1 files changed, 503 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
new file mode 100644
index 0000000000..d2602447f3
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
@@ -0,0 +1,503 @@
+From bc38a7d2d3c6082163c50ddf99464736110f2000 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Fri, 19 Feb 2016 13:05:11 -0500
+Subject: [PATCH] Disable EXPORT and LOW SSLv3+ ciphers by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Reviewed-by: Emilia Käsper <emilia@openssl.org>
+Upstream-Status: Backport
+https://git.openssl.org/?p=openssl.git;a=commit;h=bc38a7d2d3c6082163c50ddf99464736110f2000
+CVE: CVE-2016-0800 #3 patch
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ CHANGES              |  5 +++++
+ Configure            |  5 +++++
+ NEWS                 |  1 +
+ doc/apps/ciphers.pod | 30 ++++++++++++++++++++---------
+ ssl/s3_lib.c         | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 86 insertions(+), 9 deletions(-)
+Index: openssl-1.0.2d/Configure
+===================================================================
+--- openssl-1.0.2d.orig/Configure
+++ openssl-1.0.2d/Configure
+@@ -58,6 +58,10 @@ my $usage="Usage: Configure [no-<cipher>
+ #              library and will be loaded in run-time by the OpenSSL library.
+ # sctp          include SCTP support
+ # 386           generate 80386 code
+# enable-weak-ssl-ciphers
+#              Enable EXPORT and LOW SSLv3 ciphers that are disabled by
+#              default.  Note, weak SSLv2 ciphers are unconditionally
+#              disabled.
+ # no-sse2      disables IA-32 SSE2 code, above option implies no-sse2
+ # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
+ # -<xxx> +<xxx> compiler options are passed through 
+@@ -853,6 +857,7 @@ my %disabled = ( # "what"         => "co
+                 "ssl2"           => "default",
+                 "store"          => "experimental",
+                 "unit-test"      => "default",
+                "weak-ssl-ciphers" => "default",
+                 "zlib"           => "default",
+                 "zlib-dynamic"   => "default"
+               );
+Index: openssl-1.0.2d/doc/apps/ciphers.pod
+===================================================================
+--- openssl-1.0.2d.orig/doc/apps/ciphers.pod
+++ openssl-1.0.2d/doc/apps/ciphers.pod
+@@ -136,34 +136,46 @@ than 128 bits, and some cipher suites wi
+ 
+ =item B<LOW>
+ 
+-"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
+-but excluding export cipher suites.
+Low strength encryption cipher suites, currently those using 64 or 56 bit
+encryption algorithms but excluding export cipher suites.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
+ 
+ =item B<EXP>, B<EXPORT>
+ 
+-export encryption algorithms. Including 40 and 56 bits algorithms.
+Export strength encryption algorithms. Including 40 and 56 bits algorithms.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
+ 
+ =item B<EXPORT40>
+ 
+-40 bit export encryption algorithms
+40-bit export encryption algorithms
+As of OpenSSL 1.0.2g, these are disabled in default builds.
+ 
+ =item B<EXPORT56>
+ 
+-56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
+56-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
+ 56 bit export ciphers is empty unless OpenSSL has been explicitly configured
+ with support for experimental ciphers.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
+ 
+ =item B<eNULL>, B<NULL>
+ 
+-the "NULL" ciphers that is those offering no encryption. Because these offer no
+-encryption at all and are a security risk they are disabled unless explicitly
+-included.
+The "NULL" ciphers that is those offering no encryption. Because these offer no
+encryption at all and are a security risk they are not enabled via either the
+B<DEFAULT> or B<ALL> cipher strings.
+Be careful when building cipherlists out of lower-level primitives such as
+B<kRSA> or B<aECDSA> as these do overlap with the B<eNULL> ciphers.
+When in doubt, include B<!eNULL> in your cipherlist.
+ 
+ =item B<aNULL>
+ 
+-the cipher suites offering no authentication. This is currently the anonymous
+The cipher suites offering no authentication. This is currently the anonymous
+ DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
+ to a "man in the middle" attack and so their use is normally discouraged.
+These are excluded from the B<DEFAULT> ciphers, but included in the B<ALL>
+ciphers.
+Be careful when building cipherlists out of lower-level primitives such as
+B<kDHE> or B<AES> as these do overlap with the B<aNULL> ciphers.
+When in doubt, include B<!aNULL> in your cipherlist.
+ 
+ =item B<kRSA>, B<RSA>
+ 
+Index: openssl-1.0.2d/ssl/s3_lib.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s3_lib.c
+++ openssl-1.0.2d/ssl/s3_lib.c
+@@ -198,6 +198,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 03 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_RC4_40_MD5,
+@@ -212,6 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+#endif
+ 
+ /* Cipher 04 */
+     {
+@@ -246,6 +248,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 06 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_RC2_40_MD5,
+@@ -260,6 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+#endif
+ 
+ /* Cipher 07 */
+ #ifndef OPENSSL_NO_IDEA
+@@ -280,6 +284,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ #endif
+ 
+ /* Cipher 08 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_DES_40_CBC_SHA,
+@@ -294,8 +299,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+#endif
+ 
+ /* Cipher 09 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_RSA_DES_64_CBC_SHA,
+@@ -310,6 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+#endif
+ 
+ /* Cipher 0A */
+     {
+@@ -329,6 +337,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 
+ /* The DH ciphers */
+ /* Cipher 0B */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      0,
+      SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
+@@ -343,8 +352,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+#endif
+ 
+ /* Cipher 0C */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
+@@ -359,6 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+#endif
+ 
+ /* Cipher 0D */
+     {
+@@ -377,6 +389,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 0E */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      0,
+      SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
+@@ -391,8 +404,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+#endif
+ 
+ /* Cipher 0F */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
+@@ -407,6 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+#endif
+ 
+ /* Cipher 10 */
+     {
+@@ -426,6 +442,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ 
+ /* The Ephemeral DH ciphers */
+ /* Cipher 11 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
+@@ -440,8 +457,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+#endif
+ 
+ /* Cipher 12 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
+@@ -456,6 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+#endif
+ 
+ /* Cipher 13 */
+     {
+@@ -474,6 +494,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 14 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
+@@ -488,8 +509,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+#endif
+ 
+ /* Cipher 15 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
+@@ -504,6 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+#endif
+ 
+ /* Cipher 16 */
+     {
+@@ -522,6 +546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 17 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_ADH_RC4_40_MD5,
+@@ -536,6 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+#endif
+ 
+ /* Cipher 18 */
+     {
+@@ -554,6 +580,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 19 */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_ADH_DES_40_CBC_SHA,
+@@ -568,8 +595,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+#endif
+ 
+ /* Cipher 1A */
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_ADH_DES_64_CBC_SHA,
+@@ -584,6 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+#endif
+ 
+ /* Cipher 1B */
+     {
+@@ -655,6 +685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ #ifndef OPENSSL_NO_KRB5
+ /* The Kerberos ciphers*/
+ /* Cipher 1E */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_DES_64_CBC_SHA,
+@@ -669,6 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+# endif
+ 
+ /* Cipher 1F */
+     {
+@@ -719,6 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 22 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_DES_64_CBC_MD5,
+@@ -733,6 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+# endif
+ 
+ /* Cipher 23 */
+     {
+@@ -783,6 +817,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      },
+ 
+ /* Cipher 26 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_DES_40_CBC_SHA,
+@@ -797,8 +832,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+# endif
+ 
+ /* Cipher 27 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_RC2_40_CBC_SHA,
+@@ -813,8 +850,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+# endif
+ 
+ /* Cipher 28 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_RC4_40_SHA,
+@@ -829,8 +868,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+# endif
+ 
+ /* Cipher 29 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_DES_40_CBC_MD5,
+@@ -845,8 +886,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      56,
+      },
+# endif
+ 
+ /* Cipher 2A */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_RC2_40_CBC_MD5,
+@@ -861,8 +904,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+# endif
+ 
+ /* Cipher 2B */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      SSL3_TXT_KRB5_RC4_40_MD5,
+@@ -877,6 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      40,
+      128,
+      },
+# endif
+ #endif                          /* OPENSSL_NO_KRB5 */
+ 
+ /* New AES ciphersuites */
+@@ -1300,6 +1346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ # endif
+ 
+     /* Cipher 62 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+@@ -1314,8 +1361,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+# endif
+ 
+     /* Cipher 63 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+@@ -1330,8 +1379,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      56,
+      },
+# endif
+ 
+     /* Cipher 64 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
+@@ -1346,8 +1397,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      128,
+      },
+# endif
+ 
+     /* Cipher 65 */
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+     {
+      1,
+      TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+@@ -1362,6 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+      56,
+      128,
+      },
+# endif
+ 
+     /* Cipher 66 */
+     {
+Index: openssl-1.0.2d/CHANGES
+===================================================================
+--- openssl-1.0.2d.orig/CHANGES
+++ openssl-1.0.2d/CHANGES
+@@ -2,7 +2,11 @@
+  OpenSSL CHANGES
+  _______________
+ 
+- 
+  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+    Builds that are not configured with "enable-weak-ssl-ciphers" will not
+    provide any "EXPORT" or "LOW" strength ciphers.
+    [Viktor Dukhovni]
+
+   * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+     is by default disabled at build-time.  Builds that are not configured with
+     "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+Index: openssl-1.0.2d/NEWS
+===================================================================
+--- openssl-1.0.2d.orig/NEWS
+++ openssl-1.0.2d/NEWS
+@@ -1,6 +1,7 @@
+ 
+   NEWS
+   ====
+  Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+   Disable SSLv2 default build, default negotiation and weak ciphers.
+ 
+   This file gives a brief overview of the major changes between each OpenSSL

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch new file mode 100644 index 0000000000..d2602447f3 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_3.patch
@@ -0,0 +1,503 @@
	1	From bc38a7d2d3c6082163c50ddf99464736110f2000 Mon Sep 17 00:00:00 2001
	2	From: Viktor Dukhovni <openssl-users@dukhovni.org>
	3	Date: Fri, 19 Feb 2016 13:05:11 -0500
	4	Subject: [PATCH] Disable EXPORT and LOW SSLv3+ ciphers by default
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Reviewed-by: Emilia Käsper <emilia@openssl.org>
	10
	11	Upstream-Status: Backport
	12
	13	https://git.openssl.org/?p=openssl.git;a=commit;h=bc38a7d2d3c6082163c50ddf99464736110f2000
	14
	15	CVE: CVE-2016-0800 #3 patch
	16	Signed-off-by: Armin Kuster <akuster@mvista.com>
	17
	18	---
	19	CHANGES \| 5 +++++
	20	Configure \| 5 +++++
	21	NEWS \| 1 +
	22	doc/apps/ciphers.pod \| 30 ++++++++++++++++++++---------
	23	ssl/s3_lib.c \| 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
	24	5 files changed, 86 insertions(+), 9 deletions(-)
	25
	26	Index: openssl-1.0.2d/Configure
	27	===================================================================
	28	--- openssl-1.0.2d.orig/Configure
	29	+++ openssl-1.0.2d/Configure
	30	@@ -58,6 +58,10 @@ my $usage="Usage: Configure [no-<cipher>
	31	# library and will be loaded in run-time by the OpenSSL library.
	32	# sctp include SCTP support
	33	# 386 generate 80386 code
	34	+# enable-weak-ssl-ciphers
	35	+# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
	36	+# default. Note, weak SSLv2 ciphers are unconditionally
	37	+# disabled.
	38	# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
	39	# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
	40	# -<xxx> +<xxx> compiler options are passed through
	41	@@ -853,6 +857,7 @@ my %disabled = ( # "what" => "co
	42	"ssl2" => "default",
	43	"store" => "experimental",
	44	"unit-test" => "default",
	45	+ "weak-ssl-ciphers" => "default",
	46	"zlib" => "default",
	47	"zlib-dynamic" => "default"
	48	);
	49	Index: openssl-1.0.2d/doc/apps/ciphers.pod
	50	===================================================================
	51	--- openssl-1.0.2d.orig/doc/apps/ciphers.pod
	52	+++ openssl-1.0.2d/doc/apps/ciphers.pod
	53	@@ -136,34 +136,46 @@ than 128 bits, and some cipher suites wi
	54
	55	=item B<LOW>
	56
	57	-"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
	58	-but excluding export cipher suites.
	59	+Low strength encryption cipher suites, currently those using 64 or 56 bit
	60	+encryption algorithms but excluding export cipher suites.
	61	+As of OpenSSL 1.0.2g, these are disabled in default builds.
	62
	63	=item B<EXP>, B<EXPORT>
	64
	65	-export encryption algorithms. Including 40 and 56 bits algorithms.
	66	+Export strength encryption algorithms. Including 40 and 56 bits algorithms.
	67	+As of OpenSSL 1.0.2g, these are disabled in default builds.
	68
	69	=item B<EXPORT40>
	70
	71	-40 bit export encryption algorithms
	72	+40-bit export encryption algorithms
	73	+As of OpenSSL 1.0.2g, these are disabled in default builds.
	74
	75	=item B<EXPORT56>
	76
	77	-56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
	78	+56-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
	79	56 bit export ciphers is empty unless OpenSSL has been explicitly configured
	80	with support for experimental ciphers.
	81	+As of OpenSSL 1.0.2g, these are disabled in default builds.
	82
	83	=item B<eNULL>, B<NULL>
	84
	85	-the "NULL" ciphers that is those offering no encryption. Because these offer no
	86	-encryption at all and are a security risk they are disabled unless explicitly
	87	-included.
	88	+The "NULL" ciphers that is those offering no encryption. Because these offer no
	89	+encryption at all and are a security risk they are not enabled via either the
	90	+B<DEFAULT> or B<ALL> cipher strings.
	91	+Be careful when building cipherlists out of lower-level primitives such as
	92	+B<kRSA> or B<aECDSA> as these do overlap with the B<eNULL> ciphers.
	93	+When in doubt, include B<!eNULL> in your cipherlist.
	94
	95	=item B<aNULL>
	96
	97	-the cipher suites offering no authentication. This is currently the anonymous
	98	+The cipher suites offering no authentication. This is currently the anonymous
	99	DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
	100	to a "man in the middle" attack and so their use is normally discouraged.
	101	+These are excluded from the B<DEFAULT> ciphers, but included in the B<ALL>
	102	+ciphers.
	103	+Be careful when building cipherlists out of lower-level primitives such as
	104	+B<kDHE> or B<AES> as these do overlap with the B<aNULL> ciphers.
	105	+When in doubt, include B<!aNULL> in your cipherlist.
	106
	107	=item B<kRSA>, B<RSA>
	108
	109	Index: openssl-1.0.2d/ssl/s3_lib.c
	110	===================================================================
	111	--- openssl-1.0.2d.orig/ssl/s3_lib.c
	112	+++ openssl-1.0.2d/ssl/s3_lib.c
	113	@@ -198,6 +198,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	114	},
	115
	116	/* Cipher 03 */
	117	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	118	{
	119	1,
	120	SSL3_TXT_RSA_RC4_40_MD5,
	121	@@ -212,6 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	122	40,
	123	128,
	124	},
	125	+#endif
	126
	127	/* Cipher 04 */
	128	{
	129	@@ -246,6 +248,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	130	},
	131
	132	/* Cipher 06 */
	133	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	134	{
	135	1,
	136	SSL3_TXT_RSA_RC2_40_MD5,
	137	@@ -260,6 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	138	40,
	139	128,
	140	},
	141	+#endif
	142
	143	/* Cipher 07 */
	144	#ifndef OPENSSL_NO_IDEA
	145	@@ -280,6 +284,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	146	#endif
	147
	148	/* Cipher 08 */
	149	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	150	{
	151	1,
	152	SSL3_TXT_RSA_DES_40_CBC_SHA,
	153	@@ -294,8 +299,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	154	40,
	155	56,
	156	},
	157	+#endif
	158
	159	/* Cipher 09 */
	160	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	161	{
	162	1,
	163	SSL3_TXT_RSA_DES_64_CBC_SHA,
	164	@@ -310,6 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	165	56,
	166	56,
	167	},
	168	+#endif
	169
	170	/* Cipher 0A */
	171	{
	172	@@ -329,6 +337,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	173
	174	/* The DH ciphers */
	175	/* Cipher 0B */
	176	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	177	{
	178	0,
	179	SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
	180	@@ -343,8 +352,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	181	40,
	182	56,
	183	},
	184	+#endif
	185
	186	/* Cipher 0C */
	187	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	188	{
	189	1,
	190	SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
	191	@@ -359,6 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	192	56,
	193	56,
	194	},
	195	+#endif
	196
	197	/* Cipher 0D */
	198	{
	199	@@ -377,6 +389,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	200	},
	201
	202	/* Cipher 0E */
	203	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	204	{
	205	0,
	206	SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
	207	@@ -391,8 +404,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	208	40,
	209	56,
	210	},
	211	+#endif
	212
	213	/* Cipher 0F */
	214	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	215	{
	216	1,
	217	SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
	218	@@ -407,6 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	219	56,
	220	56,
	221	},
	222	+#endif
	223
	224	/* Cipher 10 */
	225	{
	226	@@ -426,6 +442,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	227
	228	/* The Ephemeral DH ciphers */
	229	/* Cipher 11 */
	230	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	231	{
	232	1,
	233	SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
	234	@@ -440,8 +457,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	235	40,
	236	56,
	237	},
	238	+#endif
	239
	240	/* Cipher 12 */
	241	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	242	{
	243	1,
	244	SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
	245	@@ -456,6 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	246	56,
	247	56,
	248	},
	249	+#endif
	250
	251	/* Cipher 13 */
	252	{
	253	@@ -474,6 +494,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	254	},
	255
	256	/* Cipher 14 */
	257	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	258	{
	259	1,
	260	SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
	261	@@ -488,8 +509,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	262	40,
	263	56,
	264	},
	265	+#endif
	266
	267	/* Cipher 15 */
	268	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	269	{
	270	1,
	271	SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
	272	@@ -504,6 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	273	56,
	274	56,
	275	},
	276	+#endif
	277
	278	/* Cipher 16 */
	279	{
	280	@@ -522,6 +546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	281	},
	282
	283	/* Cipher 17 */
	284	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	285	{
	286	1,
	287	SSL3_TXT_ADH_RC4_40_MD5,
	288	@@ -536,6 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	289	40,
	290	128,
	291	},
	292	+#endif
	293
	294	/* Cipher 18 */
	295	{
	296	@@ -554,6 +580,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	297	},
	298
	299	/* Cipher 19 */
	300	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	301	{
	302	1,
	303	SSL3_TXT_ADH_DES_40_CBC_SHA,
	304	@@ -568,8 +595,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	305	40,
	306	128,
	307	},
	308	+#endif
	309
	310	/* Cipher 1A */
	311	+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	312	{
	313	1,
	314	SSL3_TXT_ADH_DES_64_CBC_SHA,
	315	@@ -584,6 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	316	56,
	317	56,
	318	},
	319	+#endif
	320
	321	/* Cipher 1B */
	322	{
	323	@@ -655,6 +685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	324	#ifndef OPENSSL_NO_KRB5
	325	/* The Kerberos ciphers*/
	326	/* Cipher 1E */
	327	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	328	{
	329	1,
	330	SSL3_TXT_KRB5_DES_64_CBC_SHA,
	331	@@ -669,6 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	332	56,
	333	56,
	334	},
	335	+# endif
	336
	337	/* Cipher 1F */
	338	{
	339	@@ -719,6 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	340	},
	341
	342	/* Cipher 22 */
	343	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	344	{
	345	1,
	346	SSL3_TXT_KRB5_DES_64_CBC_MD5,
	347	@@ -733,6 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	348	56,
	349	56,
	350	},
	351	+# endif
	352
	353	/* Cipher 23 */
	354	{
	355	@@ -783,6 +817,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	356	},
	357
	358	/* Cipher 26 */
	359	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	360	{
	361	1,
	362	SSL3_TXT_KRB5_DES_40_CBC_SHA,
	363	@@ -797,8 +832,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	364	40,
	365	56,
	366	},
	367	+# endif
	368
	369	/* Cipher 27 */
	370	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	371	{
	372	1,
	373	SSL3_TXT_KRB5_RC2_40_CBC_SHA,
	374	@@ -813,8 +850,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	375	40,
	376	128,
	377	},
	378	+# endif
	379
	380	/* Cipher 28 */
	381	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	382	{
	383	1,
	384	SSL3_TXT_KRB5_RC4_40_SHA,
	385	@@ -829,8 +868,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	386	40,
	387	128,
	388	},
	389	+# endif
	390
	391	/* Cipher 29 */
	392	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	393	{
	394	1,
	395	SSL3_TXT_KRB5_DES_40_CBC_MD5,
	396	@@ -845,8 +886,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	397	40,
	398	56,
	399	},
	400	+# endif
	401
	402	/* Cipher 2A */
	403	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	404	{
	405	1,
	406	SSL3_TXT_KRB5_RC2_40_CBC_MD5,
	407	@@ -861,8 +904,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	408	40,
	409	128,
	410	},
	411	+# endif
	412
	413	/* Cipher 2B */
	414	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	415	{
	416	1,
	417	SSL3_TXT_KRB5_RC4_40_MD5,
	418	@@ -877,6 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	419	40,
	420	128,
	421	},
	422	+# endif
	423	#endif /* OPENSSL_NO_KRB5 */
	424
	425	/* New AES ciphersuites */
	426	@@ -1300,6 +1346,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	427	# endif
	428
	429	/* Cipher 62 */
	430	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	431	{
	432	1,
	433	TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
	434	@@ -1314,8 +1361,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	435	56,
	436	56,
	437	},
	438	+# endif
	439
	440	/* Cipher 63 */
	441	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	442	{
	443	1,
	444	TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
	445	@@ -1330,8 +1379,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	446	56,
	447	56,
	448	},
	449	+# endif
	450
	451	/* Cipher 64 */
	452	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	453	{
	454	1,
	455	TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
	456	@@ -1346,8 +1397,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	457	56,
	458	128,
	459	},
	460	+# endif
	461
	462	/* Cipher 65 */
	463	+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
	464	{
	465	1,
	466	TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
	467	@@ -1362,6 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
	468	56,
	469	128,
	470	},
	471	+# endif
	472
	473	/* Cipher 66 */
	474	{
	475	Index: openssl-1.0.2d/CHANGES
	476	===================================================================
	477	--- openssl-1.0.2d.orig/CHANGES
	478	+++ openssl-1.0.2d/CHANGES
	479	@@ -2,7 +2,11 @@
	480	OpenSSL CHANGES
	481	_______________
	482
	483	-
	484	+ * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
	485	+ Builds that are not configured with "enable-weak-ssl-ciphers" will not
	486	+ provide any "EXPORT" or "LOW" strength ciphers.
	487	+ [Viktor Dukhovni]
	488	+
	489	* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
	490	is by default disabled at build-time. Builds that are not configured with
	491	"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
	492	Index: openssl-1.0.2d/NEWS
	493	===================================================================
	494	--- openssl-1.0.2d.orig/NEWS
	495	+++ openssl-1.0.2d/NEWS
	496	@@ -1,6 +1,7 @@
	497
	498	NEWS
	499	====
	500	+ Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
	501	Disable SSLv2 default build, default negotiation and weak ciphers.
	502
	503	This file gives a brief overview of the major changes between each OpenSSL