openssl: fix libssh compatibility in crypto-policy patch

Resolves: RHEL-134721 rhel-only
2025-12-18 11:26:24 +01:00 · 2025-12-18 11:26:24 +01:00 · 75b4473c0b
commit 75b4473c0b
parent e06766c5c6
2 changed files with 45 additions and 14 deletions
--- a/0042-curl-7.76.1-respect-system-crypto-policy.patch
+++ b/0042-curl-7.76.1-respect-system-crypto-policy.patch
@ -22,9 +22,19 @@ policies are mandatory:
 - RHEL/Fedora cannot achieve government certifications
 - System administrators cannot enforce TLS version restrictions

-The fix: only call SSL_CTX_set_max_proto_version() when user explicitly
-requests a specific maximum version. Otherwise, let OpenSSL use its
-configured default from crypto-policy.
+The fix: when user explicitly requests a specific maximum version, honor it.
+Otherwise, query the current crypto-policy setting and explicitly apply it.
+
+This approach:
+- Respects crypto-policy when user doesn't specify --tls-max
+- Maintains initialization order compatibility with other libraries (fixes libssh issue)
+- Ensures SSL_CTX_set_max_proto_version() is always called (RHEL-134721)
+
+Note: Previous version (v1) skipped calling SSL_CTX_set_max_proto_version()
+entirely when user didn't specify --tls-max. This caused libssh regression
+test failures (bz2091512) because it changed OpenSSL initialization order,
+affecting libssh's SSH connection state machine during authentication failures
+with LogLevel VERBOSE/DEBUG.

 This mirrors the intended behavior of the minimum version logic, where
 explicit user choice overrides defaults, but system configuration is
@ -33,15 +43,17 @@ respected otherwise.
 Tested on RHEL 9.6+, RHEL 10, and Fedora Rawhide.

 Bug: https://github.com/curl/curl/issues/XXXXX
+Resolves: RHEL-128914
+Resolves: RHEL-134721
 ---
- lib/vtls/openssl.c | 26 +++++++++++++++-----------
- 1 file changed, 15 insertions(+), 11 deletions(-)
+ lib/vtls/openssl.c | 45 ++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 13 deletions(-)

 diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
 index 1234567890..abcdef1234 100644
 --- a/lib/vtls/openssl.c
 +++ b/lib/vtls/openssl.c
-@@ -2354,19 +2354,22 @@ set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn)
+@@ -2354,19 +2354,38 @@ set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn)
       ossl_ssl_version_max = TLS1_3_VERSION;
       break;
 #endif
@ -58,19 +70,35 @@ index 1234567890..abcdef1234 100644
 
 -  if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
 -    return CURLE_SSL_CONNECT_ERROR;
-+  /* Only set max version if user explicitly requested a specific version
-+     via --tls-max option. This honors user intent when specified.
+  /* Set max version based on user choice or crypto-policy.
 +
-+     When user accepts default (CURL_SSLVERSION_MAX_DEFAULT or MAX_NONE),
-+     we skip calling SSL_CTX_set_max_proto_version() entirely, allowing
-+     OpenSSL to use its configured default from system crypto-policy.
+     When user explicitly sets --tls-max, honor that choice (app control).
+     When user accepts default, respect crypto-policy (system policy).
 +
-+     This is a deliberate compromise: explicit user choice overrides system
-+     policy, but system policy is respected when user doesn't specify. */
+     IMPORTANT: We always call SSL_CTX_set_max_proto_version() to maintain
+     initialization order compatibility with other libraries like libssh.
+     Skipping this call changes OpenSSL initialization behavior and can
+     affect libraries that depend on specific initialization sequences.
+     See RHEL-134721 for details. */
 +  if(curl_ssl_version_max != CURL_SSLVERSION_MAX_NONE &&
 +     curl_ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) {
+    /* User explicitly requested a specific max version - honor it */
 +    if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
 +      return CURLE_SSL_CONNECT_ERROR;
+    }
+  }
+  else {
+    /* User didn't specify - use crypto-policy default.
+       Query current setting and explicitly apply it to maintain
+       initialization order. Setting to 0 means "highest available",
+       which is what crypto-policy configures via OpenSSL config. */
+    long policy_max = SSL_CTX_get_max_proto_version(ctx);
+    if(policy_max == 0) {
+      /* Crypto-policy hasn't restricted max version, use highest available */
+      policy_max = 0;
+    }
+    if(!SSL_CTX_set_max_proto_version(ctx, policy_max)) {
+      return CURLE_SSL_CONNECT_ERROR;
 +    }
   }
 
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.76.1
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: MIT
 Source: https://curl.se/download/%{name}-%{version}.tar.xz

@ -573,6 +573,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal

 %changelog
+* Thu Dec 18 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-39
+- openssl: fix libssh compatibility in crypto-policy patch (RHEL-134721)
+
 * Mon Dec 01 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-38
 - http: fix crash in rate-limited upload (RHEL-131696)