Diffstat (limited to 'patchsets/patches-2.3.5/007-openssl-weakdh.patch')
-rw-r--r--patchsets/patches-2.3.5/007-openssl-weakdh.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/patchsets/patches-2.3.5/007-openssl-weakdh.patch b/patchsets/patches-2.3.5/007-openssl-weakdh.patch
new file mode 100644
index 0000000..ca41065
--- /dev/null
+++ b/patchsets/patches-2.3.5/007-openssl-weakdh.patch
@@ -0,0 +1,37 @@
+From 6dee08d14f7a8a51691b799592774e805d6f8707 Mon Sep 17 00:00:00 2001
+From: Tony Arcieri <bascule@gmail.com>
+Date: Thu, 7 Jan 2016 11:02:31 -0800
+Subject: [PATCH] Remove 512-bit DH group
+
+512-bit DH keys are severely weak and have been implicated in recent attacks:
+
+https://weakdh.org/
+---
+ lib/openssl/pkey.rb | 8 --------
+
+diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb
+index 3f65adad..89563b65 100644
+--- a/ext/openssl/lib/openssl/pkey.rb
++++ b/ext/openssl/lib/openssl/pkey.rb
+@@ -4,13 +4,6 @@ module PKey
+ if defined?(OpenSSL::PKey::DH)
+
+ class DH
+- DEFAULT_512 = new <<-_end_of_pem_
+------BEGIN DH PARAMETERS-----
+-MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2
+-zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC
+------END DH PARAMETERS-----
+- _end_of_pem_
+-
+ DEFAULT_1024 = new <<-_end_of_pem_
+ -----BEGIN DH PARAMETERS-----
+ MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ
+@@ -23,7 +16,6 @@ class DH
+ DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen|
+ warn "using default DH parameters." if $VERBOSE
+ case keylen
+- when 512 then OpenSSL::PKey::DH::DEFAULT_512
+ when 1024 then OpenSSL::PKey::DH::DEFAULT_1024
+ else
+ nil
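Review bot: After this patch the `case keylen` in `DEFAULT_TMP_DH_CALLBACK` still serves only `when 1024 then OpenSSL::PKey::DH::DEFAULT_1024`, and the weakdh.org page cited in the commit message also treats 1024-bit groups as at risk and recommends 2048-bit, so the built-in default is still below the recommended size. I would record that next to the constant, e.g. `# 1024-bit is the only built-in group; set SSLContext#tmp_dh_callback to supply >= 2048-bit parameters`. Separately, because this lands in a 2.3.5 patchset, any caller that references `OpenSSL::PKey::DH::DEFAULT_512` will presumably raise `NameError` after the update, and a 512-bit request now falls through to `else nil`; a line in the patchset notes saying so would help whoever triages the resulting handshake failures. Both inner hunks cut through `class DH` and the lambda, whose remaining lines are outside the patch.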