add patch to provide option for TLSv1.3 ciphersuites

Resolves: rhbz#2069733
2023-04-06 22:23:13 +02:00 · 2023-04-06 22:23:13 +02:00 · 443ad52e56
commit 443ad52e56
parent c45123a0b6
2 changed files with 81 additions and 2 deletions
--- a/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
+++ b/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
@ -0,0 +1,75 @@
+diff -urN a/parseconf.c b/parseconf.c
+--- a/parseconf.c	2021-05-29 23:39:19.000000000 +0200
+++ b/parseconf.c	2023-03-03 10:22:38.256439634 +0100
+@@ -185,6 +185,7 @@
+   { "dsa_cert_file", &tunable_dsa_cert_file },
+   { "dh_param_file", &tunable_dh_param_file },
+   { "ecdh_param_file", &tunable_ecdh_param_file },
+  { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
+   { "ssl_ciphers", &tunable_ssl_ciphers },
+   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+   { "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff -urN a/ssl.c b/ssl.c
+--- a/ssl.c	2021-08-02 08:24:35.000000000 +0200
+++ b/ssl.c	2023-03-03 10:28:05.989757655 +0100
+@@ -135,6 +135,11 @@
+     {
+       die("SSL: could not set cipher list");
+     }
+    if (tunable_ssl_ciphersuites &&
+        SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
+    {
+      die("SSL: could not set ciphersuites list");
+    }
+     if (RAND_status() != 1)
+     {
+       die("SSL: RNG is not seeded");
+diff -urN a/tunables.c b/tunables.c
+--- a/tunables.c	2021-05-29 23:39:00.000000000 +0200
+++ b/tunables.c	2023-03-03 10:13:30.566868026 +0100
+@@ -154,6 +154,7 @@
+ const char* tunable_dsa_cert_file;
+ const char* tunable_dh_param_file;
+ const char* tunable_ecdh_param_file;
+ const char* tunable_ssl_ciphers;
+const char* tunable_ssl_ciphersuites;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+@@ -293,6 +293,7 @@
+   install_str_setting(0, &tunable_dh_param_file);
+   install_str_setting(0, &tunable_ecdh_param_file);
+   install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
+  install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
+diff -urN a/tunables.h b/tunables.h
+--- a/tunables.h
+++ b/tunables.h
+@@ -144,6 +144,7 @@
+ extern const char* tunable_dsa_cert_file;
+ extern const char* tunable_dh_param_file;
+ extern const char* tunable_ecdh_param_file;
+ extern const char* tunable_ssl_ciphers;
+extern const char* tunable_ssl_ciphersuites;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
+@@ -1009,6 +1009,16 @@
+ 
+ Default: PROFILE=SYSTEM
+ .TP
+.B ssl_ciphersuites
+This option can be used to select which SSL cipher suites vsftpd will allow for
+encrypted SSL connections with TLSv1.3. See the
+.BR ciphers
+man page for further details. Note that restricting ciphers can be a useful
+security precaution as it prevents malicious remote parties forcing a cipher
+which they have found problems with.
+
+Default: TLS_AES_256_GCM_SHA384
+.TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+ the manual page, on a per-user basis. Usage is simple, and is best illustrated
--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -2,7 +2,7 @@

 Name:    vsftpd
 Version: 3.0.3
-Release: 35%{?dist}
+Release: 36%{?dist}
 Summary: Very Secure Ftp Daemon

 Group:    System Environment/Daemons
@ -97,7 +97,7 @@ Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
 Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
-
+Patch69: vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
 scratch.
@ -165,6 +165,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
+* Thu Apr 06 2023 Richard Lescak <rlescak@redhat.com> -3.0.3-36
+- add patch to provide option for TLSv1.3 ciphersuites
+- Resolves: rhbz#2069733
+
 * Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
 - add option to disable TLSv1.3
 - Resolves: rhbz#1638375