openssl/openssl-libssl-noweakciphers.patch

--- openssl-1.0.1g.orig/ssl/ssl.h
+++ openssl-1.0.1g/ssl/ssl.h
@@ -331,7 +331,7 @@ extern "C" {
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"
 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
  * throwing out anonymous and unencrypted ciphersuites!
Accepting request 231108 from Base:System - Build everything with full RELRO (-Wl,-z,relro,-z,now) - Remove -fstack-protector from the hardcoded build options it is already in RPM_OPT_FLAGS and is replaced by -fstack-protector-strong with gcc 4.9 - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net to work in openSUSE and match the functionality available in Debian/Fedora/etc - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix CVE-2010-5298 and disable the internal BUF_FREELISTS functionality. it hides bugs like heartbleed and is there only for systems on which malloc() free() are slow. - ensure we export MALLOC_CHECK and PERTURB during the test suite, now that the freelist functionality is disabled it will help to catch bugs before they hit users. - openssl-libssl-noweakciphers.patch do not offer "export" or "low" quality ciphers by default. using such ciphers is not forbidden but requires an explicit request - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does not return memory of "num * old_num" but only "num" size fortunately this function is currently unused. (forwarded request 230868 from elvigia) OBS-URL: https://build.opensuse.org/request/show/231108 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=114 2014-04-26 17:01:45 +02:00			`--- openssl-1.0.1g.orig/ssl/ssl.h`
			`+++ openssl-1.0.1g/ssl/ssl.h`
			`@@ -331,7 +331,7 @@ extern "C" {`
			`/* The following cipher list is used by default.`
			`* It also is substituted when an application-defined cipher list string`
			`* starts with 'DEFAULT'. */`
			`-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"`
			`+#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW"`
			`/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always`
			`* starts with a reasonable order, and all we have to do for DEFAULT is`
			`* throwing out anonymous and unencrypted ciphersuites!`