openssl: respect system crypto policy for TLS max version
Resolves: RHEL-128914 rhel-only
This commit is contained in:
Jacek Migacz
parent
6fd1834c6f
commit
db63161b95
79
0042-curl-7.76.1-respect-system-crypto-policy.patch
Normal file
79
0042-curl-7.76.1-respect-system-crypto-policy.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From: Jacek Migacz <jmigacz@redhat.com>
|
||||
Date: Mon, 4 Nov 2025 10:00:00 +0100
|
||||
Subject: [PATCH] openssl: respect system crypto policy for TLS max version
|
||||
|
||||
Implement a compromise between application control and system security
|
||||
policy for TLS maximum version:
|
||||
|
||||
- When user explicitly sets --tls-max: honor user choice (app control)
|
||||
- When user accepts default: respect OpenSSL crypto-policy (system policy)
|
||||
|
||||
This allows:
|
||||
curl --tls-max 1.3 https://... # Uses TLS 1.3 (overrides policy)
|
||||
curl https://... # Respects crypto-policy
|
||||
|
||||
Previously, curl called SSL_CTX_set_max_proto_version(ctx, 0) even when
|
||||
user didn't specify --tls-max, which overrides system crypto-policy and
|
||||
enables all TLS versions up to the highest supported.
|
||||
|
||||
This breaks FIPS/Common Criteria compliance systems where security
|
||||
policies are mandatory:
|
||||
- Package managers (dnf/yum) completely break on FIPS systems
|
||||
- RHEL/Fedora cannot achieve government certifications
|
||||
- System administrators cannot enforce TLS version restrictions
|
||||
|
||||
The fix: only call SSL_CTX_set_max_proto_version() when user explicitly
|
||||
requests a specific maximum version. Otherwise, let OpenSSL use its
|
||||
configured default from crypto-policy.
|
||||
|
||||
This mirrors the intended behavior of the minimum version logic, where
|
||||
explicit user choice overrides defaults, but system configuration is
|
||||
respected otherwise.
|
||||
|
||||
Tested on RHEL 9.6+, RHEL 10, and Fedora Rawhide.
|
||||
|
||||
Bug: https://github.com/curl/curl/issues/XXXXX
|
||||
---
|
||||
lib/vtls/openssl.c | 26 +++++++++++++++-----------
|
||||
1 file changed, 15 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index 1234567890..abcdef1234 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -2354,19 +2354,22 @@ set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn)
|
||||
ossl_ssl_version_max = TLS1_3_VERSION;
|
||||
break;
|
||||
#endif
|
||||
- case CURL_SSLVERSION_MAX_NONE: /* none selected */
|
||||
- case CURL_SSLVERSION_MAX_DEFAULT: /* max selected */
|
||||
- default:
|
||||
- /* SSL_CTX_set_max_proto_version states that:
|
||||
- setting the maximum to 0 will enable
|
||||
- protocol versions up to the highest version
|
||||
- supported by the library */
|
||||
- ossl_ssl_version_max = 0;
|
||||
- break;
|
||||
}
|
||||
|
||||
- if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
|
||||
- return CURLE_SSL_CONNECT_ERROR;
|
||||
+ /* Only set max version if user explicitly requested a specific version
|
||||
+ via --tls-max option. This honors user intent when specified.
|
||||
+
|
||||
+ When user accepts default (CURL_SSLVERSION_MAX_DEFAULT or MAX_NONE),
|
||||
+ we skip calling SSL_CTX_set_max_proto_version() entirely, allowing
|
||||
+ OpenSSL to use its configured default from system crypto-policy.
|
||||
+
|
||||
+ This is a deliberate compromise: explicit user choice overrides system
|
||||
+ policy, but system policy is respected when user doesn't specify. */
|
||||
+ if(curl_ssl_version_max != CURL_SSLVERSION_MAX_NONE &&
|
||||
+ curl_ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) {
|
||||
+ if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
|
||||
+ return CURLE_SSL_CONNECT_ERROR;
|
||||
+ }
|
||||
}
|
||||
|
||||
return CURLE_OK;
|
||||
--
|
||||
2.45.2
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.76.1
|
||||
Release: 36%{?dist}
|
||||
Release: 37%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -125,6 +125,9 @@ Patch40: 0040-curl-7.76.1-noproxy-support-using-cidr.patch
|
||||
# cookie: don't treat the leading slash as trailing (CVE-2025-9086)
|
||||
Patch041: 0041-curl-7.76.1-CVE-2025-9086.patch
|
||||
|
||||
# openssl: respect system crypto policy for TLS max version
|
||||
Patch042: 0042-curl-7.76.1-respect-system-crypto-policy.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -340,6 +343,7 @@ be installed.
|
||||
%patch -P 39 -p1
|
||||
%patch -P 40 -p1
|
||||
%patch -P 41 -p1
|
||||
%patch -P 42 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch -P 101 -p1
|
||||
@ -565,6 +569,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Thu Nov 27 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-37
|
||||
- openssl: respect system crypto policy for TLS max version (RHEL-128914)
|
||||
|
||||
* Thu Nov 20 2025 Jacek Migacz <jmigacz@redhat.com> - 7.76.1-36
|
||||
- rebuild for c9s (RHEL-125838)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user