From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:36:17 +0100 Subject: [PATCH 33/33] Introduce TLSv1.1 and TLSv1.2 options. Users can now enable a specific version of TLS protocol. --- parseconf.c | 2 ++ ssl.c | 8 ++++++++ tunables.c | 9 +++++++-- tunables.h | 2 ++ vsftpd.conf.5 | 24 ++++++++++++++++++++---- 5 files changed, 39 insertions(+), 6 deletions(-) diff --git a/parseconf.c b/parseconf.c index a2c715b..33a1349 100644 --- a/parseconf.c +++ b/parseconf.c @@ -85,6 +85,8 @@ parseconf_bool_array[] = { "ssl_sslv2", &tunable_sslv2 }, { "ssl_sslv3", &tunable_sslv3 }, { "ssl_tlsv1", &tunable_tlsv1 }, + { "ssl_tlsv1_1", &tunable_tlsv1_1 }, + { "ssl_tlsv1_2", &tunable_tlsv1_2 }, { "tilde_user_enable", &tunable_tilde_user_enable }, { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, diff --git a/ssl.c b/ssl.c index 96bf8ad..ba8a613 100644 --- a/ssl.c +++ b/ssl.c @@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess) { options |= SSL_OP_NO_TLSv1; } + if (!tunable_tlsv1_1) + { + options |= SSL_OP_NO_TLSv1_1; + } + if (!tunable_tlsv1_2) + { + options |= SSL_OP_NO_TLSv1_2; + } SSL_CTX_set_options(p_ctx, options); if (tunable_rsa_cert_file) { diff --git a/tunables.c b/tunables.c index 93f85b1..78f2bcd 100644 --- a/tunables.c +++ b/tunables.c @@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; int tunable_sslv2; int tunable_sslv3; int tunable_tlsv1; +int tunable_tlsv1_1; +int tunable_tlsv1_2; int tunable_tilde_user_enable; int tunable_force_anon_logins_ssl; int tunable_force_anon_data_ssl; @@ -209,7 +211,10 @@ tunables_load_defaults() tunable_force_local_data_ssl = 1; tunable_sslv2 = 0; tunable_sslv3 = 0; + /* TLSv1 up to TLSv1.2 is enabled by default */ tunable_tlsv1 = 1; + tunable_tlsv1_1 = 1; + tunable_tlsv1_2 = 1; tunable_tilde_user_enable = 0; tunable_force_anon_logins_ssl = 0; tunable_force_anon_data_ssl = 0; @@ -292,8 +297,8 @@ tunables_load_defaults() install_str_setting(0, &tunable_dsa_cert_file); install_str_setting(0, &tunable_dh_param_file); install_str_setting(0, &tunable_ecdh_param_file); - install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", - &tunable_ssl_ciphers); + install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", + &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); install_str_setting(0, &tunable_ca_certs_file); diff --git a/tunables.h b/tunables.h index 3e2d40c..a466427 100644 --- a/tunables.h +++ b/tunables.h @@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ extern int tunable_sslv2; /* Allow SSLv2 */ extern int tunable_sslv3; /* Allow SSLv3 */ extern int tunable_tlsv1; /* Allow TLSv1 */ +extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ +extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 index cf1ae34..a3d569e 100644 --- a/vsftpd.conf.5 +++ b/vsftpd.conf.5 @@ -506,7 +506,7 @@ Default: YES Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. Default: NO .TP @@ -514,7 +514,7 @@ Default: NO Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. Default: NO .TP @@ -522,7 +522,23 @@ Default: NO Only applies if .BR ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_1 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.1 protocol connections. +TLS v1.2 connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_2 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.2 protocol connections. +TLS v1.2 connections are preferred. Default: YES .TP @@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with. -Default: DES-CBC3-SHA +Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 .TP .B user_config_dir This powerful option allows the override of any config option specified in -- 2.7.4