diff --git a/stunnel.README b/stunnel.README
index 4c5a5dc..0d467a0 100644
--- a/stunnel.README
+++ b/stunnel.README
@@ -2,9 +2,10 @@ To create a new certificate, execute the following OpenSSL command:
 
 (umask 077; \
 /usr/bin/openssl req -new -x509 -days 365 -nodes \
- -config /usr/share/doc/packages/stunnel/stunnel.cnf \
+ -config /usr/share/doc/packages/stunnel/openssl.cnf \
 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem)
 Starting with v4, stunnel uses a configuration file. Via the stunnel3 wrapper you can run stunnel with v3-style cmdline arguments.
+
diff --git a/stunnel.changes b/stunnel.changes
index 0545b6b..aa87e3b 100644
--- a/stunnel.changes
+++ b/stunnel.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Mar 10 08:28:06 UTC 2020 - Andreas Vetter
+
+- Fixup stunnel.conf handling:
+ * Remove old static openSUSE provided stunnel.conf.
+ * Use upstream stunnel.conf and tailor it for openSUSE using sed.
+ * Don't show README.openSUSE when installing.
+
+-------------------------------------------------------------------
+Thu Feb 27 10:14:30 UTC 2020 - Andreas Vetter
+
+- enable /etc/stunnel/conf.d
+- re-enable openssl.cnf
+
 -------------------------------------------------------------------
 Mon Feb 3 16:32:15 UTC 2020 - Dominique Leuenberger
 
diff --git a/stunnel.conf b/stunnel.conf
deleted file mode 100644
index 04ecf0f..0000000
--- a/stunnel.conf
+++ /dev/null
@@ -1,128 +0,0 @@
-# Sample stunnel configuration file
-# Copyright by Michal Trojnara 2002-2004
-# --with changes for SuSE package
-
-# client = yes | no
-# client mode (remote service uses SSL)
-# default: no (server mode)
-client = no
-
-#
-# chroot + user (comment out to disable)
-#
-chroot = /var/lib/stunnel/
-setuid = stunnel
-setgid = nogroup
-# note about the chroot feature and the "exec" keyword to start other services...
-# while the init script /etc/init.d/stunnel will copy the binaries and libraries
-# into the chroot jail, more files might be needed in the jail (configuration
-# files etc.)
-
-pid = /var/run/stunnel.pid
-
-#
-# debugging
-#
-#debug = 7
-#output = stunnel.log
-
-#
-# Some performance tunings
-#
-# disable Nagle algorithm (a.k.a. tinygram prevention, see man 7 tcp)
-socket = l:TCP_NODELAY=1
-socket = r:TCP_NODELAY=1
-#compression = rle
-
-# Workaround for Eudora bug
-#options = DONT_INSERT_EMPTY_FRAGMENTS
-
-# Authentication stuff
-#verify = 2
-# Don't forget to c_rehash CApath; CApath is located inside chroot jail:
-#CApath = /certs
-# It's often easier to use CAfile:
-#CAfile = /etc/stunnel/certs.pem
-# Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail:
-#CRLpath = /crls
-# Alternatively you can use CRLfile:
-#CRLfile = /etc/stunnel/crls.pem
-
-cert = /etc/stunnel/stunnel.pem
-
-
-#
-# Examples for service-level configuration:
-#
-
-# [pop3s]
-# accept = 995
-# connect = 110
-
-# [imaps]
-# accept = 993
-# connect = 143
-
-# [imaps]
-# accept = 993
-# exec = /usr/sbin/imapd
-# execargs = imapd
-# pty = no
-
-# [ssmtp]
-# accept = 465
-# connect = 25
-
-# [s1]
-# accept = 5000
-# connect = mail.example.com:110
-# delay = yes
-
-# [s2]
-# accept = 5001
-# connect = mail.example.com:25
-
-# [https]
-# accept = 443
-# connect = 80
-# TIMEOUTclose = 0
-
-# [swat]
-# accept = 902
-# connect = 901
-
-#
-# mysql over stunnel example:
-#
-# [mysqls] <-- on the server
-# accept = 3307
-# connect = localhost:mysql
-#
-# client = yes <-- on the client
-# [mysqls]
-# accept = 3307
-# connect = remote-mysql-server.example.com:3307
-#
-# Hint. Use the mysql client with "-h 127.0.0.1", not "-h localhost", because
-# "localhost" will mean it will go through the local socket and ignore the port.
-
-#
-# pppd over stunnel example:
-# (note: read http://sites.inka.de/sites/bigred/devel/tcp-tcp.html , and
-# look for better alternatives like cipe or openvpn.)
-#
-# [ppp] <-- on the server
-# accept = 2020
-# exec = /usr/sbin/pppd
-# execargs = pppd local
-# # the pty option doesn't work in chroot jail without further efforts
-# #pty = yes
-#
-#
-# [ppp] <-- on the "client"
-# connect = host.example.com:2020
-# exec = /usr/sbin/pppd
-# execargs = pppd local nodeflate nobsdcomp 192.168.20.20:192.168.20.21
-# # the pty option doesn't work in chroot jail without further efforts
-# #pty = yes
-
diff --git a/stunnel.service b/stunnel.service
index 998b3db..e853cca 100644
--- a/stunnel.service
+++ b/stunnel.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=SSL tunnel for network daemons
+Description=TLS tunnel for network daemons
 Wants=network-online.target
 After=syslog.target network-online.target
 
diff --git a/stunnel.spec b/stunnel.spec
index 25dc858..053a5f4 100644
--- a/stunnel.spec
+++ b/stunnel.spec
@@ -40,9 +40,10 @@ Requires(pre): /usr/sbin/useradd
 Name: stunnel
 Version: 5.55
 Release: 0
-Summary: Universal SSL Tunnel
+Summary: Universal TLS Tunnel
 License: GPL-2.0-or-later
 Group: Productivity/Networking/Security
+Recommends: stunnel-doc = %version
 URL: http://www.stunnel.org/
 Source: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz
 Source1: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc
@@ -50,7 +51,6 @@ Source2: stunnel.keyring
 Source3: sysconfig.syslog-stunnel
 Source4: stunnel.rc
 Source5: stunnel.service
-Source6: stunnel.conf
 Source7: stunnel.README
 BuildRequires: libopenssl-devel
 BuildRequires: tcpd-devel
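Review bot: `Recommends: stunnel-doc = %version` uses the bare `%version` form while every other reference in this file, including the `Source:` URLs in the same hunk and `Requires: stunnel = %{version}` in the doc subpackage, uses `%{version}`; write it as `Recommends: stunnel-doc = %{version}` for consistency. Since the later `%files` hunks strip all documentation from the main package, this soft dependency is what brings the sample material onto a default install, so it is worth keeping. The dropped `Source6: stunnel.conf` in the second hunk matches the deleted file and needs nothing further.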
@@ -64,16 +64,12 @@ Requires(pre): group(nogroup)
 %endif
 
 %description
-The stunnel program is designed to work as an SSL encryption wrapper
-between remote clients and local (inetd-startable) or remote
-servers. The concept is that, while having non-SSL aware daemons running on
-your system, you can set them to communicate with clients over a
-secure SSL channels. Stunnel can be used to add SSL functionality to
-commonly used inetd daemons, such as POP-2, POP-3, and IMAP servers
-without any changes to the program code.
+Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without
+any changes in the programs' code. Its architecture is optimized for security, portability, and
+scalability (including load-balancing), making it suitable for large deployments.
 
 %package doc
-Summary: Documentation for the universal SSL Tunnel
+Summary: Documentation for the universal TLS Tunnel
 Group: Documentation/Other
 Requires: stunnel = %{version}
 %if 0%{?suse_version} >= 1210
@@ -89,14 +85,14 @@ chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
 chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
 
 %build
-sed -i 's/-m 1770 -g nogroup//g' tools/Makefile.in
+sed -i 's/-m 1770//g' tools/Makefile.in
 %configure \
 %if 0%{?suse_version} == 1110
 --disable-fips \
 %endif
 --disable-static \
 --bindir=%{_sbindir}
-make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro"
+make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
 
 # connot do checks with 5.49, checks depend on ncat and network interaction
 #%check
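Review bot: `sed -i 's/-m 1770//g' tools/Makefile.in` in the second hunk has no check that the pattern was actually found, so if a later tarball spells the flag differently the edit becomes a silent no-op and the build still succeeds with a different install mode than intended; prefix it with `grep -q -- '-m 1770' tools/Makefile.in` so a version bump fails loudly instead. The old expression also stripped `-g nogroup` and the new one keeps it, so upstream's install step presumably now applies that group inside the buildroot — fine as long as the build host has the group (see `Requires(pre): group(nogroup)` in the first hunk's header), and the `%attr` entries in `%files` decide the packaged ownership anyway — but a one-line comment above the sed saying why only `-m 1770` is removed would help the next maintainer. Appending `-z,now` to LDADD turns the existing partial RELRO into full RELRO, which is a sound hardening step.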
@@ -109,8 +105,9 @@ make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro"
 make install DESTDIR=$RPM_BUILD_ROOT
 %endif
 
-cp -p %{SOURCE1} tools/stunnel.conf-sample.%{VENDORAFFIX}
-cp -p %{SOURCE7} README.%{VENDORAFFIX}
+mkdir -p %{buildroot}%{_docdir}
+mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/
+mkdir -p %{buildroot}%{_docdir}/stunnel/tools
 mkdir -p %{buildroot}%{_fillupdir}
 cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
 %if 0%{?has_systemd}
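Review bot: After this hunk nothing copies `%{SOURCE7}` any more, yet `Source7: stunnel.README` stays declared (context of the -50 hunk) and `%doc README.%{VENDORAFFIX}` is removed in the -173 hunk, so stunnel.README — which this same commit edits to point at openssl.cnf — is no longer installed anywhere; either drop `Source7` together with the file, or install it under `%{_docdir}/stunnel/` next to the upstream docs. `mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/` presumes that `%{_docdir}` differs from `%{_datadir}/doc` (on openSUSE it is `/usr/share/doc/packages`, so this holds); on an rpm where the two coincide the mv would fail, so a short comment stating that assumption is worthwhile. The enclosing %install section continues outside the hunk.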
@@ -121,14 +118,23 @@ mkdir -p %{buildroot}%{_initddir}/
 install -m 744 %{_sourcedir}/stunnel.rc %{buildroot}/%{_initddir}/stunnel
 ln -s ../..%{_initddir}/stunnel %{buildroot}%{_sbindir}/rcstunnel
 %endif
-mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample tools/stunnel.conf-sample
+sed -i "s/^;setuid = nobody/setuid = stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;setgid =/setgid =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;include =/include =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i '/gmail-pop3/,+25 s/^./;&/' %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/; Sample stunnel/# Sample stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+sed -i "s/^;/#/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
+mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf
+
 find %{buildroot} -type f -name "*.la" -delete -print
 rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL
 rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.WCE
 rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32
-rm -rf %{buildroot}%{_docdir}/stunnel/tools/stunnel.cnf
-rm -rf %{buildroot}%{_datadir}/doc/stunnel
+rm -rf %{buildroot}%{_docdir}/stunnel/ca-certs.pem
+rm -rf %{buildroot}%{_docdir}/stunnel/plugins/
+
 mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run}
+install -d %{buildroot}%{_sysconfdir}/%{name}/conf.d
 
 %pre
 if ! %{_bindir}/getent passwd stunnel >/dev/null; then
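Review bot: The privilege drop of the installed service now hinges on `sed -i "s/^;setuid = nobody/setuid = stunnel/"` matching upstream's sample line byte for byte; if a future tarball rewords it the substitution is a silent no-op, the shipped stunnel.conf keeps `setuid` commented out and stunnel keeps running as root, with no build failure to flag it. After the last sed, assert the outcome, e.g. `grep -q '^setuid = stunnel$' %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf` and the same for `^setgid =` and `^include =`, so the package build fails instead. The `'/gmail-pop3/,+25 s/^./;&/'` range is a magic count tied to the current layout of the sample's example services; a comment naming the block it comments out (or ending the range at the next section header rather than at +25) would make the next version bump safer. `s/; Sample stunnel/# Sample stunnel/` appears redundant with the following `s/^;/#/` if that header starts at column 0; dropping it removes one more upstream-specific assumption.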
@@ -147,14 +153,6 @@ fi
 %{fillup_and_insserv -f}
 %endif
 %{fillup_only -ans syslog stunnel}
-if ! test -s etc/stunnel/stunnel.conf; then
- cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf
- echo copying default config file to %{_sysconfdir}/stunnel/stunnel.conf
-fi
-# first installation?
-if [ $1 = 1 ] && [ ! -f etc/stunnel/stunnel.pem ]; then
- cat usr/share/doc/packages/stunnel/README.%{VENDORAFFIX}
-fi
 
 %preun
 %if 0%{?has_systemd}
@@ -173,15 +171,12 @@ fi
 
 %files
 %defattr(-,root,root)
-%doc COPYING COPYRIGHT.GPL CREDITS
-%doc README.%{VENDORAFFIX}
-%doc tools/ca.*
-%doc tools/importCA.*
-%doc tools/stunnel.conf-sample
 %{_sbindir}/*
-%{_libdir}/stunnel
+%{_libdir}/%{name}/
 %{_mandir}/man8/*
-%dir %attr(700,root,root) %{_sysconfdir}/stunnel
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}/
+%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d
+%config %{_sysconfdir}/%{name}/stunnel.conf
 %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
 %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
 %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
@@ -199,11 +194,6 @@ fi
 
 %files doc
 %defattr(-,root,root)
-%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog NEWS PORTS
-%doc README TODO
-%doc doc/stunnel.html
-%doc doc/stunnel.*.html
-%doc doc/en/*
-%doc doc/pl
+%doc %{_docdir}/%{name}
 
 %changelog
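Review bot: `%config %{_sysconfdir}/%{name}/stunnel.conf` in the -173 hunk lets a package upgrade replace a locally edited /etc/stunnel/stunnel.conf (the administrator's copy is moved aside as .rpmsave), and since that file now carries the `setuid`/`setgid` and `include` settings generated in %install, `%config(noreplace) %{_sysconfdir}/%{name}/stunnel.conf` is the safer choice so site changes survive upgrades. `%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d` contains a doubled slash; rpm likely normalises it, but it should read `%{_sysconfdir}/%{name}/conf.d` to match the `install -d` line in %install. With `%doc COPYING COPYRIGHT.GPL CREDITS` removed the main package ships no licence text at all — only stunnel-doc does via `%doc %{_docdir}/%{name}` in the -199 hunk — so add `%license COPYING` (or `%doc COPYING` on rpm versions without `%license`) to the main %files so the licence travels with the binary.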