From 77345cceebfeb6f174556d2d2fd65002f4239bd6 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Mon, 16 May 2016 10:14:54 +0200
Subject: mongo-c-driver: add patch to enforce system crypto policies

---
 mongo-c-driver-crypto.patch | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 mongo-c-driver-crypto.patch

(limited to 'mongo-c-driver-crypto.patch')

diff --git a/mongo-c-driver-crypto.patch b/mongo-c-driver-crypto.patch
new file mode 100644
index 0000000..e3cf7da
--- /dev/null
+++ b/mongo-c-driver-crypto.patch
@@ -0,0 +1,17 @@
+diff -up ./src/mongoc/mongoc-ssl.c.old ./src/mongoc/mongoc-ssl.c
+--- ./src/mongoc/mongoc-ssl.c.old	2016-05-16 10:06:56.592895951 +0200
++++ ./src/mongoc/mongoc-ssl.c	2016-05-16 10:07:57.737182179 +0200
+@@ -405,11 +405,8 @@ _mongoc_ssl_ctx_new (mongoc_ssl_opt_t *o
+     * SSL_OP_NO_SSLv2 - Disable SSL v2 support */
+    SSL_CTX_set_options (ctx, (SSL_OP_ALL | SSL_OP_NO_SSLv2));
+ 
+-   /* HIGH - Enable strong ciphers
+-    * !EXPORT - Disable export ciphers (40/56 bit)
+-    * !aNULL - Disable anonymous auth ciphers
+-    * @STRENGTH - Sort ciphers based on strength */
+-   SSL_CTX_set_cipher_list (ctx, "HIGH:!EXPORT:!aNULL@STRENGTH");
++   /* See https://fedoraproject.org/wiki/Packaging:CryptoPolicies */
++   SSL_CTX_set_cipher_list (ctx, "PROFILE=SYSTEM");
+ 
+    /* If renegotiation is needed, don't return from recv() or send() until it's successful.
+     * Note: this is for blocking sockets only. */
-- 
cgit