From: Michael Tremer Date: Mon, 8 Jul 2024 08:57:54 +0000 (+0000) Subject: vsftpd: Update to 3.0.5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=938d423fec1256663eac50e61826473defba1354;p=people%2Fms%2Fipfire-2.x.git vsftpd: Update to 3.0.5 Signed-off-by: Michael Tremer --- diff --git a/lfs/vsftpd b/lfs/vsftpd index 07dda3098..b7f4c0b92 100644 --- a/lfs/vsftpd +++ b/lfs/vsftpd @@ -24,7 +24,7 @@ include Config -VER = 2.3.4 +VER = 3.0.5 THISAPP = vsftpd-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,9 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = vsftpd -PAK_VER = 8 - -DEPS = "" +PAK_VER = 9 ############################################################################### # Top-level Rules @@ -44,7 +42,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 2ea5d19978710527bb7444d93b67767a +$(DL_FILE)_BLAKE2 = c197a070f7eef8c97ef0adc1ebb883520e7613d67ba0eabb1380b3adaae272f4ef79110e79ce4aad5ddebd6100fb059308d905203249c5445d3ea64c29dc5ec2 install : $(TARGET) @@ -52,7 +50,7 @@ check : $(patsubst %,$(DIR_CHK)/%,$(objects)) download :$(patsubst %,$(DIR_DL)/%,$(objects)) -md5 : $(subst %,%_MD5,$(objects)) +b2 : $(subst %,%_BLAKE2,$(objects)) dist: $(PAK) @@ -67,8 +65,8 @@ $(patsubst %,$(DIR_CHK)/%,$(objects)) : $(patsubst %,$(DIR_DL)/%,$(objects)) : @$(LOAD) -$(subst %,%_MD5,$(objects)) : - @$(MD5) +$(subst %,%_BLAKE2,$(objects)) : + @$(B2SUM) ############################################################################### # Installation Details 
@@ -77,11 +75,25 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && echo "#define VSF_BUILD_SSL" >>builddefs.h + + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/CVE-2015-1419.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/config-disable-anonymous-access-by-default.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/config-set-PAM-service-name-to-vsftpd.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/build-with-SSL-support.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/adjust-usr-share-empty-to-var-empty.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-make-to-respect-distro-flags.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-build-with-openssl-1.1.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-handle-AUTH_TLS-reply-to-FEAT-for-all-TLS-varian.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-ssl_tlsv-documentation-and-config-tunables.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-seccomp-rules.patch + + # Don't link against libnsl + cd $(DIR_APP) && sed "/lnsl/d" -i vsf_findlibs.sh + cd $(DIR_APP) && install -v -d -m 0755 /var/ftp/empty cd $(DIR_APP) && install -v -d -m 0755 /home/ftp chown vsftpd.vsftpd /home/ftp - cd $(DIR_APP) && make + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && install -v -m 755 vsftpd /usr/sbin/vsftpd cd $(DIR_APP) && install -v -m 644 vsftpd.8 /usr/share/man/man8 cd $(DIR_APP) && install -v -m 644 vsftpd.conf.5 /usr/share/man/man5 diff --git a/src/patches/vsftpd/CVE-2015-1419.patch b/src/patches/vsftpd/CVE-2015-1419.patch new file mode 100644 index 000000000..0a6144395 --- /dev/null +++ b/src/patches/vsftpd/CVE-2015-1419.patch 
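Review bot: The recipe creates `/var/ftp/empty`, but the newly applied adjust-usr-share-empty-to-var-empty.patch sets the compiled-in default of `secure_chroot_dir` to `/var/empty`, so the directory the build prepares is not the one the daemon falls back to. Unless the shipped configuration sets `secure_chroot_dir` explicitly, or `/var/empty` is guaranteed to exist and to be non-writable for the ftp user (neither is visible in this diff), either create it here with `install -v -d -m 0755 /var/empty` or drop that patch from the list. A one-line comment above the patch block naming where the patch set was taken from would also help the next update. The `$(TARGET)` rule continues past the end of the hunk.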
@@ -0,0 +1,104 @@
+Description: CVE-2015-1419: config option deny_file is not handled correctly
+Author: Marcus Meissner
+Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
+Last-Update: 2015-02-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/ls.c
+===================================================================
+--- trunk.orig/ls.c
++++ trunk/ls.c
+@@ -7,6 +7,7 @@
+ * Would you believe, code to handle directory listing.
+ */
+
++#include
+ #include "ls.h"
+ #include "access.h"
+ #include "defs.h"
+@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
+ struct mystr temp_str = INIT_MYSTR;
+ struct mystr brace_list_str = INIT_MYSTR;
+ struct mystr new_filter_str = INIT_MYSTR;
++ struct mystr normalize_filename_str = INIT_MYSTR;
++ const char *normname;
++ const char *path;
+ int ret = 0;
+ char last_token = 0;
+ int must_match_at_current_pos = 1;
++
+ str_copy(&filter_remain_str, p_filter_str);
+- str_copy(&name_remain_str, p_filename_str);
++
++ /* normalize filepath */
++ path = str_strdup(p_filename_str);
++ normname = realpath(path, NULL);
++ if (normname == NULL)
++ goto out;
++ str_alloc_text(&normalize_filename_str, normname);
++
++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
++ if (str_get_char_at(p_filter_str, 0) == '/') {
++ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
++ str_getcwd (&name_remain_str);
++
++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
++ str_append_char (&name_remain_str, '/');
++
++ str_append_str (&name_remain_str, &normalize_filename_str);
++ }
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ } else {
++ if (str_get_char_at(p_filter_str, 0) != '{')
++ str_basename (&name_remain_str, &normalize_filename_str);
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ }
++ } else
++ str_copy(&name_remain_str, &normalize_filename_str);
+
+ while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+ {
+@@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct
+ ret = 0;
+ }
+ out:
++ free((char*) normname);
++ free((char*) path);
++ str_free(&normalize_filename_str);
+ str_free(&filter_remain_str);
+ str_free(&name_remain_str);
+ str_free(&temp_str);
+Index: trunk/str.c
+===================================================================
+--- trunk.orig/str.c
++++ trunk/str.c
+@@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_
+ }
+ }
+
++void
++str_basename (struct mystr* d_str, const struct mystr* path)
++{
++ static struct mystr tmp;
++
++ str_copy (&tmp, path);
++ str_split_char_reverse(&tmp, d_str, '/');
++
++ if (str_isempty(d_str))
++ str_copy (d_str, path);
++}
+Index: trunk/str.h
+===================================================================
+--- trunk.orig/str.h
++++ trunk/str.h
+@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
+ int str_atoi(const struct mystr* p_str);
+ filesize_t str_a_to_filesize_t(const struct mystr* p_str);
+ unsigned int str_octal_to_uint(const struct mystr* p_str);
++void str_basename (struct mystr* d_str, const struct mystr* path);
+
+ /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
+ * buffer, starting at character position 'p_pos'. The extracted line will
diff --git a/src/patches/vsftpd/adjust-usr-share-empty-to-var-empty.patch b/src/patches/vsftpd/adjust-usr-share-empty-to-var-empty.patch
new file mode 100644
index 000000000..258638994
--- /dev/null
+++ b/src/patches/vsftpd/adjust-usr-share-empty-to-var-empty.patch
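Review bot: In `vsf_filename_passes_filter`, the new `if (normname == NULL) goto out;` leaves `ret` at 0, so any name `realpath()` cannot resolve is reported as not matching the filter, and a caller that uses the filter as a deny rule would then treat that name as allowed. Falling back to the un-normalised name keeps at least the pre-patch matching in that case, e.g. `if (normname == NULL) str_copy(&normalize_filename_str, p_filename_str); else str_alloc_text(&normalize_filename_str, normname);`. `str_basename` keeps its scratch string in `static struct mystr tmp`, which is never released and makes the helper non-reentrant; a local `INIT_MYSTR` string freed before returning would avoid both. The patch header is dated 2015, so it is worth confirming against the 3.0.5 sources that the change is still required and does not overlap an upstream fix. The function body continues outside the inner hunks.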
@@ -0,0 +1,59 @@
+From fa4bb925ab76b629952db58557a12008de59ca25 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 20:15:33 +0100
+Subject: [PATCH] adjust /usr/share/empty to /var/empty
+
+---
+ INSTALL | 6 +++---
+ tunables.c | 2 +-
+ vsftpd.conf.5 | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/INSTALL b/INSTALL
+index 4f811aa..d76d79a 100644
+--- a/INSTALL
++++ b/INSTALL
+@@ -27,11 +27,11 @@ user in case it does not already exist. e.g.:
+ [root@localhost root]# useradd nobody
+ useradd: user nobody exists
+
+-2b) vsftpd needs the (empty) directory /usr/share/empty in the default
++2b) vsftpd needs the (empty) directory /var/empty in the default
+ configuration. Add this directory in case it does not already exist. e.g.:
+
+-[root@localhost root]# mkdir /usr/share/empty/
+-mkdir: cannot create directory `/usr/share/empty': File exists
++[root@localhost root]# mkdir /var/empty/
++mkdir: cannot create directory `/var/empty': File exists
+
+ 2c) For anonymous FTP, you will need the user "ftp" to exist, and have a
+ valid home directory (which is NOT owned or writable by the user "ftp").
+diff --git a/tunables.c b/tunables.c
+index 069160a..59ae493 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -261,7 +261,7 @@ tunables_load_defaults()
+ /* -rw------- */
+ tunable_chown_upload_mode = 0600;
+
+- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
++ install_str_setting("/var/empty", &tunable_secure_chroot_dir);
+ install_str_setting("ftp", &tunable_ftp_username);
+ install_str_setting("root", &tunable_chown_username);
+ install_str_setting("/var/log/xferlog", &tunable_xferlog_file);
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 9e85785..8d469e9 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -993,7 +993,7 @@ This option should be the name of a directory which is empty. Also, the
+ directory should not be writable by the ftp user. This directory is used
+ as a secure chroot() jail at times vsftpd does not require filesystem access.
+
+-Default: /usr/share/empty
++Default: /var/empty
+ .TP
+ .B ssl_ciphers
+ This option can be used to select which SSL ciphers vsftpd will allow for
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/build-with-SSL-support.patch b/src/patches/vsftpd/build-with-SSL-support.patch
new file mode 100644
index 000000000..9a05462f4
--- /dev/null
+++ b/src/patches/vsftpd/build-with-SSL-support.patch
@@ -0,0 +1,25 @@
+From e2812fffd47d001478ef73ec7c5f1f0322b88684 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 23:30:47 +0100
+Subject: [PATCH] build with SSL support
+
+---
+ builddefs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builddefs.h b/builddefs.h
+index e908352..63cc62b 100644
+--- a/builddefs.h
++++ b/builddefs.h
+@@ -3,7 +3,7 @@
+
+ #undef VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+-#undef VSF_BUILD_SSL
++#define VSF_BUILD_SSL
+
+ #endif /* VSF_BUILDDEFS_H */
+
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/config-disable-anonymous-access-by-default.patch b/src/patches/vsftpd/config-disable-anonymous-access-by-default.patch
new file mode 100644
index 000000000..d224f4630
--- /dev/null
+++ b/src/patches/vsftpd/config-disable-anonymous-access-by-default.patch
@@ -0,0 +1,25 @@
+From c6e03f208c85288b81a780f26967b98ace976e60 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 23:44:34 +0100
+Subject: [PATCH] config: disable anonymous access by default
+
+---
+ vsftpd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vsftpd.conf b/vsftpd.conf
+index cc1c607..f613efe 100644
+--- a/vsftpd.conf
++++ b/vsftpd.conf
+@@ -9,7 +9,7 @@
+ # capabilities.
+ #
+ # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+-anonymous_enable=YES
++anonymous_enable=NO
+ #
+ # Uncomment this to allow local users to log in.
+ #local_enable=YES
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/config-set-PAM-service-name-to-vsftpd.patch b/src/patches/vsftpd/config-set-PAM-service-name-to-vsftpd.patch
new file mode 100644
index 000000000..8225f6d91
--- /dev/null
+++ b/src/patches/vsftpd/config-set-PAM-service-name-to-vsftpd.patch
@@ -0,0 +1,24 @@
+From efe3fa360454f86800ed60eab403c00713cf8e92 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 23:48:42 +0100
+Subject: [PATCH] config: set PAM service name to vsftpd
+
+---
+ vsftpd.conf | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/vsftpd.conf b/vsftpd.conf
+index f613efe..ce9d10a 100644
+--- a/vsftpd.conf
++++ b/vsftpd.conf
+@@ -115,3 +115,7 @@ listen=YES
+ # sockets, you must run two copies of vsftpd with two configuration files.
+ # Make sure, that one of the listen options is commented !!
+ #listen_ipv6=YES
++
++# Set own PAM service name to detect authentication settings specified
++# for vsftpd by the system package.
++pam_service_name=vsftpd
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/fix-build-with-openssl-1.1.patch b/src/patches/vsftpd/fix-build-with-openssl-1.1.patch
new file mode 100644
index 000000000..ef093b967
--- /dev/null
+++ b/src/patches/vsftpd/fix-build-with-openssl-1.1.patch
@@ -0,0 +1,25 @@
+From 4dd04b995fd51dbbeadd3d6ad0417f128924a932 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 20:27:51 +0100
+Subject: [PATCH] fix: build with openssl 1.1
+
+---
+ vsf_findlibs.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vsf_findlibs.sh b/vsf_findlibs.sh
+index 4538685..6e65e2e 100755
+--- a/vsf_findlibs.sh
++++ b/vsf_findlibs.sh
+@@ -66,7 +66,7 @@ locate_library /usr/shlib/librt.so && echo "-lrt";
+ locate_library /usr/lib/libsendfile.so && echo "-lsendfile";
+
+ # OpenSSL
+-if find_func SSL_library_init ssl.o; then
++if find_func SSL_CTX_new ssl.o; then
+ echo "-lssl -lcrypto";
+ elif find_func SSL_new ssl.o; then
+ echo "-lssl -lcrypto";
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/fix-handle-AUTH_TLS-reply-to-FEAT-for-all-TLS-varian.patch b/src/patches/vsftpd/fix-handle-AUTH_TLS-reply-to-FEAT-for-all-TLS-varian.patch
new file mode 100644
index 000000000..281e5800d
--- /dev/null
+++ b/src/patches/vsftpd/fix-handle-AUTH_TLS-reply-to-FEAT-for-all-TLS-varian.patch
@@ -0,0 +1,27 @@
+From 2f22333b5d39651cf0b2b973396faca510317d6c Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 23:01:59 +0100
+Subject: [PATCH] fix: handle AUTH_TLS reply to FEAT for all TLS variants
+
+Send 'AUTH SSL' in reply to the FEAT command when any of the TLS
+versions is enabled.
+---
+ features.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/features.c b/features.c
+index 1212980..3a60b88 100644
+--- a/features.c
++++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+ {
+ vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+ }
+- if (tunable_tlsv1)
++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
+ {
+ vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+ }
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/fix-make-to-respect-distro-flags.patch b/src/patches/vsftpd/fix-make-to-respect-distro-flags.patch
new file mode 100644
index 000000000..cb321361c
--- /dev/null
+++ b/src/patches/vsftpd/fix-make-to-respect-distro-flags.patch
@@ -0,0 +1,46 @@
+From a23e8d016cbc4d5a9d3c3f28893c34f0dc6a6618 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 20:57:57 +0100
+Subject: [PATCH] fix: make to respect distro flags
+
+---
+ Makefile | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index c63ed1b..2e84bb5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -3,14 +3,13 @@ CC = gcc
+ INSTALL = install
+ IFLAGS = -idirafter dummyinc
+ #CFLAGS = -g
+-CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
++CFLAGS ?= -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
+ -Wall -W -Wshadow -Werror -Wformat-security \
+ -D_FORTIFY_SOURCE=2 \
+ #-pedantic -Wconversion
+
+ LIBS = `./vsf_findlibs.sh`
+-LINK = -Wl,-s
+-LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
++LDFLAGS ?= -fPIE -pie -Wl,-z,relro -Wl,-z,now
+
+ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+ tunables.o ftpdataio.o secbuf.o ls.o \
+@@ -23,10 +22,10 @@ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+
+
+ .c.o:
+- $(CC) -c $*.c $(CFLAGS) $(IFLAGS)
++ $(CC) -c $*.c $(CFLAGS) $(CPPFLAGS) $(IFLAGS)
+
+ vsftpd: $(OBJS)
+- $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS)
++ $(CC) -o vsftpd $(OBJS) $(LDFLAGS) $(LIBS)
+
+ install:
+ if [ -x /usr/local/sbin ]; then \
+--
+2.43.0
+
diff --git a/src/patches/vsftpd/fix-seccomp-rules.patch b/src/patches/vsftpd/fix-seccomp-rules.patch
new file mode 100644
index 000000000..a7d2e9002
--- /dev/null
+++ b/src/patches/vsftpd/fix-seccomp-rules.patch
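Review bot: With `CFLAGS ?=` and `LDFLAGS ?=`, a build that already has either variable set drops the whole upstream default, including `-fstack-protector`, `-D_FORTIFY_SOURCE=2`, `-Wformat-security` and `-fPIE -pie -Wl,-z,relro -Wl,-z,now`, so the hardening of the installed daemon then depends entirely on what the distribution passes in. If the distribution flags are not guaranteed to contain these, appending keeps them regardless, e.g. `CFLAGS += -fPIE -fstack-protector -D_FORTIFY_SOURCE=2` and `LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now`; otherwise a comment above the two assignments should state that hardening is expected from the caller. The same inner hunk removes `LINK = -Wl,-s`, so the binary is no longer stripped at link time, which is presumably intended but is not mentioned in the patch description.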
@@ -0,0 +1,53 @@
+From 1cedb8fee186895d6828423ce4f7ca33d30ea7ad Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 19:56:20 +0100
+Subject: [PATCH] fix: seccomp rules
+
+---
+ seccompsandbox.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/seccompsandbox.c b/seccompsandbox.c
+index bcd96a0..a265f93 100644
+--- a/seccompsandbox.c
++++ b/seccompsandbox.c
+@@ -307,14 +307,20 @@ seccomp_sandbox_setup_base()
+ allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
+ allow_nr(__NR_munmap);
+ allow_nr(__NR_brk);
++ allow_nr(__NR_sysinfo);
++ allow_nr(__NR_getdents64);
+ /* glibc falls back gracefully if mremap() fails during realloc(). */
+ reject_nr(__NR_mremap, ENOSYS);
+
+ /* Misc simple low-risk calls. */
+ allow_nr(__NR_gettimeofday); /* Used by logging. */
++ allow_nr(__NR_clock_gettime); /* Used by logging. */
+ allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
+ allow_nr(__NR_restart_syscall);
+ allow_nr(__NR_close);
++ allow_nr(__NR_alarm);
++ allow_nr(__NR_wait4);
++
+
+ /* Always need to be able to exit ! */
+ allow_nr(__NR_exit_group);
+@@ -343,6 +349,7 @@ seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
+ allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
+ allow_nr(__NR_getpid); /* Used by logging. */
+ allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
++ allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
+ /* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
+ * Also, sockets are O_RDWR.
+@@ -367,6 +374,7 @@ seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
+ {
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
++ allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_TCP, 3, TCP_ULP);
+ }
+ if (tunable_syslog_enable)
+ {
+--
+2.43.0
+
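Review bot: `sysinfo`, `getdents64`, `alarm` and `wait4` in `seccomp_sandbox_setup_base()` and the `TCP_ULP` `setsockopt` rule in `seccomp_sandbox_setup_prelogin()` are added without a comment saying which code path needs them, and the patch description is empty, so a later reader cannot tell a required entry from a leftover. As the name suggests, the base list is presumably shared by every sandboxed stage, so each entry there widens the filter for all of them; anything needed only by one stage would be better placed in that stage's setup function. At minimum give each new rule a rationale in the existing style, following `allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */` from the same patch. Both functions continue outside the inner hunks.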
diff --git a/src/patches/vsftpd/fix-ssl_tlsv-documentation-and-config-tunables.patch b/src/patches/vsftpd/fix-ssl_tlsv-documentation-and-config-tunables.patch
new file mode 100644
index 000000000..d6ffc522a
--- /dev/null
+++ b/src/patches/vsftpd/fix-ssl_tlsv-documentation-and-config-tunables.patch
@@ -0,0 +1,57 @@
+From ca9a5c7719f6c1a285ab80d0660e1b1fd9d0d8a3 Mon Sep 17 00:00:00 2001
+From: Levente Polyak
+Date: Sat, 27 Jan 2024 20:13:59 +0100
+Subject: [PATCH] fix: ssl_tlsv documentation and config tunables
+
+---
+ README.ssl | 4 ++--
+ vsftpd.conf.5 | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/README.ssl b/README.ssl
+index 2ec70cb..5327679 100644
+--- a/README.ssl
++++ b/README.ssl
+@@ -35,6 +35,6 @@ go to that directory and type e.g. "make vsftpd.pem". Then answer the
+ questions you are asked. Alternatively, read the man page for "openssl".
+ - Also be aware of the following SSL related parameters. Read the vsftpd.conf.5
+ manual page to learn about them: allow_anon_ssl, force_local_logins_ssl,
+-force_local_data_ssl, ssl_sslv2, ssl_sslv3, ssl_tlsv1, rsa_cert_file,
+-dsa_cert_file, ssl_ciphers.
++force_local_data_ssl, ssl_sslv2, ssl_sslv3, ssl_tlsv1, ssl_tlsv11, ssl_tlsv12,
++ssl_tlsv13, rsa_cert_file, dsa_cert_file, ssl_ciphers.
+
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 8d469e9..56ab251 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -499,7 +499,7 @@ TLS v1.2+ connections are preferred.
+
+ Default: NO
+ .TP
+-.B ssl_tlsv1_1
++.B ssl_tlsv11
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+@@ -507,7 +507,7 @@ TLS v1.2+ connections are preferred.
+
+ Default: NO
+ .TP
+-.B ssl_tlsv1_2
++.B ssl_tlsv12
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+@@ -515,7 +515,7 @@ TLS v1.2+ connections are preferred.
+
+ Default: YES
+ .TP
+-.B ssl_tlsv1_3
++.B ssl_tlsv13
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+--
+2.43.0
+