2024-02-05 13:41:05 +00:00
|
|
|
From c104c853a545b00992c7c3b3aa0d625016dc1577 Mon Sep 17 00:00:00 2001
|
2022-09-12 10:11:10 +00:00
|
|
|
From: Clemens Lang <cllang@redhat.com>
|
|
|
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
2024-02-05 13:41:05 +00:00
|
|
|
Subject: [PATCH 4/5] Use TLS version f/crypto-policies unless specified
|
2022-09-12 10:11:10 +00:00
|
|
|
|
2024-02-05 13:41:05 +00:00
|
|
|
Do not explicitly set the TLS version and rely on the defaults from
|
|
|
|
crypto-policies unless a TLS minimum or maximum version are explicitly
|
|
|
|
specified in the stunnel configuration.
|
|
|
|
|
|
|
|
Patch-name: stunnel-5.72-default-tls-version.patch
|
2022-09-12 10:11:10 +00:00
|
|
|
Patch-id: 5
|
|
|
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
|
|
|
---
|
2023-03-06 10:45:56 +00:00
|
|
|
src/ctx.c | 34 ++++++++++++++++++++++------------
|
2022-09-12 10:11:10 +00:00
|
|
|
src/options.c | 15 +++++++++++----
|
|
|
|
src/prototypes.h | 3 +++
|
2023-03-06 10:45:56 +00:00
|
|
|
3 files changed, 36 insertions(+), 16 deletions(-)
|
2022-09-12 10:11:10 +00:00
|
|
|
|
|
|
|
diff --git a/src/ctx.c b/src/ctx.c
|
2024-02-05 13:41:05 +00:00
|
|
|
index 8d0e9de..3418779 100644
|
2022-09-12 10:11:10 +00:00
|
|
|
--- a/src/ctx.c
|
|
|
|
+++ b/src/ctx.c
|
2024-02-05 13:41:05 +00:00
|
|
|
@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
|
|
|
|
|
|
|
/* set supported protocol versions */
|
|
|
|
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
2023-03-06 10:45:56 +00:00
|
|
|
- if(section->min_proto_version &&
|
|
|
|
- !SSL_CTX_set_min_proto_version(section->ctx,
|
2022-01-12 11:09:33 +00:00
|
|
|
- section->min_proto_version)) {
|
|
|
|
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
|
|
|
- section->min_proto_version);
|
|
|
|
- return 1; /* FAILED */
|
|
|
|
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
2023-03-06 10:45:56 +00:00
|
|
|
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
|
|
|
|
+ " crypto policies. Not setting explicitly.");
|
2022-01-12 11:09:33 +00:00
|
|
|
+ } else {
|
2023-03-06 10:45:56 +00:00
|
|
|
+ if(section->min_proto_version &&
|
|
|
|
+ !SSL_CTX_set_min_proto_version(section->ctx,
|
|
|
|
+ section->min_proto_version)) {
|
2022-01-12 11:09:33 +00:00
|
|
|
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
2023-03-06 10:45:56 +00:00
|
|
|
+ section->min_proto_version);
|
2022-01-12 11:09:33 +00:00
|
|
|
+ return 1; /* FAILED */
|
|
|
|
+ }
|
|
|
|
}
|
2023-03-06 10:45:56 +00:00
|
|
|
- if(section->max_proto_version &&
|
|
|
|
- !SSL_CTX_set_max_proto_version(section->ctx,
|
|
|
|
- section->max_proto_version)) {
|
|
|
|
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
|
|
|
- section->max_proto_version);
|
|
|
|
- return 1; /* FAILED */
|
2022-01-12 11:09:33 +00:00
|
|
|
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
2023-03-06 10:45:56 +00:00
|
|
|
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
|
|
|
|
+ " crypto policies. Not setting explicitly");
|
2022-01-12 11:09:33 +00:00
|
|
|
+ } else {
|
2023-03-06 10:45:56 +00:00
|
|
|
+ if(section->max_proto_version &&
|
|
|
|
+ !SSL_CTX_set_max_proto_version(section->ctx,
|
|
|
|
+ section->max_proto_version)) {
|
2022-01-12 11:09:33 +00:00
|
|
|
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
2023-03-06 10:45:56 +00:00
|
|
|
+ section->max_proto_version);
|
2022-01-12 11:09:33 +00:00
|
|
|
+ return 1; /* FAILED */
|
|
|
|
+ }
|
2023-03-06 10:45:56 +00:00
|
|
|
}
|
2024-02-05 13:41:05 +00:00
|
|
|
#endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
|
|
|
|
|
2022-09-12 10:11:10 +00:00
|
|
|
diff --git a/src/options.c b/src/options.c
|
2024-02-05 13:41:05 +00:00
|
|
|
index 12b57fe..816c06e 100644
|
2022-09-12 10:11:10 +00:00
|
|
|
--- a/src/options.c
|
|
|
|
+++ b/src/options.c
|
2024-02-05 13:41:05 +00:00
|
|
|
@@ -3433,8 +3433,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
2020-04-08 14:12:55 +00:00
|
|
|
return "Invalid protocol version";
|
|
|
|
return NULL; /* OK */
|
|
|
|
case CMD_INITIALIZE:
|
|
|
|
- if(section->max_proto_version && section->min_proto_version &&
|
|
|
|
- section->max_proto_version<section->min_proto_version)
|
|
|
|
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
|
|
|
|
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
|
|
|
|
+ && section->max_proto_version<section->min_proto_version)
|
|
|
|
return "Invalid protocol version range";
|
|
|
|
break;
|
|
|
|
case CMD_PRINT_DEFAULTS:
|
2024-02-05 13:41:05 +00:00
|
|
|
@@ -3452,7 +3453,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
2020-04-06 09:50:10 +00:00
|
|
|
/* sslVersionMax */
|
|
|
|
switch(cmd) {
|
|
|
|
case CMD_SET_DEFAULTS:
|
|
|
|
- section->max_proto_version=0; /* highest supported */
|
|
|
|
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
|
|
|
+ OpenSSL crypto
|
|
|
|
+ policies.Do not
|
|
|
|
+ override it */
|
|
|
|
break;
|
|
|
|
case CMD_SET_COPY:
|
|
|
|
section->max_proto_version=new_service_options.max_proto_version;
|
2024-02-05 13:41:05 +00:00
|
|
|
@@ -3483,7 +3487,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
2020-04-06 09:50:10 +00:00
|
|
|
/* sslVersionMin */
|
|
|
|
switch(cmd) {
|
|
|
|
case CMD_SET_DEFAULTS:
|
2023-03-06 10:45:56 +00:00
|
|
|
- section->min_proto_version=0; /* lowest supported */
|
2020-04-06 09:50:10 +00:00
|
|
|
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
|
|
|
+ OpenSSL crypto
|
|
|
|
+ policies. Do not
|
|
|
|
+ override it */
|
|
|
|
break;
|
|
|
|
case CMD_SET_COPY:
|
|
|
|
section->min_proto_version=new_service_options.min_proto_version;
|
2022-09-12 10:11:10 +00:00
|
|
|
diff --git a/src/prototypes.h b/src/prototypes.h
|
2024-02-05 13:41:05 +00:00
|
|
|
index a2b10aa..e76335e 100644
|
2022-09-12 10:11:10 +00:00
|
|
|
--- a/src/prototypes.h
|
|
|
|
+++ b/src/prototypes.h
|
2024-02-05 13:41:05 +00:00
|
|
|
@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
2022-01-12 11:09:33 +00:00
|
|
|
ICON_IMAGE load_icon_file(const char *);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
|
|
|
+ crypto policies */
|
2020-04-06 09:50:10 +00:00
|
|
|
+
|
2022-01-12 11:09:33 +00:00
|
|
|
#endif /* defined PROTOTYPES_H */
|
|
|
|
|
|
|
|
/* end of prototypes.h */
|
2022-09-12 10:11:10 +00:00
|
|
|
--
|
2024-02-05 13:41:05 +00:00
|
|
|
2.43.0
|
2022-09-12 10:11:10 +00:00
|
|
|
|