public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: for consistent support of security policies we build
@ 2026-06-09 12:44 Tomas Mraz
0 siblings, 0 replies; only message in thread
From: Tomas Mraz @ 2026-06-09 12:44 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 1a7b91b47232e59b671d3ca34e3b7aa6e16674b6
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2018-09-14T10:56:06+02:00
Stats : +58/-31 in 4 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/1a7b91b47232e59b671d3ca34e3b7aa6e16674b6?branch=rebase_40beta
Log:
for consistent support of security policies we build
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
---
diff --git a/openssl-1.1.0-weak-ciphers.patch b/openssl-1.1.0-weak-ciphers.patch
deleted file mode 100644
index 6dfd9e3..0000000
--- a/openssl-1.1.0-weak-ciphers.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
---- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
-+++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
-@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_GOST89MAC,
- TLS1_VERSION, TLS1_2_VERSION,
- 0, 0,
-- SSL_HIGH,
-+ SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
- 256,
- 256,
-@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_GOST89MAC12,
- TLS1_VERSION, TLS1_2_VERSION,
- 0, 0,
-- SSL_HIGH,
-+ SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
- 256,
- 256,
-@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- },
- #endif /* OPENSSL_NO_SEED */
-
--#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-+#if 0 /* No RC4 */
- {
- 1,
- SSL3_TXT_RSA_RC4_128_MD5,
diff --git a/openssl-1.1.1-seclevel.patch b/openssl-1.1.1-seclevel.patch
new file mode 100644
index 0000000..1e26df6
--- /dev/null
+++ b/openssl-1.1.1-seclevel.patch
@@ -0,0 +1,51 @@
+diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
+--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
++++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-09-14 10:51:05.126520376 +0200
+@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
+ }
+
+ static const int minbits_table[] = { 80, 112, 128, 192, 256 };
++static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
+ static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
+
+ /*
+@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
+
+ if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+ return 0;
+-
+- return secbits >= minbits_table[level - 1];
++ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
++ if (FIPS_mode())
++ return secbits >= minbits_table[level - 1];
++ return secbits >= minbits_digest_table[level - 1];
+ }
+diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
+--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
++++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-09-13 15:55:17.579190996 +0200
+@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
+
+ =item B<Level 2>
+
+-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
+-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
++Security level set to 112 bits of security with the exception of SHA1 allowed
++for signatures.
++As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
++shorter than 224 bits are prohibited.
+ In addition to the level 1 exclusions any cipher suite using RC4 is also
+ prohibited. SSL version 3 is also not allowed. Compression is disabled.
+
+diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
+--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
++++ openssl-1.1.1/ssl/ssl_cert.c 2018-09-14 10:50:35.960112056 +0200
+@@ -983,6 +983,9 @@ static int ssl_security_default_callback
+ return 0;
+ break;
+ default:
++ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
++ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
++ break;
+ if (bits < minbits)
+ return 0;
+ }
diff --git a/openssl-1.1.1-weak-ciphers.patch b/openssl-1.1.1-weak-ciphers.patch
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/openssl-1.1.1-weak-ciphers.patch
diff --git a/openssl.spec b/openssl.spec
index d9f3d8f..1d28483 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -56,7 +56,8 @@ Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
-Patch45: openssl-1.1.0-weak-ciphers.patch
+Patch45: openssl-1.1.1-weak-ciphers.patch
+Patch46: openssl-1.1.1-seclevel.patch
# Backported fixes including security fixes
License: OpenSSL
@@ -159,6 +160,7 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
+%patch46 -p1 -b .seclevel
%build
@@ -447,6 +449,10 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
+* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
+- for consistent support of security policies we build
+ RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
+
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
- update to the final 1.1.1 version
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:44 [rpms/openssl] rebase_40beta: for consistent support of security policies we build Tomas Mraz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox