diff --git a/stunnel-4.56.tar.gz b/stunnel-4.56.tar.gz deleted file mode 100644 index c6e5f4f..0000000 --- a/stunnel-4.56.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9cae2cfbe26d87443398ce50d7d5db54e5ea363889d5d2ec8d2778a01c871293 -size 540032 diff --git a/stunnel-5.00b1.tar.bz2 b/stunnel-5.00b1.tar.bz2 new file mode 100644 index 0000000..9f3dad3 --- /dev/null +++ b/stunnel-5.00b1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d58708d075b75fd999815a85c4378c76a5c6f87b7d0b30846bb52f566e2e8cd +size 468718 diff --git a/stunnel-daemonize.diff b/stunnel-daemonize.diff deleted file mode 100644 index 4a7db73..0000000 --- a/stunnel-daemonize.diff +++ /dev/null @@ -1,31 +0,0 @@ ---- src/stunnel.c -+++ src/stunnel.c -@@ -429,8 +429,8 @@ - } - - static int daemonize(int fd) { /* go to background */ -- if(global_options.option.foreground) -- return 0; -+ if(!(global_options.option.foreground)) -+ { - dup2(fd, 0); - dup2(fd, 1); - dup2(fd, 2); -@@ -441,6 +441,7 @@ - ioerror("daemon"); - return 1; - } -+ - #else - chdir("/"); - switch(fork()) { -@@ -456,7 +457,9 @@ - #ifdef HAVE_SETSID - setsid(); /* ignore the error */ - #endif -+ } - return 0; -+ - } - - static int create_pid(void) { diff --git a/stunnel-listenqueue-option.patch b/stunnel-listenqueue-option.patch index 4830bf9..efbb4fc 100644 --- a/stunnel-listenqueue-option.patch +++ b/stunnel-listenqueue-option.patch @@ -1,14 +1,12 @@ -Index: src/options.c -=================================================================== ---- src/options.c.orig +--- src/options.c +++ src/options.c -@@ -1535,6 +1535,25 @@ static char *parse_service_option(CMD cm +@@ -1218,6 +1218,24 @@ break; } -+ /* listenqueue */ ++ /* listenqueue option */ + switch(cmd) { -+ case CMD_INIT: ++ case CMD_BEGIN: + section->listenqueue=SOMAXCONN; + break; + case CMD_EXEC: 
@@ -20,31 +18,26 @@ Index: src/options.c + s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN); + break; + case CMD_HELP: -+ s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending onnections may grow to (max SOMAXCONN)", "listenqueue"); ++ s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending connections may grow to (max SOMAXCONN)", "listenqueue"); + break; + } + -+ - if(cmd==CMD_EXEC) - return option_not_found; - return NULL; /* OK */ -Index: src/prototypes.h -=================================================================== ---- src/prototypes.h.orig + #ifdef HAVE_OSSL_OCSP_H + + /* OCSP */ +--- src/prototypes.h +++ src/prototypes.h -@@ -170,6 +170,7 @@ typedef struct service_options_struct { +@@ -183,6 +183,7 @@ int timeout_close; /* maximum close_notify time */ int timeout_connect; /* maximum connect() time */ int timeout_idle; /* maximum idle connection time */ -+ int listenqueue; /* Listen backlog */ ++ int listenqueue; /* Listen backlog */ enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */ /* service-specific data for protocol.c */ -Index: src/stunnel.c -=================================================================== ---- src/stunnel.c.orig +--- src/stunnel.c +++ src/stunnel.c -@@ -363,7 +363,7 @@ +@@ -410,7 +410,7 @@ str_free(local_address); return 1; } @@ -52,5 +45,4 @@ Index: src/stunnel.c + if(listen(opt->fd, opt->listenqueue)) { sockerror("listen"); closesocket(opt->fd); - str_free(local_address); - + opt->fd=-1; diff --git a/stunnel.changes b/stunnel.changes index 8220d7a..cdfcb67 100644 --- a/stunnel.changes +++ b/stunnel.changes 
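Review bot: The CMD_HELP text in this hunk still advertises `(max SOMAXCONN)`, but the CMD_EXEC branch that actually parses the configured value lies in the lines between the two hunks of this refresh, so the diff does not show whether anything bounds the value stored in `section->listenqueue` before the stunnel.c hunk hands it to `listen(opt->fd, opt->listenqueue)`. If that branch merely converts the string, 0, a negative number or a value above SOMAXCONN is accepted silently (Linux clamps to net.core.somaxconn and treats negatives as 0; other kernels differ), and the help text becomes misleading. Since the patch is being refreshed anyway, it is worth confirming that branch rejects `listenqueue < 1` or clamps to SOMAXCONN with a LOG_WARNING, and saying so in the CMD_HELP string. The `int listenqueue;` line in the prototypes.h hunk changes only the comment alignment, and the stunnel.c hunk only re-syncs context (`opt->fd=-1;`), so those need no further attention.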
@@ -1,7 +1,28 @@ +------------------------------------------------------------------- +Wed Jan 29 16:23:28 UTC 2014 - drahn@suse.com + +- - Update to version 5.0b1 (FATE#315694) + - Default "pid" is now "", i.e. not to create a pid file at startup. + - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to + AlFBPPS attack and bad performance of DH ciphersuites. + - New service-level option "redirect" to redirect SSL client connections on + authentication failures instead of rejecting them. + - New global "engineDefault" configuration file option to control which + OpenSSL tasks are delegated to the current engine. + - New service-level configuration file option "engineId" to select the engine + by identifier, e.g. "engineId = capi". + - Improved readability of error messages printed when stunnel refuses to start + due to a critical error. + +- Patches: + - stunnel-CVE-2013-1762.patch obsoleted. Drpped. + - stunnel-default-fips-off.patch obsoleted. Dropped. + - stunnel-listenqueue-option.patch refreshed. + ------------------------------------------------------------------- Fri Nov 1 15:34:45 UTC 2013 - michael@stroeder.com -- update to version 4.56 with important security fix! +- update to version 4.56 ------------------------------------------------------------------- Mon Jul 23 09:17:13 UTC 2012 - drahn@suse.com diff --git a/stunnel.service b/stunnel.service new file mode 100644 index 0000000..b8abe14 --- /dev/null +++ b/stunnel.service @@ -0,0 +1,10 @@ +[Unit] +Description=SSL tunnel for network daemons +After=syslog.target + +[Service] +ExecStart=/usr/sbin/stunnel +Type=forking + +[Install] +WantedBy=multi-user.target diff --git a/stunnel.spec b/stunnel.spec index 4ccf1d8..61c9013 100644 --- a/stunnel.spec +++ b/stunnel.spec 
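Review bot: `Type=forking` is declared without a `PIDFile=`, and the stunnel.changes entry in this same commit says the default `pid` is now empty, so unless the packaged stunnel.conf sets `pid =` explicitly, systemd has to guess the main process after the fork and `systemctl stop`/`status` become unreliable. Either add `PIDFile=` matching the config's `pid` line, or run the daemon in the foreground (`foreground = yes` in stunnel.conf with `Type=simple`), which avoids the guess entirely. `After=syslog.target` names a target that is obsolete in systemd; `After=network.target` is the ordering a network listener actually wants. The unit carries no `User=` and starts stunnel as root, so the privilege drop and the /var/lib/stunnel chroot the spec prepares must come from the configuration file — worth a one-line comment in the unit stating that, so nobody later "hardens" it with a `User=` that breaks the chroot.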
@@ -19,7 +19,7 @@ BuildRequires: gcc-c++ tcp_wrappers %endif Summary: Universal SSL Tunnel License: GNU Library General Public License v. 2.0 and 2.1 (LGPL) -Version: 4.56 +Version: 5.00b1 Release: 0 Group: Productivity/Networking/Security URL: http://www.stunnel.org/ @@ -27,17 +27,22 @@ Autoreqprov: on %if %{?suse_version:%suse_version}%{?!suse_version:0} > 800 PreReq: /usr/sbin/useradd fileutils textutils %insserv_prereq %fillup_prereq %endif -Source: ftp://ftp.stunnel.org/stunnel/%{name}-%{version}.tar.gz +Source: ftp://ftp.stunnel.org/stunnel/%{name}-%{version}.tar.bz2 Source1: stunnel.conf Source2: stunnel.README Source3: sysconfig.syslog-stunnel Source4: stunnel.rc +Source5: stunnel.service Patch0: stunnel-listenqueue-option.patch -Patch1: stunnel3-binpath.patch -Patch2: stunnel-daemonize.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define VENDOR SUSE - +BuildRequires: openssl openssl-devel zlib-devel +BuildRequires: tcpd-devel +%define VENDOR openSUSE +%if 0%{?suse_version} >= 1210 +BuildRequires: systemd +%{?systemd_requires} +%define has_systemd 1 +%endif %description The stunnel program is designed to work as an SSL encryption wrapper @@ -59,10 +64,8 @@ This package contains additional documentation of the universal SSL tunnel stunnel. %prep -%setup -q -# %patch0 -p0 -%patch1 -p0 -%patch2 -p0 +%setup -q -n stunnel-5.00 +%patch0 -p0 %build #autoreconf -fi 
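Review bot: `Version: 5.00b1` sorts after the final `5.00` under rpmvercmp (once the numeric segments match, the version with the extra trailing segment wins), so the eventual update to the 5.00 release will not be recognised as newer without an artificial bump or an Epoch. Where the build target's rpm supports tilde versions, `Version: 5.00~b1` orders correctly below 5.00; the `Source:` line would then need the literal tarball name instead of `%{name}-%{version}.tar.bz2`, and `%setup -q -n stunnel-5.00` stays as it is. If the older targets this spec still guards with `suse_version` checks lack tilde support, a comment explaining how the beta-to-final transition will be handled is the minimum.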
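Review bot: `Patch1: stunnel3-binpath.patch` and `Patch2: stunnel-daemonize.diff` are dropped here, together with their `%patch1 -p0`/`%patch2 -p0` lines in the %prep hunk below, but the stunnel.changes entry in this commit names only the CVE-2013-1762, default-fips-off and listenqueue patches, so both removals are undocumented; a line such as `- stunnel3-binpath.patch, stunnel-daemonize.diff dropped: <reason>` belongs in that entry. The stunnel3 removal also looks functionally wrong rather than merely undocumented: the deleted patch rewrote `$stunnel_bin` to `@prefix@/sbin/stunnel`, and the %install section still does `mv $RPM_BUILD_ROOT/%{_bindir}/* $RPM_BUILD_ROOT/%{_sbindir}`, so if 5.00b1 still ships src/stunnel3.in the wrapper will point at a binary that is no longer in bin. The new `Source:` line keeps fetching the archive over plain `ftp://` with nothing to check it against; upstream publishes a detached signature, so adding it as a further Source next to the upstream keyring lets the build service verify the tarball instead of trusting the transport.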
@@ -95,46 +98,64 @@ make \ cp -p %{S:1} tools/stunnel.conf-sample cp -p %{S:2} README.%VENDOR cp -p %{S:3} $RPM_BUILD_ROOT/var/adm/fillup-templates/ +%if 0%{?has_systemd} +install -D -m 0644 $RPM_SOURCE_DIR/stunnel.service $RPM_BUILD_ROOT/%_unitdir/stunnel.service +%else install -m 744 $RPM_SOURCE_DIR/stunnel.rc $RPM_BUILD_ROOT/etc/init.d/stunnel ln -s ../../etc/init.d/stunnel $RPM_BUILD_ROOT/usr/sbin/rcstunnel -ln -s stunnel3 $RPM_BUILD_ROOT/usr/sbin/stunnel3_wrapper +%endif mv $RPM_BUILD_ROOT/%{_bindir}/* $RPM_BUILD_ROOT/%{_sbindir} -rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.pem rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.conf-sample +rm $RPM_BUILD_ROOT/%{_libdir}/stunnel/*.la +rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/stunnel/INSTALL +rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/stunnel/INSTALL.WCE +rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/stunnel/INSTALL.W32 rm -rf $RPM_BUILD_ROOT/usr/share/doc/stunnel %clean rm -rf $RPM_BUILD_ROOT %pre -%if 0%{?suse_version} > 730 -system_user=-r +if ! /usr/bin/getent passwd stunnel >/dev/null; then + %{_sbindir}/useradd -r -c "Daemon user for stunnel (universal SSL tunnel)" -g nogroup -s /bin/false \ + -d /var/lib/stunnel stunnel 2> /dev/null || : +fi + +%if 0%{?has_systemd} +%service_add_pre %{name}.service %endif -/usr/sbin/useradd $system_user -g nogroup -s /bin/false -c "Daemon user for stunnel (universal SSL tunnel)" \ - -d /var/lib/stunnel stunnel 2> /dev/null ||: %post +%if 0%{?has_systemd} +%service_add_post %{name}.service +%else %{fillup_and_insserv -f} +%endif %{fillup_only -ans syslog stunnel} -/sbin/ldconfig if ! test -s etc/stunnel/stunnel.conf; then - cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf - echo copying default config file to /etc/stunnel/stunnel.conf + cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf + echo copying default config file to /etc/stunnel/stunnel.conf fi # first installation? 
if [ ${FIRST_ARG:-0} = 1 ]; then if ! test -f etc/stunnel/stunnel.pem; then - cat usr/share/doc/packages/stunnel/README.%VENDOR + cat usr/share/doc/packages/stunnel/README.%VENDOR fi fi + + %preun -%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 +%if 0%{?has_systemd} +%service_del_preun %{name}.service +%else %stop_on_removal stunnel %endif %postun -%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 +%if 0%{?has_systemd} +%service_del_postun %{name}.service +%else %restart_on_update stunnel %insserv_cleanup %endif @@ -145,7 +166,6 @@ fi %doc README.%VENDOR %doc tools/ca.* %doc tools/importCA.* -%doc tools/stunnel.cnf %doc tools/stunnel.conf-sample %{_sbindir}/* %{_libdir}/stunnel @@ -160,11 +180,15 @@ fi %dir %attr(755,root,root) /var/lib/stunnel/var %dir %attr(755,stunnel,root) /var/lib/stunnel/var/run /var/adm/fillup-templates/sysconfig.syslog-stunnel +%if 0%{?has_systemd} +%_unitdir/stunnel.service +%else %config /etc/init.d/* +%endif %files doc %defattr(-,root,root) -%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog INSTALL NEWS PORTS +%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog NEWS PORTS %doc README TODO %doc doc/stunnel.html %doc doc/stunnel.*.html diff --git a/stunnel3-binpath.patch b/stunnel3-binpath.patch deleted file mode 100644 index 0394ab1..0000000 --- a/stunnel3-binpath.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- src/stunnel3.in -+++ src/stunnel3.in -@@ -22,7 +22,7 @@ - use Getopt::Std; - - # Configuration - path to stunnel (version >=4.05) --$stunnel_bin='@prefix@/bin/stunnel'; -+$stunnel_bin='@prefix@/sbin/stunnel'; - - # stunnel3 script body begins here - ($read_fd, $write_fd)=POSIX::pipe();
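Review bot: The new `install -D -m 0644 $RPM_SOURCE_DIR/stunnel.service …` line in %install reaches for `$RPM_SOURCE_DIR` while the lines just above it address sources as `%{S:1}`..`%{S:3}`; since the unit is declared as Source5 in this commit, `install -D -m 0644 %{S:5} $RPM_BUILD_ROOT%{_unitdir}/stunnel.service` keeps one convention and fails loudly if the Source numbering drifts. The %pre block now creates the account only when `getent passwd stunnel` finds none, which is an improvement, but it still sends useradd's stderr to /dev/null and ends with `|| :`, so a failed account creation is invisible and the `%attr(755,stunnel,root)` directories in %files quietly fall back to root ownership with only an rpm warning; dropping the redirection (keeping `|| :` if the scriptlet must not abort) makes that diagnosable. The `rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.pem` line disappears without explanation; if 5.00b1's `make install` still generates a self-signed stunnel.pem, that file is either unpackaged (build failure) or shipped with the same private key to every install, so a comment stating why the rm is no longer needed is worth adding.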