From a8a49e5040e78200b6fb4220132c9e7c3aff1383 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 5/8] Apply patch stunnel-5.61-default-tls-version.patch
Patch-name: stunnel-5.61-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/ctx.c | 32 +++++++++++++++++++++-----------
src/options.c | 15 +++++++++++----
src/prototypes.h | 3 +++
3 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/src/ctx.c b/src/ctx.c
index cc0806c..309ed91 100644
--- a/src/ctx.c
+++ b/src/ctx.c
@@ -152,18 +152,28 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
- }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
+ }
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
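Review bot: The two LOG_INFO messages added for the minimum and maximum bounds are word-for-word identical apart from a trailing period, so a log reader cannot tell which bound was left to the crypto policy; name the bound in each, e.g. `"Using the crypto-policy default for the minimum TLS version; not setting it explicitly"` and the matching "maximum" text, with the same punctuation on both. The `#else` branch for OpenSSL < 0x10100000L starts at the end of this hunk and context_init continues past it; if that branch or any later code in the function still consumes min_proto_version or max_proto_version as a protocol number, the -2 sentinel would reach it unchecked, which is worth confirming. Logging the bound as "default" also hides what OpenSSL will actually enforce; a follow-up could log the effective value via SSL_CTX_get_min_proto_version / SSL_CTX_get_max_proto_version after the SSL_CTX is configured, so audits can see the negotiated floor.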
diff --git a/src/options.c b/src/options.c
index 418f25d..09d02bd 100644
--- a/src/options.c
+++ b/src/options.c
@@ -3289,8 +3289,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
- if(section->max_proto_version && section->min_proto_version &&
- section->max_proto_version<section->min_proto_version)
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->max_proto_version<section->min_proto_version)
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
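Review bot: The rewritten range check drops the old exclusion of a zero value and only excludes the new USE_DEFAULT_TLS_VERSION sentinel; the removed comment on the sslVersionMax default in the next hunk documents that 0 meant "highest supported". If the option parser above this hunk (the one returning "Invalid protocol version") can still produce 0 for either bound, an explicit minimum paired with a zero maximum now fails with "Invalid protocol version range" even though it is a valid configuration. Since the sentinel is -2, comparing against zero covers both cases: `if(section->max_proto_version>0 && section->min_proto_version>0 &&` followed by `section->max_proto_version<section->min_proto_version)`. parse_service_option continues outside this hunk.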
@@ -3308,7 +3309,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
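Review bot: The replacement comment on the sslVersionMax default is split across four lines at an odd indent and reads `policies.Do not` without a space, while the sslVersionMin hunk below spells the same comment correctly; one line serves both, e.g. `section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* leave the bound to the OpenSSL crypto policy */`. The same applies to the sslVersionMin hunk. The removed `/* highest supported */` note was the only place recording that a zero value means "no upper bound"; if 0 is still a reachable value, keep that note where the parser produces it. The CMD_PRINT_DEFAULTS case for each option lies outside both hunks; if it prints the numeric default, it now needs to render the -2 sentinel as something readable rather than the raw number.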
@@ -3339,7 +3343,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
diff --git a/src/prototypes.h b/src/prototypes.h
index 89d77b8..23f6014 100644
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -930,6 +930,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
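Review bot: The new sentinel is negative and is compared with `==` against the min_proto_version/max_proto_version fields, which only works if those fields are declared as signed int; the SERVICE_OPTIONS definition is outside this hunk, so that should be confirmed, and an unsigned field would make the default branches in ctx.c unreachable. The `(int)` cast is redundant and the comment does not say why -2 was chosen; suggest `#define USE_DEFAULT_TLS_VERSION (-2) /* leave the bound to the OpenSSL crypto policy; 0 already means "all" */`. The macro is also added right after the `#endif` of an unrelated icon block; grouping it next to the other TLS-version declarations would make it easier to find.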
--
2.37.3