diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
bf760f
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov	2021-09-09 12:06:40.895793297 +0200
bf760f
+++ openssl-3.0.0/apps/openssl.cnf	2021-09-09 12:12:33.947482500 +0200
bf760f
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
bf760f
 tsa_policy2 = 1.2.3.4.5.6
bf760f
 tsa_policy3 = 1.2.3.4.5.7
bf760f
 
bf760f
-# For FIPS
bf760f
-# Optionally include a file that is generated by the OpenSSL fipsinstall
bf760f
-# application. This file contains configuration data required by the OpenSSL
bf760f
-# fips provider. It contains a named section e.g. [fips_sect] which is
bf760f
-# referenced from the [provider_sect] below.
bf760f
-# Refer to the OpenSSL security policy for more information.
bf760f
-# .include fipsmodule.cnf
bf760f
-
bf760f
 [openssl_init]
bf760f
 providers = provider_sect
bf760f
 # Load default TLS policy configuration
bf760f
 ssl_conf = ssl_module
bf760f
 
bf760f
-# List of providers to load
bf760f
-[provider_sect]
bf760f
-default = default_sect
bf760f
-# The fips section name should match the section name inside the
bf760f
-# included fipsmodule.cnf.
bf760f
-# fips = fips_sect
bf760f
+# Uncomment the sections that start with ## below to enable the legacy provider.
bf760f
+# Loading the legacy provider enables support for the following algorithms:
bf760f
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
bf760f
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
bf760f
+# Key Derivation Function (KDF): PBKDF1
bf760f
+# In general it is not recommended to use the above mentioned algorithms for
bf760f
+# security critical operations, as they are cryptographically weak or vulnerable
bf760f
+# to side-channel attacks and as such have been deprecated.
bf760f
 
bf760f
-# If no providers are activated explicitly, the default one is activated implicitly.
bf760f
-# See man 7 OSSL_PROVIDER-default for more details.
bf760f
-#
bf760f
-# If you add a section explicitly activating any other provider(s), you most
bf760f
-# probably need to explicitly activate the default provider, otherwise it
bf760f
-# becomes unavailable in openssl.  As a consequence applications depending on
bf760f
-# OpenSSL may not work correctly which could lead to significant system
bf760f
-# problems including inability to remotely access the system.
bf760f
-[default_sect]
bf760f
-# activate = 1
bf760f
+[provider_sect]
bf760f
+default = default_sect
bf760f
+##legacy = legacy_sect
bf760f
+##
bf760f
+[default_sect]
bf760f
+activate = 1
bf760f
+
bf760f
+##[legacy_sect]
bf760f
+##activate = 1
bf760f
 
bf760f
 [ ssl_module ]
bf760f
 
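Review bot: The new comment block ahead of `[provider_sect]` lists what the legacy provider unlocks but says nothing about the scope of unlocking it; since this is the stock openssl.cnf that the package installs, uncommenting `legacy_sect` looks like it re-enables MD4, RC4, DES and the rest for every application that loads the default configuration, not only the `openssl` command line, so a line such as `# Enabling it here affects every application that uses this configuration file; prefer enabling it only for the application that needs it.` belongs next to the existing warning. While touching that comment, `RC4,RC5` is missing a space. Keeping `activate = 1` unconditional in `[default_sect]` is what makes activating a second provider safe, because an explicit provider list no longer implicitly activates the default, which is exactly the failure the removed paragraph warned about; a one-line comment above it, e.g. `# Keep activated: listing another provider would otherwise leave the default provider unloaded.`, would preserve that rationale. The `[ ssl_module ]` section continues past the end of the hunk.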
bf760f
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
bf760f
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov	2021-09-09 12:09:38.079040853 +0200
bf760f
+++ openssl-3.0.0/doc/man5/config.pod	2021-09-09 12:11:56.646224876 +0200
bf760f
@@ -273,6 +273,14 @@ significant.
bf760f
 All parameters in the section as well as sub-sections are made
bf760f
 available to the provider.
bf760f
 
bf760f
+=head3 Loading the legacy provider
bf760f
+
bf760f
+Uncomment the sections that start with ## in openssl.cnf
bf760f
+to enable the legacy provider.
bf760f
+Note: In general it is not recommended to use the above mentioned algorithms for
bf760f
+security critical operations, as they are cryptographically weak or vulnerable
bf760f
+to side-channel attacks and as such have been deprecated.
bf760f
+
bf760f
 =head3 Default provider and its activation
bf760f
 
bf760f
 If no providers are activated explicitly, the default one is activated implicitly.