#
# spec file for package stunnel (Version 4.15)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

Name:           stunnel
BuildRequires:  openssl-devel
%if 0%{?suse_version}
BuildRequires:  tcpd-devel
%endif
Summary:        Universal SSL Tunnel
License:        LGPL, Other License(s), see package
Version:        4.15
Release:        1
Group:          Productivity/Networking/Security
URL:            http://www.stunnel.org/
Autoreqprov:    on
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 800
PreReq:         /usr/sbin/useradd fileutils textutils %insserv_prereq %fillup_prereq
%endif
Source:         http://www.stunnel.org/download/stunnel/src/%{name}-%{version}.tar.bz2
Source1:        stunnel.conf
Source2:        stunnel.README
Source3:        sysconfig.syslog-stunnel
Source4:        stunnel.rc
Patch1:         stunnel-4.14-write_pid_as_root.diff
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%define VENDOR SUSE

%description
The stunnel program is designed to work as an SSL encryption wrapper
between a remote client and the local (inetd-startable) or remote
server. The concept is that by having non-SSL aware daemons running on
your system, you can easily set them to communicate with clients over
a secure SSL channel. Stunnel can be used to add SSL functionality to
commonly used inetd daemons, such as POP-2, POP-3, and IMAP servers,
without any changes to the program code.

%prep
%setup -q
%patch1 -p1

%build
#autoreconf -fi
sed -i 's/-m 1770 -g nogroup//g' tools/Makefile.in
%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
fPIE="-fPIE"
pie="-pie"
%endif
export CFLAGS="$RPM_OPT_FLAGS $fPIE"
%configure \
	--with-tcp-wrappers \
	--localstatedir=/var \
	--with-pem-dir=%{_sysconfdir}/stunnel
echo -e ".\n.\n.\n.\n.\n" | make LDADD="$pie -Wl,-z,defs,-z,relro"

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/var/lib/stunnel/{etc,dev,bin,sbin,%_lib}
mkdir -p $RPM_BUILD_ROOT/var/lib/stunnel
mkdir -p $RPM_BUILD_ROOT/etc/init.d/
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
make \
	confdir=%{_sysconfdir}/stunnel \
	sbindir=%{_sbindir} \
	libdir=%{_libdir} \
	mandir=%{_mandir} \
	docdir=%{_docdir}/%{name} \
	DESTDIR=$RPM_BUILD_ROOT \
	install
cp -p %{S:1} tools/stunnel.conf-sample
cp -p %{S:2} README.%VENDOR
cp -p %{S:3} $RPM_BUILD_ROOT/var/adm/fillup-templates/
install -m 744 $RPM_SOURCE_DIR/stunnel.rc $RPM_BUILD_ROOT/etc/init.d/stunnel
ln -s ../../etc/init.d/stunnel $RPM_BUILD_ROOT/usr/sbin/rcstunnel
ln -s stunnel3 $RPM_BUILD_ROOT/usr/sbin/stunnel3_wrapper
rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.pem
rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.conf-sample

%clean
rm -rf $RPM_BUILD_ROOT

%pre
%if 0%{?suse_version} > 730
system_user=-r
%endif
/usr/sbin/useradd $system_user -g nogroup -s /bin/false -c "Daemon user for stunnel (universal SSL tunnel)" \
	-d /var/lib/stunnel stunnel 2> /dev/null ||:

%post
%{fillup_and_insserv -f}
%{fillup_only -ans syslog stunnel}
%run_ldconfig
if ! test -s etc/stunnel/stunnel.conf; then
	cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf
	echo copying default config file to /etc/stunnel/stunnel.conf
fi
# first installation?
if [ ${FIRST_ARG:-0} = 1 ]; then
	if ! test -f etc/stunnel/stunnel.pem; then
		cat usr/share/doc/packages/stunnel/README.%VENDOR
	fi
fi

%preun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%stop_on_removal stunnel
%endif

%postun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%restart_on_update stunnel
%insserv_cleanup
%endif

%files
%defattr(-, root, root)
%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog INSTALL NEWS PORTS README TODO
%doc README.%VENDOR
%doc doc/stunnel.html
%doc doc/stunnel.*.html
%doc doc/en/*
%doc doc/pl
%doc tools/ca.*
%doc tools/importCA.*
%doc tools/stunnel.cnf
%doc tools/stunnel.conf-sample
%{_sbindir}/*
%{_libdir}/libstunnel*
%{_mandir}/man8/*
%dir %attr(700,root,root) %{_sysconfdir}/stunnel
%dir %attr(755,root,root) /var/lib/stunnel
%dir %attr(755,root,root) /var/lib/stunnel/bin
%dir %attr(755,root,root) /var/lib/stunnel/etc
%dir %attr(755,root,root) /var/lib/stunnel/dev
%dir %attr(755,root,root) /var/lib/stunnel/%_lib
%dir %attr(755,root,root) /var/lib/stunnel/sbin
/var/adm/fillup-templates/sysconfig.syslog-stunnel
%config /etc/init.d/*

%changelog -n stunnel
* Fri Jun 23 2006 - poeml@suse.de
- build as non-root
- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
- fix BuildRequires for Fedora Core, and wrap suse_version macros
- upstream 4.1.5 (out since 3 months, which makes me confident)
  * Release notes
    - There are a lot of new features in this version. I recommend to
      test it well before upgrading your mission-critical systems.
  * Bugfixes
    - Default threading model changed to pthread for better portability.
    - DH parameters are not included in the certificate by default.
  * New features sponsored by Software House http://www.swhouse.com/
    - Most SSL-related options (including client, cert, key) are now
      available on service level, so it is possible to have an SSL
      client and an SSL server in a single stunnel process.
  * New features
    - Client mode CONNECT protocol support (RFC 2817 section 5.2).
      http://www.ietf.org/rfc/rfc2817.txt
    - Retrying exec+connect services added.
  * File locations are more compliant to Filesystem Hierarchy Standard 2.3
    - configuration and certificates are in $prefix/etc/stunnel/
    - binaries are in $prefix/sbin/
    - default pid file is $prefix/var/run/stunnel.pid
    - manual is $prefix/man/man8/stunnel.8
    - other docs are in $prefix/share/doc/stunnel/
    - libstunnel is in $prefix/lib
    - chroot directory is set up in $prefix/var/lib/stunnel/
      this directory is chmoded 1770 and group nogroup
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Sun Nov 27 2005 - lmuelle@suse.de
- update to 4.14
* Thu Oct 06 2005 - poeml@suse.de
- fix hang/segfault upon connect. Use pthreads by removing configure
  check for ucontext.h [#119650]
* Tue Aug 30 2005 - poeml@suse.de
- fix parsing of ldd output when setting up the chroot jail [#114090]
* Tue Jun 21 2005 - poeml@suse.de
- update to 4.10
  - Some bugfixes and code cleanup were done.
  - A new user-level non-preemptive thread model was added for even
    greater scalability.
  - The stunnel3 script was improved to be more compatible with getopt.
- add post-4.10 stunnel-4.10-inetd.patch
- compile with tcp wrappers
- compile as PIE and link with -z relro
* Tue Jan 04 2005 - poeml@suse.de
- update to 4.07
  * Bugfixes
    - Problem with infinite poll() timeout negative, but not equal to -1 fixed.
    - Problem with a file descriptor ready to be read just after a
      non-blocking connect call fixed.
    - Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed.
    - IP address and TCP port textual representation length (IPLEN)
      increased to 128 bytes.
    - OpenSSL engine support is only used if engine.h header file exists.
    - Broken NT Service mode on WIN32 platform fixed.
    - Support for IPv4-only WIN32 machines restored.
* Tue Dec 28 2004 - poeml@suse.de
- update to 4.06
  In this version, IPv6 support, compression support, hardware engine
  selection and many other features were added. A new stunnel3 Perl
  script to emulate version 3.x command line options was added. poll()
  is used instead of select() where available, so FD_SETSIZE no longer
  limits the number of concurrent connections.
- add stunnel-4.06-nfds.dif stunnel-4.06-poll_timeout.patch
  stunnel-4.06-race_condition.patch
* Thu Nov 11 2004 - poeml@suse.de
- fix filelist for /usr/lib
* Fri Mar 05 2004 - poeml@suse.de
- update to 4.05. new features (excerpt):
  * New feature sponsored by SURFnet http://www.surfnet.nl/
    - Support for CIFS aka SMB protocol SSL negotiation.
  * New features
    - CRL support with new CApath and CAfile global options.
    - New -fd command line parameter to read configuration from a
      specified file descriptor instead of a file.
    - accept is reported as error with [section] defined (in stunnel
      4.04 it was silently ignored causing problems for lusers that did
      not read the fine manual).
    - Use fcntl() instead of ioctlsocket() to set socket nonblocking
      when it is supported.
    - Basic support for hardware engines with OpenSSL >= 0.9.7.
    - French manual by Bernard Choppy.
    - Thread stack size reduced to 64KB for maximum scalability.
    - Added optional code to debug thread stack usage.
    - Support for nsr-tandem-nsk (thx to Tom Bates).
  * Bugfixes
    - TCP wrappers code moved to CRIT_NTOA critical section since it
      uses static inet_ntoa() result buffer.
    - SSL_ERROR_SYSCALL handling problems fixed.
    - added code to retry nonblocking SSL_shutdown() calls.
    - Use FD_SETSIZE instead of 16 file descriptors in inetd mode.
    - fdscanf groks lowercase protocol negotiation commands.
    - Libwrap detection bug in ./configure script fixed.
    - Some other minor updates.
- show readme only at first installation
* Tue Aug 26 2003 - poeml@suse.de
- add Config: syslog-ng to sysconfig.syslog-stunnel
* Thu Aug 14 2003 - poeml@suse.de
- add activation metadata to sysconfig template [#28954]
- rename README.SuSE to README.{SuSE,UnitedLinux}
- don't show blurb in %%post if a certificate exists
* Tue Aug 12 2003 - poeml@suse.de
- implement 'try-restart' in rcstunnel correctly [#28636]
* Wed Jul 30 2003 - poeml@suse.de
- add an example configuration for tunneling MySQL
- make stunnel3_wrapper compatible to more shells, and merge it with
  stunnel3_convert (which becomes a symlink)
- new macros for stop/restart of services on rpm update/removal
* Tue May 13 2003 - poeml@suse.de
- delete (from the build root) files not to be packaged
- package the libtool library file
- add a commented option to the sample configuration
* Thu Mar 13 2003 - poeml@suse.de
- rc.stunnel: do not write the startup log to a world writable
  directory [cf. #25239]
* Mon Feb 17 2003 - poeml@suse.de
- Version 4.04, 2003.01.12, urgency: MEDIUM:
  * New features [excerpt]
    - New 'options' configuration option to setup OpenSSL library hacks
      with SSL_CTX_set_options().
    - 'service' option also changes the name for TCP Wrappers access
      control in inetd mode.
    - SSL is negotiated before connecting remote host or spawning local
      process whenever possible.
    - REMOTE_HOST variable is always placed in the environment of a
      process spawned with 'exec'.
    - Whole SSL error stack is dumped on errors.
    - 'make cert' rule is back (was missing since 4.00).
    - Manual page updated (special thanks to Brian Hatch).
  * Bugfixes
    - Major code cleanup (thx to Steve Grubb).
    - Unsafe functions are removed from SIGCHLD handler.
    - Several bugs in auth_user() fixed.
    - Incorrect port when using 'local' option fixed.
    - OpenSSL tools '-rand' option is no longer directly used with a
      device (like '/dev/urandom'). Temporary random file is created
      with 'dd' instead.
- fix typo in conf file example
* Wed Feb 12 2003 - mmj@suse.de
- Add sysconfig metadata [#22699]
* Thu Oct 31 2002 - poeml@suse.de
- update to 4.03
- add stunnel3_wrapper that translates the cmdline arguments into a
  configuration file
- fix default path of pidfile
- more examples
* Fri Oct 25 2002 - poeml@suse.de
- write the pid file before dropping the privileges
* Fri Oct 25 2002 - poeml@suse.de
- major version upgrade to 4.02
- better permissions for /etc/stunnel and keys [#18557]
- run as "stunnel" user in chroot jail
- add sysconfig.syslog-stunnel template and /var/lib/stunnel/dev for an
  additional syslog socket
- added init script and example configuration
* Sat Jul 27 2002 - adrian@suse.de
- use %%run_ldconfig
* Thu Mar 08 2001 - bk@suse.de
- update to 3.14 and fix localstatedir (/var/run/stunnel)
* Mon Feb 05 2001 - bk@suse.de
- fixed neededforbuild
* Sun Feb 04 2001 - bk@suse.de
- new package
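Added example (not the package's own Source1 stunnel.conf): a configuration that uses the pieces this spec sets up, the "stunnel" user with group nogroup, the /var/lib/stunnel chroot with its dev/ directory for the extra syslog socket, the mode-700 /etc/stunnel for the PEM files, and the 4.15 service-level client/cert options so that one process runs both an SSL server (POP3 as named in the description) and an SSL client. The hostname, ports, the pid path inside the chroot and the CA file name are assumptions; that verify/CAfile are accepted per service in 4.15 is also assumed.

```ini
; Global section: privileges are dropped into the jail the package creates.
; Certificates and keys are read before chroot/setuid, so they may stay in
; /etc/stunnel (mode 700, root-owned, as the %files section sets it).
cert   = /etc/stunnel/stunnel.pem
chroot = /var/lib/stunnel/
setuid = stunnel
setgid = nogroup
; pid path is relative to the chroot: this lands in /var/lib/stunnel/stunnel.pid
; (assumed location; the patch writes it while still root).
pid    = /stunnel.pid
; debug level 5 (notice) goes to syslog via the socket in /var/lib/stunnel/dev
; provided by sysconfig.syslog-stunnel.
debug  = 5

; SSL server: terminate POP3S on 995 and pass plaintext to the local POP3
; daemon, which itself needs no SSL code.
[pop3s]
accept  = 995
connect = 110

; SSL client in the same process: local plaintext SMTP on loopback is
; wrapped in SSL towards a remote SMTPS host (assumed example host).
[smtps-client]
client  = yes
accept  = 127.0.0.1:2525
connect = mail.example.org:465
; verify = 2 requires the peer certificate to chain to a CA in CAfile,
; so a forged remote is rejected rather than silently trusted.
verify  = 2
CAfile  = /etc/stunnel/ca-certs.pem
```

Because the spec removes stunnel.pem from the package and only prints README.SUSE on first install, the cert file must be generated by the administrator before the [pop3s] service can start.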