pool/stunnel
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- - Update to version 5.0b1 (FATE#315694)

Browse Source 
- Default "pid" is now "", i.e. not to create a pid file at startup.
  - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to
    AlFBPPS attack and bad performance of DH ciphersuites. 
  - New service-level option "redirect" to redirect SSL client connections on
    authentication failures instead of rejecting them.
  - New global "engineDefault" configuration file option to control which
    OpenSSL tasks are delegated to the current engine.
  - New service-level configuration file option "engineId" to select the engine
    by identifier, e.g. "engineId = capi". 
  - Improved readability of error messages printed when stunnel refuses to start
    due to a critical error.
- Patches:
  - stunnel-CVE-2013-1762.patch obsoleted. Drpped.
  - stunnel-default-fips-off.patch obsoleted. Dropped.
  - stunnel-listenqueue-option.patch refreshed.
- update to version 4.56

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=62
This commit is contained in:
Daniel Rahn 2014-01-29 16:56:32 +00:00 committed by Git OBS Bridge
parent 4c843518d3
commit 5fada29b31
8 changed files with 97 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
stunnel-4.56.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9cae2cfbe26d87443398ce50d7d5db54e5ea363889d5d2ec8d2778a01c871293
size 540032

3
stunnel-5.00b1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8d58708d075b75fd999815a85c4378c76a5c6f87b7d0b30846bb52f566e2e8cd
size 468718

31
stunnel-daemonize.diff
View File

@ -1,31 +0,0 @@
--- src/stunnel.c
+++ src/stunnel.c
@@ -429,8 +429,8 @@
}
static int daemonize(int fd) { /* go to background */
- if(global_options.option.foreground)
- return 0;
+ if(!(global_options.option.foreground))
+ {
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
@@ -441,6 +441,7 @@
ioerror("daemon");
return 1;
}
+
#else
chdir("/");
switch(fork()) {
@@ -456,7 +457,9 @@
#ifdef HAVE_SETSID
setsid(); /* ignore the error */
#endif
+ }
return 0;
+
}
static int create_pid(void) {

36
stunnel-listenqueue-option.patch
View File

@ -1,14 +1,12 @@
Index: src/options.c --- src/options.c
===================================================================
--- src/options.c.orig
+++ src/options.c +++ src/options.c
@@ -1535,6 +1535,25 @@ static char *parse_service_option(CMD cm @@ -1218,6 +1218,24 @@
break; break;
} }
+ /* listenqueue */ + /* listenqueue option */
+ switch(cmd) { + switch(cmd) {
+ case CMD_INIT: + case CMD_BEGIN:
+ section->listenqueue=SOMAXCONN; + section->listenqueue=SOMAXCONN;
+ break; + break;
+ case CMD_EXEC: + case CMD_EXEC:
@ -20,31 +18,26 @@ Index: src/options.c
+ s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN); + s_log(LOG_NOTICE, "%-15s = %d", "listenqueue", SOMAXCONN);
+ break; + break;
+ case CMD_HELP: + case CMD_HELP:
+ s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending onnections may grow to (max SOMAXCONN)", "listenqueue"); + s_log(LOG_NOTICE, "%-15s = defines the maximum length the queue of pending connections may grow to (max SOMAXCONN)", "listenqueue");
+ break; + break;
+ } + }
+ +
+ #ifdef HAVE_OSSL_OCSP_H
if(cmd==CMD_EXEC)
return option_not_found; /* OCSP */
return NULL; /* OK */ --- src/prototypes.h
Index: src/prototypes.h
===================================================================
--- src/prototypes.h.orig
+++ src/prototypes.h +++ src/prototypes.h
@@ -170,6 +170,7 @@ typedef struct service_options_struct { @@ -183,6 +183,7 @@
int timeout_close; /* maximum close_notify time */ int timeout_close; /* maximum close_notify time */
int timeout_connect; /* maximum connect() time */ int timeout_connect; /* maximum connect() time */
int timeout_idle; /* maximum idle connection time */ int timeout_idle; /* maximum idle connection time */
+ int listenqueue; /* Listen backlog */ + int listenqueue; /* Listen backlog */
enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */ enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */
/* service-specific data for protocol.c */ /* service-specific data for protocol.c */
Index: src/stunnel.c --- src/stunnel.c
===================================================================
--- src/stunnel.c.orig
+++ src/stunnel.c +++ src/stunnel.c
@@ -363,7 +363,7 @@ @@ -410,7 +410,7 @@
str_free(local_address); str_free(local_address);
return 1; return 1;
} }
@ -52,5 +45,4 @@ Index: src/stunnel.c
+ if(listen(opt->fd, opt->listenqueue)) { + if(listen(opt->fd, opt->listenqueue)) {
sockerror("listen"); sockerror("listen");
closesocket(opt->fd); closesocket(opt->fd);
str_free(local_address); opt->fd=-1;

23
stunnel.changes
View File

@ -1,7 +1,28 @@
-------------------------------------------------------------------
Wed Jan 29 16:23:28 UTC 2014 - drahn@suse.com
- - Update to version 5.0b1 (FATE#315694)
- Default "pid" is now "", i.e. not to create a pid file at startup.
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to
AlFBPPS attack and bad performance of DH ciphersuites.
- New service-level option "redirect" to redirect SSL client connections on
authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control which
OpenSSL tasks are delegated to the current engine.
- New service-level configuration file option "engineId" to select the engine
by identifier, e.g. "engineId = capi".
- Improved readability of error messages printed when stunnel refuses to start
due to a critical error.
- Patches:
- stunnel-CVE-2013-1762.patch obsoleted. Drpped.
- stunnel-default-fips-off.patch obsoleted. Dropped.
- stunnel-listenqueue-option.patch refreshed.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Nov 1 15:34:45 UTC 2013 - michael@stroeder.com Fri Nov 1 15:34:45 UTC 2013 - michael@stroeder.com
- update to version 4.56 with important security fix! - update to version 4.56
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 23 09:17:13 UTC 2012 - drahn@suse.com Mon Jul 23 09:17:13 UTC 2012 - drahn@suse.com

10
stunnel.service Normal file
View File

@ -0,0 +1,10 @@
[Unit]
Description=SSL tunnel for network daemons
After=syslog.target
[Service]
ExecStart=/usr/sbin/stunnel
Type=forking
[Install]
WantedBy=multi-user.target

72
stunnel.spec
View File

@ -19,7 +19,7 @@ BuildRequires: gcc-c++ tcp_wrappers
%endif %endif
Summary: Universal SSL Tunnel Summary: Universal SSL Tunnel
License: GNU Library General Public License v. 2.0 and 2.1 (LGPL) License: GNU Library General Public License v. 2.0 and 2.1 (LGPL)
Version: 4.56 Version: 5.00b1
Release: 0 Release: 0
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
URL: http://www.stunnel.org/ URL: http://www.stunnel.org/
@ -27,17 +27,22 @@ Autoreqprov: on
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 800 %if %{?suse_version:%suse_version}%{?!suse_version:0} > 800
PreReq: /usr/sbin/useradd fileutils textutils %insserv_prereq %fillup_prereq PreReq: /usr/sbin/useradd fileutils textutils %insserv_prereq %fillup_prereq
%endif %endif
Source: ftp://ftp.stunnel.org/stunnel/%{name}-%{version}.tar.gz Source: ftp://ftp.stunnel.org/stunnel/%{name}-%{version}.tar.bz2
Source1: stunnel.conf Source1: stunnel.conf
Source2: stunnel.README Source2: stunnel.README
Source3: sysconfig.syslog-stunnel Source3: sysconfig.syslog-stunnel
Source4: stunnel.rc Source4: stunnel.rc
Source5: stunnel.service
Patch0: stunnel-listenqueue-option.patch Patch0: stunnel-listenqueue-option.patch
Patch1: stunnel3-binpath.patch
Patch2: stunnel-daemonize.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define VENDOR SUSE BuildRequires: openssl openssl-devel zlib-devel
BuildRequires: tcpd-devel
%define VENDOR openSUSE
%if 0%{?suse_version} >= 1210
BuildRequires: systemd
%{?systemd_requires}
%define has_systemd 1
%endif
%description %description
The stunnel program is designed to work as an SSL encryption wrapper The stunnel program is designed to work as an SSL encryption wrapper
@ -59,10 +64,8 @@ This package contains additional documentation of the universal SSL tunnel
stunnel. stunnel.
%prep %prep
%setup -q %setup -q -n stunnel-5.00
# %patch0 -p0 %patch0 -p0
%patch1 -p0
%patch2 -p0
%build %build
#autoreconf -fi #autoreconf -fi
@ -95,46 +98,64 @@ make \
cp -p %{S:1} tools/stunnel.conf-sample cp -p %{S:1} tools/stunnel.conf-sample
cp -p %{S:2} README.%VENDOR cp -p %{S:2} README.%VENDOR
cp -p %{S:3} $RPM_BUILD_ROOT/var/adm/fillup-templates/ cp -p %{S:3} $RPM_BUILD_ROOT/var/adm/fillup-templates/
%if 0%{?has_systemd}
install -D -m 0644 $RPM_SOURCE_DIR/stunnel.service $RPM_BUILD_ROOT/%_unitdir/stunnel.service
%else
install -m 744 $RPM_SOURCE_DIR/stunnel.rc $RPM_BUILD_ROOT/etc/init.d/stunnel install -m 744 $RPM_SOURCE_DIR/stunnel.rc $RPM_BUILD_ROOT/etc/init.d/stunnel
ln -s ../../etc/init.d/stunnel $RPM_BUILD_ROOT/usr/sbin/rcstunnel ln -s ../../etc/init.d/stunnel $RPM_BUILD_ROOT/usr/sbin/rcstunnel
ln -s stunnel3 $RPM_BUILD_ROOT/usr/sbin/stunnel3_wrapper %endif
mv $RPM_BUILD_ROOT/%{_bindir}/* $RPM_BUILD_ROOT/%{_sbindir} mv $RPM_BUILD_ROOT/%{_bindir}/* $RPM_BUILD_ROOT/%{_sbindir}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.pem
rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.conf-sample rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.conf-sample
rm $RPM_BUILD_ROOT/%{_libdir}/stunnel/*.la
rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/stunnel/INSTALL
rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/stunnel/INSTALL.WCE
rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/stunnel/INSTALL.W32
rm -rf $RPM_BUILD_ROOT/usr/share/doc/stunnel rm -rf $RPM_BUILD_ROOT/usr/share/doc/stunnel
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%pre %pre
%if 0%{?suse_version} > 730 if ! /usr/bin/getent passwd stunnel >/dev/null; then
system_user=-r %{_sbindir}/useradd -r -c "Daemon user for stunnel (universal SSL tunnel)" -g nogroup -s /bin/false \
-d /var/lib/stunnel stunnel 2> /dev/null || :
fi
%if 0%{?has_systemd}
%service_add_pre %{name}.service
%endif %endif
/usr/sbin/useradd $system_user -g nogroup -s /bin/false -c "Daemon user for stunnel (universal SSL tunnel)" \
-d /var/lib/stunnel stunnel 2> /dev/null ||:
%post %post
%if 0%{?has_systemd}
%service_add_post %{name}.service
%else
%{fillup_and_insserv -f} %{fillup_and_insserv -f}
%endif
%{fillup_only -ans syslog stunnel} %{fillup_only -ans syslog stunnel}
/sbin/ldconfig
if ! test -s etc/stunnel/stunnel.conf; then if ! test -s etc/stunnel/stunnel.conf; then
cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf
echo copying default config file to /etc/stunnel/stunnel.conf echo copying default config file to /etc/stunnel/stunnel.conf
fi fi
# first installation? # first installation?
if [ ${FIRST_ARG:-0} = 1 ]; then if [ ${FIRST_ARG:-0} = 1 ]; then
if ! test -f etc/stunnel/stunnel.pem; then if ! test -f etc/stunnel/stunnel.pem; then
cat usr/share/doc/packages/stunnel/README.%VENDOR cat usr/share/doc/packages/stunnel/README.%VENDOR
fi fi
fi fi
%preun %preun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 %if 0%{?has_systemd}
%service_del_preun %{name}.service
%else
%stop_on_removal stunnel %stop_on_removal stunnel
%endif %endif
%postun %postun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820 %if 0%{?has_systemd}
%service_del_postun %{name}.service
%else
%restart_on_update stunnel %restart_on_update stunnel
%insserv_cleanup %insserv_cleanup
%endif %endif
@ -145,7 +166,6 @@ fi
%doc README.%VENDOR %doc README.%VENDOR
%doc tools/ca.* %doc tools/ca.*
%doc tools/importCA.* %doc tools/importCA.*
%doc tools/stunnel.cnf
%doc tools/stunnel.conf-sample %doc tools/stunnel.conf-sample
%{_sbindir}/* %{_sbindir}/*
%{_libdir}/stunnel %{_libdir}/stunnel
@ -160,11 +180,15 @@ fi
%dir %attr(755,root,root) /var/lib/stunnel/var %dir %attr(755,root,root) /var/lib/stunnel/var
%dir %attr(755,stunnel,root) /var/lib/stunnel/var/run %dir %attr(755,stunnel,root) /var/lib/stunnel/var/run
/var/adm/fillup-templates/sysconfig.syslog-stunnel /var/adm/fillup-templates/sysconfig.syslog-stunnel
%if 0%{?has_systemd}
%_unitdir/stunnel.service
%else
%config /etc/init.d/* %config /etc/init.d/*
%endif
%files doc %files doc
%defattr(-,root,root) %defattr(-,root,root)
%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog INSTALL NEWS PORTS %doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog NEWS PORTS
%doc README TODO %doc README TODO
%doc doc/stunnel.html %doc doc/stunnel.html
%doc doc/stunnel.*.html %doc doc/stunnel.*.html

11
stunnel3-binpath.patch
View File

@ -1,11 +0,0 @@
--- src/stunnel3.in
+++ src/stunnel3.in
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@prefix@/bin/stunnel';
+$stunnel_bin='@prefix@/sbin/stunnel';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();