Author | SHA1 | Date | |
---|---|---|---|
d9eb0fa3f8 |
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/stunnel-5.71.tar.gz
|
stunnel-5.72.tar.gz
|
||||||
|
@ -1 +0,0 @@
|
|||||||
dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz
|
|
@ -1,37 +0,0 @@
|
|||||||
From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Thu, 19 Oct 2023 14:41:54 +0200
|
|
||||||
Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
|
|
||||||
|
|
||||||
On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
|
|
||||||
NO_TLSv1.3 values for the options directive. Since we do not break
|
|
||||||
compatibility, preserve these options for customers that have them set.
|
|
||||||
|
|
||||||
Related: RHEL-2340
|
|
||||||
---
|
|
||||||
src/options.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
|
||||||
index a306c4c..c05692c 100644
|
|
||||||
--- a/src/options.c
|
|
||||||
+++ b/src/options.c
|
|
||||||
@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
|
|
||||||
#endif
|
|
||||||
#ifdef SSL_OP_NO_TLSv1_1
|
|
||||||
{"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
|
|
||||||
+ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
|
|
||||||
#endif
|
|
||||||
#ifdef SSL_OP_NO_TLSv1_2
|
|
||||||
{"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
|
|
||||||
+ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
|
|
||||||
#endif
|
|
||||||
#ifdef SSL_OP_NO_TLSv1_3
|
|
||||||
{"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
|
|
||||||
+ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
|
|
||||||
#endif
|
|
||||||
#ifdef SSL_OP_PKCS1_CHECK_1
|
|
||||||
{"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo
|
|
||||||
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
|
|
||||||
QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
|
|
||||||
4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A
|
|
||||||
NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+
|
|
||||||
qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4
|
|
||||||
37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL
|
|
||||||
Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9
|
|
||||||
SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr
|
|
||||||
iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr
|
|
||||||
tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx
|
|
||||||
bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy
|
|
||||||
6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn
|
|
||||||
l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU=
|
|
||||||
=6RnW
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,107 +0,0 @@
|
|||||||
From 5f0b818f62720d5bd8b8c9c631604ddb4c992be7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
|
||||||
Date: Wed, 31 Jul 2024 15:35:24 +0200
|
|
||||||
Subject: [PATCH] src/verify.c: Speed up loading client CA list
|
|
||||||
|
|
||||||
Do not attempt to load and print all trusted CAs unless we need them to
|
|
||||||
invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
|
|
||||||
slow, especially if there are many. The CAdir format allows OpenSSL to
|
|
||||||
only load them on demand, avoiding this overhead.
|
|
||||||
|
|
||||||
Additionally, SSL_CTX_load_verify_locations(3) supports file formats
|
|
||||||
that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
|
|
||||||
do not support, for example certificates in the BEGIN TRUSTED
|
|
||||||
CERTIFICATE format. Valid configurations with older stunnel versions
|
|
||||||
that point to such a file would otherwise needlessly start failing.
|
|
||||||
|
|
||||||
Additionally, use SSL_load_client_CA_file(3) to load certificates from
|
|
||||||
a file rather than SSL_add_file_cert_subjects_to_stack(3), since the
|
|
||||||
former uses a hashtable for deduplication, but the latter relies on
|
|
||||||
a sorted STACK_OF(X509_NAME). The sorting is exceptionally slow in
|
|
||||||
OpenSSL, because the comparison function for X509_NAMEs converts them to
|
|
||||||
DER involving a memory allocation, which is already expensive, but even
|
|
||||||
more expensive when used with stunnel's custom allocator functions.
|
|
||||||
|
|
||||||
An upstream PR openssl/openssl#25056 will eventually fix this, but it
|
|
||||||
will take quite a while for this to arrive on users' systems, and it
|
|
||||||
will likely not be backported into older affected versions of OpenSSL or
|
|
||||||
their forks.
|
|
||||||
|
|
||||||
Related: RHEL-50154
|
|
||||||
Related: RHEL-46411
|
|
||||||
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
|
||||||
---
|
|
||||||
src/verify.c | 42 ++++++++++++++++++++++++++++--------------
|
|
||||||
1 file changed, 28 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/verify.c b/src/verify.c
|
|
||||||
index 56ab130..d1d3849 100644
|
|
||||||
--- a/src/verify.c
|
|
||||||
+++ b/src/verify.c
|
|
||||||
@@ -95,10 +95,35 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) {
|
|
||||||
if(!SSL_CTX_load_verify_locations(section->ctx,
|
|
||||||
section->ca_file, section->ca_dir)) {
|
|
||||||
sslerror("SSL_CTX_load_verify_locations");
|
|
||||||
+ return 1; /* FAILED */
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ca_dn=sk_X509_NAME_new_null();
|
|
||||||
+ /* Do not attempt to load and print all trusted CAs unless we need them to
|
|
||||||
+ invoke SSL_CTX_set_client_CA_list(3). Loading all trusted CAs can be
|
|
||||||
+ slow, especially if there are many. The CAdir format allows OpenSSL to
|
|
||||||
+ only load them on demand.
|
|
||||||
+ Additionally, SSL_CTX_load_verify_locations(3) supports file formats
|
|
||||||
+ that SSL_load_client_CA_file(3) and SSL_add_*_cert_subjects_to_stack(3)
|
|
||||||
+ do not support, for example certificates in the BEGIN TRUSTED
|
|
||||||
+ CERTIFICATE format. Valid configurations with older stunnel versions
|
|
||||||
+ that point to such a file would otherwise needlessly start failing. */
|
|
||||||
+ if(section->option.client)
|
|
||||||
+ return 0; /* OK */
|
|
||||||
+
|
|
||||||
+ if(section->ca_file)
|
|
||||||
+ /* SSL_load_client_CA_file is a lot faster than
|
|
||||||
+ SSL_add_file_cert_subjects_to_stack(). Use it for ca_file if
|
|
||||||
+ specified, then add the rest of the certificates to this stack. */
|
|
||||||
+ ca_dn=SSL_load_client_CA_file(section->ca_file);
|
|
||||||
+
|
|
||||||
+ if (!ca_dn)
|
|
||||||
+ /* ca_file not set, or SSL_load_client_CA_file(3) failed. */
|
|
||||||
+ ca_dn=sk_X509_NAME_new_null();
|
|
||||||
+
|
|
||||||
+ /* client CA list initialization from directory */
|
|
||||||
+ if(section->ca_dir)
|
|
||||||
+ SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir);
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_ENGINE
|
|
||||||
/* CA and client CA list initialization with the engine */
|
|
||||||
@@ -115,24 +140,13 @@ NOEXPORT int init_ca(SERVICE_OPTIONS *section) {
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- /* client CA list initialization with the file and/or directory */
|
|
||||||
- if(section->ca_file)
|
|
||||||
- SSL_add_file_cert_subjects_to_stack(ca_dn, section->ca_file);
|
|
||||||
- if(section->ca_dir)
|
|
||||||
- SSL_add_dir_cert_subjects_to_stack(ca_dn, section->ca_dir);
|
|
||||||
-
|
|
||||||
if(!sk_X509_NAME_num(ca_dn)) {
|
|
||||||
sk_X509_NAME_pop_free(ca_dn, X509_NAME_free);
|
|
||||||
return 1; /* FAILED */
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(section->option.client) {
|
|
||||||
- print_CA_list("Configured trusted server CA", ca_dn);
|
|
||||||
- sk_X509_NAME_pop_free(ca_dn, X509_NAME_free);
|
|
||||||
- } else { /* only set the client CA list on the server */
|
|
||||||
- print_CA_list("Configured trusted client CA", ca_dn);
|
|
||||||
- SSL_CTX_set_client_CA_list(section->ctx, ca_dn);
|
|
||||||
- }
|
|
||||||
+ print_CA_list("Configured trusted client CA", ca_dn);
|
|
||||||
+ SSL_CTX_set_client_CA_list(section->ctx, ca_dn);
|
|
||||||
|
|
||||||
return 0; /* OK */
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
|||||||
|
SHA512 (stunnel-5.72.tar.gz) = 2607bed1159412dc36ed0455ed158ab3141782f05ddaf3605076f1a0e371bc1ada1606cab65a6bc52d69a8c685345617578cb79d521330f2e1d12af3dcbd37ca
|
@ -1,9 +1,13 @@
|
|||||||
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
|
From c104c853a545b00992c7c3b3aa0d625016dc1577 Mon Sep 17 00:00:00 2001
|
||||||
From: Clemens Lang <cllang@redhat.com>
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||||
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
|
Subject: [PATCH 4/5] Use TLS version f/crypto-policies unless specified
|
||||||
|
|
||||||
Patch-name: stunnel-5.69-default-tls-version.patch
|
Do not explicitly set the TLS version and rely on the defaults from
|
||||||
|
crypto-policies unless a TLS minimum or maximum version are explicitly
|
||||||
|
specified in the stunnel configuration.
|
||||||
|
|
||||||
|
Patch-name: stunnel-5.72-default-tls-version.patch
|
||||||
Patch-id: 5
|
Patch-id: 5
|
||||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||||
---
|
---
|
||||||
@ -13,13 +17,13 @@ From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
|||||||
3 files changed, 36 insertions(+), 16 deletions(-)
|
3 files changed, 36 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/ctx.c b/src/ctx.c
|
diff --git a/src/ctx.c b/src/ctx.c
|
||||||
index 6a42a6b..cba24d9 100644
|
index 8d0e9de..3418779 100644
|
||||||
--- a/src/ctx.c
|
--- a/src/ctx.c
|
||||||
+++ b/src/ctx.c
|
+++ b/src/ctx.c
|
||||||
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
||||||
section->ctx=SSL_CTX_new(section->option.client ?
|
|
||||||
TLS_client_method() : TLS_server_method());
|
/* set supported protocol versions */
|
||||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
#if OPENSSL_VERSION_NUMBER>=0x10100000L
|
||||||
- if(section->min_proto_version &&
|
- if(section->min_proto_version &&
|
||||||
- !SSL_CTX_set_min_proto_version(section->ctx,
|
- !SSL_CTX_set_min_proto_version(section->ctx,
|
||||||
- section->min_proto_version)) {
|
- section->min_proto_version)) {
|
||||||
@ -56,13 +60,13 @@ index 6a42a6b..cba24d9 100644
|
|||||||
+ return 1; /* FAILED */
|
+ return 1; /* FAILED */
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
#endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
|
||||||
if(section->option.client)
|
|
||||||
diff --git a/src/options.c b/src/options.c
|
diff --git a/src/options.c b/src/options.c
|
||||||
index 4d31815..2ec5934 100644
|
index 12b57fe..816c06e 100644
|
||||||
--- a/src/options.c
|
--- a/src/options.c
|
||||||
+++ b/src/options.c
|
+++ b/src/options.c
|
||||||
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -3433,8 +3433,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
return "Invalid protocol version";
|
return "Invalid protocol version";
|
||||||
return NULL; /* OK */
|
return NULL; /* OK */
|
||||||
case CMD_INITIALIZE:
|
case CMD_INITIALIZE:
|
||||||
@ -74,7 +78,7 @@ index 4d31815..2ec5934 100644
|
|||||||
return "Invalid protocol version range";
|
return "Invalid protocol version range";
|
||||||
break;
|
break;
|
||||||
case CMD_PRINT_DEFAULTS:
|
case CMD_PRINT_DEFAULTS:
|
||||||
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -3452,7 +3453,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
/* sslVersionMax */
|
/* sslVersionMax */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
@ -86,7 +90,7 @@ index 4d31815..2ec5934 100644
|
|||||||
break;
|
break;
|
||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->max_proto_version=new_service_options.max_proto_version;
|
section->max_proto_version=new_service_options.max_proto_version;
|
||||||
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
@@ -3483,7 +3487,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||||
/* sslVersionMin */
|
/* sslVersionMin */
|
||||||
switch(cmd) {
|
switch(cmd) {
|
||||||
case CMD_SET_DEFAULTS:
|
case CMD_SET_DEFAULTS:
|
||||||
@ -99,10 +103,10 @@ index 4d31815..2ec5934 100644
|
|||||||
case CMD_SET_COPY:
|
case CMD_SET_COPY:
|
||||||
section->min_proto_version=new_service_options.min_proto_version;
|
section->min_proto_version=new_service_options.min_proto_version;
|
||||||
diff --git a/src/prototypes.h b/src/prototypes.h
|
diff --git a/src/prototypes.h b/src/prototypes.h
|
||||||
index 0ecd719..a126c9e 100644
|
index a2b10aa..e76335e 100644
|
||||||
--- a/src/prototypes.h
|
--- a/src/prototypes.h
|
||||||
+++ b/src/prototypes.h
|
+++ b/src/prototypes.h
|
||||||
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||||
ICON_IMAGE load_icon_file(const char *);
|
ICON_IMAGE load_icon_file(const char *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -113,5 +117,5 @@ index 0ecd719..a126c9e 100644
|
|||||||
|
|
||||||
/* end of prototypes.h */
|
/* end of prototypes.h */
|
||||||
--
|
--
|
||||||
2.39.2
|
2.43.0
|
||||||
|
|
16
stunnel-5.72.tar.gz.asc
Normal file
16
stunnel-5.72.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmXAl5kACgkQLvx/8NQW
|
||||||
|
4BSnAxAAxC0u/yksf+byWhqkl1txYaZ7tKv6sg8QramWhyCpnlEtBgxCP3I3baae
|
||||||
|
PQm5HkVgOHNSFNhzrIApEeaXJle4rgH7T+uRkl5mThWYMf47h55Ll70BBg3Mpsjz
|
||||||
|
iwubuWllA4cyEbd2yWYl1MTzcSxY8F05otQdg+vwIxrHNF26k+pvnYUfBJiw6/7V
|
||||||
|
1exig3ZF03umSGM/8JTRdkJw4oKxgWR0nvAY6s6C28Hs6ok+700r40pDinmQgYyC
|
||||||
|
Sb1DC2/SAjFhs8vlxUBtgWCLTQk/uGKWXUjPoG2KqQyhKMfY3ntZT3D9iOWpvC/p
|
||||||
|
vvZbd3k27a8/D4CyBiBSh+L/bZtOgdZrDPCDxbf2EG1zC8mBjA8A8NIzMVL0D3UL
|
||||||
|
FHKpPBpw5RMy7Zbrwn59ggVoTSJS8Bcr1khmUjpyTpCnbTOSdsIhFDG5EtPOkJoT
|
||||||
|
k/6qXMxFAUL8EX3PlPjMSSs8aPWB7BqSEowRYbMGxG7Iqr+z56LiTdGjra+JY6Pv
|
||||||
|
FrLHHqGB9Hh3YIYbbf5O61DkXNeDVEZlqd03CI5Q9v5r9OKnIdzg4NM3XJ2hBUf4
|
||||||
|
PuYKWMhg2gZTwTuQtEV7Py+52sbqdiKCiWyQy3P8vRV/RwKuu/+2vPsxUIxULFEV
|
||||||
|
0FSBp+BPuM/FPiYwqNam/C67qHZ03jndiOgsTRapsJnAFKT/nXQ=
|
||||||
|
=vtS5
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,13 @@
|
|||||||
|
## START: Set by rpmautospec
|
||||||
|
## (rpmautospec version 0.6.5)
|
||||||
|
## RPMAUTOSPEC: autorelease, autochangelog
|
||||||
|
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
|
||||||
|
release_number = 5;
|
||||||
|
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
|
||||||
|
print(release_number + base_release_number - 1);
|
||||||
|
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
|
||||||
|
## END: Set by rpmautospec
|
||||||
|
|
||||||
# Do not generate provides for private libraries
|
# Do not generate provides for private libraries
|
||||||
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
|
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
|
||||||
|
|
||||||
@ -7,12 +17,17 @@
|
|||||||
%bcond_without libwrap
|
%bcond_without libwrap
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?rhel} >= 10
|
||||||
|
%bcond openssl_engine 0
|
||||||
|
%else
|
||||||
|
%bcond openssl_engine 1
|
||||||
|
%endif
|
||||||
|
|
||||||
Summary: A TLS-encrypting socket wrapper
|
Summary: A TLS-encrypting socket wrapper
|
||||||
Name: stunnel
|
Name: stunnel
|
||||||
Version: 5.71
|
Version: 5.72
|
||||||
Release: 2%{?dist}
|
Release: %autorelease
|
||||||
License: GPLv2
|
License: GPL-2.0-or-later WITH stunnel-exception AND MIT
|
||||||
Group: Applications/Internet
|
|
||||||
URL: https://www.stunnel.org/
|
URL: https://www.stunnel.org/
|
||||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||||
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
||||||
@ -26,18 +41,33 @@ Source7: stunnel@.service
|
|||||||
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
|
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
|
||||||
# the remote one makes packit source-git choke.
|
# the remote one makes packit source-git choke.
|
||||||
Source99: pgp.asc
|
Source99: pgp.asc
|
||||||
|
# Apply patch stunnel-5.50-authpriv.patch
|
||||||
Patch0: stunnel-5.50-authpriv.patch
|
Patch0: stunnel-5.50-authpriv.patch
|
||||||
|
# Apply patch stunnel-5.61-systemd-service.patch
|
||||||
Patch1: stunnel-5.61-systemd-service.patch
|
Patch1: stunnel-5.61-systemd-service.patch
|
||||||
|
# Use cipher configuration from crypto-policies
|
||||||
|
#
|
||||||
|
# On Fedora, CentOS and RHEL, the system's crypto policies are the best
|
||||||
|
# source to determine which cipher suites to accept in TLS. On these
|
||||||
|
# platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||||
|
# policies. Change stunnel to default to this setting.
|
||||||
Patch3: stunnel-5.69-system-ciphers.patch
|
Patch3: stunnel-5.69-system-ciphers.patch
|
||||||
Patch5: stunnel-5.69-default-tls-version.patch
|
# Use TLS version f/crypto-policies unless specified
|
||||||
|
#
|
||||||
|
# Do not explicitly set the TLS version and rely on the defaults from
|
||||||
|
# crypto-policies unless a TLS minimum or maximum version are explicitly
|
||||||
|
# specified in the stunnel configuration.
|
||||||
|
Patch5: stunnel-5.72-default-tls-version.patch
|
||||||
|
# Apply patch stunnel-5.56-curves-doc-update.patch
|
||||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||||
Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
|
|
||||||
Patch8: stunnel-5.72-speed-up-loading-client-CA-list.patch
|
|
||||||
# util-linux is needed for rename
|
# util-linux is needed for rename
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gnupg2
|
BuildRequires: gnupg2
|
||||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||||
|
%if %{with openssl_engine} && 0%{?fedora} >= 41
|
||||||
|
BuildRequires: openssl-devel-engine
|
||||||
|
%endif
|
||||||
BuildRequires: autoconf automake libtool
|
BuildRequires: autoconf automake libtool
|
||||||
%if %{with libwrap}
|
%if %{with libwrap}
|
||||||
Buildrequires: tcp_wrappers-devel
|
Buildrequires: tcp_wrappers-devel
|
||||||
@ -46,7 +76,7 @@ BuildRequires: /usr/bin/pod2man
|
|||||||
BuildRequires: /usr/bin/pod2html
|
BuildRequires: /usr/bin/pod2html
|
||||||
# build test requirements
|
# build test requirements
|
||||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||||
BuildRequires: python3.11 python3.11-cryptography openssl
|
BuildRequires: python3 python3-cryptography openssl
|
||||||
BuildRequires: systemd systemd-devel
|
BuildRequires: systemd systemd-devel
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
|
|
||||||
@ -58,14 +88,7 @@ conjunction with imapd to create a TLS secure IMAP server.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||||
%setup -q
|
%autosetup -S gendiff -p1
|
||||||
%patch0 -p1 -b .authpriv
|
|
||||||
%patch1 -p1 -b .systemd-service
|
|
||||||
%patch3 -p1 -b .system-ciphers
|
|
||||||
%patch5 -p1 -b .default-tls-version
|
|
||||||
%patch6 -p1 -b .curves-doc-update
|
|
||||||
%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility
|
|
||||||
%patch8 -p1 -b .speed-up-loading-client-CA-list
|
|
||||||
|
|
||||||
# Fix the stack protector flag
|
# Fix the stack protector flag
|
||||||
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||||
@ -77,6 +100,11 @@ if pkg-config openssl ; then
|
|||||||
CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
|
CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
|
||||||
LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
|
LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
CPPFLAGS_NO_ENGINE=""
|
||||||
|
%if !%{with openssl_engine}
|
||||||
|
CPPFLAGS_NO_ENGINE="-DOPENSSL_NO_ENGINE"
|
||||||
|
%endif
|
||||||
%configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
|
%configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
|
||||||
%if %{with libwrap}
|
%if %{with libwrap}
|
||||||
--enable-libwrap \
|
--enable-libwrap \
|
||||||
@ -84,7 +112,7 @@ fi
|
|||||||
--disable-libwrap \
|
--disable-libwrap \
|
||||||
%endif
|
%endif
|
||||||
--with-bashcompdir=%{_datadir}/bash-completion/completions \
|
--with-bashcompdir=%{_datadir}/bash-completion/completions \
|
||||||
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
|
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"' $CPPFLAGS_NO_ENGINE"
|
||||||
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
|
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -144,52 +172,140 @@ fi
|
|||||||
%systemd_postun_with_restart %{name}.service
|
%systemd_postun_with_restart %{name}.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Aug 07 2024 Clemens Lang <cllang@redhat.com> - 5.71-2
|
## START: Generated by rpmautospec
|
||||||
- Speed up loading client CA list from CAfile
|
* Tue Jul 02 2024 Clemens Lang <cllang@redhat.com> - 5.72-5
|
||||||
Resolves: RHEL-46411
|
- Fix build on Fedora rawhide
|
||||||
- Do not load all CAs in client mode to allow continued use of BEGIN TRUSTED CERTIFICATE format
|
|
||||||
Resolves: RHEL-50154
|
|
||||||
|
|
||||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 5.71-2
|
* Tue Jul 02 2024 Clemens Lang <cllang@redhat.com> - 5.72-4
|
||||||
- Restore support for the NO_TLSv1.[123] values for the option directive
|
- Fix building without OpenSSL ENGINEs
|
||||||
Resolves: RHEL-2340
|
|
||||||
|
|
||||||
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
|
* Mon Jul 01 2024 Clemens Lang <cllang@redhat.com> - 5.72-3
|
||||||
|
- Do not build OpenSSL ENGINE support on RHEL >= 10
|
||||||
|
|
||||||
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 5.72-2
|
||||||
|
- Bump release for June 2024 mass rebuild
|
||||||
|
|
||||||
|
* Mon Feb 05 2024 Clemens Lang <cllang@redhat.com> - 5.72-1
|
||||||
|
- New upstream release 5.72
|
||||||
|
Resolves: rhbz#2262756
|
||||||
|
|
||||||
|
* Thu Oct 5 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
|
||||||
- New upstream release 5.71
|
- New upstream release 5.71
|
||||||
Resolves: RHEL-2340
|
Resolves: rhbz#2239740
|
||||||
- Enable socket activation support
|
|
||||||
|
* Wed Aug 30 2023 Clemens Lang <cllang@redhat.com> - 5.70-3
|
||||||
|
- migrated to SPDX license
|
||||||
|
|
||||||
|
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.70-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 13 2023 Clemens Lang <cllang@redhat.com> - 5.70-1
|
||||||
|
- New upstream release 5.70
|
||||||
|
Resolves: rhbz#2222467
|
||||||
|
|
||||||
|
* Fri May 12 2023 Paul Wouters <paul.wouters@aiven.io - 5.69-2
|
||||||
|
- rebuilt with socket activation support
|
||||||
|
|
||||||
|
* Mon Mar 06 2023 Clemens Lang <cllang@redhat.com> - 5.69-1
|
||||||
|
- New upstream release 5.69
|
||||||
|
Resolves: rhbz#2139207
|
||||||
|
|
||||||
|
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.66-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Sep 12 2022 Clemens Lang <cllang@redhat.com> - 5.66-1
|
||||||
|
- New upstream release 5.66
|
||||||
|
Resolves: rhbz#2125932
|
||||||
|
|
||||||
|
* Sat Jul 23 2022 Todd Zullinger <tmz@pobox.com> - 5.62-5
|
||||||
- verify upstream source in %%prep
|
- verify upstream source in %%prep
|
||||||
- clean up stale conditionals
|
- clean up stale conditionals
|
||||||
|
|
||||||
* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
|
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-4
|
||||||
- Fixes CVE-2021-20230 stunnel: client certificate not
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||||
correctly verified when redirect and verifyChain options are used.
|
|
||||||
|
|
||||||
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
|
||||||
|
- Fix stunnel in FIPS mode (with upcoming OpenSSL changes)
|
||||||
|
Related: rhbz#2050617
|
||||||
|
- Fail build if tests fail
|
||||||
|
Related: rhbz#2051083
|
||||||
|
|
||||||
|
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.62-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
|
||||||
|
- New upstream release 5.62
|
||||||
|
|
||||||
|
* Mon Jan 10 2022 Clemens Lang <cllang@redhat.com> - 5.61-1
|
||||||
|
- New upstream release 5.61
|
||||||
|
|
||||||
|
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.58-4
|
||||||
|
- Rebuilt with OpenSSL 3.0.0
|
||||||
|
|
||||||
|
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.58-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.58-2
|
||||||
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
|
||||||
|
* Mon Feb 22 2021 Sahana Prasad <sahana@redhat.com> - 5.58-1
|
||||||
|
- New upstream release 5.58
|
||||||
|
|
||||||
|
* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 5.57-1
|
||||||
|
- New upstream release 5.57
|
||||||
|
- Fixes #1925229 - client certificate not correctly verified
|
||||||
|
when redirect and verifyChain options are used
|
||||||
|
|
||||||
|
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-10
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-9
|
||||||
|
- Second attempt - Rebuilt for
|
||||||
|
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-8
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-7
|
||||||
- Updates documentation to specify that the option "curves" can be used in server mode only.
|
- Updates documentation to specify that the option "curves" can be used in server mode only.
|
||||||
|
|
||||||
* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
|
* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-6
|
||||||
- Fixes default tls version patch to handle default values from OpenSSL crypto policies
|
- Fixes default tls version patch to handle default values from OpenSSL crypto policies
|
||||||
|
|
||||||
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2
|
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-5
|
||||||
|
- Removes warnings caused by the patch
|
||||||
|
|
||||||
|
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
||||||
- Adds default tls version patch to comply with OpenSSL crypto policies
|
- Adds default tls version patch to comply with OpenSSL crypto policies
|
||||||
|
|
||||||
* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
|
* Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
|
||||||
|
- Adds coverity patch
|
||||||
|
|
||||||
|
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
|
||||||
- New upstream release 5.56
|
- New upstream release 5.56
|
||||||
|
|
||||||
* Tue Sep 4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
|
* Thu Sep 19 2019 Sahana Prasad <sahana@redhat.com> - 5.55-1
|
||||||
- Fix -fstack-protector-strong build flag application
|
- New upstream release 5.55
|
||||||
- Fix bugs from Coverity scan
|
|
||||||
|
|
||||||
* Fri Aug 3 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-3
|
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-3
|
||||||
- Override system crypto policy for build tests
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-2
|
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-2
|
||||||
- Drop 042_inetd test which fails in the build environment
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 14 2019 Tomáš Mráz <tmraz@redhat.com> - 5.50-1
|
||||||
|
- New upstream release 5.50
|
||||||
|
|
||||||
* Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1
|
* Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1
|
||||||
- New upstream release 5.48
|
- New upstream release 5.48
|
||||||
|
|
||||||
|
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.46-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
* Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1
|
* Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1
|
||||||
- New upstream release 5.46
|
- New upstream release 5.46
|
||||||
|
|
||||||
@ -742,3 +858,5 @@ fi
|
|||||||
|
|
||||||
* Sat Nov 28 1998 Damien Miller <dmiller@ilogic.com.au>
|
* Sat Nov 28 1998 Damien Miller <dmiller@ilogic.com.au>
|
||||||
- Initial RPMification
|
- Initial RPMification
|
||||||
|
|
||||||
|
## END: Generated by rpmautospec
|
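Review bot: The new side drops `Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch` and `Patch8: stunnel-5.72-speed-up-loading-client-CA-list.patch` along with their `%patch7`/`%patch8` lines, yet none of the changelog entries on the new side records that change, so per the deleted patch descriptions on this page a configuration that uses the `NO_TLSv1.1`/`NO_TLSv1.2`/`NO_TLSv1.3` option aliases, or a CAfile in BEGIN TRUSTED CERTIFICATE format in client mode, would start behaving differently with no trace in the package history. If dropping them is intended (this looks like a sync with a branch that never carried them), a changelog line such as `- Drop patches 7 and 8 (NO_TLSv1.[123] option aliases, client CA list loading)` would make that visible; if not, re-adding the two `PatchN:` lines should suffice, since `%autosetup -S gendiff -p1` applies every listed patch without explicit `%patch` calls. Separately, the added changelog header `* Fri May 12 2023 Paul Wouters <paul.wouters@aiven.io - 5.69-2` is missing the closing `>` on the address and should read `<paul.wouters@aiven.io>`.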