SHA256
1
0
forked from pool/openssl-1_1
Dominique Leuenberger 2022-03-11 20:39:43 +00:00 committed by Git OBS Bridge
commit 7812ff217a
3 changed files with 41 additions and 20 deletions

View File

@ -1,26 +1,29 @@
--- a/apps/openssl.cnf 2021-08-24 09:38:47.000000000 -0400
+++ b/apps/openssl.cnf 2021-12-06 17:13:34.549291242 -0500
@@ -11,9 +11,23 @@
Index: openssl-1.1.1m/apps/openssl.cnf
===================================================================
--- openssl-1.1.1m.orig/apps/openssl.cnf
+++ openssl-1.1.1m/apps/openssl.cnf
@@ -11,6 +11,24 @@
# defined.
HOME = .
+openssl_conf = openssl_init
+openssl_conf = openssl_init
+
+[openssl_init]
+[ openssl_init ]
+
+engines = engine_section
+
+[ engine_section ]
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+.include /etc/ssl/engines.d
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef.d
+
+[ oid_section ]
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
+engines = engine_section
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+[engine_section]
+.include /etc/ssl/engines.d/
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef.d/
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Fri Mar 4 13:11:14 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1192820, CVE-2002-20001]
* Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
remote attackers (from the client side) to send arbitrary
numbers that are actually not public keys, and trigger
expensive server-side DHE calculation.
* Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
* Rebase openssl-DEFAULT_SUSE_cipher.patch
-------------------------------------------------------------------
Tue Feb 22 17:35:53 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187]
* In an INI-type file, the sections begin with a [section_name]
and they run until the next section begins.
* Rebase openssl-1_1-use-include-directive.patch
-------------------------------------------------------------------
Fri Feb 11 12:32:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

View File

@ -22,14 +22,13 @@ Index: openssl-1.1.1/include/openssl/ssl.h
===================================================================
--- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200
@@ -171,6 +171,11 @@ extern "C" {
@@ -171,6 +171,10 @@ extern "C" {
* This applies to ciphersuites for TLSv1.2 and below.
*/
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)