Openembedded Core Discussions
* [PATCH] openssl: disable SSLv3 by default
@ 2015-02-16 11:18 brendan.le.foll
  2015-02-16 11:18 ` brendan.le.foll
  0 siblings, 1 reply; 6+ messages in thread
From: brendan.le.foll @ 2015-02-16 11:18 UTC (permalink / raw)
  To: openembedded-core; +Cc: Brendan Le Foll

From: Brendan Le Foll <brendan.le.foll@intel.com>

SSLv3 should be disabled because of POODLE; this patch disables it completely.

Brendan Le Foll (1):
  openssl: disable SSLv3 by default

 meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.2.1




* [PATCH] openssl: disable SSLv3 by default
  2015-02-16 11:18 [PATCH] openssl: disable SSLv3 by default brendan.le.foll
@ 2015-02-16 11:18 ` brendan.le.foll
  2015-02-16 13:10   ` Martin Jansa
  0 siblings, 1 reply; 6+ messages in thread
From: brendan.le.foll @ 2015-02-16 11:18 UTC (permalink / raw)
  To: openembedded-core; +Cc: Brendan Le Foll

From: Brendan Le Foll <brendan.le.foll@intel.com>

Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
SSLv3 even if patched with the TLS_FALLBACK_SCSV.

Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
---
 meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 6eb1b5e..ba9bca6 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
 RRECOMMENDS_libcrypto += "openssl-conf"
 RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
 
+# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
+# vulnerability
+EXTRA_OECONF = " -no-ssl3"
+
 do_configure_prepend_darwin () {
 	sed -i -e '/version-script=openssl\.ld/d' Configure
 }
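Review bot: the plain `=` in `+EXTRA_OECONF = " -no-ssl3"` replaces any EXTRA_OECONF the recipe or a bbappend already sets instead of adding to it, and the leading space inside the quotes suggests `+=` was intended; use `+=`, or better a PACKAGECONFIG entry as raised later in this thread, so the default can be overridden from distro config without editing the .inc. Also reconcile the option spelling before merging: OpenSSL's INSTALL documents the protocol switch as `no-ssl3`, the hunk passes `-no-ssl3`, and the follow-up messages write `--no-ssl3`; confirm which form the recipe's Configure invocation actually honours rather than silently passing through.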
-- 
2.2.1




* Re: [PATCH] openssl: disable SSLv3 by default
  2015-02-16 11:18 ` brendan.le.foll
@ 2015-02-16 13:10   ` Martin Jansa
  2015-02-16 13:51     ` Brendan Le Foll
  0 siblings, 1 reply; 6+ messages in thread
From: Martin Jansa @ 2015-02-16 13:10 UTC (permalink / raw)
  To: brendan.le.foll; +Cc: openembedded-core


On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll@intel.com wrote:
> From: Brendan Le Foll <brendan.le.foll@intel.com>
> 
> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> SSLv3 even if patched with the TLS_FALLBACK_SCSV
> 
> Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> ---
>  meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 6eb1b5e..ba9bca6 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
>  RRECOMMENDS_libcrypto += "openssl-conf"
>  RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
>  
> +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> +# vulnerability
> +EXTRA_OECONF = " -no-ssl3"

Why not use PACKAGECONFIG to make it easier to enable from distro
config or bbappend?

> +
>  do_configure_prepend_darwin () {
>  	sed -i -e '/version-script=openssl\.ld/d' Configure
>  }
> -- 
> 2.2.1
> 

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com



* Re: [PATCH] openssl: disable SSLv3 by default
  2015-02-16 13:10   ` Martin Jansa
@ 2015-02-16 13:51     ` Brendan Le Foll
  2015-02-16 14:35       ` Sven Ebenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Brendan Le Foll @ 2015-02-16 13:51 UTC (permalink / raw)
  To: Martin Jansa; +Cc: openembedded-core

On Mon, Feb 16, 2015 at 02:10:03PM +0100, Martin Jansa wrote:
> On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll@intel.com wrote:
> > From: Brendan Le Foll <brendan.le.foll@intel.com>
> > 
> > Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> > SSLv3 even if patched with the TLS_FALLBACK_SCSV
> > 
> > Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> > ---
> >  meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> > index 6eb1b5e..ba9bca6 100644
> > --- a/meta/recipes-connectivity/openssl/openssl.inc
> > +++ b/meta/recipes-connectivity/openssl/openssl.inc
> > @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
> >  RRECOMMENDS_libcrypto += "openssl-conf"
> >  RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
> >  
> > +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> > +# vulnerability
> > +EXTRA_OECONF = " -no-ssl3"
> 
> Why not use PACKAGECONFIG to make it easier to enable from distro
> config or bbappend?

No real reason, was trying to keep it as simple as possible whilst
making it clear it was not a good idea to re-enable it. I can make it
a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.

Cheers,
Brendan



* Re: [PATCH] openssl: disable SSLv3 by default
  2015-02-16 13:51     ` Brendan Le Foll
@ 2015-02-16 14:35       ` Sven Ebenfeld
  2015-02-16 14:38         ` Brendan Le Foll
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Ebenfeld @ 2015-02-16 14:35 UTC (permalink / raw)
  To: openembedded-core, brendan.le.foll, martin.jansa

On 16.02.2015 at 14:51, Brendan Le Foll wrote:
> 
> No real reason, was trying to keep it as simple as possible whilst
> making it clear it was not a good idea to re-enable it. I can make it
> a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.

Shouldn't it be PACKAGECONFIG[nossl3]?
This makes it more clear that one is actually disabling SSLv3 instead of
trying to enable it.

> 
> Cheers,
> Brendan
> 

Cheers,
Sven



* Re: [PATCH] openssl: disable SSLv3 by default
  2015-02-16 14:35       ` Sven Ebenfeld
@ 2015-02-16 14:38         ` Brendan Le Foll
  0 siblings, 0 replies; 6+ messages in thread
From: Brendan Le Foll @ 2015-02-16 14:38 UTC (permalink / raw)
  To: Sven Ebenfeld; +Cc: openembedded-core

On Mon, Feb 16, 2015 at 03:35:32PM +0100, Sven Ebenfeld wrote:
> On 16.02.2015 at 14:51, Brendan Le Foll wrote:
> > 
> > No real reason, was trying to keep it as simple as possible whilst
> > making it clear it was not a good idea to re-enable it. I can make it
> > a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.
> 
> Shouldn't it be PACKAGECONFIG[nossl3]?
> This makes it more clear that one is actually disabling SSLv3 instead of
> trying to enable it.

The idea is to disable ssl3 by default and make enabling it optional.

I'm thinking this, which means people have to enable SSLv3 to get it.
PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3"

Cheers,
Brendan
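
As an added illustration (not code from this thread, from OE-core, or from any of its participants), this is the PACKAGECONFIG shape the discussion converges on: SSLv3 stays off unless a distro or bbappend deliberately opts in. It assumes OpenSSL's documented `no-ssl3` Configure switch, the `PACKAGECONFIG[...]` four-field syntax of that era, and that the recipe's own do_configure hands EXTRA_OECONF to Configure, so PACKAGECONFIG_CONFARGS has to be routed into it explicitly.

```bitbake
# Added example, not the recipe's actual code.
# PACKAGECONFIG[feature] = "<args when enabled>,<args when disabled>,<build deps>,<runtime deps>"
# OpenSSL 1.0.x builds SSLv3 unless told otherwise, so the "enabled" side is
# empty and the "disabled" side passes the documented no-ssl3 switch.
PACKAGECONFIG ??= ""
PACKAGECONFIG[ssl3] = ",no-ssl3"

# The recipe does not inherit autotools, so the generated arguments are not
# picked up automatically; append them to what do_configure passes to Configure.
EXTRA_OECONF += "${PACKAGECONFIG_CONFARGS}"

# Weak form, for comparison: a distro conf or openssl_%.bbappend (assumed
# file name) that re-enables SSLv3 and thereby reintroduces POODLE exposure.
# PACKAGECONFIG_append_pn-openssl = " ssl3"
```

With the default empty PACKAGECONFIG the configure line carries `no-ssl3`; only a layer that adds the `ssl3` feature drops it, which keeps the override visible in that layer's own configuration rather than hidden in the shared .inc.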


