author | V3n3RiX <venerix@koprulu.sector> | 2022-04-16 13:07:24 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-04-16 13:07:24 +0100 |
commit | 0c100b7dd2b30e75b799d806df4ef899fd98e1ea (patch) | |
tree | 464c922e949c7e4d5d891fb2cdda5daee5612537 /net-vpn/openconnect/files/8.20-insecure-crypto.patch | |
parent | e68d405c5d712af4387159df07e226217bdda049 (diff) |
gentoo resync : 16.04.2022
Diffstat (limited to 'net-vpn/openconnect/files/8.20-insecure-crypto.patch')
-rw-r--r-- | net-vpn/openconnect/files/8.20-insecure-crypto.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/net-vpn/openconnect/files/8.20-insecure-crypto.patch b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
new file mode 100644
index 000000000000..7644e1a264ba
--- /dev/null
+++ b/net-vpn/openconnect/files/8.20-insecure-crypto.patch
@@ -0,0 +1,46 @@
+From e2b38313bbd5050acaac49a75f0a024d05b505e5 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Sun, 10 Apr 2022 12:21:57 -0400
+Subject: [PATCH] openssl: allow ALL ciphers when allow-insecure-crypto is
+ enabled
+
+Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
+according to ciphers(1), the DEFAULT keyword cannot be combined with
+other strings using the + characters. In other words, ":+3DES:+RC4" gets
+ignored.
+
+The user is opting into insecure behavior, so let's keep it simple and
+just allow everything.
+
+This change fixes the obsolete-server-crypto test when openconnect is
+built against openssl-1.1.x.
+
+Signed-off-by: Mike Gilbert <floppym@gentoo.org>
+---
+ openssl.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/openssl.c b/openssl.c
+index 3205dbd7..2bf594e7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -1868,13 +1868,10 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
+ struct oc_text_buf *buf = buf_alloc();
+ if (vpninfo->pfs)
+ buf_append(buf, "HIGH:!aNULL:!eNULL:-RSA");
++ else if (vpninfo->allow_insecure_crypto)
++ buf_append(buf, "ALL");
+ else
+- buf_append(buf, "DEFAULT");
+-
+- if (vpninfo->allow_insecure_crypto)
+- buf_append(buf, ":+3DES:+RC4");
+- else
+- buf_append(buf, ":-3DES:-RC4");
++ buf_append(buf, "DEFAULT:-3DES:-RC4");
+
+ if (buf_error(buf)) {
+ vpn_progress(vpninfo, PRG_ERR,
+--
+2.35.1
+
|
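Review bot: The new `else if (vpninfo->allow_insecure_crypto)` branch in the embedded openssl.c hunk sets the cipher string to `"ALL"`, which per ciphers(1) is every suite except eNULL and so also enables the anonymous (aNULL) key-exchange suites that provide no server authentication. The `pfs` branch directly above excludes them explicitly with `!aNULL`, and the string this replaces only aimed to bring back 3DES and RC4. Consider `buf_append(buf, "ALL:!aNULL");` together with a comment such as `/* legacy ciphers for obsolete servers; unauthenticated suites stay disabled */`, and confirm that the obsolete-server-crypto test still passes with it. Whether later certificate checks in openconnect_open_https would reject an anonymous handshake anyway cannot be judged here, because the function body starts and ends outside the hunk.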