The OpenSSL engine headers were moved to a separate package on Fedora
41, so add the necessary dependency on the new subpackage if engine
support is enabled on Fedora >= 41.
(cherry picked from commit 9cc9c05fe514c0dd195aef4e7bb9d72dff13477a)
Resolves: RHEL-33749
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-source-git-commit: f8c86bc84c27e8e74722b390232c83e68b497ba5
The %bcond_without macro adds a command line option to build without
openssl engine, but the default is always the opposite of what the macro
name suggests, i.e., using %bcond_without enables engines by default.
This was not what I had intended, and I also messed up and used
%bcond_without in both branches of the if.
Switch to the newer %bcond <option> <default>, which does not suffer
from the potential confusion.
(cherry picked from commit afc85f9971952832fee2e8b8935fc0b5d8be8752)
Resolves: RHEL-33749
Signed-off-by: Clemens Lang <cllang@redhat.com>
From-source-git-commit: 497113266bda485407d0f22563043c5171569f11
OpenSSL ENGINEs are deprecated upstream, have subtle bugs, and (as all
deprecated functionality) are not supposed to be used in FIPS mode.
There is now a good alternative in pkcs11-provider, so remove support
for ENGINEs from stunnel.
Resolves: RHEL-33749
Signed-off-by: Clemens Lang <cllang@redhat.com>
* Features
- OCSP stapling is requested and verified in the client mode.
- Using "verifyChain" automatically enables OCSP stapling in the client
mode.
- OCSP stapling is always available in the server mode.
- An inconclusive OCSP verification breaks TLS negotiation. This can be
disabled with "OCSPrequire = no".
- Added the "TIMEOUTocsp" option to control the maximum time allowed
for connecting an OCSP responder.
- Added support for Red Hat OpenSSL 3.x patches.
Resolves: rhbz#2239740
Signed-off-by: Clemens Lang <cllang@redhat.com>
stunnel-exception is not yet in the license exception list v3.21
published at https://spdx.org/licenses/exceptions-index.html, but it has
been merged upstream in github.com/spdx/license-list-XML#2074 and will
appear in a future release.
Additionally switch to %autorelease and %autochangelog.
Signed-off-by: Clemens Lang <cllang@redhat.com>
* Bugfixes
- Fixed TLS socket EOF handling with OpenSSL 3.x.
This bug caused major interoperability issues between
stunnel built with OpenSSL 3.x and Microsoft's
Schannel Security Support Provider (SSP).
- Fixed reading certificate chains from PKCS#12 files.
* Features
- Added configurable delay for the "retry" option.
Resolves: rhbz#2222467
Signed-off-by: Clemens Lang <cllang@redhat.com>
Avoid manually listing the patches by switching to %autosetup. Keep the
backup files by using the 'gendiff' version control system option of
%autosetup available in rpm >= 4.14.
All but two of the `%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7`
conditionals were removed in 76c7fad (Fix systemd
executions/requirements, 2018-01-25). Remove the others.
Remove Fedora version from `%if 0%{?fedora} > 27 || 0%{?rhel} > 7`.
Fedora 27 has been EOL since 2018-11-30.
The || section after make test replaced the return value of the entire
statement with 0. This hides error in test execution.
Related: rhbz#2051083
Signed-off-by: Clemens Lang <cllang@redhat.com>
Fixes#1887204.
Update the default TLS version patch to no longer include a large amount
of whitespace in its "Using the default TLS version as specified in its
OpenSSL crypto policies. Not setting explicitly." message. The
whitespace was caused by a line continuation, which is now replaced by
string literal concatenation.
Patch the FIPS tests to be skipped when stunnel is compiled against an
OpenSSL 3.x configured with enable-fips, but without the required
configuration that would be installed by a system administrator using
openssl fipsinstall. This matches the behavior when compiled against
OpenSSL 3.x configured without enable-fips.
Switch to package URL to https. Upstream has done the same in the spec
file in the tarball.
Add build dependencies for python3 and the openssl command line tool.
Both are used in tests now.
Drop a sed expression applied to the configure script that no longer
does anything and remove environment variables from testing that are no
longer required to make the tests pass.
- Fixes#1925229 - client certificate not correctly verified
when redirect and verifyChain options are used.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
With this patch, the stunnel defaults defined in sslVersionMin and sslVersionMax
cannot override the default versions defined in OpenSSL crypto policies.
