
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
--- stunnel-5.61/src/ctx.c.default-tls-version	2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/ctx.c	2022-01-10 19:27:49.913243127 +0100
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
     section->ctx=SSL_CTX_new(section->option.client ?
         TLS_client_method() : TLS_server_method());
 #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
-    if(!SSL_CTX_set_min_proto_version(section->ctx,
-            section->min_proto_version)) {
-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-            section->min_proto_version);
-        return 1; /* FAILED */
-    }
-    if(!SSL_CTX_set_max_proto_version(section->ctx,
-            section->max_proto_version)) {
-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-            section->max_proto_version);
-        return 1; /* FAILED */
+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS version as specified in "
+                "OpenSSL crypto policies. Not setting explicitly.");
+    } else {
+        if(!SSL_CTX_set_min_proto_version(section->ctx,
+                    section->min_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+                    section->min_proto_version);
+            return 1; /* FAILED */
+        }
     }
+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS version as specified in "
+                "OpenSSL crypto policies. Not setting explicitly");
+    } else {
+        if(!SSL_CTX_set_max_proto_version(section->ctx,
+                    section->max_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+                    section->max_proto_version);
+            return 1; /* FAILED */
+        }
+	}
 #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
     if(section->option.client)
         section->ctx=SSL_CTX_new(section->client_method);
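Review bot: When either field equals USE_DEFAULT_TLS_VERSION the new branches at the top of the hunk only log that the crypto policy is in charge, but never report what floor the context actually ended up with, so an operator on a host whose openssl.cnf sets no MinProtocol cannot tell from the log that OpenSSL's compiled-in lowest version (which on 1.1.x builds still admits TLS 1.0/1.1) is in force rather than a hardened policy. Since this code is already inside the OPENSSL_VERSION_NUMBER>=0x10100000L branch, a follow-up such as `s_log(LOG_INFO, "Effective protocol range: 0x%X-0x%X", SSL_CTX_get_min_proto_version(section->ctx), SSL_CTX_get_max_proto_version(section->ctx));` after both blocks would make the policy-derived result auditable (the getters appeared in 1.1.1, so guard them accordingly). The two info messages also differ only by a trailing period, and the closing brace added just before `#else` is indented with a tab while the rest of the hunk uses spaces. context_init's body begins and ends outside the hunk.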
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
--- stunnel-5.61/src/options.c.default-tls-version	2022-01-10 19:23:15.096254067 +0100
+++ stunnel-5.61/src/options.c	2022-01-10 19:23:15.098254103 +0100
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
             return "Invalid protocol version";
         return NULL; /* OK */
     case CMD_INITIALIZE:
-        if(section->max_proto_version && section->min_proto_version &&
-                section->max_proto_version<section->min_proto_version)
+        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->max_proto_version<section->min_proto_version)
             return "Invalid protocol version range";
         break;
     case CMD_PRINT_DEFAULTS:
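Review bot: The rewritten range check at the start of the hunk drops the old non-zero guards, so a value of 0 in either field is now compared: if the sslVersionMax/sslVersionMin parser can still yield 0 (which OpenSSL treats as "no limit" in SSL_CTX_set_max_proto_version), an explicit max of 0 combined with any explicit min would be rejected as "Invalid protocol version range" even though it is a valid configuration. Excluding both the sentinel and zero is one line, e.g. `if(section->max_proto_version>0 && section->min_proto_version>0 && section->max_proto_version<section->min_proto_version)`, since the sentinel is negative and every SSL/TLS version code is positive. Whether the parser still produces 0 is not visible in this hunk, so confirm against the CMD_SET_VALUE branch above it; parse_service_option begins and ends outside the hunk.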
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
     /* sslVersionMax */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->max_proto_version=0; /* highest supported */
+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies.Do not
+                                                               override it */
         break;
     case CMD_SET_COPY:
         section->max_proto_version=new_service_options.max_proto_version;
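Review bot: The comment attached to the new default is hard to read ("policies.Do not override it" is missing a space and is wrapped across four lines) and does not name the OpenSSL setting being deferred to; a compact `/* USE_DEFAULT_TLS_VERSION: defer to the crypto policy's MaxProtocol */` says the same more precisely. Any other consumer of max_proto_version in this switch, such as a CMD_PRINT_DEFAULTS case below the hunk if one exists, will now receive -2 instead of 0 and must render it sensibly rather than as a version code; that code is outside the hunk. parse_service_option begins and ends outside the hunk.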
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
     /* sslVersionMin */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->min_proto_version=TLS1_VERSION;
+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies. Do not
+                                                               override it */
         break;
     case CMD_SET_COPY:
         section->min_proto_version=new_service_options.min_proto_version;
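Review bot: Dropping the explicit TLS1_VERSION floor makes the effective minimum depend on the host's OpenSSL configuration: where no crypto policy or MinProtocol is in force, OpenSSL falls back to its compiled-in lowest supported version, which on 1.1.x builds admits TLS 1.0/1.1 and, if SSLv3 was compiled in, SSLv3. That is presumably the intended trade-off on a policy-managed distribution, but the comment should say so explicitly, e.g. `/* USE_DEFAULT_TLS_VERSION: defer to the crypto policy's MinProtocol; no floor is imposed here */`, and the sslVersionMin man page entry should carry the same caveat so administrators on unmanaged hosts know to set it. parse_service_option begins and ends outside the hunk.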
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
--- stunnel-5.61/src/prototypes.h.default-tls-version	2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/prototypes.h	2022-01-10 19:23:15.099254121 +0100
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
 ICON_IMAGE load_icon_file(const char *);
 #endif
 
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+                                             crypto policies */
+
 #endif /* defined PROTOTYPES_H */
 
 /* end of prototypes.h */
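Review bot: The new USE_DEFAULT_TLS_VERSION sentinel is introduced without explaining why -2 is a safe choice; the comment should state that it lies outside the space of SSL/TLS version codes (all positive) and is distinct from 0, which OpenSSL already treats as "no limit" in SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version, so the two meanings cannot be confused by callers. Something like `/* sentinel: not a TLS version code (>0) and not OpenSSL's 0 = "no limit"; defer to the crypto policy */` would do. The `(int)` cast adds nothing for a negative integer literal and can be dropped, `#define USE_DEFAULT_TLS_VERSION (-2)`.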