[Git][debian-proftpd-team/proftpd][master] Issue #1074: Properly handle the `TLSCertificateChainFile` directive when SNI is used.
Hilmar Preuße
gitlab at salsa.debian.org
Thu Sep 10 23:04:43 BST 2020
Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd
Commits:
697a4399 by Hilmar Preusse at 2020-09-11T00:01:56+02:00
Issue #1074: Properly handle the `TLSCertificateChainFile` directive when SNI is used.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/2eadd82f392573235432a9cb60266f6472d08884.diff
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -13,6 +13,9 @@ proftpd-dfsg (1.3.7a-2) UNRELEASED; urgency=medium
login/authentication issues.
- debian/patches/pr_1094.diff: Improve prxs detection of `configure`
scripts for modules.
+ - 2eadd82f392573235432a9cb60266f6472d08884.diff
+ Issue #1074: Properly handle the `TLSCertificateChainFile` directive
+ when SNI is used.
* Add patch from Andreas Trottmann <andreas.trottmann at werft22.com> to
reintroduce "SQLAUthTypes Backend" with MySQL database
=====================================
debian/patches/2eadd82f392573235432a9cb60266f6472d08884.diff
=====================================
@@ -0,0 +1,140 @@
+From 2eadd82f392573235432a9cb60266f6472d08884 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sun, 16 Aug 2020 08:51:10 -0700
+Subject: [PATCH] Issue #1074: Properly handle the `TLSCertificateChainFile`
+ directive when SNI is used.
+
+---
+ contrib/mod_tls.c | 56 ++++++++++++++++++++++++++++++++++++++++-------
+ src/main.c | 4 ++++
+ 2 files changed, 52 insertions(+), 8 deletions(-)
+
+Index: proftpd/contrib/mod_tls.c
+===================================================================
+--- proftpd.orig/contrib/mod_tls.c 2020-09-10 23:48:30.260677792 +0200
++++ proftpd/contrib/mod_tls.c 2020-09-10 23:48:30.228662195 +0200
+@@ -16172,6 +16172,30 @@
+
+ /* SSL setters */
+
++static int tls_ssl_set_cert_chain(SSL *ssl) {
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
++ !defined(HAVE_LIBRESSL)
++ int res;
++
++ if (tls_ca_chain == NULL) {
++ return 0;
++ }
++
++ tls_log("adding certs from '%s' to SSL certificate chain", tls_ca_chain);
++ PRIVS_ROOT
++ res = SSL_use_certificate_chain_file(ssl, tls_ca_chain);
++ PRIVS_RELINQUISH
++
++ if (res != 1) {
++ tls_log("unable to read certificate chain '%s': %s", tls_ca_chain,
++ tls_get_errors());
++ return -1;
++ }
++#endif /* OpenSSL 1.1.x and later */
++
++ return 0;
++}
++
+ static int tls_ssl_set_ciphers(SSL *ssl) {
+ SSL_set_cipher_list(ssl, tls_cipher_suite);
+ return 0;
+@@ -16689,6 +16713,13 @@
+ return -1;
+ }
+
++ /* Inexplicable OpenSSL errors occur if the cert chain is updated after
++ * calling SSL_set_SSL_CTX, so we do it beforehand.
++ */
++ if (tls_ssl_set_cert_chain(ssl) < 0) {
++ return -1;
++ }
++
+ #if OPENSSL_VERSION_NUMBER > 0x009080cfL
+ /* Note that it is important that we update the SSL with the new SSL_CTX
+ * AFTER it has been provisioned. That way, the new/changed certs in the
+@@ -17333,10 +17364,10 @@
+
+ static int tls_ctx_set_cert_chain(SSL_CTX *ctx, X509 *dsa_cert, X509 *ec_cert,
+ X509 *rsa_cert) {
++#if defined(SSL_CTRL_CHAIN_CERT)
+ BIO *bio;
+ X509 *cert;
+ unsigned int count = 0;
+- int res;
+
+ if (tls_ca_chain == NULL) {
+ return 0;
+@@ -17344,14 +17375,20 @@
+
+ PRIVS_ROOT
+ bio = BIO_new_file(tls_ca_chain, "r");
+- if (bio == NULL) {
+- PRIVS_RELINQUISH
++ PRIVS_RELINQUISH
+
++ if (bio == NULL) {
+ tls_log("unable to read certificate chain '%s': %s", tls_ca_chain,
+ tls_get_errors());
+ return 0;
+ }
+
++ if (SSL_CTX_clear_chain_certs(ctx) != 1) {
++ tls_log("error clearing SSL_CTX chain certs: %s", tls_get_errors());
++ BIO_free(bio);
++ return -1;
++ }
++
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ while (cert != NULL) {
+ pr_signals_handle();
+@@ -17383,9 +17420,9 @@
+ }
+ }
+
+- res = SSL_CTX_add_extra_chain_cert(ctx, cert);
+- if (res != 1) {
+- tls_log("error adding cert to certificate chain: %s", tls_get_errors());
++ if (SSL_CTX_add1_chain_cert(ctx, cert) != 1) {
++ tls_log("error adding cert to SSL_CTX certificate chain: %s",
++ tls_get_errors());
+ X509_free(cert);
+ break;
+ }
+@@ -17394,10 +17431,13 @@
+ cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ }
+
+- PRIVS_RELINQUISH
+ BIO_free(bio);
++ ERR_clear_error();
++
++ tls_log("added %u certs from '%s' to SSL_CTX certificate chain", count,
++ tls_ca_chain);
++#endif /* SSL_CTRL_CHAIN_CERT */
+
+- tls_log("added %u certs from '%s' to certificate chain", count, tls_ca_chain);
+ return 0;
+ }
+
+Index: proftpd/src/main.c
+===================================================================
+--- proftpd.orig/src/main.c 2020-09-10 23:48:30.260677792 +0200
++++ proftpd/src/main.c 2020-09-10 23:48:30.244669994 +0200
+@@ -2102,7 +2102,11 @@
+ # ifdef PR_USE_OPENSSL_FIPS
+ printf(" + OpenSSL support (%s, FIPS enabled)\n", OPENSSL_VERSION_TEXT);
+ # else
++# ifdef LIBRESSL_VERSION_NUMBER
++ printf(" + OpenSSL support (%s, LibreSSL)\n", OPENSSL_VERSION_TEXT);
++# else
+ printf(" + OpenSSL support (%s)\n", OPENSSL_VERSION_TEXT);
++# endif /* Have LibreSSL */
+ # endif /* PR_USE_OPENSSL_FIPS */
+ #else
+ printf("%s", " - OpenSSL support\n");
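Review bot: `SSL_use_certificate_chain_file(ssl, tls_ca_chain)` in the new tls_ssl_set_cert_chain treats the first PEM certificate in the file as the end-entity certificate and only the following ones as chain members, whereas tls_ctx_set_cert_chain later in the same patch feeds every certificate from that same file through `SSL_CTX_add1_chain_cert`, i.e. as chain members only. If `TLSCertificateChainFile` is meant to hold just the intermediate CA certificates, as that loop suggests, the SNI path would present an intermediate as the server certificate; this is worth confirming against the directive's documented contents and, if so, the SSL-level function should mirror the CTX one with a PEM_read_bio_X509 loop feeding `SSL_add1_chain_cert`. Separately, the new `SSL_CTX_add1_chain_cert` failure path in tls_ctx_set_cert_chain only `break`s, so a partially built chain is still logged as "added" and the function returns 0, while the new `SSL_CTX_clear_chain_certs` failure returns -1; for consistent error reporting the add failure should also do `BIO_free(bio); return -1;` after the existing `X509_free(cert);`. Both functions start or end outside the hunks shown here.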
=====================================
debian/patches/series
=====================================
@@ -16,3 +16,4 @@ upstream_1070
upstream_1061
3c73f39f0db6724db597646eb6e476278f76edf5.diff
pr_1094.diff
+2eadd82f392573235432a9cb60266f6472d08884.diff