- add option to disable TLSv1.3
- Resolves: rhbz#1954682
This commit is contained in:
parent
4e05e47dcd
commit
771a91c375
96
vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
Normal file
96
vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
diff --git a/features.c b/features.c
|
||||||
|
index d024366..3a60b88 100644
|
||||||
|
--- a/features.c
|
||||||
|
+++ b/features.c
|
||||||
|
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
|
||||||
|
{
|
||||||
|
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
|
||||||
|
}
|
||||||
|
- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
|
||||||
|
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
|
||||||
|
{
|
||||||
|
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
|
||||||
|
}
|
||||||
|
diff --git a/parseconf.c b/parseconf.c
|
||||||
|
index ee1b8b4..5188088 100644
|
||||||
|
--- a/parseconf.c
|
||||||
|
+++ b/parseconf.c
|
||||||
|
@@ -87,6 +87,7 @@ parseconf_bool_array[] =
|
||||||
|
{ "ssl_tlsv1", &tunable_tlsv1 },
|
||||||
|
{ "ssl_tlsv1_1", &tunable_tlsv1_1 },
|
||||||
|
{ "ssl_tlsv1_2", &tunable_tlsv1_2 },
|
||||||
|
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
|
||||||
|
{ "tilde_user_enable", &tunable_tilde_user_enable },
|
||||||
|
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
||||||
|
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
||||||
|
diff --git a/ssl.c b/ssl.c
|
||||||
|
index 51345f8..d5d4a21 100644
|
||||||
|
--- a/ssl.c
|
||||||
|
+++ b/ssl.c
|
||||||
|
@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
|
||||||
|
{
|
||||||
|
options |= SSL_OP_NO_TLSv1_2;
|
||||||
|
}
|
||||||
|
+ if (!tunable_tlsv1_3)
|
||||||
|
+ {
|
||||||
|
+ options |= SSL_OP_NO_TLSv1_3;
|
||||||
|
+ }
|
||||||
|
SSL_CTX_set_options(p_ctx, options);
|
||||||
|
if (tunable_rsa_cert_file)
|
||||||
|
{
|
||||||
|
diff --git a/tunables.c b/tunables.c
|
||||||
|
index d8dfcde..dc001ac 100644
|
||||||
|
--- a/tunables.c
|
||||||
|
+++ b/tunables.c
|
||||||
|
@@ -68,6 +68,7 @@ int tunable_sslv3;
|
||||||
|
int tunable_tlsv1;
|
||||||
|
int tunable_tlsv1_1;
|
||||||
|
int tunable_tlsv1_2;
|
||||||
|
+int tunable_tlsv1_3;
|
||||||
|
int tunable_tilde_user_enable;
|
||||||
|
int tunable_force_anon_logins_ssl;
|
||||||
|
int tunable_force_anon_data_ssl;
|
||||||
|
@@ -218,8 +219,9 @@ tunables_load_defaults()
|
||||||
|
tunable_sslv3 = 0;
|
||||||
|
tunable_tlsv1 = 0;
|
||||||
|
tunable_tlsv1_1 = 0;
|
||||||
|
- /* Only TLSv1.2 is enabled by default */
|
||||||
|
+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */
|
||||||
|
tunable_tlsv1_2 = 1;
|
||||||
|
+ tunable_tlsv1_3 = 1;
|
||||||
|
tunable_tilde_user_enable = 0;
|
||||||
|
tunable_force_anon_logins_ssl = 0;
|
||||||
|
tunable_force_anon_data_ssl = 0;
|
||||||
|
diff --git a/tunables.h b/tunables.h
|
||||||
|
index de6cab0..ff0eebc 100644
|
||||||
|
--- a/tunables.h
|
||||||
|
+++ b/tunables.h
|
||||||
|
@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */
|
||||||
|
extern int tunable_tlsv1; /* Allow TLSv1 */
|
||||||
|
extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
|
||||||
|
extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
|
||||||
|
+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */
|
||||||
|
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
|
||||||
|
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
|
||||||
|
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
|
||||||
|
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
||||||
|
index 7006287..d181e50 100644
|
||||||
|
--- a/vsftpd.conf.5
|
||||||
|
+++ b/vsftpd.conf.5
|
||||||
|
@@ -587,7 +587,15 @@ Default: NO
|
||||||
|
Only applies if
|
||||||
|
.BR ssl_enable
|
||||||
|
is activated. If enabled, this option will permit TLS v1.2 protocol connections.
|
||||||
|
-TLS v1.2 connections are preferred.
|
||||||
|
+TLS v1.2 and TLS v1.3 connections are preferred.
|
||||||
|
+
|
||||||
|
+Default: YES
|
||||||
|
+.TP
|
||||||
|
+.B ssl_tlsv1_3
|
||||||
|
+Only applies if
|
||||||
|
+.BR ssl_enable
|
||||||
|
+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
|
||||||
|
+TLS v1.2 and TLS v1.3 connections are preferred.
|
||||||
|
|
||||||
|
Default: YES
|
||||||
|
.TP
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: vsftpd
|
Name: vsftpd
|
||||||
Version: 3.0.3
|
Version: 3.0.3
|
||||||
Release: 48%{?dist}
|
Release: 49%{?dist}
|
||||||
Summary: Very Secure Ftp Daemon
|
Summary: Very Secure Ftp Daemon
|
||||||
|
|
||||||
# OpenSSL link exception
|
# OpenSSL link exception
|
||||||
@ -100,6 +100,7 @@ Patch70: fix-str_open.patch
|
|||||||
# upstream commits 56402c0, 8b82e73 rhbz#1948570
|
# upstream commits 56402c0, 8b82e73 rhbz#1948570
|
||||||
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
|
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
|
||||||
Patch72: vsftpd-3.0.3-ALPACA.patch
|
Patch72: vsftpd-3.0.3-ALPACA.patch
|
||||||
|
Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
vsftpd is a Very Secure FTP daemon. It was written completely from
|
vsftpd is a Very Secure FTP daemon. It was written completely from
|
||||||
@ -172,6 +173,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
|
|||||||
%{_var}/ftp
|
%{_var}/ftp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
|
||||||
|
- add option to disable TLSv1.3
|
||||||
|
- Resolves: rhbz#1954682
|
||||||
|
|
||||||
* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
|
* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
|
||||||
- ALPACA fix backported from upstram 3.0.5 version
|
- ALPACA fix backported from upstram 3.0.5 version
|
||||||
- Resolves: rhbz#1975647
|
- Resolves: rhbz#1975647
|
||||||
|
Loading…
Reference in New Issue
Block a user