From 80b5477597e9f0d9fababd854adfb4988b37efd5 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Nov 20 2014 09:25:56 +0000 Subject: disable SSLv3 by default again Mail servers and possibly LDAP servers should probably allow it explicitly by SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) call for buggy legacy clients on the smtps, imaps, and ldaps ports. --- diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch index 7a028aa..83afda0 100644 --- a/openssl-1.0.1h-disable-sslv2v3.patch +++ b/openssl-1.0.1h-disable-sslv2v3.patch @@ -5,8 +5,8 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; -+ /* Disable SSLv2 by default (affects the SSLv23_method() only) */ -+ ret->options |= SSL_OP_NO_SSLv2; ++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */ ++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + return(ret); err: diff --git a/openssl.spec b/openssl.spec index e7ee263..191531e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -23,7 +23,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1j -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -478,6 +478,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Wed Nov 20 2014 Tomáš Mráz 1.0.1j-3 +- disable SSLv3 by default again (mail servers and possibly + LDAP servers should probably allow it explicitly for legacy + clients) + * Tue Oct 21 2014 Tomáš Mráz 1.0.1j-2 - update the FIPS RSA keygen to be FIPS 186-4 compliant