import CS stunnel-5.71-2.el8
This commit is contained in:
parent
1cc4c07761
commit
1fc37baa6d
2
.gitignore
2
.gitignore
@ -1 +1 @@
|
|||||||
SOURCES/stunnel-5.56.tar.gz
|
SOURCES/stunnel-5.71.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
|
dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz
|
||||||
|
125
SOURCES/pgp.asc
125
SOURCES/pgp.asc
@ -0,0 +1,125 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
|
||||||
|
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
|
||||||
|
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
|
||||||
|
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
|
||||||
|
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
|
||||||
|
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
|
||||||
|
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
|
||||||
|
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
|
||||||
|
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
|
||||||
|
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
|
||||||
|
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
|
||||||
|
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
|
||||||
|
iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT
|
||||||
|
1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK
|
||||||
|
JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan
|
||||||
|
OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT
|
||||||
|
JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe
|
||||||
|
tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa
|
||||||
|
sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx
|
||||||
|
RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu
|
||||||
|
XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc
|
||||||
|
Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq
|
||||||
|
HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA
|
||||||
|
G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD
|
||||||
|
ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu
|
||||||
|
VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID
|
||||||
|
AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj
|
||||||
|
k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs
|
||||||
|
pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq
|
||||||
|
eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL
|
||||||
|
CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG
|
||||||
|
L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH
|
||||||
|
xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez
|
||||||
|
YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l
|
||||||
|
qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR
|
||||||
|
EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm
|
||||||
|
qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c
|
||||||
|
MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy
|
||||||
|
b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb
|
||||||
|
AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq
|
||||||
|
owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U
|
||||||
|
0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+
|
||||||
|
B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN
|
||||||
|
d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ
|
||||||
|
zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx
|
||||||
|
Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H
|
||||||
|
3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV
|
||||||
|
t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8
|
||||||
|
eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b
|
||||||
|
rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst
|
||||||
|
r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb
|
||||||
|
/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN
|
||||||
|
aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI
|
||||||
|
CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE
|
||||||
|
iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl
|
||||||
|
qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS
|
||||||
|
bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ
|
||||||
|
jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ
|
||||||
|
Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj
|
||||||
|
zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM
|
||||||
|
f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM
|
||||||
|
9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio
|
||||||
|
bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e
|
||||||
|
GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23
|
||||||
|
+6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU
|
||||||
|
68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z
|
||||||
|
kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6
|
||||||
|
q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1
|
||||||
|
3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb
|
||||||
|
Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G
|
||||||
|
KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ
|
||||||
|
HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef
|
||||||
|
wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1
|
||||||
|
eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc
|
||||||
|
gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE
|
||||||
|
7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB
|
||||||
|
AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA
|
||||||
|
N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r
|
||||||
|
PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f
|
||||||
|
xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT
|
||||||
|
3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp
|
||||||
|
hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j
|
||||||
|
KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv
|
||||||
|
MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW
|
||||||
|
Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY
|
||||||
|
SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm
|
||||||
|
CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE
|
||||||
|
SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA
|
||||||
|
q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/
|
||||||
|
fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD
|
||||||
|
Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g
|
||||||
|
qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u
|
||||||
|
/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F
|
||||||
|
ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj
|
||||||
|
PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK
|
||||||
|
zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue
|
||||||
|
Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU
|
||||||
|
qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp
|
||||||
|
42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB
|
||||||
|
AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd
|
||||||
|
f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz
|
||||||
|
qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM
|
||||||
|
UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN
|
||||||
|
oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV
|
||||||
|
wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW
|
||||||
|
YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv
|
||||||
|
WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG
|
||||||
|
TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV
|
||||||
|
AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz
|
||||||
|
GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM
|
||||||
|
eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8
|
||||||
|
PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw
|
||||||
|
I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2
|
||||||
|
1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx
|
||||||
|
dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml
|
||||||
|
DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M
|
||||||
|
5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+
|
||||||
|
kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh
|
||||||
|
NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b
|
||||||
|
zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
|
||||||
|
wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
|
||||||
|
=EgcU
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
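Review bot: The added SOURCES/pgp.asc only protects the build if the tarball signature is actually checked against it, and nothing in this section shows that wiring (the spec file is not in view). If the spec does not already do so, verify the upstream detached signature in %prep, e.g. `%{gpgverify} --keyring=%{SOURCE<KEY>} --signature=%{SOURCE<SIG>} --data=%{SOURCE0}` (source numbers are placeholders), with the signature file added as a Source and a spec comment recording the expected key fingerprint `<FINGERPRINT>` so that a swapped key block is visible in later reviews. The key's identity and expiry cannot be read from the armored text here, so the fingerprint should be confirmed out of band before the first build that trusts it.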
@ -1,43 +1,62 @@
|
|||||||
diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
|
From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
|
||||||
--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th
|
Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
|
||||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
|
||||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
Patch-name: stunnel-5.50-authpriv.patch
|
||||||
|
Patch-id: 0
|
||||||
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
|
---
|
||||||
|
doc/stunnel.8.in | 2 +-
|
||||||
|
doc/stunnel.html.in | 2 +-
|
||||||
|
doc/stunnel.pod.in | 2 +-
|
||||||
|
src/options.c | 4 ++++
|
||||||
|
4 files changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||||
|
index 8cd8bc0..b5d7d75 100644
|
||||||
|
--- a/doc/stunnel.8.in
|
||||||
|
+++ b/doc/stunnel.8.in
|
||||||
|
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||||
.Sp
|
.Sp
|
||||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
The default logging level is notice (5).
|
||||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
.Sp
|
||||||
|
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||||
|
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||||
(Facilities are not supported on Win32.)
|
(Facilities are not supported on Win32.)
|
||||||
.Sp
|
.Sp
|
||||||
Case is ignored for both facilities and levels.
|
Case is ignored for both facilities and levels.
|
||||||
diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
|
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||||
--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100
|
index a7931aa..cda5993 100644
|
||||||
+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100
|
--- a/doc/stunnel.html.in
|
||||||
@@ -244,7 +244,7 @@
|
+++ b/doc/stunnel.html.in
|
||||||
|
@@ -248,7 +248,7 @@
|
||||||
|
|
||||||
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
|
<p>The default logging level is notice (5).</p>
|
||||||
|
|
||||||
-<p>The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
-<p>The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||||
+<p>The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
+<p>The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||||
|
|
||||||
<p>Case is ignored for both facilities and levels.</p>
|
<p>Case is ignored for both facilities and levels.</p>
|
||||||
|
|
||||||
diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
|
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||||
--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100
|
index a54b25d..f830cf3 100644
|
||||||
+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100
|
--- a/doc/stunnel.pod.in
|
||||||
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th
|
+++ b/doc/stunnel.pod.in
|
||||||
all levels numerically less than it will be shown. Use I<debug = debug> or
|
@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||||
I<debug = 7> for greatest debugging output. The default is notice (5).
|
|
||||||
|
|
||||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
The default logging level is notice (5).
|
||||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
|
||||||
|
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||||
|
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||||
(Facilities are not supported on Win32.)
|
(Facilities are not supported on Win32.)
|
||||||
|
|
||||||
Case is ignored for both facilities and levels.
|
Case is ignored for both facilities and levels.
|
||||||
diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
|
diff --git a/src/options.c b/src/options.c
|
||||||
--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100
|
index 5f8ad8b..6e4a18b 100644
|
||||||
+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100
|
--- a/src/options.c
|
||||||
@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
|
+++ b/src/options.c
|
||||||
|
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
section->log_level=LOG_NOTICE;
|
section->log_level=LOG_NOTICE;
|
||||||
#if !defined (USE_WIN32) && !defined (__vms)
|
#if !defined (USE_WIN32) && !defined (__vms)
|
||||||
@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
|
|||||||
+ new_global_options.log_facility=LOG_AUTHPRIV;
|
+ new_global_options.log_facility=LOG_AUTHPRIV;
|
||||||
+#else
|
+#else
|
||||||
new_global_options.log_facility=LOG_DAEMON;
|
new_global_options.log_facility=LOG_DAEMON;
|
||||||
#endif
|
|
||||||
+#endif
|
+#endif
|
||||||
|
#endif
|
||||||
break;
|
break;
|
||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->log_level=new_service_options.log_level;
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
|
|
||||||
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
|
|
||||||
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
|
|
||||||
@@ -5,6 +5,7 @@ After=syslog.target network.target
|
|
||||||
[Service]
|
|
||||||
ExecStart=@bindir@/stunnel
|
|
||||||
Type=forking
|
|
||||||
+PrivateTmp=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
@ -1,22 +0,0 @@
|
|||||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
|
||||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
|
||||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
|
||||||
for(;;) {
|
|
||||||
va_copy(ap, start_ap);
|
|
||||||
n=vsnprintf(p, size, format, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
if(n>-1 && n<(int)size)
|
|
||||||
return p;
|
|
||||||
if(n>-1) /* glibc 2.1 */
|
|
||||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
|
||||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
|
||||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
|
||||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
|
||||||
#endif
|
|
||||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
|
||||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
|
||||||
- closesocket(s);
|
|
||||||
#ifndef USE_FORK
|
|
||||||
service_free(opt);
|
|
||||||
#endif
|
|
@ -1,66 +1,98 @@
|
|||||||
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
|
From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
|
||||||
+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
|
From: Sahana Prasad <sahana@redhat.com>
|
||||||
@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
|
Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
|
||||||
|
|
||||||
|
Patch-name: stunnel-5.56-curves-doc-update.patch
|
||||||
|
Patch-id: 6
|
||||||
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
|
---
|
||||||
|
doc/stunnel.8.in | 2 ++
|
||||||
|
doc/stunnel.html.in | 2 ++
|
||||||
|
doc/stunnel.pl.8.in | 2 ++
|
||||||
|
doc/stunnel.pl.html.in | 2 ++
|
||||||
|
doc/stunnel.pl.pod.in | 2 ++
|
||||||
|
doc/stunnel.pod.in | 2 ++
|
||||||
|
6 files changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||||
|
index a56f0b7..977a1a4 100644
|
||||||
|
--- a/doc/stunnel.8.in
|
||||||
|
+++ b/doc/stunnel.8.in
|
||||||
|
@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
|
||||||
.IX Item "curves = list"
|
.IX Item "curves = list"
|
||||||
\&\s-1ECDH\s0 curves separated with ':'
|
\&\s-1ECDH\s0 curves separated with ':'
|
||||||
.Sp
|
.Sp
|
||||||
+Note: This option is supported for server mode sockets only.
|
+Note: This option is supported for server mode sockets only.
|
||||||
+.Sp
|
+.Sp
|
||||||
Only a single curve name is allowed for OpenSSL older than 1.1.0.
|
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||||
.Sp
|
.Sp
|
||||||
To get a list of supported curves use:
|
To get a list of supported curves use:
|
||||||
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
|
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||||
+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
|
index 608afa9..cecc81a 100644
|
||||||
@@ -568,6 +568,8 @@
|
--- a/doc/stunnel.html.in
|
||||||
|
+++ b/doc/stunnel.html.in
|
||||||
|
@@ -570,6 +570,8 @@
|
||||||
|
|
||||||
<p>ECDH curves separated with ':'</p>
|
<p>ECDH curves separated with ':'</p>
|
||||||
|
|
||||||
+<p>Note: This option is supported for server mode sockets only.</p>
|
+<p>Note: This option is supported for server mode sockets only.</p>
|
||||||
+
|
+
|
||||||
<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p>
|
<p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>
|
||||||
|
|
||||||
<p>To get a list of supported curves use:</p>
|
<p>To get a list of supported curves use:</p>
|
||||||
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
|
diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
|
||||||
+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
|
index e2e6622..eae88f8 100644
|
||||||
@@ -499,6 +499,8 @@ I<verifyPeer> options.
|
--- a/doc/stunnel.pl.8.in
|
||||||
|
+++ b/doc/stunnel.pl.8.in
|
||||||
ECDH curves separated with ':'
|
@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
|
||||||
|
|
||||||
+Note: This option is supported for server mode sockets only.
|
|
||||||
+
|
|
||||||
Only a single curve name is allowed for OpenSSL older than 1.1.0.
|
|
||||||
|
|
||||||
To get a list of supported curves use:
|
|
||||||
--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
|
|
||||||
+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
|
|
||||||
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
|
|
||||||
|
|
||||||
krzywe ECDH odddzielone ':'
|
|
||||||
|
|
||||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
|
||||||
+
|
|
||||||
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
|
|
||||||
|
|
||||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
|
||||||
--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
|
|
||||||
+++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
|
|
||||||
@@ -564,6 +564,8 @@
|
|
||||||
|
|
||||||
<p>krzywe ECDH odddzielone ':'</p>
|
|
||||||
|
|
||||||
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
|
|
||||||
+
|
|
||||||
<p>Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.</p>
|
|
||||||
|
|
||||||
<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
|
|
||||||
--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
|
|
||||||
+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
|
|
||||||
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
|
|
||||||
.IX Item "curves = lista"
|
.IX Item "curves = lista"
|
||||||
krzywe \s-1ECDH\s0 odddzielone ':'
|
krzywe \s-1ECDH\s0 odddzielone ':'
|
||||||
.Sp
|
.Sp
|
||||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||||
+.Sp
|
+.Sp
|
||||||
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
|
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||||
.Sp
|
.Sp
|
||||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||||
|
diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
|
||||||
|
index 7be87f1..7fd7a7c 100644
|
||||||
|
--- a/doc/stunnel.pl.html.in
|
||||||
|
+++ b/doc/stunnel.pl.html.in
|
||||||
|
@@ -568,6 +568,8 @@
|
||||||
|
|
||||||
|
<p>krzywe ECDH odddzielone ':'</p>
|
||||||
|
|
||||||
|
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
|
||||||
|
+
|
||||||
|
<p>Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.</p>
|
||||||
|
|
||||||
|
<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
|
||||||
|
diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
|
||||||
|
index dc6b255..712f751 100644
|
||||||
|
--- a/doc/stunnel.pl.pod.in
|
||||||
|
+++ b/doc/stunnel.pl.pod.in
|
||||||
|
@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
|
||||||
|
|
||||||
|
krzywe ECDH odddzielone ':'
|
||||||
|
|
||||||
|
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||||
|
+
|
||||||
|
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||||
|
|
||||||
|
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||||
|
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||||
|
index 840c708..85cc199 100644
|
||||||
|
--- a/doc/stunnel.pod.in
|
||||||
|
+++ b/doc/stunnel.pod.in
|
||||||
|
@@ -501,6 +501,8 @@ I<verifyPeer> options.
|
||||||
|
|
||||||
|
ECDH curves separated with ':'
|
||||||
|
|
||||||
|
+Note: This option is supported for server mode sockets only.
|
||||||
|
+
|
||||||
|
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||||
|
|
||||||
|
To get a list of supported curves use:
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
||||||
|
@ -1,12 +0,0 @@
|
|||||||
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
|
|
||||||
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
|
|
||||||
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
|
|
||||||
@@ -277,7 +277,7 @@ static char *option_not_found=
|
|
||||||
"Specified option name is not valid here";
|
|
||||||
|
|
||||||
static char *stunnel_cipher_list=
|
|
||||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
|
||||||
+ "PROFILE=SYSTEM";
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_TLS1_3
|
|
||||||
static char *stunnel_ciphersuites=
|
|
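Review bot: Dropping the system-ciphers patch removes the `PROFILE=SYSTEM` default cipher list (the deleted hunk replaced `"HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";` with `"PROFILE=SYSTEM";` in `stunnel_cipher_list`), and nothing on this page shows whether stunnel 5.71 honours the system crypto policy on its own; if it does not, this import silently takes stunnel out of crypto-policies control on el8. The same question applies to the other downstream patches deleted in this commit: the `PrivateTmp=true` hardening in the systemd-service section (`@ -1,11 +0,0 @@`) and the `va_end(ap)` / duplicate `closesocket(s)` fixes in the coverity section (`@ -1,22 +0,0 @@`). Each dropped patch should be traced to the upstream change that made it obsolete, and the spec's %changelog entry should name that change so the regression check is reproducible.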
@ -1,219 +0,0 @@
|
|||||||
diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
|
|
||||||
--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
|
|
||||||
+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* stunnel TLS offloading and load-balancing proxy
|
|
||||||
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
*
|
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
|
||||||
* under the terms of the GNU General Public License as published by the
|
|
||||||
@@ -39,7 +39,12 @@
|
|
||||||
#include "prototypes.h"
|
|
||||||
|
|
||||||
/* global OpenSSL initialization: compression, engine, entropy */
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
|
||||||
+ int idx, long argl, void *argp);
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
|
||||||
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
+ void **from_d, int idx, long argl, void *argp);
|
|
||||||
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
void *from_d, int idx, long argl, void *argp);
|
|
||||||
#else
|
|
||||||
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
|
|
||||||
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
|
|
||||||
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
|
|
||||||
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
|
|
||||||
- "session authenticated", NULL, NULL, NULL);
|
|
||||||
+ "session authenticated", cb_new_auth, NULL, NULL);
|
|
||||||
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
|
|
||||||
"session connect address", NULL, cb_dup_addr, cb_free_addr);
|
|
||||||
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
|
|
||||||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
|
|
||||||
BN_free(dh->p);
|
|
||||||
BN_free(dh->q);
|
|
||||||
BN_free(dh->g);
|
|
||||||
- dh->p = p;
|
|
||||||
- dh->q = q;
|
|
||||||
- dh->g = g;
|
|
||||||
+ dh->p=p;
|
|
||||||
+ dh->q=q;
|
|
||||||
+ dh->g=g;
|
|
||||||
if(q)
|
|
||||||
- dh->length = BN_num_bits(q);
|
|
||||||
+ dh->length=BN_num_bits(q);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
|
|
||||||
+ int idx, long argl, void *argp) {
|
|
||||||
+ (void)parent; /* squash the unused parameter warning */
|
|
||||||
+ (void)ptr; /* squash the unused parameter warning */
|
|
||||||
+ (void)argl; /* squash the unused parameter warning */
|
|
||||||
+ s_log(LOG_DEBUG, "Initializing application specific data for %s",
|
|
||||||
+ (char *)argp);
|
|
||||||
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
|
|
||||||
+ sslerror("CRYPTO_set_ex_data");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
|
|
||||||
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
+ void **from_d, int idx, long argl, void *argp) {
|
|
||||||
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
|
|
||||||
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
|
|
||||||
void *from_d, int idx, long argl, void *argp) {
|
|
||||||
#else
|
|
||||||
diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
|
|
||||||
--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
|
|
||||||
+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* stunnel TLS offloading and load-balancing proxy
|
|
||||||
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
|
|
||||||
*
|
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
|
||||||
* under the terms of the GNU General Public License as published by the
|
|
||||||
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
|
|
||||||
s_log(LOG_INFO, "Certificate verification disabled");
|
|
||||||
return 1; /* accept */
|
|
||||||
}
|
|
||||||
- if(verify_checks(c, preverify_ok, callback_ctx)) {
|
|
||||||
+ if(verify_checks(c, preverify_ok, callback_ctx))
|
|
||||||
+ return 1; /* accept */
|
|
||||||
+ if(c->opt->option.client || c->opt->protocol)
|
|
||||||
+ return 0; /* reject */
|
|
||||||
+ if(c->opt->redirect_addr.names) {
|
|
||||||
SSL_SESSION *sess=SSL_get1_session(c->ssl);
|
|
||||||
if(sess) {
|
|
||||||
- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
|
|
||||||
- (void *)(-1));
|
|
||||||
+ int ok=SSL_SESSION_set_ex_data(sess,
|
|
||||||
+ index_session_authenticated, NULL);
|
|
||||||
SSL_SESSION_free(sess);
|
|
||||||
if(!ok) {
|
|
||||||
sslerror("SSL_SESSION_set_ex_data");
|
|
||||||
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
|
|
||||||
}
|
|
||||||
return 1; /* accept */
|
|
||||||
}
|
|
||||||
- if(c->opt->option.client || c->opt->protocol)
|
|
||||||
- return 0; /* reject */
|
|
||||||
- if(c->opt->redirect_addr.names)
|
|
||||||
- return 1; /* accept */
|
|
||||||
return 0; /* reject */
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
|
|
||||||
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
|
|
||||||
+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
|
|
||||||
@@ -0,0 +1,50 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# Redirect TLS client connections on certificate-based authentication failures.
|
|
||||||
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
|
|
||||||
+# The success is expected because the client presents the *wrong* certificate
|
|
||||||
+# and the client connection is redirected.
|
|
||||||
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
|
||||||
+
|
|
||||||
+. $(dirname $0)/../test_library
|
|
||||||
+
|
|
||||||
+start() {
|
|
||||||
+ ../../src/stunnel -fd 0 <<EOT
|
|
||||||
+ debug = debug
|
|
||||||
+ syslog = no
|
|
||||||
+ pid = ${result_path}/stunnel.pid
|
|
||||||
+ output = ${result_path}/stunnel.log
|
|
||||||
+
|
|
||||||
+ [client_1]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http1}
|
|
||||||
+ connect = 127.0.0.1:${https1}
|
|
||||||
+ ;cert = ${script_path}/certs/client_cert.pem
|
|
||||||
+;wrong self signed certificate
|
|
||||||
+ cert = ${script_path}/certs/stunnel.pem
|
|
||||||
+
|
|
||||||
+ [client_2]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http2}
|
|
||||||
+ connect = 127.0.0.1:${https2}
|
|
||||||
+
|
|
||||||
+ [server_1]
|
|
||||||
+ accept = 127.0.0.1:${https1}
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 028_redirect_chain_error
|
|
||||||
+ redirect = ${http2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ verifyChain = yes
|
|
||||||
+ CAfile = ${script_path}/certs/CACert.pem
|
|
||||||
+
|
|
||||||
+ [server_2]
|
|
||||||
+ accept = 127.0.0.1:${https2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 028_redirect_chain
|
|
||||||
+
|
|
||||||
+EOT
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
|
||||||
+exit $?
|
|
||||||
diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
|
|
||||||
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
|
|
||||||
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
|
|
||||||
@@ -0,0 +1,49 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+
|
|
||||||
+# Do not redirect TLS client connections on certificate-based authentication success.
|
|
||||||
+# [client_1] -> [server_1]
|
|
||||||
+# The success is expected because the client presents the *correct* certificate
|
|
||||||
+# and the client connection isn't redirected.
|
|
||||||
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
|
|
||||||
+
|
|
||||||
+. $(dirname $0)/../test_library
|
|
||||||
+
|
|
||||||
+start() {
|
|
||||||
+ ../../src/stunnel -fd 0 <<EOT
|
|
||||||
+ debug = debug
|
|
||||||
+ syslog = no
|
|
||||||
+ pid = ${result_path}/stunnel.pid
|
|
||||||
+ output = ${result_path}/stunnel.log
|
|
||||||
+
|
|
||||||
+ [client_1]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http1}
|
|
||||||
+ connect = 127.0.0.1:${https1}
|
|
||||||
+;correct certificate
|
|
||||||
+ cert = ${script_path}/certs/client_cert.pem
|
|
||||||
+
|
|
||||||
+ [client_2]
|
|
||||||
+ client = yes
|
|
||||||
+ accept = 127.0.0.1:${http2}
|
|
||||||
+ connect = 127.0.0.1:${https2}
|
|
||||||
+
|
|
||||||
+ [server_1]
|
|
||||||
+ accept = 127.0.0.1:${https1}
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 029_no_redirect_chain
|
|
||||||
+ redirect = ${http2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ verifyChain = yes
|
|
||||||
+ CAfile = ${script_path}/certs/CACert.pem
|
|
||||||
+
|
|
||||||
+ [server_2]
|
|
||||||
+ accept = 127.0.0.1:${https2}
|
|
||||||
+ cert = ${script_path}/certs/server_cert.pem
|
|
||||||
+ exec = ${script_path}/execute
|
|
||||||
+ execArgs = execute 029_no_redirect_chain_error
|
|
||||||
+
|
|
||||||
+EOT
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
|
|
||||||
+exit $?
|
|
@ -1,18 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo
|
|
||||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
|
||||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
|
||||||
4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl
|
|
||||||
5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3
|
|
||||||
n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0
|
|
||||||
ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4
|
|
||||||
mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV
|
|
||||||
j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM
|
|
||||||
cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56
|
|
||||||
MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN
|
|
||||||
Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm
|
|
||||||
uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ
|
|
||||||
PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4=
|
|
||||||
=RhpX
|
|
||||||
-----END PGP SIGNATURE-----
|
|
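--- a/SOURCES/stunnel-5.61-systemd-service.patch
+++ b/SOURCES/stunnel-5.61-systemd-service.patch
@@ -0,0 +1,27 @@
+From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch
+
+Patch-name: stunnel-5.61-systemd-service.patch
+Patch-id: 1
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+tools/stunnel.service.in | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
+index fa98996..0c5a216 100644
+--- a/tools/stunnel.service.in
++++ b/tools/stunnel.service.in
+@@ -6,6 +6,7 @@ After=syslog.target network-online.target
+ ExecStart=@bindir@/stunnel
+ ExecReload=/bin/kill -HUP $MAINPID
+ Type=forking
++PrivateTmp=true
+ 
+ [Install]
+ WantedBy=multi-user.target
+--
+2.37.3
+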
@ -1,18 +1,68 @@
|
|||||||
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
|
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
|
||||||
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
ICON_IMAGE load_icon_file(const char *);
|
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
|
||||||
#endif
|
|
||||||
|
Patch-name: stunnel-5.69-default-tls-version.patch
|
||||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
Patch-id: 5
|
||||||
+ crypto policies */
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
+
|
---
|
||||||
#endif /* defined PROTOTYPES_H */
|
src/ctx.c | 34 ++++++++++++++++++++++------------
|
||||||
|
src/options.c | 15 +++++++++++----
|
||||||
/* end of prototypes.h */
|
src/prototypes.h | 3 +++
|
||||||
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
|
3 files changed, 36 insertions(+), 16 deletions(-)
|
||||||
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
|
|
||||||
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
|
diff --git a/src/ctx.c b/src/ctx.c
|
||||||
|
index 6a42a6b..cba24d9 100644
|
||||||
|
--- a/src/ctx.c
|
||||||
|
+++ b/src/ctx.c
|
||||||
|
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
||||||
|
section->ctx=SSL_CTX_new(section->option.client ?
|
||||||
|
TLS_client_method() : TLS_server_method());
|
||||||
|
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||||
|
- if(section->min_proto_version &&
|
||||||
|
- !SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
|
- section->min_proto_version)) {
|
||||||
|
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||||
|
- section->min_proto_version);
|
||||||
|
- return 1; /* FAILED */
|
||||||
|
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||||
|
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
|
||||||
|
+ " crypto policies. Not setting explicitly.");
|
||||||
|
+ } else {
|
||||||
|
+ if(section->min_proto_version &&
|
||||||
|
+ !SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
|
+ section->min_proto_version)) {
|
||||||
|
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||||
|
+ section->min_proto_version);
|
||||||
|
+ return 1; /* FAILED */
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
- if(section->max_proto_version &&
|
||||||
|
- !SSL_CTX_set_max_proto_version(section->ctx,
|
||||||
|
- section->max_proto_version)) {
|
||||||
|
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||||
|
- section->max_proto_version);
|
||||||
|
- return 1; /* FAILED */
|
||||||
|
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||||
|
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
|
||||||
|
+ " crypto policies. Not setting explicitly");
|
||||||
|
+ } else {
|
||||||
|
+ if(section->max_proto_version &&
|
||||||
|
+ !SSL_CTX_set_max_proto_version(section->ctx,
|
||||||
|
+ section->max_proto_version)) {
|
||||||
|
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||||
|
+ section->max_proto_version);
|
||||||
|
+ return 1; /* FAILED */
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||||
|
if(section->option.client)
|
||||||
|
diff --git a/src/options.c b/src/options.c
|
||||||
|
index 4d31815..2ec5934 100644
|
||||||
|
--- a/src/options.c
|
||||||
|
+++ b/src/options.c
|
||||||
|
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
return "Invalid protocol version";
|
return "Invalid protocol version";
|
||||||
return NULL; /* OK */
|
return NULL; /* OK */
|
||||||
case CMD_INITIALIZE:
|
case CMD_INITIALIZE:
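Review bot: `USE_DEFAULT_TLS_VERSION` is `(int)-2`, which is non-zero and below every real protocol number, so any comparison on min_proto_version/max_proto_version other than the two guarded calls in context_init must exclude it; the `CMD_INITIALIZE` range check that returns `"Invalid protocol version range"` in the next outer hunk is the obvious place, and the single line this inner hunk (`@@ -3371,8 +3371,9 @@`) adds there falls between the two outer hunks, so it cannot be verified from this rendering — please confirm it excludes the sentinel, otherwise a section that sets only sslVersionMin would trip a numeric max-below-min comparison against the default max of -2. The `CMD_PRINT_DEFAULTS` branch should likewise not print the sentinel through `0x%X`. A comment on the define such as `/* sentinel, not a protocol number: exclude it before any numeric comparison */` would make that invariant explicit. Minor style: the new ctx.c branches use `if (` where the surrounding code uses `if(`, and the two LOG_INFO messages differ only by a trailing period. parse_service_option and context_init both extend outside these hunks.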
|
||||||
@ -24,7 +74,7 @@
|
|||||||
return "Invalid protocol version range";
|
return "Invalid protocol version range";
|
||||||
break;
|
break;
|
||||||
case CMD_PRINT_DEFAULTS:
|
case CMD_PRINT_DEFAULTS:
|
||||||
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
|
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
/* sslVersionMax */
|
/* sslVersionMax */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
@ -36,11 +86,11 @@
|
|||||||
break;
|
break;
|
||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->max_proto_version=new_service_options.max_proto_version;
|
section->max_proto_version=new_service_options.max_proto_version;
|
||||||
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
|
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
/* sslVersionMin */
|
/* sslVersionMin */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
- section->min_proto_version=TLS1_VERSION;
|
- section->min_proto_version=0; /* lowest supported */
|
||||||
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||||
+ OpenSSL crypto
|
+ OpenSSL crypto
|
||||||
+ policies. Do not
|
+ policies. Do not
|
||||||
@ -48,45 +98,20 @@
|
|||||||
break;
|
break;
|
||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->min_proto_version=new_service_options.min_proto_version;
|
section->min_proto_version=new_service_options.min_proto_version;
|
||||||
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
|
diff --git a/src/prototypes.h b/src/prototypes.h
|
||||||
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
|
index 0ecd719..a126c9e 100644
|
||||||
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
|
--- a/src/prototypes.h
|
||||||
section->ctx=SSL_CTX_new(TLS_client_method());
|
+++ b/src/prototypes.h
|
||||||
else /* server mode */
|
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||||
section->ctx=SSL_CTX_new(TLS_server_method());
|
ICON_IMAGE load_icon_file(const char *);
|
||||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
#endif
|
||||||
- section->min_proto_version)) {
|
|
||||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||||
- section->min_proto_version);
|
+ crypto policies */
|
||||||
- return 1; /* FAILED */
|
|
||||||
+
|
+
|
||||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
#endif /* defined PROTOTYPES_H */
|
||||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
|
||||||
+ OpenSSL crypto policies. Not setting explicitly.");
|
/* end of prototypes.h */
|
||||||
+ } else {
|
--
|
||||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
2.39.2
|
||||||
+ section->min_proto_version)) {
|
|
||||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
|
||||||
+ section->min_proto_version);
|
|
||||||
+ return 1; /* FAILED */
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
|
||||||
- section->max_proto_version)) {
|
|
||||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
|
||||||
- section->max_proto_version);
|
|
||||||
- return 1; /* FAILED */
|
|
||||||
+
|
|
||||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
|
||||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
|
|
||||||
+ OpenSSL crypto policies. Not setting explicitly");
|
|
||||||
+ } else {
|
|
||||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
|
||||||
+ section->max_proto_version)) {
|
|
||||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
|
||||||
+ section->max_proto_version);
|
|
||||||
+ return 1; /* FAILED */
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
|
||||||
if(section->option.client)
|
|
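--- a/SOURCES/stunnel-5.69-system-ciphers.patch
+++ b/SOURCES/stunnel-5.69-system-ciphers.patch
@@ -0,0 +1,37 @@
+From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
+From: Sahana Prasad <sprasad@localhost.localdomain>
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
+
+On Fedora, CentOS and RHEL, the system's crypto policies are the best
+source to determine which cipher suites to accept in TLS. On these
+platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
+policies. Change stunnel to default to this setting.
+
+Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
+Patch-name: stunnel-5.69-system-ciphers.patch
+Patch-id: 3
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+src/options.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/options.c b/src/options.c
+index 6e4a18b..4d31815 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -321,9 +321,9 @@ static const char *option_not_found=
+ "Specified option name is not valid here";
+ 
+ static const char *stunnel_cipher_list=
+- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+ static const char *fips_cipher_list=
+- "FIPS:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+ 
+ #ifndef OPENSSL_NO_TLS1_3
+ static const char *stunnel_ciphersuites=
+--
+2.39.2
+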
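Review bot: Both `stunnel_cipher_list` and `fips_cipher_list` now read `PROFILE=SYSTEM`, but the TLS 1.3 default `stunnel_ciphersuites`, visible untouched as context at the bottom of the hunk, still carries stunnel's own list, so if ctx.c applies it explicitly the system policy will presumably not govern TLS 1.3 suites — worth confirming, since the commit message says crypto-policies should decide which cipher suites are accepted. A one-line comment above the two assignments, e.g. `/* resolved by OpenSSL from the system-wide crypto policy; see update-crypto-policies(8) */`, would tell readers where the effective value comes from. The `From:` address `sprasad@localhost.localdomain` in the patch header looks like a leftover from a local checkout and could be tidied the next time the patch is regenerated.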
@ -0,0 +1,37 @@
|
|||||||
|
From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Thu, 19 Oct 2023 14:41:54 +0200
|
||||||
|
Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
|
||||||
|
|
||||||
|
On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
|
||||||
|
NO_TLSv1.3 values for the options directive. Since we do not break
|
||||||
|
compatibility, preserve these options for customers that have them set.
|
||||||
|
|
||||||
|
Related: RHEL-2340
|
||||||
|
---
|
||||||
|
src/options.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/options.c b/src/options.c
|
||||||
|
index a306c4c..c05692c 100644
|
||||||
|
--- a/src/options.c
|
||||||
|
+++ b/src/options.c
|
||||||
|
@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
|
||||||
|
#endif
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_1
|
||||||
|
{"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
|
||||||
|
+ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
|
||||||
|
#endif
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_2
|
||||||
|
{"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
|
||||||
|
+ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
|
||||||
|
#endif
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_3
|
||||||
|
{"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
|
||||||
|
+ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
|
||||||
|
#endif
|
||||||
|
#ifdef SSL_OP_PKCS1_CHECK_1
|
||||||
|
{"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
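Review bot: The three new table entries map the dotted spellings to the same SSL_OP_NO_TLSv1_* bits as the existing underscore names, but nothing in the table says they exist only for RHEL 8 compatibility, so a future sync with upstream `ssl_opts[]` could drop them without anyone noticing. A short comment on each, or one above the group, e.g. `/* RHEL 8 compatibility aliases for the underscore forms; see RHEL-2340 */`, would record why they are there. The `ssl_opts[]` array and the `#ifdef` ladder around it extend outside the hunk.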
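--- a/SOURCES/stunnel-5.71.tar.gz.asc
+++ b/SOURCES/stunnel-5.71.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A
+NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+
+qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4
+37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL
+Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9
+SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr
+iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr
+tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx
+bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy
+6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn
+l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU=
+=6RnW
+-----END PGP SIGNATURE-----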
@ -1,7 +1,7 @@
|
|||||||
# Do not generate provides for private libraries
|
# Do not generate provides for private libraries
|
||||||
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
|
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
|
||||||
|
|
||||||
%if 0%{?fedora} > 27 || 0%{?rhel} > 7
|
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||||
%bcond_with libwrap
|
%bcond_with libwrap
|
||||||
%else
|
%else
|
||||||
%bcond_without libwrap
|
%bcond_without libwrap
|
||||||
@ -9,11 +9,11 @@
|
|||||||
|
|
||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.56
|
Version: 5.71
|
||||||
Release: 5%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
URL: http://www.stunnel.org/
|
URL: https://www.stunnel.org/
|
||||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||||
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
||||||
Source2: Certificate-Creation
|
Source2: Certificate-Creation
|
||||||
@ -22,15 +22,20 @@ Source4: stunnel-sfinger.conf
|
|||||||
Source5: pop3-redirect.xinetd
|
Source5: pop3-redirect.xinetd
|
||||||
Source6: stunnel-pop3s-client.conf
|
Source6: stunnel-pop3s-client.conf
|
||||||
Source7: stunnel@.service
|
Source7: stunnel@.service
|
||||||
|
# Upstream release signing key
|
||||||
|
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
|
||||||
|
# the remote one makes packit source-git choke.
|
||||||
|
Source99: pgp.asc
|
||||||
Patch0: stunnel-5.50-authpriv.patch
|
Patch0: stunnel-5.50-authpriv.patch
|
||||||
Patch1: stunnel-5.50-systemd-service.patch
|
Patch1: stunnel-5.61-systemd-service.patch
|
||||||
Patch3: stunnel-5.56-system-ciphers.patch
|
Patch3: stunnel-5.69-system-ciphers.patch
|
||||||
Patch4: stunnel-5.56-coverity.patch
|
Patch5: stunnel-5.69-default-tls-version.patch
|
||||||
Patch5: stunnel-5.56-default-tls-version.patch
|
|
||||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||||
Patch7: stunnel-5.56-verify-chain.patch
|
Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
|
BuildRequires: gnupg2
|
||||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||||
BuildRequires: autoconf automake libtool
|
BuildRequires: autoconf automake libtool
|
||||||
%if %{with libwrap}
|
%if %{with libwrap}
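Review bot: The comment above `Source99: pgp.asc` records where the keyring comes from but not which key it is expected to contain, so a later refresh of pgp.asc could silently change what `%{gpgverify}` in %prep accepts. Adding `# Expected upstream signing key fingerprint: <FINGERPRINT-FROM-UPSTREAM>` (placeholder to be filled from the upstream key) next to the URL comment lets the keyring be re-checked against a pinned value rather than against whatever the file currently holds. The `BuildRequires: gnupg2` that `%{gpgverify}` needs is present in this hunk.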
|
||||||
@ -40,7 +45,8 @@ BuildRequires: /usr/bin/pod2man
|
|||||||
BuildRequires: /usr/bin/pod2html
|
BuildRequires: /usr/bin/pod2html
|
||||||
# build test requirements
|
# build test requirements
|
||||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||||
BuildRequires: systemd
|
BuildRequires: python3.11 python3.11-cryptography openssl
|
||||||
|
BuildRequires: systemd systemd-devel
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -50,20 +56,17 @@ to ordinary applications. For example, it can be used in
|
|||||||
conjunction with imapd to create a TLS secure IMAP server.
|
conjunction with imapd to create a TLS secure IMAP server.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p1 -b .authpriv
|
%patch0 -p1 -b .authpriv
|
||||||
%patch1 -p1 -b .systemd-service
|
%patch1 -p1 -b .systemd-service
|
||||||
%patch3 -p1 -b .system-ciphers
|
%patch3 -p1 -b .system-ciphers
|
||||||
%patch4 -p1 -b .coverity
|
|
||||||
%patch5 -p1 -b .default-tls-version
|
%patch5 -p1 -b .default-tls-version
|
||||||
%patch6 -p1 -b .curves-doc-update
|
%patch6 -p1 -b .curves-doc-update
|
||||||
%patch7 -p1 -b .verify-chain
|
%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility
|
||||||
|
|
||||||
# Fix the configure script output for FIPS mode and stack protector flag
|
# Fix the stack protector flag
|
||||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||||
|
|
||||||
# Fix a testcase with system-ciphers support
|
|
||||||
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
#autoreconf -v
|
#autoreconf -v
|
||||||
@ -78,6 +81,7 @@ fi
|
|||||||
%else
|
%else
|
||||||
--disable-libwrap \
|
--disable-libwrap \
|
||||||
%endif
|
%endif
|
||||||
|
--with-bashcompdir=%{_datadir}/bash-completion/completions \
|
||||||
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
|
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
|
||||||
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
|
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
|
||||||
|
|
||||||
@ -93,22 +97,18 @@ for lang in pl ; do
|
|||||||
done
|
done
|
||||||
mkdir srpm-docs
|
mkdir srpm-docs
|
||||||
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
|
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
|
||||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
|
||||||
mkdir -p %{buildroot}%{_unitdir}
|
mkdir -p %{buildroot}%{_unitdir}
|
||||||
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
|
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
|
||||||
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
|
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
|
||||||
%endif
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible
|
if ! make test; then
|
||||||
# in Fedora or normal RHEL-8 install.
|
for i in tests/logs/*.log; do
|
||||||
rm tests/recipes/042_inetd
|
echo "$i":
|
||||||
# We override the security policy as it is too strict for the tests.
|
cat "$i"
|
||||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
done
|
||||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
exit 1
|
||||||
OPENSSL_CONF=
|
fi
|
||||||
export OPENSSL_CONF
|
|
||||||
make test
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
@ -127,9 +127,8 @@ make test
|
|||||||
%lang(pl) %{_mandir}/pl/man8/stunnel.8*
|
%lang(pl) %{_mandir}/pl/man8/stunnel.8*
|
||||||
%dir %{_sysconfdir}/%{name}
|
%dir %{_sysconfdir}/%{name}
|
||||||
%exclude %{_sysconfdir}/stunnel/*
|
%exclude %{_sysconfdir}/stunnel/*
|
||||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
|
||||||
%{_unitdir}/%{name}*.service
|
%{_unitdir}/%{name}*.service
|
||||||
%endif
|
%{_datadir}/bash-completion/completions/%{name}.bash
|
||||||
|
|
||||||
%post
|
%post
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
@ -143,8 +142,19 @@ make test
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Feb 16 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
|
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 5.71-2
|
||||||
- Fix CVE-2021-20230 stunnel: client certificate not
|
- Restore support for the NO_TLSv1.[123] values for the option directive
|
||||||
|
Resolves: RHEL-2340
|
||||||
|
|
||||||
|
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
|
||||||
|
- New upstream release 5.71
|
||||||
|
Resolves: RHEL-2340
|
||||||
|
- Enable socket activation support
|
||||||
|
- verify upstream source in %%prep
|
||||||
|
- clean up stale conditionals
|
||||||
|
|
||||||
|
* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
|
||||||
|
- Fixes CVE-2021-20230 stunnel: client certificate not
|
||||||
correctly verified when redirect and verifyChain options are used.
|
correctly verified when redirect and verifyChain options are used.
|
||||||
|
|
||||||
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
||||||
|