mlogc: Changes the default SSL version to TLS 1.2 since SSLv3 is vulnerable to poodle

This commit is contained in:
Athmane Madjoudj 2014-11-03 22:10:50 +01:00
parent dfce998cb7
commit 5a0c73f78a
2 changed files with 34 additions and 1 deletions

@ -0,0 +1,28 @@
From 84f2299f6b3b56cf5342ad378c3641be548bf79c Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle <fcosta@trustwave.com>
Date: Mon, 3 Nov 2014 10:13:21 -0800
Subject: [PATCH] mlogc: Changes the default SSL algo to TLS 1.2
As reported by Josh Amishav-Zlatin, mlogc was making usage of SSLv3 instead of
TLS 1.2. Servers should not answer SSLv3 after poodle.
---
mlogc/mlogc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mlogc/mlogc.c b/mlogc/mlogc.c
index 4163230..c4b2a23 100644
--- a/mlogc/mlogc.c
+++ b/mlogc/mlogc.c
@@ -1218,8 +1218,8 @@ static void logc_init(void)
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
- /* SSLv3 works better overall as some servers have issues with TLS */
- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
+ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+
curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
curl_easy_setopt(curl, CURLOPT_HEADER, TRUE);
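Review bot: the two lines just above the change, `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);` and `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);`, are left in place, so mlogc still accepts any certificate from the log receiver; forcing TLS 1.2 removes the SSLv3/POODLE exposure but the audit-log upload remains unauthenticated against an active attacker, and enabling peer and host verification (or at least documenting why they stay off) belongs in the same fix. Two smaller points: CURL_SSLVERSION_TLSv1_2 only exists in libcurl 7.34.0 and later, so either the build should require that version or the code needs a fallback (e.g. CURL_SSLVERSION_TLSv1, which lets libcurl negotiate any TLS 1.x) for older libcurl; and the removed comment noted that some servers had trouble with TLS, so pinning TLS 1.2 specifically will refuse receivers that only speak TLS 1.0/1.1, which the commit message should call out. The stray empty `+` line left where the comment was can also be dropped.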
--
1.9.1

@ -10,7 +10,7 @@
Summary: Security module for the Apache HTTP Server Summary: Security module for the Apache HTTP Server
Name: mod_security Name: mod_security
Version: 2.8.0 Version: 2.8.0
Release: 5%{?dist} Release: 6%{?dist}
License: ASL 2.0 License: ASL 2.0
URL: http://www.modsecurity.org/ URL: http://www.modsecurity.org/
Group: System Environment/Daemons Group: System Environment/Daemons
@ -18,6 +18,7 @@ Source: https://www.modsecurity.org/tarball/%{version}/modsecurity-%{version}.ta
Source1: mod_security.conf Source1: mod_security.conf
Source2: 10-mod_security.conf Source2: 10-mod_security.conf
Source3: modsecurity_localrules.conf Source3: modsecurity_localrules.conf
Patch0: 0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch
Requires: httpd httpd-mmn = %{_httpd_mmn} Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
@ -38,6 +39,7 @@ This package contains the ModSecurity Audit Log Collector.
%prep %prep
%setup -q -n modsecurity-%{version} %setup -q -n modsecurity-%{version}
%patch0 -p1
%build %build
%configure --enable-pcre-match-limit=1000000 \ %configure --enable-pcre-match-limit=1000000 \
@ -120,6 +122,9 @@ rm -rf %{buildroot}
%endif %endif
%changelog %changelog
* Mon Nov 03 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-6
- Changes the default SSL version to TLS 1.2 since SSLv3 is vulnerable to poodle
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-5 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.8.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
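Review bot: the new changelog entry header `* Mon Nov 03 2014 Athmane Madjoudj <athmane@fedoraproject.org> 2.8.0-6` omits the ` - ` separator before the version that the entry below it uses (`... <rel-eng@lists.fedoraproject.org> - 2.8.0-5`); keep the existing format so the changelog stays consistent and tools that parse it see the version field.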