add option for TLSv1.3 ciphersuites

Resolves: rhbz#2188296
This commit is contained in:
Richard Lescak 2023-05-05 17:41:41 +02:00
parent 114585ffc4
commit ef6fce8c1e
5 changed files with 92 additions and 9 deletions

View File

@ -69,7 +69,7 @@ index c362983..22b69b3 100644
if (!tunable_sslv2)
{
options |= SSL_OP_NO_SSLv2;
@@ -130,6 +147,25 @@
@@ -149,8 +166,27 @@
die("SSL: cannot load DSA private key");
}
}
@ -95,6 +95,8 @@ index c362983..22b69b3 100644
if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{
die("SSL: could not set cipher list");
}
@@ -184,6 +226,9 @@
/* Ensure cached session doesn't expire */
SSL_CTX_set_timeout(p_ctx, INT_MAX);

View File

@ -0,0 +1,79 @@
diff -urN a/parseconf.c b/parseconf.c
--- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200
+++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100
@@ -185,6 +185,7 @@
{ "dsa_cert_file", &tunable_dsa_cert_file },
{ "dh_param_file", &tunable_dh_param_file },
{ "ecdh_param_file", &tunable_ecdh_param_file },
+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
{ "ssl_ciphers", &tunable_ssl_ciphers },
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
diff -urN a/ssl.c b/ssl.c
--- a/ssl.c 2021-08-02 08:24:35.000000000 +0200
+++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100
@@ -135,6 +135,11 @@
{
die("SSL: could not set cipher list");
}
+ if (tunable_ssl_ciphersuites &&
+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
+ {
+ die("SSL: could not set ciphersuites");
+ }
if (RAND_status() != 1)
{
die("SSL: RNG is not seeded");
diff -urN a/tunables.c b/tunables.c
--- a/tunables.c 2021-05-29 23:39:00.000000000 +0200
+++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100
@@ -154,6 +154,7 @@
const char* tunable_dsa_cert_file;
const char* tunable_dh_param_file;
const char* tunable_ecdh_param_file;
const char* tunable_ssl_ciphers;
+const char* tunable_ssl_ciphersuites;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
@@ -293,6 +293,7 @@
install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file);
install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
+ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
diff -urN a/tunables.h b/tunables.h
--- a/tunables.h
+++ b/tunables.h
@@ -144,6 +144,7 @@
extern const char* tunable_dsa_cert_file;
extern const char* tunable_dh_param_file;
extern const char* tunable_ecdh_param_file;
extern const char* tunable_ssl_ciphers;
+extern const char* tunable_ssl_ciphersuites;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1009,6 +1009,20 @@
Default: PROFILE=SYSTEM
.TP
+.B ssl_ciphersuites
+This option can be used to select which SSL cipher suites vsftpd will allow for
+encrypted SSL connections with TLSv1.3. See the
+.BR ciphers
+man page for further details. Note that restricting ciphers can be a useful
+security precaution as it prevents malicious remote parties forcing a cipher
+which they have found problems with.
+
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
+
+Default: TLS_AES_256_GCM_SHA384
+.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
incoming handshakes matches this value.

View File

@ -25,7 +25,7 @@ diff --git a/ssl.c b/ssl.c
int verify_option = 0;
SSL_library_init();
- p_ctx = SSL_CTX_new(SSLv23_server_method());
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, SSLv23_server_method());
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
if (p_ctx == NULL)
{
die("SSL: could not allocate SSL context");

View File

@ -2,7 +2,7 @@
Name: vsftpd
Version: 3.0.5
Release: 4%{?dist}
Release: 5%{?dist}
Summary: Very Secure Ftp Daemon
# OpenSSL link exception
@ -98,8 +98,9 @@ Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
Patch70: fix-str_open.patch
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
Patch72: vsftpd-3.0.5-use-old-tlsv-options.patch
Patch73: vsftpd-3.0.5-repalce-old-network-addr-functions.patch
Patch73: vsftpd-3.0.5-replace-old-network-addr-functions.patch
Patch74: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
Patch75: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
%description
vsftpd is a Very Secure FTP daemon. It was written completely from
@ -110,14 +111,11 @@ scratch.
cp %{SOURCE1} .
%build
# temporary ignore deprecated warnings to be able to build against OpenSSL 3.0
# upstram tracking bug: rhbz#1962603
%define ignore_deprecated -Wno-deprecated-declarations
%ifarch s390x sparcv9 sparc64
%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror %ignore_deprecated" \
%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
%else
%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror %ignore_deprecated" \
%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
%endif
LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
@ -172,6 +170,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
%{_var}/ftp
%changelog
* Thu Apr 27 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-5
- add option for TLSv1.3 ciphersuites
- Resolves: rhbz#2188296
* Mon Feb 13 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
- add patch to replace deprecated Openssl functions
- Resolves: rhbz#1981411