Do not attempt to load and print all trusted CAs unless we need them to
invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
slow, especially if there are many. The CAdir format allows OpenSSL to
only load them on demand, avoiding this overhead.

Additionally, SSL_CTX_load_verify_locations(3) supports file formats
that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
do not support, for example certificates in the BEGIN TRUSTED
CERTIFICATE format. Valid configurations with older stunnel versions
that point to such a file would otherwise needlessly start failing.

Additionally, use SSL_load_client_CA_file(3) to load certificates from
a file rather than SSL_add_file_cert_subjects_to_stack(3), since the
former uses a hash table for deduplication, but the latter relies on
a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in
OpenSSL, because the comparison function for X509_NAMEs converts them to
DER involving a memory allocation, which is already expensive, but even
more expensive when used with stunnel's custom allocator functions.
An upstream PR openssl/openssl#25056 will eventually fix this, but it
will take quite a while for this to arrive on users' systems, and it
will likely not be backported into older affected versions of OpenSSL or
their forks.

Resolves: RHEL-52321
Resolves: RHEL-52317
Signed-off-by: Clemens Lang <cllang@redhat.com>

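The two trust-store shapes contrasted in the commit message above, as an added example (not code from stunnel, its RHEL patches, or OpenSSL): a hashed CAdir, which OpenSSL consults one file at a time by subject hash, and a CAfile in the BEGIN TRUSTED CERTIFICATE form, which a CAfile lookup accepts but SSL_load_client_CA_file(3) cannot parse. It assumes the openssl command line tool from OpenSSL 1.1.0 or later (for `openssl rehash`, `-trustout`, `-no-CAfile` and `-no-CApath`); the CA and leaf certificates are throwaway ones generated inside the script.

```shell
#!/bin/sh
# Added example, not part of stunnel or its patches. Shows a CAdir built with
# `openssl rehash` (looked up on demand by subject hash) next to a CAfile in
# BEGIN TRUSTED CERTIFICATE form. Assumes openssl >= 1.1.0 on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a throwaway self-signed CA and one leaf signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -set_serial 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -out "$WORK/leaf.pem" >/dev/null 2>&1

# CAdir: one file (here a symlink) per CA named <subject-hash>.<n>. With a
# CApath, OpenSSL hashes the issuer name it needs and opens only that file,
# so a directory with many CAs costs nothing until one is actually used.
mkdir "$WORK/cadir"
cp "$WORK/ca.pem" "$WORK/cadir/"
openssl rehash "$WORK/cadir" >/dev/null 2>&1

# The same CA re-encoded as a TRUSTED CERTIFICATE (X509_AUX PEM). A stunnel
# CAfile pointing at such a file is a valid configuration.
openssl x509 -in "$WORK/ca.pem" -trustout -out "$WORK/ca-trusted.pem"

# Path of the CAdir entry that a lookup for this CA's subject resolves to.
cadir_entry_for_ca() {
    printf '%s/cadir/%s.0\n' "$WORK" \
        "$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)"
}

# First line of the trusted-format file, i.e. its PEM header.
trusted_file_header() {
    head -n 1 "$WORK/ca-trusted.pem"
}

# Verify the leaf using only the hashed directory (CAfile disabled).
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$WORK/cadir" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify the leaf using only the TRUSTED CERTIFICATE file (CApath disabled).
verify_with_trusted_cafile() {
    openssl verify -no-CApath -CAfile "$WORK/ca-trusted.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: show what each lookup finds.
echo "CAdir entry: $(cadir_entry_for_ca)"
echo "trusted file header: $(trusted_file_header)"
verify_with_capath && echo "verify via CApath: ok"
verify_with_trusted_cafile && echo "verify via TRUSTED CERTIFICATE CAfile: ok"
```

The hashed file name is what makes the on-demand lookup possible: OpenSSL never has to parse the other entries in the directory to find the issuer of a chain. The TRUSTED CERTIFICATE file, by contrast, is only readable through the X509_AUX PEM reader that the verify-locations path uses, which is the compatibility concern the commit message raises.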
Drop patches that are no longer needed, sync patches from Fedora.
Backport spec file improvements from Fedora.

Resolves: RHEL-2468
Signed-off-by: Clemens Lang <cllang@redhat.com>

Stunnel has a ui_retry() function that inspects the topmost entry on the
OpenSSL error stack to decide whether it should re-try a certain
operation.

With OpenSSL 3, many of these error codes changed. For example, when
using an encrypted private key, stunnel will prompt for the password on
startup, but will not repeat the prompt with OpenSSL 3 when the password
is entered incorrectly, because the error code returned for this case
changed.

This problem becomes worse with OpenSSL 3.0.7 in RHEL 9.2: because of
the same root cause, stunnel no longer prompts for the password at all.

Fix this by backporting changes in the ui_retry() function from 5.66.

Resolves: rhbz#2151888
Signed-off-by: Clemens Lang <cllang@redhat.com>

The || section after make test replaced the return value of the entire
statement with 0. This hides errors in test execution.

Resolves: rhbz#2051083
Signed-off-by: Clemens Lang <cllang@redhat.com>

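Why the `|| :` after make test masked failures, as an added example (not code from the stunnel spec file or the package): `status_of` runs a statement in a fresh shell and reports its exit status, and `(exit 3)` is a constructed stand-in for a `make test` run whose suite failed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the stunnel spec file. `status_of` runs the
# given statement in a fresh sh and prints its exit status; `(exit 3)`
# stands in for a failing `make test` (constructed, not the real suite).
status_of() {
    sh -c "$1" && echo 0 || echo "$?"
}

FAILED_SUITE='(exit 3)'

# Old spec shape: the `|| :` branch runs `:` (always 0), so the statement
# reports success and rpmbuild's %check never notices the failed suite.
old_check_statement() {
    status_of "$FAILED_SUITE || :"
}

# Fixed shape: the statement's status is the suite's, so a failed test
# aborts the build.
new_check_statement() {
    status_of "$FAILED_SUITE"
}

# If something must run after the suite regardless (log collection,
# cleanup), save the status explicitly and re-raise it instead of masking.
check_with_cleanup() {
    status_of "$FAILED_SUITE; rc=\$?; echo 'collecting logs' >/dev/null; exit \$rc"
}

echo "old: $(old_check_statement)  new: $(new_check_statement)  with cleanup: $(check_with_cleanup)"
```

The same masking happens with `|| true` and with a trailing command in a pipeline (`make test 2>&1 | tee log`), where the pipeline's status is that of `tee`; a spec file that needs the test result must either leave the command bare or carry `$?` through as in the last function.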
Update the default TLS version patch to no longer include a large amount
of whitespace in its "Using the default TLS version as specified in its
OpenSSL crypto policies. Not setting explicitly." message. The
whitespace was caused by a line continuation, which is now replaced by
string literal concatenation.

Patch one of the FIPS tests to address changed error behavior when
a cipher suite is not available in OpenSSL 3.

Switch the package URL to https. Upstream has done the same in the spec
file in the tarball.

Add build dependencies for python3 and the openssl command line tool.
Both are used in tests now.

Drop a sed expression applied to the configure script that no longer
does anything and remove environment variables from testing that are no
longer required to make the tests pass.

Resolves: rhbz#2039299
Signed-off-by: Clemens Lang <cllang@redhat.com>