Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys

2015-03-23 Thread Philip M. Gollucci
What about SSLv3 due to POODLE ?

On Fri, Mar 20, 2015 at 7:48 PM, Jung-uk Kim j...@freebsd.org wrote:

 Author: jkim
 Date: Fri Mar 20 23:48:11 2015
 New Revision: 280306
 URL: https://svnweb.freebsd.org/changeset/base/280306

 Log:
   Disable insecure SSLv2 support from the base OpenSSL.

   Differential Revision:https://reviews.freebsd.org/D1304

 Modified:
   head/secure/lib/libcrypto/opensslconf-arm.h
   head/secure/lib/libcrypto/opensslconf-mips.h
   head/secure/lib/libcrypto/opensslconf-powerpc.h
   head/secure/lib/libcrypto/opensslconf-sparc64.h
   head/secure/lib/libcrypto/opensslconf-x86.h
   head/secure/lib/libssl/Makefile
   head/sys/sys/param.h

 Modified: head/secure/lib/libcrypto/opensslconf-arm.h

 ==
 --- head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 21:56:48 2015
   (r280305)
 +++ head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 23:48:11 2015
   (r280306)
 @@ -27,6 +27,9 @@ extern C {
  #ifndef OPENSSL_NO_SCTP
  # define OPENSSL_NO_SCTP
  #endif
 +#ifndef OPENSSL_NO_SSL2
 +# define OPENSSL_NO_SSL2
 +#endif
  #ifndef OPENSSL_NO_STORE
  # define OPENSSL_NO_STORE
  #endif
 @@ -69,6 +72,9 @@ extern C {
  # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
  #  define NO_SCTP
  # endif
 +# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
 +#  define NO_SSL2
 +# endif
  # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
  #  define NO_STORE
  # endif

 Modified: head/secure/lib/libcrypto/opensslconf-mips.h

 ==
 --- head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20
 21:56:48 2015(r280305)
 +++ head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20
 23:48:11 2015(r280306)
 @@ -27,6 +27,9 @@ extern C {
  #ifndef OPENSSL_NO_SCTP
  # define OPENSSL_NO_SCTP
  #endif
 +#ifndef OPENSSL_NO_SSL2
 +# define OPENSSL_NO_SSL2
 +#endif
  #ifndef OPENSSL_NO_STORE
  # define OPENSSL_NO_STORE
  #endif
 @@ -69,6 +72,9 @@ extern C {
  # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
  #  define NO_SCTP
  # endif
 +# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
 +#  define NO_SSL2
 +# endif
  # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
  #  define NO_STORE
  # endif

 Modified: head/secure/lib/libcrypto/opensslconf-powerpc.h

 ==
 --- head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20
 21:56:48 2015(r280305)
 +++ head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20
 23:48:11 2015(r280306)
 @@ -27,6 +27,9 @@ extern C {
  #ifndef OPENSSL_NO_SCTP
  # define OPENSSL_NO_SCTP
  #endif
 +#ifndef OPENSSL_NO_SSL2
 +# define OPENSSL_NO_SSL2
 +#endif
  #ifndef OPENSSL_NO_STORE
  # define OPENSSL_NO_STORE
  #endif
 @@ -69,6 +72,9 @@ extern C {
  # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
  #  define NO_SCTP
  # endif
 +# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
 +#  define NO_SSL2
 +# endif
  # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
  #  define NO_STORE
  # endif

 Modified: head/secure/lib/libcrypto/opensslconf-sparc64.h

 ==
 --- head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20
 21:56:48 2015(r280305)
 +++ head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20
 23:48:11 2015(r280306)
 @@ -27,6 +27,9 @@ extern C {
  #ifndef OPENSSL_NO_SCTP
  # define OPENSSL_NO_SCTP
  #endif
 +#ifndef OPENSSL_NO_SSL2
 +# define OPENSSL_NO_SSL2
 +#endif
  #ifndef OPENSSL_NO_STORE
  # define OPENSSL_NO_STORE
  #endif
 @@ -69,6 +72,9 @@ extern C {
  # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
  #  define NO_SCTP
  # endif
 +# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
 +#  define NO_SSL2
 +# endif
  # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
  #  define NO_STORE
  # endif

 Modified: head/secure/lib/libcrypto/opensslconf-x86.h

 ==
 --- head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 21:56:48 2015
   (r280305)
 +++ head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 23:48:11 2015
   (r280306)
 @@ -27,6 +27,9 @@ extern C {
  #ifndef OPENSSL_NO_SCTP
  # define OPENSSL_NO_SCTP
  #endif
 +#ifndef OPENSSL_NO_SSL2
 +# define OPENSSL_NO_SSL2
 +#endif
  #ifndef OPENSSL_NO_STORE
  # define OPENSSL_NO_STORE
  #endif
 @@ -66,6 +69,9 @@ extern C {
  # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
  #  define NO_SCTP
  # endif
 +# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
 +#  define NO_SSL2
 +# endif
  # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
  #  define NO_STORE
  # endif

 Modified: head/secure/lib/libssl/Makefile

 ==
 --- head/secure/lib/libssl/Makefile Fri Mar 20 21:56:48 2015
 

Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys

2015-03-23 Thread Bryan Drewery
On 3/23/2015 2:08 PM, Bryan Drewery wrote:
 On 3/20/2015 6:48 PM, Jung-uk Kim wrote:
 Author: jkim
 Date: Fri Mar 20 23:48:11 2015
 New Revision: 280306
 URL: https://svnweb.freebsd.org/changeset/base/280306

 Log:
   Disable insecure SSLv2 support from the base OpenSSL.
   
   Differential Revision: https://reviews.freebsd.org/D1304

 Modified:
   head/secure/lib/libcrypto/opensslconf-arm.h
   head/secure/lib/libcrypto/opensslconf-mips.h
   head/secure/lib/libcrypto/opensslconf-powerpc.h
   head/secure/lib/libcrypto/opensslconf-sparc64.h
   head/secure/lib/libcrypto/opensslconf-x86.h
   head/secure/lib/libssl/Makefile
   head/sys/sys/param.h

 
 Can this be backed out until a ports exp-run is done and ports are
 fixed? This is causing a lot of fallout.
 
 

Here are the results actually:

http://gohan2.ysv.freebsd.org/build.html?mastername=head-amd64-default-baseline&build=p381881_s280335

It is not that bad.

-- 
Regards,
Bryan Drewery





Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys

2015-03-23 Thread Bryan Drewery
On 3/20/2015 6:48 PM, Jung-uk Kim wrote:
 Author: jkim
 Date: Fri Mar 20 23:48:11 2015
 New Revision: 280306
 URL: https://svnweb.freebsd.org/changeset/base/280306
 
 Log:
   Disable insecure SSLv2 support from the base OpenSSL.
   
   Differential Revision:  https://reviews.freebsd.org/D1304
 
 Modified:
   head/secure/lib/libcrypto/opensslconf-arm.h
   head/secure/lib/libcrypto/opensslconf-mips.h
   head/secure/lib/libcrypto/opensslconf-powerpc.h
   head/secure/lib/libcrypto/opensslconf-sparc64.h
   head/secure/lib/libcrypto/opensslconf-x86.h
   head/secure/lib/libssl/Makefile
   head/sys/sys/param.h
 

Can this be backed out until a ports exp-run is done and ports are
fixed? This is causing a lot of fallout.


-- 
Regards,
Bryan Drewery





Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys

2015-03-23 Thread Bryan Drewery
On 3/23/2015 2:13 PM, Bryan Drewery wrote:
 On 3/23/2015 2:08 PM, Bryan Drewery wrote:
 On 3/20/2015 6:48 PM, Jung-uk Kim wrote:
 Author: jkim
 Date: Fri Mar 20 23:48:11 2015
 New Revision: 280306
 URL: https://svnweb.freebsd.org/changeset/base/280306

 Log:
   Disable insecure SSLv2 support from the base OpenSSL.
   
   Differential Revision:https://reviews.freebsd.org/D1304

 Modified:
   head/secure/lib/libcrypto/opensslconf-arm.h
   head/secure/lib/libcrypto/opensslconf-mips.h
   head/secure/lib/libcrypto/opensslconf-powerpc.h
   head/secure/lib/libcrypto/opensslconf-sparc64.h
   head/secure/lib/libcrypto/opensslconf-x86.h
   head/secure/lib/libssl/Makefile
   head/sys/sys/param.h


 Can this be backed out until a ports exp-run is done and ports are
 fixed? This is causing a lot of fallout.


 
 Here are the results actually:
 
 http://gohan2.ysv.freebsd.org/build.html?mastername=head-amd64-default-baseline&build=p381881_s280335
 
 It is not that bad.
 

Reminds me that I need to implement this
https://lists.freebsd.org/pipermail/freebsd-current/2014-September/052187.html

-- 
Regards,
Bryan Drewery





Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys

2015-03-23 Thread Jung-uk Kim
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 03/23/2015 11:35, Philip M. Gollucci wrote:
 What about SSLv3 due to POODLE ?

IMHO, it is too early to remove SSLv3 support because it is still
widely used, although it has known vulnerabilities.  Please use
OpenSSL from ports (security/openssl) instead: turn off both the SSL2
and SSL3 options and compile all ports with it.

Jung-uk Kim
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJVEFbGAAoJEHyflib82/FGtH0H/jEr8VI2EIh4T0qmOyaXbwEg
Aqz6sIO1AJe/PultpqEMSUWPKofHNH4YstOcaHQ421g22tcGjK3VgwhzSG97IPjH
vlSY3451DDw0FzQVD20N3c8B0tjnrM2QD9K+wULvE74W9Yu6woSgQN/kLqhGnuss
qPM3MemKNYq5euGnWVzXaY+IuDHFf8CFKanpymVFc378rV/M4tgXJbesNOX9Koiv
VC7tvfn7slsr/bHSqC6zdDNk5BkL3iaNGceHweMeIQ8HeTtglESVjjOnBMayxsYS
YKapEONNnhVh+Waq2jH0JylDIfotWMylvxFRLlW99oSPnvVHOMhsr+gEh6LxZGQ=
=a8q9
-END PGP SIGNATURE-


svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys

2015-03-20 Thread Jung-uk Kim
Author: jkim
Date: Fri Mar 20 23:48:11 2015
New Revision: 280306
URL: https://svnweb.freebsd.org/changeset/base/280306

Log:
  Disable insecure SSLv2 support from the base OpenSSL.
  
  Differential Revision:https://reviews.freebsd.org/D1304

Modified:
  head/secure/lib/libcrypto/opensslconf-arm.h
  head/secure/lib/libcrypto/opensslconf-mips.h
  head/secure/lib/libcrypto/opensslconf-powerpc.h
  head/secure/lib/libcrypto/opensslconf-sparc64.h
  head/secure/lib/libcrypto/opensslconf-x86.h
  head/secure/lib/libssl/Makefile
  head/sys/sys/param.h

Modified: head/secure/lib/libcrypto/opensslconf-arm.h
==
--- head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 21:56:48 2015
(r280305)
+++ head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 23:48:11 2015
(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
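Review bot: The `OPENSSL_NO_SSL2` guard is added by hand in the same two places in each of the five per-architecture headers (arm, mips, powerpc, sparc64, x86: once in the `OPENSSL_NO_*` list here and once in the `NO_*` alias list of the following hunk), and nothing in the change records where the setting comes from. These headers look like generated OpenSSL configuration output; if they are, the durable place for the setting is the configure option that produces them (`no-ssl2`), so that a later OpenSSL import regenerates the define instead of quietly re-enabling SSLv2. Code built against these headers that still references the SSLv2 method functions needs an `#ifndef OPENSSL_NO_SSL2` guard of its own. The enclosing `extern` block and the conditional around the alias list start and end outside the hunks.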
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
 #  define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
 #  define NO_STORE
 # endif

Modified: head/secure/lib/libcrypto/opensslconf-mips.h
==
--- head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20 21:56:48 
2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20 23:48:11 
2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
 #  define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
 #  define NO_STORE
 # endif

Modified: head/secure/lib/libcrypto/opensslconf-powerpc.h
==
--- head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20 21:56:48 
2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20 23:48:11 
2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
 #  define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
 #  define NO_STORE
 # endif

Modified: head/secure/lib/libcrypto/opensslconf-sparc64.h
==
--- head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20 21:56:48 
2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20 23:48:11 
2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
 #  define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
 #  define NO_STORE
 # endif

Modified: head/secure/lib/libcrypto/opensslconf-x86.h
==
--- head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 21:56:48 2015
(r280305)
+++ head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 23:48:11 2015
(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -66,6 +69,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP)  !defined(NO_SCTP)
 #  define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2)  !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE)  !defined(NO_STORE)
 #  define NO_STORE
 # endif

Modified: head/secure/lib/libssl/Makefile
==
--- head/secure/lib/libssl/Makefile Fri Mar 20 21:56:48 2015
(r280305)
+++ head/secure/lib/libssl/Makefile Fri Mar 20 23:48:11 2015
(r280306)
@@ -12,11 +12,11 @@ NO_LINT=
 
 SRCS=  bio_ssl.c d1_both.c d1_clnt.c d1_enc.c d1_lib.c d1_meth.c d1_pkt.c \
d1_srtp.c d1_srvr.c s23_clnt.c