[OE-core] [PATCH v2] openssl: disable SSLv3 by default
Martin Jansa
martin.jansa at gmail.com
Thu Feb 19 16:17:01 UTC 2015
On Thu, Feb 19, 2015 at 03:45:10PM +0000, brendan.le.foll at intel.com wrote:
> From: Brendan Le Foll <brendan.le.foll at intel.com>
>
> Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
> SSLv3 even if patched with the TLS_FALLBACK_SCSV
Please rebase on corrent master, because v1 was already merged (so you
should remove EXTRA_OECONF now).
>
> Signed-off-by: Brendan Le Foll <brendan.le.foll at intel.com>
> ---
> meta/recipes-connectivity/openssl/openssl.inc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index 6eb1b5e..f42b1ea 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -16,6 +16,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
> S = "${WORKDIR}/openssl-${PV}"
>
> PACKAGECONFIG[perl] = ",,,"
> +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
> +# vulnerability
> +PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3,,"
>
> AR_append = " r"
> # Avoid binaries being marked as requiring an executable stack since it
> --
> 2.2.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
Martin 'JaMa' Jansa jabber: Martin.Jansa at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20150219/7f36a72e/attachment-0002.sig>
More information about the Openembedded-core
mailing list