[rpms/openssl] rebase_40beta: reinstate accidentally dropped patch for weak ciphersuites

[Tomas Mraz <tmraz@fedoraproject.org>]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 33bd389ea82fcbbb132afa1ac20efe99835e92ec
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2018-09-17T12:56:19+02:00
Stats  : +61/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/33bd389ea82fcbbb132afa1ac20efe99835e92ec?branch=rebase_40beta

Log:
reinstate accidentally dropped patch for weak ciphersuites

---
diff --git a/openssl-1.1.1-weak-ciphers.patch b/openssl-1.1.1-weak-ciphers.patch
index e69de29..0083643 100644
--- a/openssl-1.1.1-weak-ciphers.patch
+++ b/openssl-1.1.1-weak-ciphers.patch
@@ -0,0 +1,57 @@
+diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
+--- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers	2018-09-11 14:48:23.000000000 +0200
++++ openssl-1.1.1/ssl/s3_lib.c	2018-09-17 12:53:33.850637181 +0200
+@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_GOST89MAC,
+      TLS1_VERSION, TLS1_2_VERSION,
+      0, 0,
+-     SSL_HIGH,
++     SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
+      256,
+      256,
+@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_GOST89MAC12,
+      TLS1_VERSION, TLS1_2_VERSION,
+      0, 0,
+-     SSL_HIGH,
++     SSL_MEDIUM,
+      SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
+      256,
+      256,
+@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      },
+ #endif                          /* OPENSSL_NO_SEED */
+ 
+-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
++#if 0 /* No MD5 ciphersuites */
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_MD5,
+@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_RC4_128_SHA,
+@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
++#if 0
+     {
+      1,
+      SSL3_TXT_ADH_RC4_128_MD5,
+@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      128,
+      128,
+      },
++#endif
++#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,

diff --git a/openssl.spec b/openssl.spec
index 3a25df1..74f0d49 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -449,6 +449,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
+- reinstate accidentally dropped patch for weak ciphersuites
+
 * Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
 - for consistent support of security policies we build
   RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2