2 changed files with 61 additions and 78 deletions
--- a/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
+++ b/SOURCES/stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
@ -0,0 +1,37 @@
+From 4ffcbcecaf901b13a36dba1e651cfc16e5242e5a Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Thu, 19 Oct 2023 14:41:54 +0200
+Subject: [PATCH] Preserve NO_TLSv1.[123] option compatibility
+
+On RHEL 8, stunnel used to support the NO_TLSv1.1, NO_TLSv1.2, and
+NO_TLSv1.3 values for the options directive. Since we do not break
+compatibility, preserve these options for customers that have them set.
+
+Related: RHEL-2340
+---
+ src/options.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/options.c b/src/options.c
+index a306c4c..c05692c 100644
+--- a/src/options.c
+++ b/src/options.c
+@@ -229,12 +229,15 @@ static const SSL_OPTION ssl_opts[] = {
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_1
+     {"NO_TLSv1_1", SSL_OP_NO_TLSv1_1},
+    {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1},
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+     {"NO_TLSv1_2", SSL_OP_NO_TLSv1_2},
+    {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_3
+     {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3},
+    {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
+ #endif
+ #ifdef SSL_OP_PKCS1_CHECK_1
+     {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
+-- 
+2.41.0
+
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@ -10,8 +10,9 @@
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
 Version: 5.71
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
+Group: Applications/Internet
 URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
 Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
@ -30,6 +31,7 @@ Patch1: stunnel-5.61-systemd-service.patch
 Patch3: stunnel-5.69-system-ciphers.patch
 Patch5: stunnel-5.69-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
+Patch7: stunnel-5.71-Preserve-NO_TLSv1.-123-option-compatibility.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@ -43,7 +45,7 @@ BuildRequires: /usr/bin/pod2man
 BuildRequires: /usr/bin/pod2html
 # build test requirements
 BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
-BuildRequires: python3 python3-cryptography openssl
+BuildRequires: python3.11 python3.11-cryptography openssl
 BuildRequires: systemd systemd-devel
 %{?systemd_requires}

@ -61,6 +63,7 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch3 -p1 -b .system-ciphers
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
+%patch7 -p1 -b .preserve-no-tlsv1-123-option-compatibility

 # Fix the stack protector flag
 sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
@ -139,103 +142,46 @@ fi
 %systemd_postun_with_restart %{name}.service

 %changelog
+* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 5.71-2
+- Restore support for the NO_TLSv1.[123] values for the option directive
+  Resolves: RHEL-2340
+
 * Thu Oct 05 2023 Clemens Lang <cllang@redhat.com> - 5.71-1
 - New upstream release 5.71
-  Resolves: RHEL-2468
+  Resolves: RHEL-2340
 - Enable socket activation support
 - verify upstream source in %%prep
 - clean up stale conditionals

-* Thu Dec 08 2022 Clemens Lang <cllang@redhat.com> - 5.62-3
- Fix use of encrypted key files and password retry with OpenSSL 3
-  Resolves: rhbz#2151888
+* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 5.56-5
+- Fixes CVE-2021-20230 stunnel: client certificate not
+  correctly verified when redirect and verifyChain options are used.

-* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-2
- Fix stunnel in FIPS mode
-  Resolves: rhbz#2050617
- Fail build if tests fail
-  Resolves: rhbz#2051083
-
-* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
- New upstream release 5.62
-  Resolves: rhbz#2039299
-
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Tue Aug 03 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 5.58-5
- Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
- Resolves: rhbz#1976854
-
-* Wed Jul 28 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 5.58-4
- Stunnel cannot use an encrypted private key being built against OpenSSL 3.0
- Resolves: rhbz#1976854
-
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Mon Feb 22 2021 Sahana Prasad <sahana@redhat.com> - 5.58-1
- New upstream release 5.58
-
-* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 5.57-1
- New upstream release 5.57
- Fixes #1925229 - client certificate not correctly verified
-  when redirect and verifyChain options are used
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-9
- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-7
+* Thu Apr 16 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
 - Updates documentation to specify that the option "curves" can be used in server mode only.

-* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-6
+* Wed Apr 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
 - Fixes default tls version patch to handle default values from OpenSSL crypto policies

-* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-5
- Removes warnings caused by the patch
-
-* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-4
+* Mon Apr 06 2020 Sahana Prasad <sahana@redhat.com> - 5.56-2
 - Adds default tls version patch to comply with OpenSSL crypto policies

-* Tue Mar 31 2020 Sahana Prasad <sahana@redhat.com> - 5.56-3
- Adds coverity patch
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.56-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jan 08 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
+* Fri Apr 03 2020 Sahana Prasad <sahana@redhat.com> - 5.56-1
 - New upstream release 5.56

-* Thu Sep 19 2019 Sahana Prasad <sahana@redhat.com> - 5.55-1
- New upstream release 5.55
+* Tue Sep  4 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-5
+- Fix -fstack-protector-strong build flag application
+- Fix bugs from Coverity scan

-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Fri Aug  3 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-3
+- Override system crypto policy for build tests

-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.50-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Tomáš Mráz <tmraz@redhat.com> - 5.50-1
- New upstream release 5.50
+* Tue Jul 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-2
+- Drop 042_inetd test which fails in the build environment

 * Tue Jul 24 2018 Tomáš Mráz <tmraz@redhat.com> - 5.48-1
 - New upstream release 5.48

-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.46-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
 * Thu May 31 2018 Tomáš Mráz <tmraz@redhat.com> - 5.46-1
 - New upstream release 5.46