Auto sync2gitlab import of stunnel-5.56-5.el8_3.src.rpm

This commit is contained in:
James Antill 2022-05-26 14:34:55 -04:00
parent c888d2812d
commit 262b45e208
18 changed files with 1284 additions and 1 deletions

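--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/stunnel-5.56.tar.gz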

Certificate-Creation Normal file

@ -0,0 +1,9 @@
To generate a key and self signed certificate, execute the following commands:
cd /etc/pki/tls/certs
make stunnel.pem
Note that by default, the file containing the key and certificate has its
permissions set to 0600, which means that any service using it needs to be
started as root in order to read it. Such a service should be configured
to switch UIDs using stunnel's "-s" flag.

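--- a/EMPTY
+++ b/EMPTY
@@ -1 +0,0 @@
-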
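--- a/pop3-redirect.xinetd
+++ b/pop3-redirect.xinetd
@@ -0,0 +1,17 @@
+# default: off
+# description: The POP3 redirector allows client software which does not have \
+# native support for SSL to connect to the local machine's POP3 \
+# port and have the connection forwarded over the network using \
+# SSL. You will need to modify stunnel-pop3s-client.conf to \
+# specify the server to connect to in order for this to be useful.
+service pop3
+{
+disable = yes
+socket_type = stream
+wait = no
+user = root
+server = /usr/sbin/stunnel
+server_args = /etc/stunnel/stunnel-pop3s-client.conf
+log_on_success += USERID
+log_on_failure += USERID
+}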
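Review bot: `user = root` together with `server_args = /etc/stunnel/stunnel-pop3s-client.conf` keeps stunnel, and the forwarded session, running as root for the whole connection, because the client config added in this same commit contains no privilege-dropping directive and this xinetd entry never changes user. The Certificate-Creation note in the commit says a service that reads the 0600 key as root should switch UIDs afterwards, so the stunnel config wants a `setuid`/`setgid` pair (the `-s` flag that note mentions does not appear to exist in stunnel 5), or this file could use an unprivileged `user =` since the pop3s client config loads no private key at all. sfinger.xinetd with stunnel-sfinger.conf has the same shape; there root is needed to read `/etc/stunnel/stunnel.pem` at startup, so the drop belongs in the stunnel config, with a comment in the xinetd file saying why the entry starts as root.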

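--- a/sfinger.xinetd
+++ b/sfinger.xinetd
@@ -0,0 +1,11 @@
+# Not that anyone in their right mind would tunnel the finger protocol over
+# SSL, but here's how to do it using xinetd....
+service sfinger
+{
+disable = yes
+socket_type = stream
+wait = no
+user = root
+server = /usr/sbin/stunnel
+server_args = /etc/stunnel/stunnel-sfinger.conf
+}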

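--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (stunnel-5.56.tar.gz) = db1be82b80bd5606568c5565f1c9a5710d4f7abca2d89388daa441bc395aaf2be998ac6403c7a17b8af01b89ade825186c20c50f73a809f9d64eca2e1b57a877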


@ -0,0 +1,52 @@
diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100
+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100
@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
.Sp
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100
+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100
@@ -244,7 +244,7 @@
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
-<p>The syslog facility &#39;daemon&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog facility &#39;authpriv&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
<p>Case is ignored for both facilities and levels.</p>
diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100
+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th
all levels numerically less than it will be shown. Use I<debug = debug> or
I<debug = 7> for greatest debugging output. The default is notice (5).
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
Case is ignored for both facilities and levels.
diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100
+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100
@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
case CMD_SET_DEFAULTS:
section->log_level=LOG_NOTICE;
#if !defined (USE_WIN32) && !defined (__vms)
+#if defined(LOG_AUTHPRIV)
+ new_global_options.log_facility=LOG_AUTHPRIV;
+#else
new_global_options.log_facility=LOG_DAEMON;
#endif
+#endif
break;
case CMD_SET_COPY:
section->log_level=new_service_options.log_level;
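Review bot: The three documentation hunks now say unconditionally that the 'authpriv' facility is the default, while the options.c hunk keeps `LOG_DAEMON` as a fallback when `LOG_AUTHPRIV` is not defined, so on such a build the man page would be wrong. Either word the docs as "authpriv where the platform provides it, otherwise daemon", or drop the fallback if the package is only built where authpriv exists, and record the decision on the `#else` branch, e.g. `/* LOG_AUTHPRIV is not POSIX; fall back to daemon (the docs assume authpriv) */`. Since authpriv logs are typically routed to a root-readable file only, moving connection logs there changes who can read them; one sentence on that in the doc hunks would help administrators. The enclosing `parse_service_option` switch continues outside the hunk.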


@ -0,0 +1,11 @@
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
@@ -5,6 +5,7 @@ After=syslog.target network.target
[Service]
ExecStart=@bindir@/stunnel
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target


@ -0,0 +1,22 @@
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
for(;;) {
va_copy(ap, start_ap);
n=vsnprintf(p, size, format, ap);
+ va_end(ap);
if(n>-1 && n<(int)size)
return p;
if(n>-1) /* glibc 2.1 */
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
#endif
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
- closesocket(s);
#ifndef USE_FORK
service_free(opt);
#endif
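Review bot: Dropping `closesocket(s)` after a failed `create_client` in `accept_connection` is correct only if `create_client` itself closes `s` on every failure path; its body is outside this hunk, and if any path returns non-zero without closing, each rejected connection now leaks a descriptor, so a burst of rejected connects exhausts the fd table instead of merely double-closing one socket. Please add a comment at the call site that fixes the ownership, e.g. `/* create_client() closes s on failure; do not close it here */`, so a later scan does not reintroduce the close. The str.c hunk is fine: each `va_copy` in the retry loop is now paired with a `va_end` before the next iteration. Both enclosing functions start before the hunks shown.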


@ -0,0 +1,66 @@
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
.IX Item "curves = list"
\&\s-1ECDH\s0 curves separated with ':'
.Sp
+Note: This option is supported for server mode sockets only.
+.Sp
Only a single curve name is allowed for OpenSSL older than 1.1.0.
.Sp
To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
@@ -568,6 +568,8 @@
<p>ECDH curves separated with &#39;:&#39;</p>
+<p>Note: This option is supported for server mode sockets only.</p>
+
<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p>
<p>To get a list of supported curves use:</p>
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
@@ -499,6 +499,8 @@ I<verifyPeer> options.
ECDH curves separated with ':'
+Note: This option is supported for server mode sockets only.
+
Only a single curve name is allowed for OpenSSL older than 1.1.0.
To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
krzywe ECDH odddzielone ':'
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
Listę dostępnych krzywych można uzyskać poleceniem:
--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
+++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
@@ -564,6 +564,8 @@
<p>krzywe ECDH odddzielone &#39;:&#39;</p>
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
+
<p>Wersje OpenSSL starsze ni&#x17C; 1.1.0 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
<p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
.IX Item "curves = lista"
krzywe \s-1ECDH\s0 odddzielone ':'
.Sp
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+.Sp
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
.Sp
Listę dostępnych krzywych można uzyskać poleceniem:


@ -0,0 +1,92 @@
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
- if(section->max_proto_version && section->min_proto_version &&
- section->max_proto_version<section->min_proto_version)
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->max_proto_version<section->min_proto_version)
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
section->ctx=SSL_CTX_new(TLS_client_method());
else /* server mode */
section->ctx=SSL_CTX_new(TLS_server_method());
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
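Review bot: The two `s_log(LOG_INFO, ...)` messages in the ctx.c hunk use a backslash-newline inside the string literal, so the indentation of the continuation line becomes part of the logged text, and the first message ends with "explicitly." while the second ends with "explicitly"; use adjacent literals instead, `s_log(LOG_INFO, "Using the default TLS version as specified in "` followed by `"OpenSSL crypto policies. Not setting explicitly.");` in both places. Separately, the options.c CMD_INITIALIZE check now skips the min/max comparison whenever either end is `USE_DEFAULT_TLS_VERSION`, so an explicit `sslVersionMax` below the crypto policy's minimum is no longer caught at configuration time and only fails at handshake; a comment there stating that this is intentional, and a matching note in the sslVersionMin/sslVersionMax docs, would avoid surprise. If the CMD_PRINT_DEFAULTS path (outside the hunk) prints the raw integer, it will now show -2 for both options. `context_init` and the options switch both extend beyond the hunks.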


@ -0,0 +1,12 @@
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
@@ -277,7 +277,7 @@ static char *option_not_found=
"Specified option name is not valid here";
static char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static char *stunnel_ciphersuites=
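Review bot: `"PROFILE=SYSTEM"` is only understood by an OpenSSL that carries the system crypto-policy patch; on an unpatched OpenSSL I believe `SSL_CTX_set_cipher_list` rejects it and every service fails to start, so the distribution-specific nature deserves a comment, e.g. `/* resolved by the system-wide crypto policy (patched OpenSSL); see OPENSSL_SYSTEM_CIPHERS_OVERRIDE in the spec's %check */`. Note also that `stunnel_ciphersuites`, declared right after the hunk for TLS 1.3, is not changed here, so only the TLS 1.2-and-below cipher selection follows the policy unless its value (outside the hunk) was updated as well.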


@ -0,0 +1,219 @@
diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
@@ -1,6 +1,6 @@
/*
* stunnel TLS offloading and load-balancing proxy
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -39,7 +39,12 @@
#include "prototypes.h"
/* global OpenSSL initialization: compression, engine, entropy */
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
void *from_d, int idx, long argl, void *argp);
#else
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
- "session authenticated", NULL, NULL, NULL);
+ "session authenticated", cb_new_auth, NULL, NULL);
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
"session connect address", NULL, cb_dup_addr, cb_free_addr);
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
BN_free(dh->p);
BN_free(dh->q);
BN_free(dh->g);
- dh->p = p;
- dh->q = q;
- dh->g = g;
+ dh->p=p;
+ dh->q=q;
+ dh->g=g;
if(q)
- dh->length = BN_num_bits(q);
+ dh->length=BN_num_bits(q);
return 1;
}
#endif
#endif
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp) {
+ (void)parent; /* squash the unused parameter warning */
+ (void)ptr; /* squash the unused parameter warning */
+ (void)argl; /* squash the unused parameter warning */
+ s_log(LOG_DEBUG, "Initializing application specific data for %s",
+ (char *)argp);
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
+ sslerror("CRYPTO_set_ex_data");
+}
+
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
void *from_d, int idx, long argl, void *argp) {
#else
diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
@@ -1,6 +1,6 @@
/*
* stunnel TLS offloading and load-balancing proxy
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
s_log(LOG_INFO, "Certificate verification disabled");
return 1; /* accept */
}
- if(verify_checks(c, preverify_ok, callback_ctx)) {
+ if(verify_checks(c, preverify_ok, callback_ctx))
+ return 1; /* accept */
+ if(c->opt->option.client || c->opt->protocol)
+ return 0; /* reject */
+ if(c->opt->redirect_addr.names) {
SSL_SESSION *sess=SSL_get1_session(c->ssl);
if(sess) {
- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
- (void *)(-1));
+ int ok=SSL_SESSION_set_ex_data(sess,
+ index_session_authenticated, NULL);
SSL_SESSION_free(sess);
if(!ok) {
sslerror("SSL_SESSION_set_ex_data");
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
}
return 1; /* accept */
}
- if(c->opt->option.client || c->opt->protocol)
- return 0; /* reject */
- if(c->opt->redirect_addr.names)
- return 1; /* accept */
return 0; /* reject */
}
diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Redirect TLS client connections on certificate-based authentication failures.
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
+# The success is expected because the client presents the *wrong* certificate
+# and the client connection is redirected.
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+
+. $(dirname $0)/../test_library
+
+start() {
+ ../../src/stunnel -fd 0 <<EOT
+ debug = debug
+ syslog = no
+ pid = ${result_path}/stunnel.pid
+ output = ${result_path}/stunnel.log
+
+ [client_1]
+ client = yes
+ accept = 127.0.0.1:${http1}
+ connect = 127.0.0.1:${https1}
+ ;cert = ${script_path}/certs/client_cert.pem
+;wrong self signed certificate
+ cert = ${script_path}/certs/stunnel.pem
+
+ [client_2]
+ client = yes
+ accept = 127.0.0.1:${http2}
+ connect = 127.0.0.1:${https2}
+
+ [server_1]
+ accept = 127.0.0.1:${https1}
+ exec = ${script_path}/execute
+ execArgs = execute 028_redirect_chain_error
+ redirect = ${http2}
+ cert = ${script_path}/certs/server_cert.pem
+ verifyChain = yes
+ CAfile = ${script_path}/certs/CACert.pem
+
+ [server_2]
+ accept = 127.0.0.1:${https2}
+ cert = ${script_path}/certs/server_cert.pem
+ exec = ${script_path}/execute
+ execArgs = execute 028_redirect_chain
+
+EOT
+}
+
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?
diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Do not redirect TLS client connections on certificate-based authentication success.
+# [client_1] -> [server_1]
+# The success is expected because the client presents the *correct* certificate
+# and the client connection isn't redirected.
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+
+. $(dirname $0)/../test_library
+
+start() {
+ ../../src/stunnel -fd 0 <<EOT
+ debug = debug
+ syslog = no
+ pid = ${result_path}/stunnel.pid
+ output = ${result_path}/stunnel.log
+
+ [client_1]
+ client = yes
+ accept = 127.0.0.1:${http1}
+ connect = 127.0.0.1:${https1}
+;correct certificate
+ cert = ${script_path}/certs/client_cert.pem
+
+ [client_2]
+ client = yes
+ accept = 127.0.0.1:${http2}
+ connect = 127.0.0.1:${https2}
+
+ [server_1]
+ accept = 127.0.0.1:${https1}
+ exec = ${script_path}/execute
+ execArgs = execute 029_no_redirect_chain
+ redirect = ${http2}
+ cert = ${script_path}/certs/server_cert.pem
+ verifyChain = yes
+ CAfile = ${script_path}/certs/CACert.pem
+
+ [server_2]
+ accept = 127.0.0.1:${https2}
+ cert = ${script_path}/certs/server_cert.pem
+ exec = ${script_path}/execute
+ execArgs = execute 029_no_redirect_chain_error
+
+EOT
+}
+
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?
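Review bot: In the verify.c hunk, when `SSL_get1_session` returns NULL the redirect branch still falls through to `return 1; /* accept */` without clearing `index_session_authenticated`, and since `cb_new_auth` in the ssl.c hunk now initialises that slot to `(void *)(-1)` at session creation, a failed check on a session that cannot be fetched is accepted with the marker intact; whether the later redirect decision treats a missing session as unauthenticated is decided outside this hunk. Failing closed is cheap: `if(!sess) return 0; /* reject: cannot record the failed check */`. The inverted default, marked authenticated until a failed check clears it, appears to be the heart of the CVE-2021-20230 fix but is invisible from the `(void *)(-1)` literal; a comment at `cb_new_auth` such as `/* default: authenticated; verify_callback() clears it on the first failed check in the chain */` would keep it from being simplified away later. `verify_callback` begins before the hunk.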

stunnel-5.56.tar.gz.asc Normal file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=RhpX
-----END PGP SIGNATURE-----


@ -0,0 +1,8 @@
# Sample configuration for stunnel, tunnelling cleartext connections on the
# default port (without an "accept" setting, stunnel uses stdio) over an
# encrypted channel to pop3s-server.example.com:pop3s. See stunnel(8) for
# more information.
client = yes
connect = pop3s-server.example.com:pop3s
CAfile = /usr/share/ssl/certs/ca-bundle.crt
verify = 2
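Review bot: `verify = 2` with `CAfile` checks that the server certificate chains to a CA in the bundle but does not bind it to `pop3s-server.example.com`, so any certificate issued by any CA in that bundle is accepted for this tunnel; add `checkHost = pop3s-server.example.com` next to `verify = 2` so the sample shows the complete client-side check. The bundle path `/usr/share/ssl/certs/ca-bundle.crt` also differs from the `/etc/pki/tls/certs` tree the Certificate-Creation note in this commit uses, so confirm it exists on the target system or stunnel will likely refuse the configuration. A short comment explaining why the host check is needed on top of chain verification would help anyone copying the sample.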

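--- a/stunnel-sfinger.conf
+++ b/stunnel-sfinger.conf
@@ -0,0 +1,8 @@
+# Sample configuration for stunnel, forwarding data from encrypted connections
+# on the default port (without an "accept" setting, stunnel uses stdio) over
+# an unencrypted set of pipes which are used for stdio by in.fingerd. See
+# stunnel(8) for more information.
+exec = /usr/sbin/in.fingerd
+execargs = in.fingerd
+key = /etc/stunnel/stunnel.pem
+cert = /etc/stunnel/stunnel.pem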

stunnel.spec Normal file

@ -0,0 +1,726 @@
# Do not generate provides for private libraries
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
%if 0%{?fedora} > 27 || 0%{?rhel} > 7
%bcond_with libwrap
%else
%bcond_without libwrap
%endif
Summary: A TLS-encrypting socket wrapper
Name: stunnel
Version: 5.56
Release: 5%{?dist}
License: GPLv2
Group: Applications/Internet
URL: http://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
Source2: Certificate-Creation
Source3: sfinger.xinetd
Source4: stunnel-sfinger.conf
Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service
Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.50-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.56-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.56-verify-chain.patch
# util-linux is needed for rename
BuildRequires: gcc
BuildRequires: openssl-devel, pkgconfig, util-linux
BuildRequires: autoconf automake libtool
%if %{with libwrap}
Buildrequires: tcp_wrappers-devel
%endif
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html
# build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: systemd
%{?systemd_requires}
%description
Stunnel is a socket wrapper which can provide TLS/SSL
(Transport Layer Security/Secure Sockets Layer) support
to ordinary applications. For example, it can be used in
conjunction with imapd to create a TLS secure IMAP server.
%prep
%setup -q
%patch0 -p1 -b .authpriv
%patch1 -p1 -b .systemd-service
%patch3 -p1 -b .system-ciphers
%patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .verify-chain
# Fix the configure script output for FIPS mode and stack protector flag
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
# Fix a testcase with system-ciphers support
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
%build
#autoreconf -v
CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS
if pkg-config openssl ; then
CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
fi
%configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
%if %{with libwrap}
--enable-libwrap \
%else
--disable-libwrap \
%endif
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
%install
make install DESTDIR=%{buildroot}
# Move the translated man pages to the right subdirectories, and strip off the
# language suffixes.
#for lang in fr pl ; do
for lang in pl ; do
mkdir -p %{buildroot}/%{_mandir}/${lang}/man8
mv %{buildroot}/%{_mandir}/man8/*.${lang}.8* %{buildroot}/%{_mandir}/${lang}/man8/
rename ".${lang}" "" %{buildroot}/%{_mandir}/${lang}/man8/*
done
mkdir srpm-docs
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
mkdir -p %{buildroot}%{_unitdir}
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif
%check
# For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible
# in Fedora or normal RHEL-8 install.
rm tests/recipes/042_inetd
# We override the security policy as it is too strict for the tests.
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
OPENSSL_CONF=
export OPENSSL_CONF
make test
%files
%{!?_licensedir:%global license %%doc}
%doc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
%doc tools/stunnel.conf-sample
%doc srpm-docs/*
%license COPY*
%lang(en) %doc doc/en/*
%lang(pl) %doc doc/pl/*
%{_bindir}/stunnel
%exclude %{_bindir}/stunnel3
%exclude %{_datadir}/doc/stunnel
%{_libdir}/stunnel
%exclude %{_libdir}/stunnel/libstunnel.la
%{_mandir}/man8/stunnel.8*
%lang(pl) %{_mandir}/pl/man8/stunnel.8*
%dir %{_sysconfdir}/%{name}
%exclude %{_sysconfdir}/stunnel/*
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
%{_unitdir}/%{name}*.service
%endif
%post
/sbin/ldconfig
%systemd_post %{name}.service
%preun
%systemd_preun %{name}.service
%postun
/sbin/ldconfig
%systemd_postun_with_restart %{name}.service
%changelog
* Tue Feb 16 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
- Fix CVE-2021-20230 stunnel: client certificate not
correctly verified when redirect and verifyChain options are used.
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
- Updates documentation to specify that the option "curves" can be used in server mode only.
* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
- Fixes default tls version patch to handle default values from OpenSSL crypto policies
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2
- Adds default tls version patch to comply with OpenSSL crypto policies
* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
- New upstream release 5.56
* Tue Sep 4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
- Fix -fstack-protector-strong build flag application
- Fix bugs from Coverity scan
* Fri Aug 3 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-3
- Override system crypto policy for build tests
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-2
- Drop 042_inetd test which fails in the build environment
* Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1
- New upstream release 5.48
* Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1
- New upstream release 5.46
* Fri Mar 2 2018 Tomáš Mráz <tmraz@redhat.com> - 5.44-5
- Fix bind to localhost (patch backport by Christian Kujau) (#1542361)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.44-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 5.44-3
- Fix systemd executions/requirements
* Mon Jan 15 2018 Tomáš Mráz <tmraz@redhat.com> - 5.44-2
- Make the disablement of libwrap conditional
* Thu Jan 11 2018 Tomáš Mráz <tmraz@redhat.com> - 5.44-1
- New upstream release 5.44
- Disable libwrap support (#1518789)
* Tue Aug 22 2017 Tomáš Mráz <tmraz@redhat.com> - 5.42-1
- New upstream release 5.42
- Use the system cipher list by default (#1483967)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.41-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.41-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Apr 17 2017 Neal Gompa <ngompa@datto.com> - 5.41-1
- New upstream release 5.41
* Mon Mar 20 2017 Neal Gompa <ngompa@datto.com> - 5.40-1
- New upstream release 5.40
- Properly mark license files
- Rebase patches
- Eliminate unnecessary Provides
- Small spec cleanups and fixes
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.35-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jul 21 2016 Tomáš Mráz <tmraz@redhat.com> - 5.35-1
- New upstream release 5.35 with fix for bug #1358810
* Wed Jul 13 2016 Tomáš Mráz <tmraz@redhat.com> - 5.34-1
- New upstream release 5.34
* Wed Feb 3 2016 Tomáš Mráz <tmraz@redhat.com> - 5.30-1
- New upstream release 5.30
- Add generic stunnel@.service provided by Štefan Gurský (#1195742)
* Mon Jun 22 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.18-1
- New upstream release 5.18.
- Finally deleted the patch stunnel-5-sample.patch as upstream
has merged those changes.
- Fixes patches as per new code changes.
- Fixed systemd service file related changes.
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Jun 8 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.17-1
- New upstream release 5.17.
* Fri May 22 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.16-1
- New upstream release 5.16.
* Mon Apr 27 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.15-1
- New upstream release 5.15.
- 1155977: Fixed upstream too so removed the associated patch
- Updates other patches too.
* Mon Mar 30 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.14-1
- New upstream release 5.14.
* Sun Mar 29 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.13-1
- New upstream release 5.13.
* Sat Mar 28 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.12-1
- New upstream release 5.12.
* Fri Mar 27 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.11-1
- New upstream release 5.11.
* Wed Jan 28 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.10-1
- New upstream release 5.10.
* Thu Jan 8 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.09-1
- 1163349: New upstream release 5.09.
* Thu Dec 11 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.08-1
- 1163349: New upstream release 5.08
* Sun Nov 23 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.08b6-1
- 1163349: New upstream beta release 5.08b6
- Fixed incorrect reporting of fips status in configure.ac
at compile time, requires autoconf automake at buildtime
- Fixed default OpenSSL directory issue by using with-ssl
- Updates local patches
- 1155977: Fixes man page issues
* Tue Nov 04 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.07-1
- New upstream release 5.07
* Fri Oct 17 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.06-1
- New upstream release 5.06
- Addresses Poodle security issue
* Wed Oct 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.05b5-1
- rhbz #1144393: New upstream beta release
- systemd socket activation support
* Fri Sep 26 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.04-2
- Fixes packaging issues mentioned in rhbz#226439
* Mon Sep 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.04-1
- New upstream realease 5.04
- Updates local patches so that they apply cleanly to
avoud hunk errors
* Thu Aug 28 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.03-1
- New upstream realease 5.03
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.02-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Jul 14 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.02-1
- rhbz#1108818: New upstream realease 5.02
- Updated local patches
- The rhbz#530950 is tested and seems to work. STRLEN has
been no longer allocated statically since 4.36 version.
So it is possible that this bz might have got fixed
around 4.36 release.
- Fixes rpmlint errors
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.01-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon Apr 28 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.01-2
- Integration with systemd.
- Spec file clean up
- Patched stunnel systemd unit file to have dependency on
network.target.
- rhbz#455815: Packaged systemd service file
- rhbz#782535: Fixed private tmp issue.
- rhbz#995831: Fixed wrong encoding of french man page.
* Thu Apr 17 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.01-1
- New upstream realease 5.01
- Supports OpenSSL DLLs 1.0.1g.
- Fixes to take care of OpenSSL,s TLS heartbeat
read overrun (CVE-2014-0160).
* Fri Mar 7 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.00-1
- New upstream realease 5.00
- Updated local patches.
- Fix for CVE-2014-0016
- Fixed changelog date errors
- Fixes rhbz #1006819
* Mon Aug 5 2013 Avesh Agarwal <avagarwa@redhat.com> - 4.56-3
- Ftp mirrors for NA does not work, so changing source code
URLs to the correct ones.
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.56-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Apr 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 4.56-1
- New upstream realease 4.56.
- Updated local patches.
- Fixed upstream URL in spec file.
- Sourced URL of sha256 hash file in spec file.
* Tue Mar 26 2013 Avesh Agarwal <avagarwa@redhat.com> - 4.55-2
- Resolves: 927841
* Mon Mar 4 2013 Avesh Agarwal <avagarwa@redhat.com> - 4.55-1
- New upstream realease 4.55
- Updated local patches
- enabled fips mode
- Fixed for pod2man as it build-requires perl-podlators
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.54-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Mon Dec 10 2012 Avesh Agarwal <avagarwa@redhat.com> - 4.54-2
- 884183: support for full relro.
* Tue Oct 16 2012 Avesh Agarwal <avagarwa@redhat.com> - 4.54-1
- New upstream realease 4.54
- Updated local patches
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.53-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon May 14 2012 Avesh Agarwal <avagarwa@redhat.com> - 4.53-1
- New upstream realease 4.53
- Updated local patches
* Tue Mar 6 2012 Avesh Agarwal <avagarwa@redhat.com> - 4.52-1
- New upstream realease 4.52
- Updated local patches
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.50-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Jan 3 2012 Avesh Agarwal <avagarwa@redhat.com> - 4.50-1
- New upstream realease 4.50
- Updated local patches
* Tue Sep 20 2011 Avesh Agarwal <avagarwa@redhat.com> - 4.44-1
- New upstream realease 4.44
- Updated local patches
* Fri Aug 19 2011 Avesh Agarwal <avagarwa@redhat.com> - 4.42-1
- New upstream realease 4.42
- Updated local patches
- Fixes #732069
* Mon Aug 1 2011 Avesh Agarwal <avagarwa@redhat.com> - 4.41-1
- New upstream realease 4.41
- Updated local patches to match the new release
* Tue Jun 28 2011 Avesh Agarwal <avagarwa@redhat.com> - 4.37-1
- New upstream realease 4.37
- Updated local patches to match the new release
* Mon Apr 4 2011 Avesh Agarwal <avagarwa@redhat.com> - 4.35-1
- New upstream realease 4.35
- Updated authpriv and sample patches to match the new release
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.34-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Oct 4 2010 Avesh Agarwal <avagarwa@redhat.com> - 4.34-1
- New upstream realease 4.34
- Updated authpriv and sample patches to match the new release
* Wed Apr 7 2010 Avesh Agarwal <avagarwa@redhat.com> - 4.33-1
- New upstream realease 4.33
- Updated authpriv and sample patches to match the new release
- Addresses bz 580117 (inted mode support issue)
* Mon Mar 29 2010 Avesh Agarwal <avagarwa@redhat.com> - 4.32-1
- New upstream realease 4.32
- Updated authpriv and sample patches to match the new release
* Tue Feb 16 2010 Avesh Agarwal <avagarwa@redhat.com> - 4.31-1
- New upstream realease 4.31
- Updated authpriv and sample patches to match the new release
* Tue Jan 26 2010 Avesh Agarwal <avagarwa@redhat.com> - 4.30-1
- New upstream realease 4.30
- Updated authpriv and sample patches for the new release
* Wed Dec 09 2009 Avesh Agarwal <avagarwa@redhat.com> - 4.29-1
- New upstream realease 4.29
- Updated authpriv and sample patches for the new release
- Modified spec file to include dist tag
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 4.27-5
- rebuilt with new openssl
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.27-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Sun May 3 2009 Miloslav Trmač <mitr@redhat.com> - 4.27-3
- Fix the previous patch.
* Wed Apr 29 2009 Miloslav Trmač <mitr@redhat.com> - 4.27-2
- Avoid aliasing undefined by ISO C
* Thu Apr 16 2009 Miloslav Trmač <mitr@redhat.com> - 4.27-1
- Update to stunnel-4.27.
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 4.26-2
- disable openssl upstream fips mode
* Mon Sep 22 2008 Miloslav Trmač <mitr@redhat.com> - 4.26-1
- Update to stunnel-4.26.
* Sun Jun 8 2008 Miloslav Trmač <mitr@redhat.com> - 4.25-2
- Use a clearer error message if the service name is unknown in "accept"
Resolves: #450344
* Mon Jun 2 2008 Miloslav Trmač <mitr@redhat.com> - 4.25-1
- Update to stunnel-4.25
* Tue May 20 2008 Miloslav Trmač <mitr@redhat.com> - 4.24-2
- Drop stunnel3
Resolves: #442842
* Mon May 19 2008 Miloslav Trmač <mitr@redhat.com> - 4.24-1
- Update to stunnel-4.24
* Fri Mar 28 2008 Miloslav Trmač <mitr@redhat.com> - 4.22-1
- Update to stunnel-4.22
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 4.20-6
- Autorebuild for GCC 4.3
* Tue Dec 4 2007 Miloslav Trmač <mitr@redhat.com> - 4.20-5
- Rebuild with openssl-0.9.8g
* Tue Oct 16 2007 Miloslav Trmač <mitr@redhat.com> - 4.20-4
- Revert the port to NSS, wait for NSS-based stunnel 5.x instead
Resolves: #301971
- Mark localized man pages with %%lang (patch by Ville Skyttä)
Resolves: #322281
* Tue Aug 28 2007 Miloslav Trmač <mitr@redhat.com> - 4.20-3.nss
- Port to NSS
* Mon Dec 4 2006 Miloslav Trmac <mitr@redhat.com> - 4.20-2
- Update BuildRequires for the separate tcp_wrappers-devel package
* Thu Nov 30 2006 Miloslav Trmac <mitr@redhat.com> - 4.20-1
- Update to stunnel-4.20
* Sat Nov 11 2006 Miloslav Trmac <mitr@redhat.com> - 4.19-1
- Update to stunnel-4.19
* Wed Oct 25 2006 Miloslav Trmac <mitr@redhat.com> - 4.18-1
- Update to stunnel-4.18
- Remove unused stunnel.cnf from the src.rpm
- Fix some rpmlint warnings
* Fri Aug 18 2006 Jesse Keating <jkeating@redhat.com> - 4.15-2
- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
(#203001)
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 4.15-1.1
- rebuild
* Sat Mar 18 2006 Miloslav Trmac <mitr@redhat.com> - 4.15-1
- Update to stunnel-4.15
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 4.14-3.2
- bump again for double-long bug on ppc(64)
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 4.14-3.1
- rebuilt for new gcc4.1 snapshot and glibc changes
* Tue Jan 31 2006 Miloslav Trmac <mitr@redhat.com> - 4.14-3
- Use pthread threading to fix crash on x86_64 (#179236)
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
* Wed Nov 9 2005 Miloslav Trmac <mitr@redhat.com> - 4.14-2
- Rebuild with newer openssl
* Thu Nov 3 2005 Miloslav Trmac <mitr@redhat.com> - 4.14-1
- Update to stunnel-4.14
- Override changed default pid file location, keep it in %%{_localstatedir}/run
* Sat Oct 22 2005 Miloslav Trmac <mitr@redhat.com> - 4.13-1
- Update to stunnel-4.13
* Fri Sep 30 2005 Miloslav Trmac <mitr@redhat.com> - 4.12-1
- Update to stunnel-4.12
* Thu Sep 22 2005 Miloslav Trmac <mitr@redhat.com> - 4.11-2
- Enable IPv6 (#169050, patch by Peter Bieringer)
- Don't ship another copy of man pages in HTML
* Tue Jul 12 2005 Miloslav Trmac <mitr@redhat.com> - 4.11-1
- Update to stunnel-4.11
- Fix int/size_t mismatches in stack_info ()
- Update Certificate-Creation for /etc/pki
* Wed Jun 1 2005 Miloslav Trmac <mitr@redhat.com> - 4.10-2
- Fix inetd mode
- Remove unnecessary Requires: and BuildRequires:
- Clean up the spec file
* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 4.10-1
- update to 4.10
* Tue Apr 26 2005 Nalin Dahyabhai <nalin@redhat.com> 4.08-2
- add buildprereqs on libtool, util-linux; change textutils/fileutils dep to
coreutils (#133961)
* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 4.08-1
- update to 4.08
- build stunnel as a PIE binary
* Mon Nov 22 2004 Miloslav Trmac <mitr@redhat.com> - 4.05-4
- Convert man pages to UTF-8
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu May 27 2004 Nalin Dahyabhai <nalin@redhat.com> 4.05-2
- move the sample configuration to %%doc, it shouldn't be used as-is (#124373)
* Thu Mar 11 2004 Nalin Dahyabhai <nalin@redhat.com> 4.05-1
- update to 4.05
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Thu Aug 7 2003 Elliot Lee <sopwith@redhat.com> 4.04-6
- Fix libtool
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt
* Fri Mar 21 2003 Nalin Dahyabhai <nalin@redhat.com> 4.04-4
- fix xinetd configuration samples
* Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 4.04-3
- rebuild
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Wed Jan 15 2003 Nalin Dahyabhai <nalin@redhat.com> 4.04-1
- update to 4.04
* Tue Jan 7 2003 Nalin Dahyabhai <nalin@redhat.com> 4.03-1
- use pkgconfig for information about openssl, if available
* Fri Jan 3 2003 Nalin Dahyabhai <nalin@redhat.com>
- update to 4.03
* Mon Oct 21 2002 Nalin Dahyabhai <nalin@redhat.com> 4.02-1
- update to 4.02
* Fri Oct 4 2002 Nalin Dahyabhai <nalin@redhat.com> 4.00-1
- don't create a dummy cert
* Wed Sep 25 2002 Nalin Dahyabhai <nalin@redhat.com>
- update to 4.00
- remove textutils and fileutils as buildreqs, add automake/autoconf
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Sun May 26 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 3.22-2
- rebuild in new environment
* Wed Jan 2 2002 Nalin Dahyabhai <nalin@redhat.com> 3.22-1
- update to 3.22, correcting a format-string vulnerability
* Wed Oct 31 2001 Nalin Dahyabhai <nalin@redhat.com> 3.21a-1
- update to 3.21a
* Tue Aug 28 2001 Nalin Dahyabhai <nalin@redhat.com> 3.20-1
- log using LOG_AUTHPRIV facility by default (#47289)
- make permissions on stunnel binary 0755
- implicitly trust certificates in %%{_datadir}/ssl/trusted (#24034)
* Fri Aug 10 2001 Nalin Dahyabhai <nalin@redhat.com> 3.19-1
- update to 3.19 to avoid problems with stunnel being multithreaded, but
tcp wrappers not being thrad-safe
* Mon Jul 30 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.17
* Mon Jul 23 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.16
* Mon Jul 16 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.15
- enable tcp-wrappers support
* Tue May 29 2001 Nalin Dahyabhai <nalin@redhat.com>
- remove explicit requirement on openssl (specific version isn't enough,
we have to depend on shared library version anyway)
* Fri Apr 27 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.14
* Mon Mar 26 2001 Preston Brown <pbrown@redhat.com>
- depend on make (#33148)
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
- rebuild in new environment
* Tue Feb 6 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.13 to get pthread, OOB, 64-bit fixes
- don't need sdf any more
* Thu Dec 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- pull in sdf to build the man page (#22892)
* Fri Dec 22 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.11
- chuck the SIGHUP patch (went upstream)
- chuck parts of the 64-bit clean patch (went upstream)
* Thu Dec 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.10
- more 64-bit clean changes, hopefully the last bunch
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- change piddir from the default /var/stunnel to /var/run
- clean out pid file on SIGHUP
* Fri Dec 15 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 3.9 to get a security fix
* Wed Oct 25 2000 Matt Wilson <msw@redhat.com>
- change all unsigned longs to u_int32_t when dealing with network
addresses
* Fri Aug 18 2000 Nalin Dahyabhai <nalin@redhat.com>
- make stunnel.pem also be (missingok)
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- move to Applications/Internet group
- clean up %%post script
- make stunnel.pem %%ghost %%config(noreplace)
- provide a sample file for use with xinetd
* Thu Jun 8 2000 Nalin Dahyabhai <nalin@redhat.com>
- FHS compliance fixes
- modify defaults
* Tue Mar 14 2000 Florian La Roche <Florian.LaRoche@redhat.com>
- update to 3.8
- do not create certificate if one already exists
* Mon Feb 21 2000 Florian La Roche <Florian.LaRoche@redhat.com>
- update to 3.7
- add patch to find /usr/share/ssl
- change some perms
* Sat Oct 30 1999 Bernhard Rosenkraenzer <bero@redhat.com>
- Modify spec file to match Red Hat standards
* Thu Aug 12 1999 Damien Miller <damien@ibs.com.au>
- Updated to 3.4a
- Patched for OpenSSL 0.9.4
- Cleaned up files section
* Sun Jul 11 1999 Damien Miller <dmiller@ilogic.com.au>
- Updated to 3.3
* Sat Nov 28 1998 Damien Miller <dmiller@ilogic.com.au>
- Initial RPMification

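--- /dev/null
+++ b/stunnel@.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=TLS tunnel for %I
+After=syslog.target network.target
+[Service]
+ExecStart=/usr/bin/stunnel /etc/stunnel/%i.conf
+Type=forking
+PrivateTmp=true
+[Install]
+WantedBy=multi-user.target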
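Review bot: `Type=forking` in the [Service] section is used without a `PIDFile=`, so systemd has to guess each instance's main process, and unless every /etc/stunnel/%i.conf sets its own `pid =`, all instances of this template presumably fall back to the single compiled-in default the spec configures (`PIDFILE` is overridden to %{_localstatedir}/run/stunnel.pid in the %build section) and can overwrite each other's pid file. Either add `PIDFile=/run/stunnel/%i.pid` and document that the per-instance config must set `pid` to match, or switch to `Type=simple` with `foreground = yes` in the config so no pid file is needed at all. `After=syslog.target` names a target systemd has marked obsolete for years and can simply be dropped. The unit also runs stunnel as root and drops privileges only if the instance config sets `setuid`/`setgid`; a one-line comment stating that, plus `ProtectSystem=full` next to `PrivateTmp=true`, would make the sandboxing expectations explicit for whoever writes the per-instance configs.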