add option for TLSv1.3 ciphersuites
SPDX migration
This commit is contained in:
parent
9f310a0dd2
commit
17a18d5fda
@ -69,7 +69,7 @@ index c362983..22b69b3 100644
|
|||||||
if (!tunable_sslv2)
|
if (!tunable_sslv2)
|
||||||
{
|
{
|
||||||
options |= SSL_OP_NO_SSLv2;
|
options |= SSL_OP_NO_SSLv2;
|
||||||
@@ -130,6 +147,25 @@
|
@@ -149,8 +166,27 @@
|
||||||
die("SSL: cannot load DSA private key");
|
die("SSL: cannot load DSA private key");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -95,6 +95,8 @@ index c362983..22b69b3 100644
|
|||||||
if (tunable_ssl_ciphers &&
|
if (tunable_ssl_ciphers &&
|
||||||
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
|
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
|
||||||
{
|
{
|
||||||
|
die("SSL: could not set cipher list");
|
||||||
|
}
|
||||||
@@ -184,6 +226,9 @@
|
@@ -184,6 +226,9 @@
|
||||||
/* Ensure cached session doesn't expire */
|
/* Ensure cached session doesn't expire */
|
||||||
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
||||||
|
79
vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
Normal file
79
vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
diff -urN a/parseconf.c b/parseconf.c
|
||||||
|
--- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200
|
||||||
|
+++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100
|
||||||
|
@@ -185,6 +185,7 @@
|
||||||
|
{ "dsa_cert_file", &tunable_dsa_cert_file },
|
||||||
|
{ "dh_param_file", &tunable_dh_param_file },
|
||||||
|
{ "ecdh_param_file", &tunable_ecdh_param_file },
|
||||||
|
+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
|
||||||
|
{ "ssl_ciphers", &tunable_ssl_ciphers },
|
||||||
|
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
|
||||||
|
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
|
||||||
|
diff -urN a/ssl.c b/ssl.c
|
||||||
|
--- a/ssl.c 2021-08-02 08:24:35.000000000 +0200
|
||||||
|
+++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100
|
||||||
|
@@ -135,6 +135,11 @@
|
||||||
|
{
|
||||||
|
die("SSL: could not set cipher list");
|
||||||
|
}
|
||||||
|
+ if (tunable_ssl_ciphersuites &&
|
||||||
|
+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
|
||||||
|
+ {
|
||||||
|
+ die("SSL: could not set ciphersuites");
|
||||||
|
+ }
|
||||||
|
if (RAND_status() != 1)
|
||||||
|
{
|
||||||
|
die("SSL: RNG is not seeded");
|
||||||
|
diff -urN a/tunables.c b/tunables.c
|
||||||
|
--- a/tunables.c 2021-05-29 23:39:00.000000000 +0200
|
||||||
|
+++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100
|
||||||
|
@@ -154,6 +154,7 @@
|
||||||
|
const char* tunable_dsa_cert_file;
|
||||||
|
const char* tunable_dh_param_file;
|
||||||
|
const char* tunable_ecdh_param_file;
|
||||||
|
const char* tunable_ssl_ciphers;
|
||||||
|
+const char* tunable_ssl_ciphersuites;
|
||||||
|
const char* tunable_rsa_private_key_file;
|
||||||
|
const char* tunable_dsa_private_key_file;
|
||||||
|
@@ -293,6 +293,7 @@
|
||||||
|
install_str_setting(0, &tunable_dh_param_file);
|
||||||
|
install_str_setting(0, &tunable_ecdh_param_file);
|
||||||
|
install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
|
||||||
|
+ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
|
||||||
|
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||||
|
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||||
|
install_str_setting(0, &tunable_ca_certs_file);
|
||||||
|
diff -urN a/tunables.h b/tunables.h
|
||||||
|
--- a/tunables.h
|
||||||
|
+++ b/tunables.h
|
||||||
|
@@ -144,6 +144,7 @@
|
||||||
|
extern const char* tunable_dsa_cert_file;
|
||||||
|
extern const char* tunable_dh_param_file;
|
||||||
|
extern const char* tunable_ecdh_param_file;
|
||||||
|
extern const char* tunable_ssl_ciphers;
|
||||||
|
+extern const char* tunable_ssl_ciphersuites;
|
||||||
|
extern const char* tunable_rsa_private_key_file;
|
||||||
|
extern const char* tunable_dsa_private_key_file;
|
||||||
|
--- a/vsftpd.conf.5
|
||||||
|
+++ b/vsftpd.conf.5
|
||||||
|
@@ -1009,6 +1009,20 @@
|
||||||
|
|
||||||
|
Default: PROFILE=SYSTEM
|
||||||
|
.TP
|
||||||
|
+.B ssl_ciphersuites
|
||||||
|
+This option can be used to select which SSL cipher suites vsftpd will allow for
|
||||||
|
+encrypted SSL connections with TLSv1.3. See the
|
||||||
|
+.BR ciphers
|
||||||
|
+man page for further details. Note that restricting ciphers can be a useful
|
||||||
|
+security precaution as it prevents malicious remote parties forcing a cipher
|
||||||
|
+which they have found problems with.
|
||||||
|
+
|
||||||
|
+By default, the system-wide crypto policy is used. See
|
||||||
|
+.BR update-crypto-policies(8)
|
||||||
|
+for further details.
|
||||||
|
+
|
||||||
|
+Default: TLS_AES_256_GCM_SHA384
|
||||||
|
+.TP
|
||||||
|
.B ssl_sni_hostname
|
||||||
|
If set, SSL connections will be rejected unless the SNI hostname in the
|
||||||
|
incoming handshakes matches this value.
|
@ -25,7 +25,7 @@ diff --git a/ssl.c b/ssl.c
|
|||||||
int verify_option = 0;
|
int verify_option = 0;
|
||||||
SSL_library_init();
|
SSL_library_init();
|
||||||
- p_ctx = SSL_CTX_new(SSLv23_server_method());
|
- p_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||||
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, SSLv23_server_method());
|
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
|
||||||
if (p_ctx == NULL)
|
if (p_ctx == NULL)
|
||||||
{
|
{
|
||||||
die("SSL: could not allocate SSL context");
|
die("SSL: could not allocate SSL context");
|
||||||
|
15
vsftpd-3.0.5-use-old-tlsv-options.patch
Normal file
15
vsftpd-3.0.5-use-old-tlsv-options.patch
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
--- parseconf-orig.c 2022-10-25 15:17:18.990701984 +0200
|
||||||
|
+++ parseconf.c 2022-10-25 15:12:44.213480000 +0200
|
||||||
|
@@ -85,9 +85,9 @@
|
||||||
|
{ "ssl_sslv2", &tunable_sslv2 },
|
||||||
|
{ "ssl_sslv3", &tunable_sslv3 },
|
||||||
|
{ "ssl_tlsv1", &tunable_tlsv1 },
|
||||||
|
- { "ssl_tlsv11", &tunable_tlsv1_1 },
|
||||||
|
- { "ssl_tlsv12", &tunable_tlsv1_2 },
|
||||||
|
- { "ssl_tlsv13", &tunable_tlsv1_3 },
|
||||||
|
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
|
||||||
|
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
|
||||||
|
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
|
||||||
|
{ "tilde_user_enable", &tunable_tilde_user_enable },
|
||||||
|
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
||||||
|
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
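Review bot: The parseconf.c hunk replaces the upstream 3.0.5 option names `ssl_tlsv11`/`ssl_tlsv12`/`ssl_tlsv13` rather than aliasing them, so a vsftpd.conf written against the upstream spelling (or against the upstream vsftpd.conf.5, which this patch does not touch) is no longer recognised — and to my recollection vsftpd's config parser dies on an unknown setting rather than ignoring it, which would make the daemon fail to start. The table appears to be a flat name-to-pointer list searched by name, so both spellings can point at the same tunable: keep the three removed entries next to the added ones, e.g. `{ "ssl_tlsv11", &tunable_tlsv1_1 },` alongside `{ "ssl_tlsv1_1", &tunable_tlsv1_1 },`, with a comment `/* upstream 3.0.5 spelling kept for compatibility */`. The man page entries for these options should then document whichever spellings vsftpd accepts.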
10
vsftpd.spec
10
vsftpd.spec
@ -2,11 +2,11 @@
|
|||||||
|
|
||||||
Name: vsftpd
|
Name: vsftpd
|
||||||
Version: 3.0.5
|
Version: 3.0.5
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: Very Secure Ftp Daemon
|
Summary: Very Secure Ftp Daemon
|
||||||
|
|
||||||
# OpenSSL link exception
|
# OpenSSL link exception
|
||||||
License: GPLv2 with exceptions
|
License: GPL-2.0-only WITH vsftpd-openssl-exception
|
||||||
URL: https://security.appspot.com/vsftpd.html
|
URL: https://security.appspot.com/vsftpd.html
|
||||||
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
|
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
|
||||||
Source1: vsftpd.xinetd
|
Source1: vsftpd.xinetd
|
||||||
@ -99,6 +99,8 @@ Patch70: fix-str_open.patch
|
|||||||
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
|
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
|
||||||
Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch
|
Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch
|
||||||
Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
|
Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
|
||||||
|
Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
|
||||||
|
Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
vsftpd is a Very Secure FTP daemon. It was written completely from
|
vsftpd is a Very Secure FTP daemon. It was written completely from
|
||||||
@ -168,6 +170,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
|
|||||||
%{_var}/ftp
|
%{_var}/ftp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu May 04 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
|
||||||
|
- add option for TLSv1.3 ciphersuites
|
||||||
|
- SPDX migration
|
||||||
|
|
||||||
* Fri Feb 17 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
|
* Fri Feb 17 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
|
||||||
- make vsftpd compatible with Openssl 3.0+
|
- make vsftpd compatible with Openssl 3.0+
|
||||||
- replace old network functions
|
- replace old network functions
|
||||||
|