Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9

0007-Enable-TLSv1.3-by-default.patch

@@ -0,0 +1,173 @@
+From cc7b92c61a2833ff9dc2b4dfba4591966769da78 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Tue, 21 Jun 2022 13:55:04 +0200
+Subject: [PATCH] Enable TLSv1.3 by default in nginx
+
+---
+ src/event/ngx_event_openssl.c          | 77 ++++++++++++++------------
+ src/event/ngx_event_openssl.h          |  1 +
+ src/http/modules/ngx_http_ssl_module.c |  3 +-
+ src/mail/ngx_mail_ssl_module.c         |  3 +-
+ src/stream/ngx_stream_ssl_module.c     |  3 +-
+ 5 files changed, 46 insertions(+), 41 deletions(-)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index f813458..2e6a6c0 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log)
+ ngx_int_t
+ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+ {
++    ngx_uint_t prot = NGX_SSL_NO_PROT;
++
+     ssl->ctx = SSL_CTX_new(SSLv23_method());
+ 
+     if (ssl->ctx == NULL) {
+@@ -322,49 +324,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+ 
+     SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
+-    /* only in 0.9.8m+ */
+-    SSL_CTX_clear_options(ssl->ctx,
+-                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+-#endif
+-
+-    if (!(protocols & NGX_SSL_SSLv2)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
+-    }
+-    if (!(protocols & NGX_SSL_SSLv3)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
+-    }
+-    if (!(protocols & NGX_SSL_TLSv1)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
+-    }
+-#ifdef SSL_OP_NO_TLSv1_1
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    if (!(protocols & NGX_SSL_TLSv1_1)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    }
++    if (protocols){
++#ifdef SSL_OP_NO_TLSv1_3
++        if (protocols & NGX_SSL_TLSv1_3) {
++            prot = TLS1_3_VERSION;
++        } else
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+-    if (!(protocols & NGX_SSL_TLSv1_2)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+-    }
++        if (protocols & NGX_SSL_TLSv1_2) {
++            prot =  TLS1_2_VERSION;
++        } else
+ #endif
+-#ifdef SSL_OP_NO_TLSv1_3
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+-    if (!(protocols & NGX_SSL_TLSv1_3)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+-    }
++#ifdef SSL_OP_NO_TLSv1_1
++        if (protocols & NGX_SSL_TLSv1_1) {
++            prot = TLS1_1_VERSION;
++        } else
+ #endif
++        if (protocols & NGX_SSL_TLSv1) {
++            prot = TLS1_VERSION;
++        }
++
++        if (prot == NGX_SSL_NO_PROT) {
++                    ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
++                      "No SSL protocols available [hint: ssl_protocols]");
++            return NGX_ERROR;
++        }
+ 
+-#ifdef SSL_CTX_set_min_proto_version
+-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
++        SSL_CTX_set_max_proto_version(ssl->ctx, prot);
++
++        /* Now, we have to scan for minimal protocol version,
++         *without allowing holes between min and max*/
++#if SSL_OP_NO_TLSv1_3
++        if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
++            prot = TLS1_2_VERSION;
++        }
+ #endif
+ 
+-#ifdef TLS1_3_VERSION
+-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
++#ifdef SSL_OP_NO_TLSv1_1
++        if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
++            prot = TLS1_1_VERSION;
++        }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++        if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
++            prot = TLS1_VERSION;
++        }
+ #endif
++        SSL_CTX_set_min_proto_version(ssl->ctx, prot);
++    }
+ 
+ #ifdef SSL_OP_NO_COMPRESSION
+     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
+diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+index 329760d..5cee113 100644
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -152,6 +152,7 @@ typedef struct {
+ #endif
+ 
+ 
++#define NGX_SSL_NO_PROT  0x0000
+ #define NGX_SSL_SSLv2    0x0002
+ #define NGX_SSL_SSLv3    0x0004
+ #define NGX_SSL_TLSv1    0x0008
+diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
+index a47d696..94f30db 100644
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -671,8 +671,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+     ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
+ 
+     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+-                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+-                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
++                         0)
+ 
+     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
+                          NGX_SSL_BUFSIZE);
+diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
+index 7eae83e..8328560 100644
+--- a/src/mail/ngx_mail_ssl_module.c
++++ b/src/mail/ngx_mail_ssl_module.c
+@@ -306,8 +306,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
+                          prev->prefer_server_ciphers, 0);
+ 
+     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+-                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+-                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
++                         0);
+ 
+     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index d8c0471..cef590d 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -641,8 +641,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
+                          prev->prefer_server_ciphers, 0);
+ 
+     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+-                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+-                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
++                         0);
+ 
+     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
+     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
+-- 
+2.31.1
+

nginx.spec

@@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.1
-Release:           10%{?dist}
+Release:           11%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -88,6 +88,9 @@ Patch4:            0005-Init-openssl-engine-properly.patch
 # upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623
 Patch5:            0006-Fix-ALPACA-security-issue.patch
 
+# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781
+Patch6:            0007-Enable-TLSv1.3-by-default.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -587,6 +590,9 @@ fi
 
 
 %changelog
+* Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11
+- Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9
+
 * Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
 - Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
   Confusion - Analyzing and Mitigating Cracks in TLS Authentication