commit a639ef40edd233db34a0dbe37d828914709a2977 Author: Arkadiusz Miśkiewicz <ar...@maven.pl> Date: Tue Feb 19 11:13:46 2019 +0100
- rel 6; tls patches from upstream pure-ftpd.spec | 4 +++- tls.patch | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-) --- diff --git a/pure-ftpd.spec b/pure-ftpd.spec index 4abfc33..15e9159 100644 --- a/pure-ftpd.spec +++ b/pure-ftpd.spec @@ -9,7 +9,7 @@ %bcond_without tls # disable SSL/TLS support %bcond_without cap # disable capabilities -%define rel 5 +%define rel 6 Summary: Small, fast and secure FTP server Summary(pl.UTF-8): Mały, szybki i bezpieczny serwer FTP Name: pure-ftpd @@ -32,6 +32,7 @@ Patch2: %{name}-pure-pw_passwd.patch Patch3: %{name}-mysql_config.patch # from Fedora Patch4: 0003-Allow-having-both-options-and-config-file-on-command.patch +Patch5: tls.patch Patch7: audit_cap.patch Patch8: %{name}-apparmor.patch @@ -111,6 +112,7 @@ Ten pakiet zawiera schemat Pure-FTPd pureftpd.schema dla openldapa. %patch1 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch7 -p1 %patch8 -p1 diff --git a/tls.patch b/tls.patch new file mode 100644 index 0000000..615fb96 --- /dev/null +++ b/tls.patch 
@@ -0,0 +1,63 @@
+commit 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad
+Author: Frank Denis <git...@pureftpd.org>
+Date: Wed Sep 19 23:53:45 2018 +0200
+
+ TLS1.3 compatibility
+
+ Fixes #94
+
+diff --git a/src/tls.c b/src/tls.c
+index c693d3b..f383ed9 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
+ if ((where & SSL_CB_HANDSHAKE_START) != 0) {
+ if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
+ (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
+- die(400, LOG_ERR, "TLS renegociation");
++ const SSL_CIPHER *cipher;
++ const char *cipher_version;
++ if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
++ (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
++ die(400, LOG_ERR, "No cipher");
++ }
++ if (strcmp(cipher_version, "TLSv1.3") != 0) {
++ die(400, LOG_ERR, "TLS renegociation");
++ return;
++ }
+ }
+ return;
+ }
+@@ -264,10 +273,10 @@ int tls_init_library(void)
+ OpenSSL_add_all_algorithms();
+ # else
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
+- OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
++ OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
+- OPENSSL_INIT_ADD_ALL_DIGESTS |
+- OPENSSL_INIT_LOAD_CONFIG, NULL);
++ OPENSSL_INIT_ADD_ALL_DIGESTS |
++ OPENSSL_INIT_LOAD_CONFIG, NULL);
+ # endif
+ while (RAND_status() == 0) {
+ rnd = zrand();
+commit aa68b2d620ef0c83c7f52213c7e6093722b0b8bd
+Author: Frank Denis <git...@pureftpd.org>
+Date: Wed Oct 24 19:19:26 2018 +0200
+
+ Disable TLSv1_1
+
+diff --git a/src/tls.c b/src/tls.c
+index f383ed9..c4e2a1b 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -297,7 +297,7 @@ int tls_init_library(void)
+ SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
+ # endif
+ # ifdef SSL_OP_NO_TLSv1_1
+- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_1);
++ SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
+ # endif
+ # ifdef SSL_OP_NO_TLSv1_2
+ SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
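Review bot: In the ssl_info_cb hunk of the vendored tls.patch, the two new die() calls are handled inconsistently: the "TLS renegociation" branch is followed by `return;` while the "No cipher" branch is not. If die() can ever return (its definition is not part of this patch), the "No cipher" path falls through to `strcmp(cipher_version, "TLSv1.3")` with a NULL or unassigned pointer, so that branch should end with `return;` as well, or both should rely on die() not returning. The exemption also infers the protocol from the cipher's version string; comparing `SSL_version(cnx)` against `TLS1_3_VERSION` under `#ifdef TLS1_3_VERSION` would test the negotiated protocol directly. A comment above the check such as `/* TLS 1.3 has no renegotiation; OpenSSL reports post-handshake messages as a handshake start */` would record why 1.3 is excluded from the renegotiation guard; the function body continues outside the hunk.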