import RHEL 10 Beta stunnel-5.72-5.el10

.gitignore

@@ -1 +1 @@
-SOURCES/stunnel-5.71.tar.gz
+stunnel-5.72.tar.gz

.stunnel.metadata

@@ -1 +0,0 @@
-dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz

SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch

@@ -1,37 +0,0 @@
-From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Thu, 19 Oct 2023 14:41:54 +0200
-Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
-
-On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
-NO_TLSv1.3 values for the options directive. Since we do not break
-compatibility, preserve these options for customers that have them set.
-
-Related: RHEL-2340
----
- src/options.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/options.c b/src/options.c
-index a306c4c..c05692c 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
- #endif
- #ifdef SSL_OP_NO_TLSv1_1
-     {"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
-+    {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
- #endif
- #ifdef SSL_OP_NO_TLSv1_2
-     {"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
-+    {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
- #endif
- #ifdef SSL_OP_NO_TLSv1_3
-     {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
-+    {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
- #endif
- #ifdef SSL_OP_PKCS1_CHECK_1
-     {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
--- 
-2.41.0
-

SOURCES/stunnel-5.71.tar.gz.asc

@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
-QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
-4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A
-NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+
-qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4
-37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL
-Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9
-SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr
-iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr
-tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx
-bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy
-6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn
-l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU=
-=6RnW
------END PGP SIGNATURE-----

SOURCES/stunnel-5.72-speed-up-loading-client-CA-list.patch

@@ -1,107 +0,0 @@
-From 5f0b818f62720d5bd8b8c9c631604ddb4c992be7 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Wed, 31 Jul 2024 15:35:24 +0200
-Subject: [PATCH] src/verify.c: Speed up loading client CA list
-
-Do not attempt to load and print all trusted CAs unless we need them to
-invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
-slow, especially if there are many. The CAdir format allows OpenSSL to
-only load them on demand, avoiding this overhead.
-
-Additionally, SSL_CTX_load_verify_locations(3) supports file formats
-that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
-do not support, for example certificates in the BEGIN TRUSTED
-CERTIFICATE format. Valid configurations with older stunnel versions
-that point to such a file would otherwise needlessly start failing.
-
-Additionally, use SSL_load_client_CA_file(3) to load certificates from
-a file rather than SSL_add_file_cert_subjects_to_stack(3), since the
-former uses a hashtable for deduplication, but the latter relies on
-a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in
-OpenSSL, because the comparison function for X509_NAMEs converts them to
-DER involving a memory allocation, which is already expensive, but even
-more expensive when used with stunnel's custom allocator functions.
-
-An upstream PR openssl/openssl#25056 will eventually fix this, but it
-will take quite a while for this to arrive on users' systems, and it
-will likely not be backported into older affected versions of OpenSSL or
-their forks.
-
-Related: RHEL-50154
-Related: RHEL-46411
-Signed-off-by: Clemens Lang <cllang@redhat.com>
----
- src/verify.c | 42 ++++++++++++++++++++++++++++--------------
- 1 file changed, 28 insertions(+), 14 deletions(-)
-
-diff --git a/src/verify.c b/src/verify.c
-index 56ab130..d1d3849 100644
---- a/src/verify.c
-+++ b/src/verify.c
-@@ -95,10 +95,35 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) {
-         if(!SSL_CTX_load_verify_locations(section->ctx,
-                 section->ca_file, section->ca_dir)) {
-             sslerror("SSL_CTX_load_verify_locations");
-+            return 1; /* FAILED */
-         }
-     }
- 
--    ca_dn=sk_X509_NAME_new_null();
-+    /* Do not attempt to load and print all trusted CAs unless we need them to
-+       invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
-+       slow, especially if there are many. The CAdir format allows OpenSSL to
-+       only load them on demand.
-+       Additionally, SSL_CTX_load_verify_locations(3) supports file formats
-+       that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
-+       do not support, for example certificates in the BEGIN TRUSTED
-+       CERTIFICATE format. Valid configurations with older stunnel versions
-+       that point to such a file would otherwise needlessly start failing. */
-+    if(section->option.client)
-+        return 0; /* OK */
-+
-+    if(section->ca_file)
-+        /* SSL_load_client_CA_file is a lot faster than
-+           SSL_add_file_cert_subjects_to_stack(). Use it for ca_file if
-+           specified, then add the rest of the certificates to this stack. */
-+        ca_dn=SSL_load_client_CA_file(section->ca_file);
-+
-+    if (!ca_dn)
-+        /* ca_file not set, or SSL_load_client_CA_file(3) failed. */
-+        ca_dn=sk_X509_NAME_new_null();
-+
-+    /* client CA list initialization from directory */
-+    if(section->ca_dir)
-+        SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir);
- 
- #ifndef OPENSSL_NO_ENGINE
-     /* CA and client CA list initialization with the engine */
-@@ -115,24 +140,13 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) {
-     }
- #endif
- 
--    /* client CA list initialization with the file and/or directory */
--    if(section->ca_file)
--        SSL_add_file_cert_subjects_to_stack(ca_dn, section->ca_file);
--    if(section->ca_dir)
--        SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir);
--
-     if(!sk_X509_NAME_num(ca_dn)) {
-         sk_X509_NAME_pop_free(ca_dn, X509_NAME_free);
-         return 1; /* FAILED */
-     }
- 
--    if(section->option.client) {
--        print_CA_list("Configured trusted server CA", ca_dn);
--        sk_X509_NAME_pop_free(ca_dn, X509_NAME_free);
--    } else { /* only set the client CA list on the server */
--        print_CA_list("Configured trusted client CA", ca_dn);
--        SSL_CTX_set_client_CA_list(section->ctx, ca_dn);
--    }
-+    print_CA_list("Configured trusted client CA", ca_dn);
-+    SSL_CTX_set_client_CA_list(section->ctx, ca_dn);
- 
-     return 0; /* OK */
- }
--- 
-2.45.2
-

sources

@@ -0,0 +1 @@
+SHA512 (stunnel-5.72.tar.gz) = 2607bed1159412dc36ed0455ed158ab3141782f05ddaf3605076f1a0e371bc1ada1606cab65a6bc52d69a8c685345617578cb79d521330f2e1d12af3dcbd37ca

stunnel-5.72-default-tls-version.patch

@@ -1,9 +1,13 @@
-From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From c104c853a545b00992c7c3b3aa0d625016dc1577 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Mon, 12 Sep 2022 11:07:38 +0200
-Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+Subject: [PATCH 4/5] Use TLS version f/crypto-policies unless specified
 
-Patch-name: stunnel-5.69-default-tls-version.patch
+Do not explicitly set the TLS version and rely on the defaults from
+crypto-policies unless a TLS minimum or maximum version are explicitly
+specified in the stunnel configuration.
+
+Patch-name: stunnel-5.72-default-tls-version.patch
 Patch-id: 5
 From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
 ---
@@ -13,13 +17,13 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
  3 files changed, 36 insertions(+), 16 deletions(-)
 
 diff --git a/src/ctx.c b/src/ctx.c
-index 6a42a6b..cba24d9 100644
+index 8d0e9de..3418779 100644
 --- a/src/ctx.c
 +++ b/src/ctx.c
-@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
-     section->ctx=SSL_CTX_new(section->option.client ?
+ 
-         TLS_client_method() : TLS_server_method());
+     /* set supported protocol versions */
- #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+ #if OPENSSL_VERSION_NUMBER>=0x10100000L
 -    if(section->min_proto_version &&
 -            !SSL_CTX_set_min_proto_version(section->ctx,
 -            section->min_proto_version)) {
@@ -56,13 +60,13 @@ index 6a42a6b..cba24d9 100644
 +            return 1; /* FAILED */
 +        }
      }
- #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ #endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
-     if(section->option.client)
+ 
 diff --git a/src/options.c b/src/options.c
-index 4d31815..2ec5934 100644
+index 12b57fe..816c06e 100644
 --- a/src/options.c
 +++ b/src/options.c
-@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3433,8 +3433,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
              return "Invalid protocol version";
          return NULL; /* OK */
      case CMD_INITIALIZE:
@@ -74,7 +78,7 @@ index 4d31815..2ec5934 100644
              return "Invalid protocol version range";
          break;
      case CMD_PRINT_DEFAULTS:
-@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3452,7 +3453,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
      /* sslVersionMax */
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -86,7 +90,7 @@ index 4d31815..2ec5934 100644
          break;
      case CMD_SET_COPY:
          section->max_proto_version=new_service_options.max_proto_version;
-@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+@@ -3483,7 +3487,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
      /* sslVersionMin */
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -99,10 +103,10 @@ index 4d31815..2ec5934 100644
      case CMD_SET_COPY:
          section->min_proto_version=new_service_options.min_proto_version;
 diff --git a/src/prototypes.h b/src/prototypes.h
-index 0ecd719..a126c9e 100644
+index a2b10aa..e76335e 100644
 --- a/src/prototypes.h
 +++ b/src/prototypes.h
-@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
  ICON_IMAGE load_icon_file(const char *);
  #endif
  
@@ -113,5 +117,5 @@ index 0ecd719..a126c9e 100644
  
  /* end of prototypes.h */
 -- 
-2.39.2
+2.43.0
 

stunnel-5.72.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmXAl5kACgkQLvx/8NQW
+4BSnAxAAxC0u/yksf+byWhqkl1txYaZ7tKv6sg8QramWhyCpnlEtBgxCP3I3baae
+PQm5HkVgOHNSFNhzrIApEeaXJle4rgH7T+uRkl5mThWYMf47h55Ll70BBg3Mpsjz
+iwubuWllA4cyEbd2yWYl1MTzcSxY8F05otQdg+vwIxrHNF26k+pvnYUfBJiw6/7V
+1exig3ZF03umSGM/8JTRdkJw4oKxgWR0nvAY6s6C28Hs6ok+700r40pDinmQgYyC
+Sb1DC2/SAjFhs8vlxUBtgWCLTQk/uGKWXUjPoG2KqQyhKMfY3ntZT3D9iOWpvC/p
+vvZbd3k27a8/D4CyBiBSh+L/bZtOgdZrDPCDxbf2EG1zC8mBjA8A8NIzMVL0D3UL
+FHKpPBpw5RMy7Zbrwn59ggVoTSJS8Bcr1khmUjpyTpCnbTOSdsIhFDG5EtPOkJoT
+k/6qXMxFAUL8EX3PlPjMSSs8aPWB7BqSEowRYbMGxG7Iqr+z56LiTdGjra+JY6Pv
+FrLHHqGB9Hh3YIYbbf5O61DkXNeDVEZlqd03CI5Q9v5r9OKnIdzg4NM3XJ2hBUf4
+PuYKWMhg2gZTwTuQtEV7Py+52sbqdiKCiWyQy3P8vRV/RwKuu/+2vPsxUIxULFEV
+0FSBp+BPuM/FPiYwqNam/C67qHZ03jndiOgsTRapsJnAFKT/nXQ=
+=vtS5
+-----END PGP SIGNATURE-----

stunnel.spec

@@ -1,3 +1,13 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 5;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 # Do not generate provides for private libraries
 %global __provides_exclude_from ^%{_libdir}/stunnel/.*$
 
@@ -7,12 +17,17 @@
 %bcond_without libwrap
 %endif
 
+%if 0%{?rhel} >= 10
+%bcond openssl_engine 0
+%else
+%bcond openssl_engine 1
+%endif
+
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.71
+Version: 5.72
-Release: 2%{?dist}
+Release: %autorelease
-License: GPLv2
+License: GPL-2.0-or-later WITH stunnel-exception AND MIT
-Group: Applications/Internet
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
 Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
@@ -26,18 +41,33 @@ Source7: stunnel@.service
 # Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
 # the remote one makes packit source-git choke.
 Source99: pgp.asc
-Patch0: stunnel-5.50-authpriv.patch
+# Apply patch stunnel-5.50-authpriv.patch
-Patch1: stunnel-5.61-systemd-service.patch
+Patch0:   stunnel-5.50-authpriv.patch
-Patch3: stunnel-5.69-system-ciphers.patch
+# Apply patch stunnel-5.61-systemd-service.patch
-Patch5: stunnel-5.69-default-tls-version.patch
+Patch1:   stunnel-5.61-systemd-service.patch
-Patch6: stunnel-5.56-curves-doc-update.patch
+# Use cipher configuration from crypto-policies
-Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
+# 
-Patch8: stunnel-5.72-speed-up-loading-client-CA-list.patch
+# On Fedora, CentOS and RHEL, the system's crypto policies are the best
+# source to determine which cipher suites to accept in TLS. On these
+# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
+# policies. Change stunnel to default to this setting.
+Patch3:   stunnel-5.69-system-ciphers.patch
+# Use TLS version f/crypto-policies unless specified
+# 
+# Do not explicitly set the TLS version and rely on the defaults from
+# crypto-policies unless a TLS minimum or maximum version are explicitly
+# specified in the stunnel configuration.
+Patch5:   stunnel-5.72-default-tls-version.patch
+# Apply patch stunnel-5.56-curves-doc-update.patch
+Patch6:   stunnel-5.56-curves-doc-update.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: gnupg2
 BuildRequires: openssl-devel, pkgconfig, util-linux
+%if %{with openssl_engine} && 0%{?fedora} >= 41
+BuildRequires: openssl-devel-engine
+%endif
 BuildRequires: autoconf automake libtool
 %if %{with libwrap}
 Buildrequires: tcp_wrappers-devel
@@ -46,7 +76,7 @@ BuildRequires: /usr/bin/pod2man
 BuildRequires: /usr/bin/pod2html
 # build test requirements
 BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
-BuildRequires: python3.11 python3.11-cryptography openssl
+BuildRequires: python3 python3-cryptography openssl
 BuildRequires: systemd systemd-devel
 %{?systemd_requires}
 
@@ -58,14 +88,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 
 %prep
 %{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%setup -q
+%autosetup -S gendiff -p1
-%patch0 -p1 -b .authpriv
-%patch1 -p1 -b .systemd-service
-%patch3 -p1 -b .system-ciphers
-%patch5 -p1 -b .default-tls-version
-%patch6 -p1 -b .curves-doc-update
-%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility
-%patch8 -p1 -b .speed-up-loading-client-CA-list
 
 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@@ -77,6 +100,11 @@ if pkg-config openssl ; then
 	CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
 	LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
 fi
+
+CPPFLAGS_NO_ENGINE=""
+%if !%{with openssl_engine}
+	CPPFLAGS_NO_ENGINE="-DOPENSSL_NO_ENGINE"
+%endif
 %configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
 %if %{with libwrap}
 --enable-libwrap \
@@ -84,7 +112,7 @@ fi
 --disable-libwrap \
 %endif
 	--with-bashcompdir=%{_datadir}/bash-completion/completions \
-	CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
+	CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"' $CPPFLAGS_NO_ENGINE"
 make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
 
 %install
@@ -144,52 +172,140 @@ fi
 %systemd_postun_with_restart %{name}.service
 
 %changelog
-* Wed Aug 07 2024 Clemens Lang <cllang@redhat.com> - 5.71-2
+## START: Generated by rpmautospec
-- Speed up loading client CA list from CAfile
+* Tue Jul 02 2024 Clemens Lang <cllang@redhat.com> - 5.72-5
-  Resolves: RHEL-46411
+- Fix build on Fedora rawhide
-- Do not load all CAs in client mode to allow continued use of BEGIN TRUSTED CERTIFICATE format
-  Resolves: RHEL-50154
 
-* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 5.71-2
+* Tue Jul 02 2024 Clemens Lang <cllang@redhat.com> - 5.72-4
-- Restore support for the NO_TLSv1.[123] values for the option directive
+- Fix building without OpenSSL ENGINEs
-  Resolves: RHEL-2340
 
-* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
+* Mon Jul 01 2024 Clemens Lang <cllang@redhat.com> - 5.72-3
+- Do not build OpenSSL ENGINE support on RHEL >= 10
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 5.72-2
+- Bump release for June 2024 mass rebuild
+
+* Mon Feb 05 2024 Clemens Lang <cllang@redhat.com> - 5.72-1
+- New upstream release 5.72
+  Resolves: rhbz#2262756
+
+* Thu Oct 5 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
 - New upstream release 5.71
-  Resolves: RHEL-2340
+  Resolves: rhbz#2239740
-- Enable socket activation support
+
+* Wed Aug 30 2023 Clemens Lang <cllang@redhat.com> - 5.70-3
+- migrated to SPDX license
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.70-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jul 13 2023 Clemens Lang <cllang@redhat.com> - 5.70-1
+- New upstream release 5.70
+  Resolves: rhbz#2222467
+
+* Fri May 12 2023 Paul Wouters <paul.wouters@aiven.io - 5.69-2
+- rebuilt with socket activation support
+
+* Mon Mar 06 2023 Clemens Lang <cllang@redhat.com> - 5.69-1
+- New upstream release 5.69
+  Resolves: rhbz#2139207
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.66-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Sep 12 2022 Clemens Lang <cllang@redhat.com> - 5.66-1
+- New upstream release 5.66
+  Resolves: rhbz#2125932
+
+* Sat Jul 23 2022 Todd Zullinger <tmz@pobox.com> - 5.62-5
 - verify upstream source in %%prep
 - clean up stale conditionals
 
-* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-4
-- Fixes CVE-2021-20230 stunnel: client certificate not
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-  correctly verified when redirect and verifyChain options are used.
 
-* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
+* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
+- Fix stunnel in FIPS mode (with upcoming OpenSSL changes)
+  Related: rhbz#2050617
+- Fail build if tests fail
+  Related: rhbz#2051083
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
+- New upstream release 5.62
+
+* Mon Jan 10 2022 Clemens Lang <cllang@redhat.com> - 5.61-1
+- New upstream release 5.61
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.58-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.58-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.58-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Mon Feb 22 2021 Sahana Prasad <sahana@redhat.com> - 5.58-1
+- New upstream release 5.58
+
+* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 5.57-1
+- New upstream release 5.57
+- Fixes #1925229 - client certificate not correctly verified
+  when redirect and verifyChain options are used
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-9
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-7
 - Updates documentation to specify that the option "curves" can be used in server mode only.
 
-* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
+* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-6
 - Fixes default tls version patch to handle default values from OpenSSL crypto policies
 
-* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2
+* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-5
+- Removes warnings caused by the patch
+
+* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
 - Adds default tls version patch to comply with OpenSSL crypto policies
 
-* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
+* Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
+- Adds coverity patch
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jan 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
 - New upstream release 5.56
 
-* Tue Sep  4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
+* Thu Sep 19 2019 Sahana Prasad <sahana@redhat.com> - 5.55-1
-- Fix -fstack-protector-strong build flag application
+- New upstream release 5.55
-- Fix bugs from Coverity scan
 
-* Fri Aug  3 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-3
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-3
-- Override system crypto policy for build tests
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-2
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-2
-- Drop 042_inetd test which fails in the build environment
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Tomáš Mráz <tmraz@redhat.com> - 5.50-1
+- New upstream release 5.50
 
 * Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1
 - New upstream release 5.48
 
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.46-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1
 - New upstream release 5.46
 
@@ -742,3 +858,5 @@ fi
 
 * Sat Nov 28 1998 Damien Miller <dmiller@ilogic.com.au>
 - Initial RPMification
+
+## END: Generated by rpmautospec