- Install the correct file as README.openSUSE (bsc#1150730)
* stunnel.keyring was accidentally installed instead
- update to version 5.55
New features
New "ticketKeySecret" and "ticketMacSecret" options to control confidentiality
and integrity protection of the issued session tickets. These options allow for
session resumption on other nodes in a cluster.
Logging of the assigned bind address instead of the requested bind address.
Check whether "output" is not a relative file name.
Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
Hexadecimal PSK keys are automatically converted to binary.
Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address
persistence is currently unsupported with session tickets.
SMTP HELO before authentication (thx to Jacopo Giudici).
New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
Include file name and line number in OpenSSL errors.
Compatibility with the current OpenSSL 3.0.0-dev branch.
Better performance with SSL_set_read_ahead()/SSL_pending().
Bugfixes
A number of testing framework fixes and improvements.
Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown.
Fixed data transfer stalls introduced in stunnel 5.51.
Fixed a transfer() loop bug introduced in stunnel 5.51.
Fixed PSKsecrets as a global option (thx to Teodor Robas).
Fixed a memory allocation bug (thx to matanfih).
Fixed PSK session resumption with TLS 1.3.
Fixed a memory leak in the WIN32 logging subsystem.
Allow for zero value (ignored) TLS options.
OBS-URL: https://build.opensuse.org/request/show/730771
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=107
- Drop use of $FIRST_ARG in .spec
The use of $FIRST_ARG was probably required because of the
%service_* rpm macros were playing tricks with the shell positional
parameters. This is bad practice and error prones so let's assume
that no macros should do that anymore and hence it's safe to assume
that positional parameters remains unchanged after any rpm macro
call.
OBS-URL: https://build.opensuse.org/request/show/678172
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=105
- update to version 5.35
- repackage source as bz2
- adjust systemd unit file to start after network-online.target
- bugixes:
* Fixed incorrectly enforced client certificate requests.
* Fixed thread safety of the configuration file reopening.
* Fixed malfunctioning "verify = 4".
* Only reset the watchdog if some data was actually transferred.
* Fixed logging an incorrect value of the round-robin starting point (thx to
Jose Alf.).
- new features:
* Added three new service-level options: requireCert, verifyChain, and
verifyPeer for fine-grained certificate verification control.
* SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo
Rodriguez Garcia).
* Added support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry
Bakshaev).
* New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
* Added logging the list of client CAs requested by the server.
OBS-URL: https://build.opensuse.org/request/show/429283
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=76
- update to version 5.22
New features
- "OCSPaia = yes" added to the configuration file templates.
- Improved double free detection.
Bugfixes
- Fixed a number of OCSP bugs. The most severe of those bugs caused stunnel to
treat OCSP responses that failed OCSP_basic_verify() checks as if they were
successful.
- Fixed the passive IPv6 resolver (broken in stunnel 5.21).
- Remove executable bit from sample scripts
- stunnel-5.22-code11-openssl-compat.diff: Compatibility for openssl on CODE11
OBS-URL: https://build.opensuse.org/request/show/319695
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=72
- update to version 5.21
New features
- Signal names are displayed instead of numbers.
- First resolve IPv4 addresses on passive resolver requests.
- More elaborate descriptions were added to the warning about using
"verify = 2" without "checkHost" or "checkIP".
- Performance optimization was performed on the debug code.
Bugfixes
- Fixed the FORK and UCONTEXT threading support.
- Fixed "failover=prio" (broken since stunnel 5.15).
- Added a retry when sleep(3) was interrupted by a signal in the cron
thread scheduler.
OBS-URL: https://build.opensuse.org/request/show/319059
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=71
- update to version 5.20
New features
- The SSL library detection algorithm was made a bit smarter.
- Warnings about insecure authentication were modified to include the name of
the affected service section.
- Documentation updates (closes Debian bug #781669).
Bugfixes
- Signal pipe reinitialization added to prevent turning the main accepting
thread into a busy wait loop when an external condition breaks the signal pipe.
This bug was found to surface on Win32, but other platforms may also be
affected.
- Generated temporary DH parameters are used for configuration reload instead
of the static defaults.
- Fixed the manual page headers (thx to Gleydson Soares).
OBS-URL: https://build.opensuse.org/request/show/316545
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=70
- update to version 5.19
Bugfixes:
- Improved socket error handling.
- Fixed handling of dynamic connect targets.
- Fixed handling of trailing whitespaces in the Content-Length header of the
NTLM authentication.
- Fixed memory leaks in certificate verification.
New features:
- The "redirect" option was improved to not only redirect sessions established
with an untrusted certificate, but also sessions established without a
client certificate.
- Randomize the initial value of the round-robin counter.
- Added "include" configuration file option to include all configuration file
parts located in a specified directory.
- Temporary DH parameters are refreshed every 24 hours, unless static DH
parameters were provided in the certificate file.
- Warnings are logged on potentially insecure authentication.
- stunnel-listenqueue-option.patch: Refresh.
- stunnel3-binpath.patch: Obsolete, dropped.
- stunnel.service: Modified to start after network.target, not syslog.target.
OBS-URL: https://build.opensuse.org/request/show/314344
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=69
- Default "pid" is now "", i.e. not to create a pid file at startup.
- Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to
AlFBPPS attack and bad performance of DH ciphersuites.
- New service-level option "redirect" to redirect SSL client connections on
authentication failures instead of rejecting them.
- New global "engineDefault" configuration file option to control which
OpenSSL tasks are delegated to the current engine.
- New service-level configuration file option "engineId" to select the engine
by identifier, e.g. "engineId = capi".
- Improved readability of error messages printed when stunnel refuses to start
due to a critical error.
- Patches:
- stunnel-CVE-2013-1762.patch obsoleted. Drpped.
- stunnel-default-fips-off.patch obsoleted. Dropped.
- stunnel-listenqueue-option.patch refreshed.
- update to version 4.56
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=62
- Usage of uninitialized variables fixed in exec+connect services.
- Fixed handling of a rare inetd mode use case, where either stdin
or stdout is a socket, but not both of them at the same time.
- Fixed crash on termination with FORK threading model.
- Fixed missing file descriptors passed to local mode processes.
- refreshed stunnel-listenqueue-option.patch to apply cleanly again
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=57
- update to version 4.49
- A bug was fixed causing crashes on MacOS X and some other
platforms.
- additional changes from 4.48
- FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs
based on FIPS 1.2.3 canister are included with this version of
stunnel. FIPS mode can be disabled with "fips = no"
configuration file option.
- Fixed canary initialization problem on Win32 platform.
OBS-URL: https://build.opensuse.org/request/show/94360
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=56
* New features
- New verify level 0 to request and ignore peer certificate.
- Manual page has been updated.
* Bugfixes
- Fixed a heap corruption vulnerability in versions 4.40 and 4.41.
It may possibly be leveraged to perform DoS or remote code
execution attacks (CVE-2011-2940).
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=51
* New features:
- Hardcoded 2048-bit DH parameters are used as a fallback if DH
parameters are not provided in stunnel.pem.
- Default "ciphers" value updated to prefer ECDH:
"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete
export ciphers).
- refresh stunnel-listenqueue-option.patch
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=49
* New features:
- Server-side SNI implemented (RFC 3546 section 3.1) with a new
service-level option "nsi".
- "socket" option also accepts "yes" and "no" for flags.
- Nagle's algorithm is now disabled by default for improved
interactivity.
* Bugfixes:
- A compilation fix was added for OpenSSL version < 1.0.0.
- Signal pipe set to non-blocking mode. This bug caused hangs
of stunnel features based on signals, e.g. local mode, FORK
threading, or configuration file reload on Unix.
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=46
- update package to 4.36
- obsoletes SOMAXCONN and libwrap disable patches (bnc#674554)
- forward port listenqueue patch (bnc#674554)
- explicitly enable libwrap in configure call
* New features
- Dynamic memory management for strings manipulation: no more static
STRLEN limit, lower stack footprint.
- Strict public key comparison added for "verify = 3" certificate checking
mode (thx to Philipp Hartwig).
- Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved
behavior on heavy load.
Old behavior can be restored with "listenqueue = 5" in stunnel.conf
* Bugfixes
- Missing pthread_attr_destroy() added to fix memory leak (thx to Paul
Allex and Peter Pentchev).
- Fixed the incorrect way of setting FD_CLOEXEC flag.
- Fixed --enable-libwrap option of ./configure script.
- Retry implemented on EAI_AGAIN error returned by resolver calls.
OBS-URL: https://build.opensuse.org/request/show/73837
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=40
