Merge branch 'c9' into a9

This commit is contained in:
eabdullin 2022-11-15 11:52:38 +00:00 committed by Stepan Oksanichenko
commit d8f729b364
2 changed files with 201 additions and 10 deletions

View File

@ -0,0 +1,173 @@
From cc7b92c61a2833ff9dc2b4dfba4591966769da78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Tue, 21 Jun 2022 13:55:04 +0200
Subject: [PATCH] Enable TLSv1.3 by default in nginx
---
src/event/ngx_event_openssl.c | 77 ++++++++++++++------------
src/event/ngx_event_openssl.h | 1 +
src/http/modules/ngx_http_ssl_module.c | 3 +-
src/mail/ngx_mail_ssl_module.c | 3 +-
src/stream/ngx_stream_ssl_module.c | 3 +-
5 files changed, 46 insertions(+), 41 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index f813458..2e6a6c0 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log)
ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
+ ngx_uint_t prot = NGX_SSL_NO_PROT;
+
ssl->ctx = SSL_CTX_new(SSLv23_method());
if (ssl->ctx == NULL) {
@@ -322,49 +324,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
-#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
- /* only in 0.9.8m+ */
- SSL_CTX_clear_options(ssl->ctx,
- SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
-#endif
-
- if (!(protocols & NGX_SSL_SSLv2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
- }
- if (!(protocols & NGX_SSL_SSLv3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
- }
- if (!(protocols & NGX_SSL_TLSv1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
- }
-#ifdef SSL_OP_NO_TLSv1_1
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- if (!(protocols & NGX_SSL_TLSv1_1)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
- }
+ if (protocols){
+#ifdef SSL_OP_NO_TLSv1_3
+ if (protocols & NGX_SSL_TLSv1_3) {
+ prot = TLS1_3_VERSION;
+ } else
#endif
#ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- if (!(protocols & NGX_SSL_TLSv1_2)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
- }
+ if (protocols & NGX_SSL_TLSv1_2) {
+ prot = TLS1_2_VERSION;
+ } else
#endif
-#ifdef SSL_OP_NO_TLSv1_3
- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
- if (!(protocols & NGX_SSL_TLSv1_3)) {
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
- }
+#ifdef SSL_OP_NO_TLSv1_1
+ if (protocols & NGX_SSL_TLSv1_1) {
+ prot = TLS1_1_VERSION;
+ } else
#endif
+ if (protocols & NGX_SSL_TLSv1) {
+ prot = TLS1_VERSION;
+ }
+
+ if (prot == NGX_SSL_NO_PROT) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "No SSL protocols available [hint: ssl_protocols]");
+ return NGX_ERROR;
+ }
-#ifdef SSL_CTX_set_min_proto_version
- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+ SSL_CTX_set_max_proto_version(ssl->ctx, prot);
+
+ /* Now, we have to scan for minimal protocol version,
+ *without allowing holes between min and max*/
+#ifdef SSL_OP_NO_TLSv1_3
+ if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
+ prot = TLS1_2_VERSION;
+ }
#endif
-#ifdef TLS1_3_VERSION
- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
+#ifdef SSL_OP_NO_TLSv1_1
+ if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
+ prot = TLS1_1_VERSION;
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
+ prot = TLS1_VERSION;
+ }
#endif
+ SSL_CTX_set_min_proto_version(ssl->ctx, prot);
+ }
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 329760d..5cee113 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -152,6 +152,7 @@ typedef struct {
#endif
+#define NGX_SSL_NO_PROT 0x0000
#define NGX_SSL_SSLv2 0x0002
#define NGX_SSL_SSLv3 0x0004
#define NGX_SSL_TLSv1 0x0008
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index a47d696..94f30db 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -671,8 +671,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ 0)
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
NGX_SSL_BUFSIZE);
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 7eae83e..8328560 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -306,8 +306,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ 0);
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index d8c0471..cef590d 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -641,8 +641,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
+ 0);
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
--
2.31.1

View File

@ -41,7 +41,7 @@
Name: nginx Name: nginx
Epoch: 1 Epoch: 1
Version: 1.20.1 Version: 1.20.1
Release: 10%{?dist}.alma Release: 13%{?dist}.alma
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
# BSD License (two clause) # BSD License (two clause)
@ -88,6 +88,9 @@ Patch4: 0005-Init-openssl-engine-properly.patch
# upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623 # upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623
Patch5: 0006-Fix-ALPACA-security-issue.patch Patch5: 0006-Fix-ALPACA-security-issue.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781
Patch6: 0007-Enable-TLSv1.3-by-default.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gnupg2 BuildRequires: gnupg2
@ -114,16 +117,12 @@ Obsoletes: nginx-mod-http-geoip <= 1:1.16
Requires: system-logos-httpd Requires: system-logos-httpd
%endif %endif
Requires: openssl
Requires: pcre Requires: pcre
Requires(pre): nginx-filesystem
%if 0%{?with_mailcap_mimetypes}
Requires: nginx-mimetypes
%endif
Provides: webserver Provides: webserver
%if 0%{?fedora} || 0%{?rhel} >= 8 %if 0%{?fedora} || 0%{?rhel} >= 8
Recommends: logrotate Recommends: logrotate
%endif %endif
Requires: %{name}-core = %{epoch}:%{version}-%{release}
BuildRequires: systemd BuildRequires: systemd
Requires(post): systemd Requires(post): systemd
@ -137,6 +136,18 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage. memory usage.
%package core
Summary: nginx minimal core
%if 0%{?with_mailcap_mimetypes}
Requires: nginx-mimetypes
%endif
Requires: openssl-libs
Requires(pre): nginx-filesystem
Conflicts: nginx < 1:1.20.1-13
%description core
nginx minimal core
%package all-modules %package all-modules
Summary: A meta package that installs all available Nginx modules Summary: A meta package that installs all available Nginx modules
BuildArch: noarch BuildArch: noarch
@ -500,14 +511,11 @@ if [ $1 -ge 1 ]; then
fi fi
%files %files
%license LICENSE
%doc CHANGES README README.dynamic
%if 0%{?rhel} == 7 %if 0%{?rhel} == 7
%doc UPGRADE-NOTES-1.6-to-1.10 %doc UPGRADE-NOTES-1.6-to-1.10
%endif %endif
%{_datadir}/nginx/html/* %{_datadir}/nginx/html/*
%{_bindir}/nginx-upgrade %{_bindir}/nginx-upgrade
%{_sbindir}/nginx
%{_datadir}/vim/vimfiles/ftdetect/nginx.vim %{_datadir}/vim/vimfiles/ftdetect/nginx.vim
%{_datadir}/vim/vimfiles/ftplugin/nginx.vim %{_datadir}/vim/vimfiles/ftplugin/nginx.vim
%{_datadir}/vim/vimfiles/syntax/nginx.vim %{_datadir}/vim/vimfiles/syntax/nginx.vim
@ -516,6 +524,11 @@ fi
%{_mandir}/man8/nginx.8* %{_mandir}/man8/nginx.8*
%{_mandir}/man8/nginx-upgrade.8* %{_mandir}/man8/nginx-upgrade.8*
%{_unitdir}/nginx.service %{_unitdir}/nginx.service
%files core
%license LICENSE
%doc CHANGES README README.dynamic
%{_sbindir}/nginx
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params
@ -587,9 +600,14 @@ fi
%changelog %changelog
* Wed May 18 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-10.alma * Tue Nov 15 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-13.alma
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Wed Jun 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-13
- Resolves: #2099752 - nginx minimisation for ubi-micro
* Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11
- Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9
* Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10 * Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol - Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
Confusion - Analyzing and Mitigating Cracks in TLS Authentication Confusion - Analyzing and Mitigating Cracks in TLS Authentication