Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
vsftpd
0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch of Package vsftpd
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka <msehnout@redhat.com> Date: Thu, 17 Nov 2016 13:36:17 +0100 Subject: [PATCH] Introduce TLSv1.1 and TLSv1.2 options. Users can now enable a specific version of TLS protocol. --- parseconf.c | 2 ++ ssl.c | 8 ++++++++ tunables.c | 9 +++++++-- tunables.h | 2 ++ vsftpd.conf.5 | 24 ++++++++++++++++++++---- 5 files changed, 39 insertions(+), 6 deletions(-) Index: vsftpd-3.0.2/parseconf.c =================================================================== --- vsftpd-3.0.2.orig/parseconf.c 2020-11-13 11:11:49.620356837 +0000 +++ vsftpd-3.0.2/parseconf.c 2020-11-13 11:11:51.896344571 +0000 @@ -85,6 +85,8 @@ parseconf_bool_array[] = { "ssl_sslv2", &tunable_sslv2 }, { "ssl_sslv3", &tunable_sslv3 }, { "ssl_tlsv1", &tunable_tlsv1 }, + { "ssl_tlsv1_1", &tunable_tlsv1_1 }, + { "ssl_tlsv1_2", &tunable_tlsv1_2 }, { "tilde_user_enable", &tunable_tilde_user_enable }, { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, Index: vsftpd-3.0.2/ssl.c =================================================================== --- vsftpd-3.0.2.orig/ssl.c 2020-11-13 11:11:49.621356829 +0000 +++ vsftpd-3.0.2/ssl.c 2020-11-13 11:11:51.896344571 +0000 @@ -78,6 +78,14 @@ ssl_init(struct vsf_session* p_sess) { options |= SSL_OP_NO_TLSv1; } + if (!tunable_tlsv1_1) + { + options |= SSL_OP_NO_TLSv1_1; + } + if (!tunable_tlsv1_2) + { + options |= SSL_OP_NO_TLSv1_2; + } SSL_CTX_set_options(p_ctx, options); if (tunable_rsa_cert_file) { Index: vsftpd-3.0.2/tunables.c =================================================================== --- vsftpd-3.0.2.orig/tunables.c 2020-11-13 11:11:49.621356829 +0000 +++ vsftpd-3.0.2/tunables.c 2020-11-13 11:12:35.713320474 +0000 @@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; int tunable_sslv2; int tunable_sslv3; int tunable_tlsv1; +int tunable_tlsv1_1; +int tunable_tlsv1_2; int tunable_tilde_user_enable; int tunable_force_anon_logins_ssl; int tunable_force_anon_data_ssl; @@ -207,7 +209,10 @@ tunables_load_defaults() tunable_force_local_data_ssl = 1; tunable_sslv2 = 0; tunable_sslv3 = 0; + /* TLSv1 up to TLSv1.2 is enabled by default */ tunable_tlsv1 = 1; + tunable_tlsv1_1 = 1; + tunable_tlsv1_2 = 1; tunable_tilde_user_enable = 0; tunable_force_anon_logins_ssl = 0; tunable_force_anon_data_ssl = 0; @@ -288,7 +293,8 @@ tunables_load_defaults() install_str_setting("/usr/share/ssl/certs/vsftpd.pem", &tunable_rsa_cert_file); install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers); + install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", + &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); install_str_setting(0, &tunable_ca_certs_file); Index: vsftpd-3.0.2/tunables.h =================================================================== --- vsftpd-3.0.2.orig/tunables.h 2020-11-13 11:11:49.621356829 +0000 +++ vsftpd-3.0.2/tunables.h 2020-11-13 11:11:51.896344571 +0000 @@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; extern int tunable_sslv2; /* Allow SSLv2 */ extern int tunable_sslv3; /* Allow SSLv3 */ extern int tunable_tlsv1; /* Allow TLSv1 */ +extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ +extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ Index: vsftpd-3.0.2/vsftpd.conf.5 =================================================================== --- vsftpd-3.0.2.orig/vsftpd.conf.5 2020-11-13 11:11:49.621356829 +0000 +++ vsftpd-3.0.2/vsftpd.conf.5 2020-11-13 11:11:51.896344571 +0000 @@ -486,7 +486,7 @@ Default: YES Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. Default: NO .TP @@ -494,7 +494,7 @@ Default: NO Only applies if .BR ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. Default: NO .TP @@ -502,7 +502,23 @@ Default: NO Only applies if .BR ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. -TLS v1 connections are preferred. +TLS v1.2 connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_1 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.1 protocol connections. +TLS v1.2 connections are preferred. + +Default: YES +.TP +.B ssl_tlsv1_2 +Only applies if +.BR ssl_enable +is activated. If enabled, this option will permit TLS v1.2 protocol connections. +TLS v1.2 connections are preferred. Default: YES .TP @@ -1001,7 +1017,7 @@ man page for further details. Note that security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with. -Default: DES-CBC3-SHA +Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 .TP .B user_config_dir This powerful option allows the override of any config option specified in
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor