[OE-core] [PATCH v2] openssl: disable SSLv3 by default
brendan.le.foll at intel.com
brendan.le.foll at intel.com
Thu Feb 19 15:45:10 UTC 2015
From: Brendan Le Foll <brendan.le.foll at intel.com>
Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
SSLv3 even if patched with the TLS_FALLBACK_SCSV
Signed-off-by: Brendan Le Foll <brendan.le.foll at intel.com>
---
meta/recipes-connectivity/openssl/openssl.inc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 6eb1b5e..f42b1ea 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -16,6 +16,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
S = "${WORKDIR}/openssl-${PV}"
PACKAGECONFIG[perl] = ",,,"
+# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
+# vulnerability
+PACKAGECONFIG[ssl3] = "--enable-ssl3, --no-ssl3,,"
AR_append = " r"
# Avoid binaries being marked as requiring an executable stack since it
--
2.2.1
More information about the Openembedded-core
mailing list