Diffstat (limited to 'patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch')
-rw-r--r--patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch46
1 files changed, 46 insertions, 0 deletions
diff --git a/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch
new file mode 100644
index 000000000..4b98bc08d
--- /dev/null
+++ b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch
@@ -0,0 +1,46 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Tue, 20 Mar 2018 22:07:30 +0100
+Subject: [PATCH] Set systemwide default settings for libssl users
+
+This config change enforeces a TLS1.2 protocol version as minimum. It
+can be overwritten by the system administrator.
+
+It also changes the default security level from 1 to 2, moving from the 80 bit
+security level to the 112 bit security level.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+
+Imported from openssl_1.1.1h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ apps/openssl.cnf | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 4acca4b0446f..a6fed92a2e75 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -15,6 +15,9 @@ HOME = .
+ #oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
+
++# System default
++openssl_conf = default_conf
++
+ # To use this configuration file with the "-extfile" option of the
+ # "openssl x509" utility, name here the section containing the
+ # X.509v3 extensions to use:
+@@ -348,3 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
++[default_conf]
++ssl_conf = ssl_sect
++
++[ssl_sect]
++system_default = system_default_sect
++
++[system_default_sect]
++MinProtocol = TLSv1.2
++CipherString = DEFAULT@SECLEVEL=2
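Review bot: The new `[default_conf]` header is appended directly after the `ess_cert_id_alg` comment lines with no separating blank line, unlike every other section in openssl.cnf; add an empty line before `[default_conf]` so the section boundary is visible at a glance. The `[system_default_sect]` block also carries no comment explaining its reach, although via `openssl_conf = default_conf` in the unnamed default section it is applied by libssl to every application that loads this file; a line such as `# Applied to all libssl users at SSL_CTX creation; edit here to relax` above it would make the override path the description mentions discoverable to an administrator. SECLEVEL=2 presumably rejects RSA/DSA/DH keys below 2048 bits and ECC keys below 224 bits in addition to raising the protocol floor, which is worth stating next to `CipherString` since the patch description only names the bit levels. Finally, "enforeces" in the patch description is a typo for "enforces".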