From d0bd5afe1b27020b41d0e7e043578e313a0ebf39 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 12 Mar 2015 12:55:40 +0100
Subject: [PATCH 1/1] openssl: Disable SSLv3 and SSLv2 by default

This patch will disable SSLv3 and SSLv2 by default but leaves the protocol compiled in into the library so that applications can use it when they still need it (e.g. sslscan).
---
 lfs/openssl | 1 +
 src/patches/openssl-disable-sslv2-sslv3.patch | 13 +++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 src/patches/openssl-disable-sslv2-sslv3.patch

diff --git a/lfs/openssl b/lfs/openssl
index eae2c6e53a..df068f3a78 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
 cd $(DIR_APP) && find crypto/ -name Makefile -exec \
 sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
diff --git a/src/patches/openssl-disable-sslv2-sslv3.patch b/src/patches/openssl-disable-sslv2-sslv3.patch
new file mode 100644
index 0000000000..ebf542907d
--- /dev/null
+++ b/src/patches/openssl-disable-sslv2-sslv3.patch
@@ -0,0 +1,13 @@
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3 2014-06-11 16:02:52.000000000 +0200
++++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-30 14:18:04.290248080 +0200
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ */
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ 
++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++
+ return(ret);
+ err:
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
-- 
2.39.2
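Review bot: The added `patch -Np1` line applies a file whose own headers name `openssl-1.0.1h/ssl/ssl_lib.c`, while every neighbouring patch in this recipe is named for `openssl-1.0.1e`; the recipe's version variable is outside the hunk, so I cannot tell which release the tree actually unpacks. GNU patch tolerates offsets and fuzz by default, so a version mismatch would not fail the build but could place the two new lines somewhere other than the end of `SSL_CTX_new()`. It would be worth confirming the hunk applies with `--fuzz=0` against the unpacked release and naming the file for that release, consistent with the `openssl-1.0.1e-*` siblings. The enclosing `$(TARGET)` recipe starts before and continues after this hunk.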
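Review bot: The new patch file has no header text before its first `diff -up` line, so anyone reading `src/patches/` later sees only the two added `ret->options` lines without the rationale; `patch` ignores leading prose, so a short paragraph can be added above `diff -up ...` stating that SSLv2/SSLv3 remain compiled in and that an application needing them must call `SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` after `SSL_CTX_new()`. The in-code comment correctly limits the effect to `SSLv23_method()`; it would help to also state there that callers using `SSLv3_method()` directly are unaffected and that peers which only speak SSLv3 will now fail version negotiation, since that is the symptom operators will first observe. Because `SSL_CTX_set_options()` only ORs bits in, existing application code cannot drop these defaults by accident, which is presumably the intent. `SSL_CTX_new()` begins before this hunk.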