public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, fifteen, updated. f7165e5aed61866f8d82141c9ac152468a964f4c
@ 2013-12-29 19:56 git
From: git @ 2013-12-29 19:56 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, fifteen has been updated
       via  f7165e5aed61866f8d82141c9ac152468a964f4c (commit)
       via  33c4c29b5e32c818e1c0fc925424950f8cd613f6 (commit)
      from  63efc01c84a5f559858d0d46cb7c5a2212486567 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f7165e5aed61866f8d82141c9ac152468a964f4c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sun Dec 29 20:56:16 2013 +0100

    openssl-compat: Enable cryptodev again.
    
    This is compiled in and therefore not an externally loadable
    engine.

commit 33c4c29b5e32c818e1c0fc925424950f8cd613f6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sun Dec 29 20:46:41 2013 +0100

    openssl: Don't propose too weak ciphers.

-----------------------------------------------------------------------

Summary of changes:
 lfs/openssl                                   |  1 +
 lfs/openssl-compat                            |  7 ++++++-
 src/patches/openssl-1.0.1e-weak-ciphers.patch | 12 ++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/openssl-1.0.1e-weak-ciphers.patch

Difference in files:
diff --git a/lfs/openssl b/lfs/openssl
index 3452b71..e75101f 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -86,6 +86,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_pod_syntax-1.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
 
 	cd $(DIR_APP) && find crypto/ -name Makefile -exec \
 		sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
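Review bot: the new `openssl-1.0.1e-weak-ciphers.patch` step is wired into lfs/openssl only, while lfs/openssl-compat in the same push gets `-DSSL_FORBID_ENULL` but no matching change to its default cipher list. If anything that negotiates TLS still links against the compat library, add an equivalent patch for it or state in the commit message why it is not needed.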
diff --git a/lfs/openssl-compat b/lfs/openssl-compat
index 75dd4a2..d2ae6a0 100644
--- a/lfs/openssl-compat
+++ b/lfs/openssl-compat
@@ -71,6 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8u-cryptodev.patch
+
 	cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config
 	cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure
 
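Review bot: the added `patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8u-cryptodev.patch` step depends on a file this push does not add; the summary of changes lists only src/patches/openssl-1.0.1e-weak-ciphers.patch as created. Confirm the 0.9.8u cryptodev patch is already in the tree at that path, otherwise the openssl-compat build stops at this line.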
@@ -83,7 +85,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		shared linux-elf \
 		zlib-dynamic \
 		no-engines \
-		no-asm 386
+		no-asm 386 \
+		-DSSL_FORBID_ENULL \
+		-DHAVE_CRYPTODEV \
+		-DUSE_CRYPTODEV_DIGEST
 
 	cd $(DIR_APP) && make depend
 	cd $(DIR_APP) && make
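Review bot: `-DSSL_FORBID_ENULL` in the Configure arguments is a cipher policy change that the commit message ("Enable cryptodev again") does not mention. Name it in the message or move it to the weak-ciphers commit, so the history shows where it was introduced for the compat library. A short makefile comment beside `no-engines` saying that cryptodev is compiled in through `-DHAVE_CRYPTODEV` and `-DUSE_CRYPTODEV_DIGEST` would also stop the two settings from reading as contradictory.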
diff --git a/src/patches/openssl-1.0.1e-weak-ciphers.patch b/src/patches/openssl-1.0.1e-weak-ciphers.patch
new file mode 100644
index 0000000..8657345
--- /dev/null
+++ b/src/patches/openssl-1.0.1e-weak-ciphers.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/ssl/ssl.h.weak-ciphers openssl-1.0.1e/ssl/ssl.h
+--- openssl-1.0.1e/ssl/ssl.h.weak-ciphers	2013-12-18 15:50:40.881620314 +0100
++++ openssl-1.0.1e/ssl/ssl.h	2013-12-18 14:25:25.596566704 +0100
+@@ -331,7 +331,7 @@ extern "C" {
+ /* The following cipher list is used by default.
+  * It also is substituted when an application-defined cipher list string
+  * starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2"
++#define SSL_DEFAULT_CIPHER_LIST	"ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES"
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+  * starts with a reasonable order, and all we have to do for DEFAULT is
+  * throwing out anonymous and unencrypted ciphersuites!
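Review bot: the context comment after the changed define still says that all DEFAULT has to do is throw out "anonymous and unencrypted ciphersuites", which is stale once the list also carries `!EXPORT:!RC2:!DES`; update that comment in the same patch. Per the comment above the define, this string applies only by default or when an application's list starts with 'DEFAULT', so services on the system that set their own cipher string need the same exclusions in their own configuration.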


hooks/post-receive
--
IPFire 2.x development tree
