New upstream release 5.71

Drop patches that are no longer needed, sync patches from Fedora.
Backport spec file improvements from Fedora.

Resolves: RHEL-2340
Signed-off-by: Clemens Lang <cllang@redhat.com>
Clemens Lang 2023-10-05 13:53:03 +02:00
parent c322d2e347
commit 49fc206f2d
13 changed files with 438 additions and 429 deletions

.gitignore

@ -110,3 +110,5 @@ stunnel-4.33.tar.gz.asc
/stunnel-5.48.tar.gz.asc /stunnel-5.48.tar.gz.asc
/stunnel-5.56.tar.gz /stunnel-5.56.tar.gz
/stunnel-5.56.tar.gz.asc /stunnel-5.56.tar.gz.asc
/stunnel-5.71.tar.gz
/stunnel-5.71.tar.gz.asc

pgp.asc

@ -0,0 +1,125 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=EgcU
-----END PGP PUBLIC KEY BLOCK-----
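Review bot: the key block is checked in without any record of the fingerprint it is expected to carry. Since this file gates source verification for every future rebase, please add the expected fingerprint next to the Source99 comment in the spec (or in this commit message) so a later reviewer can confirm the checked-in file against https://www.stunnel.org/pgp.asc instead of trusting whatever was committed.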


@ -1,2 +1,2 @@
SHA512 (stunnel-5.56.tar.gz.asc) = 0ae8531faf943e75fe17699c3ce2b7eb916c25f3217b8e3a22bd2ae03e8ce3f40849c5aa6b078d1fa9c9a9c066610f4e517bc99e7204be754bd4ec53c80964af SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
SHA512 (stunnel-5.56.tar.gz) = db1be82b80bd5606568c5565f1c9a5710d4f7abca2d89388daa441bc395aaf2be998ac6403c7a17b8af01b89ade825186c20c50f73a809f9d64eca2e1b57a877 SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc


@ -1,43 +1,62 @@
diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100 From: Tomas Mraz <tmraz@fedoraproject.org>
+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100 Date: Mon, 12 Sep 2022 11:07:38 +0200
@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). Patch-name: stunnel-5.50-authpriv.patch
Patch-id: 0
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
doc/stunnel.8.in | 2 +-
doc/stunnel.html.in | 2 +-
doc/stunnel.pod.in | 2 +-
src/options.c | 4 ++++
4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
index 8cd8bc0..b5d7d75 100644
--- a/doc/stunnel.8.in
+++ b/doc/stunnel.8.in
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
.Sp .Sp
-The syslog facility 'daemon' will be used unless a facility name is supplied. The default logging level is notice (5).
+The syslog facility 'authpriv' will be used unless a facility name is supplied. .Sp
-The syslog 'daemon' facility will be used unless a facility name is supplied.
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
(Facilities are not supported on Win32.) (Facilities are not supported on Win32.)
.Sp .Sp
Case is ignored for both facilities and levels. Case is ignored for both facilities and levels.
diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100 index a7931aa..cda5993 100644
+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100 --- a/doc/stunnel.html.in
@@ -244,7 +244,7 @@ +++ b/doc/stunnel.html.in
@@ -248,7 +248,7 @@
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p> <p>The default logging level is notice (5).</p>
-<p>The syslog facility &#39;daemon&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p> -<p>The syslog &#39;daemon&#39; facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog facility &#39;authpriv&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p> +<p>The syslog &#39;authpriv&#39; facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
<p>Case is ignored for both facilities and levels.</p> <p>Case is ignored for both facilities and levels.</p>
diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100 index a54b25d..f830cf3 100644
+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100 --- a/doc/stunnel.pod.in
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th +++ b/doc/stunnel.pod.in
all levels numerically less than it will be shown. Use I<debug = debug> or @@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
I<debug = 7> for greatest debugging output. The default is notice (5).
-The syslog facility 'daemon' will be used unless a facility name is supplied. The default logging level is notice (5).
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
-The syslog 'daemon' facility will be used unless a facility name is supplied.
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
(Facilities are not supported on Win32.) (Facilities are not supported on Win32.)
Case is ignored for both facilities and levels. Case is ignored for both facilities and levels.
diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c diff --git a/src/options.c b/src/options.c
--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100 index 5f8ad8b..6e4a18b 100644
+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100 --- a/src/options.c
@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD +++ b/src/options.c
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
case CMD_SET_DEFAULTS: case CMD_SET_DEFAULTS:
section->log_level=LOG_NOTICE; section->log_level=LOG_NOTICE;
#if !defined (USE_WIN32) && !defined (__vms) #if !defined (USE_WIN32) && !defined (__vms)
@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
+ new_global_options.log_facility=LOG_AUTHPRIV; + new_global_options.log_facility=LOG_AUTHPRIV;
+#else +#else
new_global_options.log_facility=LOG_DAEMON; new_global_options.log_facility=LOG_DAEMON;
#endif
+#endif +#endif
#endif
break; break;
case CMD_SET_COPY: case CMD_SET_COPY:
section->log_level=new_service_options.log_level; --
2.39.2
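Review bot: the Subject line numbers this as [PATCH 1/7] while the other regenerated patches in this commit are labelled 6/8, 2/8, 5/7 and 3/7, so the series numbering is inconsistent; the Patch-id trailer and the spec's PatchN tags are what actually matter, so either drop the N/M numbering from the subjects or make it consistent. The rebased options.c hunk itself looks right: LOG_AUTHPRIV is selected inside the `#if !defined (USE_WIN32) && !defined (__vms)` block with LOG_DAEMON kept as the `#else` fallback, so platforms without syslog facilities are unaffected.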


@ -1,11 +0,0 @@
diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100
+++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100
@@ -5,6 +5,7 @@ After=syslog.target network.target
[Service]
ExecStart=@bindir@/stunnel
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target
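Review bot: dropping this file is consistent with the Patch1 rename to stunnel-5.61-systemd-service.patch in the spec, and the replacement carries the same `PrivateTmp=true` line; please make sure the old file name is not still referenced anywhere else (packit or CI configuration), since the spec hunk is the only place this commit updates it.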


@ -1,22 +0,0 @@
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
for(;;) {
va_copy(ap, start_ap);
n=vsnprintf(p, size, format, ap);
+ va_end(ap);
if(n>-1 && n<(int)size)
return p;
if(n>-1) /* glibc 2.1 */
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
#endif
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
- closesocket(s);
#ifndef USE_FORK
service_free(opt);
#endif
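Review bot: the two fixes dropped here (the missing `va_end(ap)` in str_vprintf and the duplicate `closesocket(s)` after a failed create_client in accept_connection) are not mentioned anywhere else in this commit. "No longer needed" presumably means both landed upstream, but please confirm against the 5.71 sources before merging, since a leaked va_list per log line and a double close of the accepted socket are exactly the regressions that only show up under load.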


@ -1,66 +1,98 @@
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200 From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200 From: Sahana Prasad <sahana@redhat.com>
@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
Patch-name: stunnel-5.56-curves-doc-update.patch
Patch-id: 6
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
doc/stunnel.8.in | 2 ++
doc/stunnel.html.in | 2 ++
doc/stunnel.pl.8.in | 2 ++
doc/stunnel.pl.html.in | 2 ++
doc/stunnel.pl.pod.in | 2 ++
doc/stunnel.pod.in | 2 ++
6 files changed, 12 insertions(+)
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
index a56f0b7..977a1a4 100644
--- a/doc/stunnel.8.in
+++ b/doc/stunnel.8.in
@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
.IX Item "curves = list" .IX Item "curves = list"
\&\s-1ECDH\s0 curves separated with ':' \&\s-1ECDH\s0 curves separated with ':'
.Sp .Sp
+Note: This option is supported for server mode sockets only. +Note: This option is supported for server mode sockets only.
+.Sp +.Sp
Only a single curve name is allowed for OpenSSL older than 1.1.0. Only a single curve name is allowed for OpenSSL older than 1.1.1.
.Sp .Sp
To get a list of supported curves use: To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200 diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200 index 608afa9..cecc81a 100644
@@ -568,6 +568,8 @@ --- a/doc/stunnel.html.in
+++ b/doc/stunnel.html.in
@@ -570,6 +570,8 @@
<p>ECDH curves separated with &#39;:&#39;</p> <p>ECDH curves separated with &#39;:&#39;</p>
+<p>Note: This option is supported for server mode sockets only.</p> +<p>Note: This option is supported for server mode sockets only.</p>
+ +
<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p> <p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>
<p>To get a list of supported curves use:</p> <p>To get a list of supported curves use:</p>
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200 diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200 index e2e6622..eae88f8 100644
@@ -499,6 +499,8 @@ I<verifyPeer> options. --- a/doc/stunnel.pl.8.in
+++ b/doc/stunnel.pl.8.in
ECDH curves separated with ':' @@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
+Note: This option is supported for server mode sockets only.
+
Only a single curve name is allowed for OpenSSL older than 1.1.0.
To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
krzywe ECDH odddzielone ':'
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
Listę dostępnych krzywych można uzyskać poleceniem:
--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
+++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
@@ -564,6 +564,8 @@
<p>krzywe ECDH odddzielone &#39;:&#39;</p>
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
+
<p>Wersje OpenSSL starsze ni&#x17C; 1.1.0 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
<p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
.IX Item "curves = lista" .IX Item "curves = lista"
krzywe \s-1ECDH\s0 odddzielone ':' krzywe \s-1ECDH\s0 odddzielone ':'
.Sp .Sp
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+.Sp +.Sp
Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej. Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
.Sp .Sp
Listę dostępnych krzywych można uzyskać poleceniem: Listę dostępnych krzywych można uzyskać poleceniem:
diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
index 7be87f1..7fd7a7c 100644
--- a/doc/stunnel.pl.html.in
+++ b/doc/stunnel.pl.html.in
@@ -568,6 +568,8 @@
<p>krzywe ECDH odddzielone &#39;:&#39;</p>
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
+
<p>Wersje OpenSSL starsze ni&#x17C; 1.1.1 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
<p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
index dc6b255..712f751 100644
--- a/doc/stunnel.pl.pod.in
+++ b/doc/stunnel.pl.pod.in
@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
krzywe ECDH odddzielone ':'
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
Listę dostępnych krzywych można uzyskać poleceniem:
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
index 840c708..85cc199 100644
--- a/doc/stunnel.pod.in
+++ b/doc/stunnel.pod.in
@@ -501,6 +501,8 @@ I<verifyPeer> options.
ECDH curves separated with ':'
+Note: This option is supported for server mode sockets only.
+
Only a single curve name is allowed for OpenSSL older than 1.1.1.
To get a list of supported curves use:
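Review bot: besides the conversion to git format-patch, the refreshed context changes "OpenSSL older than 1.1.0" to "OpenSSL older than 1.1.1" in the stunnel.8.in, html, pod and Polish hunks. Those are unprefixed context lines, so the wording comes from upstream 5.71 and not from this patch, but the commit message only says "sync patches"; a one-line remark that the context was regenerated would spare the next reader a diff of the diffs. The Polish "odddzielone" typo is likewise upstream context and not this patch's to fix.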
--
2.37.3


@ -1,12 +0,0 @@
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
@@ -277,7 +277,7 @@ static char *option_not_found=
"Specified option name is not valid here";
static char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static char *stunnel_ciphersuites=


@ -1,219 +0,0 @@
diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
--- stunnel-5.56/src/ssl.c.verify-chain 2021-02-17 00:37:28.950981672 +0100
+++ stunnel-5.56/src/ssl.c 2021-02-17 00:37:36.047053139 +0100
@@ -1,6 +1,6 @@
/*
* stunnel TLS offloading and load-balancing proxy
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -39,7 +39,12 @@
#include "prototypes.h"
/* global OpenSSL initialization: compression, engine, entropy */
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp);
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
void *from_d, int idx, long argl, void *argp);
#else
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
"SERVICE_OPTIONS pointer", NULL, NULL, NULL);
index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
- "session authenticated", NULL, NULL, NULL);
+ "session authenticated", cb_new_auth, NULL, NULL);
index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
"session connect address", NULL, cb_dup_addr, cb_free_addr);
if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
BN_free(dh->p);
BN_free(dh->q);
BN_free(dh->g);
- dh->p = p;
- dh->q = q;
- dh->g = g;
+ dh->p=p;
+ dh->q=q;
+ dh->g=g;
if(q)
- dh->length = BN_num_bits(q);
+ dh->length=BN_num_bits(q);
return 1;
}
#endif
#endif
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int idx, long argl, void *argp) {
+ (void)parent; /* squash the unused parameter warning */
+ (void)ptr; /* squash the unused parameter warning */
+ (void)argl; /* squash the unused parameter warning */
+ s_log(LOG_DEBUG, "Initializing application specific data for %s",
+ (char *)argp);
+ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
+ sslerror("CRYPTO_set_ex_data");
+}
+
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
void *from_d, int idx, long argl, void *argp) {
#else
diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
--- stunnel-5.56/src/verify.c.verify-chain 2021-02-17 00:37:11.577806692 +0100
+++ stunnel-5.56/src/verify.c 2021-02-17 00:37:42.542118546 +0100
@@ -1,6 +1,6 @@
/*
* stunnel TLS offloading and load-balancing proxy
- * Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ * Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
s_log(LOG_INFO, "Certificate verification disabled");
return 1; /* accept */
}
- if(verify_checks(c, preverify_ok, callback_ctx)) {
+ if(verify_checks(c, preverify_ok, callback_ctx))
+ return 1; /* accept */
+ if(c->opt->option.client || c->opt->protocol)
+ return 0; /* reject */
+ if(c->opt->redirect_addr.names) {
SSL_SESSION *sess=SSL_get1_session(c->ssl);
if(sess) {
- int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
- (void *)(-1));
+ int ok=SSL_SESSION_set_ex_data(sess,
+ index_session_authenticated, NULL);
SSL_SESSION_free(sess);
if(!ok) {
sslerror("SSL_SESSION_set_ex_data");
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
}
return 1; /* accept */
}
- if(c->opt->option.client || c->opt->protocol)
- return 0; /* reject */
- if(c->opt->redirect_addr.names)
- return 1; /* accept */
return 0; /* reject */
}
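Review bot: this verify.c hunk is the security-relevant part of the dropped patch. In the removed version of verify_callback, a connection that failed verify_checks on a `redirect` service was still accepted but the session's authenticated marker was explicitly cleared (`SSL_SESSION_set_ex_data(sess, index_session_authenticated, NULL)`), with sessions initialised as authenticated through the cb_new_auth callback added in ssl.c. Dropping the patch is only safe if 5.71 contains an equivalent; please name the upstream release that absorbed it in the commit message, so nobody reintroduces a state where a resumed session from a client that failed chain verification is treated as authenticated.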
diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain 2021-02-17 00:38:44.823745781 +0100
+++ stunnel-5.56/tests/recipes/028_redirect_chain 2021-02-17 00:38:16.143456937 +0100
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Redirect TLS client connections on certificate-based authentication failures.
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
+# The success is expected because the client presents the *wrong* certificate
+# and the client connection is redirected.
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+
+. $(dirname $0)/../test_library
+
+start() {
+ ../../src/stunnel -fd 0 <<EOT
+ debug = debug
+ syslog = no
+ pid = ${result_path}/stunnel.pid
+ output = ${result_path}/stunnel.log
+
+ [client_1]
+ client = yes
+ accept = 127.0.0.1:${http1}
+ connect = 127.0.0.1:${https1}
+ ;cert = ${script_path}/certs/client_cert.pem
+;wrong self signed certificate
+ cert = ${script_path}/certs/stunnel.pem
+
+ [client_2]
+ client = yes
+ accept = 127.0.0.1:${http2}
+ connect = 127.0.0.1:${https2}
+
+ [server_1]
+ accept = 127.0.0.1:${https1}
+ exec = ${script_path}/execute
+ execArgs = execute 028_redirect_chain_error
+ redirect = ${http2}
+ cert = ${script_path}/certs/server_cert.pem
+ verifyChain = yes
+ CAfile = ${script_path}/certs/CACert.pem
+
+ [server_2]
+ accept = 127.0.0.1:${https2}
+ cert = ${script_path}/certs/server_cert.pem
+ exec = ${script_path}/execute
+ execArgs = execute 028_redirect_chain
+
+EOT
+}
+
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?
diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain 2021-02-17 00:38:57.819876672 +0100
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain 2021-02-17 00:38:24.895545080 +0100
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Do not redirect TLS client connections on certificate-based authentication success.
+# [client_1] -> [server_1]
+# The success is expected because the client presents the *correct* certificate
+# and the client connection isn't redirected.
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+
+. $(dirname $0)/../test_library
+
+start() {
+ ../../src/stunnel -fd 0 <<EOT
+ debug = debug
+ syslog = no
+ pid = ${result_path}/stunnel.pid
+ output = ${result_path}/stunnel.log
+
+ [client_1]
+ client = yes
+ accept = 127.0.0.1:${http1}
+ connect = 127.0.0.1:${https1}
+;correct certificate
+ cert = ${script_path}/certs/client_cert.pem
+
+ [client_2]
+ client = yes
+ accept = 127.0.0.1:${http2}
+ connect = 127.0.0.1:${https2}
+
+ [server_1]
+ accept = 127.0.0.1:${https1}
+ exec = ${script_path}/execute
+ execArgs = execute 029_no_redirect_chain
+ redirect = ${http2}
+ cert = ${script_path}/certs/server_cert.pem
+ verifyChain = yes
+ CAfile = ${script_path}/certs/CACert.pem
+
+ [server_2]
+ accept = 127.0.0.1:${https2}
+ cert = ${script_path}/certs/server_cert.pem
+ exec = ${script_path}/execute
+ execArgs = execute 029_no_redirect_chain_error
+
+EOT
+}
+
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?
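Review bot: the 028_redirect_chain and 029_no_redirect_chain recipes are removed together with the patch. If upstream 5.71 ships equivalent recipes, %check still exercises the redirect-on-verification-failure path; if it does not, consider keeping these two as downstream tests, since they are the only regression test for the behaviour the dropped patch fixed.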


@ -0,0 +1,27 @@
From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch
Patch-name: stunnel-5.61-systemd-service.patch
Patch-id: 1
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
tools/stunnel.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
index fa98996..0c5a216 100644
--- a/tools/stunnel.service.in
+++ b/tools/stunnel.service.in
@@ -6,6 +6,7 @@ After=syslog.target network-online.target
ExecStart=@bindir@/stunnel
ExecReload=/bin/kill -HUP $MAINPID
Type=forking
+PrivateTmp=true
[Install]
WantedBy=multi-user.target
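Review bot: `PrivateTmp=true` is the only sandboxing directive this patch adds, which is fine for its stated purpose. The refreshed context shows the unit still lists `After=syslog.target`, an obsolete target in current systemd (journald owns /dev/log), next to the `network-online.target` upstream now uses; that is not this patch's change, but it is worth raising with upstream rather than growing the downstream patch.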
--
2.37.3


@ -1,18 +1,68 @@
--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 From: Clemens Lang <cllang@redhat.com>
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); Date: Mon, 12 Sep 2022 11:07:38 +0200
ICON_IMAGE load_icon_file(const char *); Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL Patch-name: stunnel-5.69-default-tls-version.patch
+ crypto policies */ Patch-id: 5
+ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
#endif /* defined PROTOTYPES_H */ ---
src/ctx.c | 34 ++++++++++++++++++++++------------
src/options.c | 15 +++++++++++----
src/prototypes.h | 3 +++
3 files changed, 36 insertions(+), 16 deletions(-)
/* end of prototypes.h */ diff --git a/src/ctx.c b/src/ctx.c
--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 index 6a42a6b..cba24d9 100644
+++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 --- a/src/ctx.c
@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD +++ b/src/ctx.c
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
- if(section->min_proto_version &&
- !SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+ " crypto policies. Not setting explicitly.");
+ } else {
+ if(section->min_proto_version &&
+ !SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(section->max_proto_version &&
- !SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+ " crypto policies. Not setting explicitly");
+ } else {
+ if(section->max_proto_version &&
+ !SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
diff --git a/src/options.c b/src/options.c
index 4d31815..2ec5934 100644
--- a/src/options.c
+++ b/src/options.c
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
return "Invalid protocol version"; return "Invalid protocol version";
return NULL; /* OK */ return NULL; /* OK */
case CMD_INITIALIZE: case CMD_INITIALIZE:
@ -24,7 +74,7 @@
return "Invalid protocol version range"; return "Invalid protocol version range";
break; break;
case CMD_PRINT_DEFAULTS: case CMD_PRINT_DEFAULTS:
@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD @@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMax */ /* sslVersionMax */
switch(cmd) { switch(cmd) {
case CMD_SET_DEFAULTS: case CMD_SET_DEFAULTS:
@ -36,11 +86,11 @@
break; break;
case CMD_SET_COPY: case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version; section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD @@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMin */ /* sslVersionMin */
switch(cmd) { switch(cmd) {
case CMD_SET_DEFAULTS: case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION; - section->min_proto_version=0; /* lowest supported */
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in + section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto + OpenSSL crypto
+ policies. Do not + policies. Do not
@ -48,45 +98,20 @@
break; break;
case CMD_SET_COPY: case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version; section->min_proto_version=new_service_options.min_proto_version;
--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 diff --git a/src/prototypes.h b/src/prototypes.h
+++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 index 0ecd719..a126c9e 100644
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio --- a/src/prototypes.h
section->ctx=SSL_CTX_new(TLS_client_method()); +++ b/src/prototypes.h
else /* server mode */ @@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
section->ctx=SSL_CTX_new(TLS_server_method()); ICON_IMAGE load_icon_file(const char *);
- if(!SSL_CTX_set_min_proto_version(section->ctx, #endif
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", +#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
- section->min_proto_version); + crypto policies */
- return 1; /* FAILED */
+ +
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { #endif /* defined PROTOTYPES_H */
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly."); /* end of prototypes.h */
+ } else { --
+ if(!SSL_CTX_set_min_proto_version(section->ctx, 2.39.2
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
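Review bot: the two informational messages differ only in that the maximum-version one lacks the trailing period ("Not setting explicitly"), exactly as in the 5.56 version; trivial, but since the patch is being regenerated anyway this is the moment to fix it. More substantively, the refreshed context shows upstream now defaults min_proto_version to 0 ("lowest supported") where it used to be TLS1_VERSION, so with the `USE_DEFAULT_TLS_VERSION` sentinel of `((int)-2)` the downstream floor is exactly whatever the crypto policy says. The CMD_PRINT_DEFAULTS branch is collapsed in this view; please double-check that it prints something meaningful for sslVersionMin/sslVersionMax rather than the raw -2.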


@ -0,0 +1,37 @@
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sprasad@localhost.localdomain>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
On Fedora, CentOS and RHEL, the system's crypto policies are the best
source to determine which cipher suites to accept in TLS. On these
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
policies. Change stunnel to default to this setting.
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
Patch-name: stunnel-5.69-system-ciphers.patch
Patch-id: 3
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/options.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/options.c b/src/options.c
index 6e4a18b..4d31815 100644
--- a/src/options.c
+++ b/src/options.c
@@ -321,9 +321,9 @@ static const char *option_not_found=
"Specified option name is not valid here";
static const char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
static const char *fips_cipher_list=
- "FIPS:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static const char *stunnel_ciphersuites=
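Review bot: the description only talks about the default cipher list, but the hunk also replaces `fips_cipher_list` ("FIPS:!DH:!kDHEPSK") with PROFILE=SYSTEM. That is probably intended, since in FIPS mode the system policy is the FIPS policy, but it means stunnel no longer excludes kDHEPSK on its own and relies entirely on the policy; please say so in the patch description. Also, the From line uses `sprasad@localhost.localdomain` while Co-Authored-by carries the redhat.com address; one of the two is presumably wrong.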
--
2.39.2


@ -1,7 +1,7 @@
# Do not generate provides for private libraries # Do not generate provides for private libraries
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$ %global __provides_exclude_from ^%{_libdir}/stunnel/.*$
%if 0%{?fedora} > 27 || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
%bcond_with libwrap %bcond_with libwrap
%else %else
%bcond_without libwrap %bcond_without libwrap
@ -9,11 +9,11 @@
Summary: A TLS-encrypting socket wrapper Summary: A TLS-encrypting socket wrapper
Name: stunnel Name: stunnel
Version: 5.56 Version: 5.71
Release: 5%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPLv2
Group: Applications/Internet Group: Applications/Internet
URL: http://www.stunnel.org/ URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
Source2: Certificate-Creation Source2: Certificate-Creation
@ -22,15 +22,19 @@ Source4: stunnel-sfinger.conf
Source5: pop3-redirect.xinetd Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service Source7: stunnel@.service
# Upstream release signing key
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
# the remote one makes packit source-git choke.
Source99: pgp.asc
Patch0: stunnel-5.50-authpriv.patch Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.50-systemd-service.patch Patch1: stunnel-5.61-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch Patch3: stunnel-5.69-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch Patch5: stunnel-5.69-default-tls-version.patch
Patch5: stunnel-5.56-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.56-verify-chain.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gnupg2
BuildRequires: openssl-devel, pkgconfig, util-linux BuildRequires: openssl-devel, pkgconfig, util-linux
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
%if %{with libwrap} %if %{with libwrap}
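Review bot: dropping `Patch7: stunnel-5.56-verify-chain.patch` (the CVE-2021-20230 fix according to the 5.56-5 changelog entry further down) without a corresponding line in the new changelog entry makes it hard to audit that upstream 5.71 carries that fix; add a bullet such as `- Drop verify-chain and coverity patches, fixed upstream` so the history of the CVE fix can be traced from the changelog alone. The new `BuildRequires: gnupg2` matching `Source99: pgp.asc` is correct, since `%{gpgverify}` needs gpg available at build time.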
@ -40,7 +44,8 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html BuildRequires: /usr/bin/pod2html
# build test requirements # build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: systemd BuildRequires: python3.11 python3.11-cryptography openssl
BuildRequires: systemd systemd-devel
%{?systemd_requires} %{?systemd_requires}
%description %description
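Review bot: `BuildRequires: python3.11 python3.11-cryptography openssl` hard-codes a specific interpreter version for the test suite, so the spec will need editing whenever that stack is retired or the default python changes; a `%global test_python python3.11` macro near the top of the spec, used here and wherever the tests are invoked, keeps that choice in one place. The `systemd-devel` addition is consistent with the socket activation support listed in the changelog.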
@ -50,20 +55,16 @@ to ordinary applications. For example, it can be used in
conjunction with imapd to create a TLS secure IMAP server. conjunction with imapd to create a TLS secure IMAP server.
%prep %prep
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q %setup -q
%patch0 -p1 -b .authpriv %patch0 -p1 -b .authpriv
%patch1 -p1 -b .systemd-service %patch1 -p1 -b .systemd-service
%patch3 -p1 -b .system-ciphers %patch3 -p1 -b .system-ciphers
%patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version %patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update %patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .verify-chain
# Fix the configure script output for FIPS mode and stack protector flag # Fix the stack protector flag
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
# Fix a testcase with system-ciphers support
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
%build %build
#autoreconf -v #autoreconf -v
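Review bot: the remaining `sed -i 's/-fstack-protector/-fstack-protector-strong/' configure` is unguarded: if a future upstream `configure` already emits `-fstack-protector-strong` the substitution produces `-fstack-protector-strong-strong`, and if the string disappears the hardening silently stops applying. Match a trailing non-dash character (`s/-fstack-protector\([^-]\)/-fstack-protector-strong\1/`) and follow it with `grep -q -- '-fstack-protector-strong' configure || exit 1` so the build fails loudly instead. Running `%{gpgverify}` before `%setup -q` is the right order, since the tarball is authenticated before it is unpacked.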
@ -78,6 +79,7 @@ fi
%else %else
--disable-libwrap \ --disable-libwrap \
%endif %endif
--with-bashcompdir=%{_datadir}/bash-completion/completions \
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
@ -93,22 +95,18 @@ for lang in pl ; do
done done
mkdir srpm-docs mkdir srpm-docs
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_unitdir}
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif
%check %check
# For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible if ! make test; then
# in Fedora or normal RHEL-8 install. for i in tests/logs/*.log; do
rm tests/recipes/042_inetd echo "$i":
# We override the security policy as it is too strict for the tests. cat "$i"
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file done
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE exit 1
OPENSSL_CONF= fi
export OPENSSL_CONF
make test
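Review bot: removing the `OPENSSL_SYSTEM_CIPHERS_OVERRIDE` and `OPENSSL_CONF=` overrides means `make test` now runs under the build host's real crypto-policy, which is what the `PROFILE=SYSTEM` default from Patch3 needs in order to be exercised at all, but it also means test results now vary with the host policy (DEFAULT, FUTURE or FIPS), so a later policy tightening can break the build with no change to this package; the `for i in tests/logs/*.log` dump on failure is the right mitigation for diagnosing that in the build system. The `rm tests/recipes/042_inetd` workaround also disappears without a changelog line saying the test now passes, which deserves one sentence.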
%files %files
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
@ -127,9 +125,8 @@ make test
%lang(pl) %{_mandir}/pl/man8/stunnel.8* %lang(pl) %{_mandir}/pl/man8/stunnel.8*
%dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}
%exclude %{_sysconfdir}/stunnel/* %exclude %{_sysconfdir}/stunnel/*
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
%{_unitdir}/%{name}*.service %{_unitdir}/%{name}*.service
%endif %{_datadir}/bash-completion/completions/%{name}.bash
%post %post
/sbin/ldconfig /sbin/ldconfig
@ -143,6 +140,13 @@ make test
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
%changelog %changelog
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
- New upstream release 5.71
Resolves: RHEL-2340
- Enable socket activation support
- verify upstream source in %%prep
- clean up stale conditionals
* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5 * Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
- Fixes CVE-2021-20230 stunnel: client certificate not - Fixes CVE-2021-20230 stunnel: client certificate not
correctly verified when redirect and verifyChain options are used. correctly verified when redirect and verifyChain options are used.
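Review bot: the bullets in the 5.71-1 changelog entry mix capitalization (`- Enable socket activation support` next to `- verify upstream source in %%prep` and `- clean up stale conditionals`); pick one form for consistency with the older entries. The doubled percent in `%%prep` is the correct escaping for a changelog line.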