d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
253,256 Commits 72 Branches 135 Tags 3.2 GiB
16969d1448
Commit Graph

6 Commits

Author SHA1 Message Date
Conrad Meyer
80a315ffb6 Replace OPENSSL_NO_SSL3_METHODs with dummies 
SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018).  No one should use
it, and if they must, they can use some implementation outside of base.

There are three symbols removed with OPENSSL_NO_SSL3_METHOD:

SSLv3_client_method
SSLv3_method
SSLv3_server_method

These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al).  Applications
that do so have broken cryptography.

Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.

Reviewed by:	gordon, jhb (earlier-but-equivalent version both)
Discussed with:	bjk, kib
Differential Revision:	https://reviews.freebsd.org/D25493
 2020-07-01 00:59:28 +00:00
Gordon Tetlow
e398139415 Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility. 
This define caused a couple of symbols to disappear. To keep ABI
compatibility, we are going to keep the symbols exposed, but leave SSLv3 as
not in the default config (this is what OPENSSL_NO_SSL3 achieves). The
ramifications of this is an application can still use SSLv3 if it
specifically calls the SSLv3_method family of APIs.

Reported by:	kib, others
Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D25451
 2020-06-25 19:35:37 +00:00
Gordon Tetlow
f7732201a2 Remove support for SSLv3 from the OpenSSL build. 
This is the default configuration in OpenSSL 1.1.1 already. This moves
to align with that default.

Reported by:	jmg
Approved by:	jkim, cem, emaste, philip
Differential Revision:	https://reviews.freebsd.org/D24945
 2020-05-22 16:53:39 +00:00
Jung-uk Kim
0a70e97c94 Reduce diff with the vendor version. No functional change. 2020-03-18 02:20:03 +00:00
Jung-uk Kim
f622545b79 Enable devcryptoeng for OpenSSL. 
Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been
deprecated in favor of this new engine.  However, this engine is not
throughly tested on FreeBSD because it was originally written for Linux.

http://cryptodev-linux.org/

Also, the author actually meant to enable it by default on BSD platforms but
he failed to do so because there was a bug in the Configure script.

https://github.com/openssl/openssl/pull/7882

Now they found that it was more generic issue.

https://github.com/openssl/openssl/pull/7885

Therefore, we need to enable this engine on head to give it more exposure.
 2018-12-12 21:56:47 +00:00
Jung-uk Kim
0633b14ba1 Unify opensslconf.h templates. 
There is no MD macro in this file any more.
 2018-09-21 22:26:00 +00:00