Sync from SUSE:SLFO:Main stunnel revision b39bb9e9b4622b8141a923557fb7d761

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

harden_stunnel.service.patch

@@ -0,0 +1,24 @@
+Index: stunnel-5.69/tools/stunnel.service.in
+===================================================================
+--- stunnel-5.69.orig/tools/stunnel.service.in
++++ stunnel-5.69/tools/stunnel.service.in
+@@ -4,6 +4,19 @@ After=syslog.target network-online.targe
+ Wants=syslog.target network-online.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ LimitNOFILE=20480
+ ExecStart=@bindir@/stunnel
+ ExecReload=/bin/kill -HUP $MAINPID

stunnel-5.59_service_always_after_network.patch

@@ -0,0 +1,12 @@
+Index: stunnel-5.69/tools/stunnel.service.in
+===================================================================
+--- stunnel-5.69.orig/tools/stunnel.service.in
++++ stunnel-5.69/tools/stunnel.service.in
+@@ -1,6 +1,7 @@
+ [Unit]
+ Description=TLS tunnel for network daemons
+ After=syslog.target network-online.target
++Wants=syslog.target network-online.target
+ 
+ [Service]
+ LimitNOFILE=20480

stunnel-5.69-default-tls-version.patch

@@ -0,0 +1,117 @@
+From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+
+Patch-name: stunnel-5.69-default-tls-version.patch
+Patch-id: 5
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/ctx.c        | 34 ++++++++++++++++++++++------------
+ src/options.c    | 15 +++++++++++----
+ src/prototypes.h |  3 +++
+ 3 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/src/ctx.c b/src/ctx.c
+index 6a42a6b..cba24d9 100644
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+     section->ctx=SSL_CTX_new(section->option.client ?
+         TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+-    if(section->min_proto_version &&
+-            !SSL_CTX_set_min_proto_version(section->ctx,
+-            section->min_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+-            section->min_proto_version);
+-        return 1; /* FAILED */
++    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++        s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
++                " crypto policies. Not setting explicitly.");
++    } else {
++        if(section->min_proto_version &&
++                !SSL_CTX_set_min_proto_version(section->ctx,
++                section->min_proto_version)) {
++            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++                section->min_proto_version);
++            return 1; /* FAILED */
++        }
+     }
+-    if(section->max_proto_version &&
+-            !SSL_CTX_set_max_proto_version(section->ctx,
+-            section->max_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+-            section->max_proto_version);
+-        return 1; /* FAILED */
++    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++        s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
++                " crypto policies. Not setting explicitly");
++    } else {
++        if(section->max_proto_version &&
++                !SSL_CTX_set_max_proto_version(section->ctx,
++                section->max_proto_version)) {
++            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++                section->max_proto_version);
++            return 1; /* FAILED */
++        }
+     }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+     if(section->option.client)
+diff --git a/src/options.c b/src/options.c
+index 4d31815..2ec5934 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+             return "Invalid protocol version";
+         return NULL; /* OK */
+     case CMD_INITIALIZE:
+-        if(section->max_proto_version && section->min_proto_version &&
+-                section->max_proto_version<section->min_proto_version)
++        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++                && section->max_proto_version<section->min_proto_version)
+             return "Invalid protocol version range";
+         break;
+     case CMD_PRINT_DEFAULTS:
+@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+     /* sslVersionMax */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->max_proto_version=0; /* highest supported */
++        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++                                                               OpenSSL crypto
++                                                               policies.Do not
++                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->max_proto_version=new_service_options.max_proto_version;
+@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+     /* sslVersionMin */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->min_proto_version=0; /* lowest supported */
++        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++                                                               OpenSSL crypto
++                                                               policies. Do not
++                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->min_proto_version=new_service_options.min_proto_version;
+diff --git a/src/prototypes.h b/src/prototypes.h
+index 0ecd719..a126c9e 100644
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++                                             crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+ 
+ /* end of prototypes.h */
+-- 
+2.39.2
+

stunnel-5.69-system-ciphers.patch

@@ -0,0 +1,37 @@
+From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
+From: Sahana Prasad <sprasad@localhost.localdomain>
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
+
+On Fedora, CentOS and RHEL, the system's crypto policies are the best
+source to determine which cipher suites to accept in TLS. On these
+platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
+policies. Change stunnel to default to this setting.
+
+Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
+Patch-name: stunnel-5.69-system-ciphers.patch
+Patch-id: 3
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/options.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/options.c b/src/options.c
+index 6e4a18b..4d31815 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -321,9 +321,9 @@ static const char *option_not_found=
+     "Specified option name is not valid here";
+ 
+ static const char *stunnel_cipher_list=
+-    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
++    "PROFILE=SYSTEM";
+ static const char *fips_cipher_list=
+-    "FIPS:!DH:!kDHEPSK";
++    "PROFILE=SYSTEM";
+ 
+ #ifndef OPENSSL_NO_TLS1_3
+ static const char *stunnel_ciphersuites=
+-- 
+2.39.2
+

stunnel-5.71.tar.gz.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A
+NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+
+qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4
+37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL
+Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9
+SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr
+iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr
+tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx
+bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy
+6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn
+l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU=
+=6RnW
+-----END PGP SIGNATURE-----

stunnel.README

@@ -0,0 +1,11 @@
+ 
+To create a new certificate, execute the following OpenSSL command:
+  (umask 077; \
+  /usr/bin/openssl req -new -x509 -days 365 -nodes \
+    -config /usr/share/doc/packages/stunnel/openssl.cnf \
+    -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem)
+ 
+Starting with v4, stunnel uses a configuration file. 
+Via the stunnel3 wrapper you can run stunnel with v3-style cmdline arguments. 
+
+

stunnel.keyring

@@ -0,0 +1,125 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
+hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
+ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
+fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
+kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
+1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
+rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
+RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
+Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
+sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
+4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
+tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
+iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT
+1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK
+JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan
+OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT
+JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe
+tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa
+sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx
+RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu
+XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc
+Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq
+HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA
+G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD
+ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu
+VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID
+AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj
+k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs
+pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq
+eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL
+CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG
+L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH
+xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez
+YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l
+qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR
+EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm
+qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c
+MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy
+b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb
+AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq
+owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U
+0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+
+B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN
+d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ
+zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx
+Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H
+3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV
+t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8
+eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b
+rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst
+r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb
+/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN
+aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI
+CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE
+iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl
+qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS
+bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ
+jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ
+Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj
+zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM
+f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM
+9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio
+bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e
+GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23
++6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU
+68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z
+kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6
+q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1
+3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb
+Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G
+KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ
+HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef
+wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1
+eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc
+gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE
+7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB
+AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA
+N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r
+PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f
+xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT
+3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp
+hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j
+KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv
+MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW
+Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY
+SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm
+CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE
+SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA
+q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/
+fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD
+Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g
+qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u
+/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F
+ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj
+PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK
+zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue
+Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU
+qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp
+42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB
+AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd
+f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz
+qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM
+UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN
+oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV
+wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW
+YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv
+WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG
+TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV
+AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz
+GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM
+eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8
+PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw
+I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2
+1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx
+dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml
+DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M
+5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+
+kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh
+NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b
+zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
+wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
+=EgcU
+-----END PGP PUBLIC KEY BLOCK-----

stunnel.rc

@@ -0,0 +1,245 @@
+#! /bin/sh
+# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
+# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
+# Copyright (c) 2002 SuSE Linux AG
+#
+# License: same as stunnel
+#
+# Author: Peter Poeml <poeml@suse.de>, 2002
+#
+# /etc/init.d/stunnel
+#   and its symbolic link
+# /usr/sbin/rcstunnel
+#
+### BEGIN INIT INFO
+# Provides:			stunnel
+# Required-Start:		$local_fs $remote_fs $network 
+# Should-Start:			$named $syslog $time 
+# Required-Stop:		$local_fs $remote_fs $network
+# Should-Stop:			$named $syslog $time
+# Default-Start:		3 5
+# Default-Stop:			0 1 2 6
+# Short-Description:		stunnel (universal SSL tunnel)
+# Description:			Start the universal SSL tunnel "stunnel"
+### END INIT INFO
+
+
+DAEMON="stunnel (SSL tunnel)"
+DAEMON_BIN=/usr/sbin/stunnel
+: ${STUNNEL_CONF:=/etc/stunnel/stunnel.conf}
+STARTPROC_LOGFILE=/var/log/rc.stunnel.log
+SUPPORTS_HUP=false
+
+test -x $DAEMON_BIN || exit 5
+
+#
+# read the configuration
+#
+STUNNEL_RUN_CHROOTED=false
+DAEMON_PIDFILE=/var/run/stunnel.pid
+EXECUTABLES=
+CHROOT_PREFIX=
+while read -a line; do 
+	case ${line} in 
+	chroot)	CHROOT_PREFIX=${line[2]}; STUNNEL_RUN_CHROOTED=true;;
+	pid) 	DAEMON_PIDFILE=${line[2]};;
+	exec) 	EXECUTABLES="$EXECUTABLES ${line[2]}";;
+	esac; 
+done < $STUNNEL_CONF
+DAEMON_PIDFILE="$CHROOT_PREFIX$DAEMON_PIDFILE"
+
+# Shell functions sourced from /etc/rc.status:
+#      rc_check         check and set local and overall rc status
+#      rc_status        check and set local and overall rc status
+#      rc_status -v     ditto but be verbose in local rc status
+#      rc_status -v -r  ditto and clear the local rc status
+#      rc_failed        set local and overall rc status to failed
+#      rc_failed <num>  set local and overall rc status to <num><num>
+#      rc_reset         clear local rc status (overall remains)
+#      rc_exit          exit appropriate to overall rc status
+. /etc/rc.status
+
+# First reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+# 
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signalling is not supported) are
+# considered a success.
+
+# this seems to want to delete the pid file if it is empty
+test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE
+
+case "$1" in
+    start)
+	echo -n "Starting $DAEMON "
+
+        ## If there is no conf file, skip starting of stunnel
+        ## and return with "program not configured"
+	if ! [ -f $STUNNEL_CONF ]; then
+		echo -e -n "... no configuration file found";
+		# Tell the user this has skipped
+		rc_status -s
+		# service is not configured
+		exit 6;
+	fi
+
+	##
+	## set up chroot directory
+	##
+	if $STUNNEL_RUN_CHROOTED; then 
+		# /etc
+		for i in $STUNNEL_CONF /etc/{resolv.conf,host.conf,hosts,localtime,hosts.{allow,deny}}; do
+			cp -p $i $CHROOT_PREFIX/etc/ &>/dev/null \
+				|| { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
+		done
+		# executables
+		for i in $EXECUTABLES; do 
+			mkdir -p `dirname $CHROOT_PREFIX/$i`
+			cp -p $i $CHROOT_PREFIX/$i \
+				|| { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
+		done
+		# libs
+		libdir=/$(basename $(echo /var/lib/stunnel/lib*))
+		for i in $EXECUTABLES; do 
+			unset libs
+			ldd $i | grep '=> /' | while read -a line; do
+				cp -p ${line[2]} $CHROOT_PREFIX/$libdir \
+					|| { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
+			done
+		done
+	fi
+
+	rm -f $STARTPROC_LOGFILE # start log
+	error=0
+	## Start daemon with startproc(8). If this fails
+	## the echo return value is set appropriate.
+	# startproc should return 0, even if service is 
+	# already running to match LSB spec.
+
+	test "$2" = "-v" && echo -en \
+		"\nrunnning '$DAEMON_BIN '"
+	startproc -l $STARTPROC_LOGFILE $DAEMON_BIN ${STUNNEL_CONF}			|| error=1 
+	
+	if [ $error -eq 1 ]; then 
+		echo -e -n "  please see $STARTPROC_LOGFILE for details ";
+		## set status to failed
+		rc_failed
+	else
+		$STUNNEL_RUN_CHROOTED && echo -n "[chroot]" || :
+	fi
+
+	# Remember status and be verbose
+	rc_status -v
+	;;
+    stop)
+	echo -n "Shutting down $DAEMON "
+
+	## Stop daemon with killproc(8) and if this fails
+	## set echo the echo return value.
+
+	killproc -p $DAEMON_PIDFILE -TERM $DAEMON_BIN
+
+	# Remember status and be verbose
+	rc_status -v
+
+	# delete pidfile (stunnel cannot do it if it doesn't run as root)
+	rm -f $DAEMON_PIDFILE
+	;;
+    try-restart)
+	## Do a restart only if the service was active before.
+	## Note: try-restart is now part of LSB (as of 1.9).
+	## RH has a similar command named condrestart.
+	$0 status
+	if test $? = 0; then
+		$0 restart
+	else
+		rc_reset        # Not running is not a failure.
+	fi
+	# Remember status and be quiet
+	rc_status
+	;;
+    restart)
+	## Stop the service and regardless of whether it was
+	## running or not, start it again.
+	$0 stop
+	sleep 3
+	$0 start
+
+	# Remember status and be quiet
+	rc_status
+	;;
+    force-reload)
+	## Signal the daemon to reload its config. Most daemons
+	## do this on signal 1 (SIGHUP).
+	## If it does not support it, restart.
+
+	echo -n "Reload service $DAEMON"
+
+	if $SUPPORTS_HUP; then 
+		killproc -p $DAEMON_PIDFILE -HUP $DAEMON_BIN
+		#touch $DAEMON_PIDFILE
+		rc_status -v
+	else
+		$0 stop  &&  sleep 3  &&  $0 start
+		rc_status 
+	fi
+	;;
+    reload)
+	## Like force-reload, but if daemon does not support
+	## signalling, do nothing (!)
+
+	if $SUPPORTS_HUP; then
+		# If it supports signalling:
+		echo -n "Reload service $DAEMON"
+		killproc -p $DAEMON_PIDFILE -HUP $DAEMON_BIN
+		#touch $DAEMON_PIDFILE
+		rc_status -v
+	else
+		## Otherwise if it does not support reload:
+		rc_failed 3
+		rc_status -v
+	fi
+	;;
+    status)
+	echo -n "Checking for $DAEMON: "
+	## Check status with checkproc(8), if process is running
+	## checkproc will return with exit status 0.
+
+	# Status has a slightly different for the status command:
+	# 0 - service running
+	# 1 - service dead, but /var/run/  pid  file exists
+	# 2 - service dead, but /var/lock/ lock file exists
+	# 3 - service not running
+
+	# NOTE: checkproc returns LSB compliant status values.
+	checkproc -p $DAEMON_PIDFILE $DAEMON_BIN
+	rc_status -v
+	;;
+    probe)
+	## Optional: Probe for the necessity of a reload,
+	## give out the argument which is required for a reload.
+
+	rc=0
+	for i in $STUNNEL_CONF; do
+		test $i -nt $DAEMON_PIDFILE && rc=1
+	done
+	test $rc = 1 && echo restart
+	;;
+    *)
+	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe} [-v]"
+	exit 1
+esac
+rc_exit
+
+# vim: syntax=sh ai

stunnel.spec

@@ -0,0 +1,180 @@
+#
+# spec file for package stunnel
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define VENDORAFFIX openSUSE
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           stunnel
+Version:        5.71
+Release:        0
+Summary:        Universal TLS Tunnel
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.stunnel.org/
+Source:         https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz
+Source1:        https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc
+Source2:        https://www.stunnel.org/pgp.asc#/%{name}.keyring
+Source3:        sysconfig.syslog-stunnel
+Source4:        stunnel.rc
+Source7:        stunnel.README
+# PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up!
+Patch1:         stunnel-5.59_service_always_after_network.patch
+Patch2:         harden_stunnel.service.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# PATCH-FIX-FEDORA bsc#1211301 Add crypto-policies support
+Patch3:         stunnel-5.69-system-ciphers.patch
+Patch4:         stunnel-5.69-default-tls-version.patch
+%endif
+BuildRequires:  libopenssl-devel
+# test dependencies
+BuildRequires:  netcat
+BuildRequires:  pkgconfig
+BuildRequires:  procps
+BuildRequires:  python3
+BuildRequires:  python3-cryptography
+BuildRequires:  tcpd-devel
+BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(systemd)
+#
+Requires(pre):  %fillup_prereq
+Requires(pre):  %{_sbindir}/useradd
+Requires(pre):  fileutils
+Requires(pre):  textutils
+Recommends:     stunnel-doc = %{version}
+%{?systemd_ordering}
+%if 0%{?suse_version} >= 1500
+Requires(pre):  group(nogroup)
+%endif
+
+%description
+Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without
+any changes in the programs' code. Its architecture is optimized for security, portability, and
+scalability (including load-balancing), making it suitable for large deployments.
+
+%package doc
+Summary:        Documentation for the universal TLS Tunnel
+Group:          Documentation/Other
+Requires:       stunnel = %{version}
+BuildArch:      noarch
+
+%description doc
+This package contains additional documentation for the stunnel program.
+
+%prep
+%setup -q -n stunnel-%{version}
+%patch1 -p1
+chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
+chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
+%patch2 -p1
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%patch3 -p1
+%patch4 -p1
+%endif
+
+%build
+sed -i 's/-m 1770//g' tools/Makefile.in
+%configure \
+	--disable-static \
+	--bindir=%{_sbindir} \
+	--with-bashcompdir=%{_datadir}/bash-completion/completions
+%if 0%{?sle_version} < 150000
+  %define make_build %{__make} -O %{?_smp_mflags}
+%endif
+%make_build LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
+
+%install
+  %make_install
+
+mkdir -p %{buildroot}%{_docdir}
+mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/
+mkdir -p %{buildroot}%{_docdir}/stunnel/tools
+mkdir -p %{buildroot}%{_fillupdir}
+cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
+install -D -m 0644 %{buildroot}%{_docdir}/stunnel/examples/stunnel.service %{buildroot}/%{_unitdir}/stunnel.service
+ln -s service %{buildroot}%{_sbindir}/rcstunnel
+sed -i "s/^;setuid = nobody/setuid = stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;setgid =/setgid =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;include =/include =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i '/gmail-pop3/,+25 s/^./;&/' %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/; Sample stunnel/# Sample stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;/#/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf
+
+find %{buildroot} -type f -name "*.la" -delete -print
+rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL
+rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.WCE.md
+rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32.md
+rm -rf %{buildroot}%{_docdir}/stunnel/ca-certs.pem
+rm -rf %{buildroot}%{_docdir}/stunnel/plugins/
+
+mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run}
+install -d %{buildroot}%{_sysconfdir}/%{name}/conf.d
+
+%check
+# only works in Tumbleweed as of 2021-04-08
+%if 0%{?suse_version} > 1500
+  rm tests/plugins/*fips*.py
+  %make_build test
+%endif
+
+%pre
+if ! %{_bindir}/getent passwd stunnel >/dev/null; then
+   %{_sbindir}/useradd -r -c "Daemon user for stunnel (universal SSL tunnel)" -g nogroup -s /bin/false \
+   -d %{_localstatedir}/lib/stunnel stunnel
+fi
+
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+%{fillup_only -ans syslog stunnel}
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%files
+%license COPYING.md
+%{_sbindir}/rcstunnel
+%{_sbindir}/stunnel
+%{_sbindir}/stunnel3
+%{_libdir}/%{name}/
+%{_mandir}/man8/stunnel*8%{?ext_man}
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}/
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d
+%config(noreplace) %{_sysconfdir}/%{name}/stunnel.conf
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/dev
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/%{_lib}
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/sbin
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_localstatedir}
+%dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
+%{_fillupdir}/sysconfig.syslog-stunnel
+%{_unitdir}/stunnel.service
+%{_datadir}/bash-completion/completions/%{name}.bash
+
+%files doc
+%doc %{_docdir}/%{name}
+
+%changelog

sysconfig.syslog-stunnel

@@ -0,0 +1,12 @@
+## Type:	string
+## Default:	"/var/lib/stunnel/dev/log"
+## ServiceRestart: syslog
+#
+# The filename mentioned here will be added as "-a ..." to SYSLOGD_PARAMS when
+# syslogd is started.
+#
+# This additional socket is needed in case that syslogd is restarted. Otherwise
+# a chrooted stunnel won't be able to continue logging.
+#
+SYSLOGD_ADDITIONAL_SOCKET_STUNNEL="/var/lib/stunnel/dev/log"
+