From 1fc37baa6de3526981e9834bb4931241ed3cc63b Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 27 Mar 2024 20:33:13 +0000
Subject: [PATCH] import CS stunnel-5.71-2.el8
---
 .gitignore | 2 +-
 .stunnel.metadata | 2 +-
 SOURCES/pgp.asc | 125 ++++++++++
 SOURCES/stunnel-5.50-authpriv.patch | 79 ++++---
 SOURCES/stunnel-5.50-systemd-service.patch | 11 -
 SOURCES/stunnel-5.56-coverity.patch | 22 --
 SOURCES/stunnel-5.56-curves-doc-update.patch | 122 ++++++----
 SOURCES/stunnel-5.56-system-ciphers.patch | 12 -
 SOURCES/stunnel-5.56-verify-chain.patch | 219 ------------------
 SOURCES/stunnel-5.56.tar.gz.asc | 18 --
 SOURCES/stunnel-5.61-systemd-service.patch | 27 +++
 ...=> stunnel-5.69-default-tls-version.patch} | 143 +++++++-----
 SOURCES/stunnel-5.69-system-ciphers.patch | 37 +++
 ...e-NO_TLSv1.-123-option-compatibility.patch | 37 +++
 SOURCES/stunnel-5.71.tar.gz.asc | 18 ++
 SPECS/stunnel.spec | 74 +++---
 16 files changed, 499 insertions(+), 449 deletions(-)
 create mode 100644 SOURCES/pgp.asc
 delete mode 100644 SOURCES/stunnel-5.50-systemd-service.patch
 delete mode 100644 SOURCES/stunnel-5.56-coverity.patch
 delete mode 100644 SOURCES/stunnel-5.56-system-ciphers.patch
 delete mode 100644 SOURCES/stunnel-5.56-verify-chain.patch
 delete mode 100644 SOURCES/stunnel-5.56.tar.gz.asc
 create mode 100644 SOURCES/stunnel-5.61-systemd-service.patch
 rename SOURCES/{stunnel-5.56-default-tls-version.patch => stunnel-5.69-default-tls-version.patch} (53%)
 create mode 100644 SOURCES/stunnel-5.69-system-ciphers.patch
 create mode 100644 SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
 create mode 100644 SOURCES/stunnel-5.71.tar.gz.asc
diff --git a/.gitignore b/.gitignore
index 413edf9..a0c6578 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.56.tar.gz
+SOURCES/stunnel-5.71.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
index 01414ab..f05f04b 100644
--- a/.stunnel.metadata
+++ b/.stunnel.metadata
@@ -1 +1 @@
-a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
+dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz
diff --git a/SOURCES/pgp.asc b/SOURCES/pgp.asc
new file mode 100644
index 0000000..69e2e4e
--- /dev/null
+++ b/SOURCES/pgp.asc
@@ -0,0 +1,125 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0 +hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf +ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S +fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY +kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX +1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8 +rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn +RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN +Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E +sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk +4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB +tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+ +iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT +1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK +JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan +OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT +JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe +tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa +sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx +RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu +XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc +Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq +HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA +G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD +ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu +VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj +k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs +pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq 
+eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL +CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG +L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH +xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez +YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l +qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR +EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm +qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c +MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy +b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb +AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq +owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U +0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+ +B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN +d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ +zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx +Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H +3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV +t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8 +eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b +rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst +r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb +/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN +aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE +iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl +qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS +bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ +jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ +Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj 
+zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM +f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM +9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio +bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e +GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23 ++6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU +68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z +kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6 +q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1 +3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb +Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G +KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ +HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef +wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1 +eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc +gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE +7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB +AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA +N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r +PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f +xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT +3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp +hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j +KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv +MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW +Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY +SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm +CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE +SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA +q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/ 
+fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD +Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g +qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u +/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F +ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj +PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK +zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue +Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU +qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp +42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB +AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd +f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz +qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM +UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN +oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV +wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW +YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv +WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG +TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV +AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz +GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM +eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8 +PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw +I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2 +1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx +dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml +DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M +5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+ +kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh +NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b 
+zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s +wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B +=EgcU +-----END PGP PUBLIC KEY BLOCK----- diff --git a/SOURCES/stunnel-5.50-authpriv.patch b/SOURCES/stunnel-5.50-authpriv.patch index 13c1e9c..dbb3b43 100644 --- a/SOURCES/stunnel-5.50-authpriv.patch +++ b/SOURCES/stunnel-5.50-authpriv.patch 
@@ -1,43 +1,62 @@ -diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in ---- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100 -+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100 -@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th - all levels numerically less than it will be shown. Use \fIdebug = debug\fR or - \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). +From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch + +Patch-name: stunnel-5.50-authpriv.patch +Patch-id: 0 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + doc/stunnel.8.in | 2 +- + doc/stunnel.html.in | 2 +- + doc/stunnel.pod.in | 2 +- + src/options.c | 4 ++++ + 4 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in +index 8cd8bc0..b5d7d75 100644 +--- a/doc/stunnel.8.in ++++ b/doc/stunnel.8.in +@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused. .Sp --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. + The default logging level is notice (5). + .Sp +-The syslog 'daemon' facility will be used unless a facility name is supplied. ++The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) .Sp Case is ignored for both facilities and levels. 
-diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in ---- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100 -+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100 -@@ -244,7 +244,7 @@ +diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in +index a7931aa..cda5993 100644 +--- a/doc/stunnel.html.in ++++ b/doc/stunnel.html.in +@@ -248,7 +248,7 @@ -

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

+

The default logging level is notice (5).

--

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

-+

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

+-

The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

++

The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

Case is ignored for both facilities and levels.

-diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in ---- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100 -+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100 -@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th - all levels numerically less than it will be shown. Use I or - I for greatest debugging output. The default is notice (5). +diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in +index a54b25d..f830cf3 100644 +--- a/doc/stunnel.pod.in ++++ b/doc/stunnel.pod.in +@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused. --The syslog facility 'daemon' will be used unless a facility name is supplied. -+The syslog facility 'authpriv' will be used unless a facility name is supplied. + The default logging level is notice (5). + +-The syslog 'daemon' facility will be used unless a facility name is supplied. ++The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.) Case is ignored for both facilities and levels. -diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c ---- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100 -+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100 -@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD +diff --git a/src/options.c b/src/options.c +index 5f8ad8b..6e4a18b 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr case CMD_SET_DEFAULTS: section->log_level=LOG_NOTICE; #if !defined (USE_WIN32) && !defined (__vms) 
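Review bot: The regenerated header of stunnel-5.50-authpriv.patch (`Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch`, `Patch-id: 0`) records only the mechanics of the re-import and still gives no reason for moving the default syslog facility from daemon to authpriv, which is the security-relevant part of this patch. I would add one sentence to the patch description, e.g. `Default to the authpriv syslog facility so that stunnel's messages are routed together with the host's authentication logs (typically a restricted file such as /var/log/secure under rsyslog defaults) rather than the general daemon log.` The series numbers also disagree across the refreshed patch files — 1/7 here, 2/8 in stunnel-5.61-systemd-service.patch, 6/8 in stunnel-5.56-curves-doc-update.patch, 5/7 in stunnel-5.69-default-tls-version.patch — which suggests they were exported from different states of the same branch; exporting them in one pass would keep the headers consistent. The options.c change continues in the next hunk of this file, where an `#else` fallback to LOG_DAEMON and a second `#endif` appear; the matching `#if` line is presumably the unchanged line between the two hunks and cannot be checked from here.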
@@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c + new_global_options.log_facility=LOG_AUTHPRIV; +#else new_global_options.log_facility=LOG_DAEMON; - #endif +#endif + #endif break; case CMD_SET_COPY: - section->log_level=new_service_options.log_level; +-- +2.39.2 + diff --git a/SOURCES/stunnel-5.50-systemd-service.patch b/SOURCES/stunnel-5.50-systemd-service.patch deleted file mode 100644 index 9fc170b..0000000 --- a/SOURCES/stunnel-5.50-systemd-service.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in ---- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100 -+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100 -@@ -5,6 +5,7 @@ After=syslog.target network.target - [Service] - ExecStart=@bindir@/stunnel - Type=forking -+PrivateTmp=true - - [Install] - WantedBy=multi-user.target diff --git a/SOURCES/stunnel-5.56-coverity.patch b/SOURCES/stunnel-5.56-coverity.patch deleted file mode 100644 index 526f7f0..0000000 --- a/SOURCES/stunnel-5.56-coverity.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c ---- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200 -@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va - for(;;) { - va_copy(ap, start_ap); - n=vsnprintf(p, size, format, ap); -+ va_end(ap); - if(n>-1 && n<(int)size) - return p; - if(n>-1) /* glibc 2.1 */ -diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c ---- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200 -+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200 -@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O - #endif - if(create_client(fd, s, alloc_client_session(opt, s, s))) { - s_log(LOG_ERR, "Connection rejected: create_client failed"); -- closesocket(s); - #ifndef USE_FORK - service_free(opt); - #endif diff --git a/SOURCES/stunnel-5.56-curves-doc-update.patch b/SOURCES/stunnel-5.56-curves-doc-update.patch index 84a01a3..c61263e 100644 --- a/SOURCES/stunnel-5.56-curves-doc-update.patch +++ b/SOURCES/stunnel-5.56-curves-doc-update.patch 
@@ -1,66 +1,98 @@ ---- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200 -+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200 -@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w +From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001 +From: Sahana Prasad +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch + +Patch-name: stunnel-5.56-curves-doc-update.patch +Patch-id: 6 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + doc/stunnel.8.in | 2 ++ + doc/stunnel.html.in | 2 ++ + doc/stunnel.pl.8.in | 2 ++ + doc/stunnel.pl.html.in | 2 ++ + doc/stunnel.pl.pod.in | 2 ++ + doc/stunnel.pod.in | 2 ++ + 6 files changed, 12 insertions(+) + +diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in +index a56f0b7..977a1a4 100644 +--- a/doc/stunnel.8.in ++++ b/doc/stunnel.8.in +@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and .IX Item "curves = list" \&\s-1ECDH\s0 curves separated with ':' .Sp +Note: This option is supported for server mode sockets only. +.Sp - Only a single curve name is allowed for OpenSSL older than 1.1.0. + Only a single curve name is allowed for OpenSSL older than 1.1.1. .Sp To get a list of supported curves use: ---- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200 -+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200 -@@ -568,6 +568,8 @@ +diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in +index 608afa9..cecc81a 100644 +--- a/doc/stunnel.html.in ++++ b/doc/stunnel.html.in +@@ -570,6 +570,8 @@

ECDH curves separated with ':'

+

Note: This option is supported for server mode sockets only.

+ -

Only a single curve name is allowed for OpenSSL older than 1.1.0.

+

Only a single curve name is allowed for OpenSSL older than 1.1.1.

To get a list of supported curves use:

---- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200 -+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200 -@@ -499,6 +499,8 @@ I options. - - ECDH curves separated with ':' - -+Note: This option is supported for server mode sockets only. -+ - Only a single curve name is allowed for OpenSSL older than 1.1.0. - - To get a list of supported curves use: ---- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200 -+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200 -@@ -507,6 +507,8 @@ przez opcje I i Ikrzywe ECDH odddzielone ':'

- -+

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

-+ -

Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.

- -

Listę dostępnych krzywych można uzyskać poleceniem:

---- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200 -+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200 -@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif +diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in +index e2e6622..eae88f8 100644 +--- a/doc/stunnel.pl.8.in ++++ b/doc/stunnel.pl.8.in +@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR. .IX Item "curves = lista" krzywe \s-1ECDH\s0 odddzielone ':' .Sp +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. +.Sp - Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej. + Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej. .Sp Listę dostępnych krzywych można uzyskać poleceniem: +diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in +index 7be87f1..7fd7a7c 100644 +--- a/doc/stunnel.pl.html.in ++++ b/doc/stunnel.pl.html.in +@@ -568,6 +568,8 @@ + +

krzywe ECDH odddzielone ':'

+ ++

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

++ +

Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.

+ +

Listę dostępnych krzywych można uzyskać poleceniem:

+diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in +index dc6b255..712f751 100644 +--- a/doc/stunnel.pl.pod.in ++++ b/doc/stunnel.pl.pod.in +@@ -516,6 +516,8 @@ przez opcje I i I. + + krzywe ECDH odddzielone ':' + ++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. ++ + Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej. + + Listę dostępnych krzywych można uzyskać poleceniem: +diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in +index 840c708..85cc199 100644 +--- a/doc/stunnel.pod.in ++++ b/doc/stunnel.pod.in +@@ -501,6 +501,8 @@ I options. + + ECDH curves separated with ':' + ++Note: This option is supported for server mode sockets only. ++ + Only a single curve name is allowed for OpenSSL older than 1.1.1. + + To get a list of supported curves use: +-- +2.37.3 + diff --git a/SOURCES/stunnel-5.56-system-ciphers.patch b/SOURCES/stunnel-5.56-system-ciphers.patch deleted file mode 100644 index de8679c..0000000 --- a/SOURCES/stunnel-5.56-system-ciphers.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c ---- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200 -+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200 -@@ -277,7 +277,7 @@ static char *option_not_found= - "Specified option name is not valid here"; - - static char *stunnel_cipher_list= -- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; -+ "PROFILE=SYSTEM"; - - #ifndef OPENSSL_NO_TLS1_3 - static char *stunnel_ciphersuites= diff --git a/SOURCES/stunnel-5.56-verify-chain.patch b/SOURCES/stunnel-5.56-verify-chain.patch deleted file mode 100644 index d36f240..0000000 --- a/SOURCES/stunnel-5.56-verify-chain.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c ---- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100 -+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100 -@@ -1,6 +1,6 @@ - /* - * stunnel TLS offloading and load-balancing proxy -- * Copyright (C) 1998-2019 Michal Trojnara -+ * Copyright (C) 1998-2020 Michal Trojnara - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the -@@ -39,7 +39,12 @@ - #include "prototypes.h" - - /* global OpenSSL initialization: compression, engine, entropy */ --#if OPENSSL_VERSION_NUMBER>=0x10100000L -+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -+ int idx, long argl, void *argp); -+#if OPENSSL_VERSION_NUMBER>=0x30000000L -+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, -+ void **from_d, int idx, long argl, void *argp); -+#elif OPENSSL_VERSION_NUMBER>=0x10100000L - NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, - void *from_d, int idx, long argl, void *argp); - #else -@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before - index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0, - "SERVICE_OPTIONS pointer", NULL, NULL, NULL); - index_session_authenticated=SSL_SESSION_get_ex_new_index(0, -- "session authenticated", NULL, NULL, NULL); -+ "session authenticated", cb_new_auth, NULL, NULL); - index_session_connect_address=SSL_SESSION_get_ex_new_index(0, - "session connect address", NULL, cb_dup_addr, cb_free_addr); - if(index_ssl_cli<0 || index_ssl_ctx_opt<0 || -@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU - BN_free(dh->p); - BN_free(dh->q); - BN_free(dh->g); -- dh->p = p; -- dh->q = q; -- dh->g = g; -+ dh->p=p; -+ dh->q=q; -+ dh->g=g; - if(q) -- dh->length = BN_num_bits(q); -+ dh->length=BN_num_bits(q); - return 1; - } - #endif - #endif - --#if OPENSSL_VERSION_NUMBER>=0x10100000L 
-+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -+ int idx, long argl, void *argp) { -+ (void)parent; /* squash the unused parameter warning */ -+ (void)ptr; /* squash the unused parameter warning */ -+ (void)argl; /* squash the unused parameter warning */ -+ s_log(LOG_DEBUG, "Initializing application specific data for %s", -+ (char *)argp); -+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1))) -+ sslerror("CRYPTO_set_ex_data"); -+} -+ -+#if OPENSSL_VERSION_NUMBER>=0x30000000L -+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, -+ void **from_d, int idx, long argl, void *argp) { -+#elif OPENSSL_VERSION_NUMBER>=0x10100000L - NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, - void *from_d, int idx, long argl, void *argp) { - #else -diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c ---- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100 -+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100 -@@ -1,6 +1,6 @@ - /* - * stunnel TLS offloading and load-balancing proxy -- * Copyright (C) 1998-2019 Michal Trojnara -+ * Copyright (C) 1998-2020 Michal Trojnara - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the -@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri - s_log(LOG_INFO, "Certificate verification disabled"); - return 1; /* accept */ - } -- if(verify_checks(c, preverify_ok, callback_ctx)) { -+ if(verify_checks(c, preverify_ok, callback_ctx)) -+ return 1; /* accept */ -+ if(c->opt->option.client || c->opt->protocol) -+ return 0; /* reject */ -+ if(c->opt->redirect_addr.names) { - SSL_SESSION *sess=SSL_get1_session(c->ssl); - if(sess) { -- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated, -- (void *)(-1)); -+ int ok=SSL_SESSION_set_ex_data(sess, -+ index_session_authenticated, NULL); - SSL_SESSION_free(sess); - 
if(!ok) { - sslerror("SSL_SESSION_set_ex_data"); -@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri - } - return 1; /* accept */ - } -- if(c->opt->option.client || c->opt->protocol) -- return 0; /* reject */ -- if(c->opt->redirect_addr.names) -- return 1; /* accept */ - return 0; /* reject */ - } - -diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain ---- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100 -+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100 -@@ -0,0 +1,50 @@ -+#!/bin/sh -+ -+# Redirect TLS client connections on certificate-based authentication failures. -+# [client_1] -> [server_1] -> [client_2] -> [server_2] -+# The success is expected because the client presents the *wrong* certificate -+# and the client connection is redirected. -+# Checking if the verifyChain option verifies the peer certificate starting from the root CA. -+ -+. $(dirname $0)/../test_library -+ -+start() { -+ ../../src/stunnel -fd 0 <> "stderr.log" -+exit $? -diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain ---- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100 -+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100 -@@ -0,0 +1,49 @@ -+#!/bin/sh -+ -+# Do not redirect TLS client connections on certificate-based authentication success. -+# [client_1] -> [server_1] -+# The success is expected because the client presents the *correct* certificate -+# and the client connection isn't redirected. -+# Checking if the verifyChain option verifies the peer certificate starting from the root CA. -+ -+. $(dirname $0)/../test_library -+ -+start() { -+ ../../src/stunnel -fd 0 <> "stderr.log" -+exit $? 
diff --git a/SOURCES/stunnel-5.56.tar.gz.asc b/SOURCES/stunnel-5.56.tar.gz.asc deleted file mode 100644 index 6142f0f..0000000 --- a/SOURCES/stunnel-5.56.tar.gz.asc +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC -QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW -4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl -5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3 -n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0 -ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4 -mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV -j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM -cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56 -MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN -Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm -uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ -PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4= -=RhpX ------END PGP SIGNATURE----- diff --git a/SOURCES/stunnel-5.61-systemd-service.patch b/SOURCES/stunnel-5.61-systemd-service.patch new file mode 100644 index 0000000..a7831d8 --- /dev/null +++ b/SOURCES/stunnel-5.61-systemd-service.patch 
@@ -0,0 +1,27 @@ +From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch + +Patch-name: stunnel-5.61-systemd-service.patch +Patch-id: 1 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + tools/stunnel.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in +index fa98996..0c5a216 100644 +--- a/tools/stunnel.service.in ++++ b/tools/stunnel.service.in +@@ -6,6 +6,7 @@ After=syslog.target network-online.target + ExecStart=@bindir@/stunnel + ExecReload=/bin/kill -HUP $MAINPID + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target +-- +2.37.3 + diff --git a/SOURCES/stunnel-5.56-default-tls-version.patch b/SOURCES/stunnel-5.69-default-tls-version.patch similarity index 53% rename from SOURCES/stunnel-5.56-default-tls-version.patch rename to SOURCES/stunnel-5.69-default-tls-version.patch index 2515ee6..36ac353 100644 --- a/SOURCES/stunnel-5.56-default-tls-version.patch +++ b/SOURCES/stunnel-5.69-default-tls-version.patch 
@@ -1,18 +1,68 @@ ---- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 -+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 -@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); - ICON_IMAGE load_icon_file(const char *); - #endif - -+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL -+ crypto policies */ -+ - #endif /* defined PROTOTYPES_H */ - - /* end of prototypes.h */ ---- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 -+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 -@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD +From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch + +Patch-name: stunnel-5.69-default-tls-version.patch +Patch-id: 5 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + src/ctx.c | 34 ++++++++++++++++++++++------------ + src/options.c | 15 +++++++++++---- + src/prototypes.h | 3 +++ + 3 files changed, 36 insertions(+), 16 deletions(-) + +diff --git a/src/ctx.c b/src/ctx.c +index 6a42a6b..cba24d9 100644 +--- a/src/ctx.c ++++ b/src/ctx.c +@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ + section->ctx=SSL_CTX_new(section->option.client ? + TLS_client_method() : TLS_server_method()); + #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ +- if(section->min_proto_version && +- !SSL_CTX_set_min_proto_version(section->ctx, +- section->min_proto_version)) { +- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", +- section->min_proto_version); +- return 1; /* FAILED */ ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS minimum version as specified in" ++ " crypto policies. 
Not setting explicitly."); ++ } else { ++ if(section->min_proto_version && ++ !SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } +- if(section->max_proto_version && +- !SSL_CTX_set_max_proto_version(section->ctx, +- section->max_proto_version)) { +- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", +- section->max_proto_version); +- return 1; /* FAILED */ ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS maximum version as specified in" ++ " crypto policies. Not setting explicitly"); ++ } else { ++ if(section->max_proto_version && ++ !SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); ++ return 1; /* FAILED */ ++ } + } + #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ + if(section->option.client) +diff --git a/src/options.c b/src/options.c +index 4d31815..2ec5934 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr return "Invalid protocol version"; return NULL; /* OK */ case CMD_INITIALIZE: @@ -24,7 +74,7 @@ return "Invalid protocol version range"; break; case CMD_PRINT_DEFAULTS: -@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD +@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMax */ switch(cmd) { case CMD_SET_DEFAULTS: 
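Review bot: In the rebased ctx.c hunk the sentinel branch for `min_proto_version` changes nothing observable apart from the log line: the removed upstream code already skips `SSL_CTX_set_min_proto_version()` when the value is 0 (`if(section->min_proto_version && …)`), and the new `else` branch keeps that same guard, so inside `context_init` the value 0 and `USE_DEFAULT_TLS_VERSION` behave identically; the same holds for the max side. If the sentinel is meant to be distinguishable from 0 elsewhere (the `CMD_INITIALIZE` range check and `CMD_PRINT_DEFAULTS` in options.c, whose changed lines fall in the unchanged part of the patch file between this hunk and `@@ -24,7 +74,7 @@`), the patch description should say so, otherwise a future rebase may collapse it back to 0. Two smaller points: the new code uses `if (` where the surrounding stunnel code and the removed lines use `if(`, and the two INFO messages end differently (`Not setting explicitly.` versus `Not setting explicitly`); making both `" crypto policies. Not setting explicitly."` keeps the logs grep-consistent. The same observation applies to the `@@ -36,11 +86,11 @@` hunk, where the `CMD_SET_DEFAULTS` value moves from `0; /* lowest supported */` to the sentinel.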
@@ -36,11 +86,11 @@ break; case CMD_SET_COPY: section->max_proto_version=new_service_options.max_proto_version; -@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD +@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMin */ switch(cmd) { case CMD_SET_DEFAULTS: -- section->min_proto_version=TLS1_VERSION; +- section->min_proto_version=0; /* lowest supported */ + section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in + OpenSSL crypto + policies. Do not 
@@ -48,45 +98,20 @@ break; case CMD_SET_COPY: section->min_proto_version=new_service_options.min_proto_version; ---- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 -+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 -@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio - section->ctx=SSL_CTX_new(TLS_client_method()); - else /* server mode */ - section->ctx=SSL_CTX_new(TLS_server_method()); -- if(!SSL_CTX_set_min_proto_version(section->ctx, -- section->min_proto_version)) { -- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -- section->min_proto_version); -- return 1; /* FAILED */ +diff --git a/src/prototypes.h b/src/prototypes.h +index 0ecd719..a126c9e 100644 +--- a/src/prototypes.h ++++ b/src/prototypes.h +@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); + ICON_IMAGE load_icon_file(const char *); + #endif + ++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL ++ crypto policies */ + -+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in \ -+ OpenSSL crypto policies. Not setting explicitly."); -+ } else { -+ if(!SSL_CTX_set_min_proto_version(section->ctx, -+ section->min_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", -+ section->min_proto_version); -+ return 1; /* FAILED */ -+ } - } -- if(!SSL_CTX_set_max_proto_version(section->ctx, -- section->max_proto_version)) { -- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -- section->max_proto_version); -- return 1; /* FAILED */ -+ -+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { -+ s_log(LOG_INFO, "Using the default TLS version as specified in \ -+ OpenSSL crypto policies. 
Not setting explicitly"); -+ } else { -+ if(!SSL_CTX_set_max_proto_version(section->ctx, -+ section->max_proto_version)) { -+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", -+ section->max_proto_version); -+ return 1; /* FAILED */ -+ } - } - #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ - if(section->option.client) + #endif /* defined PROTOTYPES_H */ + + /* end of prototypes.h */ +-- +2.39.2 + diff --git a/SOURCES/stunnel-5.69-system-ciphers.patch b/SOURCES/stunnel-5.69-system-ciphers.patch new file mode 100644 index 0000000..c7be57d --- /dev/null +++ b/SOURCES/stunnel-5.69-system-ciphers.patch @@ -0,0 +1,37 @@ +From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001 +From: Sahana Prasad +Date: Mon, 12 Sep 2022 11:07:38 +0200 +Subject: [PATCH 3/7] Use cipher configuration from crypto-policies + +On Fedora, CentOS and RHEL, the system's crypto policies are the best +source to determine which cipher suites to accept in TLS. On these +platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those +policies. Change stunnel to default to this setting. + +Co-Authored-by: Sahana Prasad +Patch-name: stunnel-5.69-system-ciphers.patch +Patch-id: 3 +From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 +--- + src/options.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/options.c b/src/options.c +index 6e4a18b..4d31815 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -321,9 +321,9 @@ static const char *option_not_found= + "Specified option name is not valid here"; + + static const char *stunnel_cipher_list= +- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + static const char *fips_cipher_list= +- "FIPS:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + + #ifndef OPENSSL_NO_TLS1_3 + static const char *stunnel_ciphersuites= +-- +2.39.2 + 
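Review bot: `USE_DEFAULT_TLS_VERSION ((int)-2)` is a sentinel that must never reach `SSL_CTX_set_min_proto_version()`/`SSL_CTX_set_max_proto_version()`, but the comment in prototypes.h only says what it means, not how it must be handled, so a maintainer adding a new numeric comparison on `min_proto_version`/`max_proto_version` gets no warning. I would extend the comment to state that the value is negative on purpose so it cannot collide with 0 ("not set") or a real `TLS1_*_VERSION` constant, and that every consumer has to test for it before any numeric comparison or OpenSSL call. The old 5.56 ctx.c hunk removed here is history and needs no further action.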
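Review bot: `fips_cipher_list` is changed to `"PROFILE=SYSTEM"`, which means that in FIPS mode stunnel no longer applies its own `FIPS:!DH:!kDHEPSK` restriction and relies entirely on the active crypto policy being the FIPS one; neither the hunk nor the patch description records that the FIPS list is now intentionally identical to the default list. A short comment above the two definitions would stop a future rebase from "restoring" one of them, e.g. `/* Both lists defer to the system crypto policy (OpenSSL PROFILE=SYSTEM); in FIPS mode the policy itself constrains the ciphers. */`. This only covers the TLS 1.2-and-earlier cipher lists; `stunnel_ciphersuites` (TLS 1.3) begins right after the hunk and is untouched, which may be intended but is worth stating in the description.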
diff --git a/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch b/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
new file mode 100644
index 0000000..8b11a61
--- /dev/null
+++ b/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
@@ -0,0 +1,37 @@
+From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Thu, 19 Oct 2023 14:41:54 +0200
+Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
+
+On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
+NO_TLSv1.3 values for the options directive. Since we do not break
+compatibility, preserve these options for customers that have them set.
+
+Related: RHEL-2340
+---
+ src/options.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/options.c b/src/options.c
+index a306c4c..c05692c 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_1
+ {"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
++ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+ {"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
++ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_3
+ {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
++ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
+ #endif
+ #ifdef SSL_OP_PKCS1_CHECK_1
+ {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
+--
+2.41.0
+
diff --git a/SOURCES/stunnel-5.71.tar.gz.asc b/SOURCES/stunnel-5.71.tar.gz.asc
new file mode 100644
index 0000000..6c33f21
--- /dev/null
+++ b/SOURCES/stunnel-5.71.tar.gz.asc
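Review bot: The three added rows of `ssl_opts[]` are downstream-only aliases, but nothing in the table marks them as such, so a future rebase can drop them silently; a trailing comment on each added line, `{"NO_TLSv1.1", SSL_OP_NO_TLSv1_1}, /* RHEL 8 compat alias */`, keeps the reason next to the code (the patch header already explains it). Like the upstream spellings, the aliases only exist where the enclosing `#ifdef SSL_OP_NO_TLSv1_*` guards are satisfied, so a configuration using them on a build without that protocol is rejected rather than ignored — worth a line in the description. The `ssl_opts[]` array starts and ends outside the hunk.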
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC +QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW +4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A +NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+ +qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4 +37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL +Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9 +SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr +iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr +tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx +bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy +6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn +l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU= +=6RnW +-----END PGP SIGNATURE----- diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec index 8b55caa..1597e04 100644 --- a/SPECS/stunnel.spec +++ b/SPECS/stunnel.spec @@ -1,7 +1,7 @@ # Do not generate provides for private libraries %global __provides_exclude_from ^%{_libdir}/stunnel/.*$ -%if 0%{?fedora} > 27 || 0%{?rhel} > 7 +%if 0%{?fedora} || 0%{?rhel} > 7 %bcond_with libwrap %else %bcond_without libwrap @@ -9,11 +9,11 @@ Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.56 -Release: 5%{?dist} +Version: 5.71 +Release: 2%{?dist} License: GPLv2 Group: Applications/Internet -URL: http://www.stunnel.org/ +URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source2: Certificate-Creation 
@@ -22,15 +22,20 @@ Source4: stunnel-sfinger.conf Source5: pop3-redirect.xinetd Source6: stunnel-pop3s-client.conf Source7: stunnel@.service +# Upstream release signing key +# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because +# the remote one makes packit source-git choke. +Source99: pgp.asc Patch0: stunnel-5.50-authpriv.patch -Patch1: stunnel-5.50-systemd-service.patch -Patch3: stunnel-5.56-system-ciphers.patch -Patch4: stunnel-5.56-coverity.patch -Patch5: stunnel-5.56-default-tls-version.patch +Patch1: stunnel-5.61-systemd-service.patch +Patch3: stunnel-5.69-system-ciphers.patch +Patch5: stunnel-5.69-default-tls-version.patch Patch6: stunnel-5.56-curves-doc-update.patch -Patch7: stunnel-5.56-verify-chain.patch +Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch # util-linux is needed for rename +BuildRequires: make BuildRequires: gcc +BuildRequires: gnupg2 BuildRequires: openssl-devel, pkgconfig, util-linux BuildRequires: autoconf automake libtool %if %{with libwrap} @@ -40,7 +45,8 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/bin/pod2html # build test requirements BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps -BuildRequires: systemd +BuildRequires: python3.11 python3.11-cryptography openssl +BuildRequires: systemd systemd-devel %{?systemd_requires} %description 
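Review bot: `Source99: pgp.asc` is the trust root for the new `%{gpgverify}` step, yet the comment above it only gives the upstream URL, so a reviewer of a later update that replaces pgp.asc has nothing in the spec to compare the new file against. Record the key fingerprint next to the source line, e.g. `# Key fingerprint: <FINGERPRINT-OF-KEY-IN-pgp.asc>` (as shown by `gpg --show-keys pgp.asc`), so that a key swap appears as a reviewable spec change rather than only as a blob change. `BuildRequires: gnupg2` is what `%{gpgverify}` needs; the test-only `BuildRequires: python3.11 python3.11-cryptography openssl` in the `@@ -40,7 +45,8 @@` hunk sits under the existing `# build test requirements` comment, which is fine.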
@@ -50,20 +56,17 @@ to ordinary applications. For example, it can be used in conjunction with imapd to create a TLS secure IMAP server. %prep +%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q %patch0 -p1 -b .authpriv %patch1 -p1 -b .systemd-service %patch3 -p1 -b .system-ciphers -%patch4 -p1 -b .coverity %patch5 -p1 -b .default-tls-version %patch6 -p1 -b .curves-doc-update -%patch7 -p1 -b .verify-chain +%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility -# Fix the configure script output for FIPS mode and stack protector flag -sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure - -# Fix a testcase with system-ciphers support -sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets +# Fix the stack protector flag +sed -i 's/-fstack-protector/-fstack-protector-strong/' configure %build #autoreconf -v @@ -78,6 +81,7 @@ fi %else --disable-libwrap \ %endif + --with-bashcompdir=%{_datadir}/bash-completion/completions \ CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" 
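Review bot: The surviving `sed -i 's/-fstack-protector/-fstack-protector-strong/' configure` is unanchored and not idempotent: if the 5.71 configure script already contains `-fstack-protector-strong` (or `-fstack-protector-all`) the substitution yields `-fstack-protector-strong-strong`, and since `%build` keeps `#autoreconf -v` commented out, the edited configure is the one that runs. Guarding it, `grep -q -- '-fstack-protector-strong' configure || sed -i 's/-fstack-protector/-fstack-protector-strong/' configure`, or matching only the bare flag, makes the edit safe across rebases. Placing `%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` before `%setup -q` is the right order, since the tarball is checked before anything is unpacked.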
@@ -93,22 +97,18 @@ for lang in pl ; do done mkdir srpm-docs cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service -%endif %check -# For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible -# in Fedora or normal RHEL-8 install. -rm tests/recipes/042_inetd -# We override the security policy as it is too strict for the tests. -OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file -export OPENSSL_SYSTEM_CIPHERS_OVERRIDE -OPENSSL_CONF= -export OPENSSL_CONF -make test +if ! make test; then + for i in tests/logs/*.log; do + echo "$i": + cat "$i" + done + exit 1 +fi %files %{!?_licensedir:%global license %%doc} @@ -127,9 +127,8 @@ make test %lang(pl) %{_mandir}/pl/man8/stunnel.8* %dir %{_sysconfdir}/%{name} %exclude %{_sysconfdir}/stunnel/* -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 %{_unitdir}/%{name}*.service -%endif +%{_datadir}/bash-completion/completions/%{name}.bash %post /sbin/ldconfig @@ -143,8 +142,19 @@ make test %systemd_postun_with_restart %{name}.service %changelog -* Tue Feb 16 2021 Sahana Prasad - 5.56-5 -- Fix CVE-2021-20230 stunnel: client certificate not +* Thu Oct 19 2023 Clemens Lang - 5.71-2 +- Restore support for the NO_TLSv1.[123] values for the option directive + Resolves: RHEL-2340 + +* Thu Oct 05 2023 Clemens Lang - 5.71-1 +- New upstream release 5.71 + Resolves: RHEL-2340 +- Enable socket activation support +- verify upstream source in %%prep +- clean up stale conditionals + +* Tue Feb 23 2021 Sahana Prasad - 5.56-5 +- Fixes CVE-2021-20230 stunnel: client certificate not correctly verified when redirect and verifyChain options are used. * Thu Apr 16 2020 Sahana Prasad - 5.56-4
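Review bot: The failure branch in `%check` loops over `tests/logs/*.log` without `nullglob`, so if the test driver died before writing any log the loop runs once with the literal pattern and `cat` fails with "No such file", hiding the real cause; `exit 1` still fires, but the diagnostic is lost. `for i in tests/logs/*.log; do [ -e "$i" ] || continue; echo "$i":; cat "$i"; done` keeps the output useful without depending on the scriptlet shell. Dropping `OPENSSL_SYSTEM_CIPHERS_OVERRIDE` and the empty `OPENSSL_CONF=` means the suite now runs under the real system crypto policy, which matches the `PROFILE=SYSTEM` patch; a one-line comment saying so would explain why the override is gone.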