Ciphersuites with RSAPSK KX should be filterd in FIPS mode

Related: rhbz#2085088
epel8
Dmitry Belyavskiy 2 years ago
parent 8b08b372c8
commit 8638196167

@ -689,7 +689,7 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
ctx->disabled_auth_mask = 0;
+ if (EVP_default_properties_is_fips_enabled(ctx->libctx))
+ ctx->disabled_mkey_mask |= SSL_kRSA;
+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
+
/*
* We ignore any errors from the fetches below. They are expected to fail

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 35%{?dist}
Release: 36%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -458,6 +458,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36
- Ciphersuites with RSAPSK KX should be filterd in FIPS mode
- Related: rhbz#2085088
* Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
- Add explicit indicators for signatures in FIPS mode and mark signature
primitives as unapproved.

Loading…
Cancel
Save