openssl_3_4: init at 3.4.1; openssl_3_3: remove

Updates OpenSSL 3.x latest to 3.4.1 Security Fixes in 3.4.1: * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. ([CVE-2024-12797]) * Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)) Release notes: https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34 Some significant changes: * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics * SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before. * An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0. * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t Some new features: * Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions * New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps * Support for attribute certificates * Support for pkeyutl in combination with key encapsulation (e.q. PQC-KEMs): -encap/-decap Signed-off-by: Markus Theil <theil.markus@gmail.com>
2025-06-14 21:49:34 +03:00 · 2025-01-10 18:27:20 +01:00 · 2025-01-10 18:27:20 +01:00 · c05c515eff
commit c05c515eff
parent 7703504a25
4 changed files with 7 additions and 7 deletions
--- a/pkgs/development/libraries/openssl/3.4/use-etc-ssl-certs-darwin.patch
+++ b/pkgs/development/libraries/openssl/3.4/use-etc-ssl-certs-darwin.patch
--- a/pkgs/development/libraries/openssl/3.4/use-etc-ssl-certs.patch
+++ b/pkgs/development/libraries/openssl/3.4/use-etc-ssl-certs.patch
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@ -366,9 +366,9 @@ in
    };
  };

-  openssl_3_3 = common {
-    version = "3.3.2";
-    hash = "sha256-LopAsBl5r+i+C7+z3l3BxnCf7bRtbInBDaEUq1/D0oE=";
+  openssl_3_4 = common {
+    version = "3.4.1";
+    hash = "sha256-1LIlJ6ZFrPdrU+REh6jbaHxu7WIdckaJHQJeOLqMllE=";

    patches = [
      ./3.0/nix-ssl-cert-file.patch
@ -379,9 +379,9 @@ in

      (
        if stdenv.hostPlatform.isDarwin then
-          ./3.3/use-etc-ssl-certs-darwin.patch
+          ./3.4/use-etc-ssl-certs-darwin.patch
        else
-          ./3.3/use-etc-ssl-certs.patch
+          ./3.4/use-etc-ssl-certs.patch
      )
    ];

--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -10196,7 +10196,7 @@ with pkgs;
    inherit (darwin.apple_sdk_11_0.frameworks) Security;
  };

-  openssl = openssl_3_3;
+  openssl = openssl_3_4;

  openssl_legacy = openssl.override {
    conf = ../development/libraries/openssl/3.0/legacy.cnf;
@ -10205,7 +10205,7 @@ with pkgs;
  inherit (callPackages ../development/libraries/openssl { })
    openssl_1_1
    openssl_3
-    openssl_3_3;
+    openssl_3_4;

  openwebrx = callPackage ../applications/radio/openwebrx {
    inherit (python3Packages)