Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys
What about SSLv3 due to POODLE ? On Fri, Mar 20, 2015 at 7:48 PM, Jung-uk Kim j...@freebsd.org wrote: Author: jkim Date: Fri Mar 20 23:48:11 2015 New Revision: 280306 URL: https://svnweb.freebsd.org/changeset/base/280306 Log: Disable insecure SSLv2 support from the base OpenSSL. Differential Revision:https://reviews.freebsd.org/D1304 Modified: head/secure/lib/libcrypto/opensslconf-arm.h head/secure/lib/libcrypto/opensslconf-mips.h head/secure/lib/libcrypto/opensslconf-powerpc.h head/secure/lib/libcrypto/opensslconf-sparc64.h head/secure/lib/libcrypto/opensslconf-x86.h head/secure/lib/libssl/Makefile head/sys/sys/param.h
Modified: head/secure/lib/libcrypto/opensslconf-arm.h ==
--- head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 21:56:48 2015 (r280305)
+++ head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 23:48:11 2015 (r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-mips.h ==
--- head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20 21:56:48 2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20 23:48:11 2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-powerpc.h ==
--- head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20 21:56:48 2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20 23:48:11 2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-sparc64.h ==
--- head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20 21:56:48 2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20 23:48:11 2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-x86.h ==
--- head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 21:56:48 2015 (r280305)
+++ head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 23:48:11 2015 (r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -66,6 +69,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libssl/Makefile ==
--- head/secure/lib/libssl/Makefile Fri Mar 20 21:56:48 2015
Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys
On 3/23/2015 2:08 PM, Bryan Drewery wrote: On 3/20/2015 6:48 PM, Jung-uk Kim wrote: Author: jkim Date: Fri Mar 20 23:48:11 2015 New Revision: 280306 URL: https://svnweb.freebsd.org/changeset/base/280306 Log: Disable insecure SSLv2 support from the base OpenSSL. Differential Revision: https://reviews.freebsd.org/D1304 Modified: head/secure/lib/libcrypto/opensslconf-arm.h head/secure/lib/libcrypto/opensslconf-mips.h head/secure/lib/libcrypto/opensslconf-powerpc.h head/secure/lib/libcrypto/opensslconf-sparc64.h head/secure/lib/libcrypto/opensslconf-x86.h head/secure/lib/libssl/Makefile head/sys/sys/param.h Can this be backed out until a ports exp-run is done and ports are fixed? This is causing a lot of fallout. Here are the results actually: http://gohan2.ysv.freebsd.org/build.html?mastername=head-amd64-default-baselinebuild=p381881_s280335 It is not that bad. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys
On 3/20/2015 6:48 PM, Jung-uk Kim wrote: Author: jkim Date: Fri Mar 20 23:48:11 2015 New Revision: 280306 URL: https://svnweb.freebsd.org/changeset/base/280306 Log: Disable insecure SSLv2 support from the base OpenSSL. Differential Revision: https://reviews.freebsd.org/D1304 Modified: head/secure/lib/libcrypto/opensslconf-arm.h head/secure/lib/libcrypto/opensslconf-mips.h head/secure/lib/libcrypto/opensslconf-powerpc.h head/secure/lib/libcrypto/opensslconf-sparc64.h head/secure/lib/libcrypto/opensslconf-x86.h head/secure/lib/libssl/Makefile head/sys/sys/param.h Can this be backed out until a ports exp-run is done and ports are fixed? This is causing a lot of fallout. -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys
On 3/23/2015 2:13 PM, Bryan Drewery wrote: On 3/23/2015 2:08 PM, Bryan Drewery wrote: On 3/20/2015 6:48 PM, Jung-uk Kim wrote: Author: jkim Date: Fri Mar 20 23:48:11 2015 New Revision: 280306 URL: https://svnweb.freebsd.org/changeset/base/280306 Log: Disable insecure SSLv2 support from the base OpenSSL. Differential Revision:https://reviews.freebsd.org/D1304 Modified: head/secure/lib/libcrypto/opensslconf-arm.h head/secure/lib/libcrypto/opensslconf-mips.h head/secure/lib/libcrypto/opensslconf-powerpc.h head/secure/lib/libcrypto/opensslconf-sparc64.h head/secure/lib/libcrypto/opensslconf-x86.h head/secure/lib/libssl/Makefile head/sys/sys/param.h Can this be backed out until a ports exp-run is done and ports are fixed? This is causing a lot of fallout. Here are the results actually: http://gohan2.ysv.freebsd.org/build.html?mastername=head-amd64-default-baselinebuild=p381881_s280335 It is not that bad. Reminds me that I need to implement this https://lists.freebsd.org/pipermail/freebsd-current/2014-September/052187.html -- Regards, Bryan Drewery signature.asc Description: OpenPGP digital signature
Re: svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 03/23/2015 11:35, Philip M. Gollucci wrote: What about SSLv3 due to POODLE ? IMHO, it is too early to remove SSLv3 support because it is still widely used although there are known vulnerabilities. Please use OpenSSL from ports, i.e., security/openssl, i.e., turn off both SSL2 and SSL3 options and compile all ports with it. Jung-uk Kim -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJVEFbGAAoJEHyflib82/FGtH0H/jEr8VI2EIh4T0qmOyaXbwEg Aqz6sIO1AJe/PultpqEMSUWPKofHNH4YstOcaHQ421g22tcGjK3VgwhzSG97IPjH vlSY3451DDw0FzQVD20N3c8B0tjnrM2QD9K+wULvE74W9Yu6woSgQN/kLqhGnuss qPM3MemKNYq5euGnWVzXaY+IuDHFf8CFKanpymVFc378rV/M4tgXJbesNOX9Koiv VC7tvfn7slsr/bHSqC6zdDNk5BkL3iaNGceHweMeIQ8HeTtglESVjjOnBMayxsYS YKapEONNnhVh+Waq2jH0JylDIfotWMylvxFRLlW99oSPnvVHOMhsr+gEh6LxZGQ= =a8q9 -END PGP SIGNATURE- ___ svn-src-head@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to svn-src-head-unsubscr...@freebsd.org
svn commit: r280306 - in head: secure/lib/libcrypto secure/lib/libssl sys/sys
Author: jkim Date: Fri Mar 20 23:48:11 2015 New Revision: 280306 URL: https://svnweb.freebsd.org/changeset/base/280306 Log: Disable insecure SSLv2 support from the base OpenSSL. Differential Revision:https://reviews.freebsd.org/D1304 Modified: head/secure/lib/libcrypto/opensslconf-arm.h head/secure/lib/libcrypto/opensslconf-mips.h head/secure/lib/libcrypto/opensslconf-powerpc.h head/secure/lib/libcrypto/opensslconf-sparc64.h head/secure/lib/libcrypto/opensslconf-x86.h head/secure/lib/libssl/Makefile head/sys/sys/param.h
Modified: head/secure/lib/libcrypto/opensslconf-arm.h ==
--- head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 21:56:48 2015 (r280305)
+++ head/secure/lib/libcrypto/opensslconf-arm.h Fri Mar 20 23:48:11 2015 (r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-mips.h ==
--- head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20 21:56:48 2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-mips.hFri Mar 20 23:48:11 2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
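Review bot: The `OPENSSL_NO_SSL2` and `NO_SSL2` blocks are added separately to each per-architecture copy of opensslconf (arm here, and the same two hunks in the mips, powerpc, sparc64 and x86 headers), and nothing in the visible hunks records how the setting is meant to be reproduced. If these headers are regenerated from OpenSSL's Configure during a vendor import, which the page does not show, a run without `no-ssl2` would drop the blocks and quietly re-enable SSLv2 in base. The import procedure should carry a line such as `Configure ... no-ssl2` so the hardening survives the next OpenSSL update, and the five copies should be checked against each other after every import.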
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-powerpc.h ==
--- head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20 21:56:48 2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-powerpc.h Fri Mar 20 23:48:11 2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-sparc64.h ==
--- head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20 21:56:48 2015(r280305)
+++ head/secure/lib/libcrypto/opensslconf-sparc64.h Fri Mar 20 23:48:11 2015(r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -69,6 +72,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libcrypto/opensslconf-x86.h ==
--- head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 21:56:48 2015 (r280305)
+++ head/secure/lib/libcrypto/opensslconf-x86.h Fri Mar 20 23:48:11 2015 (r280306)
@@ -27,6 +27,9 @@ extern C {
 #ifndef OPENSSL_NO_SCTP
 # define OPENSSL_NO_SCTP
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
@@ -66,6 +69,9 @@ extern C {
 # if defined(OPENSSL_NO_SCTP) !defined(NO_SCTP)
 # define NO_SCTP
 # endif
+# if defined(OPENSSL_NO_SSL2) !defined(NO_SSL2)
+# define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) !defined(NO_STORE)
 # define NO_STORE
 # endif
Modified: head/secure/lib/libssl/Makefile ==
--- head/secure/lib/libssl/Makefile Fri Mar 20 21:56:48 2015 (r280305)
+++ head/secure/lib/libssl/Makefile Fri Mar 20 23:48:11 2015 (r280306)
@@ -12,11 +12,11 @@ NO_LINT= SRCS= bio_ssl.c d1_both.c d1_clnt.c d1_enc.c d1_lib.c d1_meth.c d1_pkt.c \ d1_srtp.c d1_srvr.c s23_clnt.c