[OE-core] [PATCH] openssl: disable SSLv3 by default

Martin Jansa martin.jansa at gmail.com
Mon Feb 16 13:10:03 UTC 2015


On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll at intel.com wrote:
> From: Brendan Le Foll <brendan.le.foll at intel.com>
> 
> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> SSLv3 even if patched with the TLS_FALLBACK_SCSV
> 
> Signed-off-by: Brendan Le Foll <brendan.le.foll at intel.com>
> ---
>  meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 6eb1b5e..ba9bca6 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
>  RRECOMMENDS_libcrypto += "openssl-conf"
>  RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
>  
> +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> +# vulnerability
> +EXTRA_OECONF = " -no-ssl3"

Why not use PACKAGECONFIG to make it easier to enable from distro
config or bbappend?

> +
>  do_configure_prepend_darwin () {
>  	sed -i -e '/version-script=openssl\.ld/d' Configure
>  }
> -- 
> 2.2.1
> 
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20150216/e5105978/attachment-0002.sig>


More information about the Openembedded-core mailing list