New upstream release 5.72

* Bugfixes
  - Fixed SSL_CTX_new() errors handling.
  - Fixed OPENSSL_NO_PSK builds.
  - Fixed tests with OpenSSL older than 1.0.2.

Resolves: rhbz#2262756
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-source-git-commit: fa190ce0a73e06265176ba1df80f67e557dcc5cd

changelog

@@ -1,3 +1,7 @@
+* Mon Feb 05 2024 Clemens Lang <cllang@redhat.com> - 5.72-1
+- New upstream release 5.72
+  Resolves: rhbz#2262756
+
 * Thu Oct 5 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
 - New upstream release 5.71
   Resolves: rhbz#2239740

sources

@@ -1,2 +1,2 @@
-SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
-SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc
+SHA512 (stunnel-5.72.tar.gz) = 2607bed1159412dc36ed0455ed158ab3141782f05ddaf3605076f1a0e371bc1ada1606cab65a6bc52d69a8c685345617578cb79d521330f2e1d12af3dcbd37ca
+SHA512 (stunnel-5.72.tar.gz.asc) = 337da975137a2ee51054f3cf926ddb5b268f9740d463d6c7ac2d61599d99f2990c635f13979e4c3b25fc0ada631bb82183b9e93f3491ac7b20559c31f81ec537

stunnel-5.72-default-tls-version.patch

@@ -1,9 +1,13 @@
-From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From c104c853a545b00992c7c3b3aa0d625016dc1577 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+Subject: [PATCH 4/5] Use TLS version f/crypto-policies unless specified
 
-Patch-name: stunnel-5.69-default-tls-version.patch
+Do not explicitly set the TLS version and rely on the defaults from
+crypto-policies unless a TLS minimum or maximum version are explicitly
+specified in the stunnel configuration.
+
+Patch-name: stunnel-5.72-default-tls-version.patch
 Patch-id: 5
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
@@ -13,13 +17,13 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
  3 files changed, 36 insertions(+), 16 deletions(-)
 
 diff --git a/src/ctx.c b/src/ctx.c
-index 6a42a6b..cba24d9 100644
+index 8d0e9de..3418779 100644
 --- a/src/ctx.c
 +++ b/src/ctx.c
-@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
-     section->ctx=SSL_CTX_new(section->option.client ?
-         TLS_client_method() : TLS_server_method());
- #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+ 
+     /* set supported protocol versions */
+ #if OPENSSL_VERSION_NUMBER>=0x10100000L
 -    if(section->min_proto_version &&
 -            !SSL_CTX_set_min_proto_version(section->ctx,
 -            section->min_proto_version)) {
@@ -56,13 +60,13 @@ index 6a42a6b..cba24d9 100644
 +            return 1; /* FAILED */
 +        }
      }
- #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
-     if(section->option.client)
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
+ 
 diff --git a/src/options.c b/src/options.c
-index 4d31815..2ec5934 100644
+index 12b57fe..816c06e 100644
 --- a/src/options.c
 +++ b/src/options.c
-@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3433,8 +3433,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
              return "Invalid protocol version";
          return NULL; /* OK */
      case CMD_INITIALIZE:
@@ -74,7 +78,7 @@ index 4d31815..2ec5934 100644
              return "Invalid protocol version range";
          break;
      case CMD_PRINT_DEFAULTS:
-@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3452,7 +3453,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
      /* sslVersionMax */
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -86,7 +90,7 @@ index 4d31815..2ec5934 100644
          break;
      case CMD_SET_COPY:
          section->max_proto_version=new_service_options.max_proto_version;
-@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3483,7 +3487,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
      /* sslVersionMin */
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -99,10 +103,10 @@ index 4d31815..2ec5934 100644
      case CMD_SET_COPY:
          section->min_proto_version=new_service_options.min_proto_version;
 diff --git a/src/prototypes.h b/src/prototypes.h
-index 0ecd719..a126c9e 100644
+index a2b10aa..e76335e 100644
 --- a/src/prototypes.h
 +++ b/src/prototypes.h
-@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
  ICON_IMAGE load_icon_file(const char *);
  #endif
  
@@ -113,5 +117,5 @@ index 0ecd719..a126c9e 100644
  
  /* end of prototypes.h */
 -- 
-2.39.2
+2.43.0
 

stunnel.spec

@@ -9,7 +9,7 @@
 
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.71
+Version: 5.72
 Release: %autorelease
 License: GPL-2.0-or-later WITH stunnel-exception AND MIT
 URL: https://www.stunnel.org/
@@ -36,8 +36,12 @@ Patch1:   stunnel-5.61-systemd-service.patch
 # platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
 # policies. Change stunnel to default to this setting.
 Patch3:   stunnel-5.69-system-ciphers.patch
-# Apply patch stunnel-5.69-default-tls-version.patch
-Patch5:   stunnel-5.69-default-tls-version.patch
+# Use TLS version f/crypto-policies unless specified
+# 
+# Do not explicitly set the TLS version and rely on the defaults from
+# crypto-policies unless a TLS minimum or maximum version are explicitly
+# specified in the stunnel configuration.
+Patch5:   stunnel-5.72-default-tls-version.patch
 # Apply patch stunnel-5.56-curves-doc-update.patch
 Patch6:   stunnel-5.56-curves-doc-update.patch
 # util-linux is needed for rename