Hello community, here is the log from the commit of package sblim-sfcb for openSUSE:Factory checked in at 2020-11-26 23:15:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sblim-sfcb (Old) and /work/SRC/openSUSE:Factory/.sblim-sfcb.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sblim-sfcb" Thu Nov 26 23:15:47 2020 rev:60 rq:851001 version:1.4.9 Changes: -------- --- /work/SRC/openSUSE:Factory/sblim-sfcb/sblim-sfcb.changes 2020-08-03 14:19:48.204764875 +0200 +++ /work/SRC/openSUSE:Factory/.sblim-sfcb.new.5913/sblim-sfcb.changes 2020-11-26 23:16:25.917085976 +0100 @@ -1,0 +2,7 @@ +Thu Nov 26 10:43:48 UTC 2020 - Adam Majer <[email protected]> + +- no_tlsv1_config.patch: add support for disabling TLSv1_1 + as well as re-add missing disablement options for TLSv1 and SSLv3 + (bsc#1178415) + +------------------------------------------------------------------- New: ---- no_tlsv1_config.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sblim-sfcb.spec ++++++ --- /var/tmp/diff_new_pack.vFquSa/_old 2020-11-26 23:16:26.925086760 +0100 +++ /var/tmp/diff_new_pack.vFquSa/_new 2020-11-26 23:16:26.929086763 +0100 @@ -80,6 +80,7 @@ Patch26: 0026-fix-build-dependencies-for-sfcbinst2mof.patch Patch27: 0027-Makefile.am-add-autoconfiscate.sh-to-dist.patch Patch28: 0028-allow-requests-with-Content-Type-set-to-text-xml.patch +Patch29: no_tlsv1_config.patch Provides: cim-server Provides: cimserver @@ -174,6 +175,7 @@ %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 export PATCH_GET=0 ++++++ no_tlsv1_config.patch ++++++ Index: sblim-sfcb-1.4.9/control.c =================================================================== --- sblim-sfcb-1.4.9.orig/control.c +++ sblim-sfcb-1.4.9/control.c 
@@ -175,6 +175,9 @@ static Control init[] = {
 {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
 {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
 {"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
+ {"sslNoSSLv3", CTL_BOOL, NULL, {.b=0}},
+ {"sslNoTLSv1", CTL_BOOL, NULL, {.b=0}},
+ {"sslNoTLSv1_1", CTL_BOOL, NULL, {.b=0}},
 {"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
 {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
Index: sblim-sfcb-1.4.9/httpAdapter.c
===================================================================
--- sblim-sfcb-1.4.9.orig/httpAdapter.c
+++ sblim-sfcb-1.4.9/httpAdapter.c
@@ -2039,7 +2039,7 @@ initSSL()
 *fdhp, *sslCiphers;
 int rc,
- escsp;
+ sslopt;
 if (ctx) SSL_CTX_free(ctx);
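Review bot: All three new entries default to `{.b=0}`, so SSLv3, TLS 1.0 and TLS 1.1 stay enabled on every installation that does not edit sfcb.cfg; that matches the opt-in framing in the changelog, but SSLv3 has been formally deprecated (RFC 7568) and a `{.b=1}` default for `sslNoSSLv3` would be a safer baseline while still leaving the operator in control. The key strings here must stay byte-identical to the names looked up in httpAdapter.c (`sslNoSSLv3`, `sslNoTLSv1`, `sslNoTLSv1_1`), which they do in this patch; a comment such as `/* keys are read by getControlBool() in httpAdapter.c initSSL() */` would protect the next edit from a silent mismatch. The `escsp` to `sslopt` rename in the second hunk is fine as is. The `init[]` array and initSSL() both begin outside these hunks.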
@@ -2087,14 +2087,24 @@ initSSL()
 /*
 * Set options
 */
- SSL_CTX_set_options(ctx, SSL_OP_ALL |
- SSL_OP_NO_SSLv2 |
- SSL_OP_SINGLE_DH_USE);
+ long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
- if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+ if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
+ options |= SSL_OP_NO_SSLv3;
+ if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1;
+ if (!getControlBool("sslNoTLSv1_1", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1_1;
+ _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s, sslNoTLSv1_1=%s",
+ (options & SSL_OP_NO_SSLv3 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1_1 ? "true" : "false")));
+
+ if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
 _SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 }
+ SSL_CTX_set_options(ctx, options);
 /*
 * Set valid ciphers
Index: sblim-sfcb-1.4.9/sfcb.cfg.pre.in
===================================================================
--- sblim-sfcb-1.4.9.orig/sfcb.cfg.pre.in
+++ sblim-sfcb-1.4.9/sfcb.cfg.pre.in
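Review bot: `SSL_OP_NO_TLSv1_1` is referenced unconditionally on the new side; that macro only exists from OpenSSL 1.0.1 on, so a build against an older libssl would now fail to compile — either wrap that pair of lines in `#ifdef SSL_OP_NO_TLSv1_1` or make the minimum OpenSSL version explicit in configure. If the baseline is OpenSSL 1.1.0 or later, a single floor via `SSL_CTX_set_min_proto_version(ctx, ...)` expresses the same policy without adding a new boolean for every protocol version that is deprecated next. Collecting the flags into `options` and applying them with one `SSL_CTX_set_options(ctx, options)` call is an improvement, and the level-1 trace of the effective state is exactly what an operator needs to confirm the setting took effect (a failed or absent lookup shows up as "false" there). Style-wise the new `long options` is declared mid-block while the same patch hoists `sslopt` into the existing C89-style declaration list above; pick one convention. initSSL() begins and ends outside this hunk.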
@@ -288,6 +288,14 @@ certificateAuthLib: sfcCertificateAuth
 ## weak ciphers.
 sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## When set to true, disable the indicated SSL/TLS protocol. This sets
+## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
+## See man SSL_CTX_set_options(3) for details.
+## Default is false for both
+#sslNoSSLv3: false
+#sslNoTLSv1: false
+#sslNoTLSv1_1: false
+
 ## Optionally configure a DH parameters file for ephemeral key generation.
 ## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
 ## the full path to the file. Note that ephemeral key generation will still
_______________________________________________
openSUSE Commits mailing list -- [email protected]
To unsubscribe, email [email protected]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/[email protected]
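Review bot: The new comment block still describes only two options while three keys follow it: `## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.` omits SSL_OP_NO_TLSv1_1, and `## Default is false for both` no longer matches. Suggested wording: `## the corresponding openssl option SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 or SSL_OP_NO_TLSv1_1.` and `## Default is false for all three.`. It would also help operators to state plainly that with the defaults these legacy protocol versions remain enabled, so that anyone hardening the server knows these are the knobs to turn on.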
