From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch

Patch-name: 0024-load-legacy-prov.patch
Patch-id: 24
Patch-status: |
    # Instructions to load legacy provider in openssl.cnf
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
 apps/openssl.cnf    | 37 +++++++++++++++----------------------
 doc/man5/config.pod |  8 ++++++++
 2 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 3956235fda..bddb6bc029 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
-
 [openssl_init]
 providers = provider_sect
 # Load default TLS policy configuration
 ssl_conf = ssl_module
 
-# List of providers to load
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
+
 [provider_sect]
 default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
-
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl.  As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
+##legacy = legacy_sect
+##
 [default_sect]
-# activate = 1
+activate = 1
+
+##[legacy_sect]
+##activate = 1
 
 [ ssl_module ]
 
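Review bot: The new comment block above [provider_sect] tells the reader to uncomment the `##` lines but does not warn that doing so in the system-wide openssl.cnf re-enables the listed weak algorithms for every application on the host, nor offer the narrower alternative; I would add before `##legacy = legacy_sect` a line such as `# Prefer enabling the legacy provider only for the application that needs it (its own config selected via OPENSSL_CONF, or the -provider legacy -provider default command-line options) rather than system-wide.` The instructions should also state that `legacy = legacy_sect` and the `[legacy_sect]` block must be uncommented together, since a dangling `legacy = legacy_sect` reference, or a legacy module absent from MODULESDIR, presumably makes configuration loading fail rather than silently skipping the provider — worth confirming against the provider config module before relying on it. The algorithm list on the `# Symmetric Ciphers:` and `# Hashing Algorithms` lines is only accurate for builds where those algorithms were compiled in (RC5, MD2 and IDEA are compile-time options in OpenSSL), so a "when compiled in" qualifier would avoid overpromising what the distro build ships. Minor style point: `RC4,RC5` is missing a space after the comma, unlike the rest of the list.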
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 8d312c661f..714a10437b 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -273,6 +273,14 @@ significant.
 All parameters in the section as well as sub-sections are made
 available to the provider.
 
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
 =head3 Default provider and its activation
 
 If no providers are activated explicitly, the default one is activated implicitly.
-- 
2.41.0