Diffstat (limited to 'net-misc/tn5250/files/disable-sslv2-and-sslv3.patch')
-rw-r--r--net-misc/tn5250/files/disable-sslv2-and-sslv3.patch61
1 files changed, 61 insertions, 0 deletions
diff --git a/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
new file mode 100644
index 000000000000..9c8d04f55851
--- /dev/null
+++ b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
@@ -0,0 +1,61 @@
+From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 23 Aug 2016 18:13:47 -0400
+Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method.
+
+The SSLv2 and SSLv3 protocols are insecure, and people have begun to
+operate without them. LibreSSL, for example, does not have them
+enabled, and it is possible to build OpenSSL in the same manner.
+
+If SSLv[23] are disabled, the user would not be able to choose "ssl2"
+or "ssl3" as his "ssl_method", an option that was undocumented
+anywhere. Therefore there is not much lost, and some security to gain,
+by removing the option completely. This commit does that, and uses the
+automatic protocol choice that is capable of negotiating TLSv1,
+TLSv1.1 and TLSv1.2.
+
+Gentoo-Bug: 591940
+---
+ lib5250/sslstream.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 7181566..2f91d1a 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+
+ /* which SSL method do we use? */
+
+- strcpy(methstr,"auto");
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
+- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
+- methstr[4] = '\0';
+- }
+-
+- if (!strcmp(methstr, "ssl2")) {
+- meth = SSLv2_client_method();
+- TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
+- } else if (!strcmp(methstr, "ssl3")) {
+- meth = SSLv3_client_method();
+- TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
+- } else {
+- meth = SSLv23_client_method();
+- TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+- }
++ /* Ignore the user's choice of ssl_method (which isn't documented
++ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
++ * and this is only safe supported method left.
++ *
++ * This is a Gentoo-specific modification that lets us build
++ * against LibreSSL and newer OpenSSL with its insecure protocols
++ * disabled.
++ */
++ meth = SSLv23_client_method();
++ TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+
+ /* create a new SSL context */
+
+--
+2.7.3
+
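Review bot: Replacing the method selection with a bare `meth = SSLv23_client_method();` does not by itself exclude SSLv3 when the linked OpenSSL still has it compiled in; that method negotiates the highest protocol both peers offer, so a server offering only SSLv3 would still be accepted, which is weaker than the new comment's claim that this is the only safe method left. Since the hunk ends right at the `/* create a new SSL context */` step, the floor should be pinned on the context once it exists, e.g. `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` (substituting the file's actual context variable name), so the behaviour matches the commit message regardless of how the library was built. The comment text also reads better as `and this is the only safe supported method left.` Separately, `methstr` is no longer referenced in this hunk; if it is declared at function scope it is now an unused variable, but tn5250_ssl_stream_init starts and ends outside the hunk so that cannot be confirmed here.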