From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001

From: Martin Sehnoutka <msehnout@redhat.com>

Date: Thu, 17 Nov 2016 13:36:17 +0100

Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.

Users can now enable a specific version of TLS protocol.

---

 parseconf.c   |  2 ++

 ssl.c         |  8 ++++++++

 tunables.c    |  9 +++++++--

 tunables.h    |  2 ++

 vsftpd.conf.5 | 24 ++++++++++++++++++++----

 5 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/parseconf.c b/parseconf.c

index a2c715b..33a1349 100644

--- a/parseconf.c

+++ b/parseconf.c

@@ -85,6 +85,8 @@ parseconf_bool_array[] =

   { "ssl_sslv2", &tunable_sslv2 },

   { "ssl_sslv3", &tunable_sslv3 },

   { "ssl_tlsv1", &tunable_tlsv1 },

+  { "ssl_tlsv1_1", &tunable_tlsv1_1 },

+  { "ssl_tlsv1_2", &tunable_tlsv1_2 },

   { "tilde_user_enable", &tunable_tilde_user_enable },

   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },

   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },

diff --git a/ssl.c b/ssl.c

index 96bf8ad..ba8a613 100644

--- a/ssl.c

+++ b/ssl.c

@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)

     {

       options |= SSL_OP_NO_TLSv1;

     }

+    if (!tunable_tlsv1_1)

+    {

+      options |= SSL_OP_NO_TLSv1_1;

+    }

+    if (!tunable_tlsv1_2)

+    {

+      options |= SSL_OP_NO_TLSv1_2;

+    }

     SSL_CTX_set_options(p_ctx, options);

     if (tunable_rsa_cert_file)

     {

diff --git a/tunables.c b/tunables.c

index 93f85b1..78f2bcd 100644

--- a/tunables.c

+++ b/tunables.c

@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;

 int tunable_sslv2;

 int tunable_sslv3;

 int tunable_tlsv1;

+int tunable_tlsv1_1;

+int tunable_tlsv1_2;

 int tunable_tilde_user_enable;

 int tunable_force_anon_logins_ssl;

 int tunable_force_anon_data_ssl;

@@ -209,7 +211,10 @@ tunables_load_defaults()

   tunable_force_local_data_ssl = 1;

   tunable_sslv2 = 0;

   tunable_sslv3 = 0;

+  /* TLSv1 up to TLSv1.2 is enabled by default */

   tunable_tlsv1 = 1;

+  tunable_tlsv1_1 = 1;

+  tunable_tlsv1_2 = 1;

   tunable_tilde_user_enable = 0;

   tunable_force_anon_logins_ssl = 0;

   tunable_force_anon_data_ssl = 0;

@@ -292,8 +297,8 @@ tunables_load_defaults()

   install_str_setting(0, &tunable_dsa_cert_file);

   install_str_setting(0, &tunable_dh_param_file);

   install_str_setting(0, &tunable_ecdh_param_file);

-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",

-                      &tunable_ssl_ciphers);

+  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",

+          &tunable_ssl_ciphers);

   install_str_setting(0, &tunable_rsa_private_key_file);

   install_str_setting(0, &tunable_dsa_private_key_file);

   install_str_setting(0, &tunable_ca_certs_file);

diff --git a/tunables.h b/tunables.h

index 3e2d40c..a466427 100644

--- a/tunables.h

+++ b/tunables.h

@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl;      /* Require local data uses SSL */

 extern int tunable_sslv2;                     /* Allow SSLv2 */

 extern int tunable_sslv3;                     /* Allow SSLv3 */

 extern int tunable_tlsv1;                     /* Allow TLSv1 */

+extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */

+extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */

 extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */

 extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */

 extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */

diff --git a/vsftpd.conf.5 b/vsftpd.conf.5

index cf1ae34..a3d569e 100644

--- a/vsftpd.conf.5

+++ b/vsftpd.conf.5

@@ -506,7 +506,7 @@ Default: YES

 Only applies if

 .BR ssl_enable

 is activated. If enabled, this option will permit SSL v2 protocol connections.

-TLS v1 connections are preferred.

+TLS v1.2 connections are preferred.

 Default: NO

 .TP

@@ -514,7 +514,7 @@ Default: NO

 Only applies if

 .BR ssl_enable

 is activated. If enabled, this option will permit SSL v3 protocol connections.

-TLS v1 connections are preferred.

+TLS v1.2 connections are preferred.

 Default: NO

 .TP

@@ -522,7 +522,23 @@ Default: NO

 Only applies if

 .BR ssl_enable

 is activated. If enabled, this option will permit TLS v1 protocol connections.

-TLS v1 connections are preferred.

+TLS v1.2 connections are preferred.

+

+Default: YES

+.TP

+.B ssl_tlsv1_1

+Only applies if

+.BR ssl_enable

+is activated. If enabled, this option will permit TLS v1.1 protocol connections.

+TLS v1.2 connections are preferred.

+

+Default: YES

+.TP

+.B ssl_tlsv1_2

+Only applies if

+.BR ssl_enable

+is activated. If enabled, this option will permit TLS v1.2 protocol connections.

+TLS v1.2 connections are preferred.

 Default: YES

 .TP

@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful

 security precaution as it prevents malicious remote parties forcing a cipher

 which they have found problems with.

-Default: DES-CBC3-SHA

+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384

 .TP

 .B user_config_dir

 This powerful option allows the override of any config option specified in

-- 

2.14.4