* [PATCH v2] openssl: disable SSLv3 by default
From: brendan.le.foll @ 2015-02-19 15:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Brendan Le Foll
From: Brendan Le Foll <brendan.le.foll@intel.com>
Does the same thing but now uses PACKAGECONFIG as discussed on this ML
Brendan Le Foll (1):
openssl: disable SSLv3 by default
meta/recipes-connectivity/openssl/openssl.inc | 3 +++
1 file changed, 3 insertions(+)
--
2.2.1
* [PATCH v2] openssl: disable SSLv3 by default
From: brendan.le.foll @ 2015-02-19 15:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Brendan Le Foll
From: Brendan Le Foll <brendan.le.foll@intel.com>
Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
SSLv3 even if patched with the TLS_FALLBACK_SCSV
Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
---
meta/recipes-connectivity/openssl/openssl.inc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 6eb1b5e..f42b1ea 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -16,6 +16,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
S = "${WORKDIR}/openssl-${PV}"
PACKAGECONFIG[perl] = ",,,"
+# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
+# vulnerability
+PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3,,"
AR_append = " r"
# Avoid binaries being marked as requiring an executable stack since it
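Review bot: The comment above the new PACKAGECONFIG[ssl3] line says to remove the line to enable SSLv3, but a PACKAGECONFIG flag is normally switched by adding or dropping its name in PACKAGECONFIG, not by deleting the flag definition. Suggest rewording the comment to say that SSLv3 stays off unless "ssl3" is added to PACKAGECONFIG. This hunk also does not set PACKAGECONFIG itself, so the disabled default relies on "ssl3" being absent from whatever value the recipe or distro assigns; stating that default explicitly next to the flag would make the intent reviewable.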
--
2.2.1
* Re: [PATCH v2] openssl: disable SSLv3 by default
From: Martin Jansa @ 2015-02-19 16:17 UTC (permalink / raw)
To: brendan.le.foll; +Cc: openembedded-core
On Thu, Feb 19, 2015 at 03:45:10PM +0000, brendan.le.foll@intel.com wrote:
> From: Brendan Le Foll <brendan.le.foll@intel.com>
>
> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> SSLv3 even if patched with the TLS_FALLBACK_SCSV
Please rebase on current master, because v1 was already merged (so you
should remove EXTRA_OECONF now).
>
> Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl.inc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 6eb1b5e..f42b1ea 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -16,6 +16,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
> S = "${WORKDIR}/openssl-${PV}"
>
> PACKAGECONFIG[perl] = ",,,"
> +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> +# vulnerability
> +PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3,,"
>
> AR_append = " r"
> # Avoid binaries being marked as requiring an executable stack since it
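Review bot: The two option strings in the added PACKAGECONFIG[ssl3] value are spelled asymmetrically, "--enable-ssl3" against "--no-ssl3", and the second field starts with a space after the comma. Please confirm that both spellings are accepted by the OpenSSL Configure script this recipe invokes, since a rejected or ignored disable option would leave SSLv3 built in despite the comment, and drop the stray space so the entry matches the compact form of the PACKAGECONFIG[perl] line above it.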
> --
> 2.2.1
>
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com