From: Martin Jansa <martin.jansa@gmail.com>
To: brendan.le.foll@intel.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] openssl: disable SSLv3 by default
Date: Mon, 16 Feb 2015 14:10:03 +0100
Message-ID: <20150216131003.GG2297@jama>
In-Reply-To: <1424085509-25433-2-git-send-email-brendan.le.foll@intel.com>
On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll@intel.com wrote:
> From: Brendan Le Foll <brendan.le.foll@intel.com>
>
> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> SSLv3 even if patched with the TLS_FALLBACK_SCSV
>
> Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 6eb1b5e..ba9bca6 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
> RRECOMMENDS_libcrypto += "openssl-conf"
> RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
>
> +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> +# vulnerability
> +EXTRA_OECONF = " -no-ssl3"

Why not use PACKAGECONFIG to make it easier to enable from distro
config or bbappend?

> +
> do_configure_prepend_darwin () {
> sed -i -e '/version-script=openssl\.ld/d' Configure
> }
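
Review bot: The added `EXTRA_OECONF = " -no-ssl3"` line uses a plain `=` assignment, so it replaces whatever EXTRA_OECONF held before this point in openssl.inc instead of adding to it; the leading space inside the quoted value suggests an append was intended. Consider `EXTRA_OECONF_append = " -no-ssl3"` (or `+=`) so that other configure options are not dropped. The comment also tells users to remove the line to re-enable SSLv3, which means editing the recipe itself; a setting that a distro config or bbappend can override would let SSLv3 stay disabled by default without requiring a local change to openssl.inc.
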
> --
> 2.2.1
>
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com