From d9eb0fa3f8aabfa74da2d7c7cf5e15325fa3342d Mon Sep 17 00:00:00 2001 
From: eabdullin
Date: Wed, 20 Nov 2024 13:50:52 +0000
Subject: [PATCH] import RHEL 10 Beta stunnel-5.72-5.el10
---
 .gitignore | 2 +-
 .stunnel.metadata | 1 -
 ...rtificate-Creation => Certificate-Creation | 0
 ...e-NO_TLSv1.-123-option-compatibility.patch | 37 ---
 SOURCES/stunnel-5.71.tar.gz.asc | 18 --
 ...5.72-speed-up-loading-client-CA-list.patch | 107 --------
 SOURCES/pgp.asc => pgp.asc | 0
 ...p3-redirect.xinetd => pop3-redirect.xinetd | 0
 SOURCES/sfinger.xinetd => sfinger.xinetd | 0
 sources | 1 +
 ...hpriv.patch => stunnel-5.50-authpriv.patch | 0
 ...ch => stunnel-5.56-curves-doc-update.patch | 0
 ...atch => stunnel-5.61-systemd-service.patch | 0
 ...patch => stunnel-5.69-system-ciphers.patch | 0
 ... => stunnel-5.72-default-tls-version.patch | 38 ++--
 stunnel-5.72.tar.gz.asc | 16 ++
 ...s-client.conf => stunnel-pop3s-client.conf | 0
 ...unnel-sfinger.conf => stunnel-sfinger.conf | 0
 SPECS/stunnel.spec => stunnel.spec | 210 ++++++++++++++----
 SOURCES/stunnel@.service => stunnel@.service | 0
 20 files changed, 203 insertions(+), 227 deletions(-)
 delete mode 100644 .stunnel.metadata
 rename SOURCES/Certificate-Creation => Certificate-Creation (100%)
 delete mode 100644 SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
 delete mode 100644 SOURCES/stunnel-5.71.tar.gz.asc
 delete mode 100644 SOURCES/stunnel-5.72-speed-up-loading-client-CA-list.patch
 rename SOURCES/pgp.asc => pgp.asc (100%)
 rename SOURCES/pop3-redirect.xinetd => pop3-redirect.xinetd (100%)
 rename SOURCES/sfinger.xinetd => sfinger.xinetd (100%)
 create mode 100644 sources
 rename SOURCES/stunnel-5.50-authpriv.patch => stunnel-5.50-authpriv.patch (100%)
 rename SOURCES/stunnel-5.56-curves-doc-update.patch => stunnel-5.56-curves-doc-update.patch (100%)
 rename SOURCES/stunnel-5.61-systemd-service.patch => stunnel-5.61-systemd-service.patch (100%)
 rename SOURCES/stunnel-5.69-system-ciphers.patch => stunnel-5.69-system-ciphers.patch (100%)
 rename SOURCES/stunnel-5.69-default-tls-version.patch => stunnel-5.72-default-tls-version.patch (82%)
 create mode 100644 stunnel-5.72.tar.gz.asc
 rename SOURCES/stunnel-pop3s-client.conf => stunnel-pop3s-client.conf (100%)
 rename SOURCES/stunnel-sfinger.conf => stunnel-sfinger.conf (100%)
 rename SPECS/stunnel.spec => stunnel.spec (78%)
 rename SOURCES/stunnel@.service => stunnel@.service (100%)
diff --git a/.gitignore b/.gitignore
index a0c6578..e1a4c52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.71.tar.gz
+stunnel-5.72.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
deleted file mode 100644
index f05f04b..0000000
--- a/.stunnel.metadata
+++ /dev/null
@@ -1 +0,0 @@
-dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz
diff --git a/SOURCES/Certificate-Creation b/Certificate-Creation
similarity index 100%
rename from SOURCES/Certificate-Creation
rename to Certificate-Creation
diff --git a/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch b/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
deleted file mode 100644
index 8b11a61..0000000
--- a/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
+++ /dev/null
@@ -1,37 +0,0 @@ -From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 19 Oct 2023 14:41:54 +0200 -Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility - -On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and -NO_TLSv1.3 values for the options directive. Since we do not break -compatibility, preserve these options for customers that have them set. - -Related: RHEL-2340 ---- - src/options.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/options.c b/src/options.c -index a306c4c..c05692c 100644 ---- a/src/options.c -+++ b/src/options.c -@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = { - #endif - #ifdef SSL_OP_NO_TLSv1_1 - {"NO_TLSv1_1", SSL_OP_NO_TLSv1_1}, -+ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1}, - #endif - #ifdef SSL_OP_NO_TLSv1_2 - {"NO_TLSv1_2", SSL_OP_NO_TLSv1_2}, -+ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2}, - #endif - #ifdef SSL_OP_NO_TLSv1_3 - {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3}, -+ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3}, - #endif - #ifdef SSL_OP_PKCS1_CHECK_1 - {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1}, --- -2.41.0 - diff --git a/SOURCES/stunnel-5.71.tar.gz.asc b/SOURCES/stunnel-5.71.tar.gz.asc deleted file mode 100644 index 6c33f21..0000000 --- a/SOURCES/stunnel-5.71.tar.gz.asc +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo -aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC -QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW -4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A -NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+ -qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4 -37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL -Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9 -SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr -iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr -tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx -bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy -6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn -l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU= -=6RnW ------END PGP SIGNATURE----- diff --git a/SOURCES/stunnel-5.72-speed-up-loading-client-CA-list.patch b/SOURCES/stunnel-5.72-speed-up-loading-client-CA-list.patch deleted file mode 100644 index 7c16aa8..0000000 --- a/SOURCES/stunnel-5.72-speed-up-loading-client-CA-list.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 5f0b818f62720d5bd8b8c9c631604ddb4c992be7 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Wed, 31 Jul 2024 15:35:24 +0200 -Subject: [PATCH] src/verify.c: Speed up loading client CA list - -Do not attempt to load and print all trusted CAs unless we need them to -invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be -slow, especially if there are many. The CAdir format allows OpenSSL to -only load them on demand, avoiding this overhead. - -Additionally, SSL_CTX_load_verify_locations(3) supports file formats -that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3) -do not support, for example certificates in the BEGIN TRUSTED -CERTIFICATE format. Valid configurations with older stunnel versions -that point to such a file would otherwise needlessly start failing. - -Additionally, use SSL_load_client_CA_file(3) to load certificates from -a file rather than SSL_add_file_cert_subjects_to_stack(3), since the -former uses a hashtable for deduplication, but the latter relies on -a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in -OpenSSL, because the comparison function for X509_NAMEs converts them to -DER involving a memory allocation, which is already expensive, but even -more expensive when used with stunnel's custom allocator functions. - -An upstream PR openssl/openssl#25056 will eventually fix this, but it -will take quite a while for this to arrive on users' systems, and it -will likely not be backported into older affected versions of OpenSSL or -their forks. 
- -Related: RHEL-50154 -Related: RHEL-46411 -Signed-off-by: Clemens Lang ---- - src/verify.c | 42 ++++++++++++++++++++++++++++-------------- - 1 file changed, 28 insertions(+), 14 deletions(-) - -diff --git a/src/verify.c b/src/verify.c -index 56ab130..d1d3849 100644 ---- a/src/verify.c -+++ b/src/verify.c -@@ -95,10 +95,35 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) { - if(!SSL_CTX_load_verify_locations(section->ctx, - section->ca_file, section->ca_dir)) { - sslerror("SSL_CTX_load_verify_locations"); -+ return 1; /* FAILED */ - } - } - -- ca_dn=sk_X509_NAME_new_null(); -+ /* Do not attempt to load and print all trusted CAs unless we need them to -+ invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be -+ slow, especially if there are many. The CAdir format allows OpenSSL to -+ only load them on demand. -+ Additionally, SSL_CTX_load_verify_locations(3) supports file formats -+ that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3) -+ do not support, for example certificates in the BEGIN TRUSTED -+ CERTIFICATE format. Valid configurations with older stunnel versions -+ that point to such a file would otherwise needlessly start failing. */ -+ if(section->option.client) -+ return 0; /* OK */ -+ -+ if(section->ca_file) -+ /* SSL_load_client_CA_file is a lot faster than -+ SSL_add_file_cert_subjects_to_stack(). Use it for ca_file if -+ specified, then add the rest of the certificates to this stack. */ -+ ca_dn=SSL_load_client_CA_file(section->ca_file); -+ -+ if (!ca_dn) -+ /* ca_file not set, or SSL_load_client_CA_file(3) failed. 
*/ -+ ca_dn=sk_X509_NAME_new_null(); -+ -+ /* client CA list initialization from directory */ -+ if(section->ca_dir) -+ SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir); - - #ifndef OPENSSL_NO_ENGINE - /* CA and client CA list initialization with the engine */ -@@ -115,24 +140,13 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) { - } - #endif - -- /* client CA list initialization with the file and/or directory */ -- if(section->ca_file) -- SSL_add_file_cert_subjects_to_stack(ca_dn, section->ca_file); -- if(section->ca_dir) -- SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir); -- - if(!sk_X509_NAME_num(ca_dn)) { - sk_X509_NAME_pop_free(ca_dn, X509_NAME_free); - return 1; /* FAILED */ - } - -- if(section->option.client) { -- print_CA_list("Configured trusted server CA", ca_dn); -- sk_X509_NAME_pop_free(ca_dn, X509_NAME_free); -- } else { /* only set the client CA list on the server */ -- print_CA_list("Configured trusted client CA", ca_dn); -- SSL_CTX_set_client_CA_list(section->ctx, ca_dn); -- } -+ print_CA_list("Configured trusted client CA", ca_dn); -+ SSL_CTX_set_client_CA_list(section->ctx, ca_dn); - - return 0; /* OK */ - } --- -2.45.2 - diff --git a/SOURCES/pgp.asc b/pgp.asc similarity index 100% rename from SOURCES/pgp.asc rename to pgp.asc diff --git a/SOURCES/pop3-redirect.xinetd b/pop3-redirect.xinetd similarity index 100% rename from SOURCES/pop3-redirect.xinetd rename to pop3-redirect.xinetd diff --git a/SOURCES/sfinger.xinetd b/sfinger.xinetd similarity index 100% rename from SOURCES/sfinger.xinetd rename to sfinger.xinetd diff --git a/sources b/sources new file mode 100644 index 0000000..3b7bec9 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (stunnel-5.72.tar.gz) = 2607bed1159412dc36ed0455ed158ab3141782f05ddaf3605076f1a0e371bc1ada1606cab65a6bc52d69a8c685345617578cb79d521330f2e1d12af3dcbd37ca 
diff --git a/SOURCES/stunnel-5.50-authpriv.patch b/stunnel-5.50-authpriv.patch similarity index 100% rename from SOURCES/stunnel-5.50-authpriv.patch rename to stunnel-5.50-authpriv.patch diff --git a/SOURCES/stunnel-5.56-curves-doc-update.patch b/stunnel-5.56-curves-doc-update.patch similarity index 100% rename from SOURCES/stunnel-5.56-curves-doc-update.patch rename to stunnel-5.56-curves-doc-update.patch diff --git a/SOURCES/stunnel-5.61-systemd-service.patch b/stunnel-5.61-systemd-service.patch similarity index 100% rename from SOURCES/stunnel-5.61-systemd-service.patch rename to stunnel-5.61-systemd-service.patch diff --git a/SOURCES/stunnel-5.69-system-ciphers.patch b/stunnel-5.69-system-ciphers.patch similarity index 100% rename from SOURCES/stunnel-5.69-system-ciphers.patch rename to stunnel-5.69-system-ciphers.patch diff --git a/SOURCES/stunnel-5.69-default-tls-version.patch b/stunnel-5.72-default-tls-version.patch similarity index 82% rename from SOURCES/stunnel-5.69-default-tls-version.patch rename to stunnel-5.72-default-tls-version.patch index 36ac353..67c22e5 100644 --- a/SOURCES/stunnel-5.69-default-tls-version.patch +++ b/stunnel-5.72-default-tls-version.patch @@ -1,9 +1,13 @@ -From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001 +From c104c853a545b00992c7c3b3aa0d625016dc1577 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Mon, 12 Sep 2022 11:07:38 +0200 -Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch +Subject: [PATCH 4/5] Use TLS version f/crypto-policies unless specified -Patch-name: stunnel-5.69-default-tls-version.patch +Do not explicitly set the TLS version and rely on the defaults from +crypto-policies unless a TLS minimum or maximum version are explicitly +specified in the stunnel configuration. + +Patch-name: stunnel-5.72-default-tls-version.patch Patch-id: 5 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 --- 
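Review bot: The rewritten header of stunnel-5.72-default-tls-version.patch updates the From commit id, the Subject (`[PATCH 4/5]`) and `Patch-name:`, but keeps `Patch-id: 5` and `From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3` as unchanged context, so the trailers still describe the 5.69 version of the patch while the index lines and hunk offsets in the rest of the file are rebased onto 5.72. The Subject numbering the patch 4 of 5 next to `Patch-id: 5` also suggests two different numbering runs were merged. If this file comes from a packit source-git export, the trailers should be taken from the same export; if it was rebased by hand, dropping the stale `From-dist-git-commit:` line, or replacing it with the commit the rebase was actually taken from, keeps the provenance record accurate.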
@@ -13,13 +17,13 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3 3 files changed, 36 insertions(+), 16 deletions(-) diff --git a/src/ctx.c b/src/ctx.c -index 6a42a6b..cba24d9 100644 +index 8d0e9de..3418779 100644 --- a/src/ctx.c +++ b/src/ctx.c -@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ - section->ctx=SSL_CTX_new(section->option.client ? - TLS_client_method() : TLS_server_method()); - #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ +@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ + + /* set supported protocol versions */ + #if OPENSSL_VERSION_NUMBER>=0x10100000L - if(section->min_proto_version && - !SSL_CTX_set_min_proto_version(section->ctx, - section->min_proto_version)) { @@ -56,13 +60,13 @@ index 6a42a6b..cba24d9 100644 + return 1; /* FAILED */ + } } - #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ - if(section->option.client) + #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */ + diff --git a/src/options.c b/src/options.c -index 4d31815..2ec5934 100644 +index 12b57fe..816c06e 100644 --- a/src/options.c +++ b/src/options.c -@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -3433,8 +3433,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr return "Invalid protocol version"; return NULL; /* OK */ case CMD_INITIALIZE: @@ -74,7 +78,7 @@ index 4d31815..2ec5934 100644 return "Invalid protocol version range"; break; case CMD_PRINT_DEFAULTS: -@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -3452,7 +3453,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMax */ switch(cmd) { case CMD_SET_DEFAULTS: 
@@ -86,7 +90,7 @@ index 4d31815..2ec5934 100644 break; case CMD_SET_COPY: section->max_proto_version=new_service_options.max_proto_version; -@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr +@@ -3483,7 +3487,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr /* sslVersionMin */ switch(cmd) { case CMD_SET_DEFAULTS: @@ -99,10 +103,10 @@ index 4d31815..2ec5934 100644 case CMD_SET_COPY: section->min_proto_version=new_service_options.min_proto_version; diff --git a/src/prototypes.h b/src/prototypes.h -index 0ecd719..a126c9e 100644 +index a2b10aa..e76335e 100644 --- a/src/prototypes.h +++ b/src/prototypes.h -@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); +@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); ICON_IMAGE load_icon_file(const char *); #endif @@ -113,5 +117,5 @@ index 0ecd719..a126c9e 100644 /* end of prototypes.h */ -- -2.39.2 +2.43.0 diff --git a/stunnel-5.72.tar.gz.asc b/stunnel-5.72.tar.gz.asc new file mode 100644 index 0000000..fa75e5a --- /dev/null +++ b/stunnel-5.72.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmXAl5kACgkQLvx/8NQW +4BSnAxAAxC0u/yksf+byWhqkl1txYaZ7tKv6sg8QramWhyCpnlEtBgxCP3I3baae +PQm5HkVgOHNSFNhzrIApEeaXJle4rgH7T+uRkl5mThWYMf47h55Ll70BBg3Mpsjz +iwubuWllA4cyEbd2yWYl1MTzcSxY8F05otQdg+vwIxrHNF26k+pvnYUfBJiw6/7V +1exig3ZF03umSGM/8JTRdkJw4oKxgWR0nvAY6s6C28Hs6ok+700r40pDinmQgYyC +Sb1DC2/SAjFhs8vlxUBtgWCLTQk/uGKWXUjPoG2KqQyhKMfY3ntZT3D9iOWpvC/p +vvZbd3k27a8/D4CyBiBSh+L/bZtOgdZrDPCDxbf2EG1zC8mBjA8A8NIzMVL0D3UL +FHKpPBpw5RMy7Zbrwn59ggVoTSJS8Bcr1khmUjpyTpCnbTOSdsIhFDG5EtPOkJoT +k/6qXMxFAUL8EX3PlPjMSSs8aPWB7BqSEowRYbMGxG7Iqr+z56LiTdGjra+JY6Pv +FrLHHqGB9Hh3YIYbbf5O61DkXNeDVEZlqd03CI5Q9v5r9OKnIdzg4NM3XJ2hBUf4 +PuYKWMhg2gZTwTuQtEV7Py+52sbqdiKCiWyQy3P8vRV/RwKuu/+2vPsxUIxULFEV +0FSBp+BPuM/FPiYwqNam/C67qHZ03jndiOgsTRapsJnAFKT/nXQ= +=vtS5 +-----END PGP SIGNATURE----- 
diff --git a/SOURCES/stunnel-pop3s-client.conf b/stunnel-pop3s-client.conf similarity index 100% rename from SOURCES/stunnel-pop3s-client.conf rename to stunnel-pop3s-client.conf diff --git a/SOURCES/stunnel-sfinger.conf b/stunnel-sfinger.conf similarity index 100% rename from SOURCES/stunnel-sfinger.conf rename to stunnel-sfinger.conf diff --git a/SPECS/stunnel.spec b/stunnel.spec similarity index 78% rename from SPECS/stunnel.spec rename to stunnel.spec index b698e34..229807b 100644 --- a/SPECS/stunnel.spec +++ b/stunnel.spec @@ -1,3 +1,13 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 5; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + # Do not generate provides for private libraries %global __provides_exclude_from ^%{_libdir}/stunnel/.*$ @@ -7,12 +17,17 @@ %bcond_without libwrap %endif +%if 0%{?rhel} >= 10 +%bcond openssl_engine 0 +%else +%bcond openssl_engine 1 +%endif + Summary: A TLS-encrypting socket wrapper Name: stunnel -Version: 5.71 -Release: 2%{?dist} -License: GPLv2 -Group: Applications/Internet +Version: 5.72 +Release: %autorelease +License: GPL-2.0-or-later WITH stunnel-exception AND MIT URL: https://www.stunnel.org/ Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc 
@@ -26,18 +41,33 @@ Source7: stunnel@.service # Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because # the remote one makes packit source-git choke. Source99: pgp.asc -Patch0: stunnel-5.50-authpriv.patch -Patch1: stunnel-5.61-systemd-service.patch -Patch3: stunnel-5.69-system-ciphers.patch -Patch5: stunnel-5.69-default-tls-version.patch -Patch6: stunnel-5.56-curves-doc-update.patch -Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch -Patch8: stunnel-5.72-speed-up-loading-client-CA-list.patch +# Apply patch stunnel-5.50-authpriv.patch +Patch0: stunnel-5.50-authpriv.patch +# Apply patch stunnel-5.61-systemd-service.patch +Patch1: stunnel-5.61-systemd-service.patch +# Use cipher configuration from crypto-policies +# +# On Fedora, CentOS and RHEL, the system's crypto policies are the best +# source to determine which cipher suites to accept in TLS. On these +# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those +# policies. Change stunnel to default to this setting. +Patch3: stunnel-5.69-system-ciphers.patch +# Use TLS version f/crypto-policies unless specified +# +# Do not explicitly set the TLS version and rely on the defaults from +# crypto-policies unless a TLS minimum or maximum version are explicitly +# specified in the stunnel configuration. +Patch5: stunnel-5.72-default-tls-version.patch +# Apply patch stunnel-5.56-curves-doc-update.patch +Patch6: stunnel-5.56-curves-doc-update.patch # util-linux is needed for rename BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 BuildRequires: openssl-devel, pkgconfig, util-linux +%if %{with openssl_engine} && 0%{?fedora} >= 41 +BuildRequires: openssl-devel-engine +%endif BuildRequires: autoconf automake libtool %if %{with libwrap} Buildrequires: tcp_wrappers-devel 
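Review bot: Patch7 (stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch) and Patch8 (stunnel-5.72-speed-up-loading-client-CA-list.patch) are dropped from the Patch list here and from %prep in the `@@ -58,14 +88,7 @@` hunk, but neither the commit message, the new %changelog nor a spec comment says why, and the old changelog entries that recorded them (RHEL-2340, RHEL-46411, RHEL-50154) are deleted in the same commit. Going by the deleted patch files, this removes the `NO_TLSv1.1`/`NO_TLSv1.2`/`NO_TLSv1.3` spellings accepted by the options directive and returns to loading, sorting and printing the full trusted CA list even in client mode, where a CAfile in BEGIN TRUSTED CERTIFICATE format is not accepted by SSL_add_file_cert_subjects_to_stack(3) and init_ca() then fails; the same patch also turned a failed SSL_CTX_load_verify_locations() into a hard error (`return 1; /* FAILED */`), which upstream 5.72 may or may not do on its own. If the drop is deliberate, a comment above Patch0 such as `# Not carried over from the previous branch: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch (RHEL-2340) and stunnel-5.72-speed-up-loading-client-CA-list.patch (RHEL-46411, RHEL-50154): <reason>` records the decision; if it is not, both files should be re-added to the Patch list so %autosetup applies them.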
@@ -46,7 +76,7 @@ BuildRequires: /usr/bin/pod2man BuildRequires: /usr/bin/pod2html # build test requirements BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps -BuildRequires: python3.11 python3.11-cryptography openssl +BuildRequires: python3 python3-cryptography openssl BuildRequires: systemd systemd-devel %{?systemd_requires} @@ -58,14 +88,7 @@ conjunction with imapd to create a TLS secure IMAP server. %prep %{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q -%patch0 -p1 -b .authpriv -%patch1 -p1 -b .systemd-service -%patch3 -p1 -b .system-ciphers -%patch5 -p1 -b .default-tls-version -%patch6 -p1 -b .curves-doc-update -%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility -%patch8 -p1 -b .speed-up-loading-client-CA-list +%autosetup -S gendiff -p1 # Fix the stack protector flag sed -i 's/-fstack-protector/-fstack-protector-strong/' configure @@ -77,6 +100,11 @@ if pkg-config openssl ; then CFLAGS="$CFLAGS `pkg-config --cflags openssl`"; LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS fi + +CPPFLAGS_NO_ENGINE="" +%if !%{with openssl_engine} + CPPFLAGS_NO_ENGINE="-DOPENSSL_NO_ENGINE" +%endif %configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \ %if %{with libwrap} --enable-libwrap \ @@ -84,7 +112,7 @@ fi --disable-libwrap \ %endif --with-bashcompdir=%{_datadir}/bash-completion/completions \ - CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" + CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"' $CPPFLAGS_NO_ENGINE" make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" %install 
@@ -144,52 +172,140 @@ fi %systemd_postun_with_restart %{name}.service %changelog -* Wed Aug 07 2024 Clemens Lang - 5.71-2 -- Speed up loading client CA list from CAfile - Resolves: RHEL-46411 -- Do not load all CAs in client mode to allow continued use of BEGIN TRUSTED CERTIFICATE format - Resolves: RHEL-50154 +## START: Generated by rpmautospec +* Tue Jul 02 2024 Clemens Lang - 5.72-5 +- Fix build on Fedora rawhide -* Thu Oct 19 2023 Clemens Lang - 5.71-2 -- Restore support for the NO_TLSv1.[123] values for the option directive - Resolves: RHEL-2340 +* Tue Jul 02 2024 Clemens Lang - 5.72-4 +- Fix building without OpenSSL ENGINEs -* Thu Oct 05 2023 Clemens Lang - 5.71-1 +* Mon Jul 01 2024 Clemens Lang - 5.72-3 +- Do not build OpenSSL ENGINE support on RHEL >= 10 + +* Mon Jun 24 2024 Troy Dawson - 5.72-2 +- Bump release for June 2024 mass rebuild + +* Mon Feb 05 2024 Clemens Lang - 5.72-1 +- New upstream release 5.72 + Resolves: rhbz#2262756 + +* Thu Oct 5 2023 Clemens Lang - 5.71-1 - New upstream release 5.71 - Resolves: RHEL-2340 -- Enable socket activation support + Resolves: rhbz#2239740 + +* Wed Aug 30 2023 Clemens Lang - 5.70-3 +- migrated to SPDX license + +* Sat Jul 22 2023 Fedora Release Engineering - 5.70-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jul 13 2023 Clemens Lang - 5.70-1 +- New upstream release 5.70 + Resolves: rhbz#2222467 + +* Fri May 12 2023 Paul Wouters - 5.69-1 +- New upstream release 5.69 + Resolves: rhbz#2139207 + +* Sat Jan 21 2023 Fedora Release Engineering - 5.66-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Sep 12 2022 Clemens Lang - 5.66-1 +- New upstream release 5.66 + Resolves: rhbz#2125932 + +* Sat Jul 23 2022 Todd Zullinger - 5.62-5 - verify upstream source in %%prep - clean up stale conditionals -* Tue Feb 23 2021 Sahana Prasad - 5.56-5 -- Fixes CVE-2021-20230 stunnel: client certificate not - correctly verified when redirect and verifyChain options are used. 
+* Sat Jul 23 2022 Fedora Release Engineering - 5.62-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Thu Apr 16 2020 Sahana Prasad - 5.56-4 +* Fri Feb 04 2022 Clemens Lang - 5.62-3 +- Fix stunnel in FIPS mode (with upcoming OpenSSL changes) + Related: rhbz#2050617 +- Fail build if tests fail + Related: rhbz#2051083 + +* Sat Jan 22 2022 Fedora Release Engineering - 5.62-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Jan 18 2022 Clemens Lang - 5.62-1 +- New upstream release 5.62 + +* Mon Jan 10 2022 Clemens Lang - 5.61-1 +- New upstream release 5.61 + +* Tue Sep 14 2021 Sahana Prasad - 5.58-4 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 5.58-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 5.58-2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Mon Feb 22 2021 Sahana Prasad - 5.58-1 +- New upstream release 5.58 + +* Wed Feb 10 2021 Sahana Prasad - 5.57-1 +- New upstream release 5.57 +- Fixes #1925229 - client certificate not correctly verified + when redirect and verifyChain options are used + +* Wed Jan 27 2021 Fedora Release Engineering - 5.56-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sat Aug 01 2020 Fedora Release Engineering - 5.56-9 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 5.56-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Apr 16 2020 Sahana Prasad - 5.56-7 - Updates documentation to specify that the option "curves" can be used in server mode only. 
-* Wed Apr 08 2020 Sahana Prasad - 5.56-3 +* Wed Apr 08 2020 Sahana Prasad - 5.56-6 - Fixes default tls version patch to handle default values from OpenSSL crypto policies -* Mon Apr 06 2020 Sahana Prasad - 5.56-2 +* Mon Apr 06 2020 Sahana Prasad - 5.56-5 +- Removes warnings caused by the patch + +* Mon Apr 06 2020 Sahana Prasad - 5.56-4 - Adds default tls version patch to comply with OpenSSL crypto policies -* Fri Apr 03 2020 Sahana Prasad - 5.56-1 +* Tue Mar 31 2020 Sahana Prasad - 5.56-3 +- Adds coverity patch + +* Fri Jan 31 2020 Fedora Release Engineering - 5.56-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jan 08 2020 Sahana Prasad - 5.56-1 - New upstream release 5.56 -* Tue Sep 4 2018 Tomáš Mráz - 5.48-5 -- Fix -fstack-protector-strong build flag application -- Fix bugs from Coverity scan +* Thu Sep 19 2019 Sahana Prasad - 5.55-1 +- New upstream release 5.55 -* Fri Aug 3 2018 Tomáš Mráz - 5.48-3 -- Override system crypto policy for build tests +* Sat Jul 27 2019 Fedora Release Engineering - 5.50-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild -* Tue Jul 31 2018 Tomáš Mráz - 5.48-2 -- Drop 042_inetd test which fails in the build environment +* Sun Feb 03 2019 Fedora Release Engineering - 5.50-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Tomáš Mráz - 5.50-1 +- New upstream release 5.50 * Tue Jul 24 2018 Tomáš Mráz - 5.48-1 - New upstream release 5.48 +* Sat Jul 14 2018 Fedora Release Engineering - 5.46-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Thu May 31 2018 Tomáš Mráz - 5.46-1 - New upstream release 5.46 @@ -742,3 +858,5 @@ fi * Sat Nov 28 1998 Damien Miller - Initial RPMification + +## END: Generated by rpmautospec diff --git a/SOURCES/stunnel@.service b/stunnel@.service similarity index 100% rename from SOURCES/stunnel@.service rename to stunnel@.service