commit ea7aa74d50e5118997b5b239d20737e787e2b48ea34d3c642fd3041b2822c300 Author: Adrian Schröter Date: Sat May 4 00:53:31 2024 +0200 Sync from SUSE:SLFO:Main stunnel revision b39bb9e9b4622b8141a923557fb7d761
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/harden_stunnel.service.patch b/harden_stunnel.service.patch
new file mode 100644
index 0000000..0eaa9e6
--- /dev/null
+++ b/harden_stunnel.service.patch
@@ -0,0 +1,24 @@
+Index: stunnel-5.69/tools/stunnel.service.in
+===================================================================
+--- stunnel-5.69.orig/tools/stunnel.service.in
++++ stunnel-5.69/tools/stunnel.service.in
+@@ -4,6 +4,19 @@ After=syslog.target network-online.targe
+ Wants=syslog.target network-online.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ LimitNOFILE=20480
+ ExecStart=@bindir@/stunnel
+ ExecReload=/bin/kill -HUP $MAINPID
diff --git a/stunnel-5.59_service_always_after_network.patch b/stunnel-5.59_service_always_after_network.patch
new file mode 100644
index 0000000..6e30a4a
--- /dev/null
+++ b/stunnel-5.59_service_always_after_network.patch
@@ -0,0 +1,12 @@
+Index: stunnel-5.69/tools/stunnel.service.in
+===================================================================
+--- stunnel-5.69.orig/tools/stunnel.service.in
++++ stunnel-5.69/tools/stunnel.service.in
+@@ -1,6 +1,7 @@
+ [Unit]
+ Description=TLS tunnel for network daemons
+ After=syslog.target network-online.target
++Wants=syslog.target network-online.target
+ 
+ [Service]
+ LimitNOFILE=20480
diff --git a/stunnel-5.69-default-tls-version.patch b/stunnel-5.69-default-tls-version.patch
new file mode 100644
index 0000000..1884af0
--- /dev/null
+++ b/stunnel-5.69-default-tls-version.patch
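Review bot: `ProtectHome=true` in the added block makes /home, /root and /run/user unreachable for the service, so a stunnel.conf whose `cert`, `key` or `CAfile` points under /root or /home stops loading once this unit ships, and the hunk records that constraint nowhere. A comment next to the directive, `# ProtectHome: certificates, keys and CA files must live outside /home and /root (e.g. /etc/stunnel)`, or a sentence in the package README would save operators a confusing failure. `ProtectSystem=full` makes /etc read-only, which is compatible with reading /etc/stunnel at start-up but not with anything stunnel is expected to write there; `PrivateDevices=true` likewise hides physical devices, so engine-backed hardware tokens, if used, should be tested under this sandbox before the change is relied on.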
@@ -0,0 +1,117 @@
+From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
+From: Clemens Lang
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
+
+Patch-name: stunnel-5.69-default-tls-version.patch
+Patch-id: 5
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/ctx.c | 34 ++++++++++++++++++++++------------
+ src/options.c | 15 +++++++++++----
+ src/prototypes.h | 3 +++
+ 3 files changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/src/ctx.c b/src/ctx.c
+index 6a42a6b..cba24d9 100644
+--- a/src/ctx.c
++++ b/src/ctx.c
+@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */
+ section->ctx=SSL_CTX_new(section->option.client ?
+ TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+- if(section->min_proto_version &&
+- !SSL_CTX_set_min_proto_version(section->ctx,
+- section->min_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+- section->min_proto_version);
+- return 1; /* FAILED */
++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
++ " crypto policies. Not setting explicitly.");
++ } else {
++ if(section->min_proto_version &&
++ !SSL_CTX_set_min_proto_version(section->ctx,
++ section->min_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++ section->min_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+- if(section->max_proto_version &&
+- !SSL_CTX_set_max_proto_version(section->ctx,
+- section->max_proto_version)) {
+- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+- section->max_proto_version);
+- return 1; /* FAILED */
++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
++ " crypto policies. 
Not setting explicitly");
++ } else {
++ if(section->max_proto_version &&
++ !SSL_CTX_set_max_proto_version(section->ctx,
++ section->max_proto_version)) {
++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++ section->max_proto_version);
++ return 1; /* FAILED */
++ }
+ }
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+ if(section->option.client)
+diff --git a/src/options.c b/src/options.c
+index 4d31815..2ec5934 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+ return "Invalid protocol version";
+ return NULL; /* OK */
+ case CMD_INITIALIZE:
+- if(section->max_proto_version && section->min_proto_version &&
+- section->max_proto_versionmin_proto_version)
++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++ && section->max_proto_versionmin_proto_version)
+ return "Invalid protocol version range";
+ break;
+ case CMD_PRINT_DEFAULTS:
+@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+ /* sslVersionMax */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->max_proto_version=0; /* highest supported */
++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies.Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->max_proto_version=new_service_options.max_proto_version;
+@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr
+ /* sslVersionMin */
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- section->min_proto_version=0; /* lowest supported */
++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++ OpenSSL crypto
++ policies. 
Do not
++ override it */
+ break;
+ case CMD_SET_COPY:
+ section->min_proto_version=new_service_options.min_proto_version;
+diff --git a/src/prototypes.h b/src/prototypes.h
+index 0ecd719..a126c9e 100644
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++ crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+ 
+ /* end of prototypes.h */
+-- 
+2.39.2
+
diff --git a/stunnel-5.69-system-ciphers.patch b/stunnel-5.69-system-ciphers.patch
new file mode 100644
index 0000000..f328be0
--- /dev/null
+++ b/stunnel-5.69-system-ciphers.patch
@@ -0,0 +1,37 @@
+From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
+From: Sahana Prasad
+Date: Mon, 12 Sep 2022 11:07:38 +0200
+Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
+
+On Fedora, CentOS and RHEL, the system's crypto policies are the best
+source to determine which cipher suites to accept in TLS. On these
+platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
+policies. Change stunnel to default to this setting.
+
+Co-Authored-by: Sahana Prasad
+Patch-name: stunnel-5.69-system-ciphers.patch
+Patch-id: 3
+From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
+---
+ src/options.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/options.c b/src/options.c
+index 6e4a18b..4d31815 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -321,9 +321,9 @@ static const char *option_not_found=
+ "Specified option name is not valid here";
+ 
+ static const char *stunnel_cipher_list=
+- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+ static const char *fips_cipher_list=
+- "FIPS:!DH:!kDHEPSK";
++ "PROFILE=SYSTEM";
+ 
+ #ifndef OPENSSL_NO_TLS1_3
+ static const char *stunnel_ciphersuites=
+-- 
+2.39.2
+
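Review bot: The `CMD_INITIALIZE` range check in `parse_service_option` dropped the old non-zero guards, so a section where one bound is 0 (the previous "lowest/highest supported" sentinel, which `context_init` in ctx.c still treats as "not set" through `section->min_proto_version &&`) and the other is an explicit version now fails with "Invalid protocol version range" — 0 compared against e.g. 0x0303 is always smaller. If the option parser can still yield 0 for either bound, keep both guards: `if(section->max_proto_version != USE_DEFAULT_TLS_VERSION && section->max_proto_version && section->min_proto_version != USE_DEFAULT_TLS_VERSION && section->min_proto_version && section->max_proto_version < section->min_proto_version)`. The two `s_log(LOG_INFO, ...)` messages and the comments in options.c state that the bound comes from crypto policies, but OpenSSL only applies such a policy when the system openssl.cnf sets MinProtocol/MaxProtocol; otherwise the effective floor is the library's built-in default, so "OpenSSL defaults (crypto policy if configured)" is the accurate wording, and the maximum-version message is also missing the trailing period its minimum-version twin has. The `<` of the range comparison appears to have been lost in this rendering (`max_proto_versionmin_proto_version`); confirm the stored patch file reads `section->max_proto_version<section->min_proto_version`, since the truncated form would not compile.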
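Review bot: Both `stunnel_cipher_list` and `fips_cipher_list` now read `"PROFILE=SYSTEM"`, a cipher string that, as the patch header itself says, is understood by the distribution's crypto-policies-enabled OpenSSL; on a build without that integration `SSL_CTX_set_cipher_list` rejects it and every section without an explicit `ciphers` option fails to start, so the definitions deserve a comment recording the dependency, e.g. `/* resolved by the crypto-policies integration in the system OpenSSL; requires a system cipher profile */`. The FIPS default also loses the explicit `!DH:!kDHEPSK` exclusions, which is only equivalent if the active policy excludes those suites — worth one line in stunnel.changes next to the bsc#1211301 entry. The commit message still names Fedora, CentOS and RHEL although the patch is carried in an openSUSE/SLE package; a one-line note that the same mechanism is used here would keep the rationale self-contained.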
diff --git a/stunnel-5.71.tar.gz b/stunnel-5.71.tar.gz
new file mode 100644
index 0000000..86cf8c2
--- /dev/null
+++ b/stunnel-5.71.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f023aae837c2d32deb920831a5ee1081e11c78a5d57340f8e6f0829f031017f5
+size 895646
diff --git a/stunnel-5.71.tar.gz.asc b/stunnel-5.71.tar.gz.asc
new file mode 100644
index 0000000..79559c3
--- /dev/null
+++ b/stunnel-5.71.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmUKA7NfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BS9ZxAAxK9dNbFrL3ZOmW18OT82LKza1Zli9grdiEx4GY6s+atY6DgrWiOfJi5A
+NQtwoeYRWcEkMgWKRev28zMEPzGkUzYyaBUbqDDisAziDXyyKfriqmkbG4jl8Gv+
+qY+SgrM2ElhZxTnvRtUvzG6dogBeA1iWcNANAYgYVxH2yOFcNB0HYA25aBrPpmO4
+37h7ZRc94Yn2fK4zdR7D8DxYEAkmrZJxMydytTwp4EHu2t3lmw+vJdzIS7RtJoRL
+Apd/Fh8USZB++Xx+4vFiuDcydGz5xdUNCB9jXYJoTCxFUP9mQsyR05Q8uscPunk9
+SfCd7pbzextsoFF5gOoee3tvwgwlhI7SR9eS585ni0oXyNaFUMwXS0qBVN1f86fr
+iAl3j8pGVnqJpmiZ8o4xGj3/g5Nvp14Ts/qXlRvqvzoU6Ka6MEefH2sMxzm5RCQr
+tAcrDROGUyN0HJcdy8TAWobqX0HWQqwlGjyeZAJAtFcmno00Au6FYnkn+dLkvxIx
+bsEaaG7QrP9p6JpEnQhsLLEKAgD9olmPWzFLCeeE1PZg/klSbVG4qmHv113ixlDy
+6smwnHDnb+UysgosKyAzWqlrLUhPYqca83Y8DFbpS9wi1AG6OjCuJ3jtdRq+HAjn
+l5PRZhWOTUi+weLWSpmGO2py5JfJm010grKdzA9d9YMR9YspSOU=
+=6RnW
+-----END PGP SIGNATURE-----
diff --git a/stunnel.README b/stunnel.README
new file mode 100644
index 0000000..0d467a0
--- /dev/null
+++ b/stunnel.README
@@ -0,0 +1,11 @@
+
+To create a new certificate, execute the following OpenSSL command:
+ (umask 077; \
+ /usr/bin/openssl req -new -x509 -days 365 -nodes \
+ -config /usr/share/doc/packages/stunnel/openssl.cnf \
+ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem)
+
+Starting with v4, stunnel uses a configuration file.
+Via the stunnel3 wrapper you can run stunnel with v3-style cmdline arguments.
+
+
diff --git a/stunnel.changes b/stunnel.changes
new file mode 100644
index 0000000..ff6b330
--- /dev/null
+++ b/stunnel.changes
@@ -0,0 +1,1602 @@ +------------------------------------------------------------------- +Mon Sep 25 08:46:41 UTC 2023 - Pedro Monreal + +- Update to 5.71: + * Security bugfixes: + - OpenSSL DLLs updated to version 3.1.3. + * Bugfixes: + - Fixed the console output of tstunnel.exe. + * Features sponsored by SAE IT-systems: + - OCSP stapling is requested and verified in the client mode. + - Using "verifyChain" automatically enables OCSP stapling in + the client mode. + - OCSP stapling is always available in the server mode. + - An inconclusive OCSP verification breaks TLS negotiation. + This can be disabled with "OCSPrequire = no". + - Added the "TIMEOUTocsp" option to control the maximum time + allowed for connecting an OCSP responder. + * Features: + - Added support for Red Hat OpenSSL 3.x patches. + +------------------------------------------------------------------- +Thu Sep 7 11:01:11 UTC 2023 - Pedro Monreal + +- Enable crypto-policies support: [bsc#1211301] + * The system's crypto-policies are the best source to determine + which cipher suites to accept in TLS. OpenSSL supports the + PROFILE=SYSTEM setting to use those policies. Change stunnel + to default to the system settings. + * Add patches: + - stunnel-5.69-system-ciphers.patch + - stunnel-5.69-default-tls-version.patch + +------------------------------------------------------------------- +Thu Sep 7 10:34:18 UTC 2023 - Pedro Monreal + +- Enable bash completion support + +------------------------------------------------------------------- +Fri Jul 21 07:37:10 UTC 2023 - Andreas Vetter + +- Update to 5.70: + + - Security bugfixes + * OpenSSL DLLs updated to version 3.0.9. + * OpenSSL FIPS Provider updated to version 3.0.8. + - Bugfixes + * Fixed TLS socket EOF handling with OpenSSL 3.x. This bug caused major interoperability issues between stunnel built with OpenSSL 3.x and Microsoft's Schannel Security Support Provider (SSP). + * Fixed reading certificate chains from PKCS#12 files. 
+ - Features + * Added configurable delay for the "retry" option. + +------------------------------------------------------------------- +Wed Apr 26 09:43:10 UTC 2023 - Andreas Vetter + +- Fix build on SLE12: + - add macro make_build + +------------------------------------------------------------------- +Mon Apr 3 20:05:38 UTC 2023 - Dirk Müller + +- update to 5.69: + * Improved logging performance with the "output" option. + * Improved file read performance on the WIN32 platform. + * DH and kDHEPSK ciphersuites removed from FIPS defaults. + * Set the LimitNOFILE ulimit in stunnel.service to allow + * for up to 10,000 concurrent clients. + * Fixed the "CApath" option on the WIN32 platform by + * applying https://github.com/openssl/openssl/pull/20312. + * Fixed stunnel.spec used for building rpm packages. + * Fixed tests on some OSes and architectures by merging + +------------------------------------------------------------------- +Fri Feb 24 09:09:03 UTC 2023 - Pedro Monreal + +- Update to 5.68: + * Security bugfixes + - OpenSSL DLLs updated to version 3.0.8. + * New features + - Added the new 'CAengine' service-level option + to load a trusted CA certificate from an engine. + - Added requesting client certificates in server + mode with 'CApath' besides 'CAfile'. + * Bugfixes + - Fixed EWOULDBLOCK errors in protocol negotiation. + - Fixed handling TLS errors in protocol negotiation. + - Prevented following fatal TLS alerts with TCP resets. + - Improved OpenSSL initialization on WIN32. + - Improved testing suite stability. + - Improved file read performance. + - Improved logging performance. + +------------------------------------------------------------------- +Tue Nov 1 19:41:16 UTC 2022 - Michael Ströder + +- Update to 5.67 + * New features + - Provided a logging callback to custom engines. + * Bugfixes + - Fixed "make cert" with OpenSSL older than 3.0. + - Fixed the code and the documentation to use conscious + language for SNI servers (thx to Clemens Lang). 
+ +------------------------------------------------------------------- +Mon Sep 12 13:31:16 UTC 2022 - Dirk Müller + +- update to 5.66: + * Fixed building on machines without pkg-config. + * Added the missing "environ" declaration for BSD-based operating systems. + * Fixed the passphrase dialog with OpenSSL 3.0. +- package license +- remove non-systemd case from spec file + +------------------------------------------------------------------- +Mon Jul 18 13:59:13 UTC 2022 - Pedro Monreal + +- Update to 5.65: + * Security bugfixes + - OpenSSL DLLs updated to version 3.0.5. + * Bugfixes + - Fixed handling globally enabled FIPS. + - Fixed openssl.cnf processing in WIN32 GUI. + - Fixed a number of compiler warnings. + - Fixed tests on older versions of OpenSSL. + +------------------------------------------------------------------- +Fri Jun 3 10:02:00 UTC 2022 - pgajdos@suse.com + +- adding missing bug, CVE and fate references: + * CVE-2015-3644 [bsc#931517], one of previous version updates + (https://bugzilla.suse.com/show_bug.cgi?id=931517#c0) + * [bsc#990797], see stunnel.service.in + * [bsc#862294], README.SUSE not shipped + * CVE-2013-1762 [bsc#807440], one of previous version updates + (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1762) + * [bsc#776756] and [bsc#775262] not applicable (openssl versions) + * [fate#307180], adding to 11sp1 + * [fate#311400], updating to new version + * [fate#314256], updating to new version + +------------------------------------------------------------------- +Sat May 7 13:54:59 UTC 2022 - Dirk Müller + +- update to 5.64: + * Security bugfixes + - OpenSSL DLLs updated to version 3.0.3. + * New features + - Updated the pkcs11 engine for Windows. + * Bugfixes + - Removed the SERVICE_INTERACTIVE_PROCESS flag in + "stunnel -install". 
+ +------------------------------------------------------------------- +Sun Mar 20 20:11:23 UTC 2022 - Dirk Müller + +- update to 5.63: + * Security bugfixes + - OpenSSL DLLs updated to version 3.0.2. + * New features + - Updated stunnel.spec to support bash completion + * Bugfixes + - Fixed possible PRNG initialization crash (thx to Gleydson Soares). + +------------------------------------------------------------------- +Tue Feb 22 16:08:48 UTC 2022 - Pedro Monreal + +- Update to 5.62: + * New features + - Added a bash completion script. + * Bugfixes + - Fixed a transfer() loop bug. +- Update to 5.61: + * New features + - Added new "protocol = capwin" and "protocol = capwinctrl" + configuration file options. + - Rewritten the testing framework in python. + - Added support for missing SSL_set_options() values. + - Updated stunnel.spec to support RHEL8. + * Bugfixes + - Fixed OpenSSL 3.0 build. + - Fixed reloading configuration with "systemctl reload stunnel.service". + - Fixed incorrect messages logged for OpenSSL errors. + - Fixed printing IPv6 socket option defaults on FreeBSD. +- Rebase harden_stunnel.service.patch +- Remove FIPS-related regression tests +- Remove obsolete version checks + +------------------------------------------------------------------- +Wed Nov 24 08:51:33 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_stunnel.service.patch + +------------------------------------------------------------------- +Tue Aug 17 10:35:45 UTC 2021 - Andreas Vetter + +- Update to 5.60: + * New features + - New 'sessionResume' service-level option to allow + or disallow session resumption + - Added support for the new SSL_set_options() values. + - Download fresh ca-certs.pem for each new release. + * Bugfixes + - Fixed 'redirect' with 'protocol'. This combination is + not supported by 'smtp', 'pop3' and 'imap' protocols. 
+ +------------------------------------------------------------------- +Tue Apr 13 14:35:20 UTC 2021 - Dirk Stoecker + +- ensure proper startup after network: stunnel-5.59_service_always_after_network.patch + +------------------------------------------------------------------- +Thu Apr 8 09:24:35 UTC 2021 - Andreas Vetter + +- Disable testsuite for everything except Tumbleweed since it does not work on Leap/SLE + +------------------------------------------------------------------- +Tue Apr 6 16:58:52 UTC 2021 - Andreas Stieger + +- update to 5.59: + * new feature: Client-side "protocol = ldap" support + * Fix configuration reload when compression is used + * Fix paths in generated manuals + * Fix test suite fixed not to require external connectivity +- run testsuite during package build + +------------------------------------------------------------------- +Sun Feb 21 07:29:45 UTC 2021 - Andreas Vetter + +- Update to 5.58: + * Security bugfixes + - The "redirect" option was fixed to properly handle unauthenticated requests (thx to Martin Stein). boo#1182529 + - Fixed a double free with OpenSSL older than 1.1.0 (thx to Petr Strukov). + * New features + - New 'protocolHeader' service-level option to insert custom 'connect' protocol negotiation headers. + This feature can be used to impersonate other software (e.g. web browsers). + - 'protocolHost' can also be used to control the client SMTP protocol negotiation HELO/EHLO value. + - Initial FIPS 3.0 support. + * Bugfixes + - X.509v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificates. + - Fixed a tiny memory leak in configuration file reload error handling (thx to Richard Könning). + - Merged Debian 05-typos.patch (thx to Peter Pentchev). + - Merged with minor changes Debian 06-hup-separate.patch (thx to Peter Pentchev). + - Merged Debian 07-imap-capabilities.patch (thx to Ansgar). + - Merged Debian 08-addrconfig-workaround.patch (thx to Peter Pentchev). 
+ - Fixed engine initialization (thx to Petr Strukov). + - FIPS TLS feature is reported when a provider or container is available, and not when FIPS control API is available. + +------------------------------------------------------------------- +Tue Jan 26 14:01:11 UTC 2021 - Dirk Stoecker + +- Do not replace the active config file: boo#1182376 + +------------------------------------------------------------------- +Mon Nov 30 14:36:45 UTC 2020 - Andreas Vetter + +- Remove pidfile from service file fixes start bug: boo#1178533 + +------------------------------------------------------------------- +Sun Oct 11 18:05:36 UTC 2020 - Michael Ströder + +- update to 5.57: + * Security bugfixes + - The "redirect" option was fixed to properly + handle "verifyChain = yes" boo#1177580 + * New features + - New securityLevel configuration file option. + - Support for modern PostgreSQL clients + - TLS 1.3 configuration updated for better compatibility. + * Bugfixes + - Fixed a transfer() loop bug. + - Fixed memory leaks on configuration reloading errors. + - DH/ECDH initialization restored for client sections. + - Delay startup with systemd until network is online. + - A number of testing framework fixes and improvements. + +------------------------------------------------------------------- +Mon Aug 24 18:20:57 UTC 2020 - Dirk Mueller + +- update to 5.56: + - Various text files converted to Markdown format. + - Support for realpath(3) implementations incompatible + with POSIX.1-2008, such as 4.4BSD or Solaris. + - Support for engines without PRNG seeding methods (thx to + Petr Mikhalitsyn). + - Retry unsuccessful port binding on configuration + file reload. + - Thread safety fixes in SSL_SESSION object handling. + - Terminate clients on exit in the FORK threading model. + +------------------------------------------------------------------- +Tue Mar 10 08:28:06 UTC 2020 - Andreas Vetter + +- Fixup stunnel.conf handling: + * Remove old static openSUSE provided stunnel.conf. 
+ * Use upstream stunnel.conf and tailor it for openSUSE using sed. + * Don't show README.openSUSE when installing. + +------------------------------------------------------------------- +Thu Feb 27 10:14:30 UTC 2020 - Andreas Vetter + +- enable /etc/stunnel/conf.d +- re-enable openssl.cnf + +------------------------------------------------------------------- +Mon Feb 3 16:32:15 UTC 2020 - Dominique Leuenberger + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut through the -mini flavors. + +------------------------------------------------------------------- +Fri Sep 13 14:49:32 UTC 2019 - Vítězslav Čížek + +- Install the correct file as README.openSUSE (bsc#1150730) + * stunnel.keyring was accidentally installed instead + +------------------------------------------------------------------- +Fri Sep 13 13:02:46 UTC 2019 - Vítězslav Čížek + +- update to version 5.55 + New features + New "ticketKeySecret" and "ticketMacSecret" options to control confidentiality + and integrity protection of the issued session tickets. These options allow for + session resumption on other nodes in a cluster. + Logging of the assigned bind address instead of the requested bind address. + Check whether "output" is not a relative file name. + Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later. + Hexadecimal PSK keys are automatically converted to binary. + Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address + persistence is currently unsupported with session tickets. + SMTP HELO before authentication (thx to Jacopo Giudici). + New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later. + New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites. + Include file name and line number in OpenSSL errors. + Compatibility with the current OpenSSL 3.0.0-dev branch. + Better performance with SSL_set_read_ahead()/SSL_pending(). 
+ Bugfixes + A number of testing framework fixes and improvements. + Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown. + Fixed data transfer stalls introduced in stunnel 5.51. + Fixed a transfer() loop bug introduced in stunnel 5.51. + Fixed PSKsecrets as a global option (thx to Teodor Robas). + Fixed a memory allocation bug (thx to matanfih). + Fixed PSK session resumption with TLS 1.3. + Fixed a memory leak in the WIN32 logging subsystem. + Allow for zero value (ignored) TLS options. + Partially refactored configuration file parsing and logging subsystems for clearer code and minor bugfixes. + Caveats + We removed FIPS support from our standard builds. FIPS will still be available with custom builds. +- drop stunnel-listenqueue-option.patch + Its original purpose (from bsc#674554) was to allow setting a higher + backlog value for listen(). As that value was raised to SOMAXCONN + years ago (in 4.36), we don't need it anymore + +------------------------------------------------------------------- +Fri Feb 22 07:49:21 UTC 2019 - Franck Bui + +- Drop use of $FIRST_ARG in .spec + + The use of $FIRST_ARG was probably required because of the + %service_* rpm macros were playing tricks with the shell positional + parameters. This is bad practice and error prones so let's assume + that no macros should do that anymore and hence it's safe to assume + that positional parameters remains unchanged after any rpm macro + call. + +------------------------------------------------------------------- +Sun Nov 11 11:08:22 UTC 2018 - obs@botter.cc + +- disabled checks; checks depend on ncat and network accessibility + +------------------------------------------------------------------- +Sun Nov 11 09:15:49 UTC 2018 - obs@botter.cc + +- update to version 5.49 + * Logging of negotiated or resumed TLS session IDs (thx to ANSSI - National Cybersecurity Agency of France). 
+ * Merged Debian 10-enabled.patch and 11-killproc.patch (thx to Peter Pentchev). + * OpenSSL DLLs updated to version 1.0.2p. + * PKCS#11 engine DLL updated to version 0.4.9. + * Fixed a crash in the session persistence implementation. + * Fixed syslog identifier after configuration file reload. + * Fixed non-interactive "make check" invocations. + * Fixed reloading syslog configuration. + * stunnel.pem created with SHA-256 instead of SHA-1. + * SHA-256 "make check" certificates. + +- includes new version 5.48 + * Fixed requesting client certificate when specified as a global option. + * Certificate subject checks modified to accept certificates if at least one of the specified checks matches. + +- includes new version 5.47 + * Fast add_lock_callback for OpenSSL < 1.1.0. This largely improves performance on heavy load. + * Automatic detection of Homebrew OpenSSL. + * Clarified port binding error logs. + * Various "make test" improvements. + * Fixed a crash on switching to SNI slave sections. + +- includes new version 5.46 + * The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK". + * Default accept address restored to INADDR_ANY. + +- includes new version 5.45 + * Implemented delayed deallocation of service sections after configuration file reload. + * OpenSSL DLLs updated to version 1.0.2o. + * Deprecated the sslVersion option. + * The "socket" option is now also available in service sections. + * Implemented try-restart in the SysV init script (thx to Peter Pentchev). + * TLS 1.3 compliant session handling for OpenSSL 1.1.1. + * Default "failover" value changed from "rr" to "prio". + * New "make check" tests. + * A service no longer refuses to start if binding fails for some (but not all) addresses:ports. + * Fixed compression handling with OpenSSL 1.1.0 and later. + * _beginthread() replaced with safer _beginthreadex(). + * Fixed exception handling in libwrap. + * Fixed exec+connect services. 
+ * Fixed automatic resolver delaying. + * Fixed a Gentoo cross-compilation bug (thx to Joe Harvell). + * A number of "make check" framework fixes. + * Fixed false postive memory leak logs. + * Build fixes for OpenSSL versions down to 0.9.7. + * Fixed (again) round-robin failover in the FORK threading model. + +------------------------------------------------------------------- +Tue Feb 6 13:51:49 UTC 2018 - vetter@physik.uni-wuerzburg.de + +- Revamp SLE11 builds + +------------------------------------------------------------------- +Thu Feb 1 23:07:21 UTC 2018 - jengelh@inai.de + +- Do not ignore errors from useradd. Ensure nogroup exists + beforehand. +- Replace old $RPM_ variables. Combine two nested ifs. + +------------------------------------------------------------------- +Wed Jan 24 00:16:02 UTC 2018 - avindra@opensuse.org + +- update to version 5.44 + * Default accept address restored to INADDR_ANY + * Fix race condition in "make check" + * Fix removing the pid file after configuration reload +- includes 5.43 + * Allow for multiple "accept" ports per section + * Self-test framework (make check) + * Added config load before OpenSSL init + * OpenSSL 1.1.1-dev compilation fixes + * Fixed round-robin failover in the FORK threading model + * Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown() + * Minor fixes of the logging subsystem + * OpenSSL DLLs updated to version 1.0.2m +- add new checking to build +- rebase stunnel-listenqueue-option.patch +- Cleanup with spec-cleaner + +------------------------------------------------------------------- +Thu Nov 23 13:54:29 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Thu Aug 17 12:23:45 UTC 2017 - vetter@physik.uni-wuerzburg.de + +- add more verbose change log: + Version 5.42, 2017.07.16, urgency: HIGH + +- New features + * "redirect" also supports "exec" and not only 
"connect". + * PKCS#11 engine DLL updated to version 0.4.7. +- Bugfixes + * Fixed premature cron thread initialization causing hangs. + * Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1. + * Fixed pthreads support on OpenSolaris. + +------------------------------------------------------------------- +Wed Jul 19 09:29:34 UTC 2017 - michael@stroeder.com + +- update to version 5.42 + +------------------------------------------------------------------- +Thu Apr 6 09:05:55 UTC 2017 - werner@suse.de + +- Require package config for libsystemd to help the configure script + to detect and enable systemd socket activation (boo#1032557) +- Refresh patch stunnel-listenqueue-option.patch + +------------------------------------------------------------------- +Sat Apr 1 19:07:51 UTC 2017 - michael@stroeder.com + +- update to version 5.41 + +------------------------------------------------------------------- +Fri Feb 10 21:58:34 UTC 2017 - kukuk@suse.de + +- Don't require insserv if we don't use it + +------------------------------------------------------------------- +Sat Jan 28 12:05:03 UTC 2017 - michael@stroeder.com + +- update to version 5.40 + +------------------------------------------------------------------- +Mon Jan 2 14:39:51 UTC 2017 - michael@stroeder.com + +- update to version 5.39 + +------------------------------------------------------------------- +Thu Dec 8 12:18:23 UTC 2016 - michael@stroeder.com + +- update to version 5.38 + +------------------------------------------------------------------- +Sun Oct 16 23:03:35 UTC 2016 - jengelh@inai.de + +- Update rpm group and description and make -doc noarch +- Do not suppress errors from useradd +- Remove redundant %clean section + +------------------------------------------------------------------- +Fri Oct 14 08:03:59 UTC 2016 - drahn@suse.com + +- update to version 5.36 +- Removed direct zlib dependency. 
+ +------------------------------------------------------------------- +Wed Sep 21 10:51:09 UTC 2016 - drahn@suse.com + +- update to version 5.35 +- repackage source as bz2 +- adjust systemd unit file to start after network-online.target +- bugixes: + * Fixed incorrectly enforced client certificate requests. + * Fixed thread safety of the configuration file reopening. + * Fixed malfunctioning "verify = 4". + * Only reset the watchdog if some data was actually transferred. + * Fixed logging an incorrect value of the round-robin starting point (thx to + Jose Alf.). +- new features: + * Added three new service-level options: requireCert, verifyChain, and + verifyPeer for fine-grained certificate verification control. + * SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo + Rodriguez Garcia). + * Added support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry + Bakshaev). + * New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6. + * Added logging the list of client CAs requested by the server. + +------------------------------------------------------------------- +Wed Feb 3 10:45:58 UTC 2016 - michael@stroeder.com + +- update to 5.30 + + New features + Improved compatibility with the current OpenSSL 1.1.0-dev tree. + Added OpenSSL autodetection for the recent versions of Xcode. + Bugfixes + Fixed references to /etc removed from stunnel.init.in. + Stopped even trying -fstack-protector on unsupported platforms + (thx to Rob Lockhart). + +------------------------------------------------------------------- +Wed Jan 20 20:13:10 UTC 2016 - opensuse@dstoecker.de + +- update to 5.29 +- system script restarts stunnel after a crash +- readd rcstunnel macro for systemd systems +- drop stunnel-ocsp-host.patch (included upstream) + +------------------------------------------------------------------- +Thu Aug 6 08:16:48 UTC 2015 - drahn@suse.com + +- stunnel-ocsp-host.patch: Fix compatibility issues with older OpenSSL + versions. 
Replaces stunnel-5.22-code11-openssl-compat.diff. + +------------------------------------------------------------------- +Fri Jul 31 05:49:10 UTC 2015 - drahn@suse.com + +- update to version 5.22 + + New features + + - "OCSPaia = yes" added to the configuration file templates. + - Improved double free detection. + + Bugfixes + + - Fixed a number of OCSP bugs. The most severe of those bugs caused stunnel to + treat OCSP responses that failed OCSP_basic_verify() checks as if they were + successful. + - Fixed the passive IPv6 resolver (broken in stunnel 5.21). + +- Remove executable bit from sample scripts +- stunnel-5.22-code11-openssl-compat.diff: Compatibility for openssl on CODE11 + +------------------------------------------------------------------- +Tue Jul 28 06:05:13 UTC 2015 - drahn@suse.com + +- update to version 5.21 + + New features + + - Signal names are displayed instead of numbers. + - First resolve IPv4 addresses on passive resolver requests. + - More elaborate descriptions were added to the warning about using + "verify = 2" without "checkHost" or "checkIP". + - Performance optimization was performed on the debug code. + + Bugfixes + + - Fixed the FORK and UCONTEXT threading support. + - Fixed "failover=prio" (broken since stunnel 5.15). + - Added a retry when sleep(3) was interrupted by a signal in the cron + thread scheduler. + +------------------------------------------------------------------- +Tue Jul 14 06:10:21 UTC 2015 - drahn@suse.com + +- update to version 5.20 + + New features + + - The SSL library detection algorithm was made a bit smarter. + - Warnings about insecure authentication were modified to include the name of + the affected service section. + - Documentation updates (closes Debian bug #781669). + + Bugfixes + + - Signal pipe reinitialization added to prevent turning the main accepting + thread into a busy wait loop when an external condition breaks the signal pipe. 
+ This bug was found to surface on Win32, but other platforms may also be + affected. + - Generated temporary DH parameters are used for configuration reload instead + of the static defaults. + - Fixed the manual page headers (thx to Gleydson Soares). + +------------------------------------------------------------------- +Mon Jun 29 09:51:58 UTC 2015 - drahn@suse.com + +- update to version 5.19 + + Bugfixes: + - Improved socket error handling. + - Fixed handling of dynamic connect targets. + - Fixed handling of trailing whitespaces in the Content-Length header of the + NTLM authentication. + - Fixed memory leaks in certificate verification. + + New features: + - The "redirect" option was improved to not only redirect sessions established + with an untrusted certificate, but also sessions established without a + client certificate. + - Randomize the initial value of the round-robin counter. + - Added "include" configuration file option to include all configuration file + parts located in a specified directory. + - Temporary DH parameters are refreshed every 24 hours, unless static DH + parameters were provided in the certificate file. + - Warnings are logged on potentially insecure authentication. + +- stunnel-listenqueue-option.patch: Refresh. +- stunnel3-binpath.patch: Obsolete, dropped. +- stunnel.service: Modified to start after network.target, not syslog.target. + +------------------------------------------------------------------- +Wed Jan 14 11:29:38 UTC 2015 - michael@stroeder.com + +- Update to version 5.09 + +Version 5.09, 2015.01.02, urgency: LOW: +* New features + - Added PSK authentication with two new service-level + configuration file options "PSKsecrets" and "PSKidentity". + - Added additional security checks to the OpenSSL memory + management functions. + - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE + OpenSSL configuration flags. + - Added compatibility with the current OpenSSL 1.1.0-dev tree. 
+* Bugfixes + - Removed defective s_poll_error() code occasionally causing + connections to be prematurely closed (truncated). + This bug was introduced in stunnel 4.34. + - Fixed ./configure systemd detection (thx to Kip Walraven). + - Fixed ./configure sysroot detection (thx to Kip Walraven). + - Fixed compilation against old versions of OpenSSL. + - Removed outdated French manual page. + +Version 5.08, 2014.12.09, urgency: MEDIUM: +* New features + - Added SOCKS4/SOCKS4a protocol support. + - Added SOCKS5 protocol support. + - Added SOCKS RESOLVE [F0] TOR extension support. + - Updated automake to version 1.14.1. + - OpenSSL directory searching is now relative to the sysroot. +* Bugfixes + - Fixed improper hangup condition handling. + - Fixed missing -pic linker option. This is required for + Android 5.0 and improves security. + +Version 5.07, 2014.11.01, urgency: MEDIUM: +* New features + - Several SMTP server protocol negotiation improvements. + - Added UTF-8 byte order marks to stunnel.conf templates. + - DH parameters are no longer generated by "make cert". + The hardcoded DH parameters are sufficiently secure, + and modern TLS implementations will use ECDH anyway. + - Updated manual for the "options" configuration file option. + - Added support for systemd 209 or later. + - New --disable-systemd ./configure option. + - setuid/setgid commented out in stunnel.conf-sample. +* Bugfixes + - Added support for UTF-8 byte order mark in stunnel.conf. + - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3. + - Non-blocking mode set on inetd and systemd descriptors. + - shfolder.h replaced with shlobj.h for compatibility + with modern Microsoft compilers. + +Version 5.06, 2014.10.15, urgency: HIGH: +* Security bugfixes + - OpenSSL DLLs updated to version 1.0.1j. + https://www.openssl.org/news/secadv_20141015.txt + - The insecure SSLv2 protocol is now disabled by default. + It can be enabled with "options = -NO_SSLv2". 
+ - The insecure SSLv3 protocol is now disabled by default. + It can be enabled with "options = -NO_SSLv3". + - Default sslVersion changed to "all" (also in FIPS mode) + to autonegotiate the highest supported TLS version. +* New features + - Added missing SSL options to match OpenSSL 1.0.1j. + - New "-options" commandline option to display the list + of supported SSL options. +* Bugfixes + - Fixed FORK threading build regression bug. + - Fixed missing periodic Win32 GUI log updates. + +Version 5.05, 2014.10.10, urgency: MEDIUM: +* New features + - Asynchronous communication with the GUI thread for faster + logging on Win32. + - systemd socket activation (thx to Mark Theunissen). + - The parameter of "options" can now be prefixed with "-" + to clear an SSL option, for example: + "options = -LEGACY_SERVER_CONNECT". + - Improved "transparent = destination" manual page (thx to + Vadim Penzin). +* Bugfixes + - Fixed POLLIN|POLLHUP condition handling error resulting + in prematurely closed (truncated) connection. + - Fixed a null pointer dereference regression bug in the + "transparent = destination" functionality (thx to + Vadim Penzin). This bug was introduced in stunnel 5.00. + - Fixed startup thread synchronization with Win32 GUI. + - Fixed erroneously closed stdin/stdout/stderr if specified + as the -fd commandline option parameter. + - A number of minor Win32 GUI bugfixes and improvements. + - Merged most of the Windows CE patches (thx to Pierre Delaage). + - Fixed incorrect CreateService() error message on Win32. + - Implemented a workaround for defective Cygwin file + descriptor passing breaking the libwrap support: + http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors + +Version 5.04, 2014.09.21, urgency: LOW: +* New features + - Support for local mode ("exec" option) on Win32. + - Support for UTF-8 config file and log file. + - Win32 UTF-16 build (thx to Pierre Delaage for support). + - Support for Unicode file names on Win32. 
+ - A more explicit service description provided for the + Windows SCM (thx to Pierre Delaage). + - TCP/IP dependency added for NT service in order to prevent + initialization failure at boot time. + - FIPS canister updated to version 2.0.8 in the Win32 binary + build. +* Bugfixes + - load_icon_default() modified to return copies of default icons + instead of the original resources to prevent the resources + from being destroyed. + - Partially merged Windows CE patches (thx to Pierre Delaage). + - Fixed typos in stunnel.init.in and vc.mak. + - Fixed incorrect memory allocation statistics update in + str_realloc(). + - Missing REMOTE_PORT environmental variable is provided to + processes spawned with "exec" on Unix platforms. + - Taskbar icon is no longer disabled for NT service. + - Fixed taskbar icon initialization when commandline options are + specified. + - Reportedly more compatible values used for the dwDesiredAccess + parameter of the CreateFile() function (thx to Pierre Delaage). + - A number of minor Win32 GUI bugfixes and improvements. + +------------------------------------------------------------------- +Thu Sep 18 08:06:36 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de + +- Cleanup of spec file. +- Build for SLE11-SP3 with --disable-fips +- Build for SLE11-Security-Module (with enabled fips) + +------------------------------------------------------------------- +Thu Aug 21 08:31:46 UTC 2014 - asvetter@cip.physik.uni-wuerzburg.de + +- Update to version 5.03 + +Version 5.03, 2014.08.07, urgency: HIGH: +* Security bugfixes + - OpenSSL DLLs updated to version 1.0.1i. + See https://www.openssl.org/news/secadv_20140806.txt +* New features + - FIPS autoconfiguration cleanup. + - FIPS canister updated to version 2.0.6. + - Improved SNI diagnostic logging. +* Bugfixes + - Compilation fixes for old versions of OpenSSL. + - Fixed whitespace handling in the stunnel.init script. 
+ +Version 5.02, 2014.06.09, urgency: HIGH: +* Security bugfixes + - OpenSSL DLLs updated to version 1.0.1h. + See https://www.openssl.org/news/secadv_20140605.txt +* New features + - Major rewrite of the protocol.c interface: it is now possible to add + protocol negotiations at multiple connection phases, protocols can + individually decide whether the remote connection will be + established before or after SSL/TLS is negotiated. + - Heap memory blocks are wiped before release. This only works for + block allocated by stunnel, and not by OpenSSL or other libraries. + - The safe_memcmp() function implemented with execution time not + dependent on the compared data. + - Updated the stunnel.conf and stunnel.init templates. + - Added a client-mode example to the manual. +* Bugfixes + - Fixed "failover = rr" broken since version 5.00. + - Fixed "taskbar = no" broken since version 5.00. + - Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option. +------------------------------------------------------------------- +Sun Apr 20 17:37:59 UTC 2014 - michael@stroeder.com + +- update to upstream v5.01 code +- original ChangeLog: + Security bugfixes + OpenSSL DLLs updated to version 1.0.1g. This version mitigates TLS heartbeat read overrun (CVE-2014-0160). + New features + X.509 extensions added to the created self-signed stunnel.pem. + "FIPS = no" also allowed in non-FIPS builds of stunnel. + Search all certificates with the same subject name for a matching public key rather than only the first one (thx to Leon Winter). + Create logs in the local application data folder if stunnel folder is not writable on Win32. + Bugfixes + close_notify not sent when SSL still has some data buffered. + Protocol negotiation with server-side SNI fixed. + A Mac OS X missing symbols fixed. + Win32 configuration file reload crash fixed. + Added s_pool_free() on exec+connect service retires. + Line-buffering enforced on stderr output. 
+ +------------------------------------------------------------------- +Thu Mar 6 16:06:04 UTC 2014 - drahn@suse.com + +- update to final v5.00 code +- security fix: Added PRNG state update in fork threading (CVE-2014-0016). +- Patches: + - stunnel-listenqueue-option.patch refreshed. + +------------------------------------------------------------------- +Wed Feb 5 12:13:44 UTC 2014 - drahn@suse.com + +- re-add openssl cert conf file stunnel.cnf dropped by oversight. + +------------------------------------------------------------------- +Wed Jan 29 16:23:28 UTC 2014 - drahn@suse.com + +- - Update to version 5.0b1 (FATE#315694) + - Default "pid" is now "", i.e. not to create a pid file at startup. + - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to + AlFBPPS attack and bad performance of DH ciphersuites. + - New service-level option "redirect" to redirect SSL client connections on + authentication failures instead of rejecting them. + - New global "engineDefault" configuration file option to control which + OpenSSL tasks are delegated to the current engine. + - New service-level configuration file option "engineId" to select the engine + by identifier, e.g. "engineId = capi". + - Improved readability of error messages printed when stunnel refuses to start + due to a critical error. + +- Patches: + - stunnel-CVE-2013-1762.patch obsoleted. Drpped. + - stunnel-default-fips-off.patch obsoleted. Dropped. + - stunnel-listenqueue-option.patch refreshed. 
+ +------------------------------------------------------------------- +Fri Nov 1 15:34:45 UTC 2013 - michael@stroeder.com + +- update to version 4.56 + +------------------------------------------------------------------- +Mon Jul 23 09:17:13 UTC 2012 - drahn@suse.com + +- Fix background operation to really go into background + (stunnel-daemonize.diff) + +------------------------------------------------------------------- +Sat Jul 21 06:19:39 UTC 2012 - drahn@suse.com + +- update to version 4.53 + - Usage of uninitialized variables fixed in exec+connect services. + - Fixed handling of a rare inetd mode use case, where either stdin + or stdout is a socket, but not both of them at the same time. + - Fixed crash on termination with FORK threading model. + - Fixed missing file descriptors passed to local mode processes. +- refreshed stunnel-listenqueue-option.patch to apply cleanly again + +------------------------------------------------------------------- +Tue Nov 29 18:35:32 UTC 2011 - darix@nordisch.org + +- update to version 4.49 + - A bug was fixed causing crashes on MacOS X and some other + platforms. +- additional changes from 4.48 + - FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs + based on FIPS 1.2.3 canister are included with this version of + stunnel. FIPS mode can be disabled with "fips = no" + configuration file option. + - Fixed canary initialization problem on Win32 platform. + +------------------------------------------------------------------- +Thu Nov 24 16:39:23 UTC 2011 - darix@nordisch.org + +- refreshed stunnel-listenqueue-option.patch to apply cleanly again +- pass the path to the config file to the binary in the init + script: without this the init script does not work for me. 
+ +------------------------------------------------------------------- +Thu Nov 24 16:19:39 UTC 2011 - darix@nordisch.org + +- update to version 4.47 + * Internal improvements + - CVE-2010-3864 workaround improved to check runtime version of + OpenSSL rather than compiled version, and to allow OpenSSL + 0.x.x >= 0.9.8p. + - Encoding of man page sources changed to UTF-8. + * Bugfixes + - Handling of socket/SSL close in transfer() function was + fixed. + - Logging was modified to save and restore system error codes. + - Option "service" was restricted to Unix, as since stunnel + 4.42 it wasn't doing anything useful on Windows platform. +- additional changes from version 4.46 + * New features + - Added Unix socket support (e.g. "connect = + /var/run/stunnel/socket"). + - Added "verify = 4" mode to ignore CA chain and only verify + peer certificate. + - Removed the limit of 16 IP addresses for a single 'connect' + option. + - Removed the limit of 256 stunnel.conf sections in PTHREAD + threading model. It is still not possible have more than 63 + sections on WIN32 platform. + http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx + * Optimizations + - Reduced per-connection memory usage. + - Performed a major refactoring of internal data structures. Extensive + internal testing was performed, but some regression bugs are expected. + * Bugfixes + - Fixed WIN32 compilation with Mingw32. + - Fixed non-blocking API emulation layer in UCONTEXT threading model. + - Fixed signal handling in UCONTEXT threading model. +- additional changes from version 4.45 + * New features + - "protocol = proxy" support to send original client IP address to haproxy: + http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt + This requires accept-proxy bind option of haproxy 1.5-dev3 or later. + - Added Win32 configuration reload without a valid configuration loaded. + - Added compatibility with LTS OpenSSL versions 0.9.6 and 0.9.7. 
+ Some features are only available in OpenSSL 1.0.0 and later. + * Performance optimizations + - Use SSL_MODE_RELEASE_BUFFERS if supported by the OpenSSL library. + - Libwrap helper processes are no longer started if libwrap is disabled + in all sections of the configuration file. + * Internal improvements + - Protocol negotiation framework was rewritten to support + additional code to be executed after + SSL_accept()/SSL_connect(). + - Handling of memory allocation errors was rewritten to + gracefully + terminate the process (thx to regenrecht for the idea). + * Bugfixes + - Fixed -l option handling in stunnel3 script + (thx to Kai Gülzau). + - Script to build default stunnel.pem was fixed + (thx to Sebastian Kayser). + - MinGW compilation script (mingw.mak) was fixed + (thx to Jose Alf). + - MSVC compilation script (vc.mak) was fixed. + - A number of problems in WINSOCK error handling were fixed. +- additional changes from version 4.44 + * New features + - Major automake/autoconf cleanup. + - Heap buffer overflow protection with canaries. + - Stack buffer overflow protection with -fstack-protector. + * Bugfixes + - Fixed garbled error messages on errors with setuid/setgid + options. + - SNI fixes (thx to Alexey Drozdov). + - Use after free in fdprintf() (thx to Alexey Drozdov). This + issue might cause GPF with "protocol" or "ident" options. + +------------------------------------------------------------------- +Fri Sep 9 13:45:49 UTC 2011 - drahn@suse.com + +- update to version 4.43 +* New features: + - Major optimization of the logging subsystem. +* Bugfixes + - Fixed FORK and UCONTEXT threading models. + +------------------------------------------------------------------- +Fri Sep 2 08:12:24 UTC 2011 - drahn@suse.com + +- update to version 4.42 +* New features + - New verify level 0 to request and ignore peer certificate. + - Manual page has been updated. +* Bugfixes + - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. 
+ It may possibly be leveraged to perform DoS or remote code + execution attacks (CVE-2011-2940). + +------------------------------------------------------------------- +Sun Aug 7 14:30:37 UTC 2011 - drahn@suse.com + +- correct path in stunnel3 (bnc#710879) + +------------------------------------------------------------------- +Mon Jul 25 06:42:40 UTC 2011 - drahn@suse.com + +- update package to 4.40 +* New features: + - Hardcoded 2048-bit DH parameters are used as a fallback if DH + parameters are not provided in stunnel.pem. + - Default "ciphers" value updated to prefer ECDH: + "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH". + - Default ECDH curve updated to "prime256v1". + - Removed support for temporary RSA keys (used in obsolete + export ciphers). +- refresh stunnel-listenqueue-option.patch + +------------------------------------------------------------------- +Wed Jun 29 13:01:51 UTC 2011 - daniel.rahn@novell.com + +- split off doc package + +------------------------------------------------------------------- +Wed Jun 29 06:08:34 UTC 2011 - daniel.rahn@novell.com + +- update package to 4.38 +* New features: + - Server-side SNI implemented (RFC 3546 section 3.1) with a new + service-level option "nsi". + - "socket" option also accepts "yes" and "no" for flags. + - Nagle's algorithm is now disabled by default for improved + interactivity. +* Bugfixes: + - A compilation fix was added for OpenSSL version < 1.0.0. + - Signal pipe set to non-blocking mode. This bug caused hangs + of stunnel features based on signals, e.g. local mode, FORK + threading, or configuration file reload on Unix. 
+ +------------------------------------------------------------------- +Mon Jun 20 07:49:41 UTC 2011 - daniel.rahn@novell.com + +- disable the previous two patches for the time being +- create debug packages + +------------------------------------------------------------------- +Sat Jun 18 10:04:29 UTC 2011 - daniel.rahn@novell.com + +- fix ucontext handling (backport from v4.37) + +------------------------------------------------------------------- +Sat Jun 18 03:59:20 UTC 2011 - daniel.rahn@novell.com + +- fix non-blocking socket handling (backport from v4.37) + +------------------------------------------------------------------- +Thu Jun 16 11:44:32 UTC 2011 - daniel.rahn@novell.com + +- update package to 4.36 +- obsoletes SOMAXCONN and libwrap disable patches (bnc#674554) +- forward port listenqueue patch (bnc#674554) +- explicitly enable libwrap in configure call + +* New features + - Dynamic memory management for strings manipulation: no more static + STRLEN limit, lower stack footprint. + - Strict public key comparison added for "verify = 3" certificate checking + mode (thx to Philipp Hartwig). + - Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved + behavior on heavy load. + Old behavior can be restored with "listenqueue = 5" in stunnel.conf + +* Bugfixes + - Missing pthread_attr_destroy() added to fix memory leak (thx to Paul + Allex and Peter Pentchev). + - Fixed the incorrect way of setting FD_CLOEXEC flag. + - Fixed --enable-libwrap option of ./configure script. + - Retry implemented on EAI_AGAIN error returned by resolver calls. + +------------------------------------------------------------------- +Mon Feb 7 15:10:17 CET 2011 - asvetter@cip.physik.uni-wuerzburg.de + +- update to 4.35: +* New features + - Updated Win32 DLLs for OpenSSL 1.0.0c. + - Transparent source (non-local bind) added for FreeBSD 8.x. + - Transparent destination ("transparent = destination") added for Linux. +* Bugfixes + - Fixed reload of FIPS-enabled stunnel. 
+ - Compiler options are now auto-detected by ./configure script + in order to support obsolete versions of gcc. + - Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler. + - CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. + Irreparable race condition leaks remain on other Unix platforms. + This issue may have security implications on some deployments. + - Directory lib64 included in the OpenSSL library search path. + - Windows CE compilation fixes (thx to Pierre Delaage). + - Deprecated RSA_generate_key() replaced with RSA_generate_key_ex(). +* Domain name changes (courtesy of Bri Hatch) + - http://stunnel.mirt.net/ --> http://www.stunnel.org/ + - ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/ + - stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel + - stunnel-users@mirt.net --> stunnel-users@stunnel.org + - stunnel-announce@mirt.net --> stunnel-announce@stunnel.org + +------------------------------------------------------------------- +Tue Sep 28 23:06:16 CEST 2010 - dmueller@suse.de + +- update to 4.34: + - Added ECC support with a new service-level "curve" option. + - DH support is now enabled by default. + - Added support for OpenSSL builds with some algorithms disabled. + - ./configure modified to support cross-compilation. + - Implemented fixes in user interface to enter engine PIN. + - Fixed a transfer() loop issue on socket errors. + - Fixed missing WIN32 taskbar icon while displaying a global option error. + - Inetd mode fixed. + - New service-level "libwrap" option for run-time control whether + /etc/hosts.allow and /etc/hosts.deny are used for access control. + Disabling libwrap significantly increases performance of stunnel. + - Win32 DLLs for OpenSSL 0.9.8m. + - Fixed a transfer() loop issue with SSLv2 connections. + - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option. + - Logging subsystem bugfixes and cleanup. + - Installer bugfixes for Vista and later versions of Windows. 
+ - FIPS mode can be enabled/disabled at runtime. + - Log file reopen on USR1 signal was added. + - Some regression issues introduced in 4.30 were fixed. + - Graceful configuration reload with HUP signal on Unix + and with GUI on Windows. + - A serious bug in asynchronous shutdown code fixed. + - Data alignment updated in libwrap.c. + - Polish manual encoding fixed. + - Notes on compression implementation in OpenSSL added to the manual. + +------------------------------------------------------------------- +Fri Nov 27 11:11:59 CET 2009 - vetter@physik.uni-wuerzburg.de + +- fix compile problems with openssl 0.9.7d + +------------------------------------------------------------------- +Fri Nov 27 09:45:54 CET 2009 - vetter@physik.uni-wuerzburg.de + +- bugfixes for 4.28 + * Bugfixes + o "execargs" defaults to the "exec" parameter (thx to Peter Pentchev). + o no_ticket.patch + +- update to 4.27: + * New features + o Win32 DLLs for OpenSSL 0.9.8l. + o Transparent proxy support on Linux kernels >=2.6.28. See the manual for details. + o New socket options to control TCP keepalive on Linux: TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL. + o SSL options updated for the recent version of OpenSSL library. + * Bugfixes + o A serious bug in asynchronous shutdown code fixed. + o Data alignment updated in libwrap.c. + o Polish manual encoding fixed. + o Notes on compression implementation in OpenSSL added to the manual. + + + +------------------------------------------------------------------- +Fri Apr 17 16:34:22 CEST 2009 - vetter@physik.uni-wuerzburg.de + +- update to 4.27: + * New features + - Win32 DLLs for OpenSSL 0.9.8k. + - FIPS support was updated for openssl-fips 1.2. + - New priority failover strategy for multiple "connect" targets, + controlled with "failover=rr" (default) or "failover=prio". + - pgsql protocol negotiation by Marko Kreen . + - Building instructions were updated in INSTALL.W32 file. 
+ * Bugfixes + - Libwrap helper processes fixed to close standard + input/output/error file descriptors. + - OS2 compilation fixes. + - WCE fixes by Pierre Delaage . + +------------------------------------------------------------------- +Wed Feb 18 20:15:22 CEST 2009 - vetter@physik.uni-wuerzburg.de + +- set ownership of /var/lib/stunnel/var/run to stunnel for pid file + +- update to 4.26: + + Version 4.26, 2008.09.20, urgency: MEDIUM: + * New features + - Win32 DLLs for OpenSSL 0.9.8i. + - /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to + the chrooted directory, as the libwrap processes are no longer + chrooted. + - A more informative error messages for invalid port number specified + in stunnel.conf file. + - Support for Microsoft Visual C++ 9.0 Express Edition. + * Bugfixes + - Killing all libwrap processes at stunnel shutdown fixed. + - A minor bug in stunnel.init sample SysV startup file fixed. + + +------------------------------------------------------------------- +Tue Sep 16 00:10:22 CEST 2008 - poeml@suse.de + +- update to 4.25. Changelog excerpt, only platform relevant changes + shown here: + * SECURITY FIX: + - OCSP code was fixed to properly reject revocated certificates. + * New features + - Makefile was updated to use standard autoconf variables: + sysconfdir, localstatedir and pkglibdir. + - A new global option to control logging to syslog: + syslog = yes|no + Simultaneous logging to a file and the syslog is now possible. + - A new service level option to control stack size: + stack = + * Bugfixes + - Spawning libwrap processes delayed until privileges are dropped. + - Compilation fix for systems without struct msghdr.msg_control. + - Restored chroot() to be executed after decoding numerical + userid and groupid values in drop_privileges(). + - A few bugs fixed the in the new libwrap support code. + - TLSv1 method used by default in FIPS mode instead of + SSLv3 client and SSLv23 server methods. 
+ - OpenSSL GPL license exception update based on + http://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs + +- dropped stunnel-4.21-write_pid_as_root.diff, and instead fix the + init script to add chroot prefix when dealing with the pid file + +------------------------------------------------------------------- +Mon Sep 15 11:44:47 CEST 2008 - poeml@suse.de + +- fix init script's LSB headers + +------------------------------------------------------------------- +Tue Feb 5 15:42:28 CET 2008 - poeml@suse.de + +- create $chroot_dir/var/run for the new pidfile location + +------------------------------------------------------------------- +Mon Jan 28 11:56:41 CET 2008 - poeml@suse.de + +- make the filelist own /usr/lib*/stunnel + +------------------------------------------------------------------- +Fri Jan 25 11:23:01 CET 2008 - poeml@suse.de + +- fix build (re-diff stunnel-4.21-write_pid_as_root.diff) +- fix filelist (make sure that the binaries stay in /usr/sbin) + +------------------------------------------------------------------- +Mon Oct 29 17:54:21 CET 2007 - poeml@suse.de + +- update to 4.21: Changes: + Initial FIPS 140-2 support was added. Non-MT-safe libwrap (TCP + Wrappers) library support was rewritten. It's currently based on + pre-forked processes and should be much faster. Some bugfixes + were also added. + +------------------------------------------------------------------- +Thu Aug 16 09:21:23 CEST 2007 - poeml@suse.de + +- update to 4.20. Changes (edited): + Version 4.20, 2006.11.30, urgency: MEDIUM: + * Release notes + - There are a lot of new features in this version. + * New features + - New service-level option to specify OCSP server flag: + OCSPflag = + - "protocolCredentials" option changed to "protocolUsername" + and "protocolPassword" + - NTLM support to be enabled with the new service-level option: + protocolAuthentication = NTLM + - imap protocol negotiation support added. 
+ - Passphrase cache was added so the user does not need to reenter + the same passphrase for each defined service any more. + - New service-level option to retry connect+exec section: + retry = yes|no + - Local IP and port is logged for each established connection. + * Bugfixes + - Serious problem with SSL_WANT_* retries fixed. + The new code requires extensive testing! + - Problem with detecting getaddrinfo() in ./configure fixed. + - Compilation problem due to misplaced #endif in ssl.c fixed. + - Duplicate 220 in smtp_server() function in protocol.c fixed. + - Minor update of safestring()/safename() macros. + +------------------------------------------------------------------- +Thu May 10 23:52:22 CEST 2007 - ro@suse.de + +- added openssl to buildrequires + +------------------------------------------------------------------- +Mon Apr 2 16:18:41 CEST 2007 - rguenther@suse.de + +- add zlib-devel BuildRequires + +------------------------------------------------------------------- +Tue Oct 17 20:31:20 CEST 2006 - poeml@suse.de + +- there is no SuSEconfig.syslog script anymore, thus remove the + YaST hint from the sysconfig template + +------------------------------------------------------------------- +Wed Sep 27 15:09:23 CEST 2006 - poeml@suse.de + +- upstream 4.16 + * New features sponsored by Hewlett-Packard + - A new global option to control engine: engineCtrl = [:] + - A new service-level option to select engine to read private key: engineNum = + - OCSP support: ocsp = + * New features + - A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1 + - Visual Studio vc.mak by David Gillingham . + - OS2 support by Paul Smedley (http://smedley.info) + * Bugfixes + - An ordinary user can install stunnel again. + - Compilation problem with --enable-dh fixed. + - Some minor compilation warnings fixed. + - Service-level CRL cert store implemented. + - GPF on protocol negotiations fixed. + - Problem detecting addrinfo() on Tru64 fixed. 
+ - Default group is now detected by configure script. + - Check for maximum number of defined services added. + - OpenSSL_add_all_algorithms() added to SSL initialization. + - configure script sections reordered to detect pthread library funcions. + - RFC 2487 autdetection improved (thx to Hans Werner Strube). High + resolution s_poll_wait() not currently supported by UCONTEXT threading. + - More precise description of cert directory file names (thx to Muhammad + Muquit). + * Other changes + - Maximum number of services increased from 64 to 256 when poll() is used. +- add BuildRequires: tcp_wrappers gcc-c++ for building on Fedora +- remove doc files installed by make install, which are picked up + by %doc + +------------------------------------------------------------------- +Fri Jun 23 15:11:22 CEST 2006 - poeml@suse.de + +- build as non-root +- build with fPIE/pie on SUSE 10.0 or newer, or on any other + platform +- fix BuildRequires for Fedora Core, and wrap suse_version macros +- upstream 4.15 + * Release notes + - There are a lot of new features in this version. I recommend + to test it well before upgrading your mission-critical systems. + [note by packager: out since 3 months, without major problems] + * Bugfixes + - Default threading model changed to pthread for better portability. + - DH parameters are not included in the certificate by default. + * New features sponsored by Software House http://www.swhouse.com/ + - Most SSL-related options (including client, cert, key) are now + available on service level, so it is possible to have an SSL + client and an SSL server in a single stunnel process. + * New features + - Client mode CONNECT protocol support (RFC 2817 section 5.2). + http://www.ietf.org/rfc/rfc2817.txt + - Retrying exec+connect services added. +- make install now tries to create /var/lib/stunnel chmoded 1770 + and group nogroup, which we don't do. 
+ +------------------------------------------------------------------- +Wed Jan 25 21:41:50 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Sun Nov 27 18:05:05 CET 2005 - lmuelle@suse.de + +- update to 4.14 + +------------------------------------------------------------------- +Thu Oct 6 14:16:25 CEST 2005 - poeml@suse.de + +- fix hang/segfault upon connect. Use pthreads by removing + configure check for ucontext.h [#119650] + +------------------------------------------------------------------- +Tue Aug 30 15:54:37 CEST 2005 - poeml@suse.de + +- fix parsing of ldd output when setting up the chroot jail [#114090] + +------------------------------------------------------------------- +Tue Jun 21 14:39:34 CEST 2005 - poeml@suse.de + +- update to 4.10 + - Some bugfixes and code cleanup were done. + - A new user-level non-preemptive thread model was added for even + greater scalability. + - The stunnel3 script was improved to be more compatible with + getopt. +- add post-4.10 stunnel-4.10-inetd.patch +- compile with tcp wrappers +- compile as PIE and link with -z relro + +------------------------------------------------------------------- +Tue Jan 4 10:46:20 CET 2005 - poeml@suse.de + +- update to 4.07 + * Bugfixes + - Problem with infinite poll() timeout negative, but not equal + to -1 fixed. + - Problem with a file descriptor ready to be read just after a + non-blocking connect call fixed. + - Compile error with EAI_NODATA not defined or equal to + EAI_NONAME fixed. + - IP address and TCP port textual representation length (IPLEN) + increased to 128 bytes. + - OpenSSL engine support is only used if engine.h header file + exists. + - Broken NT Service mode on WIN32 platform fixed. + - Support for IPv4-only WIN32 machines restored. 
+ +------------------------------------------------------------------- +Tue Dec 28 15:28:18 CET 2004 - poeml@suse.de + +- update to 4.06 + In this version, IPv6 support, compression support, hardware + engine selection and many other features were added. A new + stunnel3 Perl script to emulate version 3.x command line options + was added. poll() is used instead of select() where available, + so FD_SETSIZE no longer limits the number of concurrent + connections. +- add stunnel-4.06-nfds.dif + stunnel-4.06-poll_timeout.patch + stunnel-4.06-race_condition.patch + +------------------------------------------------------------------- +Thu Nov 11 12:57:47 CET 2004 - poeml@suse.de + +- fix filelist for /usr/lib + +------------------------------------------------------------------- +Fri Mar 5 17:20:21 CET 2004 - poeml@suse.de + +- update to 4.05. new features (excerpt): + * New feature sponsored by SURFnet http://www.surfnet.nl/ + - Support for CIFS aka SMB protocol SSL negotiation. + * New features + - CRL support with new CApath and CAfile global options. + - New -fd command line parameter to read configuration + from a specified file descriptor instead of a file. + - accept is reported as error with [section] defined (in + stunnel 4.04 it was silently ignored causing problems + for lusers that did not read the fine manual). + - Use fcntl() instead of ioctlsocket() to set socket + nonblocking when it is supported. + - Basic support for hardware engines with OpenSSL >= 0.9.7. + - French manual by Bernard Choppy . + - Thread stack size reduced to 64KB for maximum scalability. + - Added optional code to debug thread stack usage. + - Support for nsr-tandem-nsk (thx to Tom Bates ). + * Bugfixes + - TCP wrappers code moved to CRIT_NTOA critical section + since it uses static inet_ntoa() result buffer. + - SSL_ERROR_SYSCALL handling problems fixed. + - added code to retry nonblocking SSL_shutdown() calls. + - Use FD_SETSIZE instead of 16 file descriptors in inetd + mode. 
+ - fdscanf groks lowercase protocol negotiation commands. + - Libwrap detection bug in ./configure script fixed. + - Some other minor updates. +- show readme only at first installation + +------------------------------------------------------------------- +Tue Aug 26 18:15:22 CEST 2003 - poeml@suse.de + +- add Config: syslog-ng to sysconfig.syslog-stunnel + +------------------------------------------------------------------- +Thu Aug 14 21:10:14 CEST 2003 - poeml@suse.de + +- add activation metadata to sysconfig template [#28954] +- rename README.SuSE to README.{SuSE,UnitedLinux} +- don't show blurb in %post if a certificate exists + +------------------------------------------------------------------- +Tue Aug 12 15:50:51 CEST 2003 - poeml@suse.de + +- implement 'try-restart' in rcstunnel correctly [#28636] + +------------------------------------------------------------------- +Wed Jul 30 18:06:49 CEST 2003 - poeml@suse.de + +- add an example configuration for tunneling MySQL +- make stunnel3_wrapper compatible to more shells, and merge it + with stunnel3_convert (which becomes a symlink) +- new macros for stop/restart of services on rpm update/removal + +------------------------------------------------------------------- +Tue May 13 12:00:38 CEST 2003 - poeml@suse.de + +- delete (from the build root) files not to be packaged +- package the libtool library file +- add a commented option to the sample configuration + +------------------------------------------------------------------- +Thu Mar 13 14:10:53 CET 2003 - poeml@suse.de + +- rc.stunnel: do not write the startup log to a world writable + directory [cf. #25239] + +------------------------------------------------------------------- +Mon Feb 17 18:22:36 CET 2003 - poeml@suse.de + +- Version 4.04, 2003.01.12, urgency: MEDIUM: + * New features [excerpt] + - New 'options' configuration option to setup + OpenSSL library hacks with SSL_CTX_set_options(). 
+ - 'service' option also changes the name for + TCP Wrappers access control in inetd mode. + - SSL is negotiated before connecting remote host + or spawning local process whenever possible. + - REMOTE_HOST variable is always placed in the + enrivonment of a process spawned with 'exec'. + - Whole SSL error stack is dumped on errors. + - 'make cert' rule is back (was missing since 4.00). + - Manual page updated (special thanks to Brian Hatch). + * Bugfixes + - Major code cleanup (thx to Steve Grubb ). + - Unsafe functions are removed from SIGCHLD handler. + - Several bugs in auth_user() fixed. + - Incorrect port when using 'local' option fixed. + - OpenSSL tools '-rand' option is no longer directly + used with a device (like '/dev/urandom'). + Temporary random file is created with 'dd' instead. +- fix typo in conf file example + +------------------------------------------------------------------- +Wed Feb 12 15:33:39 CET 2003 - mmj@suse.de + +- Add sysconfig metadata [#22699] + +------------------------------------------------------------------- +Thu Oct 31 21:38:10 CET 2002 - poeml@suse.de + +- update to 4.03 +- add stunnel3_wrapper that translates the cmdline arguments into a + configuration file +- fix default path of pidfile +- more examples + +------------------------------------------------------------------- +Fri Oct 25 22:27:10 CEST 2002 - poeml@suse.de + +- write the pid file before dropping the privileges + +------------------------------------------------------------------- +Fri Oct 25 20:22:23 CEST 2002 - poeml@suse.de + +- major version upgrade to 4.02 +- better permissions for /etc/stunnel and keys [#18557] +- run as "stunnel" user in chroot jail +- add sysconfig.syslog-stunnel template and /var/lib/stunnel/dev + for an additional syslog socket +- added init script and example configuration + +------------------------------------------------------------------- +Sat Jul 27 14:20:01 CEST 2002 - adrian@suse.de + +- use %run_ldconfig + 
+-------------------------------------------------------------------
+Thu Mar 8 11:50:46 CET 2001 - bk@suse.de
+
+- update to 3.14 and fix localstatedir (/var/run/stunnel)
+
+-------------------------------------------------------------------
+Mon Feb 5 16:11:33 CET 2001 - bk@suse.de
+
+- fixed neededforbuild
+
+-------------------------------------------------------------------
+Sun Feb 4 23:55:48 CET 2001 - bk@suse.de
+
+- new package
+
diff --git a/stunnel.keyring b/stunnel.keyring
new file mode 100644
index 0000000..cb6173b
--- /dev/null
+++ b/stunnel.keyring
@@ -0,0 +1,125 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0 +hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf +ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S +fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY +kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX +1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8 +rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn +RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN +Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E +sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk +4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB +tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+ +iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT +1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK +JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan +OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT +JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe +tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa +sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx +RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu +XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc +Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq +HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA +G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD +ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu +VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj +k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs +pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq 
+eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL +CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG +L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH +xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez +YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l +qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR +EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm +qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c +MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy +b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb +AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq +owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U +0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+ +B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN +d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ +zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx +Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H +3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV +t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8 +eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b +rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst +r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb +/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN +aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE +iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl +qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS +bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ +jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ +Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj 
+zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM +f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM +9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio +bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e +GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23 ++6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU +68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z +kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6 +q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1 +3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb +Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G +KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ +HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef +wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1 +eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc +gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE +7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB +AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA +N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r +PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f +xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT +3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp +hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j +KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv +MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW +Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY +SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm +CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE +SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA +q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/ 
+fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD +Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g +qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u +/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F +ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj +PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK +zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue +Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU +qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp +42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB +AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd +f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz +qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM +UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN +oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV +wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW +YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv +WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG +TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV +AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz +GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM +eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8 +PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw +I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2 +1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx +dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml +DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M +5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+ +kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh +NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b 
+zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
+wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
+=EgcU
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/stunnel.rc b/stunnel.rc
new file mode 100644
index 0000000..f1cf76f
--- /dev/null
+++ b/stunnel.rc
@@ -0,0 +1,245 @@
+#! /bin/sh
+# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
+# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
+# Copyright (c) 2002 SuSE Linux AG
+#
+# License: same as stunnel
+#
+# Author: Peter Poeml , 2002
+#
+# /etc/init.d/stunnel
+# and its symbolic link
+# /usr/sbin/rcstunnel
+#
+### BEGIN INIT INFO
+# Provides: stunnel
+# Required-Start: $local_fs $remote_fs $network
+# Should-Start: $named $syslog $time
+# Required-Stop: $local_fs $remote_fs $network
+# Should-Stop: $named $syslog $time
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: stunnel (universal SSL tunnel)
+# Description: Start the universal SSL tunnel "stunnel"
+### END INIT INFO
+
+
+DAEMON="stunnel (SSL tunnel)"
+DAEMON_BIN=/usr/sbin/stunnel
+: ${STUNNEL_CONF:=/etc/stunnel/stunnel.conf}
+STARTPROC_LOGFILE=/var/log/rc.stunnel.log
+SUPPORTS_HUP=false
+
+test -x $DAEMON_BIN || exit 5
+
+#
+# read the configuration
+#
+STUNNEL_RUN_CHROOTED=false
+DAEMON_PIDFILE=/var/run/stunnel.pid
+EXECUTABLES=
+CHROOT_PREFIX=
+while read -a line; do
+ case ${line} in
+ chroot) CHROOT_PREFIX=${line[2]}; STUNNEL_RUN_CHROOTED=true;;
+ pid) DAEMON_PIDFILE=${line[2]};;
+ exec) EXECUTABLES="$EXECUTABLES ${line[2]}";;
+ esac;
+done < $STUNNEL_CONF
+DAEMON_PIDFILE="$CHROOT_PREFIX$DAEMON_PIDFILE"
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_failed set local and overall rc status to
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+. /etc/rc.status
+
+# First reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signalling is not supported) are
+# considered a success.
+
+# this seems to want to delete the pid file if it is empty
+test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE
+
+case "$1" in
+ start)
+ echo -n "Starting $DAEMON "
+
+ ## If there is no conf file, skip starting of stunnel
+ ## and return with "program not configured"
+ if ! [ -f $STUNNEL_CONF ]; then
+ echo -e -n "... no configuration file found";
+ # Tell the user this has skipped
+ rc_status -s
+ # service is not configured
+ exit 6;
+ fi
+
+ ##
+ ## set up chroot directory
+ ##
+ if $STUNNEL_RUN_CHROOTED; then
+ # /etc
+ for i in $STUNNEL_CONF /etc/{resolv.conf,host.conf,hosts,localtime,hosts.{allow,deny}}; do
+ cp -p $i $CHROOT_PREFIX/etc/ &>/dev/null \
+ || { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
+ done
+ # executables
+ for i in $EXECUTABLES; do
+ mkdir -p `dirname $CHROOT_PREFIX/$i`
+ cp -p $i $CHROOT_PREFIX/$i \
+ || { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
+ done
+ # libs
+ libdir=/$(basename $(echo /var/lib/stunnel/lib*))
+ for i in $EXECUTABLES; do
+ unset libs
+ ldd $i | grep '=> /' | while read -a line; do
+ cp -p ${line[2]} $CHROOT_PREFIX/$libdir \
+ || { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
+ done
+ done
+ fi
+
+ rm -f $STARTPROC_LOGFILE # start log
+ error=0
+ ## Start daemon with startproc(8). If this fails
+ ## the echo return value is set appropriate.
+ # startproc should return 0, even if service is
+ # already running to match LSB spec.
+
+ test "$2" = "-v" && echo -en \
+ "\nrunnning '$DAEMON_BIN '"
+ startproc -l $STARTPROC_LOGFILE $DAEMON_BIN ${STUNNEL_CONF} || error=1
+
+ if [ $error -eq 1 ]; then
+ echo -e -n " please see $STARTPROC_LOGFILE for details ";
+ ## set status to failed
+ rc_failed
+ else
+ $STUNNEL_RUN_CHROOTED && echo -n "[chroot]" || :
+ fi
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down $DAEMON "
+
+ ## Stop daemon with killproc(8) and if this fails
+ ## set echo the echo return value.
+
+ killproc -p $DAEMON_PIDFILE -TERM $DAEMON_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+
+ # delete pidfile (stunnel cannot do it if it doesn't run as root)
+ rm -f $DAEMON_PIDFILE
+ ;;
+ try-restart)
+ ## Do a restart only if the service was active before.
+ ## Note: try-restart is now part of LSB (as of 1.9).
+ ## RH has a similar command named condrestart.
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset # Not running is not a failure.
+ fi
+ # Remember status and be quiet
+ rc_status
+ ;;
+ restart)
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ sleep 3
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload)
+ ## Signal the daemon to reload its config. Most daemons
+ ## do this on signal 1 (SIGHUP).
+ ## If it does not support it, restart.
+
+ echo -n "Reload service $DAEMON"
+
+ if $SUPPORTS_HUP; then
+ killproc -p $DAEMON_PIDFILE -HUP $DAEMON_BIN
+ #touch $DAEMON_PIDFILE
+ rc_status -v
+ else
+ $0 stop && sleep 3 && $0 start
+ rc_status
+ fi
+ ;;
+ reload)
+ ## Like force-reload, but if daemon does not support
+ ## signalling, do nothing (!)
+
+ if $SUPPORTS_HUP; then
+ # If it supports signalling:
+ echo -n "Reload service $DAEMON"
+ killproc -p $DAEMON_PIDFILE -HUP $DAEMON_BIN
+ #touch $DAEMON_PIDFILE
+ rc_status -v
+ else
+ ## Otherwise if it does not support reload:
+ rc_failed 3
+ rc_status -v
+ fi
+ ;;
+ status)
+ echo -n "Checking for $DAEMON: "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ # Status has a slightly different for the status command:
+ # 0 - service running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running
+
+ # NOTE: checkproc returns LSB compliant status values.
+ checkproc -p $DAEMON_PIDFILE $DAEMON_BIN
+ rc_status -v
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload,
+ ## give out the argument which is required for a reload.
+
+ rc=0
+ for i in $STUNNEL_CONF; do
+ test $i -nt $DAEMON_PIDFILE && rc=1
+ done
+ test $rc = 1 && echo restart
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe} [-v]"
+ exit 1
+esac
+rc_exit
+
+# vim: syntax=sh ai
diff --git a/stunnel.spec b/stunnel.spec
new file mode 100644
index 0000000..5f8e2ab
--- /dev/null
+++ b/stunnel.spec
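Review bot: The library copy in the chroot setup cannot abort the start: in `ldd $i | grep '=> /' | while read -a line; do … exit 6; }` the loop body runs in a pipeline subshell, so `exit 6` (and the `rc_failed`/`rc_status` calls before it) only end that subshell and the script carries on to `startproc` a jail that is missing a library; the message there also names `$i`, the executable, rather than the library that failed. A loop over a command substitution stays in the main shell: `for lib in $(ldd $i | awk '/=> \// { print $3 }'); do`, then `cp -p $lib $CHROOT_PREFIX/$libdir \` and `|| { echo "...$0:$LINENO: could not copy $lib to chroot jail"; rc_failed; rc_status -v1; exit 6; }` in place of the `ldd`, `cp` and `||` lines (the `unset libs` above them is never used and can go). Separately, `libdir=/$(basename $(echo /var/lib/stunnel/lib*))` hard-codes the jail path that the script otherwise takes from the `chroot` option, and the spec in this commit lists this file as Source4 but installs `rcstunnel` as a symlink to `service`, so as far as the diff shows the script is not shipped at all.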
@@ -0,0 +1,180 @@
+#
+# spec file for package stunnel
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define VENDORAFFIX openSUSE
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: stunnel
+Version: 5.71
+Release: 0
+Summary: Universal TLS Tunnel
+License: GPL-2.0-or-later
+Group: Productivity/Networking/Security
+URL: https://www.stunnel.org/
+Source: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz
+Source1: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc
+Source2: https://www.stunnel.org/pgp.asc#/%{name}.keyring
+Source3: sysconfig.syslog-stunnel
+Source4: stunnel.rc
+Source7: stunnel.README
+# PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up!
+Patch1: stunnel-5.59_service_always_after_network.patch
+Patch2: harden_stunnel.service.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# PATCH-FIX-FEDORA bsc#1211301 Add crypto-policies support
+Patch3: stunnel-5.69-system-ciphers.patch
+Patch4: stunnel-5.69-default-tls-version.patch
+%endif
+BuildRequires: libopenssl-devel
+# test dependencies
+BuildRequires: netcat
+BuildRequires: pkgconfig
+BuildRequires: procps
+BuildRequires: python3
+BuildRequires: python3-cryptography
+BuildRequires: tcpd-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig(systemd)
+#
+Requires(pre): %fillup_prereq
+Requires(pre): %{_sbindir}/useradd
+Requires(pre): fileutils
+Requires(pre): textutils
+Recommends: stunnel-doc = %{version}
+%{?systemd_ordering}
+%if 0%{?suse_version} >= 1500
+Requires(pre): group(nogroup)
+%endif
+
+%description
+Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without
+any changes in the programs' code. Its architecture is optimized for security, portability, and
+scalability (including load-balancing), making it suitable for large deployments.
+
+%package doc
+Summary: Documentation for the universal TLS Tunnel
+Group: Documentation/Other
+Requires: stunnel = %{version}
+BuildArch: noarch
+
+%description doc
+This package contains additional documentation for the stunnel program.
+
+%prep
+%setup -q -n stunnel-%{version}
+%patch1 -p1
+chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
+chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
+%patch2 -p1
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%patch3 -p1
+%patch4 -p1
+%endif
+
+%build
+sed -i 's/-m 1770//g' tools/Makefile.in
+%configure \
+ --disable-static \
+ --bindir=%{_sbindir} \
+ --with-bashcompdir=%{_datadir}/bash-completion/completions
+%if 0%{?sle_version} < 150000
+ %define make_build %{__make} -O %{?_smp_mflags}
+%endif
+%make_build LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
+
+%install
+ %make_install
+
+mkdir -p %{buildroot}%{_docdir}
+mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/
+mkdir -p %{buildroot}%{_docdir}/stunnel/tools
+mkdir -p %{buildroot}%{_fillupdir}
+cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
+install -D -m 0644 %{buildroot}%{_docdir}/stunnel/examples/stunnel.service %{buildroot}/%{_unitdir}/stunnel.service
+ln -s service %{buildroot}%{_sbindir}/rcstunnel
+sed -i "s/^;setuid = nobody/setuid = stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;setgid =/setgid =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;include =/include =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i '/gmail-pop3/,+25 s/^./;&/' %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/; Sample stunnel/# Sample stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;/#/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf
+
+find %{buildroot} -type f -name "*.la" -delete -print
+rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL
+rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.WCE.md
+rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32.md
+rm -rf %{buildroot}%{_docdir}/stunnel/ca-certs.pem
+rm -rf %{buildroot}%{_docdir}/stunnel/plugins/
+
+mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run}
+install -d %{buildroot}%{_sysconfdir}/%{name}/conf.d
+
+%check
+# only works in Tumbleweed as of 2021-04-08
+%if 0%{?suse_version} > 1500
+ rm tests/plugins/*fips*.py
+ %make_build test
+%endif
+
+%pre
+if ! %{_bindir}/getent passwd stunnel >/dev/null; then
+ %{_sbindir}/useradd -r -c "Daemon user for stunnel (universal SSL tunnel)" -g nogroup -s /bin/false \
+ -d %{_localstatedir}/lib/stunnel stunnel
+fi
+
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+%{fillup_only -ans syslog stunnel}
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%files
+%license COPYING.md
+%{_sbindir}/rcstunnel
+%{_sbindir}/stunnel
+%{_sbindir}/stunnel3
+%{_libdir}/%{name}/
+%{_mandir}/man8/stunnel*8%{?ext_man}
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}/
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d
+%config(noreplace) %{_sysconfdir}/%{name}/stunnel.conf
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/dev
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/%{_lib}
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/sbin
+%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_localstatedir}
+%dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
+%{_fillupdir}/sysconfig.syslog-stunnel
+%{_unitdir}/stunnel.service
+%{_datadir}/bash-completion/completions/%{name}.bash
+
+%files doc
+%doc %{_docdir}/%{name}
+
+%changelog
diff --git a/sysconfig.syslog-stunnel b/sysconfig.syslog-stunnel
new file mode 100644
index 0000000..52add08
--- /dev/null
+++ b/sysconfig.syslog-stunnel
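Review bot: `Source2: https://www.stunnel.org/pgp.asc#/%{name}.keyring` fetches the signing key from the same origin as the tarball and its `.asc`, so the keyring-based source check only proves that the three downloads agree with each other, not that the key is upstream's; a note next to Source2 such as `# Source2: upstream signing key - confirm its fingerprint through a second channel before refreshing the keyring` makes a future keyring swap something a reviewer will actually look at. In `%files`, `%{_sysconfdir}/%{name}//conf.d` carries a doubled slash where `%install` creates `%{_sysconfdir}/%{name}/conf.d`. The pid-file directory `%attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run` is owned by the unprivileged service user, while the changelog in this commit says the pid file is written before privileges are dropped; unless stunnel opens it with O_NOFOLLOW/O_EXCL (not visible here), a compromised service user could leave a symlink there for the next root start, so either document why that is acceptable or keep the directory root-owned. Source4 `stunnel.rc` is declared but never installed (`rcstunnel` is a symlink to `service`), so it can be dropped or the intent noted.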
@@ -0,0 +1,12 @@
+## Type: string
+## Default: "/var/lib/stunnel/dev/log"
+## ServiceRestart: syslog
+#
+# The filename mentioned here will be added as "-a ..." to SYSLOGD_PARAMS when
+# syslogd is started.
+#
+# This additional socket is needed in case that syslogd is restarted. Otherwise
+# a chrooted stunnel won't be able to continue logging.
+#
+SYSLOGD_ADDITIONAL_SOCKET_STUNNEL="/var/lib/stunnel/dev/log"
+
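Review bot: The header describes the value as being appended as `-a …` to `SYSLOGD_PARAMS`, which is the classic sysklogd interface; the spec in this commit ships a systemd unit and installs this template via `%{fillup_only -ans syslog stunnel}`, but nothing visible here shows which logger on a current release still reads `SYSLOGD_ADDITIONAL_SOCKET_STUNNEL`, so that should be confirmed before keeping it. If it is still honoured, a line naming the consumer, e.g. `# Read by: <logger> through /etc/sysconfig/syslog`, would stop it reading as dead configuration; if it is not, the chrooted daemon's logging stops after a logger restart exactly as the comment warns, and nothing in the package compensates for that.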