diff --git a/SOURCES/0007-Enable-TLSv1.3-by-default.patch b/SOURCES/0007-Enable-TLSv1.3-by-default.patch new file mode 100644 index 0000000..c8bac0b --- /dev/null +++ b/SOURCES/0007-Enable-TLSv1.3-by-default.patch 
@@ -0,0 +1,173 @@ +From cc7b92c61a2833ff9dc2b4dfba4591966769da78 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Tue, 21 Jun 2022 13:55:04 +0200 +Subject: [PATCH] Enable TLSv1.3 by default in nginx + +--- + src/event/ngx_event_openssl.c | 77 ++++++++++++++------------ + src/event/ngx_event_openssl.h | 1 + + src/http/modules/ngx_http_ssl_module.c | 3 +- + src/mail/ngx_mail_ssl_module.c | 3 +- + src/stream/ngx_stream_ssl_module.c | 3 +- + 5 files changed, 46 insertions(+), 41 deletions(-) + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index f813458..2e6a6c0 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log) + ngx_int_t + ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + { ++ ngx_uint_t prot = NGX_SSL_NO_PROT; ++ + ssl->ctx = SSL_CTX_new(SSLv23_method()); + + if (ssl->ctx == NULL) { +@@ -322,49 +324,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + + SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); + +-#if OPENSSL_VERSION_NUMBER >= 0x009080dfL +- /* only in 0.9.8m+ */ +- SSL_CTX_clear_options(ssl->ctx, +- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); +-#endif +- +- if (!(protocols & NGX_SSL_SSLv2)) { +- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); +- } +- if (!(protocols & NGX_SSL_SSLv3)) { +- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); +- } +- if (!(protocols & NGX_SSL_TLSv1)) { +- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); +- } +-#ifdef SSL_OP_NO_TLSv1_1 +- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); +- if (!(protocols & NGX_SSL_TLSv1_1)) { +- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); +- } ++ if (protocols){ ++#ifdef SSL_OP_NO_TLSv1_3 ++ if (protocols & NGX_SSL_TLSv1_3) { ++ prot = TLS1_3_VERSION; ++ } else + #endif + #ifdef SSL_OP_NO_TLSv1_2 +- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); +- if (!(protocols & NGX_SSL_TLSv1_2)) { +- 
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); +- } ++ if (protocols & NGX_SSL_TLSv1_2) { ++ prot = TLS1_2_VERSION; ++ } else + #endif +-#ifdef SSL_OP_NO_TLSv1_3 +- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); +- if (!(protocols & NGX_SSL_TLSv1_3)) { +- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); +- } ++#ifdef SSL_OP_NO_TLSv1_1 ++ if (protocols & NGX_SSL_TLSv1_1) { ++ prot = TLS1_1_VERSION; ++ } else + #endif ++ if (protocols & NGX_SSL_TLSv1) { ++ prot = TLS1_VERSION; ++ } ++ ++ if (prot == NGX_SSL_NO_PROT) { ++ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, ++ "No SSL protocols available [hint: ssl_protocols]"); ++ return NGX_ERROR; ++ } + +-#ifdef SSL_CTX_set_min_proto_version +- SSL_CTX_set_min_proto_version(ssl->ctx, 0); +- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); ++ SSL_CTX_set_max_proto_version(ssl->ctx, prot); ++ ++ /* Now, we have to scan for minimal protocol version, ++ *without allowing holes between min and max*/ ++#ifdef SSL_OP_NO_TLSv1_3 ++ if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) { ++ prot = TLS1_2_VERSION; ++ } + #endif + +-#ifdef TLS1_3_VERSION +- SSL_CTX_set_min_proto_version(ssl->ctx, 0); +- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); ++#ifdef SSL_OP_NO_TLSv1_1 ++ if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) { ++ prot = TLS1_1_VERSION; ++ } ++#endif ++#ifdef SSL_OP_NO_TLSv1_2 ++ if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) { ++ prot = TLS1_VERSION; ++ } + #endif ++ SSL_CTX_set_min_proto_version(ssl->ctx, prot); ++ } + + #ifdef SSL_OP_NO_COMPRESSION + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index 329760d..5cee113 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -152,6 +152,7 @@ typedef struct { + #endif + + ++#define NGX_SSL_NO_PROT 0x0000 + #define NGX_SSL_SSLv2 0x0002 + #define NGX_SSL_SSLv3 0x0004 + #define NGX_SSL_TLSv1 
0x0008 +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index a47d696..94f30db 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -671,8 +671,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0); + + ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, +- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 +- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); ++ 0) + + ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size, + NGX_SSL_BUFSIZE); +diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c +index 7eae83e..8328560 100644 +--- a/src/mail/ngx_mail_ssl_module.c ++++ b/src/mail/ngx_mail_ssl_module.c +@@ -306,8 +306,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) + prev->prefer_server_ciphers, 0); + + ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, +- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 +- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); ++ 0); + + ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); + ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index d8c0471..cef590d 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -641,8 +641,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) + prev->prefer_server_ciphers, 0); + + ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, +- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 +- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); ++ 0); + + ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); + ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); +-- +2.31.1 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 581c0b6..634e61c 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec 
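Review bot: In the inner hunk for `src/event/ngx_event_openssl.c`, the minimum-version scan that follows `SSL_CTX_set_max_proto_version(ssl->ctx, prot)` only steps down while the next lower bit is set, so `ssl_protocols TLSv1.2 TLSv1.3` works as expected but `ssl_protocols TLSv1 TLSv1.3` ends with min = max = TLSv1.3 and TLSv1 is dropped without any log line; only the empty case reaches the `No SSL protocols available` EMERG. Refusing holes is defensible, but the operator should be told, so I would add a WARN after `SSL_CTX_set_min_proto_version(ssl->ctx, prot);` as sketched below. The step from TLS1_1 down to TLS1 is guarded by `#ifdef SSL_OP_NO_TLSv1_2` where the two steps above it follow the `SSL_OP_NO_TLSv1_<n>` pattern, and the removed `#ifdef SSL_CTX_set_min_proto_version` guard is not carried over, so the new block presumably assumes OpenSSL 1.1.0 or later unconditionally — acceptable for a RHEL-only patch, but worth a one-line comment. Style: `if (protocols){` and the `/* Now, we have to scan ... *without allowing holes between min and max*/` comment do not follow the `if (x) {` and comment layout of the surrounding nginx code, and the http merge hunk ends in `0)` while the mail and stream hunks end in `0);`. With the merge default now `0` and the whole block inside `if (protocols)`, an unset `ssl_protocols` no longer pins any version range and whatever the linked OpenSSL and its policy allow is used; `ngx_ssl_create` continues beyond the inner hunk.
```c
    SSL_CTX_set_min_proto_version(ssl->ctx, prot);

    /* a version bit below the contiguous [min, max] range chosen above is
     * unreachable; say so instead of dropping it silently */
    if ((prot > TLS1_VERSION && (protocols & NGX_SSL_TLSv1))
#ifdef SSL_OP_NO_TLSv1_1
        || (prot > TLS1_1_VERSION && (protocols & NGX_SSL_TLSv1_1))
#endif
#ifdef SSL_OP_NO_TLSv1_2
        || (prot > TLS1_2_VERSION && (protocols & NGX_SSL_TLSv1_2))
#endif
       )
    {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "ssl_protocols: versions below the selected minimum "
                      "are ignored [hint: configure a contiguous range]");
    }
    /* … unchanged: closing brace of the if (protocols) block,
     * SSL_OP_NO_COMPRESSION handling … */
```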
@@ -41,7 +41,7 @@ Name: nginx Epoch: 1 Version: 1.20.1 -Release: 10%{?dist}.alma +Release: 13%{?dist}.alma Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -88,6 +88,9 @@ Patch4: 0005-Init-openssl-engine-properly.patch # upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623 Patch5: 0006-Fix-ALPACA-security-issue.patch +# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781 +Patch6: 0007-Enable-TLSv1.3-by-default.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -114,16 +117,12 @@ Obsoletes: nginx-mod-http-geoip <= 1:1.16 Requires: system-logos-httpd %endif -Requires: openssl Requires: pcre -Requires(pre): nginx-filesystem -%if 0%{?with_mailcap_mimetypes} -Requires: nginx-mimetypes -%endif Provides: webserver %if 0%{?fedora} || 0%{?rhel} >= 8 Recommends: logrotate %endif +Requires: %{name}-core = %{epoch}:%{version}-%{release} BuildRequires: systemd Requires(post): systemd @@ -137,6 +136,18 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. +%package core +Summary: nginx minimal core +%if 0%{?with_mailcap_mimetypes} +Requires: nginx-mimetypes +%endif +Requires: openssl-libs +Requires(pre): nginx-filesystem +Conflicts: nginx < 1:1.20.1-13 + +%description core +nginx minimal core + %package all-modules Summary: A meta package that installs all available Nginx modules BuildArch: noarch @@ -500,14 +511,11 @@ if [ $1 -ge 1 ]; then fi %files -%license LICENSE -%doc CHANGES README README.dynamic %if 0%{?rhel} == 7 %doc UPGRADE-NOTES-1.6-to-1.10 %endif %{_datadir}/nginx/html/* %{_bindir}/nginx-upgrade -%{_sbindir}/nginx %{_datadir}/vim/vimfiles/ftdetect/nginx.vim %{_datadir}/vim/vimfiles/ftplugin/nginx.vim %{_datadir}/vim/vimfiles/syntax/nginx.vim 
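Review bot: The comment added above `Patch6:` names only the bug, whereas the neighbouring comment for Patch5 also says what the patch does; since this patch changes the effective default of `ssl_protocols` (the merge default becomes `0` and `ngx_ssl_create` skips version pinning entirely when no protocols are configured), packagers reading the spec should see that. Suggest `# downstream patch for RHEL - defer the ssl_protocols default to OpenSSL/system crypto policy so TLSv1.3 is enabled - https://bugzilla.redhat.com/show_bug.cgi?id=2028781`. The %prep section that would apply the patch is outside this hunk.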
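Review bot: `%description core` reads only `nginx minimal core`, which tells neither users nor the ubi-micro consumers what the split contains or why it exists. The `%files core` hunk shows it carries the `nginx` binary, the licence and documentation and, by section placement, the configuration files that follow, so a description such as `The nginx binary, licence, documentation and configuration files, without the systemd unit, man pages, vim files and HTML pages shipped by the main package.` would be accurate. The `Conflicts: nginx < 1:1.20.1-13` line is the right tool for the file move, but a short comment saying it exists because `%{_sbindir}/nginx` moved here at that release would save the next maintainer from removing it.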
@@ -516,6 +524,11 @@ fi %{_mandir}/man8/nginx.8* %{_mandir}/man8/nginx-upgrade.8* %{_unitdir}/nginx.service + +%files core +%license LICENSE +%doc CHANGES README README.dynamic +%{_sbindir}/nginx %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params @@ -587,9 +600,14 @@ fi %changelog -* Wed May 18 2022 Eduard Abdullin - 1:1.20.1-10.alma +* Tue Nov 15 2022 Eduard Abdullin - 1:1.20.1-13.alma - Debrand for AlmaLinux +* Wed Jun 22 2022 Luboš Uhliarik - 1:1.20.1-13 +- Resolves: #2099752 - nginx minimisation for ubi-micro +* Tue Jun 21 2022 Luboš Uhliarik - 1:1.20.1-11 +- Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9 + * Wed Feb 02 2022 Luboš Uhliarik - 1:1.20.1-10 - Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication
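Review bot: `%files core` is inserted between `%{_unitdir}/nginx.service` and the `%config(noreplace)` lines, so every entry that follows it up to the next section — the fastcgi files shown here and whatever the original `%files` list continues with past this hunk — moves from the main package to `nginx-core`, not only the three entries the hunk adds. If that transfer is intended for the ubi-micro minimisation it deserves a comment, e.g. `# everything from here to the next section ships in nginx-core`; if not, the `%files core` block belongs after the last entry of the main `%files` list. Either way the main package's `Requires: %{name}-core = %{epoch}:%{version}-%{release}` keeps installs coherent, while clean upgrades of files that changed subpackage rest on the `Conflicts: nginx < 1:1.20.1-13` declared in the core subpackage.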