From: Brendan Le Foll <brendan.le.foll@intel.com>
To: Martin Jansa <martin.jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] openssl: disable SSLv3 by default
Date: Mon, 16 Feb 2015 13:51:20 +0000
Message-ID: <20150216135119.GC9950@jupiter.iwi.intel.com>
In-Reply-To: <20150216131003.GG2297@jama>
On Mon, Feb 16, 2015 at 02:10:03PM +0100, Martin Jansa wrote:
> On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll@intel.com wrote:
> > From: Brendan Le Foll <brendan.le.foll@intel.com>
> >
> > Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> > SSLv3 even if patched with the TLS_FALLBACK_SCSV
> >
> > Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> > ---
> > meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> > index 6eb1b5e..ba9bca6 100644
> > --- a/meta/recipes-connectivity/openssl/openssl.inc
> > +++ b/meta/recipes-connectivity/openssl/openssl.inc
> > @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
> > RRECOMMENDS_libcrypto += "openssl-conf"
> > RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
> >
> > +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> > +# vulnerability
> > +EXTRA_OECONF = " -no-ssl3"
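Review bot: the added `EXTRA_OECONF = " -no-ssl3"` line is a plain assignment, so it discards whatever EXTRA_OECONF already holds at that point in the include, and a bbappend that later assigns EXTRA_OECONF with `=` drops the flag and silently brings SSLv3 back. The leading space inside the quotes suggests an append was intended; `EXTRA_OECONF += "-no-ssl3"` keeps existing configure options. The comment above it also makes deleting the line the only way to opt back in, so it would help to say there that re-enabling SSLv3 re-exposes the build to POODLE.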
>
> Why not use PACKAGECONFIG to make it easier to enable from distro
> config or bbappend?
No real reason, was trying to keep it as simple as possible whilst
making it clear it was not a good idea to re-enable it. I can make it
a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.

Cheers,
Brendan