Compare commits
No commits in common. "imports/c8-beta/stunnel-5.48-5.el8" and "c8" have entirely different histories.
imports/c8 ... c8
|
@ -1 +1 @@
|
|||
SOURCES/stunnel-5.48.tar.gz
|
||||
SOURCES/stunnel-5.71.tar.gz
|
||||
|
|
|
@ -1 +1 @@
|
|||
8e8576abf9b143c7ef1b7390c35b46c4cf878ca0 SOURCES/stunnel-5.48.tar.gz
|
||||
dab534acc28f389f98bf8724d9f42ad9ca472691 SOURCES/stunnel-5.71.tar.gz
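Review bot: both entries identify the tarball by a 40-hex-digit digest, which is the length of SHA-1, and nothing in this hunk ties stunnel-5.71.tar.gz to an upstream signature. A PGP public key block and a new PGP signature are added elsewhere in this compare, so it is worth confirming that the spec file verifies the tarball against them at build time rather than relying on this digest alone.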
|
||||
|
|
|
@ -0,0 +1,125 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -1,56 +0,0 @@
|
|||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||
index a00cc78..85a0123 100644
|
||||
--- a/doc/stunnel.8.in
|
||||
+++ b/doc/stunnel.8.in
|
||||
@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and
|
||||
all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
|
||||
\&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
|
||||
.Sp
|
||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
.Sp
|
||||
Case is ignored for both facilities and levels.
|
||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||
index b7a0663..6bb01cd 100644
|
||||
--- a/doc/stunnel.html.in
|
||||
+++ b/doc/stunnel.html.in
|
||||
@@ -244,7 +244,7 @@
|
||||
|
||||
<p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
|
||||
|
||||
-<p>The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
+<p>The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
|
||||
<p>Case is ignored for both facilities and levels.</p>
|
||||
|
||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||
index 42d3a33..3806b5a 100644
|
||||
--- a/doc/stunnel.pod.in
|
||||
+++ b/doc/stunnel.pod.in
|
||||
@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and
|
||||
all levels numerically less than it will be shown. Use I<debug = debug> or
|
||||
I<debug = 7> for greatest debugging output. The default is notice (5).
|
||||
|
||||
-The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||||
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
|
||||
Case is ignored for both facilities and levels.
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 5881486..345d274 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -1554,8 +1554,12 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section,
|
||||
case CMD_BEGIN:
|
||||
section->log_level=LOG_NOTICE;
|
||||
#if !defined (USE_WIN32) && !defined (__vms)
|
||||
+#if defined(LOG_AUTHPRIV)
|
||||
+ new_global_options.log_facility=LOG_AUTHPRIV;
|
||||
+#else
|
||||
new_global_options.log_facility=LOG_DAEMON;
|
||||
#endif
|
||||
+#endif
|
||||
break;
|
||||
case CMD_EXEC:
|
||||
if(strcasecmp(opt, "debug"))
|
|
@ -1,17 +0,0 @@
|
|||
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
|
||||
index 53ad3e7..620a0e7 100644
|
||||
--- a/tools/stunnel.service.in
|
||||
+++ b/tools/stunnel.service.in
|
||||
@@ -1,10 +1,11 @@
|
||||
[Unit]
|
||||
Description=TLS tunnel for network daemons
|
||||
-After=syslog.target
|
||||
+After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=@bindir@/stunnel
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,12 +0,0 @@
|
|||
diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c
|
||||
--- stunnel-5.46/src/options.c.system-ciphers 2018-05-29 08:58:03.601089886 +0200
|
||||
+++ stunnel-5.46/src/options.c 2018-05-29 08:59:00.880244728 +0200
|
||||
@@ -252,7 +252,7 @@ static char *option_not_found=
|
||||
"Specified option name is not valid here";
|
||||
|
||||
static char *stunnel_cipher_list=
|
||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
|
||||
/**************************************** parse commandline parameters */
|
||||
|
|
@ -1,55 +0,0 @@
|
|||
diff -up stunnel-5.48/src/file.c.coverity stunnel-5.48/src/file.c
|
||||
--- stunnel-5.48/src/file.c.coverity 2018-04-06 16:25:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/file.c 2018-09-04 17:24:08.948928882 +0200
|
||||
@@ -120,7 +120,7 @@ DISK_FILE *file_open(char *name, FILE_MO
|
||||
return NULL;
|
||||
|
||||
/* setup df structure */
|
||||
- df=str_alloc(sizeof df);
|
||||
+ df=str_alloc(sizeof *df);
|
||||
df->fd=fd;
|
||||
return df;
|
||||
}
|
||||
diff -up stunnel-5.48/src/options.c.coverity stunnel-5.48/src/options.c
|
||||
--- stunnel-5.48/src/options.c.coverity 2018-09-04 17:24:08.946928836 +0200
|
||||
+++ stunnel-5.48/src/options.c 2018-09-04 18:47:03.135083884 +0200
|
||||
@@ -515,8 +515,7 @@ NOEXPORT int options_include(char *direc
|
||||
"%s/%s",
|
||||
#endif
|
||||
directory, namelist[i]->d_name);
|
||||
- stat(name, &sb);
|
||||
- if(S_ISREG(sb.st_mode))
|
||||
+ if(stat(name, &sb) == 0 && S_ISREG(sb.st_mode))
|
||||
err=options_file(name, CONF_FILE, section);
|
||||
else
|
||||
s_log(LOG_DEBUG, "\"%s\" is not a file", name);
|
||||
@@ -3773,6 +3772,7 @@ NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src
|
||||
else
|
||||
head=curr;
|
||||
tail=curr;
|
||||
+ src=src->next;
|
||||
}
|
||||
return head;
|
||||
}
|
||||
diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
|
||||
--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
|
||||
for(;;) {
|
||||
va_copy(ap, start_ap);
|
||||
n=vsnprintf(p, size, format, ap);
|
||||
+ va_end(ap);
|
||||
if(n>-1 && n<(int)size)
|
||||
return p;
|
||||
if(n>-1) /* glibc 2.1 */
|
||||
diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
|
||||
--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
|
||||
+++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
|
||||
@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
|
||||
#endif
|
||||
if(create_client(fd, s, alloc_client_session(opt, s, s))) {
|
||||
s_log(LOG_ERR, "Connection rejected: create_client failed");
|
||||
- closesocket(s);
|
||||
#ifndef USE_FORK
|
||||
service_free(opt);
|
||||
#endif
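Review bot: this patch file is deleted whole (`@ -1,55 +0,0 @`) and nothing in the compare states that its five fixes are already present in the 5.71 sources. Before dropping it, check upstream for each one: the allocation in file_open sized as `sizeof *df` rather than `sizeof df`, the `stat(name, &sb) == 0` test in options_include, the `src=src->next;` advance in psk_dup, the `va_end(ap);` in str_vprintf, and the absence of the extra closesocket call on the create_client failure path in accept_connection. The file_open one sizes a buffer by the pointer instead of the structure, so losing it would be a memory-safety regression that builds cleanly.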
|
|
@ -1,18 +0,0 @@
|
|||
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
|
|
@ -0,0 +1,73 @@
|
|||
From cfbf803dd3338a915f41bdfded69b34e7f21403d Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 1/7] Apply patch stunnel-5.50-authpriv.patch
|
||||
|
||||
Patch-name: stunnel-5.50-authpriv.patch
|
||||
Patch-id: 0
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
doc/stunnel.8.in | 2 +-
|
||||
doc/stunnel.html.in | 2 +-
|
||||
doc/stunnel.pod.in | 2 +-
|
||||
src/options.c | 4 ++++
|
||||
4 files changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||
index 8cd8bc0..b5d7d75 100644
|
||||
--- a/doc/stunnel.8.in
|
||||
+++ b/doc/stunnel.8.in
|
||||
@@ -209,7 +209,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||
.Sp
|
||||
The default logging level is notice (5).
|
||||
.Sp
|
||||
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
.Sp
|
||||
Case is ignored for both facilities and levels.
|
||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||
index a7931aa..cda5993 100644
|
||||
--- a/doc/stunnel.html.in
|
||||
+++ b/doc/stunnel.html.in
|
||||
@@ -248,7 +248,7 @@
|
||||
|
||||
<p>The default logging level is notice (5).</p>
|
||||
|
||||
-<p>The syslog 'daemon' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
+<p>The syslog 'authpriv' facility will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
|
||||
|
||||
<p>Case is ignored for both facilities and levels.</p>
|
||||
|
||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||
index a54b25d..f830cf3 100644
|
||||
--- a/doc/stunnel.pod.in
|
||||
+++ b/doc/stunnel.pod.in
|
||||
@@ -197,7 +197,7 @@ requested to do so by an stunnel developer, or when you intend to get confused.
|
||||
|
||||
The default logging level is notice (5).
|
||||
|
||||
-The syslog 'daemon' facility will be used unless a facility name is supplied.
|
||||
+The syslog 'authpriv' facility will be used unless a facility name is supplied.
|
||||
(Facilities are not supported on Win32.)
|
||||
|
||||
Case is ignored for both facilities and levels.
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 5f8ad8b..6e4a18b 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -1960,7 +1960,11 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
case CMD_SET_DEFAULTS:
|
||||
section->log_level=LOG_NOTICE;
|
||||
#if !defined (USE_WIN32) && !defined (__vms)
|
||||
+#if defined(LOG_AUTHPRIV)
|
||||
+ new_global_options.log_facility=LOG_AUTHPRIV;
|
||||
+#else
|
||||
new_global_options.log_facility=LOG_DAEMON;
|
||||
+#endif
|
||||
#endif
|
||||
break;
|
||||
case CMD_SET_COPY:
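Review bot: the `#else` branch keeps `LOG_DAEMON` where `LOG_AUTHPRIV` is not defined, but the three documentation hunks in this patch state the 'authpriv' default unconditionally. Either say in the docs that 'daemon' remains the fallback on such platforms, or drop the fallback. The commit message is only "Apply patch stunnel-5.50-authpriv.patch" and gives no reason for moving the default facility; a sentence on why these messages belong in authpriv would help whoever has to update syslog rules that currently match on daemon.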
|
||||
--
|
||||
2.39.2
|
||||
|
|
@ -0,0 +1,98 @@
|
|||
From e951a8a7edc87dbd608043f8aab67ef12979e3ca Mon Sep 17 00:00:00 2001
|
||||
From: Sahana Prasad <sahana@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 6/8] Apply patch stunnel-5.56-curves-doc-update.patch
|
||||
|
||||
Patch-name: stunnel-5.56-curves-doc-update.patch
|
||||
Patch-id: 6
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
doc/stunnel.8.in | 2 ++
|
||||
doc/stunnel.html.in | 2 ++
|
||||
doc/stunnel.pl.8.in | 2 ++
|
||||
doc/stunnel.pl.html.in | 2 ++
|
||||
doc/stunnel.pl.pod.in | 2 ++
|
||||
doc/stunnel.pod.in | 2 ++
|
||||
6 files changed, 12 insertions(+)
|
||||
|
||||
diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
|
||||
index a56f0b7..977a1a4 100644
|
||||
--- a/doc/stunnel.8.in
|
||||
+++ b/doc/stunnel.8.in
|
||||
@@ -475,6 +475,8 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
|
||||
.IX Item "curves = list"
|
||||
\&\s-1ECDH\s0 curves separated with ':'
|
||||
.Sp
|
||||
+Note: This option is supported for server mode sockets only.
|
||||
+.Sp
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||
.Sp
|
||||
To get a list of supported curves use:
|
||||
diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
|
||||
index 608afa9..cecc81a 100644
|
||||
--- a/doc/stunnel.html.in
|
||||
+++ b/doc/stunnel.html.in
|
||||
@@ -570,6 +570,8 @@
|
||||
|
||||
<p>ECDH curves separated with ':'</p>
|
||||
|
||||
+<p>Note: This option is supported for server mode sockets only.</p>
|
||||
+
|
||||
<p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>
|
||||
|
||||
<p>To get a list of supported curves use:</p>
|
||||
diff --git a/doc/stunnel.pl.8.in b/doc/stunnel.pl.8.in
|
||||
index e2e6622..eae88f8 100644
|
||||
--- a/doc/stunnel.pl.8.in
|
||||
+++ b/doc/stunnel.pl.8.in
|
||||
@@ -492,6 +492,8 @@ przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
|
||||
.IX Item "curves = lista"
|
||||
krzywe \s-1ECDH\s0 odddzielone ':'
|
||||
.Sp
|
||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||
+.Sp
|
||||
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||
.Sp
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
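Review bot: the added Polish sentence says the option "affects only sockets in server mode" (`wpływa tylko na gniazda w trybie serwera`), while the English hunks say it "is supported for server mode sockets only"; pick one meaning and use it in both languages. None of the six hunks says what happens when `curves` is set in a client section (ignored, or rejected at load), which is the thing a reader needs to know. The context line `krzywe \s-1ECDH\s0 odddzielone ':'` also carries a typo (three d's) that could be fixed while this paragraph is being touched.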
|
||||
diff --git a/doc/stunnel.pl.html.in b/doc/stunnel.pl.html.in
|
||||
index 7be87f1..7fd7a7c 100644
|
||||
--- a/doc/stunnel.pl.html.in
|
||||
+++ b/doc/stunnel.pl.html.in
|
||||
@@ -568,6 +568,8 @@
|
||||
|
||||
<p>krzywe ECDH odddzielone ':'</p>
|
||||
|
||||
+<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p>
|
||||
+
|
||||
<p>Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.</p>
|
||||
|
||||
<p>Listę dostępnych krzywych można uzyskać poleceniem:</p>
|
||||
diff --git a/doc/stunnel.pl.pod.in b/doc/stunnel.pl.pod.in
|
||||
index dc6b255..712f751 100644
|
||||
--- a/doc/stunnel.pl.pod.in
|
||||
+++ b/doc/stunnel.pl.pod.in
|
||||
@@ -516,6 +516,8 @@ przez opcje I<verifyChain> i I<verifyPeer>.
|
||||
|
||||
krzywe ECDH odddzielone ':'
|
||||
|
||||
+Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.
|
||||
+
|
||||
Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.
|
||||
|
||||
Listę dostępnych krzywych można uzyskać poleceniem:
|
||||
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
|
||||
index 840c708..85cc199 100644
|
||||
--- a/doc/stunnel.pod.in
|
||||
+++ b/doc/stunnel.pod.in
|
||||
@@ -501,6 +501,8 @@ I<verifyPeer> options.
|
||||
|
||||
ECDH curves separated with ':'
|
||||
|
||||
+Note: This option is supported for server mode sockets only.
|
||||
+
|
||||
Only a single curve name is allowed for OpenSSL older than 1.1.1.
|
||||
|
||||
To get a list of supported curves use:
|
||||
--
|
||||
2.37.3
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From 6cb73d824ac204f5680e469b0474855aaa6b8ddc Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 2/8] Apply patch stunnel-5.61-systemd-service.patch
|
||||
|
||||
Patch-name: stunnel-5.61-systemd-service.patch
|
||||
Patch-id: 1
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
tools/stunnel.service.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
|
||||
index fa98996..0c5a216 100644
|
||||
--- a/tools/stunnel.service.in
|
||||
+++ b/tools/stunnel.service.in
|
||||
@@ -6,6 +6,7 @@ After=syslog.target network-online.target
|
||||
ExecStart=@bindir@/stunnel
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
Type=forking
|
||||
+PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
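Review bot: `PrivateTmp=true` is added next to `Type=forking` with no rationale in the commit message, and it changes behaviour for existing configurations: anything the stunnel configuration places under /tmp or /var/tmp (a pid file, a UNIX socket, a log file) lands in the unit's private namespace and is no longer reachable by other services. Please state that in the commit message or release notes so administrators know to move such paths, and say why this one directive was chosen on its own.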
|
||||
--
|
||||
2.37.3
|
||||
|
|
@ -0,0 +1,117 @@
|
|||
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
|
||||
|
||||
Patch-name: stunnel-5.69-default-tls-version.patch
|
||||
Patch-id: 5
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
src/ctx.c | 34 ++++++++++++++++++++++------------
|
||||
src/options.c | 15 +++++++++++----
|
||||
src/prototypes.h | 3 +++
|
||||
3 files changed, 36 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/ctx.c b/src/ctx.c
|
||||
index 6a42a6b..cba24d9 100644
|
||||
--- a/src/ctx.c
|
||||
+++ b/src/ctx.c
|
||||
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
|
||||
section->ctx=SSL_CTX_new(section->option.client ?
|
||||
TLS_client_method() : TLS_server_method());
|
||||
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
|
||||
- if(section->min_proto_version &&
|
||||
- !SSL_CTX_set_min_proto_version(section->ctx,
|
||||
- section->min_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
- section->min_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
|
||||
+ " crypto policies. Not setting explicitly.");
|
||||
+ } else {
|
||||
+ if(section->min_proto_version &&
|
||||
+ !SSL_CTX_set_min_proto_version(section->ctx,
|
||||
+ section->min_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
|
||||
+ section->min_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
- if(section->max_proto_version &&
|
||||
- !SSL_CTX_set_max_proto_version(section->ctx,
|
||||
- section->max_proto_version)) {
|
||||
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
- section->max_proto_version);
|
||||
- return 1; /* FAILED */
|
||||
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
|
||||
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
|
||||
+ " crypto policies. Not setting explicitly");
|
||||
+ } else {
|
||||
+ if(section->max_proto_version &&
|
||||
+ !SSL_CTX_set_max_proto_version(section->ctx,
|
||||
+ section->max_proto_version)) {
|
||||
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
|
||||
+ section->max_proto_version);
|
||||
+ return 1; /* FAILED */
|
||||
+ }
|
||||
}
|
||||
#else /* OPENSSL_VERSION_NUMBER<0x10100000L */
|
||||
if(section->option.client)
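Review bot: both new blocks wrap the original test as `else { if(...) { ... } }`; an `else if(...)` would keep the original indentation and make the diff much smaller. The new conditions are written `if (` while the surrounding code uses `if(`, and the two log strings differ only by a trailing full stop. Since context_init takes a section, the LOG_INFO message would be more useful if it named the section it applies to.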
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 4d31815..2ec5934 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
return "Invalid protocol version";
|
||||
return NULL; /* OK */
|
||||
case CMD_INITIALIZE:
|
||||
- if(section->max_proto_version && section->min_proto_version &&
|
||||
- section->max_proto_version<section->min_proto_version)
|
||||
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
|
||||
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
|
||||
+ && section->max_proto_version<section->min_proto_version)
|
||||
return "Invalid protocol version range";
|
||||
break;
|
||||
case CMD_PRINT_DEFAULTS:
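Review bot: the rewritten range check under `CMD_INITIALIZE` drops the old `section->max_proto_version && section->min_proto_version` guards, so a value of 0 is now compared numerically. The ctx.c hunk of this same patch still treats 0 as "do not set", and the defaults removed further down document 0 as highest/lowest supported, so if the parser can still assign 0, a section with an explicit minimum and a maximum of 0 would fail with "Invalid protocol version range". Keep the non-zero guards and add the `USE_DEFAULT_TLS_VERSION` tests alongside them.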
|
||||
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
/* sslVersionMax */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->max_proto_version=0; /* highest supported */
|
||||
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||
+ OpenSSL crypto
|
||||
+ policies.Do not
|
||||
+ override it */
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->max_proto_version=new_service_options.max_proto_version;
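Review bot: the trailing comment on the new default is wrapped over four lines and reads `policies.Do not` (missing space), while the matching sslVersionMin hunk has `policies. Do not`. A single-line comment above the assignment would be easier to read and to keep identical in both places.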
|
||||
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
|
||||
/* sslVersionMin */
|
||||
switch(cmd) {
|
||||
case CMD_SET_DEFAULTS:
|
||||
- section->min_proto_version=0; /* lowest supported */
|
||||
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
|
||||
+ OpenSSL crypto
|
||||
+ policies. Do not
|
||||
+ override it */
|
||||
break;
|
||||
case CMD_SET_COPY:
|
||||
section->min_proto_version=new_service_options.min_proto_version;
|
||||
diff --git a/src/prototypes.h b/src/prototypes.h
|
||||
index 0ecd719..a126c9e 100644
|
||||
--- a/src/prototypes.h
|
||||
+++ b/src/prototypes.h
|
||||
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
|
||||
ICON_IMAGE load_icon_file(const char *);
|
||||
#endif
|
||||
|
||||
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
|
||||
+ crypto policies */
|
||||
+
|
||||
#endif /* defined PROTOTYPES_H */
|
||||
|
||||
/* end of prototypes.h */
|
||||
--
|
||||
2.39.2
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
|
||||
From: Sahana Prasad <sprasad@localhost.localdomain>
|
||||
Date: Mon, 12 Sep 2022 11:07:38 +0200
|
||||
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
|
||||
|
||||
On Fedora, CentOS and RHEL, the system's crypto policies are the best
|
||||
source to determine which cipher suites to accept in TLS. On these
|
||||
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
|
||||
policies. Change stunnel to default to this setting.
|
||||
|
||||
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
|
||||
Patch-name: stunnel-5.69-system-ciphers.patch
|
||||
Patch-id: 3
|
||||
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
|
||||
---
|
||||
src/options.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index 6e4a18b..4d31815 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -321,9 +321,9 @@ static const char *option_not_found=
|
||||
"Specified option name is not valid here";
|
||||
|
||||
static const char *stunnel_cipher_list=
|
||||
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
static const char *fips_cipher_list=
|
||||
- "FIPS:!DH:!kDHEPSK";
|
||||
+ "PROFILE=SYSTEM";
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
static const char *stunnel_ciphersuites=
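Review bot: `fips_cipher_list` becomes the same string as `stunnel_cipher_list`, so after this hunk FIPS mode no longer narrows the cipher list on its own and depends on the system policy being the FIPS one; the commit message only argues for the non-FIPS default. The explicit `!DH:!kDHEPSK` exclusions present in both old strings are dropped as well, so please state whether the system policy is expected to cover them. `stunnel_ciphersuites` appears only as context, meaning the TLS 1.3 list is not changed here; say whether that is intentional.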
|
||||
--
|
||||
2.39.2
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
|
||||
From: Clemens Lang <cllang@redhat.com>
|
||||
Date: Thu, 19 Oct 2023 14:41:54 +0200
|
||||
Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
|
||||
|
||||
On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
|
||||
NO_TLSv1.3 values for the options directive. Since we do not break
|
||||
compatibility, preserve these options for customers that have them set.
|
||||
|
||||
Related: RHEL-2340
|
||||
---
|
||||
src/options.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/options.c b/src/options.c
|
||||
index a306c4c..c05692c 100644
|
||||
--- a/src/options.c
|
||||
+++ b/src/options.c
|
||||
@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
|
||||
#endif
|
||||
#ifdef SSL_OP_NO_TLSv1_1
|
||||
{"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
|
||||
+ {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
|
||||
#endif
|
||||
#ifdef SSL_OP_NO_TLSv1_2
|
||||
{"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
|
||||
+ {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
|
||||
#endif
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
{"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
|
||||
+ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
|
||||
#endif
|
||||
#ifdef SSL_OP_PKCS1_CHECK_1
|
||||
{"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
|
||||
--
|
||||
2.41.0
|
||||
|
|
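Review bot: the three dotted entries added to ssl_opts[] ("NO_TLSv1.1", "NO_TLSv1.2", "NO_TLSv1.3") carry no comment marking them as compatibility aliases, so they read as accidental duplicates of the underscore names directly above them. Add a comment such as /* RHEL 8 compatibility spelling */ and keep each alias after its canonical name, so that if anything walks the table by value the underscore form is still the first match. The diffstat shows only src/options.c, so the dotted spellings stay undocumented; if they are meant to be supported rather than merely tolerated, the options documentation should list them.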
@ -0,0 +1,18 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
-----END PGP SIGNATURE-----
|
|
@ -1,7 +1,7 @@
|
|||
# Do not generate provides for private libraries
|
||||
%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
|
||||
|
||||
%if 0%{?fedora} > 27 || 0%{?rhel} > 7
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
%bcond_with libwrap
|
||||
%else
|
||||
%bcond_without libwrap
|
||||
|
@ -9,11 +9,11 @@
|
|||
|
||||
Summary: A TLS-encrypting socket wrapper
|
||||
Name: stunnel
|
||||
Version: 5.48
|
||||
Release: 5%{?dist}
|
||||
Version: 5.71
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2
|
||||
Group: Applications/Internet
|
||||
URL: http://www.stunnel.org/
|
||||
URL: https://www.stunnel.org/
|
||||
Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
|
||||
Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
|
||||
Source2: Certificate-Creation
|
||||
|
@ -22,12 +22,20 @@ Source4: stunnel-sfinger.conf
|
|||
Source5: pop3-redirect.xinetd
|
||||
Source6: stunnel-pop3s-client.conf
|
||||
Source7: stunnel@.service
|
||||
Patch0: stunnel-5.40-authpriv.patch
|
||||
Patch1: stunnel-5.40-systemd-service.patch
|
||||
Patch3: stunnel-5.46-system-ciphers.patch
|
||||
Patch4: stunnel-5.48-coverity.patch
|
||||
# Upstream release signing key
|
||||
# Upstream source is https://www.stunnel.org/pgp.asc; using a local URL because
|
||||
# the remote one makes packit source-git choke.
|
||||
Source99: pgp.asc
|
||||
Patch0: stunnel-5.50-authpriv.patch
|
||||
Patch1: stunnel-5.61-systemd-service.patch
|
||||
Patch3: stunnel-5.69-system-ciphers.patch
|
||||
Patch5: stunnel-5.69-default-tls-version.patch
|
||||
Patch6: stunnel-5.56-curves-doc-update.patch
|
||||
Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
|
||||
# util-linux is needed for rename
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
BuildRequires: openssl-devel, pkgconfig, util-linux
|
||||
BuildRequires: autoconf automake libtool
|
||||
%if %{with libwrap}
|
||||
|
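Review bot: the comment above Source99 says where the key came from but not which key it is. Because pgp.asc is a copy kept in the package repository rather than fetched from https://www.stunnel.org/pgp.asc, that committed file is the trust anchor for any signature check on Source0 against Source1, and a reviewer has nothing in the spec to compare it with. Record the expected key fingerprint in the comment so that a future change to pgp.asc can be checked against upstream during review.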
@ -37,7 +45,8 @@ BuildRequires: /usr/bin/pod2man
|
|||
BuildRequires: /usr/bin/pod2html
|
||||
# build test requirements
|
||||
BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
|
||||
BuildRequires: systemd
|
||||
BuildRequires: python3.11 python3.11-cryptography openssl
|
||||
BuildRequires: systemd systemd-devel
|
||||
%{?systemd_requires}
|
||||
|
||||
%description
|
||||
|
@ -47,17 +56,17 @@ to ordinary applications. For example, it can be used in
|
|||
conjunction with imapd to create a TLS secure IMAP server.
|
||||
|
||||
%prep
|
||||
%{gpgverify} --keyring='%{SOURCE99}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||
%setup -q
|
||||
%patch0 -p1 -b .authpriv
|
||||
%patch1 -p1 -b .systemd-service
|
||||
%patch3 -p1 -b .system-ciphers
|
||||
%patch4 -p1 -b .coverity
|
||||
%patch5 -p1 -b .default-tls-version
|
||||
%patch6 -p1 -b .curves-doc-update
|
||||
%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility
|
||||
|
||||
# Fix the configure script output for FIPS mode and stack protector flag
|
||||
sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
|
||||
|
||||
# Fix a testcase with system-ciphers support
|
||||
sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
|
||||
# Fix the stack protector flag
|
||||
sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
|
||||
|
||||
%build
|
||||
#autoreconf -v
|
||||
|
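Review bot: the sed expression 's/-fstack-protector/-fstack-protector-strong/' also matches the prefix of -fstack-protector-strong, so if configure ever ships with the strong flag already in place the result is -fstack-protector-strong-strong, and if the string is absent the command does nothing without any error. Anchor the pattern so it does not match when "-strong" already follows, and add a check after it (for example grep -q -- '-fstack-protector-strong' configure) so the build fails instead of silently losing the hardening flag.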
@ -72,6 +81,7 @@ fi
|
|||
%else
|
||||
--disable-libwrap \
|
||||
%endif
|
||||
--with-bashcompdir=%{_datadir}/bash-completion/completions \
|
||||
CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
|
||||
make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
|
||||
|
||||
|
@ -87,26 +97,22 @@ for lang in pl ; do
|
|||
done
|
||||
mkdir srpm-docs
|
||||
cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
|
||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
|
||||
cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
|
||||
%endif
|
||||
|
||||
%check
|
||||
# For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible
|
||||
# in Fedora or normal RHEL-8 install.
|
||||
rm tests/recipes/042_inetd
|
||||
# We override the security policy as it is too strict for the tests.
|
||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
||||
OPENSSL_CONF=
|
||||
export OPENSSL_CONF
|
||||
make test
|
||||
if ! make test; then
|
||||
for i in tests/logs/*.log; do
|
||||
echo "$i":
|
||||
cat "$i"
|
||||
done
|
||||
exit 1
|
||||
fi
|
||||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%doc AUTHORS BUGS ChangeLog CREDITS PORTS README TODO
|
||||
%doc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
|
||||
%doc tools/stunnel.conf-sample
|
||||
%doc srpm-docs/*
|
||||
%license COPY*
|
||||
|
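Review bot: %check no longer sets OPENSSL_SYSTEM_CIPHERS_OVERRIDE or OPENSSL_CONF (the hunk header's 26 old lines against 22 new only add up with those five lines removed), so the test suite now runs under whatever crypto policy the build host has active and its result can differ between builders. If that is intended, say so in a comment at the top of %check, since the removed comment was the only explanation of how the tests relate to the system policy. In the failure branch, for i in tests/logs/*.log passes the literal pattern to cat when no log exists; a guard such as [ -e "$i" ] || continue keeps the failure output readable.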
@ -121,9 +127,8 @@ make test
|
|||
%lang(pl) %{_mandir}/pl/man8/stunnel.8*
|
||||
%dir %{_sysconfdir}/%{name}
|
||||
%exclude %{_sysconfdir}/stunnel/*
|
||||
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
|
||||
%{_unitdir}/%{name}*.service
|
||||
%endif
|
||||
%{_datadir}/bash-completion/completions/%{name}.bash
|
||||
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
|
@ -137,6 +142,33 @@ make test
|
|||
%systemd_postun_with_restart %{name}.service
|
||||
|
||||
%changelog
|
||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 5.71-2
|
||||
- Restore support for the NO_TLSv1.[123] values for the option directive
|
||||
Resolves: RHEL-2340
|
||||
|
||||
* Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
|
||||
- New upstream release 5.71
|
||||
Resolves: RHEL-2340
|
||||
- Enable socket activation support
|
||||
- verify upstream source in %%prep
|
||||
- clean up stale conditionals
|
||||
|
||||
* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
|
||||
- Fixes CVE-2021-20230 stunnel: client certificate not
|
||||
correctly verified when redirect and verifyChain options are used.
|
||||
|
||||
* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
|
||||
- Updates documentation to specify that the option "curves" can be used in server mode only.
|
||||
|
||||
* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
|
||||
- Fixes default tls version patch to handle default values from OpenSSL crypto policies
|
||||
|
||||
* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2
|
||||
- Adds default tls version patch to comply with OpenSSL crypto policies
|
||||
|
||||
* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
|
||||
- New upstream release 5.56
|
||||
|
||||
* Tue Sep 4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
|
||||
- Fix -fstack-protector-strong build flag application
|
||||
- Fix bugs from Coverity scan
|
||||
|
|