Fix docs for ssl_ciphers, fix FEAT handling, disable TLSv1, TLSv1.1

Document the new default for ssl_ciphers in the man page
Related: rhbz#1483970

When handling the FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2
Patch was written by Martin Sehnoutka
Resolves: rhbz#1432054

Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.

0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch

@@ -0,0 +1,31 @@
+From 2369d1ea5144d525d315aba90da528e7d9bfd1cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
+Date: Thu, 21 Dec 2017 14:19:18 +0100
+Subject: [PATCH 41/41] Document the new default for ssl_ciphers in the man
+ page
+
+Related: rhbz#1483970
+---
+ vsftpd.conf.5 | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 3ca55e4..2a7662e 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1078,7 +1078,11 @@ man page for further details. Note that restricting ciphers can be a useful
+ security precaution as it prevents malicious remote parties forcing a cipher
+ which they have found problems with.
+ 
+-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
++By default, the system-wide crypto policy is used. See
++.BR update-crypto-policies(8)
++for further details.
++
++Default: PROFILE=SYSTEM
+ .TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+-- 
+2.14.3
+

0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch

@@ -0,0 +1,32 @@
+From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
+Date: Thu, 21 Dec 2017 14:29:25 +0100
+Subject: [PATCH 42/42] When handling FEAT command, check ssl_tlsv1_1 and
+ ssl_tlsv1_2
+
+Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1
+or ssl_tlsv1_2 configuration option is enabled.
+
+The patch was written by Martin Sehnoutka.
+
+Resolves: rhbz#1432054
+---
+ features.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/features.c b/features.c
+index 1212980..d024366 100644
+--- a/features.c
++++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+     }
+-    if (tunable_tlsv1)
++    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+     }
+-- 
+2.14.3
+

0043-Enable-only-TLSv1.2-by-default.patch

@@ -0,0 +1,53 @@
+From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
+Date: Thu, 21 Dec 2017 16:38:40 +0100
+Subject: [PATCH 43/43] Enable only TLSv1.2 by default
+
+Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
+---
+ tunables.c    | 6 +++---
+ vsftpd.conf.5 | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tunables.c b/tunables.c
+index 354251c..9680528 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -211,9 +211,9 @@ tunables_load_defaults()
+   tunable_force_local_data_ssl = 1;
+   tunable_sslv2 = 0;
+   tunable_sslv3 = 0;
+-  /* TLSv1 up to TLSv1.2 is enabled by default */
+-  tunable_tlsv1 = 1;
+-  tunable_tlsv1_1 = 1;
++  tunable_tlsv1 = 0;
++  tunable_tlsv1_1 = 0;
++  /* Only TLSv1.2 is enabled by default */
+   tunable_tlsv1_2 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 2a7662e..df14027 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -539,7 +539,7 @@ Only applies if
+ is activated. If enabled, this option will permit TLS v1 protocol connections.
+ TLS v1.2 connections are preferred.
+ 
+-Default: YES
++Default: NO
+ .TP
+ .B ssl_tlsv1_1
+ Only applies if
+@@ -547,7 +547,7 @@ Only applies if
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+ TLS v1.2 connections are preferred.
+ 
+-Default: YES
++Default: NO
+ .TP
+ .B ssl_tlsv1_2
+ Only applies if
+-- 
+2.14.3
+

vsftpd.spec

@@ -2,7 +2,7 @@
 
 Name:    vsftpd
 Version: 3.0.3
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: Very Secure Ftp Daemon
 
 Group:    System Environment/Daemons
@@ -69,6 +69,9 @@ Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
 Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
 Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
+Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
+Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -138,6 +141,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 
 %changelog
+* Thu Dec 21 2017 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-13
+- Document the new default for ssl_ciphers in the man page
+- Related: rhbz#1483970
+- When handling FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2
+- Patch was written by Martin Sehnoutka
+- Resolves: rhbz#1432054
+- Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default
+
 * Thu Dec 21 2017 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-12
 - Use system wide crypto policy
 - Resolves: rhbz#1483970