From: Michael Tremer
Date: Thu, 12 Mar 2015 11:55:40 +0000 (+0100)
Subject: openssl: Disable SSLv3 and SSLv2 by default
X-Git-Tag: v2.17-core89~29
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=d0bd5afe1b27020b41d0e7e043578e313a0ebf39;hp=33bfe91f5b3a332f8a711d00de8f967243daf6c5

openssl: Disable SSLv3 and SSLv2 by default

This patch will disable SSLv3 and SSLv2 by default but leaves the protocol compiled in into the library so that applications can use it when they still need it (e.g. sslscan).
---
diff --git a/lfs/openssl b/lfs/openssl
index eae2c6e53a..df068f3a78 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
 	cd $(DIR_APP) && find crypto/ -name Makefile -exec \
 		sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
diff --git a/src/patches/openssl-disable-sslv2-sslv3.patch b/src/patches/openssl-disable-sslv2-sslv3.patch
new file mode 100644
index 0000000000..ebf542907d
--- /dev/null
+++ b/src/patches/openssl-disable-sslv2-sslv3.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3	2014-06-11 16:02:52.000000000 +0200
++++ openssl-1.0.1h/ssl/ssl_lib.c	2014-06-30 14:18:04.290248080 +0200
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ 	 */
+ 	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
++	/* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++	ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ 	return(ret);
+ err:
+ 	SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
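Review bot: The new patch file src/patches/openssl-disable-sslv2-sslv3.patch carries no note on where it was taken from or how an application is meant to opt back in, and `patch` ignores free text before the first `diff` line, so a short header would cost nothing. Something like `Taken from an openssl-1.0.1h tree (see the headers below). Applications that still need SSLv3 must call SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) or use SSLv3_method() explicitly; SSL_CTX_set_options() can only add bits, so it cannot undo this default.` The inner diff headers name openssl-1.0.1h while the other patches applied in lfs/openssl are named for 1.0.1e, so whether this hunk lands without fuzz depends on the tree's ssl_lib.c; that is worth confirming once in the build log rather than assuming. Note also that the default only takes effect for contexts created through SSL_CTX_new() with a version-flexible method (the in-code comment says as much), and any in-tree caller of SSL_CTX_clear_options() would silently re-enable both protocols, so a quick audit of those callers would show which services actually benefit from this change.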