Compare commits

..

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

2 changed files with 82 additions and 65 deletions

View File

@ -1,37 +0,0 @@
From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Thu, 19 Oct 2023 14:41:54 +0200
Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
NO_TLSv1.3 values for the options directive. Since we do not break
compatibility, preserve these options for customers that have them set.
Related: RHEL-2340
---
src/options.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/options.c b/src/options.c
index a306c4c..c05692c 100644
--- a/src/options.c
+++ b/src/options.c
@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
#endif
#ifdef SSL_OP_NO_TLSv1_1
{"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
+ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
#endif
#ifdef SSL_OP_NO_TLSv1_2
{"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
+ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
#endif
#ifdef SSL_OP_NO_TLSv1_3
{"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
+ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
#endif
#ifdef SSL_OP_PKCS1_CHECK_1
{"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
--
2.41.0

View File

@ -12,7 +12,6 @@ Name: stunnel
Version: 5.71 Version: 5.71
Release: 2%{?dist} Release: 2%{?dist}
License: GPLv2 License: GPLv2
Group: Applications/Internet
URL: https://www.stunnel.org/ URL: https://www.stunnel.org/
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
@ -31,8 +30,7 @@ Patch1: stunnel-5.61-systemd-service.patch
Patch3: stunnel-5.69-system-ciphers.patch Patch3: stunnel-5.69-system-ciphers.patch
Patch5: stunnel-5.69-default-tls-version.patch Patch5: stunnel-5.69-default-tls-version.patch
Patch6: stunnel-5.56-curves-doc-update.patch Patch6: stunnel-5.56-curves-doc-update.patch
Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch Patch7: stunnel-5.72-speed-up-loading-client-CA-list.patch
Patch8: stunnel-5.72-speed-up-loading-client-CA-list.patch
# util-linux is needed for rename # util-linux is needed for rename
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -46,7 +44,7 @@ BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/bin/pod2html BuildRequires: /usr/bin/pod2html
# build test requirements # build test requirements
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
BuildRequires: python3.11 python3.11-cryptography openssl BuildRequires: python3 python3-cryptography openssl
BuildRequires: systemd systemd-devel BuildRequires: systemd systemd-devel
%{?systemd_requires} %{?systemd_requires}
@ -64,8 +62,7 @@ conjunction with imapd to create a TLS secure IMAP server.
%patch3 -p1 -b .system-ciphers %patch3 -p1 -b .system-ciphers
%patch5 -p1 -b .default-tls-version %patch5 -p1 -b .default-tls-version
%patch6 -p1 -b .curves-doc-update %patch6 -p1 -b .curves-doc-update
%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility %patch7 -p1 -b .speed-up-loading-client-CA-list
%patch8 -p1 -b .speed-up-loading-client-CA-list
# Fix the stack protector flag # Fix the stack protector flag
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@ -144,52 +141,109 @@ fi
%systemd_postun_with_restart %{name}.service %systemd_postun_with_restart %{name}.service
%changelog %changelog
* Wed Aug 07 2024 Clemens Lang <cllang@redhat.com> - 5.71-2 * Thu Aug 01 2024 Clemens Lang <cllang@redhat.com> - 5.71-2
- Speed up loading client CA list from CAfile - Speed up loading client CA list from CAfile
Resolves: RHEL-46411 Resolves: RHEL-52321
- Do not load all CAs in client mode to allow continued use of BEGIN TRUSTED CERTIFICATE format - Do not load all CAs in client mode to allow continued use of BEGIN TRUSTED CERTIFICATE format
Resolves: RHEL-50154 Resolves: RHEL-52317
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 5.71-2
- Restore support for the NO_TLSv1.[123] values for the option directive
Resolves: RHEL-2340
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1 * Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
- New upstream release 5.71 - New upstream release 5.71
Resolves: RHEL-2340 Resolves: RHEL-2468
- Enable socket activation support - Enable socket activation support
- verify upstream source in %%prep - verify upstream source in %%prep
- clean up stale conditionals - clean up stale conditionals
* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5 * Thu Dec 08 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
- Fixes CVE-2021-20230 stunnel: client certificate not - Fix use of encrypted key files and password retry with OpenSSL 3
correctly verified when redirect and verifyChain options are used. Resolves: rhbz#2151888
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4 * Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-2
- Fix stunnel in FIPS mode
Resolves: rhbz#2050617
- Fail build if tests fail
Resolves: rhbz#2051083
* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
- New upstream release 5.62
Resolves: rhbz#2039299
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Aug 03 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 5.58-5
- Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
- Resolves: rhbz#1976854
* Wed Jul 28 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 5.58-4
- Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
- Resolves: rhbz#1976854
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Feb 22 2021 Sahana Prasad <sahana@redhat.com> - 5.58-1
- New upstream release 5.58
* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 5.57-1
- New upstream release 5.57
- Fixes #1925229 - client certificate not correctly verified
when redirect and verifyChain options are used
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-9
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-7
- Updates documentation to specify that the option "curves" can be used in server mode only. - Updates documentation to specify that the option "curves" can be used in server mode only.
* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3 * Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-6
- Fixes default tls version patch to handle default values from OpenSSL crypto policies - Fixes default tls version patch to handle default values from OpenSSL crypto policies
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2 * Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-5
- Removes warnings caused by the patch
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
- Adds default tls version patch to comply with OpenSSL crypto policies - Adds default tls version patch to comply with OpenSSL crypto policies
* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1 * Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
- Adds coverity patch
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jan 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
- New upstream release 5.56 - New upstream release 5.56
* Tue Sep 4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5 * Thu Sep 19 2019 Sahana Prasad <sahana@redhat.com> - 5.55-1
- Fix -fstack-protector-strong build flag application - New upstream release 5.55
- Fix bugs from Coverity scan
* Fri Aug 3 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-3 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-3
- Override system crypto policy for build tests - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-2 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-2
- Drop 042_inetd test which fails in the build environment - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Tomáš Mráz <tmraz@redhat.com> - 5.50-1
- New upstream release 5.50
* Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1 * Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1
- New upstream release 5.48 - New upstream release 5.48
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.46-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1 * Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1
- New upstream release 5.46 - New upstream release 5.46