diff --git a/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch b/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch new file mode 100644 index 0000000..e1900ee --- /dev/null +++ b/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch @@ -0,0 +1,96 @@ +diff --git a/features.c b/features.c +index d024366..3a60b88 100644 +--- a/features.c ++++ b/features.c +@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) + { + vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); + } +- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) ++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) + { + vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); + } +diff --git a/parseconf.c b/parseconf.c +index ee1b8b4..5188088 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -87,6 +87,7 @@ parseconf_bool_array[] = + { "ssl_tlsv1", &tunable_tlsv1 }, + { "ssl_tlsv1_1", &tunable_tlsv1_1 }, + { "ssl_tlsv1_2", &tunable_tlsv1_2 }, ++ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, + { "tilde_user_enable", &tunable_tilde_user_enable }, + { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, + { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, +diff --git a/ssl.c b/ssl.c +index 51345f8..d5d4a21 100644 +--- a/ssl.c ++++ b/ssl.c +@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess) + { + options |= SSL_OP_NO_TLSv1_2; + } ++ if (!tunable_tlsv1_3) ++ { ++ options |= SSL_OP_NO_TLSv1_3; ++ } + SSL_CTX_set_options(p_ctx, options); + if (tunable_rsa_cert_file) + { +diff --git a/tunables.c b/tunables.c +index d8dfcde..dc001ac 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -68,6 +68,7 @@ int tunable_sslv3; + int tunable_tlsv1; + int tunable_tlsv1_1; + int tunable_tlsv1_2; ++int tunable_tlsv1_3; + int tunable_tilde_user_enable; + int tunable_force_anon_logins_ssl; + int tunable_force_anon_data_ssl; +@@ -218,8 +219,9 @@ tunables_load_defaults() + tunable_sslv3 = 0; + tunable_tlsv1 = 0; + tunable_tlsv1_1 = 0; +- /* Only TLSv1.2 is enabled by default */ ++ /* Only TLSv1.2 and TLSv1.3 are enabled by default */ + tunable_tlsv1_2 = 1; ++ tunable_tlsv1_3 = 1; + tunable_tilde_user_enable = 0; + tunable_force_anon_logins_ssl = 0; + tunable_force_anon_data_ssl = 0; +diff --git a/tunables.h b/tunables.h +index de6cab0..ff0eebc 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */ + extern int tunable_tlsv1; /* Allow TLSv1 */ + extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ + extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ ++extern int tunable_tlsv1_3; /* Allow TLSv1.3 */ + extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ + extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ + extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index 7006287..d181e50 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -587,7 +587,15 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit TLS v1.2 protocol connections. +-TLS v1.2 connections are preferred. ++TLS v1.2 and TLS v1.3 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_3 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.3 protocol connections. ++TLS v1.2 and TLS v1.3 connections are preferred. + + Default: YES + .TP diff --git a/vsftpd.spec b/vsftpd.spec index 9e4fd3b..934cd80 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -2,7 +2,7 @@ Name: vsftpd Version: 3.0.3 -Release: 48%{?dist} +Release: 49%{?dist} Summary: Very Secure Ftp Daemon # OpenSSL link exception @@ -100,6 +100,7 @@ Patch70: fix-str_open.patch # upstream commits 56402c0, 8b82e73 rhbz#1948570 Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch Patch72: vsftpd-3.0.3-ALPACA.patch +Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch %description vsftpd is a Very Secure FTP daemon. It was written completely from @@ -172,6 +173,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub %{_var}/ftp %changelog +* Wed Oct 27 2021 Artem Egorenkov - 3.0.3-49 +- add option to disable TLSv1.3 +- Resolves: rhbz#1954682 + * Wed Oct 13 2021 Artem Egorenkov - 3.0.3-48 - ALPACA fix backported from upstram 3.0.5 version - Resolves: rhbz#1975647