Bug 2069733 - Not able to specify TLS1.3 ciphersuites in vsftpd configuration
Summary: Not able to specify TLS1.3 ciphersuites in vsftpd configuration
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: vsftpd
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Richard Lescak
QA Contact: Ondrej Mejzlik
Docs Contact: Šárka Jana
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-29 15:01 UTC by Renaud Métrich
Modified: 2023-07-12 08:06 UTC (History)

Fixed In Version: vsftpd-3.0.3-36.el8
Doc Type: Bug Fix
Doc Text:
TLSv1.3 ciphersuites use a separate namespace from the ciphers of earlier TLS versions and must be configured separately. vsftpd now has an 'ssl_ciphersuites' option where they can be set; a list of multiple ciphersuites is separated by colons (":").
Clone Of:
Clones: 2188296
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Links:
Red Hat Issue Tracker RHELPLAN-117162 (last updated 2022-03-29 16:00:05 UTC)
Red Hat Knowledge Base (Solution) 6912881 (last updated 2022-04-12 12:32:19 UTC)

Description Renaud Métrich 2022-03-29 15:01:03 UTC
Description of problem:

This is related to BZ #1638375 (RHEL8.6) but not identical since BZ #1638375 deals with being able to disable TLS1.3, not configuring it.

By default we have vsftpd use the system-wide crypto policy, which ends up using the following Ciphersuites with TLS1.3 for policy DEFAULT:

Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256


It appears that it's not possible to change the setting for vsftpd only.
Trying to set ssl_ciphers to one of the above fails.

Example with ssl_ciphers=TLS_AES_256_GCM_SHA384:

500 OOPS: SSL: could not set cipher list

The failure happens when calling the OpenSSL code:
~~~
void
ssl_init(struct vsf_session* p_sess)
{
  /* ... */
    /* ssl_ciphers is handed to SSL_CTX_set_cipher_list(), which only
     * configures the TLS 1.2-and-below cipher list; TLS 1.3 ciphersuites
     * are configured through SSL_CTX_set_ciphersuites() instead. */
    if (tunable_ssl_ciphers &&
        SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
    {
      die("SSL: could not set cipher list");
    }
~~~

Note that specifying TLS1.2 ciphers (e.g. ECDHE-RSA-CHACHA20-POLY1305) works fine.


Version-Release number of selected component (if applicable):

vsftpd-3.0.3-34.el8.x86_64


How reproducible:

Always, see above.
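The failure above and the fix described in the Doc Text both come down to one distinction: OpenSSL keeps TLS 1.2-and-below ciphers (`ssl_ciphers`, set through `SSL_CTX_set_cipher_list`) and TLS 1.3 ciphersuites (`ssl_ciphersuites`, set through `SSL_CTX_set_ciphersuites`) in separate lists with separate name formats. The following linter is an added example, not code from vsftpd or from the bug report; it parses a `vsftpd.conf` fragment, flags TLS 1.3 names placed in `ssl_ciphers` and non-TLS 1.3 names or the wrong separator in `ssl_ciphersuites`, and, where Python's `ssl` module is available, asks the local OpenSSL whether it accepts the `ssl_ciphers` value (`SSLContext.set_ciphers` wraps the same `SSL_CTX_set_cipher_list` call vsftpd makes, so it reproduces the "could not set cipher list" failure; Python exposes no `set_ciphersuites`, so TLS 1.3 names are checked against the RFC 8446 name list instead). The two configuration fragments are constructed samples.

```python
"""Lint the TLS cipher settings of a vsftpd.conf fragment (added example).

  ssl_ciphers       -> OpenSSL cipher *list*  (TLS 1.2 and below)
  ssl_ciphersuites  -> OpenSSL *ciphersuites* (TLS 1.3 only), ':'-separated
"""

# The TLS 1.3 ciphersuite names OpenSSL understands (RFC 8446 names).
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Constructed sample: the configuration that fails in the bug report.
BROKEN_CONF = """\
ssl_enable=YES
ssl_ciphers=TLS_AES_256_GCM_SHA384
"""

# Constructed sample: the split form that the fixed package supports.
FIXED_CONF = """\
ssl_enable=YES
ssl_ciphers=ECDHE-RSA-CHACHA20-POLY1305
ssl_ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
"""


def parse_vsftpd_conf(text):
    """Return {key: value} for 'key=value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def lint_tls_settings(settings):
    """Return a list of (setting, offending value, problem) findings."""
    findings = []
    # TLS 1.3 names never belong in the TLS<=1.2 cipher list.
    for token in settings.get("ssl_ciphers", "").split(":"):
        if token in TLS13_SUITES:
            findings.append(("ssl_ciphers", token,
                             "TLS 1.3 ciphersuite in the TLS<=1.2 cipher list; "
                             "move it to ssl_ciphersuites"))
    suites = settings.get("ssl_ciphersuites")
    if suites is not None:
        if "," in suites:
            findings.append(("ssl_ciphersuites", suites,
                             "entries must be separated by ':' not ','"))
        else:
            for token in suites.split(":"):
                if token not in TLS13_SUITES:
                    findings.append(("ssl_ciphersuites", token,
                                     "not a TLS 1.3 ciphersuite name"))
    return findings


def openssl_accepts_cipher_list(cipher_list):
    """Ask the local OpenSSL whether it accepts cipher_list as a TLS<=1.2 cipher list.

    SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), the call vsftpd
    makes in ssl_init(). Returns None when the ssl module is unavailable.
    """
    try:
        import ssl
    except ImportError:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        settings = parse_vsftpd_conf(conf)
        print(name, "findings:", lint_tls_settings(settings))
        if "ssl_ciphers" in settings:
            print(name, "OpenSSL accepts ssl_ciphers:",
                  openssl_accepts_cipher_list(settings["ssl_ciphers"]))
```

Run against the broken sample, the linter reports the TLS 1.3 name in `ssl_ciphers` and OpenSSL rejects the value, which is the same condition that makes vsftpd call `die("SSL: could not set cipher list")`; the fixed sample produces no findings.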

