Merge branch 'c9' into a9

2022-11-15 11:52:38 +00:00 · 2022-11-15 11:52:38 +00:00 · d8f729b364
commit d8f729b364
parent 866617d210 ebe7215bc0
2 changed files with 201 additions and 10 deletions
--- a/SOURCES/0007-Enable-TLSv1.3-by-default.patch
+++ b/SOURCES/0007-Enable-TLSv1.3-by-default.patch
@ -0,0 +1,173 @@
 From cc7b92c61a2833ff9dc2b4dfba4591966769da78 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Tue, 21 Jun 2022 13:55:04 +0200
 Subject: [PATCH] Enable TLSv1.3 by default in nginx
 ---
 src/event/ngx_event_openssl.c          | 77 ++++++++++++++------------
 src/event/ngx_event_openssl.h          |  1 +
 src/http/modules/ngx_http_ssl_module.c |  3 +-
 src/mail/ngx_mail_ssl_module.c         |  3 +-
 src/stream/ngx_stream_ssl_module.c     |  3 +-
 5 files changed, 46 insertions(+), 41 deletions(-)
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
 index f813458..2e6a6c0 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
@@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log)
 ngx_int_t
 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
 {
 +    ngx_uint_t prot = NGX_SSL_NO_PROT;
 +
     ssl->ctx = SSL_CTX_new(SSLv23_method());
     if (ssl->ctx == NULL) {
@@ -322,49 +324,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
 -#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
 -    /* only in 0.9.8m+ */
 -    SSL_CTX_clear_options(ssl->ctx,
 -                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
 -#endif
 -
 -    if (!(protocols & NGX_SSL_SSLv2)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
 -    }
 -    if (!(protocols & NGX_SSL_SSLv3)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
 -    }
 -    if (!(protocols & NGX_SSL_TLSv1)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
 -    }
 -#ifdef SSL_OP_NO_TLSv1_1
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
 -    if (!(protocols & NGX_SSL_TLSv1_1)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
 -    }
 +    if (protocols){
 +#ifdef SSL_OP_NO_TLSv1_3
 +        if (protocols & NGX_SSL_TLSv1_3) {
 +            prot = TLS1_3_VERSION;
 +        } else
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 -    if (!(protocols & NGX_SSL_TLSv1_2)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 -    }
 +        if (protocols & NGX_SSL_TLSv1_2) {
 +            prot =  TLS1_2_VERSION;
 +        } else
 #endif
 -#ifdef SSL_OP_NO_TLSv1_3
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 -    if (!(protocols & NGX_SSL_TLSv1_3)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 -    }
 +#ifdef SSL_OP_NO_TLSv1_1
 +        if (protocols & NGX_SSL_TLSv1_1) {
 +            prot = TLS1_1_VERSION;
 +        } else
 #endif
 +        if (protocols & NGX_SSL_TLSv1) {
 +            prot = TLS1_VERSION;
 +        }
 +
 +        if (prot == NGX_SSL_NO_PROT) {
 +                    ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 +                      "No SSL protocols available [hint: ssl_protocols]");
 +            return NGX_ERROR;
 +        }
 -#ifdef SSL_CTX_set_min_proto_version
 -    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 -    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
 +        SSL_CTX_set_max_proto_version(ssl->ctx, prot);
 +
 +        /* Now, we have to scan for minimal protocol version,
 +         *without allowing holes between min and max*/
 +#ifdef SSL_OP_NO_TLSv1_3
 +        if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
 +            prot = TLS1_2_VERSION;
 +        }
 #endif
 -#ifdef TLS1_3_VERSION
 -    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 -    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
 +#ifdef SSL_OP_NO_TLSv1_1
 +        if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
 +            prot = TLS1_1_VERSION;
 +        }
 +#endif
 +#ifdef SSL_OP_NO_TLSv1_2
 +        if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
 +            prot = TLS1_VERSION;
 +        }
 #endif
 +        SSL_CTX_set_min_proto_version(ssl->ctx, prot);
 +    }
 #ifdef SSL_OP_NO_COMPRESSION
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
 index 329760d..5cee113 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
@@ -152,6 +152,7 @@ typedef struct {
 #endif
 +#define NGX_SSL_NO_PROT  0x0000
 #define NGX_SSL_SSLv2    0x0002
 #define NGX_SSL_SSLv3    0x0004
 #define NGX_SSL_TLSv1    0x0008
 diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
 index a47d696..94f30db 100644
 --- a/src/http/modules/ngx_http_ssl_module.c
 +++ b/src/http/modules/ngx_http_ssl_module.c
@@ -671,8 +671,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 -                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
 -                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 +                         0)
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
                          NGX_SSL_BUFSIZE);
 diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
 index 7eae83e..8328560 100644
 --- a/src/mail/ngx_mail_ssl_module.c
 +++ b/src/mail/ngx_mail_ssl_module.c
@@ -306,8 +306,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                          prev->prefer_server_ciphers, 0);
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 -                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
 -                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 +                         0);
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
 index d8c0471..cef590d 100644
 --- a/src/stream/ngx_stream_ssl_module.c
 +++ b/src/stream/ngx_stream_ssl_module.c
@@ -641,8 +641,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                          prev->prefer_server_ciphers, 0);
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 -                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
 -                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 +                         0);
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 -- 
 2.31.1
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.1
-Release:           10%{?dist}.alma
+Release:           13%{?dist}.alma
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -88,6 +88,9 @@ Patch4:            0005-Init-openssl-engine-properly.patch
 # upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623
 Patch5:            0006-Fix-ALPACA-security-issue.patch
 # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781
 Patch6:            0007-Enable-TLSv1.3-by-default.patch
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -114,16 +117,12 @@ Obsoletes:         nginx-mod-http-geoip <= 1:1.16
 Requires:          system-logos-httpd
 %endif
 Requires:          openssl
 Requires:          pcre
 Requires(pre):     nginx-filesystem
 %if 0%{?with_mailcap_mimetypes}
 Requires:          nginx-mimetypes
 %endif
 Provides:          webserver
 %if 0%{?fedora} || 0%{?rhel} >= 8
 Recommends:        logrotate
 %endif
 Requires:          %{name}-core = %{epoch}:%{version}-%{release}
 BuildRequires:     systemd
 Requires(post):    systemd
@ -137,6 +136,18 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
 IMAP protocols, with a strong focus on high concurrency, performance and low
 memory usage.
 %package core
 Summary: nginx minimal core
 %if 0%{?with_mailcap_mimetypes}
 Requires:          nginx-mimetypes
 %endif
 Requires:          openssl-libs
 Requires(pre):     nginx-filesystem
 Conflicts:         nginx < 1:1.20.1-13
 %description core
 nginx minimal core
 %package all-modules
 Summary:           A meta package that installs all available Nginx modules
 BuildArch:         noarch
@ -500,14 +511,11 @@ if [ $1 -ge 1 ]; then
 fi
 %files
 %license LICENSE
 %doc CHANGES README README.dynamic
 %if 0%{?rhel} == 7
 %doc UPGRADE-NOTES-1.6-to-1.10
 %endif
 %{_datadir}/nginx/html/*
 %{_bindir}/nginx-upgrade
 %{_sbindir}/nginx
 %{_datadir}/vim/vimfiles/ftdetect/nginx.vim
 %{_datadir}/vim/vimfiles/ftplugin/nginx.vim
 %{_datadir}/vim/vimfiles/syntax/nginx.vim
@ -516,6 +524,11 @@ fi
 %{_mandir}/man8/nginx.8*
 %{_mandir}/man8/nginx-upgrade.8*
 %{_unitdir}/nginx.service
 %files core
 %license LICENSE
 %doc CHANGES README README.dynamic
 %{_sbindir}/nginx
 %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf
 %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default
 %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params
@ -587,9 +600,14 @@ fi
 %changelog
-* Wed May 18 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-10.alma
+* Tue Nov 15 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-13.alma
 - Debrand for AlmaLinux
 * Wed Jun 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-13
 - Resolves: #2099752 - nginx minimisation for ubi-micro
 * Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11
 - Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9
 * Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
 - Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
  Confusion - Analyzing and Mitigating Cracks in TLS Authentication