components/curl/patches/016-curl-disable-sslv3.patch
author Rich Burridge <rich.burridge@oracle.com>
Fri, 14 Nov 2014 05:49:51 -0800
branchs11-update
changeset 3467 de2c1a2b2040
permissions -rw-r--r--
20010069 curl should disable SSLv3 by default
Remove SSLv3 from SSL default due to the POODLE attack.
Based on the following curl changeset:
commit ec783dc142129d3860e542b443caaa78a6172d56
Author: Jay Satiro <[email protected]>
Date:   Fri Oct 24 13:41:56 2014 +0200
    - Remove SSLv3 from the SSL default effectively making the default TLS 1.x.
    - Update curl_easy_setopt doc.
    12
--- ./docs/libcurl/curl_easy_setopt.3.orig	2014-11-11 12:03:20.659217117 -0800
    13
+++ ./docs/libcurl/curl_easy_setopt.3	2014-11-11 12:06:57.274210401 -0800
    14
@@ -1819,8 +1819,7 @@
    15
 .RS
    16
 .IP CURL_SSLVERSION_DEFAULT
    17
 The default action. This will attempt to figure out the remote SSL protocol
    18
-version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled
    19
-by default with 7.18.1).
    20
+version. SSLv2 and SSLv3 are disabled by default.
    21
 .IP CURL_SSLVERSION_TLSv1
    22
 Force TLSv1
    23
 .IP CURL_SSLVERSION_SSLv2
    24
--- ./lib/nss.c.orig	2014-11-11 12:08:37.152918397 -0800
    25
+++ ./lib/nss.c	2014-11-11 12:11:02.819141917 -0800
    26
@@ -1177,12 +1177,6 @@
    27
   switch (data->set.ssl.version) {
    28
   default:
    29
   case CURL_SSLVERSION_DEFAULT:
    30
-    ssl3 = PR_TRUE;
    31
-    if (data->state.ssl_connect_retry)
    32
-      infof(data, "TLS disabled due to previous handshake failure\n");
    33
-    else
    34
-      tlsv1 = PR_TRUE;
    35
-    break;
    36
   case CURL_SSLVERSION_TLSv1:
    37
     tlsv1 = PR_TRUE;
    38
     break;
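Review bot: The `case CURL_SSLVERSION_DEFAULT:` label now falls straight into `case CURL_SSLVERSION_TLSv1:` with nothing marking that as intentional; add `/* fall through: default is TLS only, SSLv3 dropped after POODLE */` under the label so the next reader does not "fix" it by restoring a break. The hunk also removes the `ssl_connect_retry` branch that used to retry with SSLv3 only; if the handshake-failure path that sets `data->state.ssl_connect_retry` still exists outside this hunk, that retry now re-runs with identical TLS-only settings and should be dropped or skipped for the default case. The switch statement continues past the end of the hunk, so I cannot see whether `ssl3` is still assigned anywhere.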
    39
--- ./lib/qssl.c.orig	2014-11-11 12:08:44.037832982 -0800
    40
+++ ./lib/qssl.c	2014-11-11 12:12:10.802950719 -0800
    41
@@ -192,9 +192,6 @@
    42
 
    43
   default:
    44
   case CURL_SSLVERSION_DEFAULT:
    45
-    h->protocol = SSL_VERSION_CURRENT;          /* TLSV1 compat. SSLV[23]. */
    46
-    break;
    47
-
    48
   case CURL_SSLVERSION_TLSv1:
    49
     h->protocol = TLS_VERSION_1;
    50
     break;
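Review bot: `case CURL_SSLVERSION_DEFAULT:` now silently falls through to `h->protocol = TLS_VERSION_1;` — mark it `/* fall through: SSL_VERSION_CURRENT also negotiated SSLv2/3 */` so the intent survives the next edit. Note that the removed value was a "current/compatible" selector while `TLS_VERSION_1` is an explicit TLS 1.0 pin, so on this backend the default is now exactly TLS 1.0 rather than "TLS 1.x" as the commit message says; that is fine if the API offers nothing newer, but it is worth stating in the patch header. The switch continues outside the hunk.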
    51
--- ./lib/ssluse.c.orig	2014-11-11 12:08:52.156569428 -0800
    52
+++ ./lib/ssluse.c	2014-11-11 12:21:38.593664424 -0800
    53
@@ -1448,10 +1448,6 @@
    54
   switch(data->set.ssl.version) {
    55
   default:
    56
   case CURL_SSLVERSION_DEFAULT:
    57
-    /* we try to figure out version */
    58
-    req_method = SSLv23_client_method();
    59
-    use_sni(TRUE);
    60
-    break;
    61
   case CURL_SSLVERSION_TLSv1:
    62
     req_method = TLSv1_client_method();
    63
     use_sni(TRUE);
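Review bot: Deleting the body of `case CURL_SSLVERSION_DEFAULT:` makes the default fall into `req_method = TLSv1_client_method();`, and in OpenSSL that method speaks TLS 1.0 only — so the default connection now loses TLS 1.1/1.2 against servers that offer them, which is a protocol downgrade rather than the "default TLS 1.x" the patch header promises. Keep the version-flexible method for the default and let the context options do the exclusion instead: `case CURL_SSLVERSION_DEFAULT: req_method = SSLv23_client_method(); use_sni(TRUE); break;`, with the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` set later in this file removing the two old protocols. That combination is also what the upstream change cited in the preamble appears to rely on, as far as I can tell from the second hunk. The switch statement continues past the end of the hunk.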
    64
@@ -1531,9 +1527,9 @@
    65
 
    66
   SSL_CTX_set_options(connssl->ctx, ctx_options);
    67
 
    68
-  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
    69
+  /* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */
    70
   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
    71
-    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
    72
+    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
    73
 
    74
 #if 0
    75
   /*
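Review bot: As the earlier hunk now routes `CURL_SSLVERSION_DEFAULT` to `TLSv1_client_method()`, the added `SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` is applied to a context that can no longer negotiate SSLv2/SSLv3 anyway, so it only does real work if the default keeps `SSLv23_client_method()`. The new comment should also say what is actually intended, `/* disable SSLv2 and SSLv3 in the default case (i.e. allow TLS 1.0 and later) */`, since "allow TLSv1" reads as TLS 1.0 specifically. The `#if 0` block that starts at the bottom of the hunk continues outside it.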