File stunnel-5.69-default-tls-version.patch of Package stunnel

From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch

Patch-name: stunnel-5.69-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
 src/ctx.c        | 34 ++++++++++++++++++++++------------
 src/options.c    | 15 +++++++++++----
 src/prototypes.h |  3 +++
 3 files changed, 36 insertions(+), 16 deletions(-)

Index: stunnel-5.72/src/ctx.c
===================================================================
--- stunnel-5.72.orig/src/ctx.c
+++ stunnel-5.72/src/ctx.c
@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *sectio
 
     /* set supported protocol versions */
 #if OPENSSL_VERSION_NUMBER>=0x10100000L
-    if(section->min_proto_version &&
-            !SSL_CTX_set_min_proto_version(section->ctx,
-            section->min_proto_version)) {
-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-            section->min_proto_version);
-        return 1; /* FAILED */
+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+              " crypto policies. Not setting explicitly.");
+    } else {
+        if(section->min_proto_version &&
+                !SSL_CTX_set_min_proto_version(section->ctx,
+                section->min_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+                section->min_proto_version);
+            return 1; /* FAILED */
+        }
     }
-    if(section->max_proto_version &&
-            !SSL_CTX_set_max_proto_version(section->ctx,
-            section->max_proto_version)) {
-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-            section->max_proto_version);
-        return 1; /* FAILED */
+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+                " crypto policies. Not setting explicitly");
+    } else {
+        if(section->max_proto_version &&
+                !SSL_CTX_set_max_proto_version(section->ctx,
+                section->max_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+                section->max_proto_version);
+            return 1; /* FAILED */
+        }
     }
 #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
 
Index: stunnel-5.72/src/options.c
===================================================================
--- stunnel-5.72.orig/src/options.c
+++ stunnel-5.72/src/options.c
@@ -3429,8 +3429,9 @@ NOEXPORT const char *parse_service_optio
             return "Invalid protocol version";
         return NULL; /* OK */
     case CMD_INITIALIZE:
-        if(section->max_proto_version && section->min_proto_version &&
-                section->max_proto_version<section->min_proto_version)
+        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->max_proto_version<section->min_proto_version)
             return "Invalid protocol version range";
         break;
     case CMD_PRINT_DEFAULTS:
@@ -3448,7 +3449,10 @@ NOEXPORT const char *parse_service_optio
     /* sslVersionMax */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->max_proto_version=0; /* highest supported */
+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies.Do not
+                                                               override it */
         break;
     case CMD_SET_COPY:
         section->max_proto_version=new_service_options.max_proto_version;
@@ -3479,7 +3483,10 @@ NOEXPORT const char *parse_service_optio
     /* sslVersionMin */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->min_proto_version=0; /* lowest supported */
+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies. Do not
+                                                               override it */
         break;
     case CMD_SET_COPY:
         section->min_proto_version=new_service_options.min_proto_version;
Index: stunnel-5.72/src/prototypes.h
===================================================================
--- stunnel-5.72.orig/src/prototypes.h
+++ stunnel-5.72/src/prototypes.h
@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
 ICON_IMAGE load_icon_file(const char *);
 #endif
 
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+                                             crypto policies */
+
 #endif /* defined PROTOTYPES_H */
 
 /* end of prototypes.h */