From 1bba186b2d9750cb08f8340996e5343dd198890d Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Mon, 6 Apr 2020 11:50:10 +0200
Subject: [PATCH] Adds default tls version patch to comply with OpenSSL crypto policies.
With this patch, the stunnel defaults defined in sslVersionMin and sslVersionMax cannot override the default versions defined in OpenSSL crypto policies.
---
 stunnel-5.56-default-tls-version.patch | 80 ++++++++++++++++++++++++++
 stunnel.spec | 7 ++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 stunnel-5.56-default-tls-version.patch
diff --git a/stunnel-5.56-default-tls-version.patch b/stunnel-5.56-default-tls-version.patch
new file mode 100644
index 0000000..e47739f
--- /dev/null
+++ b/stunnel-5.56-default-tls-version.patch
@@ -0,0 +1,80 @@
+--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
++++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
+@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
++#define USE_DEFAULT_TLS_VERSION ((long unsigned)-2) /* Use defaults in OpenSSL
++ crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+ 
+ /* end of prototypes.h */
+--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 11:14:41.993334510 +0200
++++ stunnel-5.56/src/options.c 2020-04-06 11:22:37.393391977 +0200
+@@ -3142,7 +3142,10 @@ NOEXPORT char *parse_service_option(CMD
+ /* sslVersionMax */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->max_proto_version=0; /* highest supported */
++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies.Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->max_proto_version=new_service_options.max_proto_version;
+@@ -3173,7 +3176,10 @@ NOEXPORT char *parse_service_option(CMD
+ /* sslVersionMin */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->min_proto_version=TLS1_VERSION;
++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies. Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->min_proto_version=new_service_options.min_proto_version;
+--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
++++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
+@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
+ section->ctx=SSL_CTX_new(TLS_client_method());
+ else /* server mode */
+ section->ctx=SSL_CTX_new(TLS_server_method());
+- if(!SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
++
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in \
++ OpenSSL crypto policies. Not setting explicitly.");
++ } else {
++ if(!SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+- if(!SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in \
++ OpenSSL crypto policies. Not setting explicitly");
++ } else {
++ if(!SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ if(section->option.client)
diff --git a/stunnel.spec b/stunnel.spec
index fd65171..2283eb6 100644
--- a/stunnel.spec
+++ b/stunnel.spec
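Review bot: In the ctx.c hunk the two new `s_log(LOG_INFO, ...)` messages are built with a backslash-newline inside the string literal, so whatever indentation precedes `OpenSSL crypto policies` on the continuation line becomes part of the logged text; use adjacent literals instead, e.g. `s_log(LOG_INFO, "Using the default TLS version as specified in " "OpenSSL crypto policies. Not setting explicitly.");`, and say whether it is the minimum or the maximum that is being left to the policy, since the two messages are otherwise identical except that one lacks the trailing period. The sentinel `USE_DEFAULT_TLS_VERSION` is `((long unsigned)-2)`, yet the fields it is stored in are printed with `0x%X` by the existing error paths, which suggests they are int-sized; the comparison still works through promotion, but defining the sentinel with the field's type and extending the prototypes.h comment to say it must never collide with a `TLS1_*_VERSION` value or with the `0` the old default used for "highest supported" would avoid sign-conversion surprises. This is also a security-relevant behaviour change that the sslVersionMin/sslVersionMax documentation should state: the built-in `TLS1_VERSION` floor is gone, so when no crypto policy is applied the effective minimum is simply OpenSSL's own default. context_init's `#else` branch for OpenSSL < 1.1.0 begins on the hunk's last lines and continues outside it; if that branch also consumes min_proto_version/max_proto_version it needs to recognise the sentinel as well.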
@@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.56
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 URL: http://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@@ -25,6 +25,7 @@ Patch0: stunnel-5.50-authpriv.patch
 Patch1: stunnel-5.50-systemd-service.patch
 Patch3: stunnel-5.56-system-ciphers.patch
 Patch4: stunnel-5.56-coverity.patch
+Patch5: stunnel-5.56-default-tls-version.patch
 # util-linux is needed for rename
 BuildRequires: gcc
 BuildRequires: openssl-devel, pkgconfig, util-linux
@@ -51,6 +52,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch1 -p1 -b .systemd-service
 %patch3 -p1 -b .system-ciphers
 %patch4 -p1 -b .coverity
+%patch5 -p1 -b .default-tls-version
 # Fix the configure script output for FIPS mode and stack protector flag
 sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
@@ -136,6 +138,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 %changelog
+* Tue Apr 06 2020 Sahana Prasad - 5.56-4
+- Adds default tls version patch to comply with OpenSSL crypto policies
 * Tue Mar 31 2020 Sahana Prasad - 5.56-3
 - Adds coverity patch
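Review bot: The weekday in the new %changelog entry is wrong: `* Tue Apr 06 2020 Sahana Prasad - 5.56-4` names a Tuesday, but 6 April 2020 was a Monday, as the commit's own Date header (`Mon, 6 Apr 2020`) shows, and rpmbuild reports such entries as a bogus date in %changelog. Change it to `* Mon Apr 06 2020 Sahana Prasad - 5.56-4`. The Patch5 declaration and the matching `%patch5 -p1 -b .default-tls-version` line follow the existing wiring of Patch3/Patch4 and look consistent.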