rpms/openssl/devel openssl-0.9.7a-can-2005-2969.patch, NONE, 1.1 openssl-0.9.7f-defaults.patch, 1.1, 1.2 openssl.spec, 1.59, 1.60
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Oct 12 12:01:34 UTC 2005
Author: tmraz
Update of /cvs/dist/rpms/openssl/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv19937
Modified Files:
openssl-0.9.7f-defaults.patch openssl.spec
Added Files:
openssl-0.9.7a-can-2005-2969.patch
Log Message:
* Wed Oct 12 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7f-10
- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
disables the countermeasure against man in the middle attack in SSLv2
(#169863)
- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)
openssl-0.9.7a-can-2005-2969.patch:
doc/ssl/SSL_CTX_set_options.pod | 2 +-
ssl/s23_srvr.c | 7 +------
ssl/ssl.h | 2 +-
3 files changed, 3 insertions(+), 8 deletions(-)
--- NEW FILE openssl-0.9.7a-can-2005-2969.patch ---
Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea.
Index: doc/ssl/SSL_CTX_set_options.pod
===================================================================
RCS file: /e/openssl/cvs/openssl/doc/ssl/SSL_CTX_set_options.pod,v
retrieving revision 1.9.2.4
diff -u -r1.9.2.4 SSL_CTX_set_options.pod
--- doc/ssl/SSL_CTX_set_options.pod 22 Mar 2005 17:54:13 -0000 1.9.2.4
+++ doc/ssl/SSL_CTX_set_options.pod 23 Sep 2005 03:38:43 -0000
@@ -86,7 +86,7 @@
=item SSL_OP_MSIE_SSLV2_RSA_PADDING
-...
+This option has no effect now.
=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
Index: ssl/s23_srvr.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s23_srvr.c,v
retrieving revision 1.41.2.6
diff -u -r1.41.2.6 s23_srvr.c
--- ssl/s23_srvr.c 31 Jan 2005 01:33:35 -0000 1.41.2.6
+++ ssl/s23_srvr.c 23 Sep 2005 03:38:44 -0000
@@ -268,9 +268,6 @@
int n=0,j;
int type=0;
int v[2];
-#ifndef OPENSSL_NO_RSA
- int use_sslv2_strong=0;
-#endif
if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
{
@@ -528,9 +525,7 @@
}
s->state=SSL2_ST_GET_CLIENT_HELLO_A;
- if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
- use_sslv2_strong ||
- (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
+ if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
s->s2->ssl2_rollback=0;
else
/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
Index: ssl/ssl.h
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
retrieving revision 1.126.2.23
diff -u -r1.126.2.23 ssl.h
--- ssl/ssl.h 10 Jun 2005 20:00:39 -0000 1.126.2.23
+++ ssl/ssl.h 23 Sep 2005 03:38:47 -0000
@@ -467,7 +467,7 @@
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect due to CAN-2005-2969 */
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
openssl-0.9.7f-defaults.patch:
openssl.cnf | 16 ++++++++++------
1 files changed, 10 insertions(+), 6 deletions(-)
Index: openssl-0.9.7f-defaults.patch
===================================================================
RCS file: /cvs/dist/rpms/openssl/devel/openssl-0.9.7f-defaults.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- openssl-0.9.7f-defaults.patch 27 Apr 2005 10:48:43 -0000 1.1
+++ openssl-0.9.7f-defaults.patch 12 Oct 2005 12:01:15 -0000 1.2
@@ -1,6 +1,23 @@
---- openssl-0.9.7f/apps/openssl.cnf.defaults 2004-05-13 23:38:37.000000000 +0200
-+++ openssl-0.9.7f/apps/openssl.cnf 2005-04-27 11:40:02.651321967 +0200
-@@ -116,23 +116,26 @@
+--- openssl-0.9.7f/apps/openssl.cnf.defaults 2005-10-12 11:43:43.000000000 +0200
++++ openssl-0.9.7f/apps/openssl.cnf 2005-10-12 13:39:11.000000000 +0200
+@@ -67,7 +67,7 @@
+
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+-default_md = md5 # which md to use.
++default_md = sha1 # which md to use.
+ preserve = no # keep passed DN ordering
+
+ # A few difference way of specifying how similar the request should look
+@@ -99,6 +99,7 @@
+ ####################################################################
+ [ req ]
+ default_bits = 1024
++default_md = sha1
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+@@ -116,23 +117,26 @@
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
@@ -31,7 +48,7 @@
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
-@@ -141,7 +144,7 @@
+@@ -141,7 +145,7 @@
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
Index: openssl.spec
===================================================================
RCS file: /cvs/dist/rpms/openssl/devel/openssl.spec,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- openssl.spec 23 Aug 2005 15:28:52 -0000 1.59
+++ openssl.spec 12 Oct 2005 12:01:16 -0000 1.60
@@ -8,7 +8,7 @@
%define soversion 5
# Number of threads to spawn when testing some threading fixes.
-#%define thread_test_threads %{?threads:%{threads}}%{!?threads:100}
+#%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
@@ -22,7 +22,7 @@
Summary: The OpenSSL toolkit.
Name: openssl
Version: 0.9.7f
-Release: 9
+Release: 10
Source: openssl-%{version}-usa.tar.bz2
Source1: hobble-openssl
Source2: Makefile.certificate
@@ -55,6 +55,7 @@
Patch48: openssl-0.9.7f-dsa-consttime.patch
Patch49: openssl-0.9.7f-bn-ppc-div.patch
Patch50: openssl-0.9.7f-apps-initialize.patch
+Patch51: openssl-0.9.7a-can-2005-2969.patch
License: BSDish
Group: System Environment/Libraries
@@ -140,6 +141,8 @@
%patch48 -p1 -b .dsa-consttime
%patch49 -p1 -b .ppc-div
%patch50 -p1 -b .apps-initialize
+# CAN-2005-2969
+%patch51 -p0 -b .ssl2-rollback
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@@ -407,6 +410,12 @@
%postun -p /sbin/ldconfig
%changelog
+* Wed Oct 12 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7f-10
+- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
+ disables the countermeasure against man in the middle attack in SSLv2
+ (#169863)
+- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)
+
* Tue Aug 23 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7f-9
- add *.so.soversion as symlinks in /lib (#165264)
- remove unpackaged symlinks (#159595)
More information about the fedora-cvs-commits
mailing list