154 lines
5.1 KiB
Diff
154 lines
5.1 KiB
Diff
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
|
|
From: Martin Sehnoutka <msehnout@redhat.com>
|
|
Date: Thu, 17 Nov 2016 13:36:17 +0100
|
|
Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.
|
|
|
|
Users can now enable a specific version of TLS protocol.
|
|
---
|
|
parseconf.c | 2 ++
|
|
ssl.c | 8 ++++++++
|
|
tunables.c | 9 +++++++--
|
|
tunables.h | 2 ++
|
|
vsftpd.conf.5 | 24 ++++++++++++++++++++----
|
|
5 files changed, 39 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/parseconf.c b/parseconf.c
|
|
index a2c715b..33a1349 100644
|
|
--- a/parseconf.c
|
|
+++ b/parseconf.c
|
|
@@ -85,6 +85,8 @@ parseconf_bool_array[] =
|
|
{ "ssl_sslv2", &tunable_sslv2 },
|
|
{ "ssl_sslv3", &tunable_sslv3 },
|
|
{ "ssl_tlsv1", &tunable_tlsv1 },
|
|
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
|
|
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
|
|
{ "tilde_user_enable", &tunable_tilde_user_enable },
|
|
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
|
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
|
diff --git a/ssl.c b/ssl.c
|
|
index 96bf8ad..ba8a613 100644
|
|
--- a/ssl.c
|
|
+++ b/ssl.c
|
|
@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
|
|
{
|
|
options |= SSL_OP_NO_TLSv1;
|
|
}
|
|
+ if (!tunable_tlsv1_1)
|
|
+ {
|
|
+ options |= SSL_OP_NO_TLSv1_1;
|
|
+ }
|
|
+ if (!tunable_tlsv1_2)
|
|
+ {
|
|
+ options |= SSL_OP_NO_TLSv1_2;
|
|
+ }
|
|
SSL_CTX_set_options(p_ctx, options);
|
|
if (tunable_rsa_cert_file)
|
|
{
|
|
diff --git a/tunables.c b/tunables.c
|
|
index 93f85b1..78f2bcd 100644
|
|
--- a/tunables.c
|
|
+++ b/tunables.c
|
|
@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
|
|
int tunable_sslv2;
|
|
int tunable_sslv3;
|
|
int tunable_tlsv1;
|
|
+int tunable_tlsv1_1;
|
|
+int tunable_tlsv1_2;
|
|
int tunable_tilde_user_enable;
|
|
int tunable_force_anon_logins_ssl;
|
|
int tunable_force_anon_data_ssl;
|
|
@@ -209,7 +211,10 @@ tunables_load_defaults()
|
|
tunable_force_local_data_ssl = 1;
|
|
tunable_sslv2 = 0;
|
|
tunable_sslv3 = 0;
|
|
+ /* TLSv1 up to TLSv1.2 is enabled by default */
|
|
tunable_tlsv1 = 1;
|
|
+ tunable_tlsv1_1 = 1;
|
|
+ tunable_tlsv1_2 = 1;
|
|
tunable_tilde_user_enable = 0;
|
|
tunable_force_anon_logins_ssl = 0;
|
|
tunable_force_anon_data_ssl = 0;
|
|
@@ -292,8 +297,8 @@ tunables_load_defaults()
|
|
install_str_setting(0, &tunable_dsa_cert_file);
|
|
install_str_setting(0, &tunable_dh_param_file);
|
|
install_str_setting(0, &tunable_ecdh_param_file);
|
|
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
|
|
- &tunable_ssl_ciphers);
|
|
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
|
|
+ &tunable_ssl_ciphers);
|
|
install_str_setting(0, &tunable_rsa_private_key_file);
|
|
install_str_setting(0, &tunable_dsa_private_key_file);
|
|
install_str_setting(0, &tunable_ca_certs_file);
|
|
diff --git a/tunables.h b/tunables.h
|
|
index 3e2d40c..a466427 100644
|
|
--- a/tunables.h
|
|
+++ b/tunables.h
|
|
@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */
|
|
extern int tunable_sslv2; /* Allow SSLv2 */
|
|
extern int tunable_sslv3; /* Allow SSLv3 */
|
|
extern int tunable_tlsv1; /* Allow TLSv1 */
|
|
+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
|
|
+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
|
|
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
|
|
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
|
|
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
|
|
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
|
index cf1ae34..a3d569e 100644
|
|
--- a/vsftpd.conf.5
|
|
+++ b/vsftpd.conf.5
|
|
@@ -506,7 +506,7 @@ Default: YES
|
|
Only applies if
|
|
.BR ssl_enable
|
|
is activated. If enabled, this option will permit SSL v2 protocol connections.
|
|
-TLS v1 connections are preferred.
|
|
+TLS v1.2 connections are preferred.
|
|
|
|
Default: NO
|
|
.TP
|
|
@@ -514,7 +514,7 @@ Default: NO
|
|
Only applies if
|
|
.BR ssl_enable
|
|
is activated. If enabled, this option will permit SSL v3 protocol connections.
|
|
-TLS v1 connections are preferred.
|
|
+TLS v1.2 connections are preferred.
|
|
|
|
Default: NO
|
|
.TP
|
|
@@ -522,7 +522,23 @@ Default: NO
|
|
Only applies if
|
|
.BR ssl_enable
|
|
is activated. If enabled, this option will permit TLS v1 protocol connections.
|
|
-TLS v1 connections are preferred.
|
|
+TLS v1.2 connections are preferred.
|
|
+
|
|
+Default: YES
|
|
+.TP
|
|
+.B ssl_tlsv1_1
|
|
+Only applies if
|
|
+.BR ssl_enable
|
|
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
|
|
+TLS v1.2 connections are preferred.
|
|
+
|
|
+Default: YES
|
|
+.TP
|
|
+.B ssl_tlsv1_2
|
|
+Only applies if
|
|
+.BR ssl_enable
|
|
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
|
|
+TLS v1.2 connections are preferred.
|
|
|
|
Default: YES
|
|
.TP
|
|
@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
|
|
security precaution as it prevents malicious remote parties forcing a cipher
|
|
which they have found problems with.
|
|
|
|
-Default: DES-CBC3-SHA
|
|
+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
|
|
.TP
|
|
.B user_config_dir
|
|
This powerful option allows the override of any config option specified in
|
|
--
|
|
2.14.4
|
|
|