[Git][debian-proftpd-team/proftpd][master] Issue #1074: Properly handle the `TLSCertificateChainFile` directive when SNI is used.

Hilmar Preuße gitlab at salsa.debian.org
Thu Sep 10 23:04:43 BST 2020



Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd


Commits:
697a4399 by Hilmar Preusse at 2020-09-11T00:01:56+02:00
Issue #1074: Properly handle the `TLSCertificateChainFile` directive when SNI is used.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/2eadd82f392573235432a9cb60266f6472d08884.diff
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -13,6 +13,9 @@ proftpd-dfsg (1.3.7a-2) UNRELEASED; urgency=medium
       login/authentication issues.
     - debian/patches/pr_1094.diff: Improve prxs detection of `configure`
       scripts for modules.
+    - 2eadd82f392573235432a9cb60266f6472d08884.diff
+      Issue #1074: Properly handle the `TLSCertificateChainFile` directive
+      when SNI is used.
 
   * Add patch from Andreas Trottmann <andreas.trottmann at werft22.com> to
     reintroduce "SQLAUthTypes Backend" with MySQL database


=====================================
debian/patches/2eadd82f392573235432a9cb60266f6472d08884.diff
=====================================
@@ -0,0 +1,140 @@
+From 2eadd82f392573235432a9cb60266f6472d08884 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sun, 16 Aug 2020 08:51:10 -0700
+Subject: [PATCH] Issue #1074: Properly handle the `TLSCertificateChainFile`
+ directive when SNI is used.
+
+---
+ contrib/mod_tls.c | 56 ++++++++++++++++++++++++++++++++++++++++-------
+ src/main.c        |  4 ++++
+ 2 files changed, 52 insertions(+), 8 deletions(-)
+
+Index: proftpd/contrib/mod_tls.c
+===================================================================
+--- proftpd.orig/contrib/mod_tls.c	2020-09-10 23:48:30.260677792 +0200
++++ proftpd/contrib/mod_tls.c	2020-09-10 23:48:30.228662195 +0200
+@@ -16172,6 +16172,30 @@
+ 
+ /* SSL setters */
+ 
++static int tls_ssl_set_cert_chain(SSL *ssl) {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
++    !defined(HAVE_LIBRESSL)
++  int res;
++
++  if (tls_ca_chain == NULL) {
++    return 0;
++  }
++
++  tls_log("adding certs from '%s' to SSL certificate chain", tls_ca_chain);
++  PRIVS_ROOT
++  res = SSL_use_certificate_chain_file(ssl, tls_ca_chain);
++  PRIVS_RELINQUISH
++
++  if (res != 1) {
++    tls_log("unable to read certificate chain '%s': %s", tls_ca_chain,
++      tls_get_errors());
++    return -1;
++  }
++#endif /* OpenSSL 1.1.x and later */
++
++  return 0;
++}
++
+ static int tls_ssl_set_ciphers(SSL *ssl) {
+   SSL_set_cipher_list(ssl, tls_cipher_suite);
+   return 0;
+@@ -16689,6 +16713,13 @@
+     return -1;
+   }
+ 
++  /* Inexplicable OpenSSL errors occur if the cert chain is updated after
++   * calling SSL_set_SSL_CTX, so we do it beforehand.
++   */
++  if (tls_ssl_set_cert_chain(ssl) < 0) {
++    return -1;
++  }
++
+ #if OPENSSL_VERSION_NUMBER > 0x009080cfL
+   /* Note that it is important that we update the SSL with the new SSL_CTX
+    * AFTER it has been provisioned.  That way, the new/changed certs in the
+@@ -17333,10 +17364,10 @@
+ 
+ static int tls_ctx_set_cert_chain(SSL_CTX *ctx, X509 *dsa_cert, X509 *ec_cert,
+     X509 *rsa_cert) {
++#if defined(SSL_CTRL_CHAIN_CERT)
+   BIO *bio;
+   X509 *cert;
+   unsigned int count = 0;
+-  int res;
+ 
+   if (tls_ca_chain == NULL) {
+     return 0;
+@@ -17344,14 +17375,20 @@
+ 
+   PRIVS_ROOT
+   bio = BIO_new_file(tls_ca_chain, "r");
+-  if (bio == NULL) {
+-    PRIVS_RELINQUISH
++  PRIVS_RELINQUISH
+ 
++  if (bio == NULL) {
+     tls_log("unable to read certificate chain '%s': %s", tls_ca_chain,
+       tls_get_errors());
+     return 0;
+   }
+ 
++  if (SSL_CTX_clear_chain_certs(ctx) != 1) {
++    tls_log("error clearing SSL_CTX chain certs: %s", tls_get_errors());
++    BIO_free(bio);
++    return -1;
++  }
++
+   cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+   while (cert != NULL) {
+     pr_signals_handle();
+@@ -17383,9 +17420,9 @@
+       }
+     }
+ 
+-    res = SSL_CTX_add_extra_chain_cert(ctx, cert);
+-    if (res != 1) {
+-      tls_log("error adding cert to certificate chain: %s", tls_get_errors());
++    if (SSL_CTX_add1_chain_cert(ctx, cert) != 1) {
++      tls_log("error adding cert to SSL_CTX certificate chain: %s",
++        tls_get_errors());
+       X509_free(cert);
+       break;
+     }
+@@ -17394,10 +17431,13 @@
+     cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+   }
+ 
+-  PRIVS_RELINQUISH
+   BIO_free(bio);
++  ERR_clear_error();
++
++  tls_log("added %u certs from '%s' to SSL_CTX certificate chain", count,
++    tls_ca_chain);
++#endif /* SSL_CTRL_CHAIN_CERT */
+ 
+-  tls_log("added %u certs from '%s' to certificate chain", count, tls_ca_chain);
+   return 0;
+ }
+ 
+Index: proftpd/src/main.c
+===================================================================
+--- proftpd.orig/src/main.c	2020-09-10 23:48:30.260677792 +0200
++++ proftpd/src/main.c	2020-09-10 23:48:30.244669994 +0200
+@@ -2102,7 +2102,11 @@
+ # ifdef PR_USE_OPENSSL_FIPS
+     printf("    + OpenSSL support (%s, FIPS enabled)\n", OPENSSL_VERSION_TEXT);
+ # else
++#  ifdef LIBRESSL_VERSION_NUMBER
++    printf("    + OpenSSL support (%s, LibreSSL)\n", OPENSSL_VERSION_TEXT);
++#  else
+     printf("    + OpenSSL support (%s)\n", OPENSSL_VERSION_TEXT);
++#  endif /* Have LibreSSL */
+ # endif /* PR_USE_OPENSSL_FIPS */
+ #else
+   printf("%s", "    - OpenSSL support\n");
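Review bot: `tls_ssl_set_cert_chain` feeds `tls_ca_chain` to `SSL_use_certificate_chain_file`, whose documented contract is that the first PEM certificate in the file is the end-entity certificate (installed as the SSL's own certificate) and only the following entries become chain certificates, whereas the `SSL_CTX` path in `tls_ctx_set_cert_chain` treats every certificate in the same file as a chain entry via `SSL_CTX_add1_chain_cert` and appears to skip some entries (the closing braces at the top of the fourth hunk, whose condition is outside the hunk). So a `TLSCertificateChainFile` holding only intermediates, which is what the ctx path accepts, would in the SNI path install an intermediate as the server certificate and the key mismatch surfaces only at handshake time; I would read the file with `PEM_read_bio_X509` exactly as the ctx path does and add each entry with `SSL_add1_chain_cert`, so both paths give the directive one meaning, and that also lets the `PRIVS_ROOT` window shrink to the `BIO_new_file` call as the ctx hunk now does. The two paths also disagree on failure policy: an unreadable chain file is logged and tolerated in the ctx path (`return 0` after the `bio == NULL` check) but aborts per-session setup at the new `return -1` after `tls_ssl_set_cert_chain(ssl) < 0`, so either document fail-closed there (`/* An unreadable chain for an SNI vhost is fatal: serving the default chain would be a silent misconfiguration. */`) or return 0 to match. The comment about "inexplicable OpenSSL errors" should record what was observed and with which OpenSSL version, since `SSL_set_SSL_CTX()` in 1.1.x replaces the SSL's certificate state with a copy of the new context's and may discard a chain installed beforehand — worth confirming rather than leaving unexplained. The caller that contains the `SSL_set_SSL_CTX` sequence starts and ends outside the hunk.
```c
static int tls_ssl_set_cert_chain(SSL *ssl) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
    !defined(HAVE_LIBRESSL)
  BIO *bio;
  X509 *cert;
  unsigned int count = 0;

  if (tls_ca_chain == NULL) {
    return 0;
  }

  /* Read the chain file ourselves rather than via
   * SSL_use_certificate_chain_file(), which would take the first entry as
   * the server certificate; the SSL_CTX path treats every entry as a chain
   * certificate, and TLSCertificateChainFile must mean the same thing here.
   */
  PRIVS_ROOT
  bio = BIO_new_file(tls_ca_chain, "r");
  PRIVS_RELINQUISH

  if (bio == NULL) {
    tls_log("unable to read certificate chain '%s': %s", tls_ca_chain,
      tls_get_errors());
    return -1;
  }

  if (SSL_clear_chain_certs(ssl) != 1) {
    tls_log("error clearing SSL chain certs: %s", tls_get_errors());
    BIO_free(bio);
    return -1;
  }

  cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
  while (cert != NULL) {
    pr_signals_handle();

    /* SSL_add1_chain_cert() takes its own reference, so we drop ours. */
    if (SSL_add1_chain_cert(ssl, cert) != 1) {
      tls_log("error adding cert to SSL certificate chain: %s",
        tls_get_errors());
      X509_free(cert);
      break;
    }

    X509_free(cert);
    count++;
    cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
  }

  BIO_free(bio);
  /* PEM_read_bio_X509() leaves an error on the stack at EOF. */
  ERR_clear_error();

  tls_log("added %u certs from '%s' to SSL certificate chain", count,
    tls_ca_chain);
#endif /* OpenSSL 1.1.x and later */

  return 0;
}
```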


=====================================
debian/patches/series
=====================================
@@ -16,3 +16,4 @@ upstream_1070
 upstream_1061
 3c73f39f0db6724db597646eb6e476278f76edf5.diff
 pr_1094.diff
+2eadd82f392573235432a9cb60266f6472d08884.diff



View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/697a439931f094a8ffe7df9c2c33a11aada82cb3
