Adds default tls version patch to comply with OpenSSL crypto policies.

With this patch, the stunnel defaults defined in sslVersionMin and sslVersionMax cannot override the default versions defined in OpenSSL crypto policies.
2020-04-06 11:50:10 +02:00 · 2020-04-06 11:50:10 +02:00 · 1bba186b2d
commit 1bba186b2d
parent 77b6fcf87e
2 changed files with 86 additions and 1 deletions
--- a/stunnel-5.56-default-tls-version.patch
+++ b/stunnel-5.56-default-tls-version.patch
@ -0,0 +1,80 @@
+--- stunnel-5.56/src/prototypes.h.default-tls-version	2020-04-06 11:22:24.480280384 +0200
+++ stunnel-5.56/src/prototypes.h	2020-04-06 11:21:05.407597053 +0200
+@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
+#define USE_DEFAULT_TLS_VERSION ((long unsigned)-2) /* Use defaults in OpenSSL
+                                                       crypto policies */
+
+ #endif /* defined PROTOTYPES_H */
+
+ /* end of prototypes.h */
+--- stunnel-5.56/src/options.c.default-tls-version	2020-04-06 11:14:41.993334510 +0200
+++ stunnel-5.56/src/options.c	2020-04-06 11:22:37.393391977 +0200
+@@ -3142,7 +3142,10 @@ NOEXPORT char *parse_service_option(CMD
+     /* sslVersionMax */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->max_proto_version=0; /* highest supported */
+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies.Do not
+                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->max_proto_version=new_service_options.max_proto_version;
+@@ -3173,7 +3176,10 @@ NOEXPORT char *parse_service_option(CMD
+     /* sslVersionMin */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->min_proto_version=TLS1_VERSION;
+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies. Do not
+                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->min_proto_version=new_service_options.min_proto_version;
+--- stunnel-5.56/src/ctx.c.default-tls-version	2019-10-24 10:48:11.000000000 +0200
+++ stunnel-5.56/src/ctx.c	2020-04-06 11:16:48.406406794 +0200
+@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
+         section->ctx=SSL_CTX_new(TLS_client_method());
+     else /* server mode */
+         section->ctx=SSL_CTX_new(TLS_server_method());
+-    if(!SSL_CTX_set_min_proto_version(section->ctx,
+-            section->min_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+-            section->min_proto_version);
+-        return 1; /* FAILED */
+
+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS version as specified in \
+                OpenSSL crypto policies. Not setting explicitly.");
+    } else {
+        if(!SSL_CTX_set_min_proto_version(section->ctx,
+                    section->min_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+                    section->min_proto_version);
+            return 1; /* FAILED */
+        }
+     }
+-    if(!SSL_CTX_set_max_proto_version(section->ctx,
+-            section->max_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+-            section->max_proto_version);
+-        return 1; /* FAILED */
+
+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS version as specified in \
+                OpenSSL crypto policies. Not setting explicitly");
+    } else {
+        if(!SSL_CTX_set_max_proto_version(section->ctx,
+                    section->max_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+                    section->max_proto_version);
+            return 1; /* FAILED */
+        }
+     }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+     if(section->option.client)
--- a/stunnel.spec
+++ b/stunnel.spec
@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.56
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 URL: http://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -25,6 +25,7 @@ Patch0: stunnel-5.50-authpriv.patch
 Patch1: stunnel-5.50-systemd-service.patch
 Patch3: stunnel-5.56-system-ciphers.patch
 Patch4: stunnel-5.56-coverity.patch
+Patch5: stunnel-5.56-default-tls-version.patch
 # util-linux is needed for rename
 BuildRequires: gcc
 BuildRequires: openssl-devel, pkgconfig, util-linux
@ -51,6 +52,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch1 -p1 -b .systemd-service
 %patch3 -p1 -b .system-ciphers
 %patch4 -p1 -b .coverity
+%patch5 -p1 -b .default-tls-version

 # Fix the configure script output for FIPS mode and stack protector flag
 sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
@ -136,6 +138,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service

 %changelog
+* Tue Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
+- Adds default tls version patch to comply with OpenSSL crypto policies
+
 * Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
 - Adds coverity patch