- Update to version 5.74:

* Bugfixes
    - Fixed a stapling cache deallocation crash.
    - Fixed "redirect" with protocol negotiation.
  * Features
    - "protocolHost" support for "socks" protocol clients.
    - More detailed logs in OpenSSL 3.0 or later.

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=178
This commit is contained in:
Andreas Vetter 2025-01-07 10:53:04 +00:00 committed by Git OBS Bridge
commit dfcdb1687f
18 changed files with 2502 additions and 0 deletions

23
.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file

@ -0,0 +1 @@
.osc

@ -0,0 +1,24 @@
Index: stunnel-5.69/tools/stunnel.service.in
===================================================================
--- stunnel-5.69.orig/tools/stunnel.service.in
+++ stunnel-5.69/tools/stunnel.service.in
@@ -4,6 +4,19 @@ After=syslog.target network-online.targe
Wants=syslog.target network-online.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
LimitNOFILE=20480
ExecStart=@bindir@/stunnel
ExecReload=/bin/kill -HUP $MAINPID

@ -0,0 +1,12 @@
Index: stunnel-5.69/tools/stunnel.service.in
===================================================================
--- stunnel-5.69.orig/tools/stunnel.service.in
+++ stunnel-5.69/tools/stunnel.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=TLS tunnel for network daemons
After=syslog.target network-online.target
+Wants=syslog.target network-online.target
[Service]
LimitNOFILE=20480

@ -0,0 +1,114 @@
From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch
Patch-name: stunnel-5.69-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/ctx.c | 34 ++++++++++++++++++++++------------
src/options.c | 15 +++++++++++----
src/prototypes.h | 3 +++
3 files changed, 36 insertions(+), 16 deletions(-)
Index: stunnel-5.72/src/ctx.c
===================================================================
--- stunnel-5.72.orig/src/ctx.c
+++ stunnel-5.72/src/ctx.c
@@ -163,19 +163,29 @@ int context_init(SERVICE_OPTIONS *sectio
/* set supported protocol versions */
#if OPENSSL_VERSION_NUMBER>=0x10100000L
- if(section->min_proto_version &&
- !SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+ " crypto policies. Not setting explicitly.");
+ } else {
+ if(section->min_proto_version &&
+ !SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
}
- if(section->max_proto_version &&
- !SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+ " crypto policies. Not setting explicitly");
+ } else {
+ if(section->max_proto_version &&
+ !SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
}
#endif /* OPENSSL_VERSION_NUMBER>=0x10100000L */
Index: stunnel-5.72/src/options.c
===================================================================
--- stunnel-5.72.orig/src/options.c
+++ stunnel-5.72/src/options.c
@@ -3429,8 +3429,9 @@ NOEXPORT const char *parse_service_optio
return "Invalid protocol version";
return NULL; /* OK */
case CMD_INITIALIZE:
- if(section->max_proto_version && section->min_proto_version &&
- section->max_proto_version<section->min_proto_version)
+ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+ && section->max_proto_version<section->min_proto_version)
return "Invalid protocol version range";
break;
case CMD_PRINT_DEFAULTS:
@@ -3448,7 +3449,10 @@ NOEXPORT const char *parse_service_optio
/* sslVersionMax */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
break;
case CMD_SET_COPY:
section->max_proto_version=new_service_options.max_proto_version;
@@ -3479,7 +3483,10 @@ NOEXPORT const char *parse_service_optio
/* sslVersionMin */
switch(cmd) {
case CMD_SET_DEFAULTS:
- section->min_proto_version=0; /* lowest supported */
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
break;
case CMD_SET_COPY:
section->min_proto_version=new_service_options.min_proto_version;
Index: stunnel-5.72/src/prototypes.h
===================================================================
--- stunnel-5.72.orig/src/prototypes.h
+++ stunnel-5.72/src/prototypes.h
@@ -956,6 +956,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
ICON_IMAGE load_icon_file(const char *);
#endif
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
#endif /* defined PROTOTYPES_H */
/* end of prototypes.h */

@ -0,0 +1,37 @@
From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sprasad@localhost.localdomain>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies
On Fedora, CentOS and RHEL, the system's crypto policies are the best
source to determine which cipher suites to accept in TLS. On these
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
policies. Change stunnel to default to this setting.
Co-Authored-by: Sahana Prasad <shebburn@redhat.com>
Patch-name: stunnel-5.69-system-ciphers.patch
Patch-id: 3
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
src/options.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/options.c b/src/options.c
index 6e4a18b..4d31815 100644
--- a/src/options.c
+++ b/src/options.c
@@ -321,9 +321,9 @@ static const char *option_not_found=
"Specified option name is not valid here";
static const char *stunnel_cipher_list=
- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
static const char *fips_cipher_list=
- "FIPS:!DH:!kDHEPSK";
+ "PROFILE=SYSTEM";
#ifndef OPENSSL_NO_TLS1_3
static const char *stunnel_ciphersuites=
--
2.39.2

BIN
stunnel-5.72.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
stunnel-5.72.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmXAl5kACgkQLvx/8NQW
4BSnAxAAxC0u/yksf+byWhqkl1txYaZ7tKv6sg8QramWhyCpnlEtBgxCP3I3baae
PQm5HkVgOHNSFNhzrIApEeaXJle4rgH7T+uRkl5mThWYMf47h55Ll70BBg3Mpsjz
iwubuWllA4cyEbd2yWYl1MTzcSxY8F05otQdg+vwIxrHNF26k+pvnYUfBJiw6/7V
1exig3ZF03umSGM/8JTRdkJw4oKxgWR0nvAY6s6C28Hs6ok+700r40pDinmQgYyC
Sb1DC2/SAjFhs8vlxUBtgWCLTQk/uGKWXUjPoG2KqQyhKMfY3ntZT3D9iOWpvC/p
vvZbd3k27a8/D4CyBiBSh+L/bZtOgdZrDPCDxbf2EG1zC8mBjA8A8NIzMVL0D3UL
FHKpPBpw5RMy7Zbrwn59ggVoTSJS8Bcr1khmUjpyTpCnbTOSdsIhFDG5EtPOkJoT
k/6qXMxFAUL8EX3PlPjMSSs8aPWB7BqSEowRYbMGxG7Iqr+z56LiTdGjra+JY6Pv
FrLHHqGB9Hh3YIYbbf5O61DkXNeDVEZlqd03CI5Q9v5r9OKnIdzg4NM3XJ2hBUf4
PuYKWMhg2gZTwTuQtEV7Py+52sbqdiKCiWyQy3P8vRV/RwKuu/+2vPsxUIxULFEV
0FSBp+BPuM/FPiYwqNam/C67qHZ03jndiOgsTRapsJnAFKT/nXQ=
=vtS5
-----END PGP SIGNATURE-----

BIN
stunnel-5.73.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
stunnel-5.73.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmbfHo0ACgkQLvx/8NQW
4BQATxAA031vYjFzvaH2h+70nmDRd0sUXyxavkDM+7GQgyMULvAcyG5z697zfuS7
eGW2Bo4/3Ztv8CsvCUyOb+WBo5tAg+FbyNHL5WNn3q2zat47vzMq6HGxvvwGetjS
YHlpG20Z2AFMpk/E6x2GhvqhVsxcUvGEAeYWlIiiQH4WOoOBN8vE9Lkz1ufggFAZ
z6PpK9DjXDyszoF0Cjyt79GZb+4x8Gsm9Pr9UAxP85sbsCWcQPTgXeznUj7fc2O2
c6kGWtP0UGGVkUjwz/YcgMubsc/WZWmzIKNBBCsKV3W8G3cfE9/8LZlicYwE5og+
WKLCXHp7RlpOFtQb13HTJzp8DgjQTg7HTidypxChWLARX74XwCMdHRtHakCzYiyr
a645n2MvYIpRrMrLVWMAHTLwK3XTAUE7vShtIdsDCW9CaVUCDyA8sCSxxidcNdcc
6K1mphqT9Dbd2UVey/6jl4FTmKEnQzsVGN8ZsOL+51ouo09DqR2NQo/lZd6IdwmO
rXO2Z9P098s4Sqn8YVRhcFD4C/11EQsSJFcthzzMzgpCMUgSuvTdS2DBG5qSiIuv
DMhS3vwyhKwNLj9dCaoiaqbr2+06YHjR++w+fLxThrhypiMe09qMIME9ullXL0no
26hkmqk82a/Fih7vLhL3cyt5CUuFkcGM+E5HZACNY7VDwq8uT5Q=
=6X84
-----END PGP SIGNATURE-----

3
stunnel-5.74.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9bef235ab5d24a2a8dff6485dfd782ed235f4407e9bc8716deb383fc80cd6230
size 904360

16
stunnel-5.74.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmdcZ6EACgkQLvx/8NQW
4BRl/RAAjWHEueTMN6fvs79hKTSIWLiDNs5rTOPLylt69nlr5oYsUS9yfk0ox70j
IcaWBrLGZn5rEXf/J/D0wQW2Jqvl+R5TWPDiwq9N0VPI8LqH0cd0Yz5wW4vEsAIo
wlYeFJeaMjS9McYDfiuhRmhWvETV3bu2KPSiENLo/lTHYKh4apRN2opMWKjKh+/N
/wWUZByVogkjSNzM7lqqqOk6RVGaTcjWvfux3e+HN+/4AV0uSleF8k3N6nKrkJUs
OhZ8aIXheEIp/LoXnG5PxnOBzMg4pT47FphI8//5193CERgHiHjlsHuZwRqyYInp
B7fbPpDGtwCAOC42OZOzSpekDWbnvNgCT4e5NFkpaa6+UJ40rR1O+oCMcx+kSc+t
rZvapGT/zh+rYJnZ4wveaMY3NY/poUO7huFO4kVz/mgL550wfp2Xgx0y1GmvFas8
OMXFPtRCXUnkcmxPESHwtwHYCcJIxMjPKLHHzQ/m1DBnZTdfQWvhSWWhez+0SltS
Hh1ImQiWlFWzVhXtZIUi7FtGieybDMQgr/FEMsYX4e2NaSefKvHxur4S7QufKukX
rWjAlk7wUqHYTaRztiX81fXOwv7SGABEOfrMVRQ4Lxk0lLNAFdrPmRFSy14k4ObD
BTvq2QlPaOTiQLhNNVNCX6l57ODrF2QIsXUaOQU9JnL8f8uC1AY=
=Qhan
-----END PGP SIGNATURE-----

11
stunnel.README Normal file

@ -0,0 +1,11 @@
To create a new certificate, execute the following OpenSSL command:
(umask 077; \
/usr/bin/openssl req -new -x509 -days 365 -nodes \
-config /usr/share/doc/packages/stunnel/openssl.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem)
Starting with v4, stunnel uses a configuration file.
Via the stunnel3 wrapper you can run stunnel with v3-style cmdline arguments.

1660
stunnel.changes Normal file

File diff suppressed because it is too large Load Diff

125
stunnel.keyring Normal file

@ -0,0 +1,125 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
iQJSBBMBCAA8AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBKyRXqMGRdnT
1Nrk/rEEiTLdOqqjBQJiemhbAhkBAAoJELEEiTLdOqqjH/YP/i5fQuvTvwSHZAwK
JgSUijxD4z2jCtYvXIa7BPNiu8mnyupPAdoZE7BNehuvAc7kYj4dNmC/cY+CRcan
OW05ByU/N+RObQYs6dkSLuyzOfqdnA2SZgcPreOZyLe/Yz9nSh5BVigSyiNY+clT
JMfISdvfAxlxkVxyfJ293ePECZ7VKfzp18ntDBIY5yos4K0FXKpFVhhWHT9SlsQe
tAKTOm6WdJx852y53TvZYzPEVznZhLSj//yYWG7TVQ47oSrsUW5pGaQybtYNIwGa
sHGj0SFscYb8IBF4gOaTFPiwKJykmwfF0F7A6wO+oSs7By1o4fEoVr1y3UWO/ATx
RF3GyX/6NHTu2OwTmtWozTKkd4agGPmQgn+ApueaBq7Tn9EA+5e83hRY8/c0xOvu
XRHrB+PTp4HT3yPcVbGP6vRkpPsRIxtzzw+G1AdwIcMULg/J5qKilRyKLbN12cmc
Jjtk6Ii7cskgj/3iYVRy/Xtw9Q2+9aMPPs1H4QklimDuR/KWCqyd61e1ct+Y4XGq
HM93/GQuku1sGA6YsfUpDWv3rjwoGejyif3lyHjERaGh1BCYD6Olhe2QtCEuOvuA
G2qPT0gZ1q33JVN3wNJfD6JreG7HubG0le+iwLoQTXa3qjhF8DeAgOC+yLKYv3iD
ms49fpkKFScmRCmWU0C/2zqe0/GetCtNaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwu
VHJvam5hcmFAbWlydC5uZXQ+iQJPBBMBCAA5AhsDBgsJCAcDAgYVCAIJCgsEFgID
AQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhbAAoJELEEiTLdOqqj
k5UP/1G8u1Hpr0Ie4YXn1ru1hQaauEqTXGfgcsSuuqvS4GCgY93+Q0jv0YV1Owxs
pJWmN3aYKtsj86EAEkOcz23HkhwwvTKkhrZWCATQzhpGZfFWECPm+CycNksc+pkq
eykg5RN00DecGpG5x0p2twrRI4j+K4OKSGJvx8vjxBMGoGAoHtBl73nhwuY9CsqL
CnCn3lohv03GPvvlO6dhOordBI4U50ky5ZZsQ/qMD7vAGFktbJMyhYJ96ASdVqfG
L0DTQ6E1QwS4PQlyEt6PBCtt6T3kU7i9mYy+TQtI+wH3r2hx+UEQaC+9hzY4FZwH
xOdH7zumOthMu/uBGK2uMkj7mVpHEGU/69EvROYzf0HtN2vs2yCMirtrlbfQ0bez
YyXiTd8+ka0vTWM2rE6rav5RIRDmD7U3u4fPwnpSRTDxCHJglIisymLd01W0Qh8l
qCyHOOsRHu2k3RfdILd+F26Ii31073kAaga5iDlKrPyVV38upLIPy/G9QJ8rdYBR
EvF0VaYQW+rwsInE8mYfWgcwKT3ZeWop0dD7NFurbHZxfTkL1QCEo+EurrFxBLCm
qfPEbQwoMwS5hCAcGRjXDpt0ZZe55VdLXaW9E/GINHPVoM+dMqmmYxEOCvuOez4c
MMmt6a5kFPPtWo2o7dcBpDG7ZX3UkUGVAmQuSENIY3yXqYcXtC9NaWNoYcWCIFRy
b2puYXJhIDxNaWNoYWwuVHJvam5hcmFAbW9iaS1jb20ubmV0PokCTwQTAQgAOQIb
AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQSskV6jBkXZ09Ta5P6xBIky3Tqq
owUCYnpoUQAKCRCxBIky3Tqqo7cBD/sFjmAnOyuEvlVKXEihLmABFBeWjKiGaR4U
0+V8ZPvBEzHVQ5e2ywqa68xgFK66JlapnZlAeOoUZYc/uj0xzNwzS4sdnc/ejWn+
B0gM9ZLYs1BeYib2k4Bf0c8ccjjCX5r8+Uio8aCB4hSyckmyD+svfmnrzyMEEAZN
d+0uiwmmHNEDHqIg76xo7DO+DvV2+sEkLEtdKCfTws94qEWQHGHYwpcbDngSamVZ
zML48L4liQX0l7Dz8j09Tf1EYg2DRSvn4s2bzyrFIsnz6yrlf8K0hCYkaTLKnCSx
Bj7ESXj/bOQY4fBAHNy2gRXq3ELgdliCQHeT+9TD5JI58rWQBY48QGF7CAxMcC3H
3nI/Zq/DSaakOVwianqY2VJDFAYXogmEOR/kWE3lPerp6qum+n4WcDiteQXJMHmV
t/JYAZ3zbOhmu9F2NI7Ce4uZe8rQ0PG5Jgb5wE76i9zrCwFACPKhJVim4kWIOPf8
eT1LCC4adpyeUMrH342CVb2xpS+gQ89V7sTt9uFPp9wTl5QvsD3uTWKzGkRV9s7b
rnFuJYGDRM/EN0nFZF8D0RbrwYNK5KXSZ0VOTrud9ZcEsJQeISqLX4QBMrSl/Nst
r9MTUuBf6N3b5zDRmHJQ6+myyE/8cgHwEsmOIJCSEcQjkYsUruQhuW2Et1EZtrcb
/KHFRhRjP7RATWljaGHFgiBUcm9qbmFyYSAoYXV4aWxpYXJ5IGFkZHJlc3MpIDxN
aWNoYWwuVHJvam5hcmFAZ21haWwuY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI
CwIEFgIDAQIeAQIXgBYhBKyRXqMGRdnT1Nrk/rEEiTLdOqqjBQJiemhDAAoJELEE
iTLdOqqjWfkQALjs436L79R26iQc8aWu3IWAZ8FOv8VqbTcGH3fQ16DcJ+OaBQkl
qHTWsbs9Bhq49lU6WiZLIJWTp8bl6fdC5XbJYFYW7fMBSyUFpSqQFACY6EF3vdDS
bcVcT6aModzq1mG9CFuU5wt0GrZOy4v0pXvJK0Y+CzY3Rm/Nev0Ou3HUFWgsOpHZ
jnCCkNyQ1C1jJ9mDid55dID8byLvkmS8Z3pVhFQ3Ko9gZv47GeeNjG26rbNmsVwZ
Ki7c9iJM/RbCgr+LVElFVtFyJP2WUxHjl2RbrJIJB9YUNY1N7z0tDnqN1FCPbFkj
zkMuuj0yPp9CqGZge+A5tT5NfytGYPMSOD9up4SXVr+ejOtUL5riW3LsnewjTJuM
f2qP1h52FAduB9SfGTf0XlLlKJkjkw3Q9WmrOndJcEsKRGarfcWFPMOml3xmcoAM
9jU0H9P1ZAHlKON0eL1vKBgS5XL0s4pVvwsYZ+dfDcNU+bUCrTRLc0uccsIzDrio
bbaz7VtUzEsWqPozW6CTozDWDSfKRuWuB2vAYfqKJN8ZAkvOu00ZKwT/DiCpLQ6e
GQ8tcAvum9Sd9jydwqs89UNhKNkovwMwALjLITaZ72ILgYo3Mo57fT6MpVspxJ23
+6RP8+MAM+HhJYfODuGvNHR3n5aO0WnwM8YoH14hjHUKtr7z83iivhSOuQINBFTU
68MBEADyAgLrjV0rpqn1bUrcSSpGfTPrOLN1Uav+O9/zEVd5Sr5q7GLFnS0Rjo0z
kIFLJrkEIr0gZVaYk1trPJZRriWUDoS+ZTFxN4YTumlADgqXVvO9Srm6mj7z7RW6
q8sL9tXPQNScVJYlgcBms9n7I7TIyry9oZOjmTAqLFDg2L437USIAspl7HWDpRb1
3QcBxgRr+VNaHPcnRXXLJjhWi/fSC2ijrsqRIL9KzBnMhHTQJAavPe3CUa4HvdKb
Vh+oOptjx1Asl7JTSi8h5T3lUjlxAXoPUfxh1oxZCboy1UB8hflYygf56rgCeT2G
KVF4YA2QhY1KozbUOt27dytsYhiJk8Rp0p8bHCq7C9ENMSAPiCOoy8R3EDZbqzhZ
HfpLAyR460RKPbUyJHZgNxsjMhtSH2nQ/wNka9BxWHjmMKB05wvm2H1HTvqelcef
wUh7Yh8BmdfU6emwqf9ionTA0WEZhbFX/JkDXQ1sUoVeEPUUaqs7PqVKqaoPPTS1
eh8XjfZp77s/NM/2fhyKPiTRJgbWX8tOGc5gvdI1QIbesIBJ5aheaHEJhEaLRfDc
gmtylU2Y1AP5IstONUH3gCUONKXHWrRX73KaEYeLnXCwFJqMzAN7FpIj9YzXL2VE
7CXt54APjV88CvNOV4CpPz1qRYt69MEta+Pn2aS729kBbbr/VQARAQABiQIfBBgB
AgAJBQJU1OvDAhsMAAoJELEEiTLdOqqjY0IQAIcnt7SXw2FLiyV/N6PUABc7AvXA
N7Gfq2GmB7EDKpkshqJuqEjJuFKjUs4vU1j/nnK2xxs5Avs2WJEBdU3oX2Vx6v6r
PEvkmDHNRTp2vJqk1lizTq7fB+vxm1Ju8gA43/Dz22b20fGg1QhhllRlE4UFbp+f
xGSFuhCzSEkXFZ9aCE7GFLRNcnz8xnhhx8PL4TDosgDKbcDVdj777ZUwQeopzKFT
3lbmyoCx87kyRFZrQT0lNLZ1ZO141NY+ifLAkZf+ZJVUxmA5kXqjfZVv0tOcHrvp
hBo+IyW7aqD69GREz/PIaO8/HuGKV/rwJbFlwgeyV+nmAlXpG+2Ur6a4S8iRKY1j
KLyFCnVjkLq5Zv0la3/0hIn5fP6f7mcAcRTNb8t4QPKGNWVL286gADLXyvjuZDJv
MnarbM4ej3OXd8o4nZLhIUEoYe4iE87EbYKu6HE31Tn5HBMOooQJ64JlE4xhAvOW
Yg/a8z824VWFCbyI2FtO8R6eHiZYPgi44cmSq/MorMBeWWiy5QrgHSRuWHgZo5WY
SNpcbDzvz2s6VDMPnnrpKAo8M1S2ibn94hzLr9RgGgV3uUuW0hVJIIDVVQxTgxYm
CPBr2CTozGg17x1wnX3uhAx+Fk2MnzRLkL5rZqXjCtHa8v/eFeHLYzaQbvdEtLPE
SJWgmwb6FvM218hruQINBFTU7lkBEADWkatDVXdgxcXcPPC8D+5Zv3XanCpS8wAA
q9gIOIQsg4/Ttzfb7PTg39s5eOJnYlvwC4gKPi/3a1cDKC1/XzPHChTwA5eK5Jw/
fDLVmmsHDyTvV03LReYRduJfu2Quh7Q7NaUJo1NqNJdMQtP6dgdM6QGysLhP7LsD
Bi55AlhRpGQlH/lNzrxSdFI7b3mmAl3sShZYCTLdt0f5Mo3QyxqAInBr5GtcUa0g
qNTRcAqx11PFArHZJQYXRBV01n/XgO6jvdu2he0eAHSjF7CeyImnlcpZibntFI0u
/UsqvbqJJS1QzUIAhkAu4YwDJBdUSjs6bO5mY3TJFgzsVKekbisgOcPFiENNpr7F
ZvvfxXy4tANkBWcC4ESGrVFAQOtEz9ctuJu9UHOl34kj1ad40SnR6GrmwQLoVspj
PQepWTZIfUOlvS2Cu3HPdzus+zu9F2YUzFO5hy1LO6o0ekpf4LquDIBbazEQoPTK
zw5gRreG+tAVIDOcz+Pdfx2B7UOuIchB38O3j4sx09yxCTe+3LuljFkgNFr2GXue
Bp6xBJn/s9X9yPtTuqJ5OvW6U7UZzkZzJLYe7g/3XT0dfW0ERC8Yelup70tzZ3RU
qAdWMb28MusTWH+pcpuafQsXVhHh2Noz6xgJ9g475bNkpQAI90yrcuJ3/ehDvWnp
42C7qVByAQARAQABiQQ+BBgBAgAJBQJU1O5ZAhsCAikJELEEiTLdOqqjwV0gBBkB
AgAGBQJU1O5ZAAoJEC78f/DUFuAU3HoQAJHsIoHcy/aU1pFGtpVHCM2u6bI4Oqyd
f+h7eVp3TiIIFv0nEbI3JMYXSzq16hqhxfEh5nnRsXsa5hyd6kwameIwKQTbKaUz
qu4U01NRgLTYWyujApBugLtLkM3aXuVvieWDINfuc6U4yaFNzcP9Cx24zJL0fmSM
UUq3Mtg7BERX9Ecj/BBTJPLN7yqz8HGlPf8exIm4ZnJstJ39+Z4zjfGCFx18OApN
oaQWSGFbtRaC06FC1jGvRUPgcTDgL6czKSyooAgUwGMkCq2y5Z5KBq9WttTwqvOV
wkUdKui9ns+LSYoxgcaiY+y1lxnHCvXm3cGEO+iAxJGxxTWYtSKAsQaJbE9XG1CW
YdNl8yezgLLThLuMrgaLHQ83heL/2s5wsUJvnN11wtWuqK5P523879M8pQodO8sv
WAXgOXKlu7xNBa07vENI/LvBJ09ZQ3kYGOzFtl9WVam+9UyYZS7KAiXQuSsksobG
TfoCc2kQ+qxD171GyC7l0/2UY/PeKDETen5SWFajl6ompnAB8QVv7Q9DMpJDrMgV
AB/nR5Ij+lZ/5en1c5Pjt3jLxpbMcDtP+Nr21vJ356DvVk6o4W1U/zMVa+Y+eiiz
GsFHuor9EFjn89cqF8bXTIRhdKNNqnh2azLjfSXwxy6qjnmKLGBPm/Fl9N7IWNOM
eaO4cPWtNN+leTgP/0Yj1wh+tZzOGttY3wGg/roiYxelWFnMO3pLm710dI0l2qK8
PMKSS1v+mxcgu++7eouZvWcluw3M30Ymbouh27MInhKpqh2OEyQ2L9Nz3l3HSfZw
I/ZGH+O/OjvOupA7T1zxq3+kUSIXwuBSVzlBoH8Y2FcGomiDbI7NQ8YqrQ4zL/C2
1bjZMJ7tX4nx+efXrF8aGdXCaJZFBqp0KIUNjYiI4eGdHB8lUA2t11+5T8Any9jx
dfOvEjthkvjdXnfRaJyHVUHTRcsVTxqPTwWyN0W9HvsADEVT4J3qwfrKrqOxFeml
DQE47XlpH7CikS+0rAN1G7dNrB4LVcwstDhe431CXRswfR3rbq4wbbNR9kY7WM1M
5LixSESomwiZuwv+GA0Mpi9+jTBIc9aZCj2ePDtobwx7Lvsjd8vUQuP9N9rzqeM+
kn+2YUwtX2e1YAJxb9ze2iN1w/bvytPD/jOT5KvZm/7ds/XKMl3TPgHeBhjPYFRh
NTt3KIDjUqCThl9XWfY1QDFAljO8QgBlwwRYDes5Nv4CNwFVdfz0aTQETKRWYD0b
zTy1uYj7gNR3Zz/53XF659vjdMY6LAqrBj46z2J7LcVuyehi7Mo+x3ksHIkUS51s
wHXnaH3m783KxozQCML7I+2WlItQhoNRbvlUCVAo9aPUCDm5WlzZJwwSN69B
=EgcU
-----END PGP PUBLIC KEY BLOCK-----

245
stunnel.rc Normal file

@ -0,0 +1,245 @@
#! /bin/sh
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002 SuSE Linux AG
#
# License: same as stunnel
#
# Author: Peter Poeml <poeml@suse.de>, 2002
#
# /etc/init.d/stunnel
# and its symbolic link
# /usr/sbin/rcstunnel
#
### BEGIN INIT INFO
# Provides: stunnel
# Required-Start: $local_fs $remote_fs $network
# Should-Start: $named $syslog $time
# Required-Stop: $local_fs $remote_fs $network
# Should-Stop: $named $syslog $time
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: stunnel (universal SSL tunnel)
# Description: Start the universal SSL tunnel "stunnel"
### END INIT INFO
DAEMON="stunnel (SSL tunnel)"
DAEMON_BIN=/usr/sbin/stunnel
: ${STUNNEL_CONF:=/etc/stunnel/stunnel.conf}
STARTPROC_LOGFILE=/var/log/rc.stunnel.log
SUPPORTS_HUP=false
test -x $DAEMON_BIN || exit 5
#
# read the configuration
#
STUNNEL_RUN_CHROOTED=false
DAEMON_PIDFILE=/var/run/stunnel.pid
EXECUTABLES=
CHROOT_PREFIX=
while read -a line; do
case ${line} in
chroot) CHROOT_PREFIX=${line[2]}; STUNNEL_RUN_CHROOTED=true;;
pid) DAEMON_PIDFILE=${line[2]};;
exec) EXECUTABLES="$EXECUTABLES ${line[2]}";;
esac;
done < $STUNNEL_CONF
DAEMON_PIDFILE="$CHROOT_PREFIX$DAEMON_PIDFILE"
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
# this seems to want to delete the pid file if it is empty
test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE
case "$1" in
start)
echo -n "Starting $DAEMON "
## If there is no conf file, skip starting of stunnel
## and return with "program not configured"
if ! [ -f $STUNNEL_CONF ]; then
echo -e -n "... no configuration file found";
# Tell the user this has skipped
rc_status -s
# service is not configured
exit 6;
fi
##
## set up chroot directory
##
if $STUNNEL_RUN_CHROOTED; then
# /etc
for i in $STUNNEL_CONF /etc/{resolv.conf,host.conf,hosts,localtime,hosts.{allow,deny}}; do
cp -p $i $CHROOT_PREFIX/etc/ &>/dev/null \
|| { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
done
# executables
for i in $EXECUTABLES; do
mkdir -p `dirname $CHROOT_PREFIX/$i`
cp -p $i $CHROOT_PREFIX/$i \
|| { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
done
# libs
libdir=/$(basename $(echo /var/lib/stunnel/lib*))
for i in $EXECUTABLES; do
unset libs
ldd $i | grep '=> /' | while read -a line; do
cp -p ${line[2]} $CHROOT_PREFIX/$libdir \
|| { echo "...$0:$LINENO: could not copy $i to chroot jail"; rc_failed; rc_status -v1; exit 6; }
done
done
fi
rm -f $STARTPROC_LOGFILE # start log
error=0
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
# startproc should return 0, even if service is
# already running to match LSB spec.
test "$2" = "-v" && echo -en \
"\nrunnning '$DAEMON_BIN '"
startproc -l $STARTPROC_LOGFILE $DAEMON_BIN ${STUNNEL_CONF} || error=1
if [ $error -eq 1 ]; then
echo -e -n " please see $STARTPROC_LOGFILE for details ";
## set status to failed
rc_failed
else
$STUNNEL_RUN_CHROOTED && echo -n "[chroot]" || :
fi
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down $DAEMON "
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $DAEMON_PIDFILE -TERM $DAEMON_BIN
# Remember status and be verbose
rc_status -v
# delete pidfile (stunnel cannot do it if it doesn't run as root)
rm -f $DAEMON_PIDFILE
;;
try-restart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
sleep 3
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service $DAEMON"
if $SUPPORTS_HUP; then
killproc -p $DAEMON_PIDFILE -HUP $DAEMON_BIN
#touch $DAEMON_PIDFILE
rc_status -v
else
$0 stop && sleep 3 && $0 start
rc_status
fi
;;
reload)
## Like force-reload, but if daemon does not support
## signalling, do nothing (!)
if $SUPPORTS_HUP; then
# If it supports signalling:
echo -n "Reload service $DAEMON"
killproc -p $DAEMON_PIDFILE -HUP $DAEMON_BIN
#touch $DAEMON_PIDFILE
rc_status -v
else
## Otherwise if it does not support reload:
rc_failed 3
rc_status -v
fi
;;
status)
echo -n "Checking for $DAEMON: "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
# NOTE: checkproc returns LSB compliant status values.
checkproc -p $DAEMON_PIDFILE $DAEMON_BIN
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
rc=0
for i in $STUNNEL_CONF; do
test $i -nt $DAEMON_PIDFILE && rc=1
done
test $rc = 1 && echo restart
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe} [-v]"
exit 1
esac
rc_exit
# vim: syntax=sh ai

181
stunnel.spec Normal file

@ -0,0 +1,181 @@
#
# spec file for package stunnel
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define VENDORAFFIX openSUSE
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: stunnel
Version: 5.74
Release: 0
Summary: Universal TLS Tunnel
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: https://www.stunnel.org/
Source: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz
Source1: https://www.stunnel.org/downloads/%{name}-%{version}.tar.gz.asc
Source2: https://www.stunnel.org/pgp.asc#/%{name}.keyring
Source3: sysconfig.syslog-stunnel
Source4: stunnel.rc
Source7: stunnel.README
# PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after network is really up!
Patch1: stunnel-5.59_service_always_after_network.patch
Patch2: harden_stunnel.service.patch
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
# PATCH-FIX-FEDORA bsc#1211301 Add crypto-policies support
Patch3: stunnel-5.69-system-ciphers.patch
Patch4: stunnel-5.69-default-tls-version.patch
%endif
BuildRequires: libopenssl-devel
# test dependencies
BuildRequires: netcat
BuildRequires: pkgconfig
BuildRequires: procps
BuildRequires: python3
BuildRequires: python3-cryptography
BuildRequires: tcpd-devel
BuildRequires: zlib-devel
BuildRequires: pkgconfig(systemd)
#
Requires(pre): %fillup_prereq
Requires(pre): %{_sbindir}/useradd
Requires(pre): fileutils
Requires(pre): textutils
Recommends: stunnel-doc = %{version}
%{?systemd_ordering}
%if 0%{?suse_version} >= 1500
Requires(pre): group(nogroup)
%endif
Provides: user(stunnel)
%description
Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without
any changes in the programs' code. Its architecture is optimized for security, portability, and
scalability (including load-balancing), making it suitable for large deployments.
%package doc
Summary: Documentation for the universal TLS Tunnel
Group: Documentation/Other
Requires: stunnel = %{version}
BuildArch: noarch
%description doc
This package contains additional documentation for the stunnel program.
%prep
%setup -q -n stunnel-%{version}
%patch -P 1 -p1
chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
%patch -P 2 -p1
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
%patch -P 3 -p1
%patch -P 4 -p1
%endif
%build
sed -i 's/-m 1770//g' tools/Makefile.in
%configure \
--disable-static \
--bindir=%{_sbindir} \
--with-bashcompdir=%{_datadir}/bash-completion/completions
%if 0%{?sle_version} < 150000
%define make_build %{__make} -O %{?_smp_mflags}
%endif
%make_build LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
%install
%make_install
mkdir -p %{buildroot}%{_docdir}
mv %{buildroot}%{_datadir}/doc/stunnel %{buildroot}%{_docdir}/
mkdir -p %{buildroot}%{_docdir}/stunnel/tools
mkdir -p %{buildroot}%{_fillupdir}
cp -p %{SOURCE3} %{buildroot}%{_fillupdir}/
install -D -m 0644 %{buildroot}%{_docdir}/stunnel/examples/stunnel.service %{buildroot}/%{_unitdir}/stunnel.service
ln -s service %{buildroot}%{_sbindir}/rcstunnel
sed -i "s/^;setuid = nobody/setuid = stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/^;setgid =/setgid =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/^;include =/include =/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i '/gmail-pop3/,+25 s/^./;&/' %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/; Sample stunnel/# Sample stunnel/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
sed -i "s/^;/#/" %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample
mv %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf-sample %{buildroot}/%{_sysconfdir}/stunnel/stunnel.conf
find %{buildroot} -type f -name "*.la" -delete -print
rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL
rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.WCE.md
rm -rf %{buildroot}%{_docdir}/stunnel/INSTALL.W32.md
rm -rf %{buildroot}%{_docdir}/stunnel/ca-certs.pem
rm -rf %{buildroot}%{_docdir}/stunnel/plugins/
mkdir -p %{buildroot}%{_localstatedir}/lib/stunnel/{bin,etc,dev,%{_lib},sbin,var/run}
install -d %{buildroot}%{_sysconfdir}/%{name}/conf.d
%check
# only works in Tumbleweed as of 2021-04-08
%if 0%{?suse_version} > 1500
rm tests/plugins/*fips*.py
%make_build test
%endif
%pre
if ! %{_bindir}/getent passwd stunnel >/dev/null; then
%{_sbindir}/useradd -r -c "Daemon user for stunnel (universal SSL tunnel)" -g nogroup -s /bin/false \
-d %{_localstatedir}/lib/stunnel stunnel
fi
%service_add_pre %{name}.service
%post
%service_add_post %{name}.service
%{fillup_only -ans syslog stunnel}
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
%files
%license COPYING.md
%{_sbindir}/rcstunnel
%{_sbindir}/stunnel
%{_sbindir}/stunnel3
%{_libdir}/%{name}/
%{_mandir}/man8/stunnel*8%{?ext_man}
%dir %attr(700,root,root) %{_sysconfdir}/%{name}/
%dir %attr(700,root,root) %{_sysconfdir}/%{name}//conf.d
%config(noreplace) %{_sysconfdir}/%{name}/stunnel.conf
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/bin
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_sysconfdir}
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/dev
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/%{_lib}
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel/sbin
%dir %attr(755,root,root) %{_localstatedir}/lib/stunnel%{_localstatedir}
%dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
%{_fillupdir}/sysconfig.syslog-stunnel
%{_unitdir}/stunnel.service
%{_datadir}/bash-completion/completions/%{name}.bash
%files doc
%doc %{_docdir}/%{name}
%changelog

12
sysconfig.syslog-stunnel Normal file

@ -0,0 +1,12 @@
## Type: string
## Default: "/var/lib/stunnel/dev/log"
## ServiceRestart: syslog
#
# The filename mentioned here will be added as "-a ..." to SYSLOGD_PARAMS when
# syslogd is started.
#
# This additional socket is needed in case that syslogd is restarted. Otherwise
# a chrooted stunnel won't be able to continue logging.
#
SYSLOGD_ADDITIONAL_SOCKET_STUNNEL="/var/lib/stunnel/dev/log"