Adds default tls version patch to comply with OpenSSL crypto policies.
With this patch, the stunnel defaults defined in sslVersionMin and sslVersionMax cannot override the default versions defined in OpenSSL crypto policies.
This commit is contained in:
parent
77b6fcf87e
commit
1bba186b2d
80
stunnel-5.56-default-tls-version.patch
Normal file
80
stunnel-5.56-default-tls-version.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
|
||||||
|
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
|
||||||
|
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||||
|
ICON_IMAGE load_icon_file(const char *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define USE_DEFAULT_TLS_VERSION ((long unsigned)-2) /* Use defaults in OpenSSL
|
||||||
|
+ crypto policies */
|
||||||
|
+
|
||||||
|
#endif /* defined PROTOTYPES_H */
|
||||||
|
|
||||||
|
/* end of prototypes.h */
|
||||||
|
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 11:14:41.993334510 +0200
|
||||||
|
+++ stunnel-5.56/src/options.c 2020-04-06 11:22:37.393391977 +0200
|
||||||
|
@@ -3142,7 +3142,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||||
|
/* sslVersionMax */
|
||||||
|
switch(cmd) {
|
||||||
|
case CMD_SET_DEFAULTS:
|
||||||
|
- section->max_proto_version=0; /* highest supported */
|
||||||
|
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||||
|
+ OpenSSL crypto
|
||||||
|
+ policies.Do not
|
||||||
|
+ override it */
|
||||||
|
break;
|
||||||
|
case CMD_SET_COPY:
|
||||||
|
section->max_proto_version=new_service_options.max_proto_version;
|
||||||
|
@@ -3173,7 +3176,10 @@ NOEXPORT char *parse_service_option(CMD
|
||||||
|
/* sslVersionMin */
|
||||||
|
switch(cmd) {
|
||||||
|
case CMD_SET_DEFAULTS:
|
||||||
|
- section->min_proto_version=TLS1_VERSION;
|
||||||
|
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||||
|
+ OpenSSL crypto
|
||||||
|
+ policies. Do not
|
||||||
|
+ override it */
|
||||||
|
break;
|
||||||
|
case CMD_SET_COPY:
|
||||||
|
section->min_proto_version=new_service_options.min_proto_version;
|
||||||
|
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
|
||||||
|
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
|
||||||
|
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
|
||||||
|
section->ctx=SSL_CTX_new(TLS_client_method());
|
||||||
|
else /* server mode */
|
||||||
|
section->ctx=SSL_CTX_new(TLS_server_method());
|
||||||
|
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
|
- section->min_proto_version)) {
|
||||||
|
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||||
|
- section->min_proto_version);
|
||||||
|
- return 1; /* FAILED */
|
||||||
|
+
|
||||||
|
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||||
|
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||||
|
+ OpenSSL crypto policies. Not setting explicitly.");
|
||||||
|
+ } else {
|
||||||
|
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
|
+ section->min_proto_version)) {
|
||||||
|
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||||
|
+ section->min_proto_version);
|
||||||
|
+ return 1; /* FAILED */
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||||
|
- section->max_proto_version)) {
|
||||||
|
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||||
|
- section->max_proto_version);
|
||||||
|
- return 1; /* FAILED */
|
||||||
|
+
|
||||||
|
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||||
|
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
||||||
|
+ OpenSSL crypto policies. Not setting explicitly");
|
||||||
|
+ } else {
|
||||||
|
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
||||||
|
+ section->max_proto_version)) {
|
||||||
|
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||||
|
+ section->max_proto_version);
|
||||||
|
+ return 1; /* FAILED */
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||||
|
if(section->option.client)
|
@ -10,7 +10,7 @@
|
|||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.56
|
Version: 5.56
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: http://www.stunnel.org/
|
URL: http://www.stunnel.org/
|
||||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||||
@ -25,6 +25,7 @@ Patch0: stunnel-5.50-authpriv.patch
|
|||||||
Patch1: stunnel-5.50-systemd-service.patch
|
Patch1: stunnel-5.50-systemd-service.patch
|
||||||
Patch3: stunnel-5.56-system-ciphers.patch
|
Patch3: stunnel-5.56-system-ciphers.patch
|
||||||
Patch4: stunnel-5.56-coverity.patch
|
Patch4: stunnel-5.56-coverity.patch
|
||||||
|
Patch5: stunnel-5.56-default-tls-version.patch
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||||
@ -51,6 +52,7 @@ conjunction with imapd to create a TLS secure IMAP server.
|
|||||||
%patch1 -p1 -b .systemd-service
|
%patch1 -p1 -b .systemd-service
|
||||||
%patch3 -p1 -b .system-ciphers
|
%patch3 -p1 -b .system-ciphers
|
||||||
%patch4 -p1 -b .coverity
|
%patch4 -p1 -b .coverity
|
||||||
|
%patch5 -p1 -b .default-tls-version
|
||||||
|
|
||||||
# Fix the configure script output for FIPS mode and stack protector flag
|
# Fix the configure script output for FIPS mode and stack protector flag
|
||||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
||||||
@ -136,6 +138,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
||||||
|
- Adds default tls version patch to comply with OpenSSL crypto policies
|
||||||
|
|
||||||
* Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
|
* Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
|
||||||
- Adds coverity patch
|
- Adds coverity patch
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user