From f888db7a7d815ddd638bc6dae643c6d5f739ee11 Mon Sep 17 00:00:00 2001 From: Tomas Korbar Date: Tue, 20 Aug 2024 10:15:51 +0200 Subject: [PATCH] Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled Resolves: RHEL-45022 --- ...ntroduce-TLSv1.1-and-TLSv1.2-options.patch | 153 ------------------ ...AT-command-check-ssl_tlsv1_1-and-ssl.patch | 2 +- 0043-Enable-only-TLSv1.2-by-default.patch | 53 ------ vsftpd.spec | 10 +- 4 files changed, 7 insertions(+), 211 deletions(-) delete mode 100644 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch delete mode 100644 0043-Enable-only-TLSv1.2-by-default.patch diff --git a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch deleted file mode 100644 index 8d6228e..0000000 --- a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 13:36:17 +0100 -Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options. - -Users can now enable a specific version of TLS protocol. ---- - parseconf.c | 2 ++ - ssl.c | 8 ++++++++ - tunables.c | 9 +++++++-- - tunables.h | 2 ++ - vsftpd.conf.5 | 24 ++++++++++++++++++++---- - 5 files changed, 39 insertions(+), 6 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index a2c715b..33a1349 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -85,6 +85,8 @@ parseconf_bool_array[] = - { "ssl_sslv2", &tunable_sslv2 }, - { "ssl_sslv3", &tunable_sslv3 }, - { "ssl_tlsv1", &tunable_tlsv1 }, -+ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, -+ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index 96bf8ad..ba8a613 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1; - } -+ if (!tunable_tlsv1_1) -+ { -+ options |= SSL_OP_NO_TLSv1_1; -+ } -+ if (!tunable_tlsv1_2) -+ { -+ options |= SSL_OP_NO_TLSv1_2; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index 93f85b1..78f2bcd 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; - int tunable_sslv2; - int tunable_sslv3; - int tunable_tlsv1; -+int tunable_tlsv1_1; -+int tunable_tlsv1_2; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -209,7 +211,10 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -+ /* TLSv1 up to TLSv1.2 is enabled by default */ - tunable_tlsv1 = 1; -+ tunable_tlsv1_1 = 1; -+ tunable_tlsv1_2 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -@@ -292,8 +297,8 @@ tunables_load_defaults() - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", -- &tunable_ssl_ciphers); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 3e2d40c..a466427 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ - extern int tunable_sslv2; /* Allow SSLv2 */ - extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ -+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ -+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index cf1ae34..a3d569e 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -506,7 +506,7 @@ Default: YES - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v2 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -514,7 +514,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v3 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -522,7 +522,23 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_1 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.1 protocol connections. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_2 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.2 protocol connections. -+TLS v1.2 connections are preferred. - - Default: YES - .TP -@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful - security precaution as it prevents malicious remote parties forcing a cipher - which they have found problems with. - --Default: DES-CBC3-SHA -+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 - .TP - .B user_config_dir - This powerful option allows the override of any config option specified in --- -2.14.4 - diff --git a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch index 250a44c..1e14813 100644 --- a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch +++ b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch @@ -23,7 +23,7 @@ index 1212980..d024366 100644 vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); } - if (tunable_tlsv1) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) ++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) { vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); } diff --git a/0043-Enable-only-TLSv1.2-by-default.patch b/0043-Enable-only-TLSv1.2-by-default.patch deleted file mode 100644 index eb157f8..0000000 --- a/0043-Enable-only-TLSv1.2-by-default.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Thu, 21 Dec 2017 16:38:40 +0100 -Subject: [PATCH 43/59] Enable only TLSv1.2 by default - -Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default. ---- - tunables.c | 6 +++--- - vsftpd.conf.5 | 4 ++-- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tunables.c b/tunables.c -index 354251c..9680528 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -211,9 +211,9 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -- /* TLSv1 up to TLSv1.2 is enabled by default */ -- tunable_tlsv1 = 1; -- tunable_tlsv1_1 = 1; -+ tunable_tlsv1 = 0; -+ tunable_tlsv1_1 = 0; -+ /* Only TLSv1.2 is enabled by default */ - tunable_tlsv1_2 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 2a7662e..df14027 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -539,7 +539,7 @@ Only applies if - is activated. If enabled, this option will permit TLS v1 protocol connections. - TLS v1.2 connections are preferred. - --Default: YES -+Default: NO - .TP - .B ssl_tlsv1_1 - Only applies if -@@ -547,7 +547,7 @@ Only applies if - is activated. If enabled, this option will permit TLS v1.1 protocol connections. - TLS v1.2 connections are preferred. - --Default: YES -+Default: NO - .TP - .B ssl_tlsv1_2 - Only applies if --- -2.14.4 - diff --git a/vsftpd.spec b/vsftpd.spec index ef34762..fbd5a40 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -2,7 +2,7 @@ Name: vsftpd Version: 3.0.5 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Very Secure Ftp Daemon # OpenSSL link exception @@ -61,7 +61,6 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch -#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch @@ -69,8 +68,7 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch Patch40: 0040-Use-system-wide-crypto-policy.patch Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch -#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch -#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch +Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch @@ -170,6 +168,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub %{_var}/ftp %changelog +* Tue Aug 20 2024 Tomas Korbar - 3.0.5-6 +- Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled +- Resolves: RHEL-45022 + * Thu Apr 27 2023 Richard Lescak - 3.0.5-5 - add option for TLSv1.3 ciphersuites - Resolves: rhbz#2188296