From 33c4c29b5e32c818e1c0fc925424950f8cd613f6 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 29 Dec 2013 20:46:41 +0100
Subject: [PATCH] openssl: Don't propose too weak ciphers.

---
 lfs/openssl | 1 +
 src/patches/openssl-1.0.1e-weak-ciphers.patch | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 src/patches/openssl-1.0.1e-weak-ciphers.patch

diff --git a/lfs/openssl b/lfs/openssl
index 3452b7198..e75101f16 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_pod_syntax-1.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
 cd $(DIR_APP) && find crypto/ -name Makefile -exec \
 sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
diff --git a/src/patches/openssl-1.0.1e-weak-ciphers.patch b/src/patches/openssl-1.0.1e-weak-ciphers.patch
new file mode 100644
index 000000000..865734538
--- /dev/null
+++ b/src/patches/openssl-1.0.1e-weak-ciphers.patch
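Review bot: The patch file read on the added line, `$(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch`, is consumed at recipe time but is not a prerequisite of `$(TARGET)`, whose only prerequisites are `$(patsubst %,$(DIR_DL)/%,$(objects))`, so a later edit to the cipher-list patch will not trigger a rebuild and an already-built tree silently keeps the old compiled-in default. The three sibling `patch -Np1` lines above share the same gap, so this presumably follows the tree's established convention rather than being a new defect; if the openssl package carries a version or release field elsewhere in the file (not visible in this hunk), bumping it is the usual way to make the hardened default reach existing installations. The `$(TARGET)` recipe continues outside the hunk.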
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
+--- openssl-1.0.1e/ssl/ssl.h.weak-ciphers 2013-12-18 15:50:40.881620314 +0100
++++ openssl-1.0.1e/ssl/ssl.h 2013-12-18 14:25:25.596566704 +0100
+@@ -331,7 +331,7 @@ extern "C" {
+ /* The following cipher list is used by default.
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
++#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
--
2.39.2
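Review bot: The new default `"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"` drops export-grade, RC2 and single-DES suites, but `ALL` still admits RC4 and MD5-MAC suites and `!DES` does not cover triple-DES (that is the separate `3DES` keyword), so the compiled-in list stays weaker than the commit title implies; if those are also meant to go, extend the string, e.g. `#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES:!RC4:!MD5"`. As the surrounding comment states, this constant is only used when an application relies on the built-in default or passes a cipher string beginning with `DEFAULT`; applications that set their own explicit cipher list are unaffected. That scope is worth recording in a short header above the `diff -up` line (text before the first `diff` line is ignored by `patch -Np1`), so maintainers do not assume every OpenSSL consumer on the system is hardened by this change.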