bdf3209e96
- update to 1.0.2a
* Major changes since 1.0.1:
- Suite B support for TLS 1.2 and DTLS 1.2
- Support for DTLS 1.2
- TLS automatic EC curve selection.
- API to set TLS supported signature algorithms and curves
- SSL_CONF configuration API.
- TLS Brainpool support.
- ALPN support.
- CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
- packaging changes:
* merged patches modifying CIPHER_LIST into one, dropping:
- openssl-1.0.1e-add-suse-default-cipher-header.patch
- openssl-libssl-noweakciphers.patch
* fix a manpage with invalid name
- added openssl-fix_invalid_manpage_name.patch
* remove a missing fips function
- openssl-missing_FIPS_ec_group_new_by_curve_name.patch
* reimported patches from Fedora
dropped patches:
- openssl-1.0.1c-default-paths.patch
- openssl-1.0.1c-ipv6-apps.patch
- openssl-1.0.1e-fips-ctor.patch
- openssl-1.0.1e-fips-ec.patch
- openssl-1.0.1e-fips.patch
- openssl-1.0.1e-new-fips-reqs.patch
- VIA_padlock_support_on_64systems.patch
added patches:
- openssl-1.0.2a-default-paths.patch
- openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/310849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127
39 lines
2.1 KiB
Diff
39 lines
2.1 KiB
Diff
Index: openssl-1.0.2a/ssl/ssl_ciph.c
|
|
===================================================================
|
|
--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-05-24 14:26:18.132243785 +0200
|
|
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-05-24 14:26:18.229245199 +0200
|
|
@@ -1604,7 +1604,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
*/
|
|
ok = 1;
|
|
rule_p = rule_str;
|
|
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
|
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
|
|
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
|
|
+ &head, &tail, ca_list);
|
|
+ rule_p += 12;
|
|
+ if (*rule_p == ':')
|
|
+ rule_p++;
|
|
+ }
|
|
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
|
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
|
|
&head, &tail, ca_list);
|
|
rule_p += 7;
|
|
Index: openssl-1.0.2a/ssl/ssl.h
|
|
===================================================================
|
|
--- openssl-1.0.2a.orig/ssl/ssl.h 2015-03-19 14:30:36.000000000 +0100
|
|
+++ openssl-1.0.2a/ssl/ssl.h 2015-05-24 14:31:25.801726491 +0200
|
|
@@ -338,7 +338,12 @@ extern "C" {
|
|
* The following cipher list is used by default. It also is substituted when
|
|
* an application-defined cipher list string starts with 'DEFAULT'.
|
|
*/
|
|
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
|
|
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
|
|
+
|
|
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
|
|
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
|
|
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
|
|
+
|
|
/*
|
|
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
|
|
* starts with a reasonable order, and all we have to do for DEFAULT is
|