diff options
Diffstat (limited to 'net-misc/tn5250/files/disable-sslv2-and-sslv3.patch')
-rw-r--r-- | net-misc/tn5250/files/disable-sslv2-and-sslv3.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch new file mode 100644 index 000000000000..9c8d04f55851 --- /dev/null +++ b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch @@ -0,0 +1,61 @@ +From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Tue, 23 Aug 2016 18:13:47 -0400 +Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method. + +The SSLv2 and SSLv3 protocols are insecure, and people have begun to +operate without them. LibreSSL, for example, does not have them +enabled, and it is possible to build OpenSSL in the same manner. + +If SSLv[23] are disabled, the user would not be able to choose "ssl2" +or "ssl3" as his "ssl_method", an option that was undocumented +anywhere. Therefore there is not much lost, and some security to gain, +by removing the option completely. This commit does that, and uses the +automatic protocol choice that is capable of negotiating TLSv1, +TLSv1.1 and TLSv1.2. + +Gentoo-Bug: 591940 +--- + lib5250/sslstream.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c +index 7181566..2f91d1a 100644 +--- a/lib5250/sslstream.c ++++ b/lib5250/sslstream.c +@@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This) + + /* which SSL method do we use? */ + +- strcpy(methstr,"auto"); +- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) { +- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4); +- methstr[4] = '\0'; +- } +- +- if (!strcmp(methstr, "ssl2")) { +- meth = SSLv2_client_method(); +- TN5250_LOG(("SSL Method = SSLv2_client_method()\n")); +- } else if (!strcmp(methstr, "ssl3")) { +- meth = SSLv3_client_method(); +- TN5250_LOG(("SSL Method = SSLv3_client_method()\n")); +- } else { +- meth = SSLv23_client_method(); +- TN5250_LOG(("SSL Method = SSLv23_client_method()\n")); +- } ++ /* Ignore the user's choice of ssl_method (which isn't documented ++ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure, ++ * and this is only safe supported method left. ++ * ++ * This is a Gentoo-specific modification that lets us build ++ * against LibreSSL and newer OpenSSL with its insecure protocols ++ * disabled. ++ */ ++ meth = SSLv23_client_method(); ++ TN5250_LOG(("SSL Method = SSLv23_client_method()\n")); + + /* create a new SSL context */ + +-- +2.7.3 + |