From 0334b7c96b6e9cea1aaa1c0d02aee9aac5b02b30 Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Thu, 19 Oct 2023 14:52:34 +0200
Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility

On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and NO_TLSv1.3 values for the options directive. Since we do not break compatibility, preserve these options for customers that have them set.

Resolves: RHEL-2340
Signed-off-by: Clemens Lang
---
 ...e-NO_TLSv1.-123-option-compatibility.patch | 37 +++++++++++++++++++
 stunnel.spec | 8 +++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch

diff --git a/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch b/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
new file mode 100644
index 0000000..8b11a61
--- /dev/null
+++ b/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
@@ -0,0 +1,37 @@
+From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Thu, 19 Oct 2023 14:41:54 +0200
+Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
+
+On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
+NO_TLSv1.3 values for the options directive. Since we do not break
+compatibility, preserve these options for customers that have them set.
+
+Related: RHEL-2340
+---
+ src/options.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/options.c b/src/options.c
+index a306c4c..c05692c 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_1
+ {"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
++ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+ {"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
++ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_3
+ {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
++ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
+ #endif
+ #ifdef SSL_OP_PKCS1_CHECK_1
+ {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
+--
+2.41.0
+
diff --git a/stunnel.spec b/stunnel.spec
index 166d499..1597e04 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -10,7 +10,7 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.71
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group: Applications/Internet
 URL: https://www.stunnel.org/
@@ -31,6 +31,7 @@ Patch1: stunnel-5.61-systemd-service.patch
 Patch3: stunnel-5.69-system-ciphers.patch
 Patch5: stunnel-5.69-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
+Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
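Review bot: The three dotted entries added to `ssl_opts[]` in the embedded src/options.c patch (`NO_TLSv1.1`, `NO_TLSv1.2`, `NO_TLSv1.3`) have no comment marking them as downstream compatibility spellings, so a later rebase onto a new upstream release can drop them unnoticed. These names decide which TLS protocol versions a configuration disables, so a lost alias changes how an existing `options = NO_TLSv1.1` line is handled; whether an unknown name is rejected at start-up or ignored is not visible here and is worth confirming. I would put `/* RHEL 8 compatibility spelling; same bit as NO_TLSv1_1 */` above the first added line and the matching comment above the other two. The table starts and ends outside the hunk, so whether any code maps a bit back to the first matching name or lists the table to users cannot be checked from this page; if it does, the underscore spelling should stay first, as it does here.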
@@ -62,6 +63,7 @@ conjunction with imapd to create a TLS secure IMAP server. %patch3 -p1 -b .system-ciphers %patch5 -p1 -b .default-tls-version %patch6 -p1 -b .curves-doc-update +%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility # Fix the stack protector flag sed -i 's/-fstack-protector/-fstack-protector-strong/' configure @@ -140,6 +142,10 @@ fi %systemd_postun_with_restart %{name}.service %changelog +* Thu Oct 19 2023 Clemens Lang - 5.71-2 +- Restore support for the NO_TLSv1.[123] values for the option directive + Resolves: RHEL-2340 + * Thu Oct 05 2023 Clemens Lang - 5.71-1 - New upstream release 5.71 Resolves: RHEL-2340