From d8732e2dd66710042ac69afd402195c2eeb31ae4 Mon Sep 17 00:00:00 2001
From: Athmane Madjoudj
Date: Wed, 26 Apr 2017 00:46:39 +0100
Subject: [PATCH] Change mlogc default SSL algo (RHBZ #1441614)
---
 ...nges-the-default-SSL-algo-to-TLS-1.2.patch | 28 +++++++++++++++++++
 mod_security.spec | 7 ++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch
diff --git a/0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch b/0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch
new file mode 100644
index 0000000..3f8a93f
--- /dev/null
+++ b/0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch
@@ -0,0 +1,28 @@
+From 84f2299f6b3b56cf5342ad378c3641be548bf79c Mon Sep 17 00:00:00 2001
+From: Felipe Zimmerle
+Date: Mon, 3 Nov 2014 10:13:21 -0800
+Subject: [PATCH] mlogc: Changes the default SSL algo to TLS 1.2
+
+As reported by Josh Amishav-Zlatin, mlogc was making usage of SSLv3 instead of
+TLS 1.2. Servers should not answer SSLv3 after poodle.
+---
+ mlogc/mlogc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mlogc/mlogc.c b/mlogc/mlogc.c
+index 4163230..c4b2a23 100644
+--- a/mlogc/mlogc.c
++++ b/mlogc/mlogc.c
+@@ -1218,8 +1218,8 @@ static void logc_init(void)
+ curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+- /* SSLv3 works better overall as some servers have issues with TLS */
+- curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
++ curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
++
+ curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15);
+ curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE);
+ curl_easy_setopt(curl, CURLOPT_HEADER, TRUE);
+--
+1.9.1
\ No newline at end of file
diff --git a/mod_security.spec b/mod_security.spec
index 505d036..cd5cd00 100644
--- a/mod_security.spec
+++ b/mod_security.spec
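Review bot: The context lines of the backported logc_init() hunk still set `CURLOPT_SSL_VERIFYPEER` to `FALSE` and `CURLOPT_SSL_VERIFYHOST` to `0`, so moving from SSLv3 to TLS 1.2 leaves the collector connection unauthenticated: whoever terminates the connection receives the HTTP Basic credentials and audit-log entries mlogc sends, whatever protocol version is negotiated. Consider a follow-up patch that enables verification by default, `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);` and `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);`, with an explicit opt-out in the mlogc configuration for consoles that use self-signed certificates. Separately, `CURL_SSLVERSION_TLSv1_2` is only defined by libcurl 7.34.0 and later, while the spec's `BuildRequires` lists `curl-devel` unversioned, so it is worth confirming that every target branch ships a new enough libcurl. The body of logc_init() starts and ends outside the hunk.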
@@ -10,7 +10,7 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.7.3 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons @@ -20,6 +20,7 @@ Source2: 10-mod_security.conf Patch0: mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch Patch1: mod_security-2.7.6-fix_chunked_string_case_sensitive_issue-cve-2013-5705.patch Patch2: mod_security-fix-error-500-for-invalid-requests.patch +Patch3: 0001-mlogc-Changes-the-default-SSL-algo-to-TLS-1.2.patch Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel @@ -43,6 +44,7 @@ This package contains the ModSecurity Audit Log Collector. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build %configure --enable-pcre-match-limit=1000000 \ @@ -113,6 +115,9 @@ rm -rf %{buildroot} %endif %changelog +* Wed Apr 26 2017 Athmane Madjoudj - 2.7.3-5 +- Change mlogc default SSL algo (RHBZ #1441614) + * Thu Jun 16 2016 Athmane Madjoudj - 2.7.3-4 - Add a fix for failing on PUT/POST requests with http 500 error (RHBZ #1344471)