diff --git a/0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch new file mode 100644 index 0000000..ab3fc62 --- /dev/null +++ b/0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch @@ -0,0 +1,149 @@ +From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:36:17 +0100 +Subject: [PATCH] Introduce TLSv1.1 and TLSv1.2 options. + +Users can now enable a specific version of TLS protocol. +--- + parseconf.c | 2 ++ + ssl.c | 8 ++++++++ + tunables.c | 9 +++++++-- + tunables.h | 2 ++ + vsftpd.conf.5 | 24 ++++++++++++++++++++---- + 5 files changed, 39 insertions(+), 6 deletions(-) + +Index: vsftpd-3.0.3/parseconf.c +=================================================================== +--- vsftpd-3.0.3.orig/parseconf.c 2020-11-13 09:52:41.369111000 +0000 ++++ vsftpd-3.0.3/parseconf.c 2020-11-13 09:52:48.881045043 +0000 +@@ -85,6 +85,8 @@ parseconf_bool_array[] = + { "ssl_sslv2", &tunable_sslv2 }, + { "ssl_sslv3", &tunable_sslv3 }, + { "ssl_tlsv1", &tunable_tlsv1 }, ++ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, ++ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, + { "tilde_user_enable", &tunable_tilde_user_enable }, + { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, + { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, +Index: vsftpd-3.0.3/ssl.c +=================================================================== +--- vsftpd-3.0.3.orig/ssl.c 2020-11-13 09:52:41.369111000 +0000 ++++ vsftpd-3.0.3/ssl.c 2020-11-13 09:52:48.881045043 +0000 +@@ -78,6 +78,14 @@ ssl_init(struct vsf_session* p_sess) + { + options |= SSL_OP_NO_TLSv1; + } ++ if (!tunable_tlsv1_1) ++ { ++ options |= SSL_OP_NO_TLSv1_1; ++ } ++ if (!tunable_tlsv1_2) ++ { ++ options |= SSL_OP_NO_TLSv1_2; ++ } + SSL_CTX_set_options(p_ctx, options); + if (tunable_rsa_cert_file) + { +Index: vsftpd-3.0.3/tunables.c +=================================================================== +--- vsftpd-3.0.3.orig/tunables.c 2020-11-13 09:52:41.369111000 +0000 ++++ vsftpd-3.0.3/tunables.c 2020-11-13 09:56:53.162888596 +0000 +@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; + int tunable_sslv2; + int tunable_sslv3; + int tunable_tlsv1; ++int tunable_tlsv1_1; ++int tunable_tlsv1_2; + int tunable_tilde_user_enable; + int tunable_force_anon_logins_ssl; + int tunable_force_anon_data_ssl; +@@ -207,7 +209,10 @@ tunables_load_defaults() + tunable_force_local_data_ssl = 1; + tunable_sslv2 = 0; + tunable_sslv3 = 0; ++ /* TLSv1 up to TLSv1.2 is enabled by default */ + tunable_tlsv1 = 1; ++ tunable_tlsv1_1 = 1; ++ tunable_tlsv1_2 = 1; + tunable_tilde_user_enable = 0; + tunable_force_anon_logins_ssl = 0; + tunable_force_anon_data_ssl = 0; +@@ -288,7 +293,8 @@ tunables_load_defaults() + install_str_setting("/usr/share/ssl/certs/vsftpd.pem", + &tunable_rsa_cert_file); + install_str_setting(0, &tunable_dsa_cert_file); +- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); ++ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", ++ &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); + install_str_setting(0, &tunable_ca_certs_file); +Index: vsftpd-3.0.3/tunables.h +=================================================================== +--- vsftpd-3.0.3.orig/tunables.h 2020-11-13 09:52:41.369111000 +0000 ++++ vsftpd-3.0.3/tunables.h 2020-11-13 09:52:48.881045043 +0000 +@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; + extern int tunable_sslv2; /* Allow SSLv2 */ + extern int tunable_sslv3; /* Allow SSLv3 */ + extern int tunable_tlsv1; /* Allow TLSv1 */ ++extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ ++extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ + extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ + extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ + extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ +Index: vsftpd-3.0.3/vsftpd.conf.5 +=================================================================== +--- vsftpd-3.0.3.orig/vsftpd.conf.5 2020-11-13 09:52:41.370110991 +0000 ++++ vsftpd-3.0.3/vsftpd.conf.5 2020-11-13 09:52:48.881045043 +0000 +@@ -486,7 +486,7 @@ Default: YES + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit SSL v2 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. + + Default: NO + .TP +@@ -494,7 +494,7 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit SSL v3 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. + + Default: NO + .TP +@@ -502,7 +502,23 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit TLS v1 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_1 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.1 protocol connections. ++TLS v1.2 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_2 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.2 protocol connections. ++TLS v1.2 connections are preferred. + + Default: YES + .TP +@@ -1001,7 +1017,7 @@ man page for further details. Note that + security precaution as it prevents malicious remote parties forcing a cipher + which they have found problems with. + +-Default: DES-CBC3-SHA ++Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 + .TP + .B user_config_dir + This powerful option allows the override of any config option specified in diff --git a/0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch b/0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch new file mode 100644 index 0000000..ad6f51d --- /dev/null +++ b/0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch @@ -0,0 +1,31 @@ +From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= +Date: Thu, 21 Dec 2017 14:29:25 +0100 +Subject: [PATCH] When handling FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2 + +Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1 +or ssl_tlsv1_2 configuration option is enabled. + +The patch was written by Martin Sehnoutka. + +Resolves: rhbz#1432054 +--- + features.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/features.c b/features.c +index 1212980..d024366 100644 +--- a/features.c ++++ b/features.c +@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) + { + vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); + } +- if (tunable_tlsv1) ++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) + { + vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); + } +-- +2.29.0 + diff --git a/vsftpd.changes b/vsftpd.changes index f44a193..fb6ebc2 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Nov 13 09:49:06 AM UTC 2020 - psimons@suse.com + +- Apply "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" and + "0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch", + which add the "ssl_tlsv1_1" and "ssl_tlsv1_2" options to the + configuration file. Both options default to true. [SLE-4182] + ------------------------------------------------------------------- Wed Aug 19 09:46:05 UTC 2020 - Dominique Leuenberger diff --git a/vsftpd.spec b/vsftpd.spec index 3a15e53..d2e2a79 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -85,6 +85,8 @@ Patch30: vsftpd-3.0.3-address_space_limit.patch Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch Patch32: vsftpd-support-dsa-only-setups.patch Patch33: vsftpd-avoid-bogus-ssl-write.patch +Patch34: 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch +Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -150,6 +152,8 @@ tests. %patch31 -p1 %patch32 -p1 %patch33 -p1 +%patch34 -p1 +%patch35 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP