New upstream release 5.71
* Features - OCSP stapling is requested and verified in the client mode. - Using "verifyChain" automatically enables OCSP stapling in the client mode. - OCSP stapling is always available in the server mode. - An inconclusive OCSP verification breaks TLS negotiation. This can be disabled with "OCSPrequire = no". - Added the "TIMEOUTocsp" option to control the maximum time allowed for connecting an OCSP responder. - Added support for Red Hat OpenSSL 3.x patches. Resolves: rhbz#2239740 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang
parent
a0c4ac9d12
commit
c27f314594
@ -1,3 +1,7 @@
|
||||
* Thu Oct 5 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
|
||||
- New upstream release 5.71
|
||||
Resolves: rhbz#2239740
|
||||
|
||||
* Wed Aug 30 2023 Clemens Lang <cllang@redhat.com> - 5.70-3
|
||||
- migrated to SPDX license
|
||||
|
||||
|
||||
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (stunnel-5.70.tar.gz) = f3fd1c248561d300932ebf64988f4de6596be898bbfe8f370566d9fd9eafef294704f85ed9699410377d7f1c4c27f8ba0edbaabccca87fac7d5a40ac90a3b837
|
||||
SHA512 (stunnel-5.70.tar.gz.asc) = 453496109a4da4b931da6c202ec1db2bb959b6a2698789236bf00022d2f21f468dc7cf6464fc1132c7d91225c41a69e4a6a03f571e305297e8b2b265bf68bb2c
|
||||
SHA512 (stunnel-5.71.tar.gz) = c7004f48b93b3415305eec1193d51b7bf51a3bdd2cdc9f6ae588f563b32408b1ecde83b9f3f5b658f945ab5bcc5124390c38235394aad4471bf5b666081af2a2
|
||||
SHA512 (stunnel-5.71.tar.gz.asc) = 513cd7bc9b46e92451ae1d48eb8dc7e64374c820cf8a3d86fcd04d365d673e632234af17880501ddc2e62e4d15e592e90ff308e47436b487b01160f905753ebc
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From c705c47f486cff5b6d79ca3183a6faec015f3ac1 Mon Sep 17 00:00:00 2001
|
||||
From: Sahana Prasad <sahana@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 4/8] Apply patch stunnel-5.56-coverity.patch
|
||||
|
||||
Patch-name: stunnel-5.56-coverity.patch
|
||||
Patch-id: 4
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
src/str.c | 1 +
|
||||
src/stunnel.c | 1 -
|
||||
2 files changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/str.c b/src/str.c
|
||||
index b9eca81..fd62db8 100644
|
||||
--- a/src/str.c
|
||||
+++ b/src/str.c
|
||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va_list start_ap) {
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
+ va_end(ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
diff --git a/src/stunnel.c b/src/stunnel.c
|
||||
index 4ce906b..31115ea 100644
|
||||
--- a/src/stunnel.c
|
||||
+++ b/src/stunnel.c
|
||||
@@ -445,7 +445,6 @@ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt, unsigned i) {
|
||||
#endif
|
||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
||||
- closesocket(s);
|
||||
#ifndef USE_FORK
|
||||
service_free(opt);
|
||||
#endif
|
||||
--
|
||||
2.37.3
|
||||
|
||||
@ -1,71 +0,0 @@
|
||||
From 2043ed7c27e14310bec49e1df6348af3882db7bb Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 8/8] Limit curves defaults in FIPS mode
|
||||
|
||||
Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
|
||||
but stunnel defaults to enabling them and then fails to do so.
|
||||
|
||||
Patch-name: stunnel-5.62-disabled-curves.patch
|
||||
Patch-status: Limit curves defaults in FIPS mode
|
||||
Patch-id: 8
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
src/options.c | 23 +++++++++++++++++++++--
|
||||
1 file changed, 21 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 09d02bd..fe4e776 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -39,8 +39,10 @@
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
|
||||
+#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
|
||||
#else /* OpenSSL version < 1.1.1 */
|
||||
#define DEFAULT_CURVES "prime256v1"
|
||||
+#define DEFAULT_CURVES_FIPS "prime256v1"
|
||||
#endif /* OpenSSL version >= 1.1.1 */
|
||||
|
||||
#if defined(_WIN32_WCE) && !defined(CONFDIR)
|
||||
@@ -1847,7 +1849,7 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
/* curves */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||
+ section->curves = NULL;
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->curves=str_dup_detached(new_service_options.curves);
|
||||
@@ -1862,9 +1864,26 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
section->curves=str_dup_detached(arg);
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
+ if(!section->curves) {
|
||||
+ /* this is only executed for global options, because
|
||||
+ * section->curves is no longer NULL in sections */
|
||||
+#ifdef USE_FIPS
|
||||
+ if(new_global_options.option.fips)
|
||||
+ section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
|
||||
+ else
|
||||
+#endif /* USE_FIPS */
|
||||
+ section->curves=str_dup_detached(DEFAULT_CURVES);
|
||||
+ }
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
|
||||
- s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||
+ if(fips_available()) {
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||
+ DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
|
||||
+ DEFAULT_CURVES, "(with \"fips = no\")");
|
||||
+ } else {
|
||||
+ s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
|
||||
+ }
|
||||
break;
|
||||
case CMD_PRINT_HELP:
|
||||
s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
|
||||
--
|
||||
2.37.3
|
||||
|
||||
12
stunnel.spec
12
stunnel.spec
@ -9,7 +9,7 @@
|
||||
|
||||
Summary: A TLS-encrypting socket wrapper
|
||||
Name: stunnel
|
||||
Version: 5.70
|
||||
Version: 5.71
|
||||
Release: %autorelease
|
||||
License: GPL-2.0-or-later WITH stunnel-exception AND MIT
|
||||
URL: https://www.stunnel.org/
|
||||
@ -22,7 +22,9 @@ Source5: pop3-redirect.xinetd
|
||||
Source6: stunnel-pop3s-client.conf
|
||||
Source7: stunnel@.service
|
||||
# Upstream release signing key
|
||||
Source99: https://www.stunnel.org/pgp.asc
|
||||
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
|
||||
# the remote one makes packit source-git choke.
|
||||
Source99: pgp.asc
|
||||
# Apply patch stunnel-5.50-authpriv.patch
|
||||
Patch0: stunnel-5.50-authpriv.patch
|
||||
# Apply patch stunnel-5.61-systemd-service.patch
|
||||
@ -34,14 +36,10 @@ Patch1: stunnel-5.61-systemd-service.patch
|
||||
# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||
# policies. Change stunnel to default to this setting.
|
||||
Patch3: stunnel-5.69-system-ciphers.patch
|
||||
# Apply patch stunnel-5.56-coverity.patch
|
||||
Patch4: stunnel-5.56-coverity.patch
|
||||
# Apply patch stunnel-5.69-default-tls-version.patch
|
||||
Patch5: stunnel-5.69-default-tls-version.patch
|
||||
# Apply patch stunnel-5.56-curves-doc-update.patch
|
||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||
# Limit curves defaults in FIPS mode
|
||||
Patch8: stunnel-5.62-disabled-curves.patch
|
||||
# util-linux is needed for rename
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
@ -55,7 +53,7 @@ BuildRequires: /usr/bin/pod2man
|
||||
BuildRequires: /usr/bin/pod2html
|
||||
# build test requirements
|
||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||
BuildRequires: python3 openssl
|
||||
BuildRequires: python3 python3-cryptography openssl
|
||||
BuildRequires: systemd systemd-devel
|
||||
%{?systemd_requires}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user