-rw-r--r--mongo-c-driver-crypto.patch17
-rw-r--r--mongo-c-driver.spec11
2 files changed, 27 insertions, 1 deletions
diff --git a/mongo-c-driver-crypto.patch b/mongo-c-driver-crypto.patch
new file mode 100644
index 0000000..e3cf7da
--- /dev/null
+++ b/mongo-c-driver-crypto.patch
@@ -0,0 +1,17 @@
+diff -up ./src/mongoc/mongoc-ssl.c.old ./src/mongoc/mongoc-ssl.c
+--- ./src/mongoc/mongoc-ssl.c.old 2016-05-16 10:06:56.592895951 +0200
++++ ./src/mongoc/mongoc-ssl.c 2016-05-16 10:07:57.737182179 +0200
+@@ -405,11 +405,8 @@ _mongoc_ssl_ctx_new (mongoc_ssl_opt_t *o
+ * SSL_OP_NO_SSLv2 - Disable SSL v2 support */
+ SSL_CTX_set_options (ctx, (SSL_OP_ALL | SSL_OP_NO_SSLv2));
+
+- /* HIGH - Enable strong ciphers
+- * !EXPORT - Disable export ciphers (40/56 bit)
+- * !aNULL - Disable anonymous auth ciphers
+- * @STRENGTH - Sort ciphers based on strength */
+- SSL_CTX_set_cipher_list (ctx, "HIGH:!EXPORT:!aNULL@STRENGTH");
++ /* See https://fedoraproject.org/wiki/Packaging:CryptoPolicies */
++ SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM");
+
+ /* If renegotiation is needed, don't return from recv() or send() until it's successful.
+ * Note: this is for blocking sockets only. */
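Review bot: The return value of the new `SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM")` call is discarded, so if the linked OpenSSL does not recognise the `PROFILE=SYSTEM` keyword (a distribution extension, not a standard cipher string) the call fails and the context silently keeps the library's default cipher list, which may be looser than the `HIGH:!EXPORT:!aNULL` list this patch removes. I would test the result, `if (!SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM"))`, and on failure either abort context creation or fall back to the previous explicit list. The body of `_mongoc_ssl_ctx_new` continues outside the hunk, so how it reports errors to its caller is not visible here. Separately, the unchanged options line above still disables only SSLv2, and it cannot be told from this hunk whether the system policy also restricts protocol versions for this context.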
diff --git a/mongo-c-driver.spec b/mongo-c-driver.spec
index a9673ad..2e6f3bf 100644
--- a/mongo-c-driver.spec
+++ b/mongo-c-driver.spec
@@ -23,13 +23,17 @@
Name: mongo-c-driver
Summary: Client library written in C for MongoDB
Version: 1.3.5
-Release: 1%{?dist}
+Release: 2%{?dist}
License: ASL 2.0
Group: System Environment/Libraries
URL: https://github.com/%{gh_owner}/%{gh_project}
Source0: https://github.com/%{gh_owner}/%{gh_project}/releases/download/%{version}%{?prever:-%{prever}}/%{gh_project}-%{version}%{?prever:-%{prever}}.tar.gz
+# Enforce system crypto policies
+# https://fedoraproject.org/wiki/Packaging:CryptoPolicies
+Patch0: %{name}-crypto.patch
+
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(libbson-1.0)
%if 0%{?fedora} > 21 || 0%{?rhel} > 6
@@ -80,6 +84,8 @@ Documentation: http://api.mongodb.org/c/%{version}/
%prep
%setup -q -n %{gh_project}-%{version}%{?prever:-%{prever}}
+%patch0 -p1 -b .cryptopolicy
+
rm -r src/libbson
# Ignore check for libbson version = libmongoc version
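Review bot: `%patch0 -p1 -b .cryptopolicy` is applied unconditionally, yet the `%if 0%{?fedora} > 21 || 0%{?rhel} > 6` line in the first hunk suggests this spec is also built for RHEL-type targets, whose OpenSSL may not accept the `PROFILE=SYSTEM` cipher keyword. On such a build the patched `SSL_CTX_set_cipher_list` call would presumably fail at run time and leave the default cipher list in place instead of the upstream `HIGH:!EXPORT:!aNULL` list. I would wrap the patch application in a distribution conditional covering only releases that ship crypto-policies support, for example `%if 0%{?fedora}` … `%endif` around `%patch0` (the exact condition needs confirming against the build targets). The comment above `Patch0:` could also say that the patch is distribution-specific and not intended for upstream.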
@@ -171,6 +177,9 @@ exit $ret
%changelog
+* Mon May 16 2016 Remi Collet <remi@fedoraproject.org> - 1.3.5-2
+- add patch to enforce system crypto policies
+
* Thu Mar 31 2016 Remi Collet <remi@fedoraproject.org> - 1.3.5-1
- update to 1.3.5
- use --disable-automatic-init-and-cleanup build option