BSDSec

deadsimple BSD Security Advisories and Announcements

errata patch to disable sslv3

This patch disables the SSLv3 protocol for the forthcoming 5.6 release.

untrusted comment: signature from openbsd 5.6 base private key
RWR0EANmo9nqhqNRnZqpfGyXZORy+gN++chhlgejO0bmLmp81bJL1+Dhl3iP0bL1NnRopcGECX4QoUbsCCcnMOxkXAYeMYkmMgw
OpenBSD 5.6 errata 5, Oct 20, 2014

This patch disables the SSLv3 protocol by default.

Applications depending on SSLv3 may need to be recompiled with
    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
but we recommend against the continued use of this obsolete protocol.

Apply patch using:

    signify -Vep /etc/signify/openbsd-56-base.pub -x 005_nosslv3.patch.sig \
	-m - | (cd /usr/src && patch -p0)

Then build and install libssl:

    cd /usr/src/lib/libssl/ssl
    make obj
    make
    make install


Index: lib/libssl/src/ssl/ssl_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/ssl_lib.c,v
retrieving revision 1.78
diff -u -p -r1.78 ssl_lib.c
--- lib/libssl/src/ssl/ssl_lib.c	12 Jul 2014 22:33:39 -0000	1.78
+++ lib/libssl/src/ssl/ssl_lib.c	19 Oct 2014 23:09:46 -0000
@@ -1823,6 +1823,9 @@ SSL_CTX_new(const SSL_METHOD *meth)
 	 */
 	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+	/* Disable SSLv3 by default. */
+	ret->options |= SSL_OP_NO_SSLv3;
+
 	return (ret);
 err:
 	SSLerr(SSL_F_SSL_CTX_NEW,
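Review bot: the new comment on the added lines should state how an application gets the old behaviour back, because `ret->options |= SSL_OP_NO_SSLv3;` is applied unconditionally to every context returned by SSL_CTX_new, client and server alike, and a later SSL_CTX_set_options call only ORs further bits in, so nothing short of SSL_CTX_clear_options will undo it; suggest `/* Disable SSLv3 by default; clear with SSL_CTX_clear_options(). */` so that readers of the code are not left to find the recovery path in the errata text alone.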