diff options
Diffstat (limited to 'patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch')
-rw-r--r-- | patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch new file mode 100644 index 000000000..4b98bc08d --- /dev/null +++ b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch @@ -0,0 +1,46 @@ +From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> +Date: Tue, 20 Mar 2018 22:07:30 +0100 +Subject: [PATCH] Set systemwide default settings for libssl users + +This config change enforeces a TLS1.2 protocol version as minimum. It +can be overwritten by the system administrator. + +It also changes the default security level from 1 to 2, moving from the 80 bit +security level to the 112 bit security level. + +Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> + +Imported from openssl_1.1.1h-1.debian.tar.xz + +Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +--- + apps/openssl.cnf | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf +index 4acca4b0446f..a6fed92a2e75 100644 +--- a/apps/openssl.cnf ++++ b/apps/openssl.cnf +@@ -15,6 +15,9 @@ HOME = . + #oid_file = $ENV::HOME/.oid + oid_section = new_oids + ++# System default ++openssl_conf = default_conf ++ + # To use this configuration file with the "-extfile" option of the + # "openssl x509" utility, name here the section containing the + # X.509v3 extensions to use: +@@ -348,3 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) + ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) ++[default_conf] ++ssl_conf = ssl_sect ++ ++[ssl_sect] ++system_default = system_default_sect ++ ++[system_default_sect] ++MinProtocol = TLSv1.2 ++CipherString = DEFAULT@SECLEVEL=2 |