- Update to 5.71:
  * Security bugfixes:
    - OpenSSL DLLs updated to version 3.1.3.
  * Bugfixes:
    - Fixed the console output of tstunnel.exe.
  * Features sponsored by SAE IT-systems:
    - OCSP stapling is requested and verified in the client mode.
    - Using "verifyChain" automatically enables OCSP stapling in
      the client mode.
    - OCSP stapling is always available in the server mode.
    - An inconclusive OCSP verification breaks TLS negotiation.
      This can be disabled with "OCSPrequire = no".
    - Added the "TIMEOUTocsp" option to control the maximum time
      allowed for connecting an OCSP responder.
  * Features:
    - Added support for Red Hat OpenSSL 3.x patches.
OBS-URL: https://build.opensuse.org/request/show/1113392
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=168
- Enable crypto-policies support: [bsc#1211301]
  * The system's crypto-policies are the best source to determine
    which cipher suites to accept in TLS. OpenSSL supports the
    PROFILE=SYSTEM setting to use those policies. Change stunnel
    to default to the system settings.
  * Add patches:
    - stunnel-5.69-system-ciphers.patch
    - stunnel-5.69-default-tls-version.patch
- Enable bash completion support
OBS-URL: https://build.opensuse.org/request/show/1109525
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=166
- Update to 5.70:
  - Security bugfixes
    * OpenSSL DLLs updated to version 3.0.9.
    * OpenSSL FIPS Provider updated to version 3.0.8.
  - Bugfixes
    * Fixed TLS socket EOF handling with OpenSSL 3.x. This bug caused
      major interoperability issues between stunnel built with
      OpenSSL 3.x and Microsoft's Schannel Security Support Provider (SSP).
    * Fixed reading certificate chains from PKCS#12 files.
  - Features
    * Added configurable delay for the "retry" option.
OBS-URL: https://build.opensuse.org/request/show/1099863
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=164
- Update to 5.68:
  * Security bugfixes
    - OpenSSL DLLs updated to version 3.0.8.
  * New features
    - Added the new 'CAengine' service-level option
      to load a trusted CA certificate from an engine.
    - Added requesting client certificates in server
      mode with 'CApath' besides 'CAfile'.
  * Bugfixes
    - Fixed EWOULDBLOCK errors in protocol negotiation.
    - Fixed handling TLS errors in protocol negotiation.
    - Prevented following fatal TLS alerts with TCP resets.
    - Improved OpenSSL initialization on WIN32.
    - Improved testing suite stability.
    - Improved file read performance.
    - Improved logging performance.
OBS-URL: https://build.opensuse.org/request/show/1067560
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=158
- update to 5.56:
  - Various text files converted to Markdown format.
  - Support for realpath(3) implementations incompatible
    with POSIX.1-2008, such as 4.4BSD or Solaris.
  - Support for engines without PRNG seeding methods (thx to
    Petr Mikhalitsyn).
  - Retry unsuccessful port binding on configuration
    file reload.
  - Thread safety fixes in SSL_SESSION object handling.
  - Terminate clients on exit in the FORK threading model.
OBS-URL: https://build.opensuse.org/request/show/829030
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=114
- Install the correct file as README.openSUSE (bsc#1150730)
  * stunnel.keyring was accidentally installed instead
- update to version 5.55
  * New features
    - New "ticketKeySecret" and "ticketMacSecret" options to control confidentiality
      and integrity protection of the issued session tickets. These options allow for
      session resumption on other nodes in a cluster.
    - Logging of the assigned bind address instead of the requested bind address.
    - Check whether "output" is not a relative file name.
    - Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
    - Hexadecimal PSK keys are automatically converted to binary.
    - Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address
      persistence is currently unsupported with session tickets.
    - SMTP HELO before authentication (thx to Jacopo Giudici).
    - New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
    - New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
    - Include file name and line number in OpenSSL errors.
    - Compatibility with the current OpenSSL 3.0.0-dev branch.
    - Better performance with SSL_set_read_ahead()/SSL_pending().
  * Bugfixes
    - A number of testing framework fixes and improvements.
    - Service threads are terminated before OpenSSL cleanup to prevent occasional stunnel crashes at shutdown.
    - Fixed data transfer stalls introduced in stunnel 5.51.
    - Fixed a transfer() loop bug introduced in stunnel 5.51.
    - Fixed PSKsecrets as a global option (thx to Teodor Robas).
    - Fixed a memory allocation bug (thx to matanfih).
    - Fixed PSK session resumption with TLS 1.3.
    - Fixed a memory leak in the WIN32 logging subsystem.
    - Allow for zero value (ignored) TLS options.
OBS-URL: https://build.opensuse.org/request/show/730771
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=107
- Drop use of $FIRST_ARG in .spec
  The use of $FIRST_ARG was probably required because the
  %service_* rpm macros were playing tricks with the shell positional
  parameters. This is bad practice and error prone, so let's assume
  that no macros should do that anymore and hence it's safe to assume
  that positional parameters remain unchanged after any rpm macro
  call.
OBS-URL: https://build.opensuse.org/request/show/678172
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=105