From 443ad52e56d1da68d886a0191925f80398884d4e Mon Sep 17 00:00:00 2001
From: Richard Lescak
Date: Thu, 6 Apr 2023 22:23:13 +0200
Subject: [PATCH] add patch to provide option for TLSv1.3 ciphersuites

Resolves: rhbz#2069733
---
 ...-add-option-for-tlsv1.3-ciphersuites.patch | 75 +++++++++++++++++++
 vsftpd.spec | 8 +-
 2 files changed, 81 insertions(+), 2 deletions(-)
 create mode 100644 vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch

diff --git a/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch b/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
new file mode 100644
index 0000000..6bcef1b
--- /dev/null
+++ b/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
@@ -0,0 +1,75 @@
+diff -urN a/parseconf.c b/parseconf.c
+--- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200
++++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100
+@@ -185,6 +185,7 @@
+ { "dsa_cert_file", &tunable_dsa_cert_file },
+ { "dh_param_file", &tunable_dh_param_file },
+ { "ecdh_param_file", &tunable_ecdh_param_file },
++ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
+ { "ssl_ciphers", &tunable_ssl_ciphers },
+ { "rsa_private_key_file", &tunable_rsa_private_key_file },
+ { "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff -urN a/ssl.c b/ssl.c
+--- a/ssl.c 2021-08-02 08:24:35.000000000 +0200
++++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100
+@@ -135,6 +135,11 @@
+ {
+ die("SSL: could not set cipher list");
+ }
++ if (tunable_ssl_ciphersuites &&
++ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
++ {
++ die("SSL: could not set ciphersuites list");
++ }
+ if (RAND_status() != 1)
+ {
+ die("SSL: RNG is not seeded");
+diff -urN a/tunables.c b/tunables.c
+--- a/tunables.c 2021-05-29 23:39:00.000000000 +0200
++++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100
+@@ -154,6 +154,7 @@
+ const char* tunable_dsa_cert_file;
+ const char* tunable_dh_param_file;
+ const char* tunable_ecdh_param_file;
+ const char* tunable_ssl_ciphers;
++const char* tunable_ssl_ciphersuites;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+@@ -293,6 +293,7 @@
+ install_str_setting(0, &tunable_dh_param_file);
+ install_str_setting(0, &tunable_ecdh_param_file);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
++ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
+ install_str_setting(0, &tunable_rsa_private_key_file);
+ install_str_setting(0, &tunable_dsa_private_key_file);
+ install_str_setting(0, &tunable_ca_certs_file);
+diff -urN a/tunables.h b/tunables.h
+--- a/tunables.h
++++ b/tunables.h
+@@ -144,6 +144,7 @@
+ extern const char* tunable_dsa_cert_file;
+ extern const char* tunable_dh_param_file;
+ extern const char* tunable_ecdh_param_file;
+ extern const char* tunable_ssl_ciphers;
++extern const char* tunable_ssl_ciphersuites;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1009,6 +1009,16 @@
+ 
+ Default: PROFILE=SYSTEM
+ .TP
++.B ssl_ciphersuites
++This option can be used to select which SSL cipher suites vsftpd will allow for
++encrypted SSL connections with TLSv1.3. See the
++.BR ciphers
++man page for further details. Note that restricting ciphers can be a useful
++security precaution as it prevents malicious remote parties forcing a cipher
++which they have found problems with.
++
++Default: TLS_AES_256_GCM_SHA384
++.TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+ the manual page, on a per-user basis. Usage is simple, and is best illustrated
diff --git a/vsftpd.spec b/vsftpd.spec
index 523454b..6280949 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
@@ -2,7 +2,7 @@ Name: vsftpd
 Version: 3.0.3
-Release: 35%{?dist}
+Release: 36%{?dist}
 Summary: Very Secure Ftp Daemon
 Group: System Environment/Daemons
@@ -97,7 +97,7 @@
 Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
 Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
-
+Patch69: vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from scratch.
@@ -165,6 +165,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 %changelog
+* Thu Apr 06 2023 Richard Lescak -3.0.3-36
+- add patch to provide option for TLSv1.3 ciphersuites
+- Resolves: rhbz#2069733
+
 * Fri Dec 03 2021 Artem Egorenkov - 3.0.3-35
 - add option to disable TLSv1.3
 - Resolves: rhbz#1638375
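Review bot: The compiled-in default `TLS_AES_256_GCM_SHA384` in the tunables.c hunk pins TLSv1.3 to a single suite, whereas the neighbouring `ssl_ciphers` default `PROFILE=SYSTEM` defers to the system crypto policy, so a TLSv1.3 client that does not offer AES-256-GCM (RFC 8446 only mandates TLS_AES_128_GCM_SHA256) will now fail the handshake, and policy changes no longer reach TLSv1.3 at all. If parity with `ssl_ciphers` is the intent, `install_str_setting(0, &tunable_ssl_ciphersuites);` leaves OpenSSL's configured default in force, and the `tunable_ssl_ciphersuites &&` guard added in ssl.c already covers the unset case; whichever default is kept, the vsftpd.conf.5 entry should state what happens when the option is not set, which the proposed text does not. `SSL_CTX_set_ciphersuites` exists only from OpenSSL 1.1.1 and the call carries no version guard, so presumably the package build already requires that version; worth confirming against the BuildRequires. The function containing the ssl.c hunk begins and ends outside it.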
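Review bot: `Patch69:` is declared in the header hunk of vsftpd.spec, but none of the hunks shown adds a matching `%patch69 -p1` line; if %prep applies patches with explicit %patchN lines rather than %autosetup or %autopatch, the new patch would be listed yet never applied and the build would still succeed silently. %prep lies outside these hunks, so this needs confirming there.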