import stunnel-5.56-4.el8
parent
9e3aa13593
commit
12a6ec9bae
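--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.48.tar.gz
+SOURCES/stunnel-5.56.tar.gz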
@ -1 +1 @@
|
|||||||
8e8576abf9b143c7ef1b7390c35b46c4cf878ca0 SOURCES/stunnel-5.48.tar.gz
|
a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
|
||||||
|
@ -1,17 +0,0 @@
|
|||||||
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
|
|
||||||
index 53ad3e7..620a0e7 100644
|
|
||||||
--- a/tools/stunnel.service.in
|
|
||||||
+++ b/tools/stunnel.service.in
|
|
||||||
@@ -1,10 +1,11 @@
|
|
||||||
[Unit]
|
|
||||||
Description=TLS tunnel for network daemons
|
|
||||||
-After=syslog.target
|
|
||||||
+After=syslog.target network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=@bindir@/stunnel
|
|
||||||
Type=forking
|
|
||||||
+PrivateTmp=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c
|
|
||||||
--- stunnel-5.46/src/options.c.system-ciphers 2018-05-29 08:58:03.601089886 +0200
|
|
||||||
+++ stunnel-5.46/src/options.c 2018-05-29 08:59:00.880244728 +0200
|
|
||||||
@@ -252,7 +252,7 @@ static char *option_not_found=
|
|
||||||
"Specified option name is not valid here";
|
|
||||||
|
|
||||||
static char *stunnel_cipher_list=
|
|
||||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
|
||||||
+ "PROFILE=SYSTEM";
|
|
||||||
|
|
||||||
/**************************************** parse commandline parameters */
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
diff -up stunnel-5.48/src/file.c.coverity stunnel-5.48/src/file.c
|
|
||||||
--- stunnel-5.48/src/file.c.coverity 2018-04-06 16:25:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/file.c 2018-09-04 17:24:08.948928882 +0200
|
|
||||||
@@ -120,7 +120,7 @@ DISK_FILE *file_open(char *name, FILE_MO
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
/* setup df structure */
|
|
||||||
- df=str_alloc(sizeof df);
|
|
||||||
+ df=str_alloc(sizeof *df);
|
|
||||||
df->fd=fd;
|
|
||||||
return df;
|
|
||||||
}
|
|
||||||
diff -up stunnel-5.48/src/options.c.coverity stunnel-5.48/src/options.c
|
|
||||||
--- stunnel-5.48/src/options.c.coverity 2018-09-04 17:24:08.946928836 +0200
|
|
||||||
+++ stunnel-5.48/src/options.c 2018-09-04 18:47:03.135083884 +0200
|
|
||||||
@@ -515,8 +515,7 @@ NOEXPORT int options_include(char *direc
|
|
||||||
"%s/%s",
|
|
||||||
#endif
|
|
||||||
directory, namelist[i]->d_name);
|
|
||||||
- stat(name, &sb);
|
|
||||||
- if(S_ISREG(sb.st_mode))
|
|
||||||
+ if(stat(name, &sb) == 0 && S_ISREG(sb.st_mode))
|
|
||||||
err=options_file(name, CONF_FILE, section);
|
|
||||||
else
|
|
||||||
s_log(LOG_DEBUG, "\"%s\" is not a file", name);
|
|
||||||
@@ -3773,6 +3772,7 @@ NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src
|
|
||||||
else
|
|
||||||
head=curr;
|
|
||||||
tail=curr;
|
|
||||||
+ src=src->next;
|
|
||||||
}
|
|
||||||
return head;
|
|
||||||
}
|
|
||||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
|
||||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
|
||||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
|
||||||
for(;;) {
|
|
||||||
va_copy(ap, start_ap);
|
|
||||||
n=vsnprintf(p, size, format, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
if(n>-1 && n<(int)size)
|
|
||||||
return p;
|
|
||||||
if(n>-1) /* glibc 2.1 */
|
|
||||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
|
||||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
|
||||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
|
||||||
#endif
|
|
||||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
|
||||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
|
||||||
- closesocket(s);
|
|
||||||
#ifndef USE_FORK
|
|
||||||
service_free(opt);
|
|
||||||
#endif
|
|
@ -1,18 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAls6m2RfFIAAAAAALgAo
|
|
||||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
|
||||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
|
||||||
4BTksRAAiWO5DWBpHrnDKy1jon+4lG/OPHe92nWxc6yH2HVeB064tXYeXYjRnnR4
|
|
||||||
mItaO4wCJICd94+5EUO6DUfut4+7SIAWNPUnZd5OgFkgmGd0YEF6tEfM9z6BhMc3
|
|
||||||
T8ZwKCP/hhU5oxqQyDO/esk2+Opps5ddsQLx84iUsylFwq8gK8BkVZrx2yLBX/fz
|
|
||||||
wGpP1YnxLdx+rQQx/BkHd52nQAR3gqrGcZtMgchhTBsfZ4jgnr4Xr4XgXJPfe0Di
|
|
||||||
xGCD7/sy+N8sNu4S6RER4qNV6PLBcZ6Bjp+VqMpODdoXlD0EQXundgbrg8Nuq8HR
|
|
||||||
TTbL1pItHo0vy5QetFILJqlrdLw3sIG5Wy1+k87X485DKhJuvZqU0nKixYmaujB9
|
|
||||||
as1YNccDb2FwF7Rzq4hF1J0IwYUsyfgbd58k1VdmtPp5TSUyd1lp+tpX0tEJePk6
|
|
||||||
g1X3NecNVbw8p66gPiUadlTYkkUQdqDHnGxD9EKG7BwRE8lPR5CTJD1w8xEOzLMw
|
|
||||||
tVKSBgcHeIA7Sn9mJtOFOJ7Y+aUccMIliprgk34P3+4bFFBxLQaRQycfLVIyRy4t
|
|
||||||
3QRk+vsMxfuAVainN/yVU7hCtiL09ZHm3g8AnDZFKmtZzYcBbb24RWhONt0bz9j1
|
|
||||||
fnYKvguL78ptBpsmPmXjwBY+qxmJx4LAWFxE7TUgqsaASJYWSH4=
|
|
||||||
=KMsG
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,8 +1,7 @@
|
|||||||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
|
||||||
index a00cc78..85a0123 100644
|
--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100
|
||||||
--- a/doc/stunnel.8.in
|
+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100
|
||||||
+++ b/doc/stunnel.8.in
|
@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th
|
||||||
@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and
|
|
||||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
||||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
||||||
.Sp
|
.Sp
|
||||||
@ -11,10 +10,9 @@ index a00cc78..85a0123 100644
|
|||||||
(Facilities are not supported on Win32.)
|
(Facilities are not supported on Win32.)
|
||||||
.Sp
|
.Sp
|
||||||
Case is ignored for both facilities and levels.
|
Case is ignored for both facilities and levels.
|
||||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
|
||||||
index b7a0663..6bb01cd 100644
|
--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100
|
||||||
--- a/doc/stunnel.html.in
|
+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100
|
||||||
+++ b/doc/stunnel.html.in
|
|
||||||
@@ -244,7 +244,7 @@
|
@@ -244,7 +244,7 @@
|
||||||
|
|
||||||
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
|
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
|
||||||
@ -24,11 +22,10 @@ index b7a0663..6bb01cd 100644
|
|||||||
|
|
||||||
<p>Case is ignored for both facilities and levels.</p>
|
<p>Case is ignored for both facilities and levels.</p>
|
||||||
|
|
||||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
|
||||||
index 42d3a33..3806b5a 100644
|
--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100
|
||||||
--- a/doc/stunnel.pod.in
|
+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100
|
||||||
+++ b/doc/stunnel.pod.in
|
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th
|
||||||
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and
|
|
||||||
all levels numerically less than it will be shown. Use I<debug = debug> or
|
all levels numerically less than it will be shown. Use I<debug = debug> or
|
||||||
I<debug = 7> for greatest debugging output. The default is notice (5).
|
I<debug = 7> for greatest debugging output. The default is notice (5).
|
||||||
|
|
||||||
@ -37,12 +34,11 @@ index 42d3a33..3806b5a 100644
|
|||||||
(Facilities are not supported on Win32.)
|
(Facilities are not supported on Win32.)
|
||||||
|
|
||||||
Case is ignored for both facilities and levels.
|
Case is ignored for both facilities and levels.
|
||||||
diff --git a/src/options.c b/src/options.c
|
diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
|
||||||
index 5881486..345d274 100644
|
--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100
|
||||||
--- a/src/options.c
|
+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100
|
||||||
+++ b/src/options.c
|
@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
|
||||||
@@ -1554,8 +1554,12 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section,
|
case CMD_SET_DEFAULTS:
|
||||||
case CMD_BEGIN:
|
|
||||||
section->log_level=LOG_NOTICE;
|
section->log_level=LOG_NOTICE;
|
||||||
#if !defined (USE_WIN32) && !defined (__vms)
|
#if !defined (USE_WIN32) && !defined (__vms)
|
||||||
+#if defined(LOG_AUTHPRIV)
|
+#if defined(LOG_AUTHPRIV)
|
||||||
@ -52,5 +48,5 @@ index 5881486..345d274 100644
|
|||||||
#endif
|
#endif
|
||||||
+#endif
|
+#endif
|
||||||
break;
|
break;
|
||||||
case CMD_EXEC:
|
case CMD_SET_COPY:
|
||||||
if(strcasecmp(opt, "debug"))
|
section->log_level=new_service_options.log_level;
|
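--- /dev/null
+++ b/SOURCES/stunnel-5.50-systemd-service.patch
@@ -0,0 +1,11 @@
+diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
+--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
++++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
+@@ -5,6 +5,7 @@ After=syslog.target network.target
+[Service]
+ExecStart=@bindir@/stunnel
+Type=forking
++PrivateTmp=true
+ 
+[Install]
+WantedBy=multi-user.target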
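Review bot: `PrivateTmp=true` is the only sandboxing directive this unit gains, and on its own it only isolates /tmp and /var/tmp; a TLS terminator that, by default, reads its configuration and keys from /etc and writes little beyond a pid file and logs is normally a good candidate for `ProtectSystem=full` and `ProtectHome=true` as well. Before adding them, confirm against the shipped default configuration that stunnel's chroot, setuid/setgid and exec options still work under the extra mounts, since those interactions are not visible here. The patch is generated against stunnel-5.50 but applied to 5.56 by the spec; regenerating it against 5.56 would avoid relying on fuzz.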
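--- /dev/null
+++ b/SOURCES/stunnel-5.56-coverity.patch
@@ -0,0 +1,22 @@
+diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
+--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
+@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
+for(;;) {
+va_copy(ap, start_ap);
+n=vsnprintf(p, size, format, ap);
++ va_end(ap);
+if(n>-1 && n<(int)size)
+return p;
+if(n>-1) /* glibc 2.1 */
+diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
+--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
+@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
+#endif
+if(create_client(fd, s, alloc_client_session(opt, s, s))) {
+s_log(LOG_ERR, "Connection rejected: create_client failed");
+- closesocket(s);
+#ifndef USE_FORK
+service_free(opt);
+#endif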
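Review bot: Dropping `closesocket(s)` from the create_client failure path in accept_connection is only correct if create_client (or alloc_client_session) already closes the accepted socket when it fails, which this hunk does not show; if that is the double close Coverity flagged, say so at the spot with `/* create_client() owns s and closes it on failure; closing here was a double close */`, otherwise every rejected connection now leaks a descriptor, which a remote peer can drive. accept_connection continues outside the hunk. Separately, this file is named stunnel-5.56-coverity.patch but still carries stunnel-5.48 paths and 2018 timestamps, and three hunks of the 5.48 version (the file.c `sizeof *df` fix, the checked `stat()` in options_include, the `src=src->next` advance in psk_dup) are gone; regenerating against 5.56 and noting in the changelog that those were fixed upstream would make it clear they were dropped deliberately rather than lost in the rebase.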
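--- /dev/null
+++ b/SOURCES/stunnel-5.56-curves-doc-update.patch
@@ -0,0 +1,66 @@
+--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
++++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
+@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
+.IX Item "curves = list"
+\&\s-1ECDH\s0 curves separated with ':'
+.Sp
++Note: This option is supported for server mode sockets only.
++.Sp
+Only a single curve name is allowed for OpenSSL older than 1.1.0.
+.Sp
+To get a list of supported curves use:
+--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
++++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
+@@ -568,6 +568,8 @@
+ 
+<p>ECDH curves separated with ':'</p>
+ 
++<p>Note: This option is supported for server mode sockets only.</p>
++
+<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p>
+ 
+<p>To get a list of supported curves use:</p>
+--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
++++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
+@@ -499,6 +499,8 @@ I<verifyPeer> options.
+ 
+ECDH curves separated with ':'
+ 
++Note: This option is supported for server mode sockets only.
++
+Only a single curve name is allowed for OpenSSL older than 1.1.0.
+ 
+To get a list of supported curves use:
+--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
++++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
+@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
+ 
+krzywe ECDH odddzielone ':'
+ 
++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
++
+Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
+ 
+Listę dostępnych krzywych można uzyskać poleceniem:
+--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
++++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
+@@ -564,6 +564,8 @@
+ 
+<p>krzywe ECDH odddzielone ':'</p>
+ 
++<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
++
+<p>Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.</p>
+ 
+<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
+--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
++++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
+@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
+.IX Item "curves = lista"
+krzywe \s-1ECDH\s0 odddzielone ':'
+.Sp
++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
++.Sp
+Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
+.Sp
+Listę dostępnych krzywych można uzyskać poleceniem: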
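--- /dev/null
+++ b/SOURCES/stunnel-5.56-default-tls-version.patch
@@ -0,0 +1,92 @@
+--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
++++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
+@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ICON_IMAGE load_icon_file(const char *);
+#endif
+ 
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++ crypto policies */
++
+#endif /* defined PROTOTYPES_H */
+ 
+/* end of prototypes.h */
+--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
++++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
+@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
+return "Invalid protocol version";
+return NULL; /* OK */
+case CMD_INITIALIZE:
+- if(section->max_proto_version && section->min_proto_version &&
+- section->max_proto_version<section->min_proto_version)
++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->max_proto_version<section->min_proto_version)
+return "Invalid protocol version range";
+break;
+case CMD_PRINT_DEFAULTS:
+@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
+/* sslVersionMax */
+switch(cmd) {
+case CMD_SET_DEFAULTS:
+- section->max_proto_version=0; /* highest supported */
++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies.Do not
++ override it */
+break;
+case CMD_SET_COPY:
+section->max_proto_version=new_service_options.max_proto_version;
+@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
+/* sslVersionMin */
+switch(cmd) {
+case CMD_SET_DEFAULTS:
+- section->min_proto_version=TLS1_VERSION;
++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies. Do not
++ override it */
+break;
+case CMD_SET_COPY:
+section->min_proto_version=new_service_options.min_proto_version;
+--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
++++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
+@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
+section->ctx=SSL_CTX_new(TLS_client_method());
+else /* server mode */
+section->ctx=SSL_CTX_new(TLS_server_method());
+- if(!SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
++
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in \
++ OpenSSL crypto policies. Not setting explicitly.");
++ } else {
++ if(!SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+}
+- if(!SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS version as specified in \
++ OpenSSL crypto policies. Not setting explicitly");
++ } else {
++ if(!SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
+}
+#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+if(section->option.client)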
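Review bot: In the ctx.c hunk both LOG_INFO messages are split with a backslash-newline inside the string literal, so the continuation line's indentation becomes a run of spaces in the logged text, and the two messages also disagree on the trailing period; use adjacent literals instead, `s_log(LOG_INFO, "Using the default TLS version as specified in "` followed by `"OpenSSL crypto policies. Not setting explicitly.");`, in both branches. Because USE_DEFAULT_TLS_VERSION replaces the former hard floor of `TLS1_VERSION` and the "highest supported" ceiling, the effective protocol range is now whatever the system crypto policy allows (including TLS 1.0/1.1 under a permissive policy); if the packaged man page still states the old sslVersionMin/sslVersionMax defaults, it needs the same documentation update the curves option received in this commit. The CMD_INITIALIZE check is also skipped as soon as either bound is the sentinel, so a configuration that sets only sslVersionMin above the policy's maximum is no longer rejected at startup and presumably surfaces as handshake failures instead; a comment such as `/* only cross-check when both bounds are explicit; a lone bound is validated by OpenSSL */` would record that this is intended. context_init continues outside the hunk.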
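--- /dev/null
+++ b/SOURCES/stunnel-5.56-system-ciphers.patch
@@ -0,0 +1,12 @@
+diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
+--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
++++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
+@@ -277,7 +277,7 @@ static char *option_not_found=
+"Specified option name is not valid here";
+ 
+static char *stunnel_cipher_list=
+- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+ 
+#ifndef OPENSSL_NO_TLS1_3
+static char *stunnel_ciphersuites=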
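--- /dev/null
+++ b/SOURCES/stunnel-5.56.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl
+5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3
+n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0
+ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4
+mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV
+j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM
+cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56
+MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN
+Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm
+uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ
+PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4=
+=RhpX
+-----END PGP SIGNATURE-----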
@ -9,8 +9,8 @@
|
|||||||
|
|
||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.48
|
Version: 5.56
|
||||||
Release: 5%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
URL: http://www.stunnel.org/
|
URL: http://www.stunnel.org/
|
||||||
@ -22,10 +22,12 @@ Source4: stunnel-sfinger.conf
|
|||||||
Source5: pop3-redirect.xinetd
|
Source5: pop3-redirect.xinetd
|
||||||
Source6: stunnel-pop3s-client.conf
|
Source6: stunnel-pop3s-client.conf
|
||||||
Source7: stunnel@.service
|
Source7: stunnel@.service
|
||||||
Patch0: stunnel-5.40-authpriv.patch
|
Patch0: stunnel-5.50-authpriv.patch
|
||||||
Patch1: stunnel-5.40-systemd-service.patch
|
Patch1: stunnel-5.50-systemd-service.patch
|
||||||
Patch3: stunnel-5.46-system-ciphers.patch
|
Patch3: stunnel-5.56-system-ciphers.patch
|
||||||
Patch4: stunnel-5.48-coverity.patch
|
Patch4: stunnel-5.56-coverity.patch
|
||||||
|
Patch5: stunnel-5.56-default-tls-version.patch
|
||||||
|
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||||
@ -52,6 +54,8 @@ conjunction with imapd to create a TLS secure IMAP server.
|
|||||||
%patch1 -p1 -b .systemd-service
|
%patch1 -p1 -b .systemd-service
|
||||||
%patch3 -p1 -b .system-ciphers
|
%patch3 -p1 -b .system-ciphers
|
||||||
%patch4 -p1 -b .coverity
|
%patch4 -p1 -b .coverity
|
||||||
|
%patch5 -p1 -b .default-tls-version
|
||||||
|
%patch6 -p1 -b .curves-doc-update
|
||||||
|
|
||||||
# Fix the configure script output for FIPS mode and stack protector flag
|
# Fix the configure script output for FIPS mode and stack protector flag
|
||||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
||||||
@ -106,7 +110,7 @@ make test
|
|||||||
|
|
||||||
%files
|
%files
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
%doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO
|
%doc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
|
||||||
%doc tools/stunnel.conf-sample
|
%doc tools/stunnel.conf-sample
|
||||||
%doc srpm-docs/*
|
%doc srpm-docs/*
|
||||||
%license COPY*
|
%license COPY*
|
||||||
@ -137,6 +141,18 @@ make test
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
||||||
|
- Updates documentation to specify that the option "curves" can be used in server mode only.
|
||||||
|
|
||||||
|
* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
|
||||||
|
- Fixes default tls version patch to handle default values from OpenSSL crypto policies
|
||||||
|
|
||||||
|
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2
|
||||||
|
- Adds default tls version patch to comply with OpenSSL crypto policies
|
||||||
|
|
||||||
|
* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
|
||||||
|
- New upstream release 5.56
|
||||||
|
|
||||||
* Tue Sep 4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
|
* Tue Sep 4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
|
||||||
- Fix -fstack-protector-strong build flag application
|
- Fix -fstack-protector-strong build flag application
|
||||||
- Fix bugs from Coverity scan
|
- Fix bugs from Coverity scan
|
||||||
|
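Review bot: The commit ships the upstream detached signature stunnel-5.56.tar.gz.asc next to the tarball, but none of the visible spec hunks verify it, and the lookaside metadata pins the tarball only by a SHA-1 digest. Unless verification happens in a part of %prep outside these hunks, the signature is stored but never checked; adding the upstream public key as an extra Source and a `%{gpgverify} --keyring=<keyring> --signature=<asc> --data=<tarball>` step (or an equivalent gpgv2 call where that macro is unavailable) would turn it into an actual build-time check. The patch list also jumps from Patch1 to Patch3; a one-line comment on why Patch2 is unused would save the next rebase a search.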