:
- openssl-1.0.1c-default-paths.patch
- openssl-1.0.1c-ipv6-apps.patch
- openssl-1.0.1e-fips-ctor.patch
- openssl-1.0.1e-fips-ec.patch
- openssl-1.0.1e-fips.patch
- openssl-1.0.1e-new-fips-reqs.patch
- VIA_padlock_support_on_64systems.patch
added patches:
- openssl-1.0.2a-default-paths.patch
- openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/310849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127
52 lines
2.3 KiB
Diff
52 lines
2.3 KiB
Diff
Index: openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
|
|
===================================================================
|
|
--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-03 22:10:19.262805732 +0200
|
|
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-03 22:10:28.958939879 +0200
|
|
@@ -41,6 +41,24 @@ of compression methods supported on a pe
|
|
The OpenSSL library has the compression methods B<COMP_rle()> and (when
|
|
especially enabled during compilation) B<COMP_zlib()> available.
|
|
|
|
+And, there is an environment variable to switch the compression
|
|
+methods off and on. In default the compression is off to mitigate
|
|
+the so called CRIME attack ( CVE-2012-4929). If you want to enable
|
|
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
|
|
+
|
|
+The variable can be switched on and off at runtime; when this variable
|
|
+is set "no" compression is enabled, otherwise no, for example:
|
|
+
|
|
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
|
|
+or in C to call
|
|
+int setenv(const char *name, const char *value, int overwrite); and
|
|
+int unsetenv(const char *name);
|
|
+
|
|
+Note: This reverts the behavior of the variable as it was before!
|
|
+
|
|
+And pay attention that this freaure is temporary, it maybe changed by
|
|
+the following updates.
|
|
+
|
|
=head1 WARNINGS
|
|
|
|
Once the identities of the compression methods for the TLS protocol have
|
|
Index: openssl-1.0.2a/ssl/ssl_ciph.c
|
|
===================================================================
|
|
--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-04-03 22:10:28.959939893 +0200
|
|
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-03 22:12:33.425662139 +0200
|
|
@@ -478,10 +478,16 @@ static void load_builtin_compressions(vo
|
|
|
|
if (ssl_comp_methods == NULL) {
|
|
SSL_COMP *comp = NULL;
|
|
+ const char *nodefaultzlib;
|
|
|
|
MemCheck_off();
|
|
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
|
- if (ssl_comp_methods != NULL) {
|
|
+ /* The default is "no" compression to avoid CRIME/BEAST */
|
|
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
|
|
+ if ( ssl_comp_methods != NULL &&
|
|
+ nodefaultzlib &&
|
|
+ strncmp( nodefaultzlib, "no", 2) == 0)
|
|
+ {
|
|
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
|
if (comp != NULL) {
|
|
comp->method = COMP_zlib();
|