Bug 2069733

Summary: Not able to specify TLS1.3 ciphersuites in vsftpd configuration
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: vsftpdAssignee: Richard Lescak <rlescak>
Status: CLOSED ERRATA QA Contact: Ondrej Mejzlik <omejzlik>
Severity: medium Docs Contact: Šárka Jana <sjanderk>
Priority: medium    
Version: 8.5CC: asosedki, jorton, omejzlik, rlescak
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: vsftpd-3.0.3-36.el8 Doc Type: Enhancement
Doc Text:
.You can now specify TLS 1.3 cipher suites in `vsftpd` With this enhancement, you can use the new `ssl_ciphersuites` option to configure which cipher suites `vsftpd` uses. As a result, you can specify TLS 1.3 cipher suites that differ from the previous TLS versions. To specify multiple cipher suites, separate entries with colons (:).
 Story Points: ---
Clone Of:
: 2188296 (view as bug list) Environment:
Last Closed: 2023-11-14 15:26:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2022-03-29 15:01:03 UTC 
Description of problem:

This is related to BZ #1638375 (RHEL8.6) but not identical since BZ #1638375 deals with being able to disable TLS1.3, not configuring it.

By default we have vsftpd use the system-wide crypto policy, which ends up using the following Ciphersuites with TLS1.3 for policy DEFAULT:

Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256


It appears that it's not possible to change the setting for vsftpd only.
Trying to set ssl_ciphers to one of the above fails.

Example with ssl_ciphers=TLS_AES_256_GCM_SHA384:

500 OOPS: SSL: could not set cipher list

The failure happens when calling the OpenSSL code:
~~~
 146 void
 147 ssl_init(struct vsf_session* p_sess)
 148 {
 :
 233     if (tunable_ssl_ciphers &&
 234         SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
 235     {
 236       die("SSL: could not set cipher list");
 237     }
~~~

Note that specifying TLS1.2 ciphers (e.g. ECDHE-RSA-CHACHA20-POLY1305) works fine.


Version-Release number of selected component (if applicable):

vsftpd-3.0.3-34.el8.x86_64


How reproducible:

Always, see above.
Comment 18 errata-xmlrpc 2023-11-14 15:26:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (vsftpd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6922