From 18782a8572cd6bd6641d9a57245836fed999d90f Mon Sep 17 00:00:00 2001
From: Björn Esser
Date: Sep 24 2020 09:14:48 +0000
Subject: Use a more elaborate application specific OpenSSL configuration
This reverts the technical change in commit: b4878fc695c2de4c9f2896227695117c6cc8f85a
---
diff --git a/AusweisApp2.spec b/AusweisApp2.spec
index 7f49177..b3d8c82 100644
--- a/AusweisApp2.spec
+++ b/AusweisApp2.spec
@@ -22,7 +22,7 @@ fipshmac "$bindir/%{name}" \
 Name: AusweisApp2
 Version: 1.20.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: %{pkg_sum}
 # Init forge packaging helpers.
@@ -132,15 +132,21 @@ install -pm 0644 %{SOURCE1} LICENSE.en.txt
 # Create custom configuration for OpenSSL basing on the system's default
 # configuration to enable all ciphers required by the application.
 # This basically modifies the system's default configuration to enable
-# all RSA-PSK algorithms.
+# all algorithms using RSA-PSK keyexchange, algorithms using SHA1, SHA256,
+# and SHA384 hashes, as well as algorithms using AES128 encryption. Also
+# ensure the application must (or can) use at least TLS v1.2 as the miminum
+# required cryptographic protocol for encrypted connections.
 # A shell wrapper around the AusweisApp2 binary will take care of injecting
 # this configuration before application startup and only for this specific
 # application.
 cat << EOF > %{name}_openssl.cnf
-# This application specific OpenSSL configuration file basically
-# modifies the system's default configuration to enable all
-# RSA-PSK algorithms, which are needed for AusweisApp2 to provide
-# full functionality for the end-user.
+# This application specific OpenSSL configuration file basically modifies
+# the system's default configuration to enable algorithms using RSA-PSK
+# keyexchange, algorithms using SHA1, SHA256, and SHA384 hashes, as well as
+# algorithms using AES128 encryption, which are needed for AusweisApp2 to
+# provide full functionality to the end-user.
+# Also ensure the application must (or can) use at least TLS v1.2 as the
+# miminum required cryptographic protocol for encrypted connections.
 openssl_conf = AusweisApp2_conf
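Review bot: The added wording `must (or can) use at least TLS v1.2`, in both the spec comment and the generated `%{name}_openssl.cnf` header, does not tell a reader whether the protocol floor is being raised or lowered relative to the system policy, and `miminum` is misspelled in both places. Since the `sed -i` on `MinProtocol` later in this patch overwrites whatever value the DEFAULT policy file carries, the comment could say so directly, e.g. `# Also pin MinProtocol to TLSv1.2, replacing the value taken from the system's DEFAULT policy.` It would also help to record why SHA1 and AES128 suites are needed (presumably for the RSA-PSK suites the application negotiates), so a later packager knows which exclusions could be restored. The spec section and the here-document both continue outside this hunk.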
@@ -153,9 +159,12 @@ system_default = AusweisApp2_ciphers
 [AusweisApp2_ciphers]
 EOF
 grep 'CipherString' %{_datadir}/crypto-policies/DEFAULT/opensslcnf.txt | \
-sed -e 's!:-!:kRSAPSK&!' -e 's!:-kRSAPSK!!' >> %{name}_openssl.cnf
+sed -e 's!:-!:kRSAPSK&!' -e 's!:-kRSAPSK!!' -e 's!:-AES128!!' \
+ -e 's!:-SHA1!!' -e 's!:-SHA256!!' -e 's!:-SHA384!!' \
+ >> %{name}_openssl.cnf
 grep -v 'CipherString' %{_datadir}/crypto-policies/DEFAULT/opensslcnf.txt \
 >> %{name}_openssl.cnf
+sed -i -e 's!^MinProtocol =.*$!MinProtocol = TLSv1.2!' %{name}_openssl.cnf
 # Create the shell wrapper.
 cat << EOF > %{name}_wrapper.sh
@@ -275,6 +284,10 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %changelog
+* Thu Sep 24 2020 Björn Esser - 1.20.2-4
+- Use a more elaborate application specific OpenSSL configuration
+ This also re-enables SHA384 hashes in ciphers
+
 * Wed Sep 23 2020 Björn Esser - 1.20.2-3
 - Do not enable SHA384 ciphers in custom OpenSSL configuration
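Review bot: None of the new `sed` edits in the `@@ -153,9 +159,12 @@` hunk is verified, so if `opensslcnf.txt` ever lacks a `MinProtocol =` line or spells an exclusion differently (for instance `!SHA1` instead of `-SHA1`), the build still succeeds with a configuration that differs from what the comments promise. The `MinProtocol` rewrite is also unconditional, so it would lower the floor if the DEFAULT policy later ships a stricter value. Adding `grep -q '^MinProtocol = TLSv1.2$' %{name}_openssl.cnf` right after the `sed -i` line would make the build fail when the substitution did not apply, assuming the section runs under the usual `sh -e`. Separately, deleting `:-SHA1`, `:-AES128`, `:-SHA256` and `:-SHA384` lifts those exclusions for every key exchange rather than only for RSA-PSK; a comment such as `# NOTE: these exclusions are dropped for all key exchanges, not just kRSAPSK` would make that trade-off visible. The enclosing spec section starts before this hunk.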