From: TJ S. <cas...@us...> - 2011-12-10 21:37:07
|
Update of /cvsroot/proftp/proftpd/contrib In directory vz-cvs-3.sog:/tmp/cvs-serv32370/contrib Modified Files: mod_tls.c Log Message: Support TLSv1.1 and TLSv1.2 protocol versions in the TLSProtocol directive, assuming the version of OpenSSL used is new enough (1.0.1 and later). Index: mod_tls.c =================================================================== RCS file: /cvsroot/proftp/proftpd/contrib/mod_tls.c,v retrieving revision 1.266 retrieving revision 1.267 diff -u -d -r1.266 -r1.267 --- mod_tls.c 6 Dec 2011 03:34:44 -0000 1.266 +++ mod_tls.c 10 Dec 2011 21:37:04 -0000 1.267 @@ -376,6 +376,8 @@ #define TLS_PROTO_SSL_V3 0x0001 #define TLS_PROTO_TLS_V1 0x0002 +#define TLS_PROTO_TLS_V1_1 0x0004 +#define TLS_PROTO_TLS_V1_2 0x0008 static unsigned int tls_protocol = TLS_PROTO_SSL_V3|TLS_PROTO_TLS_V1; #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS @@ -2334,7 +2336,11 @@ if ((tls_protocol & TLS_PROTO_SSL_V3) && (tls_protocol & TLS_PROTO_TLS_V1)) { /* This is the default, so there is no need to do anything. */ +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting SSLv3, TLSv1, TLSv1.1, TLSv1.2 protocols"); +#else pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting SSLv3, TLSv1 protocols"); +#endif /* OpenSSL-1.0.1 or later */ } else if (tls_protocol & TLS_PROTO_SSL_V3) { SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_server_method()); @@ -2343,6 +2349,17 @@ } else if (tls_protocol & TLS_PROTO_TLS_V1) { SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_server_method()); pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1 protocol only"); + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + } else if (tls_protocol & TLS_PROTO_TLS_V1_1) { + SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_1_server_method()); + pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1.1 protocol only"); + + } else if (tls_protocol & TLS_PROTO_TLS_V1_2) { + SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_2_server_method()); + pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1.2 protocol only"); + +#endif /* OpenSSL-1.0.1 or later */ } tls_ca_cert = get_param_ptr(main_server->conf, "TLSCACertificateFile", FALSE); @@ -7079,6 +7096,20 @@ } else if (strncasecmp(cmd->argv[i], "TLSv1", 6) == 0) { tls_protocol |= TLS_PROTO_TLS_V1; + } else if (strncasecmp(cmd->argv[i], "TLSv1.1", 8) == 0) { +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + tls_protocol |= TLS_PROTO_TLS_V1_1; +#else + CONF_ERROR(cmd, "Your OpenSSL installation does not support TLSv1.1"); +#endif /* OpenSSL 1.0.1 or later */ + + } else if (strncasecmp(cmd->argv[i], "TLSv1.2", 8) == 0) { +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + tls_protocol |= TLS_PROTO_TLS_V1_2; +#else + CONF_ERROR(cmd, "Your OpenSSL installation does not support TLSv1.2"); +#endif /* OpenSSL 1.0.1 or later */ + } else { CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "unknown protocol: '", cmd->argv[i], "'", NULL)); |