Adds default tls version patch to comply with OpenSSL crypto policies.

With this patch, the stunnel defaults defined in sslVersionMin and sslVersionMax
cannot override the default versions defined in OpenSSL crypto policies.
This commit is contained in:
Sahana Prasad 2020-04-06 11:50:10 +02:00
parent 77b6fcf87e
commit 1bba186b2d
2 changed files with 86 additions and 1 deletions

View File

@ -0,0 +1,80 @@
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((long unsigned)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 11:14:41.993334510 +0200
+++ stunnel-5.56/src/options.c 2020-04-06 11:22:37.393391977 +0200
@@ -3142,7 +3142,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3176,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
section->ctx=SSL_CTX_new(TLS_client_method());
else /* server mode */
section->ctx=SSL_CTX_new(TLS_server_method());
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)

View File

@ -10,7 +10,7 @@
Summary: A TLS-encrypting socket wrapper Summary: A TLS-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 5.56 Version: 5.56
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2 License: GPLv2
URL: http://www.stunnel.org/ URL: http://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -25,6 +25,7 @@ Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.50-systemd-service.patch Patch1: stunnel-5.50-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch Patch3: stunnel-5.56-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.56-default-tls-version.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: gcc BuildRequires: gcc
BuildRequires: openssl-devel, pkgconfig, util-linux BuildRequires: openssl-devel, pkgconfig, util-linux
@ -51,6 +52,7 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch1 -p1 -b .systemd-service %patch1 -p1 -b .systemd-service
%patch3 -p1 -b .system-ciphers %patch3 -p1 -b .system-ciphers
%patch4 -p1 -b .coverity %patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version
# Fix the configure script output for FIPS mode and stack protector flag # Fix the configure script output for FIPS mode and stack protector flag
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
@ -136,6 +138,9 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
%changelog %changelog
* Tue Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
- Adds default tls version patch to comply with OpenSSL crypto policies
* Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3 * Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
- Adds coverity patch - Adds coverity patch