rpms / mingw-openssl

Clone
Source Code
GIT

Files

  1.   f8a253ee41eb3ff94eae25d48adcab31406ef1d6
  2.   0024-load-legacy-prov.patch
Blob Blame History Raw 
diff -rupN --no-dereference openssl-3.0.5/apps/openssl.cnf openssl-3.0.5-new/apps/openssl.cnf
--- openssl-3.0.5/apps/openssl.cnf	2022-07-08 10:09:53.054097960 +0200
+++ openssl-3.0.5-new/apps/openssl.cnf	2022-07-08 10:09:54.234097986 +0200
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
-
 [openssl_init]
 providers = provider_sect
 # Load default TLS policy configuration
 ssl_conf = ssl_module
 
-# List of providers to load
-[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
 
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl.  As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
-[default_sect]
-# activate = 1
+[provider_sect]
+##default = default_sect
+##legacy = legacy_sect
+##
+##[default_sect]
+##activate = 1
+##
+##[legacy_sect]
+##activate = 1
 
 [ ssl_module ]
 
diff -rupN --no-dereference openssl-3.0.5/doc/man5/config.pod openssl-3.0.5-new/doc/man5/config.pod
--- openssl-3.0.5/doc/man5/config.pod	2022-07-05 10:57:04.000000000 +0200
+++ openssl-3.0.5-new/doc/man5/config.pod	2022-07-08 10:09:54.234097986 +0200
@@ -273,6 +273,14 @@ significant.
 All parameters in the section as well as sub-sections are made
 available to the provider.
 
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
 =head3 Default provider and its activation
 
 If no providers are activated explicitly, the default one is activated implicitly.
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.