pool/stunnel
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 783872 from security:Stunnel

Browse Source 
- Fixup stunnel.conf handling:
  * Remove old static openSUSE provided stunnel.conf.
  * Use upstream stunnel.conf and tailor it for openSUSE using sed.
  * Don't show README.openSUSE when installing.
- enable /etc/stunnel/conf.d
- re-enable openssl.cnf

OBS-URL: https://build.opensuse.org/request/show/783872
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/stunnel?expand=0&rev=17
This commit is contained in:
Dominique Leuenberger 2020-03-11 17:55:33 +00:00 committed by Git OBS Bridge
commit d95c1925a6
5 changed files with 45 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
stunnel.README
View File

@ -2,9 +2,10 @@
To create a new certificate, execute the following OpenSSL command: To create a new certificate, execute the following OpenSSL command:
(umask 077; \ (umask 077; \
/usr/bin/openssl req -new -x509 -days 365 -nodes \ /usr/bin/openssl req -new -x509 -days 365 -nodes \
-config /usr/share/doc/packages/stunnel/stunnel.cnf \ -config /usr/share/doc/packages/stunnel/openssl.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem) -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem)
Starting with v4, stunnel uses a configuration file. Starting with v4, stunnel uses a configuration file.
Via the stunnel3 wrapper you can run stunnel with v3-style cmdline arguments. Via the stunnel3 wrapper you can run stunnel with v3-style cmdline arguments.

14
stunnel.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Mar 10 08:28:06 UTC 2020 - Andreas Vetter <vetter@physik.uni-wuerzburg.de>
- Fixup stunnel.conf handling:
* Remove old static openSUSE provided stunnel.conf.
* Use upstream stunnel.conf and tailor it for openSUSE using sed.
* Don't show README.openSUSE when installing.
-------------------------------------------------------------------
Thu Feb 27 10:14:30 UTC 2020 - Andreas Vetter <vetter@physik.uni-wuerzburg.de>
- enable /etc/stunnel/conf.d
- re-enable openssl.cnf
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 3 16:32:15 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org> Mon Feb 3 16:32:15 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

128
stunnel.conf
View File

@ -1,128 +0,0 @@
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002-2004
# --with changes for SuSE package
# client = yes | no
# client mode (remote service uses SSL)
# default: no (server mode)
client = no
#
# chroot + user (comment out to disable)
#
chroot = /var/lib/stunnel/
setuid = stunnel
setgid = nogroup
# note about the chroot feature and the "exec" keyword to start other services...
# while the init script /etc/init.d/stunnel will copy the binaries and libraries
# into the chroot jail, more files might be needed in the jail (configuration
# files etc.)
pid = /var/run/stunnel.pid
#
# debugging
#
#debug = 7
#output = stunnel.log
#
# Some performance tunings
#
# disable Nagle algorithm (a.k.a. tinygram prevention, see man 7 tcp)
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#compression = rle
# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS
# Authentication stuff
#verify = 2
# Don't forget to c_rehash CApath; CApath is located inside chroot jail:
#CApath = /certs
# It's often easier to use CAfile:
#CAfile = /etc/stunnel/certs.pem
# Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail:
#CRLpath = /crls
# Alternatively you can use CRLfile:
#CRLfile = /etc/stunnel/crls.pem
cert = /etc/stunnel/stunnel.pem
#
# Examples for service-level configuration:
#
# [pop3s]
# accept = 995
# connect = 110
# [imaps]
# accept = 993
# connect = 143
# [imaps]
# accept = 993
# exec = /usr/sbin/imapd
# execargs = imapd
# pty = no
# [ssmtp]
# accept = 465
# connect = 25
# [s1]
# accept = 5000
# connect = mail.example.com:110
# delay = yes
# [s2]
# accept = 5001
# connect = mail.example.com:25
# [https]
# accept = 443
# connect = 80
# TIMEOUTclose = 0
# [swat]
# accept = 902
# connect = 901
#
# mysql over stunnel example:
#
# [mysqls] <-- on the server
# accept = 3307
# connect = localhost:mysql
#
# client = yes <-- on the client
# [mysqls]
# accept = 3307
# connect = remote-mysql-server.example.com:3307
#
# Hint. Use the mysql client with "-h 127.0.0.1", not "-h localhost", because
# "localhost" will mean it will go through the local socket and ignore the port.
#
# pppd over stunnel example:
# (note: read http://sites.inka.de/sites/bigred/devel/tcp-tcp.html , and
# look for better alternatives like cipe or openvpn.)
#
# [ppp] <-- on the server
# accept = 2020
# exec = /usr/sbin/pppd
# execargs = pppd local
# # the pty option doesn't work in chroot jail without further efforts
# #pty = yes
#
#
# [ppp] <-- on the "client"
# connect = host.example.com:2020
# exec = /usr/sbin/pppd
# execargs = pppd local nodeflate nobsdcomp 192.168.20.20:192.168.20.21
# # the pty option doesn't work in chroot jail without further efforts
# #pty = yes

2
stunnel.service
View File

@ -1,5 +1,5 @@
[Unit] [Unit]
Description=SSL tunnel for network daemons Description=TLS tunnel for network daemons
Wants=network-online.target Wants=network-online.target
After=syslog.target network-online.target After=syslog.target network-online.target

66
stunnel.spec
View File

@ -40,9 +40,10 @@ Requires(pre): /usr/sbin/useradd
Name: stunnel Name: stunnel
Version: 5.55 Version: 5.55
Release: 0 Release: 0
Summary: Universal SSL Tunnel Summary: Universal TLS Tunnel
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Recommends: stunnel-doc = %version
URL: http://www.stunnel.org/ URL: http://www.stunnel.org/
Source: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz Source: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc Source1: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc
@ -50,7 +51,6 @@ Source2: stunnel.keyring
Source3: sysconfig.syslog-stunnel Source3: sysconfig.syslog-stunnel
Source4: stunnel.rc Source4: stunnel.rc
Source5: stunnel.service Source5: stunnel.service
Source6: stunnel.conf
Source7: stunnel.README Source7: stunnel.README
BuildRequires: libopenssl-devel BuildRequires: libopenssl-devel
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
@ -64,16 +64,12 @@ Requires(pre): group(nogroup)
%endif %endif
%description %description
The stunnel program is designed to work as an SSL encryption wrapper Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without
between remote clients and local (inetd-startable) or remote any changes in the programs' code. Its architecture is optimized for security, portability, and
servers. The concept is that, while having non-SSL aware daemons running on scalability (including load-balancing), making it suitable for large deployments.
your system, you can set them to communicate with clients over a
secure SSL channels. Stunnel can be used to add SSL functionality to
commonly used inetd daemons, such as POP-2, POP-3, and IMAP servers
without any changes to the program code.
%package doc %package doc
Summary: Documentation for the universal SSL Tunnel Summary: Documentation for the universal TLS Tunnel
Group: Documentation/Other Group: Documentation/Other
Requires: stunnel = %{version} Requires: stunnel = %{version}
%if 0%{?suse_version} >= 1210 %if 0%{?suse_version} >= 1210
@ -89,14 +85,14 @@ chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.* chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
%build %build
sed -i 's/-m 1770 -g nogroup//g' tools/Makefile.in sed -i 's/-m 1770//g' tools/Makefile.in
%configure \ %configure \
%if 0%{?suse_version} == 1110 %if 0%{?suse_version} == 1110
--disable-fips \ --disable-fips \
%endif %endif
--disable-static \ --disable-static \
--bindir=%{_sbindir} --bindir=%{_sbindir}
make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro" make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
# connot do checks with 5.49, checks depend on ncat and network interaction # connot do checks with 5.49, checks depend on ncat and network interaction
#%check #%check
@ -109,8 +105,9 @@ make %{?_smp_mflags} LDADD="-pie -Wl,-z,defs,-z,relro"
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
%endif %endif
cp -p %{SOURCE1} tools/stunnel.conf-sample.%{VENDORAFFIX} mkdir -p %{buildroot}%{_docdir}
cp -p %{SOURCE7} README.%{VENDORAFFIX} mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/
mkdir -p %{buildroot}%{_docdir}/stunnel/tools
mkdir -p %{buildroot}%{_fillupdir} mkdir -p %{buildroot}%{_fillupdir}
cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/ cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
%if 0%{?has_systemd} %if 0%{?has_systemd}
@ -121,14 +118,23 @@ mkdir -p %{buildroot}%{_initddir}/
install -m 744 %{_sourcedir}/stunnel.rc %{buildroot}/%{_initddir}/stunnel install -m 744 %{_sourcedir}/stunnel.rc %{buildroot}/%{_initddir}/stunnel
ln -s ../..%{_initddir}/stunnel %{buildroot}%{_sbindir}/rcstunnel ln -s ../..%{_initddir}/stunnel %{buildroot}%{_sbindir}/rcstunnel
%endif %endif
mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample tools/stunnel.conf-sample sed -i "s/^;setuid = nobody/setuid = stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/^;setgid =/setgid =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/^;include =/include =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i '/gmail-pop3/,+25 s/^./;&/' %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/; Sample stunnel/# Sample stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/^;/#/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL
rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.WCE rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.WCE
rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32 rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32
rm -rf %{buildroot}%{_docdir}/stunnel/tools/stunnel.cnf rm -rf %{buildroot}%{_docdir}/stunnel/ca-certs.pem
rm -rf %{buildroot}%{_datadir}/doc/stunnel rm -rf %{buildroot}%{_docdir}/stunnel/plugins/
mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run} mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run}
install -d %{buildroot}%{_sysconfdir}/%{name}/conf.d
%pre %pre
if ! %{_bindir}/getent passwd stunnel >/dev/null; then if ! %{_bindir}/getent passwd stunnel >/dev/null; then
@ -147,14 +153,6 @@ fi
%{fillup_and_insserv -f} %{fillup_and_insserv -f}
%endif %endif
%{fillup_only -ans syslog stunnel} %{fillup_only -ans syslog stunnel}
if ! test -s etc/stunnel/stunnel.conf; then
cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf
echo copying default config file to %{_sysconfdir}/stunnel/stunnel.conf
fi
# first installation?
if [ $1 = 1 ] && [ ! -f etc/stunnel/stunnel.pem ]; then
cat usr/share/doc/packages/stunnel/README.%{VENDORAFFIX}
fi
%preun %preun
%if 0%{?has_systemd} %if 0%{?has_systemd}
@ -173,15 +171,12 @@ fi
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc COPYING COPYRIGHT.GPL CREDITS
%doc README.%{VENDORAFFIX}
%doc tools/ca.*
%doc tools/importCA.*
%doc tools/stunnel.conf-sample
%{_sbindir}/* %{_sbindir}/*
%{_libdir}/stunnel %{_libdir}/%{name}/
%{_mandir}/man8/* %{_mandir}/man8/*
%dir %attr(700,root,root) %{_sysconfdir}/stunnel %dir %attr(700,root,root) %{_sysconfdir}/%{name}/
%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d
%config %{_sysconfdir}/%{name}/stunnel.conf
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir} %dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
@ -199,11 +194,6 @@ fi
%files doc %files doc
%defattr(-,root,root) %defattr(-,root,root)
%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog NEWS PORTS %doc %{_docdir}/%{name}
%doc README TODO
%doc doc/stunnel.html
%doc doc/stunnel.*.html
%doc doc/en/*
%doc doc/pl
%changelog %changelog