From 7459c58dc7b25e5a6caff544bb9e727fb1a3a5ba Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Thu, 22 Jan 2026 21:25:43 +0000 Subject: [PATCH] openssl: fix libssh compatibility by preserving original SSL_CTX behavior Resolves: RHEL-134721 rhel-only --- ...-7.76.1-respect-system-crypto-policy.patch | 65 ++++++++++--------- curl.spec | 5 +- 2 files changed, 38 insertions(+), 32 deletions(-) diff --git a/0042-curl-7.76.1-respect-system-crypto-policy.patch b/0042-curl-7.76.1-respect-system-crypto-policy.patch index 5472eec..e2da7c2 100644 --- a/0042-curl-7.76.1-respect-system-crypto-policy.patch +++ b/0042-curl-7.76.1-respect-system-crypto-policy.patch @@ -23,37 +23,37 @@ policies are mandatory: - System administrators cannot enforce TLS version restrictions The fix: when user explicitly requests a specific maximum version, honor it. -Otherwise, query the current crypto-policy setting and explicitly apply it. +Otherwise, query the current crypto-policy setting. If the policy restricts +TLS to a version lower than 1.3, respect that restriction. If the policy +allows TLS 1.3 (the highest), use 0 to maintain the original behavior. This approach: -- Respects crypto-policy when user doesn't specify --tls-max -- Maintains initialization order compatibility with other libraries (fixes libssh issue) +- Respects crypto-policy when it actually restricts TLS versions +- Maintains original behavior (calling with 0) when no restriction applies +- Preserves compatibility with other libraries like libssh (bz2091512) - Ensures SSL_CTX_set_max_proto_version() is always called (RHEL-134721) -Note: Previous version (v1) skipped calling SSL_CTX_set_max_proto_version() -entirely when user didn't specify --tls-max. This caused libssh regression -test failures (bz2091512) because it changed OpenSSL initialization order, -affecting libssh's SSH connection state machine during authentication failures -with LogLevel VERBOSE/DEBUG. +Note: Previous versions had issues: +- v1: Skipped calling SSL_CTX_set_max_proto_version() entirely, breaking libssh +- v2: Always called with policy_max value, but on DEFAULT policy this returns + TLS1_3_VERSION instead of 0, which differs from original behavior and + still caused libssh regression + +This v3 fix preserves original behavior (call with 0) when crypto-policy +allows TLS 1.3, and only applies restrictions for FIPS/restrictive policies. This mirrors the intended behavior of the minimum version logic, where explicit user choice overrides defaults, but system configuration is respected otherwise. - -Tested on RHEL 9.6+, RHEL 10, and Fedora Rawhide. - -Bug: https://github.com/curl/curl/issues/XXXXX -Resolves: RHEL-128914 -Resolves: RHEL-134721 --- - lib/vtls/openssl.c | 45 ++++++++++++++++++++++++++++++++------------- - 1 file changed, 32 insertions(+), 13 deletions(-) + lib/vtls/openssl.c | 50 +++++++++++++++++++++++++++++++++++------------- + 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1234567890..abcdef1234 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c -@@ -2354,19 +2354,38 @@ set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn) +@@ -2354,19 +2354,43 @@ ossl_ssl_version_max = TLS1_3_VERSION; break; #endif @@ -67,7 +67,7 @@ index 1234567890..abcdef1234 100644 - ossl_ssl_version_max = 0; - break; } - + - if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) { - return CURLE_SSL_CONNECT_ERROR; + /* Set max version based on user choice or crypto-policy. @@ -76,10 +76,9 @@ index 1234567890..abcdef1234 100644 + When user accepts default, respect crypto-policy (system policy). + + IMPORTANT: We always call SSL_CTX_set_max_proto_version() to maintain -+ initialization order compatibility with other libraries like libssh. -+ Skipping this call changes OpenSSL initialization behavior and can -+ affect libraries that depend on specific initialization sequences. -+ See RHEL-134721 for details. */ ++ compatibility with other libraries like libssh. Skipping this call ++ or calling with different values can affect libraries that depend on ++ specific OpenSSL initialization sequences. See RHEL-134721. */ + if(curl_ssl_version_max != CURL_SSLVERSION_MAX_NONE && + curl_ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) { + /* User explicitly requested a specific max version - honor it */ @@ -88,20 +87,24 @@ index 1234567890..abcdef1234 100644 + } + } + else { -+ /* User didn't specify - use crypto-policy default. -+ Query current setting and explicitly apply it to maintain -+ initialization order. Setting to 0 means "highest available", -+ which is what crypto-policy configures via OpenSSL config. */ ++ /* User didn't specify - check crypto-policy. ++ Query the current max version setting from crypto-policy config. ++ If policy restricts to below TLS 1.3, respect that restriction. ++ Otherwise, use 0 (highest available) to maintain original behavior ++ which is required for libssh compatibility (bz2091512). */ + long policy_max = SSL_CTX_get_max_proto_version(ctx); -+ if(policy_max == 0) { -+ /* Crypto-policy hasn't restricted max version, use highest available */ ++#ifdef TLS1_3_VERSION ++ if(policy_max == 0 || policy_max >= TLS1_3_VERSION) { ++ /* No restriction or TLS 1.3 allowed - use original behavior */ + policy_max = 0; + } ++ /* else: policy restricts to TLS 1.2 or lower, respect it */ ++#else ++ policy_max = 0; ++#endif + if(!SSL_CTX_set_max_proto_version(ctx, policy_max)) { + return CURLE_SSL_CONNECT_ERROR; + } } - + return CURLE_OK; --- -2.45.2 diff --git a/curl.spec b/curl.spec index 3e40268..4e49085 100644 --- a/curl.spec +++ b/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.76.1 -Release: 39%{?dist} +Release: 40%{?dist} License: MIT Source: https://curl.se/download/%{name}-%{version}.tar.xz @@ -573,6 +573,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog +* Wed Jan 21 2026 Jacek Migacz - 7.76.1-40 +- openssl: fix libssh compatibility by preserving original SSL_CTX behavior (RHEL-134721) + * Thu Dec 18 2025 Jacek Migacz - 7.76.1-39 - openssl: fix libssh compatibility in crypto-policy patch (RHEL-134721)