[packages/ejabberd] Disable SSLv3 and 3DES ciphers

jajcus jajcus at pld-linux.org
Sat Nov 16 17:07:20 CET 2013


commit c4f8aa566c910e35f6e618e2de356ebdae92ce0a
Author: Jacek Konieczny <jajcus at jajcus.net>
Date:   Sat Nov 16 16:28:04 2013 +0100

    Disable SSLv3 and 3DES ciphers
    
    TLS is required by the XMPP RFC, not SSLv3. Weak 3DES-based ciphers
    are highly discouraged by the XMPP community.

 ejabberd-no_sslv3_or_3des.patch | 26 ++++++++++++++++++++++++++
 ejabberd.spec                   |  5 +++++
 2 files changed, 31 insertions(+)
---
diff --git a/ejabberd.spec b/ejabberd.spec
index 6c7c37c..a8cbbe1 100644
--- a/ejabberd.spec
+++ b/ejabberd.spec
@@ -2,6 +2,7 @@
 # Conditional build:
 %bcond_with	pam		# PAM authentication support
 %bcond_with	logdb		# enable mod_logdb (server-side message logging)
+%bcond_with	weaker_crypto	# enable SSLv3
 
 Summary:	Fault-tolerant distributed Jabber/XMPP server
 Summary(pl.UTF-8):	Odporny na awarie rozproszony serwer Jabbera/XMPP
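Review bot: The comment on the new `%bcond_with weaker_crypto` line says only "enable SSLv3", but the switch skips Patch4 as a whole (the `%if %{without weaker_crypto}` guard later in this commit), so building with it also re-enables the 3DES cipher suites; `%bcond_with	weaker_crypto	# enable SSLv3 and 3DES ciphers` states what the option actually does. It is also worth a word somewhere in the spec that SSLv3 and 3DES are only ever disabled by this build-time patch, so an administrator has no run-time knob to change either, which appears to be the intent.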
@@ -54,6 +55,7 @@ Patch1:		%{name}-config.patch
 #Patch2:		%{name}-vcard-access-get.patch
 # http://www.dp.uz.gov.ua/o.palij/mod_logdb/patch-mod_logdb-2.1.12.diff
 Patch3:		%{name}-mod_logdb.patch
+Patch4:		%{name}-no_sslv3_or_3des.patch
 URL:		http://www.ejabberd.im/
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -105,6 +107,9 @@ Server-side logging module.
 %if %{with logdb}
 %patch3 -p0
 %endif
+%if %{without weaker_crypto}
+%patch4 -p1
+%endif
 
 # Various parts of the build system use 'git describe'
 # which returns nonsense on manual builds using the builder script
diff --git a/ejabberd-no_sslv3_or_3des.patch b/ejabberd-no_sslv3_or_3des.patch
new file mode 100644
index 0000000..4ee7a00
--- /dev/null
+++ b/ejabberd-no_sslv3_or_3des.patch
@@ -0,0 +1,26 @@
+diff -dur ejabberd-13.10.orig/deps/p1_tls/c_src/p1_tls_drv.c ejabberd-13.10/deps/p1_tls/c_src/p1_tls_drv.c
+--- ejabberd-13.10.orig/deps/p1_tls/c_src/p1_tls_drv.c	2013-07-17 13:50:12.000000000 +0200
++++ ejabberd-13.10/deps/p1_tls/c_src/p1_tls_drv.c	2013-11-16 15:29:02.705022418 +0100
+@@ -44,7 +44,7 @@
+ #define SSL_OP_NO_TICKET 0
+ #endif
+ 
+-#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!3DES"
+ 
+ /*
+  * R15B changed several driver callbacks to use ErlDrvSizeT and
+@@ -490,11 +490,11 @@
+ 	 SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
+ 
+ 	 if (command == SET_CERTIFICATE_FILE_ACCEPT) {
+-	    SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET|SSL_OP_ALL);
++	    SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET|SSL_OP_ALL);
+ 
+ 	    SSL_set_accept_state(d->ssl);
+ 	 } else {
+-	    SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
++	    SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
+ 	    SSL_set_connect_state(d->ssl);
+ 	 }
+ 	 break;
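Review bot: The new CIPHERS string on the `+#define CIPHERS` line still admits RC4- and MD5-based suites, which to my knowledge were part of OpenSSL's DEFAULT alias in the 1.0.x series this 2013 tree presumably builds against; if the aim is to drop everything the XMPP community discourages, `#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!3DES:!RC4"` would cover that too, and should be checked against `openssl ciphers -v` for the target release. A one-line comment above the define, e.g. `/* 3DES excluded as discouraged by the XMPP community; SSLv3 is disabled separately via SSL_OP_NO_SSLv3 below */`, would spare the next packager from digging this rationale out of the commit message. The second hunk of the embedded patch (the two `SSL_set_options` calls) sits inside a switch whose enclosing function starts and ends outside the hunk, so the accept/connect split is taken on trust here.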