You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
96 lines
3.8 KiB
96 lines
3.8 KiB
From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
|
|
From: rpm-build <rpm-build>
|
|
Date: Mon, 31 Jul 2023 09:41:28 +0200
|
|
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
|
|
|
|
Patch-name: 0024-load-legacy-prov.patch
|
|
Patch-id: 24
|
|
Patch-status: |
|
|
# Instructions to load legacy provider in openssl.cnf
|
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|
---
|
|
apps/openssl.cnf | 37 +++++++++++++++----------------------
|
|
doc/man5/config.pod | 8 ++++++++
|
|
2 files changed, 23 insertions(+), 22 deletions(-)
|
|
|
|
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
|
|
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
|
|
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
|
|
@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
|
|
tsa_policy2 = 1.2.3.4.5.6
|
|
tsa_policy3 = 1.2.3.4.5.7
|
|
|
|
-# For FIPS
|
|
-# Optionally include a file that is generated by the OpenSSL fipsinstall
|
|
-# application. This file contains configuration data required by the OpenSSL
|
|
-# fips provider. It contains a named section e.g. [fips_sect] which is
|
|
-# referenced from the [provider_sect] below.
|
|
-# Refer to the OpenSSL security policy for more information.
|
|
-# .include fipsmodule.cnf
|
|
-
|
|
[openssl_init]
|
|
providers = provider_sect
|
|
# Load default TLS policy configuration
|
|
@@ -42,23 +42,27 @@ [ evp_properties ]
|
|
#This section is intentionally added empty here
|
|
#to be tuned on particular systems
|
|
|
|
-# List of providers to load
|
|
-[provider_sect]
|
|
-default = default_sect
|
|
-# The fips section name should match the section name inside the
|
|
-# included fipsmodule.cnf.
|
|
-# fips = fips_sect
|
|
+# Uncomment the sections that start with ## below to enable the legacy provider.
|
|
+# Loading the legacy provider enables support for the following algorithms:
|
|
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
|
|
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
|
|
+# Key Derivation Function (KDF): PBKDF1
|
|
+# In general it is not recommended to use the above mentioned algorithms for
|
|
+# security critical operations, as they are cryptographically weak or vulnerable
|
|
+# to side-channel attacks and as such have been deprecated.
|
|
|
|
-# If no providers are activated explicitly, the default one is activated implicitly.
|
|
-# See man 7 OSSL_PROVIDER-default for more details.
|
|
-#
|
|
-# If you add a section explicitly activating any other provider(s), you most
|
|
-# probably need to explicitly activate the default provider, otherwise it
|
|
-# becomes unavailable in openssl. As a consequence applications depending on
|
|
-# OpenSSL may not work correctly which could lead to significant system
|
|
-# problems including inability to remotely access the system.
|
|
-[default_sect]
|
|
-# activate = 1
|
|
+[provider_sect]
|
|
+default = default_sect
|
|
+##legacy = legacy_sect
|
|
+##
|
|
+[default_sect]
|
|
+activate = 1
|
|
+
|
|
+##[legacy_sect]
|
|
+##activate = 1
|
|
+
|
|
+#Place the third party provider configuration files into this folder
|
|
+.include /etc/pki/tls/openssl.d
|
|
|
|
[ ssl_module ]
|
|
|
|
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
|
|
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
|
|
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
|
|
@@ -273,6 +273,14 @@ significant.
|
|
All parameters in the section as well as sub-sections are made
|
|
available to the provider.
|
|
|
|
+=head3 Loading the legacy provider
|
|
+
|
|
+Uncomment the sections that start with ## in openssl.cnf
|
|
+to enable the legacy provider.
|
|
+Note: In general it is not recommended to use the above mentioned algorithms for
|
|
+security critical operations, as they are cryptographically weak or vulnerable
|
|
+to side-channel attacks and as such have been deprecated.
|
|
+
|
|
=head3 Default provider and its activation
|
|
|
|
If no providers are activated explicitly, the default one is activated implicitly.
|