* [PATCH] openssl: disable SSLv3 by default
From: brendan.le.foll @ 2015-02-16 11:18 UTC
To: openembedded-core; +Cc: Brendan Le Foll
From: Brendan Le Foll <brendan.le.foll@intel.com>
SSLv3 should be disabled because of POODLE; this patch disables it completely.
Brendan Le Foll (1):
openssl: disable SSLv3 by default
meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
1 file changed, 4 insertions(+)
--
2.2.1
* [PATCH] openssl: disable SSLv3 by default
From: brendan.le.foll @ 2015-02-16 11:18 UTC
To: openembedded-core; +Cc: Brendan Le Foll
From: Brendan Le Foll <brendan.le.foll@intel.com>
Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
SSLv3 even if patched with the TLS_FALLBACK_SCSV
Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
---
meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 6eb1b5e..ba9bca6 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
RRECOMMENDS_libcrypto += "openssl-conf"
RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
+# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
+# vulnerability
+EXTRA_OECONF = " -no-ssl3"
+
do_configure_prepend_darwin () {
sed -i -e '/version-script=openssl\.ld/d' Configure
}
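Review bot: the plain `EXTRA_OECONF = " -no-ssl3"` assignment in this hunk replaces any EXTRA_OECONF the recipe or a layer sets elsewhere, and a distro config or bbappend that wants to change the decision has to restate the whole value, which sits badly with the "Remove this to enable SSLv3" comment that promises an easy switch. Using `+=` would at least stop the clobbering; cleaner is a PACKAGECONFIG feature that is off by default, e.g. `PACKAGECONFIG ??= ""` together with `PACKAGECONFIG[ssl3] = ",-no-ssl3"` (empty enable flag, `-no-ssl3` as the disable flag), so SSLv3 stays out of the build unless a layer deliberately adds `ssl3` to PACKAGECONFIG, and the comment can then point at that knob and say that turning it on reopens the POODLE exposure this change closes.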
--
2.2.1
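The commit message above argues for dropping SSLv3 at build time rather than relying on TLS_FALLBACK_SCSV. The following is an added example, not part of the patch or of oe-core: run against the OpenSSL produced by such a build, it reports whether libssl still contains SSLv3 (CPython's ssl.HAS_SSLv3 follows the build's OPENSSL_NO_SSL3) and builds a context that refuses anything below TLS 1.2 regardless, the application-side counterpart of the configure flag. It assumes Python 3.7+ with an OpenSSL-backed ssl module; the function names are the example's own.

```python
"""Check that SSLv3 is really out of the picture on a built system, and
refuse it at the application layer in any case.

Added example for this thread; it is not part of the patch or of
oe-core. It assumes a Python 3.7+ ``ssl`` module linked against the
OpenSSL under test (for instance, run on a target image built with the
recipe change). Function names are the example's own.
"""
import ssl


def openssl_build_report() -> dict:
    """Describe what the linked libssl was compiled with.

    ssl.HAS_SSLv3 reflects OPENSSL_NO_SSL3, so it reads False when
    Configure was run with no-ssl3, which is what the patch adds.
    """
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "sslv3_compiled_in": ssl.HAS_SSLv3,
        "tls1_2_compiled_in": ssl.HAS_TLSv1_2,
    }


def hardened_context(server_side: bool = False) -> ssl.SSLContext:
    """Return a context that never negotiates SSLv3 (or anything below
    TLS 1.2), whether or not libssl still contains SSLv3.

    This is defence in depth on top of the build-time no-ssl3.
    TLS_FALLBACK_SCSV alone does not close the gap: it only stops a
    client that retried with a lower version from being downgraded,
    while a server that still offers SSLv3 keeps speaking it to peers
    that start there.
    """
    protocol = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(protocol)
    # minimum_version is the non-deprecated way to pin the floor; CPython
    # also sets the legacy OP_NO_SSLv3 bit on these contexts by default.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def refuses_sslv3(ctx: ssl.SSLContext) -> bool:
    """True when SSLv3 is excluded by either mechanism OpenSSL honours:
    the legacy OP_NO_SSLv3 option bit or a protocol floor above SSLv3."""
    by_option = bool(ctx.options & ssl.OP_NO_SSLv3)
    by_floor = ctx.minimum_version > ssl.TLSVersion.SSLv3
    return by_option or by_floor


def minimum_version_code(ctx: ssl.SSLContext) -> int:
    """Wire value of the context's protocol floor (0x0303 for TLS 1.2)."""
    return int(ctx.minimum_version)


if __name__ == "__main__":
    for key, value in openssl_build_report().items():
        print(f"{key}: {value}")
    server_ctx = hardened_context(server_side=True)
    print("hardened server context refuses SSLv3:", refuses_sslv3(server_ctx))
```

On an image built with the flag from this patch the report shows `sslv3_compiled_in: False`; on a host whose libssl still carries SSLv3 the hardened context is what keeps an application from negotiating it.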
* Re: [PATCH] openssl: disable SSLv3 by default
From: Martin Jansa @ 2015-02-16 13:10 UTC
To: brendan.le.foll; +Cc: openembedded-core
On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll@intel.com wrote:
> From: Brendan Le Foll <brendan.le.foll@intel.com>
>
> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> SSLv3 even if patched with the TLS_FALLBACK_SCSV
>
> Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 6eb1b5e..ba9bca6 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
> RRECOMMENDS_libcrypto += "openssl-conf"
> RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
>
> +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> +# vulnerability
> +EXTRA_OECONF = " -no-ssl3"
Why not use PACKAGECONFIG to make it easier to enable from distro
config or bbappend?
> +
> do_configure_prepend_darwin () {
> sed -i -e '/version-script=openssl\.ld/d' Configure
> }
> --
> 2.2.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
* Re: [PATCH] openssl: disable SSLv3 by default
From: Brendan Le Foll @ 2015-02-16 13:51 UTC
To: Martin Jansa; +Cc: openembedded-core
On Mon, Feb 16, 2015 at 02:10:03PM +0100, Martin Jansa wrote:
> On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll@intel.com wrote:
> > From: Brendan Le Foll <brendan.le.foll@intel.com>
> >
> > Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> > SSLv3 even if patched with the TLS_FALLBACK_SCSV
> >
> > Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> > ---
> > meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> > index 6eb1b5e..ba9bca6 100644
> > --- a/meta/recipes-connectivity/openssl/openssl.inc
> > +++ b/meta/recipes-connectivity/openssl/openssl.inc
> > @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
> > RRECOMMENDS_libcrypto += "openssl-conf"
> > RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
> >
> > +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> > +# vulnerability
> > +EXTRA_OECONF = " -no-ssl3"
>
> Why not use PACKAGECONFIG to make it easier to enable from distro
> config or bbappend?
No real reason, was trying to keep it as simple as possible whilst
making it clear it was not a good idea to re-enable it. I can make it
a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.
Cheers,
Brendan
* Re: [PATCH] openssl: disable SSLv3 by default
From: Sven Ebenfeld @ 2015-02-16 14:35 UTC
To: openembedded-core, brendan.le.foll, martin.jansa
On 16.02.2015 at 14:51, Brendan Le Foll wrote:
>
> No real reason, was trying to keep it as simple as possible whilst
> making it clear it was not a good idea to re-enable it. I can make it
> a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.
Shouldn't it be PACKAGECONFIG[nossl3]?
This makes it more clear that one is actually disabling SSLv3 instead of
trying to enable it.
>
> Cheers,
> Brendan
>
Cheers,
Sven
* Re: [PATCH] openssl: disable SSLv3 by default
From: Brendan Le Foll @ 2015-02-16 14:38 UTC
To: Sven Ebenfeld; +Cc: openembedded-core
On Mon, Feb 16, 2015 at 03:35:32PM +0100, Sven Ebenfeld wrote:
> On 16.02.2015 at 14:51, Brendan Le Foll wrote:
> >
> > No real reason, was trying to keep it as simple as possible whilst
> > making it clear it was not a good idea to re-enable it. I can make it
> > a PACKAGECONFIG[ssl3] = "--no-ssl3" if you think that's best.
>
> Shouldn't it be PACKAGECONFIG[nossl3]?
> This makes it more clear that one is actually disabling SSLv3 instead of
> trying to enable it.
The idea is to disable ssl3 by default and make enabling it optional.
I'm thinking this, which means people have to enable SSLv3 to get it.
PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3"
Cheers,
Brendan