Начало Каталог contacts
Вход
LDA010
/
bug_ebuild
Наблюдаван 0
Харесван 0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
ИН на ревизия: 96cec4cf63
Клонове Маркери
bug_ebuild
/
gentoo
/
net-misc
/
tn5250
/
files
/
disable-sslv2-and-sslv3.patch

disable-sslv2-and-sslv3.patch 2.3 KB
История Директен файл

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 
  1. From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001
    2. 

  2. From: Michael Orlitzky <michael@orlitzky.com>
    3. 

  3. Date: Tue, 23 Aug 2016 18:13:47 -0400
    4. 

  4. Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method.
    5. 

  5. 

  6. The SSLv2 and SSLv3 protocols are insecure, and people have begun to
    7. 

  7. operate without them. LibreSSL, for example, does not have them
    8. 

  8. enabled, and it is possible to build OpenSSL in the same manner.
    9. 

  9. 

  10. If SSLv[23] are disabled, the user would not be able to choose "ssl2"
    11. 

  11. or "ssl3" as his "ssl_method", an option that was undocumented
    12. 

  12. anywhere. Therefore there is not much lost, and some security to gain,
    13. 

  13. by removing the option completely. This commit does that, and uses the
    14. 

  14. automatic protocol choice that is capable of negotiating TLSv1,
    15. 

  15. TLSv1.1 and TLSv1.2.
    16. 

  16. 

  17. Gentoo-Bug: 591940
    18. 

  18. ---
    19. 

  19.  lib5250/sslstream.c | 26 ++++++++++----------------
    20. 

  20.  1 file changed, 10 insertions(+), 16 deletions(-)
    21. 

  21. 

  22. diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
    23. 

  23. index 7181566..2f91d1a 100644
    24. 

  24. --- a/lib5250/sslstream.c
    25. 

  25. +++ b/lib5250/sslstream.c
    26. 

  26. @@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
    27. 

  27.  
    28. 

  28.  /*  which SSL method do we use? */
    29. 

  29.  
    30. 

  30. -   strcpy(methstr,"auto");
    31. 

  31. -   if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
    32. 

  32. -        strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
    33. 

  33. -        methstr[4] = '\0';
    34. 

  34. -   }
    35. 

  35. -
    36. 

  36. -   if (!strcmp(methstr, "ssl2")) {
    37. 

  37. -        meth = SSLv2_client_method();         
    38. 

  38. -        TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
    39. 

  39. -   } else if (!strcmp(methstr, "ssl3")) {
    40. 

  40. -        meth = SSLv3_client_method();         
    41. 

  41. -        TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
    42. 

  42. -   } else {
    43. 

  43. -        meth = SSLv23_client_method();         
    44. 

  44. -        TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
    45. 

  45. -   }
    46. 

  46. +    /* Ignore the user's choice of ssl_method (which isn't documented
    47. 

  47. +     * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
    48. 

  48. +     * and this is only safe supported method left.
    49. 

  49. +     *
    50. 

  50. +     * This is a Gentoo-specific modification that lets us build
    51. 

  51. +     * against LibreSSL and newer OpenSSL with its insecure protocols
    52. 

  52. +     * disabled.
    53. 

  53. +     */
    54. 

  54. +    meth = SSLv23_client_method();
    55. 

  55. +    TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
    56. 

  56.  
    57. 

  57.  /*  create a new SSL context */
    58. 

  58.  
    59. 

  59. -- 
    60. 

  60. 2.7.3
    61. 

  61. 

  62.