stunnel/stunnel-5.72-default-tls-version.patch

122 lines
5.2 KiB
Diff
Raw Permalink Normal View History

From c104c853a545b00992c7c3b3aa0d625016dc1577 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 4/5] Use TLS version f/crypto-policies unless specified
Do not explicitly set the TLS version and rely on the defaults from
crypto-policies unless a TLS minimum or maximum version are explicitly
specified in the stunnel configuration.
Patch-name: stunnel-5.72-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/ctx.c | 34 ++++++++++++++++++++++------------
src/options.c | 15 +++++++++++----
src/prototypes.h | 3 +++
3 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/src/ctx.c b/src/ctx.c
index 8d0e9de..3418779 100644
--- a/src/ctx.c
+++ b/src/ctx.c
@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
/* set supported protocol versions */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
- if(section->min_proto_version &&
- !SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+ " crypto policies. Not setting explicitly.");
+ } else {
+ if(section->min_proto_version &&
+ !SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(section->max_proto_version &&
- !SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+ " crypto policies. Not setting explicitly");
+ } else {
+ if(section->max_proto_version &&
+ !SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
diff --git a/src/options.c b/src/options.c
index 12b57fe..816c06e 100644
--- a/src/options.c
+++ b/src/options.c
@@ -3433,8 +3433,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
- if(section->max_proto_version && section->min_proto_version &&
- section->max_proto_version<section->min_proto_version)
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->max_proto_version<section->min_proto_version)
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3452,7 +3453,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3483,7 +3487,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=0; /* lowest supported */
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
diff --git a/src/prototypes.h b/src/prototypes.h
index a2b10aa..e76335e 100644
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
--
2.43.0