author | Ronald Jordan <ron.jordan@oracle.com> |
Wed, 26 Oct 2016 13:19:33 -0700 | |
branch | s11u3-sru |
changeset 7163 | ee09edbd5876 |
permissions | -rw-r--r-- |
7163
ee09edbd5876
24784774 Upgrade 11.3-SRU to OpenSSL 1.0.2
Ronald Jordan <ron.jordan@oracle.com>
1 |
# |
2 |
# This was developed in house. The change is internal to Solaris, and |
3 |
# it will not be contributed upstream. |
4 |
# |
5 |
# This patch will change the default cipher used to encrypt certificate |
6 |
# to 3DES as RC2 is considered weak cipher. The default cipher for 1.1 will |
7 |
# become 3DES. |
8 |
# |
9 |
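--- a/openssl/apps/pkcs12.c
+++ b/openssl/apps/pkcs12.c
@@ -142,12 +142,7 @@
 if (!load_config(bio_err, NULL))
 goto end;
 
-# ifdef OPENSSL_FIPS
- if (FIPS_mode())
- cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- else
-# endif
- cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 
 args = argv + 1;
 
@@ -379,9 +374,9 @@
 BIO_printf(bio_err,
 "-twopass separate MAC, encryption passwords\n");
 BIO_printf(bio_err,
- "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+ "-descert encrypt PKCS#12 certificates with triple DES (default)\n");
 BIO_printf(bio_err,
- "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
+ "-certpbe alg specify certificate PBE algorithm (default 3DES)\n");
 BIO_printf(bio_err,
 "-keypbe alg specify private key PBE algorithm (default 3DES)\n");
 BIO_printf(bio_err,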
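Review bot: The first hunk's unconditional `cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;` changes only the default of the `openssl pkcs12` command, yet the PKCS12_create.pod hunk in the same patch documents triple DES as the library default for certificates when `nid_cert` is zero. No hunk that changes the library's own default selection is visible in this view, so if the patch has none, API callers passing zero may still get 40-bit RC2 and the documentation would overstate the protection; that should be confirmed before the doc change ships. Separately, the assignment deserves a one-line reason, e.g. `/* Solaris: certificates default to 3DES; 40-bit RC2 is considered weak */`. The enclosing function begins and ends outside both hunks.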
37 |
--- openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:10:00 2016 |
38 |
+++ openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:14:16 2016 |
39 |
@@ -30,9 +30,9 @@ |
40 |
The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype> |
41 |
can all be set to zero and sensible defaults will be used. |
42 |
|
43 |
-These defaults are: 40 bit RC2 encryption for certificates, triple DES |
44 |
-encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER |
45 |
-(currently 2048) and a MAC iteration count of 1. |
46 |
+These defaults are: triple DES encryption for certificates and private keys, |
47 |
+a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC |
48 |
+iteration count of 1. |
49 |
|
50 |
The default MAC iteration count is 1 in order to retain compatibility with |
51 |
old software which did not interpret MAC iteration counts. If such compatibility |