New upstream release 5.71

Drop patches that are no longer needed, sync patches from Fedora.
Backport spec file improvements from Fedora.

Resolves: RHEL-2468
Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang 2023-10-05 13:22:24 +02:00
parent 6e12981e3c
commit 6c91664a3d
14 changed files with 390 additions and 383 deletions

2
.gitignore vendored
View File

@ -122,3 +122,5 @@ stunnel-4.33.tar.gz.asc
/stunnel-5.61.tar.gz.asc
/stunnel-5.62.tar.gz
/stunnel-5.62.tar.gz.asc
/stunnel-5.71.tar.gz
/stunnel-5.71.tar.gz.asc

125
pgp.asc Normal file
View File

@ -0,0 +1,125 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT
1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK
JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan
OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT
JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe
tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa
sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx
RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu
XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc
Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq
HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA
G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD
ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu
VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID
AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj
k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs
pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq
eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL
CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG
L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH
xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez
YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l
qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR
EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm
qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c
MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy
b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb
AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq
owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U
0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+
B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN
d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ
zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx
Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H
3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV
t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8
eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b
rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst
r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb
/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN
aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI
CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE
iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl
qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS
bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ
jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ
Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj
zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM
f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM
9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio
bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e
GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23
+6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU
68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z
kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6
q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1
3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb
Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G
KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ
HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef
wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1
eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc
gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE
7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB
AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA
N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r
PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f
xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT
3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp
hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j
KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv
MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW
Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY
SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm
CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE
SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA
q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/
fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD
Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g
qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u
/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F
ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj
PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK
zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue
Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU
qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp
42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB
AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd
f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz
qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM
UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN
oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV
wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW
YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv
WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG
TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV
AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz
GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM
eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8
PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw
I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2
1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx
dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml
DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M
5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+
kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh
NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b
zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
=EgcU
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,2 +1,2 @@
SHA512 (stunnel-5.62.tar.gz) = 4ce03faa27e417b49fbdf0fbac91befb2c05ce64694b4b6fd2fc482031ee4a229299627133a47ff3efdfdffce751e1300d95d0a8ac1f1858c7c96f0b067170de
SHA512 (stunnel-5.62.tar.gz.asc) = 983b41100e7ef6dba5a9b7e7cd64e50b1f6860a6bf18ca393e14d65680bfed951475e6f7f4ec9e8da036aaa86e0668f65e3df7025220eda7315de4d110a24ac5
SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc

View File

@ -1,43 +1,62 @@
diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in
--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100
+++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100
@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
Patch-name: stunnel-5.50-authpriv.patch
Patch-id: 0
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
doc/stunnel.8.in | 2 +-
doc/stunnel.html.in | 2 +-
doc/stunnel.pod.in | 2 +-
src/options.c | 4 ++++
4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
index 8cd8bc0..b5d7d75 100644
--- a/doc/stunnel.8.in
+++ b/doc/stunnel.8.in
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
.Sp
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
The default logging level is notice (5).
.Sp
-The syslog 'daemon' facility will be used unless a facility name is supplied.
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
.Sp
Case is ignored for both facilities and levels.
diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in
--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100
+++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100
@@ -244,7 +244,7 @@
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
index a7931aa..cda5993 100644
--- a/doc/stunnel.html.in
+++ b/doc/stunnel.html.in
@@ -248,7 +248,7 @@
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
<p>The default logging level is notice (5).</p>
-<p>The syslog facility &#39;daemon&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog facility &#39;authpriv&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
-<p>The syslog &#39;daemon&#39; facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog &#39;authpriv&#39; facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
<p>Case is ignored for both facilities and levels.</p>
diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in
--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100
+++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th
all levels numerically less than it will be shown. Use I<debug = debug> or
I<debug = 7> for greatest debugging output. The default is notice (5).
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
index a54b25d..f830cf3 100644
--- a/doc/stunnel.pod.in
+++ b/doc/stunnel.pod.in
@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
The default logging level is notice (5).
-The syslog 'daemon' facility will be used unless a facility name is supplied.
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
(Facilities are not supported on Win32.)
Case is ignored for both facilities and levels.
diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100
+++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100
@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD
diff --git a/src/options.c b/src/options.c
index 5f8ad8b..6e4a18b 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
case CMD_SET_DEFAULTS:
section->log_level=LOG_NOTICE;
#if !defined (USE_WIN32) && !defined (__vms)
@ -45,8 +64,10 @@ diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c
+ new_global_options.log_facility=LOG_AUTHPRIV;
+#else
new_global_options.log_facility=LOG_DAEMON;
#endif
+#endif
#endif
break;
case CMD_SET_COPY:
section->log_level=new_service_options.log_level;
--
2.39.2

View File

@ -1,22 +0,0 @@
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
for(;;) {
va_copy(ap, start_ap);
n=vsnprintf(p, size, format, ap);
+ va_end(ap);
if(n>-1 && n<(int)size)
return p;
if(n>-1) /* glibc 2.1 */
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
#endif
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
s_log(LOG_ERR, "Connection rejected: create_client failed");
- closesocket(s);
#ifndef USE_FORK
service_free(opt);
#endif

View File

@ -1,6 +1,25 @@
--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200
+++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200
@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w
From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
Patch-name: stunnel-5.56-curves-doc-update.patch
Patch-id: 6
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
doc/stunnel.8.in | 2 ++
doc/stunnel.html.in | 2 ++
doc/stunnel.pl.8.in | 2 ++
doc/stunnel.pl.html.in | 2 ++
doc/stunnel.pl.pod.in | 2 ++
doc/stunnel.pod.in | 2 ++
6 files changed, 12 insertions(+)
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
index a56f0b7..977a1a4 100644
--- a/doc/stunnel.8.in
+++ b/doc/stunnel.8.in
@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
.IX Item "curves = list"
\&\s-1ECDH\s0 curves separated with ':'
.Sp
@ -9,9 +28,11 @@
Only a single curve name is allowed for OpenSSL older than 1.1.1.
.Sp
To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200
+++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200
@@ -568,6 +568,8 @@
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
index 608afa9..cecc81a 100644
--- a/doc/stunnel.html.in
+++ b/doc/stunnel.html.in
@@ -570,6 +570,8 @@
<p>ECDH curves separated with &#39;:&#39;</p>
@ -20,42 +41,11 @@
<p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>
<p>To get a list of supported curves use:</p>
--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200
+++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200
@@ -499,6 +499,8 @@ I<verifyPeer> options.
ECDH curves separated with ':'
+Note: This option is supported for server mode sockets only.
+
Only a single curve name is allowed for OpenSSL older than 1.1.1.
To get a list of supported curves use:
--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200
+++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200
@@ -507,6 +507,8 @@ przez opcje I<verifyChain> i I<verifyPee
krzywe ECDH odddzielone ':'
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
Listę dostępnych krzywych można uzyskać poleceniem:
--- stunnel-5.56/doc/stunnel.pl.html.in.curves-doc-update 2020-04-16 17:24:46.857579674 +0200
+++ stunnel-5.56/doc/stunnel.pl.html.in 2020-04-16 17:46:13.385404626 +0200
@@ -564,6 +564,8 @@
<p>krzywe ECDH odddzielone &#39;:&#39;</p>
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
+
<p>Wersje OpenSSL starsze ni&#x17C; 1.1.1 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
<p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200
+++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200
@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif
diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
index e2e6622..eae88f8 100644
--- a/doc/stunnel.pl.8.in
+++ b/doc/stunnel.pl.8.in
@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
.IX Item "curves = lista"
krzywe \s-1ECDH\s0 odddzielone ':'
.Sp
@ -64,3 +54,45 @@
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
.Sp
Listę dostępnych krzywych można uzyskać poleceniem:
diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
index 7be87f1..7fd7a7c 100644
--- a/doc/stunnel.pl.html.in
+++ b/doc/stunnel.pl.html.in
@@ -568,6 +568,8 @@
<p>krzywe ECDH odddzielone &#39;:&#39;</p>
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
+
<p>Wersje OpenSSL starsze ni&#x17C; 1.1.1 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
<p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
index dc6b255..712f751 100644
--- a/doc/stunnel.pl.pod.in
+++ b/doc/stunnel.pl.pod.in
@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
krzywe ECDH odddzielone ':'
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
+
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
Listę dostępnych krzywych można uzyskać poleceniem:
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
index 840c708..85cc199 100644
--- a/doc/stunnel.pod.in
+++ b/doc/stunnel.pod.in
@@ -501,6 +501,8 @@ I<verifyPeer> options.
ECDH curves separated with ':'
+Note: This option is supported for server mode sockets only.
+
Only a single curve name is allowed for OpenSSL older than 1.1.1.
To get a list of supported curves use:
--
2.37.3

View File

@ -1,12 +0,0 @@
diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c
--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200
+++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200
@@ -277,7 +277,7 @@ static char *option_not_found=
"Specified option name is not valid here";
static char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static char *stunnel_ciphersuites=

View File

@ -1,19 +0,0 @@
tests: Adapt to OpenSSL 3.x FIPS mode
In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
a human-readable error message (such as "no ciphers available"), but
instead causes an internal error. Extend the success regex list to also
accept this result.
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 2022-01-12 15:15:03.211690650 +0100
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 15:15:20.937008173 +0100
@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
self.events.count = 1
self.events.success = [
"disabled for FIPS",
- "no ciphers available"
+ "no ciphers available",
+ "TLS alert \\(write\\): fatal: internal error"
]
self.events.failure = [
"peer did not return a certificate",

View File

@ -1,7 +1,20 @@
diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
--- stunnel-5.61/tools/stunnel.service.in.systemd-service 2022-01-12 14:48:32.474150329 +0100
+++ stunnel-5.61/tools/stunnel.service.in 2022-01-12 14:50:15.253984639 +0100
@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch
Patch-name: stunnel-5.61-systemd-service.patch
Patch-id: 1
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
tools/stunnel.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
index fa98996..0c5a216 100644
--- a/tools/stunnel.service.in
+++ b/tools/stunnel.service.in
@@ -6,6 +6,7 @@ After=syslog.target network-online.target
ExecStart=@bindir@/stunnel
ExecReload=/bin/kill -HUP $MAINPID
Type=forking
@ -9,3 +22,6 @@ diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tool
[Install]
WantedBy=multi-user.target
--
2.37.3

View File

@ -1,57 +0,0 @@
Limit curves defaults in FIPS mode
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
but stunnel defaults to enabling them and then fails to do so.
Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
--- stunnel-5.62/src/options.c.disabled-curves 2022-02-04 13:46:45.936884124 +0100
+++ stunnel-5.62/src/options.c 2022-02-04 13:53:16.346725153 +0100
@@ -40,8 +40,10 @@
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
#else /* OpenSSL version < 1.1.1 */
#define DEFAULT_CURVES "prime256v1"
+#define DEFAULT_CURVES_FIPS "prime256v1"
#endif /* OpenSSL version >= 1.1.1 */
#if defined(_WIN32_WCE) && !defined(CONFDIR)
@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
/* curves */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->curves=str_dup_detached(DEFAULT_CURVES);
+ section->curves = NULL;
break;
case CMD_SET_COPY:
section->curves=str_dup_detached(new_service_options.curves);
@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
section->curves=str_dup_detached(arg);
return NULL; /* OK */
case CMD_INITIALIZE:
+ if(!section->curves) {
+ /* this is only executed for global options, because
+ * section->curves is no longer NULL in sections */
+#ifdef USE_FIPS
+ if(new_global_options.option.fips)
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
+ else
+#endif /* USE_FIPS */
+ section->curves=str_dup_detached(DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_DEFAULTS:
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ if(fips_available()) {
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
+ DEFAULT_CURVES, "(with \"fips = no\")");
+ } else {
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
+ }
break;
case CMD_PRINT_HELP:
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");

View File

@ -1,140 +0,0 @@
From 6baa5762ea5edb192ec003333d62b1d0e56509bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Sun, 11 Sep 2022 23:52:18 +0200
Subject: [PATCH] stunnel-5.66
---
src/common.h | 6 +++++-
src/ctx.c | 58 +++++++++++++++++++++++++++++++++++++++++++---------
2 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/src/common.h b/src/common.h
index bc37eb5..997e66e 100644
--- a/src/common.h
+++ b/src/common.h
@@ -491,7 +491,7 @@ extern char *sys_errlist[];
#include <openssl/dh.h>
#if OPENSSL_VERSION_NUMBER<0x10100000L
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* OpenSSL older than 1.1.0 */
+#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */
#endif /* !defined(OPENSSL_NO_DH) */
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
@@ -503,8 +503,12 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
/* not defined in public headers before OpenSSL 0.9.8 */
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
#endif /* !defined(OPENSSL_NO_COMP) */
+#if OPENSSL_VERSION_NUMBER>=0x10101000L
+#include <openssl/storeerr.h>
+#endif /* OPENSSL_VERSION_NUMBER>=0x10101000L */
#if OPENSSL_VERSION_NUMBER>=0x30000000L
#include <openssl/provider.h>
+#include <openssl/proverr.h>
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
#ifndef OPENSSL_VERSION
diff --git a/src/ctx.c b/src/ctx.c
index a2202b7..cc0806c 100644
--- a/src/ctx.c
+++ b/src/ctx.c
@@ -1001,30 +1001,41 @@ NOEXPORT int ui_retry() {
unsigned long err=ERR_peek_error();
switch(ERR_GET_LIB(err)) {
- case ERR_LIB_ASN1:
- return 1;
- case ERR_LIB_PKCS12:
+ case ERR_LIB_EVP: /* 6 */
switch(ERR_GET_REASON(err)) {
- case PKCS12_R_MAC_VERIFY_FAILURE:
+ case EVP_R_BAD_DECRYPT:
return 1;
default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_EVP error reason: %d",
+ ERR_GET_REASON(err));
return 0;
}
- case ERR_LIB_EVP:
+ case ERR_LIB_PEM: /* 9 */
switch(ERR_GET_REASON(err)) {
- case EVP_R_BAD_DECRYPT:
+ case PEM_R_BAD_PASSWORD_READ:
+ case PEM_R_BAD_DECRYPT:
return 1;
default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PEM error reason: %d",
+ ERR_GET_REASON(err));
return 0;
}
- case ERR_LIB_PEM:
+ case ERR_LIB_ASN1: /* 13 */
+ return 1;
+ case ERR_LIB_PKCS12: /* 35 */
switch(ERR_GET_REASON(err)) {
- case PEM_R_BAD_PASSWORD_READ:
+ case PKCS12_R_MAC_VERIFY_FAILURE:
return 1;
default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PKCS12 error reason: %d",
+ ERR_GET_REASON(err));
return 0;
}
- case ERR_LIB_UI:
+#ifdef ERR_LIB_DSO /* 37 */
+ case ERR_LIB_DSO:
+ return 1;
+#endif
+ case ERR_LIB_UI: /* 40 */
switch(ERR_GET_REASON(err)) {
case UI_R_RESULT_TOO_LARGE:
case UI_R_RESULT_TOO_SMALL:
@@ -1033,17 +1044,44 @@ NOEXPORT int ui_retry() {
#endif
return 1;
default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_UI error reason: %d",
+ ERR_GET_REASON(err));
+ return 0;
+ }
+#ifdef ERR_LIB_OSSL_STORE
+ case ERR_LIB_OSSL_STORE: /* 44 - added in OpenSSL 1.1.1 */
+ switch(ERR_GET_REASON(err)) {
+ case OSSL_STORE_R_BAD_PASSWORD_READ:
+ return 1;
+ default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_OSSL_STORE error reason: %d",
+ ERR_GET_REASON(err));
+ return 0;
+ }
+#endif
+#ifdef ERR_LIB_PROV
+ case ERR_LIB_PROV: /* 57 - added in OpenSSL 3.0 */
+ switch(ERR_GET_REASON(err)) {
+ case PROV_R_BAD_DECRYPT:
+ return 1;
+ default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_PROV error reason: %d",
+ ERR_GET_REASON(err));
return 0;
}
- case ERR_LIB_USER: /* PKCS#11 hacks */
+#endif
+ case ERR_LIB_USER: /* 128 - PKCS#11 hacks */
switch(ERR_GET_REASON(err)) {
case 7UL: /* CKR_ARGUMENTS_BAD */
case 0xa0UL: /* CKR_PIN_INCORRECT */
return 1;
default:
+ s_log(LOG_ERR, "Unhandled ERR_LIB_USER error reason: %d",
+ ERR_GET_REASON(err));
return 0;
}
default:
+ s_log(LOG_ERR, "Unhandled error library: %d", ERR_GET_LIB(err));
return 0;
}
}
--
2.38.1

View File

@ -1,50 +1,68 @@
diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
--- stunnel-5.61/src/ctx.c.default-tls-version 2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/ctx.c 2022-01-10 19:27:49.913243127 +0100
@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
Patch-name: stunnel-5.69-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/ctx.c | 34 ++++++++++++++++++++++------------
src/options.c | 15 +++++++++++----
src/prototypes.h | 3 +++
3 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/src/ctx.c b/src/ctx.c
index 6a42a6b..cba24d9 100644
--- a/src/ctx.c
+++ b/src/ctx.c
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
section->ctx=SSL_CTX_new(section->option.client ?
TLS_client_method() : TLS_server_method());
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- if(section->min_proto_version &&
- !SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
- }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+ " crypto policies. Not setting explicitly.");
+ } else {
+ if(section->min_proto_version &&
+ !SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(section->max_proto_version &&
- !SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly.");
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+ " crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ if(section->max_proto_version &&
+ !SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
+ "OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
+ }
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
--- stunnel-5.61/src/options.c.default-tls-version 2022-01-10 19:23:15.096254067 +0100
+++ stunnel-5.61/src/options.c 2022-01-10 19:23:15.098254103 +0100
@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
diff --git a/src/options.c b/src/options.c
index 4d31815..2ec5934 100644
--- a/src/options.c
+++ b/src/options.c
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
@ -56,7 +74,7 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
@ -68,11 +86,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
- section->min_proto_version=0; /* lowest supported */
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
@ -80,10 +98,11 @@ diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
--- stunnel-5.61/src/prototypes.h.default-tls-version 2021-12-13 09:43:22.000000000 +0100
+++ stunnel-5.61/src/prototypes.h 2022-01-10 19:23:15.099254121 +0100
@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
diff --git a/src/prototypes.h b/src/prototypes.h
index 0ecd719..a126c9e 100644
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
@ -93,3 +112,6 @@ diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prot
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */
--
2.39.2

View File

@ -0,0 +1,37 @@
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sprasad@localhost.localdomain>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
On Fedora, CentOS and RHEL, the system's crypto policies are the best
source to determine which cipher suites to accept in TLS. On these
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
policies. Change stunnel to default to this setting.
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
Patch-name: stunnel-5.69-system-ciphers.patch
Patch-id: 3
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/options.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/options.c b/src/options.c
index 6e4a18b..4d31815 100644
--- a/src/options.c
+++ b/src/options.c
@@ -321,9 +321,9 @@ static const char *option_not_found=
"Specified option name is not valid here";
static const char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
static const char *fips_cipher_list=
- "FIPS:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static const char *stunnel_ciphersuites=
--
2.39.2

View File

@ -1,7 +1,7 @@
# Do not generate provides for private libraries
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
%if 0%{?fedora} > 27 || 0%{?rhel} > 7
%if 0%{?fedora} || 0%{?rhel} > 7
%bcond_with libwrap
%else
%bcond_without libwrap
@ -9,8 +9,8 @@
Summary: A TLS-encrypting socket wrapper
Name: stunnel
Version: 5.62
Release: 3%{?dist}
Version: 5.71
Release: 1%{?dist}
License: GPLv2
URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
@ -21,18 +21,19 @@ Source4: stunnel-sfinger.conf
Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf
Source7: stunnel@.service
# Upstream release signing key
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
# the remote one makes packit source-git choke.
Source99: pgp.asc
Patch0: stunnel-5.50-authpriv.patch
Patch1: stunnel-5.61-systemd-service.patch
Patch3: stunnel-5.56-system-ciphers.patch
Patch4: stunnel-5.56-coverity.patch
Patch5: stunnel-5.61-default-tls-version.patch
Patch3: stunnel-5.69-system-ciphers.patch
Patch5: stunnel-5.69-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.61-openssl30-fips.patch
Patch8: stunnel-5.62-disabled-curves.patch
Patch9: stunnel-5.62-openssl3-error-handling.patch
# util-linux is needed for rename
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
BuildRequires: openssl-devel, pkgconfig, util-linux
BuildRequires: autoconf automake libtool
%if %{with libwrap}
@ -42,8 +43,8 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html
# build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: python3 openssl
BuildRequires: systemd
BuildRequires: python3 python3-cryptography openssl
BuildRequires: systemd systemd-devel
%{?systemd_requires}
%description
@ -53,16 +54,13 @@ to ordinary applications. For example, it can be used in
conjunction with imapd to create a TLS secure IMAP server.
%prep
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q
%patch0 -p1 -b .authpriv
%patch1 -p1 -b .systemd-service
%patch3 -p1 -b .system-ciphers
%patch4 -p1 -b .coverity
%patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .openssl30-fips
%patch8 -p1 -b .disabled-curves
%patch9 -p1 -b .openssl3-error-handling
# Fix the stack protector flag
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@ -80,6 +78,7 @@ fi
%else
--disable-libwrap \
%endif
--with-bashcompdir=%{_datadir}/bash-completion/completions \
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
@ -95,11 +94,9 @@ for lang in pl ; do
done
mkdir srpm-docs
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
mkdir -p %{buildroot}%{_unitdir}
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
%endif
%check
if ! make test; then
@ -127,9 +124,7 @@ fi
%lang(pl) %{_mandir}/pl/man8/stunnel.8*
%dir %{_sysconfdir}/%{name}
%exclude %{_sysconfdir}/stunnel/*
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
%{_unitdir}/%{name}*.service
%endif
%{_datadir}/bash-completion/completions/%{name}.bash
%post
@ -144,6 +139,13 @@ fi
%systemd_postun_with_restart %{name}.service
%changelog
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
- New upstream release 5.71
Resolves: RHEL-2468
- Enable socket activation support
- verify upstream source in %%prep
- clean up stale conditionals
* Thu Dec 08 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
- Fix use of encrypted key files and password retry with OpenSSL 3
Resolves: rhbz#2151888