forked from pool/stunnel

4 Commits

Author SHA256 Message Date
Daniel Rahn
82d23f55cc Accepting request 429283 from home:sdrahn:branches:security:Stunnel
- update to version 5.35
- repackage source as bz2
- adjust systemd unit file to start after network-online.target
- bugfixes:
	* Fixed incorrectly enforced client certificate requests. 
	* Fixed thread safety of the configuration file reopening.
	* Fixed malfunctioning "verify = 4".
	* Only reset the watchdog if some data was actually transferred. 
	* Fixed logging an incorrect value of the round-robin starting point (thx to
	  Jose Alf.).
- new features:
	* Added three new service-level options: requireCert, verifyChain, and
	  verifyPeer for fine-grained certificate verification control. 
	* SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo
	  Rodriguez Garcia).
	* Added support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry
	  Bakshaev).
	* New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6. 
	* Added logging the list of client CAs requested by the server.

OBS-URL: https://build.opensuse.org/request/show/429283
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=76
2016-09-21 11:09:42 +00:00
fd5e6cd131 Accepting request 355231 from home:dstoecker
Fix was extremely easy, so I did it.

OBS-URL: https://build.opensuse.org/request/show/355231
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=74
2016-01-21 20:09:15 +00:00
Daniel Rahn
d17aa7ebbc Accepting request 314344 from home:sdrahn:branches:security:Stunnel
- update to version 5.19
  Bugfixes:
  - Improved socket error handling. 
  - Fixed handling of dynamic connect targets. 
  - Fixed handling of trailing whitespaces in the Content-Length header of the
    NTLM authentication. 
  - Fixed memory leaks in certificate verification.
  New features:
  - The "redirect" option was improved to not only redirect sessions established
    with an untrusted certificate, but also sessions established without a
    client certificate. 
  - Randomize the initial value of the round-robin counter. 
  - Added "include" configuration file option to include all configuration file
    parts located in a specified directory. 
  - Temporary DH parameters are refreshed every 24 hours, unless static DH
    parameters were provided in the certificate file. 
  - Warnings are logged on potentially insecure authentication. 
- stunnel-listenqueue-option.patch: Refresh.
- stunnel3-binpath.patch: Obsolete, dropped.
- stunnel.service: Modified to start after network.target, not syslog.target.

OBS-URL: https://build.opensuse.org/request/show/314344
OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=69
2015-06-29 10:02:42 +00:00
Daniel Rahn
5fada29b31 - - Update to version 5.0b1 (FATE#315694)
- Default "pid" is now "", i.e. not to create a pid file at startup.
  - Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to
    AlFBPPS attack and bad performance of DH ciphersuites. 
  - New service-level option "redirect" to redirect SSL client connections on
    authentication failures instead of rejecting them.
  - New global "engineDefault" configuration file option to control which
    OpenSSL tasks are delegated to the current engine.
  - New service-level configuration file option "engineId" to select the engine
    by identifier, e.g. "engineId = capi". 
  - Improved readability of error messages printed when stunnel refuses to start
    due to a critical error.
- Patches:
  - stunnel-CVE-2013-1762.patch obsoleted. Dropped.
  - stunnel-default-fips-off.patch obsoleted. Dropped.
  - stunnel-listenqueue-option.patch refreshed.
- update to version 4.56

OBS-URL: https://build.opensuse.org/package/show/security:Stunnel/stunnel?expand=0&rev=62
2014-01-29 16:56:32 +00:00