diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
6ed7c9
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov	2021-09-09 12:06:40.895793297 +0200
6ed7c9
+++ openssl-3.0.0/apps/openssl.cnf	2021-09-09 12:12:33.947482500 +0200
6ed7c9
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
2871ff
 tsa_policy2 = 1.2.3.4.5.6
2871ff
 tsa_policy3 = 1.2.3.4.5.7
2871ff
 
2871ff
-# For FIPS
2871ff
-# Optionally include a file that is generated by the OpenSSL fipsinstall
2871ff
-# application. This file contains configuration data required by the OpenSSL
2871ff
-# fips provider. It contains a named section e.g. [fips_sect] which is
2871ff
-# referenced from the [provider_sect] below.
2871ff
-# Refer to the OpenSSL security policy for more information.
2871ff
-# .include fipsmodule.cnf
2871ff
-
2871ff
 [openssl_init]
2871ff
 providers = provider_sect
2871ff
 # Load default TLS policy configuration
2871ff
 ssl_conf = ssl_module
2871ff
 
2871ff
-# List of providers to load
6ed7c9
-[provider_sect]
6ed7c9
-default = default_sect
6ed7c9
-# The fips section name should match the section name inside the
6ed7c9
-# included fipsmodule.cnf.
6ed7c9
-# fips = fips_sect
2871ff
+# Uncomment the sections that start with ## below to enable the legacy provider.
2871ff
+# Loading the legacy provider enables support for the following algorithms:
2871ff
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
2871ff
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
2871ff
+# Key Derivation Function (KDF): PBKDF1
2871ff
+# In general it is not recommended to use the above mentioned algorithms for
2871ff
+# security critical operations, as they are cryptographically weak or vulnerable
2871ff
+# to side-channel attacks and as such have been deprecated.
6ed7c9
 
6ed7c9
-# If no providers are activated explicitly, the default one is activated implicitly.
6ed7c9
-# See man 7 OSSL_PROVIDER-default for more details.
6ed7c9
-#
6ed7c9
-# If you add a section explicitly activating any other provider(s), you most
6ed7c9
-# probably need to explicitly activate the default provider, otherwise it
6ed7c9
-# becomes unavailable in openssl.  As a consequence applications depending on
6ed7c9
-# OpenSSL may not work correctly which could lead to significant system
6ed7c9
-# problems including inability to remotely access the system.
2871ff
-[default_sect]
2871ff
-# activate = 1
6ed7c9
+[provider_sect]
6ed7c9
+default = default_sect
2871ff
+##legacy = legacy_sect
2871ff
+##
6ed7c9
+[default_sect]
6ed7c9
+activate = 1
6ed7c9
+
2871ff
+##[legacy_sect]
2871ff
+##activate = 1
2871ff
 
2871ff
 [ ssl_module ]
2871ff
 
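Review bot: The rewritten `[provider_sect]`/`[default_sect]` block deletes the removed explanation that explicitly activating any other provider stops the default provider from being loaded implicitly, so a reader who uncomments `##legacy = legacy_sect` and `##[legacy_sect]`/`##activate = 1` gets no hint that `activate = 1` under `[default_sect]` must stay in place, or TLS and most other crypto operations will fail. Suggest restoring a one-line reminder above `[default_sect]`: `# Keep the default provider activated whenever another provider is enabled; see man 7 OSSL_PROVIDER-default`. The new legacy-provider comment would also be more useful to operators if it said that this is the system-wide configuration, so uncommenting those lines exposes MD4, DES, RC4 and the other listed algorithms to every application that loads it, not just the openssl command-line tool (presumably the case here, since the file is the installed apps/ template). Minor: `RC4,RC5` in the cipher list is missing a space.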
6ed7c9
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
6ed7c9
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov	2021-09-09 12:09:38.079040853 +0200
6ed7c9
+++ openssl-3.0.0/doc/man5/config.pod	2021-09-09 12:11:56.646224876 +0200
6ed7c9
@@ -273,6 +273,14 @@ significant.
2871ff
 All parameters in the section as well as sub-sections are made
2871ff
 available to the provider.
2871ff
 
2871ff
+=head3 Loading the legacy provider
2871ff
+
2871ff
+Uncomment the sections that start with ## in openssl.cnf
2871ff
+to enable the legacy provider.
2871ff
+Note: In general it is not recommended to use the above mentioned algorithms for
2871ff
+security critical operations, as they are cryptographically weak or vulnerable
2871ff
+to side-channel attacks and as such have been deprecated.
2871ff
+
6ed7c9
 =head3 Default provider and its activation
2871ff
 
6ed7c9
 If no providers are activated explicitly, the default one is activated implicitly.