* Features
- OCSP stapling is requested and verified in the client mode.
- Using "verifyChain" automatically enables OCSP stapling in the client
mode.
- OCSP stapling is always available in the server mode.
- An inconclusive OCSP verification breaks TLS negotiation. This can be
disabled with "OCSPrequire = no".
- Added the "TIMEOUTocsp" option to control the maximum time allowed
for connecting an OCSP responder.
- Added support for Red Hat OpenSSL 3.x patches.
Resolves: rhbz#2239740
Signed-off-by: Clemens Lang <cllang@redhat.com>
* Bugfixes
- Fixed TLS socket EOF handling with OpenSSL 3.x.
This bug caused major interoperability issues between
stunnel built with OpenSSL 3.x and Microsoft's
Schannel Security Support Provider (SSP).
- Fixed reading certificate chains from PKCS#12 files.
* Features
- Added configurable delay for the "retry" option.
Resolves: rhbz#2222467
Signed-off-by: Clemens Lang <cllang@redhat.com>
Fixes#1887204.
Update the default TLS version patch to no longer include a large amount
of whitespace in its "Using the default TLS version as specified in its
OpenSSL crypto policies. Not setting explicitly." message. The
whitespace was caused by a line continuation, which is now replaced by
string literal concatenation.
Patch the FIPS tests to be skipped when stunnel is compiled against an
OpenSSL 3.x configured with enable-fips, but without the required
configuration that would be installed by a system administrator using
openssl fipsinstall. This matches the behavior when compiled against
OpenSSL 3.x configured without enable-fips.
Switch to package URL to https. Upstream has done the same in the spec
file in the tarball.
Add build dependencies for python3 and the openssl command line tool.
Both are used in tests now.
Drop a sed expression applied to the configure script that no longer
does anything and remove environment variables from testing that are no
longer required to make the tests pass.
- Fixes#1925229 - client certificate not correctly verified
when redirect and verifyChain options are used.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
- Finally deleted the patch stunnel-5-sample.patch as upstream
has merged those changes.
- Fixes patches as per new code changes.
- Fixed systemd service file related changes.
- Fixed incorrect reporting of fips status in configure.ac
at compile time
- Fixed default OpenSSL directory issue by using with-ssl
- Updates local patches
- 1155977: Fixes man page issues
- Updated local patches
- The rhbz#530950 is tested and seems to work. STRLEN has
been no longer allocated statically since 4.36 version.
So it is possible that this bz might have got fixed
around 4.36 release.
- Fixes rpmlint errors
