New upstream release 5.69
Resolves: rhbz#2139207 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
057127f700
commit
9d17847efb
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (stunnel-5.66.tar.gz) = 7034f4de953df2a55a0837ff1b5bddcec0bc89a6c2bd33371d0cb59125f0a6abb1540456603e0079727821654e20657844f8e38e8e801f2bdf86bc1b6490c0aa
|
SHA512 (stunnel-5.69.tar.gz) = 6ae7b3bc126d45a633e91a4c9e5841d321c8704753866c0e5d0e94cbb189288a5b699dfdbc4d0b26f0c39ca69bae2c8f96f26a3b2b4a7b626f457845e6a53d2d
|
||||||
SHA512 (stunnel-5.66.tar.gz.asc) = 6c1cc73752bf7068b5b865bdc1f2073ca755fa290e7687186878091cf8ead425bcfa8249f2588298565a71f0dad037247dc46391561702f298c3044ffb58b383
|
SHA512 (stunnel-5.69.tar.gz.asc) = cc4d28be3eece53bf3d8413c1855c70548d8d3bfee9fce3a31bc3c00f12eb6a4905de23875cbbbad7d99356d3f767792d823e132ab4222f515fbf314617496c3
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 9cd8694f2b742e46370d38c34a53523c1aafae93 Mon Sep 17 00:00:00 2001
|
From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
Subject: [PATCH 1/8] Apply patch stunnel-5.50-authpriv.patch
|
Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
|
||||||
|
|
||||||
Patch-name: stunnel-5.50-authpriv.patch
|
Patch-name: stunnel-5.50-authpriv.patch
|
||||||
Patch-id: 0
|
Patch-id: 0
|
||||||
@ -14,49 +14,49 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
|||||||
4 files changed, 7 insertions(+), 3 deletions(-)
|
4 files changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||||
index d5de80b..a56f0b7 100644
|
index 8cd8bc0..b5d7d75 100644
|
||||||
--- a/doc/stunnel.8.in
|
--- a/doc/stunnel.8.in
|
||||||
+++ b/doc/stunnel.8.in
|
+++ b/doc/stunnel.8.in
|
||||||
@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and
|
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
|
||||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
|
||||||
.Sp
|
.Sp
|
||||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
The default logging level is notice (5).
|
||||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
.Sp
|
||||||
|
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||||
|
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||||
(Facilities are not supported on Win32.)
|
(Facilities are not supported on Win32.)
|
||||||
.Sp
|
.Sp
|
||||||
Case is ignored for both facilities and levels.
|
Case is ignored for both facilities and levels.
|
||||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||||
index 4f84d5c..608afa9 100644
|
index a7931aa..cda5993 100644
|
||||||
--- a/doc/stunnel.html.in
|
--- a/doc/stunnel.html.in
|
||||||
+++ b/doc/stunnel.html.in
|
+++ b/doc/stunnel.html.in
|
||||||
@@ -244,7 +244,7 @@
|
@@ -248,7 +248,7 @@
|
||||||
|
|
||||||
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
|
<p>The default logging level is notice (5).</p>
|
||||||
|
|
||||||
-<p>The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
-<p>The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||||
+<p>The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
+<p>The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||||
|
|
||||||
<p>Case is ignored for both facilities and levels.</p>
|
<p>Case is ignored for both facilities and levels.</p>
|
||||||
|
|
||||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||||
index 0246f82..840c708 100644
|
index a54b25d..f830cf3 100644
|
||||||
--- a/doc/stunnel.pod.in
|
--- a/doc/stunnel.pod.in
|
||||||
+++ b/doc/stunnel.pod.in
|
+++ b/doc/stunnel.pod.in
|
||||||
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and
|
@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||||
all levels numerically less than it will be shown. Use I<debug = debug> or
|
|
||||||
I<debug = 7> for greatest debugging output. The default is notice (5).
|
|
||||||
|
|
||||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
The default logging level is notice (5).
|
||||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
|
||||||
|
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||||
|
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||||
(Facilities are not supported on Win32.)
|
(Facilities are not supported on Win32.)
|
||||||
|
|
||||||
Case is ignored for both facilities and levels.
|
Case is ignored for both facilities and levels.
|
||||||
diff --git a/src/options.c b/src/options.c
|
diff --git a/src/options.c b/src/options.c
|
||||||
index 9ac9c7e..5007f83 100644
|
index 5f8ad8b..6e4a18b 100644
|
||||||
--- a/src/options.c
|
--- a/src/options.c
|
||||||
+++ b/src/options.c
|
+++ b/src/options.c
|
||||||
@@ -1878,7 +1878,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
section->log_level=LOG_NOTICE;
|
section->log_level=LOG_NOTICE;
|
||||||
#if !defined (USE_WIN32) && !defined (__vms)
|
#if !defined (USE_WIN32) && !defined (__vms)
|
||||||
@ -69,5 +69,5 @@ index 9ac9c7e..5007f83 100644
|
|||||||
break;
|
break;
|
||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
--
|
--
|
||||||
2.37.3
|
2.39.2
|
||||||
|
|
||||||
|
@ -1,30 +0,0 @@
|
|||||||
From 41fcdaf237b2ba32de266d6935f8e4dc58e8bcb2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sahana Prasad <sprasad@localhost.localdomain>
|
|
||||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
|
||||||
Subject: [PATCH 3/8] Apply patch stunnel-5.56-system-ciphers.patch
|
|
||||||
|
|
||||||
Patch-name: stunnel-5.56-system-ciphers.patch
|
|
||||||
Patch-id: 3
|
|
||||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
|
||||||
---
|
|
||||||
src/options.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
|
||||||
index 5007f83..418f25d 100644
|
|
||||||
--- a/src/options.c
|
|
||||||
+++ b/src/options.c
|
|
||||||
@@ -320,8 +320,8 @@ static SERVICE_OPTIONS new_service_options;
|
|
||||||
static const char *option_not_found=
|
|
||||||
"Specified option name is not valid here";
|
|
||||||
|
|
||||||
-static const char *stunnel_cipher_list=
|
|
||||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
|
||||||
+static char *stunnel_cipher_list=
|
|
||||||
+ "PROFILE=SYSTEM";
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_TLS1_3
|
|
||||||
static const char *stunnel_ciphersuites=
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,76 +0,0 @@
|
|||||||
From ba3b7eace6f1fd5797be649dd7ba87b3ec988293 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
|
||||||
Subject: [PATCH 7/8] Skip FIPS tests if FIPS is unconfigured
|
|
||||||
|
|
||||||
When built against OpenSSL 3 with the enable-fips option, the FIPS
|
|
||||||
shared library can be loaded, but unless the system administrator has
|
|
||||||
run openssl fipsinstall and modified the OpenSSL configuration, FIPS
|
|
||||||
mode will still fail with an error message saying it is missing config
|
|
||||||
data.
|
|
||||||
|
|
||||||
Since this does not indicate a problem with stunnel's code, but with the
|
|
||||||
underlying OpenSSL setup, skip the test if this occurs. This is the same
|
|
||||||
behavior when running against a copy of OpenSSL 3.x that was not built
|
|
||||||
with 'enable-fips'.
|
|
||||||
|
|
||||||
Upstream-Status: Inappropriate [configuration]
|
|
||||||
Patch-status: Skip FIPS tests if FIPS is unconfigured
|
|
||||||
Patch-name: stunnel-5.61-fips-test.patch
|
|
||||||
Patch-id: 7
|
|
||||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
|
||||||
---
|
|
||||||
tests/plugins/p10_fips.py | 3 ++-
|
|
||||||
tests/plugins/p11_fips_cipher.py | 8 +++++---
|
|
||||||
2 files changed, 7 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/plugins/p10_fips.py b/tests/plugins/p10_fips.py
|
|
||||||
index 5d2bc56..68680c0 100644
|
|
||||||
--- a/tests/plugins/p10_fips.py
|
|
||||||
+++ b/tests/plugins/p10_fips.py
|
|
||||||
@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):
|
|
||||||
self.events.skip = [
|
|
||||||
"FIPS provider not available",
|
|
||||||
"fips mode not supported",
|
|
||||||
- r"FIPS PROVIDER.*could not load the shared library"
|
|
||||||
+ r"FIPS PROVIDER.*could not load the shared library",
|
|
||||||
+ r"FIPS PROVIDER.*missing config data"
|
|
||||||
]
|
|
||||||
self.events.failure = [
|
|
||||||
"peer did not return a certificate",
|
|
||||||
diff --git a/tests/plugins/p11_fips_cipher.py b/tests/plugins/p11_fips_cipher.py
|
|
||||||
index 0280a1d..22eebd7 100644
|
|
||||||
--- a/tests/plugins/p11_fips_cipher.py
|
|
||||||
+++ b/tests/plugins/p11_fips_cipher.py
|
|
||||||
@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):
|
|
||||||
self.events.skip = [
|
|
||||||
"FIPS provider not available",
|
|
||||||
"fips mode not supported",
|
|
||||||
- r"FIPS PROVIDER.*could not load the shared library"
|
|
||||||
+ r"FIPS PROVIDER.*could not load the shared library",
|
|
||||||
+ r"FIPS PROVIDER.*missing config data"
|
|
||||||
]
|
|
||||||
self.events.count = 1
|
|
||||||
self.events.success = [
|
|
||||||
@@ -88,7 +89,7 @@ class FailureCiphersuitesFIPS(StunnelTest):
|
|
||||||
"FIPS provider not available",
|
|
||||||
"fips mode not supported",
|
|
||||||
r"FIPS PROVIDER.*could not load the shared library",
|
|
||||||
- "Specified option name is not valid here"
|
|
||||||
+ r"FIPS PROVIDER.*missing config data"
|
|
||||||
]
|
|
||||||
self.events.count = 1
|
|
||||||
self.events.success = [
|
|
||||||
@@ -147,7 +148,8 @@ class FailureEllipticCurveFIPS(StunnelTest):
|
|
||||||
self.events.skip = [
|
|
||||||
"FIPS provider not available",
|
|
||||||
"fips mode not supported",
|
|
||||||
- r"FIPS PROVIDER.*could not load the shared library"
|
|
||||||
+ r"FIPS PROVIDER.*could not load the shared library",
|
|
||||||
+ r"FIPS PROVIDER.*missing config data"
|
|
||||||
]
|
|
||||||
self.events.count = 1
|
|
||||||
self.events.success = [
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
@ -1,66 +1,68 @@
|
|||||||
From a8a49e5040e78200b6fb4220132c9e7c3aff1383 Mon Sep 17 00:00:00 2001
|
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
Subject: [PATCH 5/8] Apply patch stunnel-5.61-default-tls-version.patch
|
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
|
||||||
|
|
||||||
Patch-name: stunnel-5.61-default-tls-version.patch
|
Patch-name: stunnel-5.69-default-tls-version.patch
|
||||||
Patch-id: 5
|
Patch-id: 5
|
||||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
---
|
---
|
||||||
src/ctx.c | 32 +++++++++++++++++++++-----------
|
src/ctx.c | 34 ++++++++++++++++++++++------------
|
||||||
src/options.c | 15 +++++++++++----
|
src/options.c | 15 +++++++++++----
|
||||||
src/prototypes.h | 3 +++
|
src/prototypes.h | 3 +++
|
||||||
3 files changed, 35 insertions(+), 15 deletions(-)
|
3 files changed, 36 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/ctx.c b/src/ctx.c
|
diff --git a/src/ctx.c b/src/ctx.c
|
||||||
index cc0806c..309ed91 100644
|
index 6a42a6b..cba24d9 100644
|
||||||
--- a/src/ctx.c
|
--- a/src/ctx.c
|
||||||
+++ b/src/ctx.c
|
+++ b/src/ctx.c
|
||||||
@@ -152,18 +152,28 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
||||||
section->ctx=SSL_CTX_new(section->option.client ?
|
section->ctx=SSL_CTX_new(section->option.client ?
|
||||||
TLS_client_method() : TLS_server_method());
|
TLS_client_method() : TLS_server_method());
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||||
- if(!SSL_CTX_set_min_proto_version(section->ctx,
|
- if(section->min_proto_version &&
|
||||||
|
- !SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
- section->min_proto_version)) {
|
- section->min_proto_version)) {
|
||||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||||
- section->min_proto_version);
|
- section->min_proto_version);
|
||||||
- return 1; /* FAILED */
|
- return 1; /* FAILED */
|
||||||
- }
|
|
||||||
- if(!SSL_CTX_set_max_proto_version(section->ctx,
|
|
||||||
- section->max_proto_version)) {
|
|
||||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
|
||||||
- section->max_proto_version);
|
|
||||||
- return 1; /* FAILED */
|
|
||||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
|
||||||
+ "OpenSSL crypto policies. Not setting explicitly.");
|
+ " crypto policies. Not setting explicitly.");
|
||||||
+ } else {
|
+ } else {
|
||||||
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
|
+ if(section->min_proto_version &&
|
||||||
|
+ !SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
+ section->min_proto_version)) {
|
+ section->min_proto_version)) {
|
||||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||||
+ section->min_proto_version);
|
+ section->min_proto_version);
|
||||||
+ return 1; /* FAILED */
|
+ return 1; /* FAILED */
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
|
- if(section->max_proto_version &&
|
||||||
|
- !SSL_CTX_set_max_proto_version(section->ctx,
|
||||||
|
- section->max_proto_version)) {
|
||||||
|
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||||
|
- section->max_proto_version);
|
||||||
|
- return 1; /* FAILED */
|
||||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||||
+ s_log(LOG_INFO, "Using the default TLS version as specified in "
|
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
|
||||||
+ "OpenSSL crypto policies. Not setting explicitly");
|
+ " crypto policies. Not setting explicitly");
|
||||||
+ } else {
|
+ } else {
|
||||||
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
|
+ if(section->max_proto_version &&
|
||||||
|
+ !SSL_CTX_set_max_proto_version(section->ctx,
|
||||||
+ section->max_proto_version)) {
|
+ section->max_proto_version)) {
|
||||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||||
+ section->max_proto_version);
|
+ section->max_proto_version);
|
||||||
+ return 1; /* FAILED */
|
+ return 1; /* FAILED */
|
||||||
+ }
|
+ }
|
||||||
+ }
|
}
|
||||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||||
if(section->option.client)
|
if(section->option.client)
|
||||||
section->ctx=SSL_CTX_new(section->client_method);
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
diff --git a/src/options.c b/src/options.c
|
||||||
index 418f25d..09d02bd 100644
|
index 4d31815..2ec5934 100644
|
||||||
--- a/src/options.c
|
--- a/src/options.c
|
||||||
+++ b/src/options.c
|
+++ b/src/options.c
|
||||||
@@ -3289,8 +3289,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
return "Invalid protocol version";
|
return "Invalid protocol version";
|
||||||
return NULL; /* OK */
|
return NULL; /* OK */
|
||||||
case CMD_INITIALIZE:
|
case CMD_INITIALIZE:
|
||||||
@ -72,7 +74,7 @@ index 418f25d..09d02bd 100644
|
|||||||
return "Invalid protocol version range";
|
return "Invalid protocol version range";
|
||||||
break;
|
break;
|
||||||
case CMD_PRINT_DEFAULTS:
|
case CMD_PRINT_DEFAULTS:
|
||||||
@@ -3308,7 +3309,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
/* sslVersionMax */
|
/* sslVersionMax */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
@ -84,11 +86,11 @@ index 418f25d..09d02bd 100644
|
|||||||
break;
|
break;
|
||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->max_proto_version=new_service_options.max_proto_version;
|
section->max_proto_version=new_service_options.max_proto_version;
|
||||||
@@ -3339,7 +3343,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
/* sslVersionMin */
|
/* sslVersionMin */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
- section->min_proto_version=TLS1_VERSION;
|
- section->min_proto_version=0; /* lowest supported */
|
||||||
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||||
+ OpenSSL crypto
|
+ OpenSSL crypto
|
||||||
+ policies. Do not
|
+ policies. Do not
|
||||||
@ -97,10 +99,10 @@ index 418f25d..09d02bd 100644
|
|||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->min_proto_version=new_service_options.min_proto_version;
|
section->min_proto_version=new_service_options.min_proto_version;
|
||||||
diff --git a/src/prototypes.h b/src/prototypes.h
|
diff --git a/src/prototypes.h b/src/prototypes.h
|
||||||
index 89d77b8..23f6014 100644
|
index 0ecd719..a126c9e 100644
|
||||||
--- a/src/prototypes.h
|
--- a/src/prototypes.h
|
||||||
+++ b/src/prototypes.h
|
+++ b/src/prototypes.h
|
||||||
@@ -930,6 +930,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||||
ICON_IMAGE load_icon_file(const char *);
|
ICON_IMAGE load_icon_file(const char *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -111,5 +113,5 @@ index 89d77b8..23f6014 100644
|
|||||||
|
|
||||||
/* end of prototypes.h */
|
/* end of prototypes.h */
|
||||||
--
|
--
|
||||||
2.37.3
|
2.39.2
|
||||||
|
|
37
stunnel-5.69-system-ciphers.patch
Normal file
37
stunnel-5.69-system-ciphers.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sahana Prasad <sprasad@localhost.localdomain>
|
||||||
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
|
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
|
||||||
|
|
||||||
|
On Fedora, CentOS and RHEL, the system's crypto policies are the best
|
||||||
|
source to determine which cipher suites to accept in TLS. On these
|
||||||
|
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||||
|
policies. Change stunnel to default to this setting.
|
||||||
|
|
||||||
|
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
|
||||||
|
Patch-name: stunnel-5.69-system-ciphers.patch
|
||||||
|
Patch-id: 3
|
||||||
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
|
---
|
||||||
|
src/options.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/options.c b/src/options.c
|
||||||
|
index 6e4a18b..4d31815 100644
|
||||||
|
--- a/src/options.c
|
||||||
|
+++ b/src/options.c
|
||||||
|
@@ -321,9 +321,9 @@ static const char *option_not_found=
|
||||||
|
"Specified option name is not valid here";
|
||||||
|
|
||||||
|
static const char *stunnel_cipher_list=
|
||||||
|
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||||
|
+ "PROFILE=SYSTEM";
|
||||||
|
static const char *fips_cipher_list=
|
||||||
|
- "FIPS:!DH:!kDHEPSK";
|
||||||
|
+ "PROFILE=SYSTEM";
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_TLS1_3
|
||||||
|
static const char *stunnel_ciphersuites=
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
23
stunnel.spec
23
stunnel.spec
@ -9,8 +9,8 @@
|
|||||||
|
|
||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.66
|
Version: 5.69
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: https://www.stunnel.org/
|
URL: https://www.stunnel.org/
|
||||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||||
@ -27,16 +27,19 @@ Source99: https://www.stunnel.org/pgp.asc
|
|||||||
Patch0: stunnel-5.50-authpriv.patch
|
Patch0: stunnel-5.50-authpriv.patch
|
||||||
# Apply patch stunnel-5.61-systemd-service.patch
|
# Apply patch stunnel-5.61-systemd-service.patch
|
||||||
Patch1: stunnel-5.61-systemd-service.patch
|
Patch1: stunnel-5.61-systemd-service.patch
|
||||||
# Apply patch stunnel-5.56-system-ciphers.patch
|
# Use cipher configuration from crypto-policies
|
||||||
Patch3: stunnel-5.56-system-ciphers.patch
|
#
|
||||||
|
# On Fedora, CentOS and RHEL, the system's crypto policies are the best
|
||||||
|
# source to determine which cipher suites to accept in TLS. On these
|
||||||
|
# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||||
|
# policies. Change stunnel to default to this setting.
|
||||||
|
Patch3: stunnel-5.69-system-ciphers.patch
|
||||||
# Apply patch stunnel-5.56-coverity.patch
|
# Apply patch stunnel-5.56-coverity.patch
|
||||||
Patch4: stunnel-5.56-coverity.patch
|
Patch4: stunnel-5.56-coverity.patch
|
||||||
# Apply patch stunnel-5.61-default-tls-version.patch
|
# Apply patch stunnel-5.69-default-tls-version.patch
|
||||||
Patch5: stunnel-5.61-default-tls-version.patch
|
Patch5: stunnel-5.69-default-tls-version.patch
|
||||||
# Apply patch stunnel-5.56-curves-doc-update.patch
|
# Apply patch stunnel-5.56-curves-doc-update.patch
|
||||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||||
# Skip FIPS tests if FIPS is unconfigured
|
|
||||||
Patch7: stunnel-5.61-fips-test.patch
|
|
||||||
# Limit curves defaults in FIPS mode
|
# Limit curves defaults in FIPS mode
|
||||||
Patch8: stunnel-5.62-disabled-curves.patch
|
Patch8: stunnel-5.62-disabled-curves.patch
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
@ -143,6 +146,10 @@ fi
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 06 2023 Clemens Lang <cllang@redhat.com> - 5.69-1
|
||||||
|
- New upstream release 5.69
|
||||||
|
Resolves: rhbz#2139207
|
||||||
|
|
||||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.66-2
|
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.66-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user