* [PATCH v2] openssl: disable SSLv3 by default
From: brendan.le.foll @ 2015-02-19 15:45 UTC
To: openembedded-core; +Cc: Brendan Le Foll

From: Brendan Le Foll <brendan.le.foll@intel.com>

Does the same thing but now uses PACKAGECONFIG as discussed on this ML

Brendan Le Foll (1):
  openssl: disable SSLv3 by default

 meta/recipes-connectivity/openssl/openssl.inc | 3 +++
 1 file changed, 3 insertions(+)

--
2.2.1
* [PATCH v2] openssl: disable SSLv3 by default 2015-02-19 15:45 [PATCH v2] openssl: disable SSLv3 by default brendan.le.foll @ 2015-02-19 15:45 ` brendan.le.foll 2015-02-19 16:17 ` Martin Jansa 0 siblings, 1 reply; 3+ messages in thread From: brendan.le.foll @ 2015-02-19 15:45 UTC (permalink / raw) To: openembedded-core; +Cc: Brendan Le Foll From: Brendan Le Foll <brendan.le.foll@intel.com> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable SSLv3 even if patched with the TLS_FALLBACK_SCSV Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com> --- meta/recipes-connectivity/openssl/openssl.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc index 6eb1b5e..f42b1ea 100644 --- a/meta/recipes-connectivity/openssl/openssl.inc +++ b/meta/recipes-connectivity/openssl/openssl.inc @@ -16,6 +16,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ S = "${WORKDIR}/openssl-${PV}" PACKAGECONFIG[perl] = ",,," +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE +# vulnerability +PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3,," AR_append = " r" # Avoid binaries being marked as requiring an executable stack since it -- 2.2.1 ^ permalink raw reply related [flat|nested] 3+ messages in thread
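Review bot: the comment above PACKAGECONFIG[ssl3] ("Remove this to enable SSLv3") points at the wrong knob. In a PACKAGECONFIG flag the first field ("--enable-ssl3") is used when ssl3 is listed in PACKAGECONFIG and the second ("--no-ssl3") when it is not, so the supported way to turn SSLv3 back on is to add ssl3 to PACKAGECONFIG from a bbappend or local.conf, not to delete this line from openssl.inc. Suggest rewording the comment along the lines of "# SSLv3 is disabled by default due to the POODLE vulnerability; add ssl3 to PACKAGECONFIG to enable it".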
* Re: [PATCH v2] openssl: disable SSLv3 by default 2015-02-19 15:45 ` brendan.le.foll @ 2015-02-19 16:17 ` Martin Jansa 0 siblings, 0 replies; 3+ messages in thread From: Martin Jansa @ 2015-02-19 16:17 UTC (permalink / raw) To: brendan.le.foll; +Cc: openembedded-core On Thu, Feb 19, 2015 at 03:45:10PM +0000, brendan.le.foll@intel.com wrote: > From: Brendan Le Foll <brendan.le.foll@intel.com> > > Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable > SSLv3 even if patched with the TLS_FALLBACK_SCSV Please rebase on current master, because v1 was already merged (so you should remove EXTRA_OECONF now). > > Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com> > --- > meta/recipes-connectivity/openssl/openssl.inc | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc > index 6eb1b5e..f42b1ea 100644 > --- a/meta/recipes-connectivity/openssl/openssl.inc > +++ b/meta/recipes-connectivity/openssl/openssl.inc > @@ -16,6 +16,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > S = "${WORKDIR}/openssl-${PV}" > > PACKAGECONFIG[perl] = ",,," > +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE > +# vulnerability > +PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3,," > > AR_append = " r" > # Avoid binaries being marked as requiring an executable stack since it > -- > 2.2.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
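Review bot: the quoted hunk is additions only (3 insertions, nothing removed), so once it is rebased as requested the EXTRA_OECONF setting from v1 would sit next to the new PACKAGECONFIG[ssl3] entry. If that v1 line still passes an SSLv3 switch to configure unconditionally, adding ssl3 to PACKAGECONFIG would hand configure two conflicting options and PACKAGECONFIG would no longer be the single control. The rebased patch should drop the EXTRA_OECONF line in the same change so that SSLv3 is governed only by PACKAGECONFIG[ssl3].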