File openssl-add_DEFAULT_SUSE_cipher_list.patch of Package compat-openssl098.14113

Index: openssl-0.9.8j/ssl/ssl.h
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl.h	2017-04-18 17:29:45.151203872 +0200
+++ openssl-0.9.8j/ssl/ssl.h	2017-04-18 17:29:45.179204314 +0200
@@ -323,6 +323,9 @@ extern "C" {
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
 #define SSL_DEFAULT_CIPHER_LIST	"AES:ALL:!aNULL:!eNULL:!EXP:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1
Index: openssl-0.9.8j/ssl/ssl_ciph.c
===================================================================
--- openssl-0.9.8j.orig/ssl/ssl_ciph.c	2017-04-18 17:29:45.019201786 +0200
+++ openssl-0.9.8j/ssl/ssl_ciph.c	2017-04-18 17:29:45.179204314 +0200
@@ -1021,7 +1021,17 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
 	 */
 	ok = 1;
 	rule_p = rule_str;
-	if (strncmp(rule_str,"DEFAULT",7) == 0)
+
+	if (strncmp(rule_str,"DEFAULT_SUSE",12) == 0)
+		{
+		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+			co_list, &head, &tail, ca_list);
+		rule_p += 12;
+		if (*rule_p == ':')
+			rule_p++;
+		}
+
+	else if (strncmp(rule_str,"DEFAULT",7) == 0)
 		{
 		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
 			co_list, &head, &tail, ca_list);
Index: openssl-0.9.8j/test/testssl
===================================================================
--- openssl-0.9.8j.orig/test/testssl	2005-02-02 00:48:36.000000000 +0100
+++ openssl-0.9.8j/test/testssl	2017-04-18 17:29:45.179204314 +0200
@@ -119,6 +119,25 @@ $ssltest -bio_pair -server_auth -client_
 echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
 $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 
+echo "Testing default ciphersuites"
+
+for cipher_suite in DEFAULT_SUSE DEFAULT; do
+    ../util/shlib_wrap.sh ../apps/openssl ciphers $cipher_suite
+    if [ $? -ne 0 ]; then
+        echo "Failed default ciphersuite $cipher_suite"
+        exit 1
+    fi
+done
+
+echo "Testing if MD5, DES and RC4 are excluded from DEFAULT_SUSE cipher suite"
+../util/shlib_wrap.sh ../apps/openssl ciphers DEFAULT_SUSE| grep "MD5\|RC4\|DES-[^CBC3]" 
+
+if [ $? -ne 1 ];then
+    echo "weak ciphers are present on DEFAULT_SUSE cipher suite"
+    exit 1
+fi
+
+
 #############################################################################
 
 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
openSUSE Build Service is sponsored by