Commit Graph

15 Commits

Author SHA1 Message Date
Clemens Lang
a154e02ce9 Speed up loading client CA list
Do not attempt to load and print all trusted CAs unless we need them to
invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
slow, especially if there are many. The CAdir format allows OpenSSL to
only load them on demand, avoiding this overhead.

Additionally, SSL_CTX_load_verify_locations(3) supports file formats
that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
do not support, for example certificates in the BEGIN TRUSTED
CERTIFICATE format. Valid configurations with older stunnel versions
that point to such a file would otherwise needlessly start failing.

Additionally, use SSL_load_client_CA_file(3) to load certificates from
a file rather than SSL_add_file_cert_subjects_to_stack(3), since the
former uses a hashtable for deduplication, but the latter relies on
a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in
OpenSSL, because the comparison function for X509_NAMEs converts them to
DER involving a memory allocation, which is already expensive, but even
more expensive when used with stunnel's custom allocator functions.

An upstream PR openssl/openssl#25056 will eventually fix this, but it
will take quite a while for this to arrive on users' systems, and it
will likely not be backported into older affected versions of OpenSSL or
their forks.

Resolves: RHEL-52321
Resolves: RHEL-52317
Signed-off-by: Clemens Lang <cllang@redhat.com>
2024-08-01 14:36:43 +02:00
Clemens Lang
6c91664a3d New upstream release 5.71
Drop patches that are no longer needed, sync patches from Fedora.
Backport spec file improvements from Fedora.

Resolves: RHEL-2468
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-10-05 13:55:13 +02:00
Clemens Lang
6e12981e3c Fix encrypted keys and pw prompt retry w/OpenSSL 3
Stunnel has a ui_retry() function that inspects the topmost entry on the
OpenSSL error stack to decide whether it should re-try a certain
operation.

With OpenSSL 3, many of these error codes changed. For example, when
using an encrypted private key, stunnel will prompt for the password on
startup, but will not repeat the prompt with OpenSSL 3 when the password
is entered incorrectly, because the error code returned for this case
changed.

This problem becomes worse with OpenSSL 3.0.7 in RHEL 9.2: because of
the same root cause, stunnel no longer prompts for the password at all.

Fix this by backporting changes in the ui_retry() function from 5.66.

Resolves: rhbz#2151888
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-12-08 14:24:25 +01:00
Clemens Lang
c97482468c Fail build if tests fail
The || section after make test replaced the return value of the entire
statement with 0. This hides errors in test execution.

Resolves: rhbz#2051083
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-07 11:53:57 +01:00
Clemens Lang
ecdba103e6 Fix stunnel in FIPS mode
Resolves: rhbz#2050617
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-04 15:46:55 +01:00
Clemens Lang
a7cc901333 New upstream release 5.62
Update the default TLS version patch to no longer include a large amount
of whitespace in its "Using the default TLS version as specified in its
OpenSSL crypto policies. Not setting explicitly." message. The
whitespace was caused by a line continuation, which is now replaced by
string literal concatenation.

Patch one of the FIPS tests to address changed error behavior when
a cipher suite is not available in OpenSSL 3.

Switch the package URL to https. Upstream has done the same in the spec
file in the tarball.

Add build dependencies for python3 and the openssl command line tool.
Both are used in tests now.

Drop a sed expression applied to the configure script that no longer
does anything and remove environment variables from testing that are no
longer required to make the tests pass.

Resolves: rhbz#2039299
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-01-18 12:16:49 +01:00
Mohan Boddu
8e36d91cb1 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-10 00:59:25 +00:00
Dmitry Belyavskiy
6f7d71c02c Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
Resolves: rhbz#1976854
2021-08-03 14:19:09 +00:00
Dmitry Belyavskiy
befa250b4d Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
Resolves: rhbz#1976854
2021-07-28 14:48:06 +02:00
Mohan Boddu
74e2723cf4 Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-16 03:39:22 +00:00
Mohan Boddu
c7930c45c5 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-16 05:46:28 +00:00
DistroBaker
774321a4a6 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/stunnel.git#c067aa65bf5100074bcf22339e80b36bb1bb5933
2021-02-22 09:45:17 +00:00
DistroBaker
eb40a112d0 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/stunnel.git#ced24bae40632c738935474fbf5fab0e23dedaa7
2021-02-11 17:09:19 +00:00
DistroBaker
1c036d5114 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/stunnel.git#5708e2f381957b311ef6f6ad7dcd1b0c0f2ddc94
2021-02-04 21:02:53 +00:00
Troy Dawson
f5cf6420c2 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/stunnel#f9ca4da8a2d51f8ede0dc3bd12b1df466ad9786a
2020-10-15 10:04:32 -07:00