[OE-core] [PATCH] openssl: disable SSLv3 by default

Brendan Le Foll brendan.le.foll at intel.com
Mon Feb 16 13:51:20 UTC 2015


On Mon, Feb 16, 2015 at 02:10:03PM +0100, Martin Jansa wrote:
> On Mon, Feb 16, 2015 at 11:18:29AM +0000, brendan.le.foll at intel.com wrote:
> > From: Brendan Le Foll <brendan.le.foll at intel.com>
> > 
> > Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> > SSLv3 even if patched with the TLS_FALLBACK_SCSV
> > 
> > Signed-off-by: Brendan Le Foll <brendan.le.foll at intel.com>
> > ---
> >  meta/recipes-connectivity/openssl/openssl.inc | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> > index 6eb1b5e..ba9bca6 100644
> > --- a/meta/recipes-connectivity/openssl/openssl.inc
> > +++ b/meta/recipes-connectivity/openssl/openssl.inc
> > @@ -50,6 +50,10 @@ CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
> >  RRECOMMENDS_libcrypto += "openssl-conf"
> >  RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
> >  
> > +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> > +# vulnerability
> > +EXTRA_OECONF = " -no-ssl3"
> 
> Why not use PACKAGECONFIG to make it easier to enable from distro
> config or bbappend?

No real reason, was trying to keep it as simple as possible whilst
making it clear it was not a good idea to re-enable it. I can make it
a PACKAGECOUNFIG[ssl3] = "--no-ssl3" if you think that's best.

Cheers,
Brendan



More information about the Openembedded-core mailing list