[packages/pure-ftpd] - rel 7; log tls sni hostname
arekm
arekm at pld-linux.org
Fri Mar 15 15:58:58 CET 2019
commit bb9b82fe4bdeec87ecc472dc9a0acf53dbaac2d2
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Fri Mar 15 15:58:16 2019 +0100
- rel 7; log tls sni hostname
pure-ftpd.spec | 6 ++---
sni.patch | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+), 3 deletions(-)
---
diff --git a/pure-ftpd.spec b/pure-ftpd.spec
index 15e9159..2106ce0 100644
--- a/pure-ftpd.spec
+++ b/pure-ftpd.spec
@@ -9,7 +9,7 @@
%bcond_without tls # disable SSL/TLS support
%bcond_without cap # disable capabilities
-%define rel 6
+%define rel 7
Summary: Small, fast and secure FTP server
Summary(pl.UTF-8): Mały, szybki i bezpieczny serwer FTP
Name: pure-ftpd
@@ -33,7 +33,7 @@ Patch3: %{name}-mysql_config.patch
# from Fedora
Patch4: 0003-Allow-having-both-options-and-config-file-on-command.patch
Patch5: tls.patch
-
+Patch6: sni.patch
Patch7: audit_cap.patch
Patch8: %{name}-apparmor.patch
Patch9: %{name}-mysql-utf8.patch
@@ -113,7 +113,7 @@ Ten pakiet zawiera schemat Pure-FTPd pureftpd.schema dla openldapa.
%patch3 -p1
%patch4 -p1
%patch5 -p1
-
+%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
diff --git a/sni.patch b/sni.patch
new file mode 100644
index 0000000..60912e1
--- /dev/null
+++ b/sni.patch
@@ -0,0 +1,78 @@
+commit d2906ca519ecc9fb864eb7005809982322137964
+Author: Frank Denis <github at pureftpd.org>
+Date: Fri Mar 15 13:12:04 2019 +0100
+
+ Add tlsext servername callback
+
+diff --git a/src/tls.c b/src/tls.c
+index e4bddb2..f34617b 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -219,6 +219,18 @@ static void tls_init_cache(void)
+ SSL_CTX_set_timeout(tls_ctx, 60 * 60L);
+ }
+
++static int ssl_servername_cb(SSL *cnx, int *al, void *arg)
++{
++ const char *servername;
++
++ if ((servername = SSL_get_servername(cnx, TLSEXT_NAMETYPE_host_name))
++ == NULL) {
++ logfile(LOG_INFO, "SNI: [%s]", servername);
++ return SSL_TLSEXT_ERR_NOACK;
++ }
++ return SSL_TLSEXT_ERR_OK;
++}
++
+ # ifdef DISABLE_SSL_RENEGOTIATION
+ static void ssl_info_cb(const SSL *cnx, int where, int ret)
+ {
+@@ -348,6 +360,7 @@ int tls_init_library(void)
+ SSL_CTX_set_options(tls_ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ # endif
+ SSL_CTX_set_info_callback(tls_ctx, ssl_info_cb);
++ SSL_CTX_set_tlsext_servername_callback(tls_ctx, ssl_servername_cb);
+ # endif
+ SSL_CTX_set_verify_depth(tls_ctx, 6);
+ if (ssl_verify_client_cert) {
+commit 1d110dd103d306ce14c17320a03d6c324ef2db9c
+Author: Frank Denis <github at pureftpd.org>
+Date: Fri Mar 15 13:45:14 2019 +0100
+
+ Don't log a NULL name :)
+
+diff --git a/src/tls.c b/src/tls.c
+index f34617b..6078dd7 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -225,9 +225,10 @@ static int ssl_servername_cb(SSL *cnx, int *al, void *arg)
+
+ if ((servername = SSL_get_servername(cnx, TLSEXT_NAMETYPE_host_name))
+ == NULL) {
+- logfile(LOG_INFO, "SNI: [%s]", servername);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
++ logfile(LOG_INFO, "SNI: [%s]", servername);
++
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+commit f0659f8357952c0a95cd62c938bd6c9852cd78f9
+Author: Frank Denis <github at pureftpd.org>
+Date: Fri Mar 15 14:14:15 2019 +0100
+
+ Reject empty names
+
+diff --git a/src/tls.c b/src/tls.c
+index 6078dd7..a992473 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -224,7 +224,7 @@ static int ssl_servername_cb(SSL *cnx, int *al, void *arg)
+ const char *servername;
+
+ if ((servername = SSL_get_servername(cnx, TLSEXT_NAMETYPE_host_name))
+- == NULL) {
++ == NULL || *servername == 0) {
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+ logfile(LOG_INFO, "SNI: [%s]", servername);
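Review bot: The hostname passed to `logfile(LOG_INFO, "SNI: [%s]", servername)` in the final form of ssl_servername_cb is client-supplied and is written to the log without any filtering; the only checks made in this series are for NULL and empty strings. Unless logfile() already escapes non-printable bytes (not visible here), a peer can place control characters or line breaks in the SNI extension and have them land verbatim in the log, so the name should be copied into a bounded, printable-only buffer before logging, and the unused `al`/`arg` parameters should be marked with `(void)` casts to keep -Wunused-parameter quiet. The same function is touched by all three embedded commits; the suggestion applies to the state after the third one.
```c
static int ssl_servername_cb(SSL *cnx, int *al, void *arg)
{
    const char *servername;
    char        safe[256];
    size_t      i;

    (void) al;
    (void) arg;
    if ((servername = SSL_get_servername(cnx, TLSEXT_NAMETYPE_host_name))
        == NULL || *servername == 0) {
        return SSL_TLSEXT_ERR_NOACK;
    }
    /* SNI is client-supplied: log a bounded, printable-only copy */
    for (i = 0; i < sizeof safe - 1 && servername[i] != 0; i++) {
        unsigned char c = (unsigned char) servername[i];
        safe[i] = (c < 0x20 || c >= 0x7f) ? '?' : (char) c;
    }
    safe[i] = 0;
    logfile(LOG_INFO, "SNI: [%s]", safe);

    return SSL_TLSEXT_ERR_OK;
}
```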