Switch to newer TLS and disable old SSL.
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 18 Oct 2022 08:42:04 +0000 (10:42 +0200)
committerArkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 18 Oct 2022 08:42:04 +0000 (10:42 +0200)
openssl.patch

index a8a426ecc0578d86dedc6e85550867cdc9fa04fe..656a9a1a5377bc5c8a0cb7e0107ba2bde979981f 100644 (file)
      }
    }
    return(dh);
+commit fe4c4ab914d82af1a1cb2e1bca78c8dcfbc57d4d
+Author: Harin Vadodaria <harin.vadodaria@oracle.com>
+Date:   Fri Jan 2 10:18:04 2015 +0530
+
+    Bug#19820550 : DISABLE SSL 3.0 SUPPORT IN OPENSSL
+    
+    Explicitly disable weaker SSL protocols.
+
+diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
+index cd6a6d68cb4..7e475683f9a 100644
+--- a/vio/viosslfactories.c
++++ b/vio/viosslfactories.c
+@@ -173,6 +173,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
+ {
+   DH *dh;
+   struct st_VioSSLFd *ssl_fd;
++  long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+   DBUG_ENTER("new_VioSSLFd");
+   check_ssl_init();
+@@ -200,6 +201,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
+     DBUG_RETURN(0);
+   }
++  SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
++
+   /*
+     Set the ciphers that can be used
+     NOTE: SSL_CTX_set_cipher_list will return 0 if
+--- mysql-5.0.96/vio/viosslfactories.c~        2022-10-18 09:53:29.000000000 +0200
++++ mysql-5.0.96/vio/viosslfactories.c 2022-10-18 10:39:06.402730218 +0200
+@@ -338,7 +338,7 @@
+     verify= SSL_VERIFY_NONE;
+   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+-                             ca_path, cipher, TLSv1_client_method(), &dummy)))
++                             ca_path, cipher, TLS_client_method(), &dummy)))
+   {
+     return 0;
+   }
+@@ -360,7 +360,7 @@
+   struct st_VioSSLFd *ssl_fd;
+   int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+-                             ca_path, cipher, TLSv1_server_method(), error)))
++                             ca_path, cipher, TLS_server_method(), error)))
+   {
+     return 0;
+   }
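Review bot: Switching to `TLS_client_method()` / `TLS_server_method()` in the `@@ -338` and `@@ -360` hunks makes the context version-flexible, but the only floor set is `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` in `new_VioSSLFd`, so TLS 1.0 and 1.1 can still be negotiated unless the system-wide OpenSSL configuration forbids them. If compatibility with old peers is not required, set an explicit minimum next to the `SSL_CTX_set_options` call, for example `SSL_CTX_set_min_proto_version(ssl_fd->ssl_context, TLS1_2_VERSION);`, and treat a zero return as a setup failure. Both `TLS_*_method()` and that call need OpenSSL 1.1.0 or later, which this patch presumably already assumes. The bodies of the patched functions lie outside the hunks, so the exact placement should be confirmed against the full file.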