Bug 2069733

Summary: Not able to specify TLS1.3 ciphersuites in vsftpd configuration
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: vsftpd
Assignee: Richard Lescak <rlescak>
Status: VERIFIED ---
QA Contact: Ondrej Mejzlik <omejzlik>
Severity: medium
Docs Contact: Šárka Jana <sjanderk>
Priority: medium
Version: 8.5
CC: asosedki, jorton, omejzlik, rlescak
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: vsftpd-3.0.3-36.el8
Doc Type: Bug Fix
Doc Text:
TLSv1.3 ciphersuites differ from the ciphers of lower TLS versions and must be handled separately. vsftpd now has the option 'ssl_ciphersuites', where they can be set. A list of multiple ciphersuites must be separated by colons (":").
Story Points: ---
Clone Of:
: 2188296 Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2022-03-29 15:01:03 UTC
Description of problem:

This is related to BZ #1638375 (RHEL8.6) but not identical since BZ #1638375 deals with being able to disable TLS1.3, not configuring it.

By default we have vsftpd use the system-wide crypto policy, which ends up using the following Ciphersuites with TLS1.3 for policy DEFAULT:

Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256


It appears that it's not possible to change the setting for vsftpd only.
Trying to set ssl_ciphers to one of the above fails.

Example with ssl_ciphers=TLS_AES_256_GCM_SHA384:

500 OOPS: SSL: could not set cipher list

The failure happens when calling the OpenSSL code:
~~~
void
ssl_init(struct vsf_session* p_sess)
{
  /* ... */
    /* SSL_CTX_set_cipher_list() only configures ciphers for TLS 1.2 and
     * below; TLS 1.3 ciphersuite names are not accepted here, so a value
     * such as TLS_AES_256_GCM_SHA384 makes the call return 0. */
    if (tunable_ssl_ciphers &&
        SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
    {
      die("SSL: could not set cipher list");
    }
~~~

Note that specifying TLS1.2 ciphers (e.g. ECDHE-RSA-CHACHA20-POLY1305) works fine.


Version-Release number of selected component (if applicable):

vsftpd-3.0.3-34.el8.x86_64


How reproducible:

Always, see above.
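As an added example (not part of the report, and not vsftpd code), the Python below reproduces the failure against OpenSSL's SSL_CTX_set_cipher_list, which ssl.SSLContext.set_ciphers() wraps, and splits a mixed cipher string into the two values the fixed vsftpd expects in ssl_ciphers and ssl_ciphersuites. The OpenSSL call that applies TLS 1.3 suites, SSL_CTX_set_ciphersuites, is not exposed by Python's ssl module, so the ssl_ciphersuites value is only derived here, not applied; the ^TLS_ name pattern used for the split is an assumption based on OpenSSL's TLS 1.3 suite names.

```python
import re
import ssl

# Assumption used for the split: OpenSSL's TLS 1.3 ciphersuite names are
# IANA-style (TLS_AES_256_GCM_SHA384), while TLS 1.2-and-lower cipher-list
# entries are hyphenated names (ECDHE-RSA-CHACHA20-POLY1305) or keywords.
_TLS13_SUITE = re.compile(r"^TLS_[A-Z0-9_]+$")
HAS_TLS13 = ssl.HAS_TLSv1_3


def split_cipher_config(value):
    """Split one colon-separated cipher string into the values of the two
    vsftpd options: (ssl_ciphers, ssl_ciphersuites)."""
    tls12, tls13 = [], []
    for entry in filter(None, value.split(":")):
        (tls13 if _TLS13_SUITE.match(entry) else tls12).append(entry)
    return ":".join(tls12), ":".join(tls13)


def cipher_list_accepted(cipher_string):
    """Pass a string to SSL_CTX_set_cipher_list (what set_ciphers() wraps),
    the same call vsftpd's ssl_init() makes. False corresponds to
    '500 OOPS: SSL: could not set cipher list'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def protocols_in_cipher_list(cipher_string):
    """Protocol versions left in the context's cipher list after set_ciphers().
    OpenSSL keeps its TLS 1.3 suites ahead of the TLS 1.2 list, so the legacy
    cipher string cannot remove or reorder them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return sorted({c["protocol"] for c in ctx.get_ciphers()})


if __name__ == "__main__":
    # Constructed input: DEFAULT-policy TLS 1.3 suites plus a working TLS 1.2 cipher.
    combined = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
                "ECDHE-RSA-CHACHA20-POLY1305")
    ciphers, suites = split_cipher_config(combined)
    print("ssl_ciphers=" + ciphers)
    print("ssl_ciphersuites=" + suites)
    print("TLS 1.3 names via set_cipher_list:", cipher_list_accepted(suites))
    print("TLS 1.2 names via set_cipher_list:", cipher_list_accepted(ciphers))
    print("still negotiable:", protocols_in_cipher_list(ciphers))
```

Feeding the derived ssl_ciphersuites value to set_cipher_list fails exactly as the report describes, while the ssl_ciphers value is accepted and leaves the TLS 1.3 suites in place untouched.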