diff --git a/net/freeswitch-stable/Makefile b/net/freeswitch-stable/Makefile index 18beb3f..2a8cf03 100644 --- a/net/freeswitch-stable/Makefile +++ b/net/freeswitch-stable/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PRG_NAME:=freeswitch PKG_NAME:=$(PRG_NAME)-stable PKG_VERSION:=1.10.1 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_MAINTAINER:=Sebastian Kemper PKG_SOURCE:=$(PRG_NAME)-$(PKG_VERSION).-release.tar.xz diff --git a/net/freeswitch-stable/patches/040-gentls_cert_update_message_digest.patch b/net/freeswitch-stable/patches/040-gentls_cert_update_message_digest.patch new file mode 100644 index 0000000..ff5226d --- /dev/null +++ b/net/freeswitch-stable/patches/040-gentls_cert_update_message_digest.patch @@ -0,0 +1,51 @@ +commit 70d1cbafe4ab0176cd9fc01f740e34cd1bae326b +Author: Sebastian Kemper +Date: Wed Nov 13 20:29:50 2019 +0100 + + [gentls_cert] Update message digest + + Debian Buster updated /etc/ssl/openssl.cnf to default to + + MinProtocol = TLSv1.2 + CipherString = DEFAULT@SECLEVEL=2 + + gentls_cert currently uses SHA1 as message digest. According to OpenSSL + documentation this only offers 80 bit of security. 80 bits is enough for + security level 1, but not 2. + + The OpenSSL default MD nowadays is SHA256. This commit updates + gentls_cert to use it. + + Issue was reported on the FS mailing list. The certificates created by + gentls_cert caused "md too weak" errors and clients were unable to + connect. + + Signed-off-by: Sebastian Kemper + +diff --git a/scripts/gentls_cert.in b/scripts/gentls_cert.in +index 43aa8ac605..dd56c9f6dc 100644 +--- a/scripts/gentls_cert.in ++++ b/scripts/gentls_cert.in +@@ -89,7 +89,7 @@ setup_ca() { + + openssl req -out "${CONFDIR}/CA/cacert.pem" \ + -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \ +- -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1 ++ -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha256 >/dev/null || exit 1 + cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem" + cp $TMPFILE.cfg /tmp/ssl.cfg + rm "${TMPFILE}.cfg" +@@ -131,11 +131,11 @@ generate_cert() { + + openssl req -new -out "${TMPFILE}.req" \ + -newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \ +- -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1 ++ -config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1 + + openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \ + -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \ +- -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1 ++ -extensions "${EXTENSIONS}" -days ${DAYS} -sha256 >/dev/null || exit 1 + + cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}" +