Difuse/telephony
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #498 from micmac1/1907-fix-weak-md

Browse source 
[19.07] freeswitch-stable: fix weak md in gentls_cert
This commit is contained in:
micmac1 2019-12-20 10:11:54 +01:00 committed by GitHub
commit f920139fea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 52 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/freeswitch-stable/Makefile
View file

@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PRG_NAME:=freeswitch PRG_NAME:=freeswitch
PKG_NAME:=$(PRG_NAME)-stable PKG_NAME:=$(PRG_NAME)-stable
PKG_VERSION:=1.10.1 PKG_VERSION:=1.10.1
PKG_RELEASE:=3 PKG_RELEASE:=4
PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net> PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net>
PKG_SOURCE:=$(PRG_NAME)-$(PKG_VERSION).-release.tar.xz PKG_SOURCE:=$(PRG_NAME)-$(PKG_VERSION).-release.tar.xz

51
net/freeswitch-stable/patches/040-gentls_cert_update_message_digest.patch Normal file
View file

@ -0,0 +1,51 @@
commit 70d1cbafe4ab0176cd9fc01f740e34cd1bae326b
Author: Sebastian Kemper <sebastian_ml@gmx.net>
Date: Wed Nov 13 20:29:50 2019 +0100
[gentls_cert] Update message digest
Debian Buster updated /etc/ssl/openssl.cnf to default to
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
gentls_cert currently uses SHA1 as message digest. According to OpenSSL
documentation this only offers 80 bit of security. 80 bits is enough for
security level 1, but not 2.
The OpenSSL default MD nowadays is SHA256. This commit updates
gentls_cert to use it.
Issue was reported on the FS mailing list. The certificates created by
gentls_cert caused "md too weak" errors and clients were unable to
connect.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
diff --git a/scripts/gentls_cert.in b/scripts/gentls_cert.in
index 43aa8ac605..dd56c9f6dc 100644
--- a/scripts/gentls_cert.in
+++ b/scripts/gentls_cert.in
@@ -89,7 +89,7 @@ setup_ca() {
openssl req -out "${CONFDIR}/CA/cacert.pem" \
-new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \
- -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1
+ -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha256 >/dev/null || exit 1
cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem"
cp $TMPFILE.cfg /tmp/ssl.cfg
rm "${TMPFILE}.cfg"
@@ -131,11 +131,11 @@ generate_cert() {
openssl req -new -out "${TMPFILE}.req" \
-newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \
- -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1
+ -config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1
openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \
-in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \
- -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1
+ -extensions "${EXTENSIONS}" -days ${DAYS} -sha256 >/dev/null || exit 1
cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"