From 5ad7499d0382ba4d8e7340d61995b24951be66df Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 18 Oct 2022 10:42:04 +0200
Subject: [PATCH] Switch to newer TLS and disable old SSL.

---
 openssl.patch | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/openssl.patch b/openssl.patch
index a8a426e..656a9a1 100644
--- a/openssl.patch
+++ b/openssl.patch
@@ -22,3 +22,52 @@
 }
 }
 return(dh);
+commit fe4c4ab914d82af1a1cb2e1bca78c8dcfbc57d4d
+Author: Harin Vadodaria
+Date: Fri Jan 2 10:18:04 2015 +0530
+
+ Bug#19820550 : DISABLE SSL 3.0 SUPPORT IN OPENSSL
+
+ Explicitly disable weaker SSL protocols.
+
+diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
+index cd6a6d68cb4..7e475683f9a 100644
+--- a/vio/viosslfactories.c
++++ b/vio/viosslfactories.c
+@@ -173,6 +173,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
+ {
+ DH *dh;
+ struct st_VioSSLFd *ssl_fd;
++ long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ DBUG_ENTER("new_VioSSLFd");
+ 
+ check_ssl_init();
+@@ -200,6 +201,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
+ DBUG_RETURN(0);
+ }
+ 
++ SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
++
+ /*
+ Set the ciphers that can be used
+ NOTE: SSL_CTX_set_cipher_list will return 0 if
+--- mysql-5.0.96/vio/viosslfactories.c~ 2022-10-18 09:53:29.000000000 +0200
++++ mysql-5.0.96/vio/viosslfactories.c 2022-10-18 10:39:06.402730218 +0200
+@@ -338,7 +338,7 @@
+ verify= SSL_VERIFY_NONE;
+ 
+ if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+- ca_path, cipher, TLSv1_client_method(), &dummy)))
++ ca_path, cipher, TLS_client_method(), &dummy)))
+ {
+ return 0;
+ }
+@@ -360,7 +360,7 @@
+ struct st_VioSSLFd *ssl_fd;
+ int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+- ca_path, cipher, TLSv1_server_method(), error)))
++ ca_path, cipher, TLS_server_method(), error)))
+ {
+ return 0;
+ }
-- 
2.44.0
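Review bot: The nested `@@ -338` and `@@ -360` hunks replace `TLSv1_client_method()`/`TLSv1_server_method()` with `TLS_client_method()`/`TLS_server_method()`, which negotiate any TLS version the linked OpenSSL supports, so TLS 1.0 and 1.1 stay negotiable; the only floor set anywhere is the mask added in the `@@ -173` hunk, `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, which excludes SSL only. If the "newer TLS" in the commit title is meant to exclude the deprecated 1.0/1.1 as well, extend the added line to `long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;` or call `SSL_CTX_set_min_proto_version(ssl_fd->ssl_context, TLS1_2_VERSION);` right after the new `SSL_CTX_set_options` line in the `@@ -200` hunk. As far as I recall, OpenSSL 1.1.0+ (which the `TLS_*_method()` symbols imply) defines `SSL_OP_NO_SSLv2` as 0 and no longer builds SSLv2 at all, so that bit is harmless but a one-line comment above `ssl_ctx_options` naming the versions that remain negotiable would make the intended policy explicit. `new_VioSSLFd` and the two calling functions start and end outside these hunks.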