Adhere to crypto-policies when restricting TLS 1.3 ciphersuites by default. When using DH, let OpenSSL set up its params automatically by default. When using ephemeral ECDH, allow all supported curves. Deprecate the `ecdh_param_file` config option which is broken since the transition to OpenSSL 3.0. Also remove old unused patches.

Resolves: RHEL-99533
40 lines
1.4 KiB
Diff
diff --git a/tunables.c b/tunables.c
--- a/tunables.c
+++ b/tunables.c
@@ -295,7 +295,7 @@
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
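Review bot: the new default of 0 (NULL) for tunable_ssl_ciphers is only safe if the code that hands this tunable to OpenSSL checks for an unset value before calling the cipher-list setter; a NULL string passed straight through would fail the call or abort startup. Confirm that consumer guards with `if (tunable_ssl_ciphers)` and otherwise leaves OpenSSL's own defaults in place, since that is what "system-wide crypto policy is followed" in the man page hunk of this same commit relies on. Worth noting for the changelog: the removed literal `ECDHE-RSA-AES256-GCM-SHA384` never matched the documented default `DES-CBC3-SHA`, so the doc hunk is also fixing a pre-existing mismatch.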
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1030,14 +1030,16 @@
Default: /usr/share/empty
.TP
.B ssl_ciphers
-This option can be used to select which SSL ciphers vsftpd will allow for
-encrypted SSL connections. See the
-.BR ciphers
+This option can be used to select which TLS ciphers vsftpd will allow for
+encrypted TLS connections. See the
+.BR openssl-ciphers
-man page for further details. Note that restricting ciphers can be a useful
-security precaution as it prevents malicious remote parties forcing a cipher
-which they have found problems with.
+man page for further details.
+
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
-Default: DES-CBC3-SHA
+Default: (none - system-wide crypto policy is followed)
.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
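Review bot: the cross-reference `.BR openssl-ciphers` carries no section number while `.BR update-crypto-policies(8)` a few lines below does; for consistency, and so the reference resolves the same way, write it as `.BR openssl-ciphers (1)`. Separately, dropping the old sentence about restricting ciphers leaves the page silent on what an explicit ssl_ciphers value does relative to the system-wide policy; a one-line note stating whether setting this option overrides or merely narrows the policy's cipher selection would close that gap for administrators who still set it.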