From 353e08cd7778f2070469842ebe0f553e648f79d4 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Wed, 2 Mar 2016 21:31:07 +0100
Subject: [PATCH] openssl: compile with sslv2 support but disable the new default breaks the ABI so we need to compile in but disable it with a patch.
---
 lfs/openssl | 2 +-
 .../openssl-1.0.2g-disable-sslv2v3.patch | 18 ++++++++++++++++++
 src/patches/openssl-disable-sslv2-sslv3.patch | 12 ------------
 3 files changed, 19 insertions(+), 13 deletions(-)
 create mode 100644 src/patches/openssl-1.0.2g-disable-sslv2v3.patch
 delete mode 100644 src/patches/openssl-disable-sslv2-sslv3.patch
diff --git a/lfs/openssl b/lfs/openssl
index c68cf29030..f45295e4b1 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -119,7 +119,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
 # i586 specific patches
 ifeq "$(MACHINE)" "i586"
diff --git a/src/patches/openssl-1.0.2g-disable-sslv2v3.patch b/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
new file mode 100644
index 0000000000..06f51322b4
--- /dev/null
+++ b/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
@@ -0,0 +1,18 @@
+diff -up openssl-1.0.2g/ssl/ssl_lib.c.v2v3 openssl-1.0.2g/ssl/ssl_lib.c
+--- openssl-1.0.2g/ssl/ssl_lib.c.v2v3 2016-03-01 16:38:26.879142021 +0100
++++ openssl-1.0.2g/ssl/ssl_lib.c 2016-03-01 16:41:32.977353769 +0100
+@@ -2055,11 +2055,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
+ /*
+- * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
+- * explicitly clear this option via either of SSL_CTX_clear_options() or
++ * Disable SSLv2 and SSLv3 by default, callers that want to enable these will have to
++ * explicitly clear these options via either of SSL_CTX_clear_options() or
+ * SSL_clear_options().
+ */
+- ret->options |= SSL_OP_NO_SSLv2;
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+
+ return (ret);
+ err:
diff --git a/src/patches/openssl-disable-sslv2-sslv3.patch b/src/patches/openssl-disable-sslv2-sslv3.patch
deleted file mode 100644
index e42dfac69b..0000000000
--- a/src/patches/openssl-disable-sslv2-sslv3.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- openssl-1.0.1m/ssl/ssl_lib.c.old 2015-03-19 15:56:40.966287977 +0100
-+++ openssl-1.0.1m/ssl/ssl_lib.c 2015-03-19 15:57:07.976160846 +0100
-@@ -1892,6 +1892,9 @@
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-+
- return (ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
-- 
2.39.2
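Review bot: The rewritten comment in the new patch drops the caveat the deleted patch carried, that these options take effect for the SSLv23_method() family only; since the commit message says SSLv2 stays compiled in for ABI reasons, an application that selects a protocol-specific method, or that clears the options via SSL_CTX_clear_options()/SSL_clear_options() as the comment itself invites, presumably still gets SSLv2/SSLv3. Suggest keeping that caveat, e.g. ` * Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() family only; protocol-specific methods and callers that clear these options are not covered).` Because the hunk only changes the default in SSL_CTX_new(), it is worth checking in-tree consumers for either pattern and confirming after install that no exposed service completes an SSLv2 or SSLv3 handshake. The hunk context (line 2055 of ssl_lib.c) is specific to 1.0.2g, so the patch will need regenerating on the next openssl bump; the rest of SSL_CTX_new() is outside the hunk.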