libressl

SOURCES/README.DHE.md

@@ -0,0 +1,93 @@
+DH Paramaters
+=============
+
+It is the opinion of the LibreSSL packager that whenever possible, DHE
+key exchange should be avoided and ECDHE key exchange should be used
+instead.
+
+Some TLS clients do not support ECDHE key exchange, so DHE may still
+need to be supported on some servers.
+
+MODP IKE DH Paramaters
+----------------------
+
+RFC 3526 defines several Diffie-Hellman groups for the Internet Key
+Exchange (IKE) protocol.
+
+The RFC may be retrieved at https://www.ietf.org/rfc/rfc3526.txt
+
+From that RFC, the following DH groups are provided in PEM format:
+
+* `/etc/pki/tls/MODP-IKE-2048-group14.pem`
+* `/etc/pki/tls/MODP-IKE-3072-group15.pem`
+* `/etc/pki/tls/MODP-IKE-4096-group16.pem`
+* `/etc/pki/tls/MODP-IKE-6144-group17.pem`
+* `/etc/pki/tls/MODP-IKE-8192-group18.pem`
+
+The `.pem` files were retrieved from https://bettercrypto.org/static/dhparams/
+
+At this point in time it is no longer recommended to use DH groups less
+than 2048-bit and if you must, they should be uniquely generated and
+fairly frequently so. For this reason, the 1536-bit MODP parameters are
+not included here.
+
+LibreSSL DH Parameters
+----------------------
+
+DH parameters < 1024-bit should never be used and are not supported by
+the LibreSSL library. They are vulnerable to the logjam attack, see
+https://weakdh.org/ for more information.
+
+DH parameters < 2048-bit should not be used but a few TLS clients still
+in use do not support DH parameters > 1024-bit. When using a 1024-bit
+group to satisfy those clients it is important that they are unique to
+your server and are re-generated frequently.
+
+YJL provides a cron script in `/etc/cron.daily` that will generate a
+fresh 2048-bit group on a daily basis, and a cron script in
+`/etc/cron.monthly` that will generate fresh 3072-bit and 4096-bit
+groups on a monthly basis.
+
+The results of those scripts are placed in the following PEM format
+files:
+
+* `/etc/pki/tls/dh2048.pem`
+* `/etc/pki/tls/dh3072.pem`
+* `/etc/pki/tls/dh4096.pem`
+
+The initial group in the `dh2048.pem`, `dh3072.pem`, and `dh4096.pem`
+files are the same as the MODP-IKE parameters. The group in the
+`dh2048.pem` file will be replaced by a fresh unique group generated
+on your server within a day of install, and the groups in the `dh3072.pem`
+and `dh4096.pem` files will be replaced by fresh unique groups within
+a month of install.
+
+Which to Use?
+-------------
+
+If you must use a 1024-bit group, you will need to generate it youself.
+I would recommend regenerating it at least four times a day.
+
+For 2048-bit, 3072-bit, 4096-bit you have a choice. Some prefer the
+pre-defined MODP-IKE parameters as they have likely been reviewed by
+many eyes, while others prefer parameters uniquely generated on the
+server.
+
+It is hypothetically possible unique parameters have a flaw that can
+be exploited (e.g. not truly prime and can be factored) but it is very
+unlikely.
+
+Similarly it is possible an attack has been crafted for the RFC published
+DH parameters, though that also is unlikely as it would almost certainly
+take more computing power than even the NSA has to even develop an attack
+against the published 2048-bit group.
+
+My *personal* preference is to use the `dh2048.pem` parameters that are
+daily re-generated on the server when I need to support DHE key exchange.
+The rationale I use is that if an attack ever is developed, it provides
+a moving target rather than a static target.
+
+If security beyond what the `dh4096.pem` parameters can provide is
+required, then I require ECDHE key exchange.
+
+EOF

SOURCES/group14.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
+-----END DH PARAMETERS-----

SOURCES/group15.pem

@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqTrS
+yv//////////AgEC
+-----END DH PARAMETERS-----

SOURCES/group16.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
+-----END DH PARAMETERS-----

SOURCES/group17.pem

@@ -0,0 +1,19 @@
+-----BEGIN DH PARAMETERS-----
+MIIDCAKCAwEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebcxA
+JP//////////AgEC
+-----END DH PARAMETERS-----

SOURCES/group18.pem

@@ -0,0 +1,24 @@
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
+WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
+ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
+xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
+Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
+aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
+38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
+-----END DH PARAMETERS-----

SOURCES/libressl-3.7.2-cnf-name.patch

@@ -0,0 +1,96 @@
+diff -ur libressl-3.7.2.orig/CMakeLists.txt libressl-3.7.2/CMakeLists.txt
+--- libressl-3.7.2.orig/CMakeLists.txt	2023-03-28 04:55:36.000000000 -0700
++++ libressl-3.7.2/CMakeLists.txt	2023-05-07 22:13:47.896252860 -0700
+@@ -445,7 +445,7 @@
+ endif()
+ 
+ if(ENABLE_LIBRESSL_INSTALL)
+-	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
++	install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+ 	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
+ endif(ENABLE_LIBRESSL_INSTALL)
+ 
+diff -ur libressl-3.7.2.orig/Makefile.am libressl-3.7.2/Makefile.am
+--- libressl-3.7.2.orig/Makefile.am	2023-03-28 04:55:36.000000000 -0700
++++ libressl-3.7.2/Makefile.am	2023-05-07 22:14:46.126652600 -0700
+@@ -12,7 +12,7 @@
+ 
+ EXTRA_DIST = README.md README.windows VERSION config scripts
+ EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake
+-EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
++EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
+ 
+ .PHONY: install_sw
+ install_sw: install
+@@ -24,7 +24,7 @@
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+ 	mkdir -p "$$OPENSSLDIR/certs"; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
++	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+ 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+ 		else \
+@@ -38,7 +38,7 @@
+ 	else \
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
++	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+ 			rm -f "$$OPENSSLDIR/$$i"; \
+ 		fi \
+diff -ur libressl-3.7.2.orig/Makefile.in libressl-3.7.2/Makefile.in
+--- libressl-3.7.2.orig/Makefile.in	2023-04-06 19:01:15.000000000 -0700
++++ libressl-3.7.2/Makefile.in	2023-05-07 22:15:24.941586209 -0700
+@@ -375,7 +375,7 @@
+ EXTRA_DIST = README.md README.windows VERSION config scripts \
+ 	CMakeLists.txt cmake_export_symbol.cmake \
+ 	cmake_uninstall.cmake.in FindLibreSSL.cmake cert.pem \
+-	openssl.cnf x509v3.cnf
++	libressl.cnf x509v3.cnf
+ all: all-recursive
+ 
+ .SUFFIXES:
+@@ -896,7 +896,7 @@
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+ 	mkdir -p "$$OPENSSLDIR/certs"; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
++	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+ 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+ 		else \
+@@ -910,7 +910,7 @@
+ 	else \
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
++	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+ 			rm -f "$$OPENSSLDIR/$$i"; \
+ 		fi \
+diff -ur libressl-3.7.2.orig/apps/openssl/apps.c libressl-3.7.2/apps/openssl/apps.c
+--- libressl-3.7.2.orig/apps/openssl/apps.c	2022-03-15 09:37:03.000000000 -0700
++++ libressl-3.7.2/apps/openssl/apps.c	2023-05-07 22:16:40.972497926 -0700
+@@ -1134,7 +1134,7 @@
+ 	const char *t = X509_get_default_cert_area();
+ 	char *p;
+ 
+-	if (asprintf(&p, "%s/openssl.cnf", t) == -1)
++	if (asprintf(&p, "%s/libressl.cnf", t) == -1)
+ 		return NULL;
+ 	return p;
+ }
+diff -ur libressl-3.7.2.orig/crypto/conf/conf_mod.c libressl-3.7.2/crypto/conf/conf_mod.c
+--- libressl-3.7.2.orig/crypto/conf/conf_mod.c	2022-02-18 14:30:39.000000000 -0800
++++ libressl-3.7.2/crypto/conf/conf_mod.c	2023-05-07 22:15:56.781711569 -0700
+@@ -545,7 +545,7 @@
+ {
+ 	char *file = NULL;
+ 
+-	if (asprintf(&file, "%s/openssl.cnf",
++	if (asprintf(&file, "%s/libressl.cnf",
+ 	    X509_get_default_cert_area()) == -1)
+ 		return (NULL);
+ 	return file;

SOURCES/libressl-yjl-additions.cnf

@@ -0,0 +1,223 @@
+
+# Additions from RHEL/CentOS 7 openssl.cnf w/ default_bits increased
+####################################################################
+[ req ]
+default_bits		= 3072
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= XX
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= Default Province
+
+localityName			= Locality Name (eg, city)
+localityName_default		= Default City
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Default Company Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+

SPECS/libressl.spec

@@ -0,0 +1,300 @@
+%if 0%{!?_ssldir:1} == 1
+%global _ssldir %{_sysconfdir}/ssl
+%endif
+%if 0%{!?_pkitls:1} == 1
+%global _pkitls %{_sysconfdir}/pki/tls
+%endif
+
+%if 0%{!?__sed:1} == 1
+%global __sed %{_bindir}/sed
+%endif
+%if 0%{!?__chrpath:1} == 1
+%global __chrpath %{_bindir}/chrpath
+%endif
+
+# Shared library versions
+%global slibcryptov 50.0.2
+%global slibsslv 53.0.2
+%global slibtlsv 26.0.2
+
+Name:     libressl
+Version:  3.7.2
+Release:  %{?repo}0.rc1%{?dist}
+Summary:  OpenBSD fork of the OpenSSL Cryptography Suite
+
+Group:    System Environment/Libraries
+License:  OpenSSL
+URL:      https://www.libressl.org/
+Source0:  https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/%{name}-%{version}.tar.gz
+Source1:  libressl-yjl-additions.cnf
+# some DH params
+#  2048
+Source20: https://bettercrypto.org/static/dhparams/group14.pem
+#  3072
+Source21: https://bettercrypto.org/static/dhparams/group15.pem
+#  4096
+Source22: https://bettercrypto.org/static/dhparams/group16.pem
+#  6144
+Source23: https://bettercrypto.org/static/dhparams/group17.pem
+#  8192
+Source24: https://bettercrypto.org/static/dhparams/group18.pem
+#  DHE README
+Source25: README.DHE.md
+###### YJL patches
+Patch90:  libressl-3.7.2-cnf-name.patch
+Patch91:  libressl-3.7.2-manpage.patch
+
+
+#BuildRequires:	%%{__chrpath}
+BuildRequires:  %{__sed}
+Requires: %{name}-libs = %{version}-%{release}
+
+%description
+LibreSSL is a fork of OpenSSL 1.0.1g developed by the OpenBSD project.
+Our goal is to modernize the codebase, improve security, and apply best
+practice development processes from OpenBSD.
+
+%package libs
+Summary:  Shared Libraries for LibreSSL
+Group:    System Environment/Libraries
+Requires: make-ca
+#Requires:	ca-certificates
+
+%description libs
+This package provides the shared libraries for LibreSSL.
+
+LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include
+all new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs
+not yet present in OpenSSL. The current common API subset is OpenSSL
+1.0.1.
+
+LibreSSL it is not ABI compatible with any release of OpenSSL, or
+necessarily earlier releases of LibreSSL. You will need to relink your
+programs to LibreSSL in order to use it, just as in moving between major
+versions of OpenSSL.
+
+LibreSSL's installed library version numbers are incremented to account
+for ABI and API changes.
+
+%package devel
+Summary:  Developer files for LibreSSL
+Group:    Development/Libraries
+Requires: %{name}-libs = %{version}-%{release}
+Conflicts:  openssl-devel
+
+%description devel
+This package provides the development header files for LibreSSL.
+
+%package dhe-cron
+Summary:  Cron scripts to generate DHE groups
+Group:    System Administration/Miscellaneous
+Requires: %{name} = %{version}-%{release}
+Requires: fcron
+
+%description dhe-cron
+For servers that support TLS with the DHE key exchange, it is generally
+a good idea to generate fresh DHE groups periodically. This package
+installs cron job scripts that do so.
+
+For non-servers, all these scripts do is waste CPU cycles. Desktop
+users should not install this package.
+
+%prep
+%setup -q
+%patch 90 -p1
+%patch 91 -p1
+# These aren't renamed in the patches to reduce patch size.
+mv openssl.cnf libressl.cnf
+mv man/openssl.cnf.5 man/libressl.cnf.5
+mv apps/openssl/openssl.1 apps/openssl/libressl.1
+
+cp %{SOURCE25} .
+
+
+%build
+%configure \
+  --with-openssldir=%{_ssldir} \
+  --libdir=/%{_lib} 
+
+# fails biotest w/ this option
+#  --enable-extratests
+
+##%% from RHEL/CentOS OpenSSL spec file ##%%
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+# Also add -DPURIFY to make using valgrind with openssl easier as we do not
+# want to depend on the uninitialized memory as a source of entropy anyway.
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
+  
+make %{?_smp_mflags}
+
+%check
+%if 0%{?runtests:1} == 1
+make check > %{name}-make.check.log 2>&1
+%else
+echo "make test not run during package build." > %{name}-make.check.log
+%endif
+
+
+%install
+make install DESTDIR=%{buildroot}
+rm -f %{buildroot}%{_ssldir}/cert.pem
+install -d %{buildroot}%{_ssldir}/csr
+#install -d %%{buildroot}%%{_sysconfdir}/ssl
+#ln -s ../pki/tls/libressl.cnf %%{buildroot}%%{_sysconfdir}/ssl/libressl.cnf
+install -d %{buildroot}%{_pkitls}
+
+#rename openssl binary
+mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/libressl
+
+#customize the conf
+cat %{SOURCE1} >> %{buildroot}%{_ssldir}/libressl.cnf
+
+# adjust developer .so links
+install -m755 -d %{buildroot}%{_libdir}
+rm -f %{buildroot}/%{_lib}/libcrypto.{so,la}
+ln -s ../../%{_lib}/libcrypto.so.%{slibcryptov} \
+  %{buildroot}%{_libdir}/libcrypto.so
+mv %{buildroot}/%{_lib}/libcrypto.a %{buildroot}%{_libdir}/
+rm -f %{buildroot}/%{_lib}/libssl.{so,la}
+ln -s ../../%{_lib}/libssl.so.%{slibsslv} \
+  %{buildroot}%{_libdir}/libssl.so
+mv %{buildroot}/%{_lib}/libssl.a %{buildroot}%{_libdir}/
+rm -f %{buildroot}/%{_lib}/libtls.{so,la}
+ln -s ../../%{_lib}/libtls.so.%{slibtlsv} \
+  %{buildroot}%{_libdir}/libtls.so
+mv %{buildroot}/%{_lib}/libtls.a %{buildroot}%{_libdir}/
+
+# adjust developer pkgconfig files
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+             %{buildroot}/%{_lib}/pkgconfig/libcrypto.pc
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+             %{buildroot}/%{_lib}/pkgconfig/libssl.pc
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+             %{buildroot}/%{_lib}/pkgconfig/libtls.pc
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+             %{buildroot}/%{_lib}/pkgconfig/openssl.pc
+mv %{buildroot}/%{_lib}/pkgconfig %{buildroot}%{_libdir}/
+
+
+
+#MODP IKE
+install -p -m644 %{SOURCE20} %{buildroot}%{_pkitls}/MODP-IKE-2048-group14.pem
+install -p -m644 %{SOURCE21} %{buildroot}%{_pkitls}/MODP-IKE-3072-group15.pem
+install -p -m644 %{SOURCE22} %{buildroot}%{_pkitls}/MODP-IKE-4096-group16.pem
+install -p -m644 %{SOURCE23} %{buildroot}%{_pkitls}/MODP-IKE-6144-group17.pem
+install -p -m644 %{SOURCE24} %{buildroot}%{_pkitls}/MODP-IKE-8192-group18.pem
+
+# initial parameters
+install -p -m644 %{SOURCE20} %{buildroot}%{_pkitls}/dh2048.pem
+install -p -m644 %{SOURCE21} %{buildroot}%{_pkitls}/dh3072.pem
+install -p -m644 %{SOURCE22} %{buildroot}%{_pkitls}/dh4096.pem
+install -p -m644 %{SOURCE25} %{buildroot}%{_pkitls}/README.DHE.md
+
+#DH parameter generation cronjobs
+mkdir -p %{buildroot}%{_sysconfdir}/cron.daily
+mkdir -p %{buildroot}%{_sysconfdir}/cron.monthly
+cat <<EOF > %{buildroot}%{_sysconfdir}/cron.daily/generate_dh_params.sh
+#!/bin/bash
+TMPFILE="\`%{_bindir}/mktemp -p /tmp dhparams.XXXXXXXXXX\`"
+
+trap "rm -f \${TMPFILE}" EXIT TERM
+
+%{_bindir}/nice -n19 %{_bindir}/libressl dhparam -out \${TMPFILE} 2048 > /dev/null 2>&1
+if [ \$? -eq 0 ]; then
+  install -m644 \${TMPFILE} %{_pkitls}/dh2048.pem
+fi
+EOF
+cat <<EOF > %{buildroot}%{_sysconfdir}/cron.monthly/generate_dh_params.sh
+#!/bin/bash
+TMPFILE="\`%{_bindir}/mktemp -p /tmp dhparams.XXXXXXXXXX\`"
+
+trap "rm -f \${TMPFILE}" EXIT TERM
+
+%{_bindir}/nice -n19 %{_bindir}/libressl dhparam -out \${TMPFILE} 3072 > /dev/null 2>&1
+if [ \$? -eq 0 ]; then
+  install -m644 \${TMPFILE} %{_pkitls}/dh3072.pem
+fi
+%{_bindir}/nice -n19 %{_bindir}/libressl dhparam -out \${TMPFILE} 4096 > /dev/null 2>&1
+if [ \$? -eq 0 ]; then
+  install -m644 \${TMPFILE} %{_pkitls}/dh4096.pem
+fi
+EOF
+
+#fix rpath
+#%%{_bindir}/chrpath -d %%{buildroot}%{_bindir}/libressl
+#%%{_bindir}/chrpath -d %%{buildroot}%{_bindir}/ocspcheck
+#%%{_bindir}/chrpath -d %%{buildroot}/%%{_lib}/libcrypto.so.%%{slibcryptov}
+#%%{_bindir}/chrpath -d %%{buildroot}/%%{_lib}/libssl.so.%%{slibsslv}
+#%%{_bindir}/chrpath -d %%{buildroot}/%%{_lib}/libtls.so.%%{slibtlsv}
+
+
+%post libs -p /sbin/ldconfig
+%postun libs -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%attr(0755,root,root) %{_bindir}/libressl
+%attr(0755,root,root) %{_bindir}/ocspcheck
+%attr(0644,root,root) %{_mandir}/man1/libressl.1*
+%attr(0644,root,root) %{_mandir}/man5/libressl.cnf.5*
+%attr(0644,root,root) %{_mandir}/man5/x509v3.cnf.5*
+%attr(0644,root,root) %{_mandir}/man8/ocspcheck.8*
+%license COPYING
+%doc ChangeLog COPYING README.md VERSION %{name}-make.check.log
+
+%files libs
+%defattr(-,root,root,-)
+%dir %{_ssldir}/csr
+%dir %{_sysconfdir}/ssl
+/%{_lib}/libcrypto.so.50
+%attr(0755,root,root) /%{_lib}/libcrypto.so.%{slibcryptov}
+/%{_lib}/libssl.so.53
+%attr(0755,root,root) /%{_lib}/libssl.so.%{slibsslv}
+/%{_lib}/libtls.so.26
+%attr(0755,root,root) /%{_lib}/libtls.so.%{slibtlsv}
+# configuration files
+%attr(0644,root,root) %config(noreplace) %{_ssldir}/libressl.cnf
+%attr(0644,root,root) %config(noreplace) %{_ssldir}/x509v3.cnf
+%attr(0644,root,root) %config(noreplace) %{_pkitls}/dh2048.pem
+%attr(0644,root,root) %config(noreplace) %{_pkitls}/dh3072.pem
+%attr(0644,root,root) %config(noreplace) %{_pkitls}/dh4096.pem
+# MODP IKE
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-2048-group14.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-3072-group15.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-4096-group16.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-6144-group17.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-8192-group18.pem
+%license COPYING
+%doc ChangeLog COPYING README.md VERSION %{name}-make.check.log
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/openssl
+%{_includedir}/tls.h
+%exclude %{_libdir}/libcrypto.a
+%{_libdir}/libcrypto.so
+%exclude %{_libdir}/libssl.a
+%{_libdir}/libssl.so
+%exclude %{_libdir}/libtls.a
+%{_libdir}/libtls.so
+%{_mandir}/man3/*.3*
+%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
+
+%files dhe-cron
+%defattr(-,root,root,-)
+%attr(0755,root,root) %{_sysconfdir}/cron.daily/generate_dh_params.sh
+%attr(0755,root,root) %{_sysconfdir}/cron.monthly/generate_dh_params.sh
+%attr(0644,root,root) %{_pkitls}/README.DHE.md
+%doc README.DHE.md
+
+%changelog
+* Sun May 07 2023 Michael A. Peters <anymouseprophet@gmail.com> - 3.7.2-0.rc1
+- Update to 3.7.2
+
+* Thu Apr 27 2023 Michael A. Peters <anymouseprophet@gmail.com> - 3.6.2-0.rc3
+- Fix openssldir
+
+* Sat Mar 18 2023 Michael A. Peters <anymouseprophet@gmail.com> - 3.6.2-0.rc1
+- Initial spec file for YJL (RPM bootstrapping LFS/BLFS 11.3)
+- Based on the LibreSSL packages I created for CentOS 7 (AWEL)