rpms / vsftpd

Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main rawhide
  1.   rawhide
  2.   0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Blob Blame History Raw 
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 13:36:17 +0100
Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.

Users can now enable a specific version of TLS protocol.
---
 parseconf.c   |  2 ++
 ssl.c         |  8 ++++++++
 tunables.c    |  9 +++++++--
 tunables.h    |  2 ++
 vsftpd.conf.5 | 24 ++++++++++++++++++++----
 5 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/parseconf.c b/parseconf.c
index a2c715b..33a1349 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -85,6 +85,8 @@ parseconf_bool_array[] =
   { "ssl_sslv2", &tunable_sslv2 },
   { "ssl_sslv3", &tunable_sslv3 },
   { "ssl_tlsv1", &tunable_tlsv1 },
+  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
   { "tilde_user_enable", &tunable_tilde_user_enable },
   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
diff --git a/ssl.c b/ssl.c
index 96bf8ad..ba8a613 100644
--- a/ssl.c
+++ b/ssl.c
@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
     {
       options |= SSL_OP_NO_TLSv1;
     }
+    if (!tunable_tlsv1_1)
+    {
+      options |= SSL_OP_NO_TLSv1_1;
+    }
+    if (!tunable_tlsv1_2)
+    {
+      options |= SSL_OP_NO_TLSv1_2;
+    }
     SSL_CTX_set_options(p_ctx, options);
     if (tunable_rsa_cert_file)
     {
diff --git a/tunables.c b/tunables.c
index 93f85b1..78f2bcd 100644
--- a/tunables.c
+++ b/tunables.c
@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
 int tunable_sslv2;
 int tunable_sslv3;
 int tunable_tlsv1;
+int tunable_tlsv1_1;
+int tunable_tlsv1_2;
 int tunable_tilde_user_enable;
 int tunable_force_anon_logins_ssl;
 int tunable_force_anon_data_ssl;
@@ -209,7 +211,10 @@ tunables_load_defaults()
   tunable_force_local_data_ssl = 1;
   tunable_sslv2 = 0;
   tunable_sslv3 = 0;
+  /* TLSv1 up to TLSv1.2 is enabled by default */
   tunable_tlsv1 = 1;
+  tunable_tlsv1_1 = 1;
+  tunable_tlsv1_2 = 1;
   tunable_tilde_user_enable = 0;
   tunable_force_anon_logins_ssl = 0;
   tunable_force_anon_data_ssl = 0;
@@ -292,8 +297,8 @@ tunables_load_defaults()
   install_str_setting(0, &tunable_dsa_cert_file);
   install_str_setting(0, &tunable_dh_param_file);
   install_str_setting(0, &tunable_ecdh_param_file);
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
-                      &tunable_ssl_ciphers);
+  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
+          &tunable_ssl_ciphers);
   install_str_setting(0, &tunable_rsa_private_key_file);
   install_str_setting(0, &tunable_dsa_private_key_file);
   install_str_setting(0, &tunable_ca_certs_file);
diff --git a/tunables.h b/tunables.h
index 3e2d40c..a466427 100644
--- a/tunables.h
+++ b/tunables.h
@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl;      /* Require local data uses SSL */
 extern int tunable_sslv2;                     /* Allow SSLv2 */
 extern int tunable_sslv3;                     /* Allow SSLv3 */
 extern int tunable_tlsv1;                     /* Allow TLSv1 */
+extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
+extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
 extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
 extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
 extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index cf1ae34..a3d569e 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -506,7 +506,7 @@ Default: YES
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
 
 Default: NO
 .TP
@@ -514,7 +514,7 @@ Default: NO
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
 
 Default: NO
 .TP
@@ -522,7 +522,23 @@ Default: NO
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_1
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_2
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+TLS v1.2 connections are preferred.
 
 Default: YES
 .TP
@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
 security precaution as it prevents malicious remote parties forcing a cipher
 which they have found problems with.
 
-Default: DES-CBC3-SHA
+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
 .TP
 .B user_config_dir
 This powerful option allows the override of any config option specified in
-- 
2.14.4
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.