8 Commits

Author SHA256 Message Date
Daniel Rahn
d17aa7ebbc Accepting request 314344 from home:sdrahn:branches:security:Stunnel
- update to version 5.19
  Bugfixes:
  - Improved socket error handling. 
  - Fixed handling of dynamic connect targets. 
  - Fixed handling of trailing whitespaces in the Content-Length header of the
    NTLM authentication. 
  - Fixed memory leaks in certificate verification.
  New features:
  - The "redirect" option was improved to not only redirect sessions established
    with an untrusted certificate, but also sessions established without a
    client certificate. 
  - Randomize the initial value of the round-robin counter. 
  - Added "include" configuration file option to include all configuration file
    parts located in a specified directory. 
  - Temporary DH parameters are refreshed every 24 hours, unless static DH
    parameters were provided in the certificate file. 
  - Warnings are logged on potentially insecure authentication. 
- stunnel-listenqueue-option.patch: Refresh.
- stunnel3-binpath.patch: Obsolete, dropped.
- stunnel.service: Modified to start after network.target, not syslog.target.

OBS-URL: https://build.opensuse.org/request/show/314344
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=69
2015-06-29 10:02:42 +00:00
5162151582 Accepting request 281295 from home:stroeder:branches:security:Stunnel
Update to 5.09

OBS-URL: https://build.opensuse.org/request/show/281295
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=68
2015-01-16 10:49:39 +00:00
Daniel Rahn
00d27283e5 - update to final v5.00 code
- security fix: Added PRNG state update in fork threading (CVE-2014-0016).
- Patches:
  - stunnel-listenqueue-option.patch refreshed.

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=65
2014-03-06 16:20:19 +00:00
Daniel Rahn
5fada29b31 - Update to version 5.0b1 (FATE#315694)
  - Default "pid" is now "", i.e. not to create a pid file at startup.
  - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to
    AlFBPPS attack and bad performance of DH ciphersuites. 
  - New service-level option "redirect" to redirect SSL client connections on
    authentication failures instead of rejecting them.
  - New global "engineDefault" configuration file option to control which
    OpenSSL tasks are delegated to the current engine.
  - New service-level configuration file option "engineId" to select the engine
    by identifier, e.g. "engineId = capi". 
  - Improved readability of error messages printed when stunnel refuses to start
    due to a critical error.
- Patches:
  - stunnel-CVE-2013-1762.patch obsoleted. Dropped.
  - stunnel-default-fips-off.patch obsoleted. Dropped.
  - stunnel-listenqueue-option.patch refreshed.
- update to version 4.56

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=62
2014-01-29 16:56:32 +00:00
Daniel Rahn
d2b6a87648 - update to version 4.53
  - Usage of uninitialized variables fixed in exec+connect services.
  - Fixed handling of a rare inetd mode use case, where either stdin 
    or stdout is a socket, but not both of them at the same time.
  - Fixed crash on termination with FORK threading model.
  - Fixed missing file descriptors passed to local mode processes. 
- refreshed stunnel-listenqueue-option.patch to apply cleanly again

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=57
2012-07-21 06:32:50 +00:00
f25c4c5cca Accepting request 93518 from home:darix:branches:security:Stunnel
- update to version 4.47
- refreshed stunnel-listenqueue-option.patch to apply cleanly again
- pass the path to the config file to the binary in the init
  script: without this the init script does not work for me.

OBS-URL: https://build.opensuse.org/request/show/93518
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=55
2011-11-25 09:53:07 +00:00
Daniel Rahn
502b3013f1 - update package to 4.40
* New features:
  - Hardcoded 2048-bit DH parameters are used as a fallback if DH 
    parameters are not provided in stunnel.pem.
  - Default "ciphers" value updated to prefer ECDH:
    "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
  - Default ECDH curve updated to "prime256v1".
  - Removed support for temporary RSA keys (used in obsolete 
    export ciphers).
- refresh stunnel-listenqueue-option.patch

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=49
2011-07-25 06:57:06 +00:00
1ca0e0c995 Accepting request 73837 from home:sdrahn:branches:security:Stunnel
- update package to 4.36
- obsoletes SOMAXCONN and libwrap disable patches (bnc#674554)
- forward port listenqueue patch (bnc#674554)
- explicitly enable libwrap in configure call
* New features
  - Dynamic memory management for strings manipulation: no more static 
    STRLEN limit, lower stack footprint.
  - Strict public key comparison added for "verify = 3" certificate checking
    mode (thx to Philipp Hartwig).
  - Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved
    behavior on heavy load.
    Old behavior can be restored with "listenqueue = 5" in stunnel.conf
* Bugfixes
  - Missing pthread_attr_destroy() added to fix memory leak (thx to Paul
    Allex and Peter Pentchev).
  - Fixed the incorrect way of setting FD_CLOEXEC flag.
  - Fixed --enable-libwrap option of ./configure script.
  - Retry implemented on EAI_AGAIN error returned by resolver calls.

OBS-URL: https://build.opensuse.org/request/show/73837
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=40
2011-06-16 12:04:07 +00:00