From 8e474e5321818b0121633c5fe071606cb3dcbe69 Mon Sep 17 00:00:00 2001 
From: Salvatore Bonaccorso
Date: Mon, 22 Apr 2013 19:47:34 +0200
Subject: [PATCH] Imported Debian patch 3:4.53-1.1

---
debian/README.Debian | 95 ++
debian/README.source | 57 ++
debian/StunnelConf-0.1.pl | 477 +++++++++
debian/changelog | 933 ++++++++++++++++++
debian/compat | 1 +
debian/control | 31 +
debian/copyright | 47 +
debian/dirs | 3 +
debian/doc-base | 10 +
debian/docs | 4 +
debian/lintian.overrides | 2 +
debian/patches/CVE-2013-1762.patch | 56 ++
debian/patches/fix-paths | 62 ++
debian/patches/init_script_description | 17 +
.../patches/logrotate_warning_in_sample_conf | 26 +
debian/patches/rename-binary | 158 +++
debian/patches/runas-user | 16 +
debian/patches/selective_tunnel_restart | 48 +
debian/patches/series | 7 +
debian/postinst | 67 ++
debian/postrm | 17 +
debian/rules | 113 +++
debian/source/format | 1 +
debian/stunnel3.8 | 505 ++++++++++
debian/stunnel4.0stunnel4.ppp.ip-down | 9 +
debian/stunnel4.0stunnel4.ppp.ip-up | 7 +
debian/stunnel4.NEWS | 29 +
debian/stunnel4.conf.README | 13 +
debian/stunnel4.default | 11 +
debian/stunnel4.examples | 6 +
debian/stunnel4.links | 2 +
debian/stunnel4.logrotate | 13 +
debian/stunnel4.manpages | 4 +
debian/watch | 8 +
34 files changed, 2855 insertions(+)
create mode 100644 debian/README.Debian
create mode 100644 debian/README.source
create mode 100644 debian/StunnelConf-0.1.pl
create mode 100644 debian/changelog
create mode 100644 debian/compat
create mode 100644 debian/control
create mode 100644 debian/copyright
create mode 100644 debian/dirs
create mode 100644 debian/doc-base
create mode 100644 debian/docs
create mode 100644 debian/lintian.overrides
create mode 100644 debian/patches/CVE-2013-1762.patch
create mode 100644 debian/patches/fix-paths
create mode 100644 debian/patches/init_script_description
create mode 100644 debian/patches/logrotate_warning_in_sample_conf
create mode 100644 debian/patches/rename-binary
create mode 100644 debian/patches/runas-user
create mode 100644 debian/patches/selective_tunnel_restart
create mode 100644 debian/patches/series
create mode 100644 debian/postinst
create mode 100644 debian/postrm
create mode 100755 debian/rules
create mode 100644 debian/source/format
create mode 100644 debian/stunnel3.8
create mode 100644 debian/stunnel4.0stunnel4.ppp.ip-down
create mode 100644 debian/stunnel4.0stunnel4.ppp.ip-up
create mode 100644 debian/stunnel4.NEWS
create mode 100644 debian/stunnel4.conf.README
create mode 100644 debian/stunnel4.default
create mode 100644 debian/stunnel4.examples
create mode 100644 debian/stunnel4.links
create mode 100644 debian/stunnel4.logrotate
create mode 100644 debian/stunnel4.manpages
create mode 100644 debian/watch
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..c793874
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,95 @@ +This is the Stunnel 4.x package for Debian. + +* Upgrading from stunnel to stunnel4 + +Stunnel 3 has been deprecated from Debian. The new stunnel4 has a +different command line syntax and configuration. You will need to +update your scripts. + +The wrapper script /usr/bin/stunnel3 understands stunnel3 command line +syntax and calls stunnel4 with appropriate options. It appears to +support every stunnel3 option *except* -S (which controls the defaults +used for certificate sources). + +To simplify migration, /usr/bin/stunnel is a symlink to the wrapper +script. A future version will make the link point to stunnel4. + +* Changes from previous versions + +Upstream versions 4.20 and earlier used to ship binaries in /usr/sbin +by default. If you are upgrading from a hand compiled version or from an +ancient Debian package you will need to update your scripts to refer +to /usr/bin. + +This change was made in order to be FHS compliant (stunnel can be used by +normal users, and not only by admins). + +* Basic configuration + +After installation, you should : + + - edit /etc/stunnel/stunnel.conf + + - edit /etc/default/stunnel and set ENABLE=1, if you want your + configured tunnels to start automatically on boot. + + - generate a certificate for use with stunnel if you want to use server mode + +Sergio Rua made a perl front-end for the stunnel +configuration. It is very simple and only includes a couple of configuration +options. This script is located in + /usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl + +It requires libgnome2-perl and libgtk2-perl. + +* How to create SSL keys for stunnel + +The certificates default directory is /etc/ssl/certs, so cd into that dir +and issue the command: + + openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem + +Fill in the info requested. + +Change 'stunnel.pem' to the name of the certificate you need to +create. 
stunnel.pem will be used by default by stunnel, but you want +to create different certificates for different services you run with +stunnel. Make sure only root can read the file (or only the user that +needs to read it, if stunnel is run as that user): + + chmod 600 stunnel.pem + +Now you need to append the DH parameters to the certificate. + +First you need to generate some amount of random data: + + dd if=/dev/urandom of=temp_file count=2 + +Use /dev/random if you want a more secure source of data, but make +sure you have enough entropy on you system (the output file should be +at least 512 bytes long). + +And now make openssl generate the DH parameters and append them to the +certificate file: + + openssl dhparam -rand temp_file 512 >> stunnel.pem + +You also want to link the certificate to its hash name so that openssl +can find it also by that means: + + ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0 + +Read the manual page for openssl for more info on the various options. + +* FIPS + +stunnel 4.21 includes support for OpenSSL's FIPS mode. However, using +it requieres stunnel to be compiled statically against OpenSSL and all +supporting libraries. Thus, this option is disabled in the Debian package. + +See the OpenSSL FIPS FAQ at +http://oss-institute.org/fips-faq.html + + - Julien LEMOINE , Sun, 19 Feb 2006 17:31:24 +0100 + + -- Luis Rodrigo Gallardo Cruz , Sat, 30 Oct 2007 14:50:54 z diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..8646078 --- /dev/null +++ b/debian/README.source 
@@ -0,0 +1,57 @@ +This package uses quilt to manage all modifications to the upstream +source. Changes are stored in the source package as diffs in +debian/patches and applied during the build. + +To configure quilt to use debian/patches instead of patches, you want +either to export QUILT_PATCHES=debian/patches in your environment +or use this snippet in your ~/.quiltrc: + + for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do + if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then + export QUILT_PATCHES=debian/patches + fi + done + +To get the fully patched source after unpacking the source package, cd to +the root level of the source package and run: + + quilt push -a + +The last patch listed in debian/patches/series will become the current +patch. + +To add a new set of changes, first run quilt push -a, and then run: + + quilt new + +where is a descriptive name for the patch, used as the filename in +debian/patches. Then, for every file that will be modified by this patch, +run: + + quilt add + +before editing those files. You must tell quilt with quilt add what files +will be part of the patch before making changes or quilt will not work +properly. After editing the files, run: + + quilt refresh + +to save the results as a patch. + +Alternately, if you already have an external patch and you just want to +add it to the build system, run quilt push -a and then: + + quilt import -P /path/to/patch + quilt push -a + +(add -p 0 to quilt import if needed). as above is the filename to +use in debian/patches. The last quilt push -a will apply the patch to +make sure it works properly. + +To remove an existing patch from the list of patches that will be applied, +run: + + quilt delete + +You may need to run quilt pop -a to unapply patches first before running +this command. diff --git a/debian/StunnelConf-0.1.pl b/debian/StunnelConf-0.1.pl new file mode 100644 index 0000000..e4e5d13 --- /dev/null +++ b/debian/StunnelConf-0.1.pl 
@@ -0,0 +1,477 @@ +#!/usr/bin/perl + +# Copyright (C) 2004 Sergio Rua + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +# +# On Debian GNU/Linux systems, the complete text of the GNU General +# Public License can be found in `/usr/share/common-licenses/GPL'. + +use strict; +use Gtk2; +use Gnome2; +use Gtk2::SimpleList; + +use constant TRUE => 1; +use constant FALSE => 0; +# Please configure if necessary! +my $cfgfile = "/etc/stunnel/stunnel.conf"; +my $backup_cfg = 1; +my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g; + +# global variables +my $ekey; +my $ecert; +my $verify; +my $app; +my $elog; +my $clientmode; +my $debuglevel; +my $capath; +my $list; + + +sub mydie +{ + my ($msg)=@_; + + print "$msg\n"; + Gtk2->main_quit; + exit (-1); +} + + +sub sel_file +{ + my ($title,$entry,$isfile)=@_; + + my $fsel=Gtk2::FileSelection->new($title); + $fsel->ok_button->signal_connect("clicked",sub { + print "OK: ". 
$fsel->get_filename."\n"; + $entry->set_text($fsel->get_filename); + $fsel->destroy; + }); + $fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; }); + + $fsel->show; +} + +sub add_connection +{ + my $win = new Gtk2::Window("toplevel"); + $win->set_position("center"); + + my $vbox = new Gtk2::VBox( 0, 2 ); + $win->add($vbox); + $vbox->show; + my $druid = new Gnome2::Druid; + $druid->signal_connect("cancel", sub { $win->destroy; } ); + $vbox->pack_start($druid,0,0,0); + my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START"); + $druid_start->set_title("Connections setup"); + $druid_start->set_text("Please follow this configuration wizard to ". + "configure your connections\n"); +# $druid_start->set_watermark($logo); + $druid_start->show; + $druid->append_page($druid_start); + +# Second Step: accepting connections + my $druid_name = new Gnome2::DruidPageStandard(); + $druid_name->set_title("Connection name"); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $label=new Gtk2::Label("Enter this connection name"); + $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0); + my $ename=new Gtk2::Entry(); + $dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0); + $druid_name->append_item("",$dvbox,""); + $druid_name->show_all; + # add page to the druid + $druid->append_page($druid_name); + + +# Second Step: accepting connections + my $druid_accept = new Gnome2::DruidPageStandard(); + $druid_accept->set_title("Accepting connections"); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $accept_error=new Gtk2::Label(""); + $dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0); + my $label=new Gtk2::Label("IP or hostname"); + $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0); + my $eip=new Gtk2::Entry(); + $dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0); + + my $label=new Gtk2::Label("Port 
number"); + $dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0); + my $eport=new Gtk2::Entry(); + $dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0); + + $druid_accept->append_item("",$dvbox,""); + $druid_accept->show_all; + # add page to the druid + $druid->append_page($druid_accept); + +# Third Step: connecting to... + my $druid_connect = new Gnome2::DruidPageStandard(); + $druid_connect->set_title("Connection To..."); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $label=new Gtk2::Label("IP or hostname"); + $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0); + my $etoip=new Gtk2::Entry(); + $dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0); + + my $label=new Gtk2::Label("Port number"); + $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0); + my $etoport=new Gtk2::Entry(); + $dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0); + + $druid_connect->append_item("",$dvbox,""); + $druid_connect->show_all; + # add page to the druid + $druid->append_page($druid_connect); + + +# Finishing and adding connection + my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH"); + $druid_finish->set_title("Configuration Finished."); + $druid_finish->set_text("The configuration has been finished. Click to either save or cancel"); +# $druid_finish->set_logo($logo2); + $druid_finish->signal_connect("finish", sub { + my $acip=$eip->get_text(); + my $acport=$eport->get_text(); + my $coip=$etoip->get_text(); + my $coport=$etoport->get_text(); + + my $dslist = $list->{data}; + push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ]; + + + $win->destroy; + }); + $druid_finish->show; + $druid->append_page($druid_finish); + $druid->show; + $win->show; +} + +sub load_config_file +{ + my $con=$list->{data}; + my $name=""; + my $accept=""; + my $connect=""; + + if (! -s $cfgfile) { + print "Config file not found. 
Starting from scratch!\n"; + return (0); + } + + open F, "<$cfgfile" or die "$cfgfile: $!\n"; + + while () { + $_=~s/\n//g; + if ($_=~/^cert.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $ecert->set_text($value); + } elsif ($_=~/^key.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $ekey->set_text($value); + } elsif ($_=~/^verify.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + if ($value==1) { + $verify->entry->set_text("verify peer certificate if present"); + } elsif ($value==2) { + $verify->entry->set_text("verify peer certificate"); + } elsif ($value==3) { + $verify->entry->set_text("verify peer with locally installed certificate"); + } else { + $verify->entry->set_text("no verify"); + } + } elsif ($_=~/^client.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $clientmode->entry->set_text($value); + } elsif ($_=~/^(capath|CApath).*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $capath->set_text($value); + } elsif ($_=~/^debug.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $debuglevel->entry->set_text($value); + } elsif ($_=~/^output.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $elog->set_text($value); + } elsif ($_=~/^\[.*/) { + $_=~s/\[//g; + $_=~s/\]//g; + $name=$_; + } elsif ($_=~/^accept.*=.*/) { + (undef,$accept) = split "=",$_; + $accept=~s/(\ |\t)//g; + } elsif ($_=~/^connect.*=.*/) { + (undef,$connect) = split "=",$_; + $connect=~s/(\ |\t)//g; + } + + # load connection + if (($accept) && ($name) && ($connect)) { + push @$con, [ $name, $accept, $connect ]; + $name=$connect=$accept=""; + } + } + close F; + +} + +sub save_config_file +{ + if ($backup_cfg) { + chdir ($base_cfg_dir); + rename($cfgfile,$cfgfile.".$$") or + print "Error at \n$cfgfile: $!\nNo backup made!\n"; + } + open O, ">$cfgfile" or + mydie "Cannot open config file: $!\n"; + + print "Saving $cfgfile\n\n\n"; + print O "# 
Configuration file created by \"stunnelconf\" by ". + "Sergio Rua \n\n"; + if ($ekey->get_text()) { + print O "key = ".$ekey->get_text()."\n"; + } + if ($ecert->get_text()) { + print O "cert = ".$ecert->get_text()."\n"; + } + print O "verify = ".$verify->entry->get_text()."\n"; + print O "output = ".$elog->get_text()."\n"; + print O "client = ".$clientmode->entry->get_text()."\n"; + print O "debug = ".$debuglevel->entry->get_text()."\n"; + print O "CApath = ".$capath->get_text()."\n"; + print O "\n\n"; # just some spaces + + my @rowref = @{$list->{data}}; + my $i=0; + + for $i (0 .. $#rowref) { + print O "[".$rowref[$i][0] . "]\n"; + # if no hostname, ugly ":" to be removed + $rowref[$i][1]=~s/^://g; + $rowref[$i][2]=~s/^://g; + print O "accept = ".$rowref[$i][1] . "\n"; + print O "connect = ".$rowref[$i][2] . "\n"; + print O "\n"; # just some spaces + } + + close O; + Gtk2->main_quit; + return 0; +} + + +sub create_main_win +{ + $app = Gnome2::App->new ("stunnel-conf"); + $app->set_default_size(470,410); + $app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } ); + $app->set_title("Stunnel Configuration"); + + my $vbox=Gtk2::VBox->new(FALSE,0); + my $frame=Gtk2::Frame->new("Common options"); + $vbox->pack_start($frame,TRUE, TRUE, 0); + + my $table=Gtk2::Table->new(6, 2, FALSE); + $frame->add($table); + + my $label0=Gtk2::Label->new("Private Key"); + $table->attach($label0,0,1,0,1,["fill"],["fill"],0,0); + my $label1=Gtk2::Label->new("Certificate"); + $table->attach($label1,0,1,1,2,["fill"],["fill"],0,0); + my $label2=Gtk2::Label->new("Verify level"); + $table->attach($label2,0,1,2,3,["fill"],["fill"],0,0); + my $label3=Gtk2::Label->new("Log output"); + $table->attach($label3,0,1,3,4,["fill"],["fill"],0,0); + my $label4=Gtk2::Label->new("Client mode"); + $table->attach($label4,0,1,4,5,["fill"],["fill"],0,0); + my $label5=Gtk2::Label->new("Debug level"); + $table->attach($label5,0,1,5,6,["fill"],["fill"],0,0); + my $label6=Gtk2::Label->new("Certificates path"); 
+ $table->attach($label6,0,1,6,7,["fill"],["fill"],0,0); + + # Private Key + my $hbox0=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0); + + $ekey=Gtk2::Entry->new(); + $hbox0->pack_start($ekey,TRUE,TRUE,0); + + my $bkey=Gtk2::Button->new_from_stock("gtk-open"); + $bkey->signal_connect("clicked",sub { + sel_file("Select private key",$ekey); + }); + $hbox0->pack_start($bkey,FALSE,FALSE,0); + + # Certificate + my $hbox1=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0); + + $ecert=Gtk2::Entry->new(); + $hbox1->pack_start($ecert,TRUE,TRUE,0); + + my $bcert=Gtk2::Button->new_from_stock("gtk-open"); + $bcert->signal_connect("clicked",sub { + sel_file("Select certificate",$ecert); + }); + $hbox1->pack_start($bcert,FALSE,FALSE,0); + + # Auth level - verify + $verify = Gtk2::Combo->new(); + $verify->entry->set_text("no verify"); + $verify->set_popdown_strings(("no verify", + "verify peer certificate if present", + "verify peer certificate", + "verify peer with locally installed certificate")); + $table->attach($verify,1,2,2,3,["fill"],["fill"],0,0); + + # Log output + my $hbox2=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0); + + $elog=Gtk2::Entry->new(); + $hbox2->pack_start($elog,TRUE,TRUE,0); + + my $blog=Gtk2::Button->new_from_stock("gtk-open"); + $blog->signal_connect("clicked",sub { + sel_file("Select log file",$elog); + }); + $hbox2->pack_start($blog,FALSE,FALSE,0); + + # Client mode + $clientmode = Gtk2::Combo->new(); + $clientmode->entry->set_text("no verify"); + $clientmode->set_popdown_strings(("yes","no")); + $table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0); + + # Debug level + $debuglevel = Gtk2::Combo->new(); + $debuglevel->entry->set_text("no verify"); + $debuglevel->set_popdown_strings(("0","1","5","7")); + $table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0); + + # CA path + my $hbox3=Gtk2::HBox->new(FALSE,0); + 
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0); + + $capath=Gtk2::Entry->new(); + $hbox3->pack_start($capath,TRUE,TRUE,0); + +# my $bcapath=Gtk2::Button->new_from_stock("gtk-open"); +# $bcapath->signal_connect("clicked",sub { +# sel_file("Select Certificates Path",$capath); +# }); +# $hbox3->pack_start($bcapath,FALSE,FALSE,0); + + # connections section + my $frame2=Gtk2::Frame->new("Connections"); + $vbox->pack_start($frame2,TRUE, TRUE, 0); + + my $hbox4=Gtk2::HBox->new(FALSE,0); + $list=Gtk2::SimpleList->new ( + 'Name' => 'text', + 'Accept' => 'text', + 'Connect' => 'text', + ); +# $list->get_selection->set_mode ('multiple'); + my $scwin = Gtk2::ScrolledWindow->new; + $scwin->set_policy (qw/automatic automatic/); + $scwin->add($list); + + $hbox4->pack_start($scwin,TRUE,TRUE,0); + + # list buttons + my $vbbox=Gtk2::VButtonBox->new(); + $vbbox->set_layout('spread'); + my $badd = Gtk2::Button->new_from_stock('gtk-add'); + $badd->signal_connect( 'clicked' => sub { add_connection; } ); + $vbbox->add($badd); + + +# my $bedit = Gtk2::Button->new_from_stock('gtk-properties'); +# $bedit->signal_connect( 'clicked' => sub { +# print "Edit\n"; +# } ); +# $vbbox->add($bedit); + + + my $brem = Gtk2::Button->new_from_stock('gtk-remove'); + $brem->signal_connect( 'clicked' => sub { + my @sel = $list->get_selected_indices; + print @sel; + foreach my $i (@sel) { + delete $list->{data}[$i]; + } + } ); + $vbbox->add($brem); + + $hbox4->pack_start($vbbox,FALSE,FALSE,0); + + # main buttons!!! 
+ my $bbox=Gtk2::HButtonBox->new(); + $bbox->set_layout('spread'); + + my $bok = Gtk2::Button->new_from_stock('gtk-ok'); + $bok->signal_connect( 'clicked' => sub { save_config_file; } ); + $bbox->add($bok); + + my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel'); + $bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} ); + $bbox->add($bcancel); + + $vbox->pack_start($bbox,FALSE,FALSE,0); + $frame2->add($hbox4); + + +# App contents and show them + $app->set_contents($vbox); + $app->show_all; +} + +# +# MAIN MAIN MAIN +# + + +# +Gnome2::Program->init ("stunnelconf", "0.1"); +$app=create_main_win; +load_config_file; + +Gtk2->main; + +exit 0; + diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..6c6a8a0 --- /dev/null +++ b/debian/changelog 
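Review bot: save_config_file writes the combo's display string into the config file (`print O "verify = ".$verify->entry->get_text()."\n";`), so a round trip through load_config_file, which maps the numeric levels 1–3 to those strings, emits `verify = verify peer certificate` or `verify = no verify`, which stunnel cannot parse; the line is also unconditional, so a config that had no verify key gains an invalid one. In create_main_win the Client mode and Debug level combos are likewise seeded with `"no verify"`, a value absent from their own popdown lists, and it is written out verbatim as `client = no verify` / `debug = no verify`; seed them from their lists instead, e.g. `$clientmode->entry->set_text("no");` and `$debuglevel->entry->set_text("5");`. Separately, after `rename($cfgfile, …)` the replacement is created by `open O, ">$cfgfile"` with the process umask rather than the original file's mode, which is worth preserving for a file under /etc/stunnel. The rewrite below keeps the string-to-level mapping in one place and omits the line for "no verify", matching what load_config_file does for an absent key.
```perl
sub save_config_file
{
    # … unchanged: backup/rename of $cfgfile, open of O, header, key/cert lines …

    # stunnel expects the numeric level; these strings must stay identical to
    # the ones used by load_config_file and create_main_win.
    my %verify_level = (
        "verify peer certificate if present"             => 1,
        "verify peer certificate"                        => 2,
        "verify peer with locally installed certificate" => 3,
    );
    my $verify_text = $verify->entry->get_text();
    if (exists $verify_level{$verify_text}) {
        print O "verify = ".$verify_level{$verify_text}."\n";
    }
    # "no verify" (or any unknown text) writes no line at all: an absent key
    # is how load_config_file already treats unknown values.

    # … unchanged: output/client/debug/CApath lines and connection sections …
```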
@@ -0,0 +1,933 @@ +stunnel4 (3:4.53-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2013-1762.patch patch. + CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT + protocol negotiation. (Closes: #702267) + + -- Salvatore Bonaccorso Mon, 22 Apr 2013 19:47:34 +0200 + +stunnel4 (3:4.53-1) unstable; urgency=low + + * New upstream version 4.53. + - Added client-mode "sni" option to directly control the value of + TLS Server Name Indication (RFC 3546) extension (Closes: #668041). + - Added support for IP_FREEBIND socket option with a pached Linux kernel. + - Glibc-specific dynamic allocation tuning was applied to help unused memory + deallocation. + - Non-blocking OCSP implementation. + - Various other bugfixes, see upstream changelog for details. + + * Enabled hardening compile flags. There were NO compile time warning messages + or errors triggered because of this. + + * Updated to Standards-Version 3.9.3. No changes required. + - Migrating to /run from /var/run will be a hard problem, because we expect + user written config files to refer to the directory. We'll punt on making + this change for now. + * Updated copyright years to 2012. + * Added Description: LSB header to init script. + + -- Luis Rodrigo Gallardo Cruz Sun, 03 Jun 2012 11:34:36 -0700 + +stunnel4 (3:4.52-1) unstable; urgency=low + + * New upstream version 4.52. + * Do not enable chroot in sample config file. It is misleading to users, it + suggests it can be used with no further changes. Closes: #652812 + * Remove log files on purge. Closes: #657135 + + -- Luis Rodrigo Gallardo Cruz Sun, 12 Feb 2012 12:06:37 -0800 + +stunnel4 (3:4.51~b5-1) experimental; urgency=low + + * New upstream version + - Fixed exec+connect sections (Closes: #653882). + - New "compression = deflate" global option to enable RFC 2246 compression. + For compatibility with previous versions "compression = zlib" and + "compression = rle" also enable the deflate (RFC 2246) compression. 
+ - Separate default ciphers and sslVersion for "fips = yes" and "fips = no". + + -- Luis Rodrigo Gallardo Cruz Wed, 04 Jan 2012 11:24:58 -0800 + +stunnel4 (3:4.50-1) unstable; urgency=low + + * New Upstream Releases. Highlights: + + 4.46: + - Added Unix socket support (e.g. "connect = /var/run/stunnel/socket"). + - Added "verify = 4" mode to ignore CA chain and only verify peer + certificate. + - Removed the limit of 16 IP addresses for a single 'connect' option. + - Removed the limit of 256 stunnel.conf sections in PTHREAD threading + model. + + 4.45: + - "protocol = proxy" support to send original client IP address to haproxy + http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt + This requires accept-proxy bind option of haproxy 1.5-dev3 or later. + - Libwrap helper processes are no longer started if libwrap is disabled + in all sections of the configuration file. + - Fixed -l option handling in stunnel3 script (thx to Kai Gülzau). + - Script to build default stunnel.pem was fixed (thx to Sebastian Kayser). + + 4.44: + - Heap buffer overflow protection with canaries. + - Stack buffer overflow protection with -fstack-protector. + - Fixed garbled error messages on errors with setuid/setgid options. + + 4.43: + - Major optimization of the logging subsystem. + Benchmarks indicate up to 15% stunnel performance improvement. + * Remove config.guess and config.sub in clean target, otherwise build fails + because of changes in source outside of a patch. Found and fixed by + Peter Eisentraut (Closes: #647176). + * Updated watchfile to new upstream's directory structure for archived + releases. + + -- Luis Rodrigo Gallardo Cruz Thu, 29 Dec 2011 06:39:09 -0800 + +stunnel4 (3:4.42-1) unstable; urgency=low + + * New Upstream Release. + - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may + possibly be leveraged to perform DoS or remote code execution attacks. + (Closes: #638758) + - New verify level 0 to request and ignore peer certificate. 
+ + -- Luis Rodrigo Gallardo Cruz Sat, 27 Aug 2011 08:34:43 -0700 + +stunnel4 (3:4.40-1) unstable; urgency=low + + * New Upstream Release: + - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters + are not provided in stunnel.pem. + - Default "ciphers" value updated to prefer ECDH: + "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH". + - Default ECDH curve updated to "prime256v1". + - Removed support for temporary RSA keys (used in obsolete export ciphers). + + -- Luis Rodrigo Gallardo Cruz Sun, 24 Jul 2011 11:06:57 -0700 + +stunnel4 (3:4.39-1) unstable; urgency=low + + * New Upstream Releases. Highlights: + + 4.38: + - Server-side SNI implemented (RFC 3546 section 3.1) with a new + service-level option "nsi". + - "socket" option also accepts "yes" and "no" for flags. + - Nagle's algorithm is now disabled by default for improved interactivity. + - Bugfix: Signal pipe set to non-blocking mode. This bug caused + hangs of stunnel features based on signals, e.g. local mode, FORK + threading, or configuration file reload on Unix. Win32 platform was + not affected. + + 4.37: + - Client-side SNI implemented (RFC 3546 section 3.1). + - Default "ciphers" changed from the OpenSSL default to a more secure + and faster "RC4-MD5:HIGH:!aNULL:!SSLv2". + A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2". + - Recommended "options = NO_SSLv2" added to the sample stunnel.conf file. + - Default client method upgraded from SSLv3 to TLSv1. + To connect servers without TLS support use "sslVersion = SSLv3" option. + - Bugfix: Non-blocking socket handling in local mode fixed + (Closes: #626856). + + 4.36: + - Dynamic memory management for strings manipulation: + no more static STRLEN limit, lower stack footprint. (Closes: #594876). + - Strict public key comparison added for "verify = 3" certificate + checking mode (thx to Philipp Hartwig). + For more details see upstream ChangeLog. + + * Removed /usr/lib/stunnel/libstunnel.la file. 
+ * Support restarting selected stunnel instances. Thanks Peter Palfrader. + (Closes: #627765). + + -- Luis Rodrigo Gallardo Cruz Thu, 21 Jul 2011 15:46:25 -0700 + +stunnel4 (3:4.35-2) unstable; urgency=low + + * Fix variable substitution in init script (Closes: #623221). + Thanks Tomas Kapralek for report and diagnosis. + + -- Luis Rodrigo Gallardo Cruz Mon, 18 Apr 2011 20:46:01 -0700 + +stunnel4 (3:4.35-1) unstable; urgency=low + + * New Upstream Releases (Closes: #621987). + * Upstream incorporated our init script, so this package no longer carries + its own copy of it. + * Bump Standards-Version to 3.9.2. No changes needed. + * Remove /etc/stunnel/stunnel4.conf file as it is useless, except as a sample. + A README file for /etc/stunnel was provided (Closes: #549384). + * Minor cleanup of debian/rules, no longer runs configure twice. + + -- Luis Rodrigo Gallardo Cruz Sun, 17 Apr 2011 22:04:53 -0700 + +stunnel4 (3:4.33-1) experimental; urgency=low + + * New Upstream Releases + - 4.31 + + A SIGHUP to the server will cause it to reload the configuration file. + + A SIGUSR1 to the server causes it to reopen its log files. + - 4.32 + + New service-level "libwrap" option for run-time control whether + /etc/hosts.allow and /etc/hosts.deny are used for access control. + Disabling libwrap significantly increases performance of stunnel. + - 4.33 + + Fixes to inetd mode + + For more details please see upstream's ChangeLog. + + * Init script now provides reload and reopen-log options (Closes: #323171). + * The logrotate config file now takes advantage of reopen-log option. + * Update config.{build,sub} on build. Closes: #535719. + * Add missing ${misc:Depends} entry to debian/control. + * Update copyright years. + * Update to Standards-Version: 3.9.1 + - stunnel4 no longer Conflicts: stunnel, but merely Breaks: stunnel. + * Update packaging to source format 3.0 (quilt). 
+ + -- Luis Rodrigo Gallardo Cruz Fri, 27 Aug 2010 16:58:44 -0700 + +stunnel4 (3:4.29-1) unstable; urgency=low + + * New upstream version (Closes: #559270). + - sessiond, a high performance SSL session cache was built for stunnel. + A new service-level "sessiond" option was added. sessiond is + available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ . + stunnel clusters will be a lot faster, now! + - Transparent proxy support on Linux kernels >=2.6.28. + See the manual for details. + The old transproxy.txt file is no longer provided. + - New socket options to control TCP keepalive on Linux: + TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL. + - SSL options updated for the recent version of OpenSSL library. + - Bugfixes + + Missing "fips" option was added to the manual. + + A serious bug in asynchronous shutdown code fixed. + + Data alignment updated in libwrap.c. + + Polish manual encoding fixed. Debian's patch for this removed. + + Notes on compression implementation in OpenSSL added to the manual. + + * Use correct owner:group for logs after rotation. (Closes: #529481). + Thanks Brian 'morlenxus' Miculcy + * Use copytruncate in logrotate file, instead of restarting the + daemon (Closes: #535915). + Thanks Andrew Buckeridge + * Bump Standards-Version to 3.8.3. No changes required. + * Do not specify path to true in postinst script. + + -- Luis Rodrigo Gallardo Cruz Tue, 08 Dec 2009 19:34:21 -0800 + +stunnel4 (3:4.27-1) unstable; urgency=low + + * New upstream release. + - Remove debian/patches/security-check_certificate, now included upstream. + Fixes: CVE-2008-2420 + - Libwrap helper processes fixed to close standard + input/output/error file descriptors. (Closes: #482379) + * Rebase quilt patches to not require -p0. (Closes: #484966) + * Fix sample configuration file to use ssl cert from /etc/ssl/certs + (Closes: #460953). + * Warn if automatic startup is disabled in /etc/default/stunnel4 + (Closes: #475599). + * Use invoke-rc.d in ppp start/stop scripts. 
+ * Standards-Version: 3.8.1. + - Add README.source documenting use of quilt. + * Bump to debhelper 7 + - Remove unused old option from dh_mkshlibs call + * Declare the polish pod's encoding and use unicode when converting it + to a manpage. + * Dummy upgrade package is priority: extra + + -- Luis Rodrigo Gallardo Cruz Fri, 24 Apr 2009 19:56:05 -0700 + +stunnel4 (3:4.22-2) unstable; urgency=low + + * Check if a daemon is already running before trying to start it with the + same configuration file. Thanks Peter Palfrader for + the report (Closes: #506091). + + -- Luis Rodrigo Gallardo Cruz Tue, 18 Nov 2008 13:52:42 +0100 + +stunnel4 (3:4.22-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix security bug in the OCSP functionality that allowed revoked + certificates to authenticate (Closes: #482644) + Fixes: CVE-2008-2420 + + -- Steffen Joeris Tue, 27 May 2008 18:28:56 +0200 + +stunnel4 (3:4.22-1) unstable; urgency=low + + * New upstream release. + - Build system now uses standard automake dirs. + - Reworked logging system avoids outputing before log file is configured + (Closes: #460019). + - Simultaneous logging to a file and the syslog is now possible. + - A new service level option to control stack size: + stack = + - Bugfixes in libwrap support code. + * debian/patches/setuid.patch: Removed, it's included upstream. + * debian/patches/fix-paths: Reworked to use automake's standard dirs. + * Rebase the rest of the patches. + * Update standards-version to 3.7.3. No changes needed. + * Fix build-dependencies on -1 revisions of libssl-dev, openssl and quilt. + * Register documentation in the System/Security section. + + -- Luis Rodrigo Gallardo Cruz Tue, 01 Apr 2008 11:07:56 -0600 + +stunnel4 (3:4.21-1) unstable; urgency=low + + * New upstream release. + - Binaries moved from /usr/sbin to /usr/bin. Thus, Debian no longer + diverges in that from upstream. + - libstunnel.so migrated inside /usr/lib/stunnel. 
+ - Preliminary FIPS 140-2 support, but this package does not include it, + as it requires static compilation. + - Miscelaneous bugfixing. + * debian/patches/no_zlib_link: + - Rebased. Only line numbering changed. + * debian/patches/libstunnel_is_private_lib: + - Removed. Included upstream. + * debian/patches/fix-paths: + - Remove hunks related to moving binaries to /usr/bin. Refresh line numbers + in the rest. + * debian/patches/rename-binary: + - Rebased. Minor changes due to changed dates in the manpage and the use of + @prefix@ in src/stunnel3.in. + * debian/patches/setuid.patch: + - Patch from upstream to allow using setuid/setgid with /etc/passwd and + /etc/group not within chrooted directory. + * debian/README.Debian: + - Add explanation about not turning FIPS mode on. + - Reword warning about binaries changing place. + * debian/rules, debian/stunnel4.manpages: + - No longer need to move the binaries. + - Upstream location for manpages changed. We still install them by hand, + anyways. + - Ship fr and pl manpages. + - Do not pass --host to configure if not cross compiling. + - Reorder target dependencies. This should avoid problems when doing + paralell builds. + * debian/control: + - Remove XS- prefix from Vcs-* fields. + - Add Homepage: field. + - Correct minor typo in dummy package's description. + - Version build dependency on quilt, since we require + /usr/share/quilt/quilt.make (Closes: #447751). + - Change my maintainer address. + + -- Luis Rodrigo Gallardo Cruz Wed, 05 Dec 2007 08:09:44 -0600 + +stunnel4 (3:4.20-5) unstable; urgency=low + + * debian/stunnel3.8: + - Remove references to unsupported -S and -V options in manpage, and + include an explicit list of tunable parameters for -O and their + default values (Closes: #440718). + - Rewrite -P argument description. It must be a file to be created, or + empty (Closes: #398012). 
+ + -- Luis Rodrigo Gallardo Cruz Thu, 27 Sep 2007 11:54:53 -0500 + +stunnel4 (3:4.20-4) unstable; urgency=low + + * Add missing names and dates of copyright attributions to + debian/copyright. Update licencing blurb to mention the new FSF's + postal address. + * Restructure README.Debian into sections. + * Remove /usr/share/lintian/overrides and /usr/sbin from + debian/dirs. Explicitely create the first if needed to install an + override file, and explicitely remove the later after moving the + binaries, in debian/rules. + * Move StunnelConf-0.1.pl into /usr/share/doc/stunnel4/contrib. Remove + it from debian/docs and explicitely install it in dh_install call. + * Patch configure (debian/patches/no_zlib_link) to avoid linking to + zlib. This library is a dependency of openssl, but not of ours. + * Rewrite changelog entries from previous version, adding mention of + modified files. + * Use make -C dir instead of cd dir; make constructs in debian/rules. + + -- Luis Rodrigo Gallardo Cruz Mon, 27 Aug 2007 18:11:40 -0500 + +stunnel4 (3:4.20-3) unstable; urgency=low + + * New Maintainer (Closes: #416955). + * Manage patches to upstream source with quilt. + - fix-paths changes references to /usr/sbin. + We install binaries in /usr/bin. It also removes bogus @PREFIX@ uses + from several paths. + - rename-binary changes the name of the executable to stunnel4. + - runas-user sets the default config to run as the stunnel4 user and group. + - connect-proxy-dunbar *unapplied* patch from upstream's + site. (It does not apply to 4.07 onwards) + - openssl0.9.8-initialization *unapplied* patch. Originaly meant to + close #334180, was disabled by previous maintainer without + explanation. + * Add stunnel dummy upgrade package. + - debian/control: Add package stanza. + - debian/rules: Modify to build the arch-indep package. + - debian/stunnel.NEWS: Add upgrade notice for stunnel 3 users. + * Shorten dh_* invocations in debian/rules. 
+ - new files: stunnel4.examples, stunnel4.links, stunnel4.manpages. + * Ship upstream Changelog (Closes: #419842). + - Add ChangeLog to dh_installchangelogs call in debian/rules. + * Do not compress StunnelConf-0.1.pl (Closes: #432304). + - Add exclude entry to dh_compress call in debian/rules. + * Add watch file. + * Suggests: logcheck-database (Closes: #382099). + * Move libstunnel.so into /usr/lib/stunnel, as it is a private DSO. + - Remove lintian overrides. + - Added debian/patches/libstunnel_is_private_lib + - Remove ldconfig calls from post{inst,rm} + - Remove /usr/lib/libstunnel.so.4 link + * Use debhelper compat mode 5. + - Bump debhelper build-depends to >= 5. No other changes. + * Remove /var/lib/stunnel4 when purged, if empty (in debian/postinst). + * Remove manual call to invoke-rc.d from postinst. debhelper inserts it + automatically. + + -- Luis Rodrigo Gallardo Cruz Mon, 20 Aug 2007 23:18:31 -0500 + +stunnel4 (3:4.20-2) unstable; urgency=low + + * Orphan package + + -- Julien Lemoine Sat, 31 Mar 2007 20:07:55 +0200 + +stunnel4 (3:4.20-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Sat, 27 Jan 2007 21:43:19 +0100 + +stunnel4 (3:4.18-2) unstable; urgency=low + + * Updated chroot default path in configuration file + * Added LSB section in init script + + -- Julien Lemoine Tue, 7 Nov 2006 20:22:04 +0100 + +stunnel4 (3:4.18-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 27 Sep 2006 20:33:07 +0200 + +stunnel4 (3:4.17-2) unstable; urgency=low + + * Check if pids are valid before trying to use kill + (Closes: #388379) + + -- Julien Lemoine Wed, 20 Sep 2006 22:04:41 +0200 + +stunnel4 (3:4.17-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Mon, 11 Sep 2006 22:48:09 +0200 + +stunnel4 (3:4.16-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Fri, 1 Sep 2006 22:11:10 +0200 + +stunnel4 (2:4.150-7) unstable; urgency=low + + * Fixed a bug when pid is not 
given in configuration file : + init.d script was looking for /var/run/stunnel4/stunnel4.pid but + stunnel was creating /var/run/stunnel4.pid + (Closes: #384275) + * Added check during start to encourage users to fill the pid= section + of configuration file when start failed (for example if you use two + configuration files without pid= option) + + -- Julien Lemoine Thu, 24 Aug 2006 17:19:57 +0200 + +stunnel4 (2:4.150-6) unstable; urgency=low + + * Updated to debian policy 3.7.2 + * Fixed lintian warnings + + -- Julien Lemoine Tue, 22 Aug 2006 14:03:19 +0200 + +stunnel4 (2:4.150-5) unstable; urgency=low + + * Fixed typo in postinst : + /var/lib/stunnel4/stunnel.log instead of /var/log/stunnel4/stunnel.org + (Closes: #381127) + + -- Julien Lemoine Wed, 2 Aug 2006 21:19:49 +0200 + +stunnel4 (2:4.150-4) unstable; urgency=low + + * Create /var/lib/stunnel4 if it does not exist in postinst + (Closes: #377074) + + -- Julien Lemoine Sun, 16 Jul 2006 16:12:05 +0200 + +stunnel4 (2:4.150-3) unstable; urgency=low + + * Fixed another problem with stunnel3 compatibility script + (call to /usr/sbin/stunnel4 instead of /usr/bin/stunnel4) and added + a check in debian/rules (Closes: #340113) + + -- Julien Lemoine Mon, 1 May 2006 17:58:39 +0200 + +stunnel4 (2:4.150-2) unstable; urgency=low + + * Fixed stunnel3 compatibility script problem (infinite loop) + Thanks to "Martin Schwenke" for bug report. 
+ * Added a check in debian/rules to ensure that stunnel3 compatibility script + does not contains infinite loop + + -- Julien Lemoine Mon, 27 Mar 2006 09:26:06 +0200 + +stunnel4 (2:4.150-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Sun, 12 Mar 2006 21:30:08 +0100 + +stunnel4 (2:4.140-6) unstable; urgency=low + + * Added check/creation of /var/run/stunnel4 directory in init.d script instead of + postinst in order to be FHS compliant when /var/run is cleared at startup + (note that /var/run/stunnel4 cleanup does not allow to have a chroot + in /var/run/stunnel4) + Thanks to Jim Helm : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343882;msg=25 + + -- Julien Lemoine Sun, 5 Mar 2006 18:18:58 +0100 + +stunnel4 (2:4.140-5) unstable; urgency=low + + * Move stunnel and stunnel-dsa from /usr/sbin to /usr/bin in order to be + compliant with FHS standard. The stunnel program is interesting for + "normal" users as well as administrator. + + -- Julien Lemoine Sun, 19 Feb 2006 17:47:55 +0100 + +stunnel4 (2:4.140-4) unstable; urgency=low + + * Fixed problem with default directory (/etc/stunnel for configuration + directory and /var/run/stunnel4.pid for pid file) (Closes: #343882) + + -- Julien Lemoine Thu, 22 Dec 2005 16:32:20 +0100 + +stunnel4 (2:4.140-3) unstable; urgency=low + + * Default configuration file is now filled with values for usage + in a chroot environment + (if you do not want chroot or want to use vserver, you need to edit it) + (Closes: #342507) + + -- Julien Lemoine Sat, 17 Dec 2005 10:00:40 +0100 + +stunnel4 (2:4.140-2) unstable; urgency=low + + * Fixed stunnel3 compatibility script + (wrong binary : stunnel instead of stunnel4) + (Closes: #340113) + + -- Julien Lemoine Mon, 21 Nov 2005 07:57:02 +0100 + +stunnel4 (2:4.140-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 2 Nov 2005 22:01:52 +0100 + +stunnel4 (2:4.120-1) unstable; urgency=low + + * New upstream release + * Applied patch from Kurt 
Roeckx to fix initialization + problem with openssl 0.9.8 (Closes: #334180) + + -- Julien Lemoine Wed, 26 Oct 2005 17:53:55 +0200 + +stunnel4 (2:4.110-2) unstable; urgency=low + + * Rebuild with openssl 0.9.8 + + -- Julien Lemoine Mon, 10 Oct 2005 19:41:33 +0200 + +stunnel4 (2:4.110-1) unstable; urgency=low + + * New upstream release + * Updated to Standards-Version 3.6.2 + + -- Julien Lemoine Sun, 24 Jul 2005 11:21:14 +0200 + +stunnel4 (2:4.090-1) unstable; urgency=low + + * New upstream release + * include better stunnel3 compability script from upstream, options + like -cd can now be use instead of -c -d ... + (closes: #305259) + * Added depends on perl-modules to allow use of stunnel3 compatibilty script + + -- Julien Lemoine Wed, 20 Apr 2005 21:07:50 +0200 + +stunnel4 (2:4.070-5) unstable; urgency=low + + * Renamed stunnel3 compatibility script (/usr/sbin/stunnel) to be compatible + with stunnel package + * Added conflict with stunnel package (compatible, does not break user + configuration) since stunnel 4.x is more actively maintained + than stunnel 3.x + + -- Julien Lemoine Tue, 29 Mar 2005 22:16:43 +0200 + +stunnel4 (2:4.070-4) unstable; urgency=low + + * Add an option (PPP_RESTART) in /etc/default/stunnel4 to enable/disable + restart scripts (closes: #298352) + + -- Julien Lemoine Mon, 7 Mar 2005 22:47:27 +0100 + +stunnel4 (2:4.070-3) unstable; urgency=low + + * Do not remove user and group if there already exist in postinst + script (Closes: #290374) + + -- Julien Lemoine Mon, 17 Jan 2005 23:33:56 +0100 + +stunnel4 (2:4.070-2) unstable; urgency=low + + * Fixed directory problem : + - confdir was /usr/etc/stunnel instead of /etc/stunnel (Closes: #289832) + - zlib compression was unable to start since /etc/stunnel/stunnel.conf + was not read (Closes: #289872) + + -- Julien Lemoine Tue, 11 Jan 2005 19:56:59 +0100 + +stunnel4 (2:4.070-1) unstable; urgency=low + + * New upstream release : Add IPV6 support + * Disable proxy-connect patch (does not apply on 
4.07 sources) + + -- Julien Lemoine Thu, 6 Jan 2005 07:23:48 +0100 + +stunnel4 (2:4.050-4) unstable; urgency=low + + * Restart connection instead of stop when ppp is down. It is possible to + use stunnel for eth interfaces. (Closes: 271006) + + -- Julien Lemoine Sun, 26 Sep 2004 18:12:36 +0200 + +stunnel4 (2:4.050-3) unstable; urgency=low + + * Added proxy-connect patch (Closes: #267533) + * Create directory /var/log/stunnel in postinst (Closes: #267093) + * Create user and group stunnel4 (Closes: #266339) + * Uncomment some line in default configuration file : + o Use /var/log/stunnel4/stunnel.log as default log file + o Use stunnel4 user and group as default + o Use /var/run/stunnel4/stunnel.pid as default pid file + + -- Julien Lemoine Wed, 1 Sep 2004 22:19:28 +0200 + +stunnel4 (2:4.050-2) unstable; urgency=low + + * Fixed stoping problem in init.d script (Closes: #265449) + Thanks to Wilfried Goesgens + * Added stunnel4 in logrotate (Closes: #265437) + Thanks to Wilfried Goesgens + + -- Julien Lemoine Fri, 13 Aug 2004 21:42:23 +0200 + +stunnel4 (2:4.050-1) unstable; urgency=low + + * By default, store pidfile in /var/run/stunnel4/stunnel.pid with + /var/run/stunnel4 owned by nobody:nogroup + * Oops, stunnel4 was a debian native package + + -- Julien Lemoine Mon, 7 Jun 2004 21:23:37 +0200 + +stunnel4 (2:4.05-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 7 Apr 2004 22:08:42 +0200 + +stunnel4 (2:4.04.0-10) unstable; urgency=low + + * Shut down stunnel4 in postinst (Closes: #234498) + + -- Julien Lemoine Tue, 24 Feb 2004 21:50:03 +0100 + +stunnel4 (2:4.04.0-9) unstable; urgency=low + + * Added configuration script from "Sergio Rua" + + -- Julien Lemoine Sun, 22 Feb 2004 23:26:38 +0100 + +stunnel4 (2:4.04.0-8) unstable; urgency=low + + * Added ppp ip-up and ip-down scripts + (Closes: #227678) + + -- Julien Lemoine Sun, 22 Feb 2004 22:52:31 +0100 + +stunnel4 (2:4.04.0-7) unstable; urgency=low + + * Fix problem in init.d script (was 
not sh compatible) + (Closes: #214818, #214823) + + -- Julien Lemoine Fri, 10 Oct 2003 00:47:57 +0200 + +stunnel4 (2:4.04.0-6) unstable; urgency=low + + * Rewrite of /etc/init.d/stunnel4 : + o does not use kill -9, thus giving a chance to stunnel4 to clean up + puts common code in functions + o avoids calling ps twice + o uses fgrep + o does not print the conf file name if no processes exist for it + o corrects the `stoped' typo + Thanks to Francesco Potorti` (Closes: #214562) + + -- Julien Lemoine Tue, 7 Oct 2003 16:37:12 +0200 + +stunnel4 (2:4.04.0-5) unstable; urgency=low + + * /etc/init.d/stunnel4 can load more than one configuration file. + It loads /etc/stunnel/*.conf. You can have a configuration file for + server mode and one for client mode. (Closes: #211870) + + -- Julien Lemoine Thu, 25 Sep 2003 18:05:01 +0200 + +stunnel4 (2:4.04.0-4) unstable; urgency=low + + * Put stunnel.html in /usr/share/doc/stunnel4/ instead of + /usr/share/doc/stunnel + * Updated to Standards-Version 3.6.1 + + -- Julien Lemoine Thu, 4 Sep 2003 13:39:51 +0200 + +stunnel4 (2:4.04.0-3) unstable; urgency=low + + * Fixed wrong path search for stunnel.conf + (Closes: Bug#202931) + + -- Julien Lemoine Sat, 26 Jul 2003 11:00:46 +0200 + +stunnel4 (2:4.04.0-2) unstable; urgency=low + + * Fixed stunnel.conf problems, file must be commented by default. 
+ (Closes: #202693) + + -- Julien Lemoine Fri, 25 Jul 2003 11:38:47 +0200 + +stunnel4 (2:4.04.0-1) unstable; urgency=low + + * Oops, stunnel4 is not a native package -> reupload it with a diff.gz + * Does not install stunnel.so since it is not used + * Updated clean rules to have a clean diff + * Updated to Standards-Version 3.6.0 + + -- Julien Lemoine Sat, 19 Jul 2003 20:12:51 +0200 + +stunnel4 (2:4.04-2) unstable; urgency=low + + * Fixed compilation errors (removed binary in clean rule) + * removed libstunnel.so since it is not used + + -- Julien Lemoine Sun, 13 Jul 2003 02:45:05 +0200 + +stunnel4 (2:4.04-1) unstable; urgency=low + + * Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x + are in stunnel package to keep backward compatibility. + + -- Julien Lemoine Fri, 4 Jul 2003 18:24:21 +0200 + +stunnel (4.04-5) unstable; urgency=low + + * The "I need to sleep more to avoid making typos" release. + * Fixed typos in default/init file (ENABLED instead of ENABLE) + (Closes: #197958) + * Commented all stunnel.conf file, client=no is the default value + (Closes: #197961) + + -- Julien Lemoine Thu, 19 Jun 2003 00:40:28 +0200 + +stunnel (4.04-4) unstable; urgency=low + + * Added /etc/default/stunnel with a variable ENABLE. 
+ ENABLE=0 by default since stunnel segv on some computer when all lines + are commented (Closes: #197663, #197615) + + -- Julien Lemoine Mon, 16 Jun 2003 22:04:17 +0200 + +stunnel (4.04-3) unstable; urgency=low + + * comment ldap sample (Closes: #197566) + + -- Julien Lemoine Mon, 9 Jun 2003 15:03:41 +0200 + +stunnel (4.04-2) unstable; urgency=low + + * Fixed typo in init.d script (Closes: #197499) + * Added a commented example in stunnel.conf from Craig Sanders + + -- Julien Lemoine Sun, 15 Jun 2003 18:06:07 +0200 + +stunnel (4.04-1) unstable; urgency=low + + * New upstream release (Closes: #177532, Closes: 188137) + * New maintainer + * Stunnel has no more -L option (Closes: #120265) + * Stunnel has no more -l option (Closes: #175844) + * Shutdown(1) problem was fixed (Closes: #111125) + * Problem with large data resolved (tested with a 5Mo file) + (Closes: #112287) + * Licence is now GPL version 2 with agreement to link with openssl + (Closes: #147665) + * stunnel can execute command (Closes: #147537) + * added a lintian overwrite for libstunnel.so since it is compiled with + -avoid-version + * Fixed problem with path (/etc/ instead of $(prefix)/etc, ...) + * Include default configuration file in /etc + * Upgraded to debian policy 3.5.10 + * Added init.d file + + -- Julien Lemoine Sat, 24 May 2003 02:30:20 +0200 + +stunnel (3.22-1) unstable; urgency=high + + * New upstream release (closes: bug#126627). + * Typo fix in postinst (closes: bug#120199, bug#121904) + + -- Paolo Molaro Sun, 30 Dec 2001 10:31:46 +0100 + +stunnel (3.21.c-1) unstable; urgency=low + + * New upstream release (Closes: bug#111139, bug#102834, bug#61427). + * Avoid generating automatically the initial stunnel.pem, openssl cannot be + reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info + on how to generate the certificate is now included in README.Debian. + * There is support for (re)setting OOB data handling in the new upstream + version (Closes: bug#107503). 
+ * Include the sample /etc/iniy.d/stunnel file as an example in the package + (Closes: bug#114669). + + -- Paolo Molaro Sat, 17 Nov 2001 12:31:04 +0100 + +stunnel (3.14-1) unstable; urgency=low + + * New upstream release + * Actually compile it against the new libssl (Closes: #86916). + + -- Paolo Molaro Fri, 23 Feb 2001 18:57:18 +0100 + +stunnel (3.13-1) unstable; urgency=low + + * New upstream release. + * Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500). + * Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576). + + -- Paolo Molaro Sun, 18 Feb 2001 21:30:50 +0100 + +stunnel (3.10-1) unstable; urgency=high + + * New upstream release. + + -- Paolo Molaro Wed, 20 Dec 2000 15:14:08 +0100 + +stunnel (3.10-0potato1) stable; urgency=high + + * New upstream release. + + -- Paolo Molaro Wed, 20 Dec 2000 13:07:35 +0100 + +stunnel (3.9-0potato1) stable; urgency=high + + * New upstream release: security fix (Closes: #80079, #76576). + * Use correct dir for pid (Closes: #77227). + + -- Paolo Molaro Wed, 20 Dec 2000 11:24:18 +0100 + +stunnel (3.8-1) unstable; urgency=low + + * New upstream version (Closes: #75117, #67010). + * Read 1k of random data in a temp file (Closes: #69808). + * Added a note in postrm about the stunnel.pem file that + is left in /etc/ssl/certs: it is safer if the user deals with + it since it may have been create by him and not stunnel (Closes: #57648). + + -- Paolo Molaro Wed, 5 Jul 2000 16:43:07 +0000 + +stunnel (3.4a-6) unstable; urgency=low + + * Depends on openssl 0.9.4 (closes: bug#53947). + + -- Paolo Molaro Tue, 4 Jan 2000 12:37:24 +0100 + +stunnel (3.4a-5) unstable; urgency=medium + + * Include upstream download info in copyright (closes: bug#53301). + * Include example from Steve Haslam to make stunnel run from a + init script (closes: bug#53300). 
+
+ -- Paolo Molaro Thu, 23 Dec 1999 16:49:38 +0100
+
+stunnel (3.4a-4) unstable; urgency=medium
+
+ * Depends on openssl instead of Suggests (Closes: bug#49238).
+
+ -- Paolo Molaro Sat, 13 Nov 1999 12:44:35 +0100
+
+stunnel (3.4a-3) unstable; urgency=high
+
+ * Fixes security problem with the certificate.
+
+ -- Paolo Molaro Thu, 4 Nov 1999 17:33:52 +0100
+
+stunnel (3.4a-2) unstable; urgency=low
+
+ * Suggest openssl instead of ssleay. (Closes: bug#47712)
+
+ -- Paolo Molaro Wed, 27 Oct 1999 18:24:27 +0200
+
+stunnel (3.4a-1) unstable; urgency=low
+
+ * New upstream release.
+ * Put cert in /etc/ssl/certs (closes:#41099). I think this is
+ neither an openssl nor stunnel bug, but a dpkg one (other
+ similar bugs are already filed against dpkg).
+
+ -- Paolo Molaro Thu, 22 Jul 1999 16:50:32 +0200
+
+stunnel (3.3-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Paolo Molaro Fri, 18 Jun 1999 16:43:05 +0200
+
+stunnel (3.2-2) unstable; urgency=low
+
+ * Fixed stupid coding error.
+
+ -- Paolo Molaro Sat, 29 May 1999 13:01:17 +0200
+
+stunnel (3.2-1) unstable; urgency=low
+
+ * Recompilation with new ssl lib.
+ * New upstream release.
+
+ -- Paolo Molaro Mon, 24 May 1999 12:09:58 +0200
+
+stunnel (2.1-2) unstable; urgency=low
+
+ * Added libwrap support (/etc/hosts.{allow,deny}).
+ * Recompilation with newer libc6.
+ * Better stunnel-config script.
+
+ -- Paolo Molaro Fri, 11 Dec 1998 11:57:52 +0100
+
+stunnel (2.1-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Paolo Molaro Mon, 30 Nov 1998 11:41:29 +0100
+
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7f8f011
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+7
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..5e4eb8d
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,31 @@
+Source: stunnel4
+Section: net
+Priority: optional
+Build-Depends: debhelper (>=7), libssl-dev (>= 0.9.8),
+ openssl (>= 0.9.8), libwrap0-dev, sdf, autotools-dev
+Maintainer: Luis Rodrigo Gallardo Cruz
+Standards-Version: 3.9.3
+Vcs-Browser: http://git.debian.org/?p=collab-maint/stunnel.git
+Vcs-Git: git://git.debian.org/git/collab-maint/stunnel.git
+Homepage: http://www.stunnel.org/
+
+Package: stunnel4
+Architecture: any
+Breaks: stunnel (<< 3:4.20-3)
+Provides: stunnel
+Replaces: stunnel
+Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, netbase, perl-modules
+Pre-Depends: adduser
+Suggests: logcheck-database
+Description: Universal SSL tunnel for network daemons
+ The stunnel program is designed to work as SSL encryption
+ wrapper between remote client and local (inetd-startable) or
+ remote server. The concept is that having non-SSL aware daemons
+ running on your system you can easily setup them to
+ communicate with clients over secure SSL channel.
+ .
+ stunnel can be used to add SSL functionality to commonly
+ used inetd daemons like POP-2, POP-3 and IMAP servers
+ without any changes in the programs' code.
+ .
+ This package contains a wrapper script for compatibility with stunnel 3.x
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d27b064
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,47 @@
+This package was dowloaded from http://www.stunnel.org/download/source.html
+and debianized by Paolo Molaro .
+
+Copyright (C) 1998-2012 Michal Trojnara
+
+src/pty.c is based on a Public Domain code by Tatu Ylonen
+
+src/vc.mak contains modifications by David Gillingham
+
+src/mingw.mak contains modifications by Brian Hatch
+
+French documentation translation by Bernard Choppy
+
+StunnelConf-0.1.pl is copyright (C) 2004 Sergio Rua
+
+The Debian packaging itself is
+Copyright (C) 1998-2001 Paolo Molaro
+Copyright (C) 2003-2007 Julien Lemoine
+Copyright (C) 2007-2012 Rodrigo Gallardo
+
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ * In addition, as a special exception, Michal Trojnara gives
+ * permission to link the code of this program with the OpenSSL
+ * library (or with modified versions of OpenSSL that use the same
+ * license as OpenSSL), and distribute linked combinations including
+ * the two. You must obey the GNU General Public License in all
+ * respects for all of the code used other than OpenSSL. If you modify
+ * this file, you may extend this exception to your version of the
+ * file, but you are not obligated to do so. If you do not wish to
+ * do so, delete this exception statement from your version.
+
+On Debian systems, the complete text of the GNU General Public
+License can be found in /usr/share/common-licenses/GPL file.
+
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..3c8c479
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,3 @@
+usr/bin
+etc/stunnel
+usr/share/doc/
diff --git a/debian/doc-base b/debian/doc-base
new file mode 100644
index 0000000..016cb25
--- /dev/null
+++ b/debian/doc-base
@@ -0,0 +1,10 @@
+Document: stunnel4
+Title: Stunnel documentation
+Author: Michal Trojnara
+Abstract: This manual documents stunnel, a SSL-enhanced client and
+ server wrapper.
+Section: System/Security
+
+Format: HTML
+Index: /usr/share/doc/stunnel4/stunnel.html
+Files: /usr/share/doc/stunnel4/stunnel*.html
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..b5c7362
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,4 @@
+BUGS
+NEWS
+README
+TODO
diff --git a/debian/lintian.overrides b/debian/lintian.overrides
new file mode 100644
index 0000000..06cfbb3
--- /dev/null
+++ b/debian/lintian.overrides
@@ -0,0 +1,2 @@
+# No character arrays anywhere in this .so
+stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
diff --git a/debian/patches/CVE-2013-1762.patch b/debian/patches/CVE-2013-1762.patch
new file mode 100644
index 0000000..eaed1cc
--- /dev/null
+++ b/debian/patches/CVE-2013-1762.patch
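Review bot: The override `stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so` silences a hardening finding rather than addressing it, and the one-line justification `# No character arrays anywhere in this .so` describes the source at one point in time with nothing that re-checks it on later upstream imports. If the tag fires because the hardening CFLAGS do not reach the libstunnel.so link step, fixing that in debian/rules would remove the warning without an override; I cannot tell from this diff which it is. If the override must stay, the comment should record what was inspected, e.g. `# No character arrays in libstunnel.so as of <upstream version checked>; re-verify on each new upstream import`.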
@@ -0,0 +1,56 @@
+Description: Fix CVE-2013-1762
+ buffer overflow in NTLM authentication of the CONNECT protocol
+ negotiation
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/702267
+Forwarded: no
+Author: Salvatore Bonaccorso
+Last-Update: 2013-04-22
+
+--- a/src/protocol.c
++++ b/src/protocol.c
+@@ -566,7 +566,7 @@
+ #define s_min(a, b) ((a)>(b)?(b):(a))
+ 
+ static void ntlm(CLI *c) {
+- char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
++ char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
+ long content_length=0; /* no HTTP content */
+ 
+ /* send Proxy-Authorization (phase 1) */
+@@ -582,8 +582,8 @@
+ line=fd_getline(c, c->remote_fd.fd);
+ 
+ /* receive Proxy-Authenticate (phase 2) */
+- if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
+- s_log(LOG_ERR, "NTLM authorization request rejected");
++ if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
++ s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
+ do { /* read all headers */
+ line=fd_getline(c, c->remote_fd.fd);
+ } while(*line);
+@@ -594,8 +594,13 @@
+ line=fd_getline(c, c->remote_fd.fd);
+ if(isprefix(line, "Proxy-Authenticate: NTLM "))
+ ntlm2_txt=str_dup(line+25);
+- else if(isprefix(line, "Content-Length: "))
+- content_length=atol(line+16);
++ else if(isprefix(line, "Content-Length: ")) {
++ content_length=strtol(line+16, &tmpstr, 10);
++ if(tmpstr==line+16 || *tmpstr || content_length<0) {
++ s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
++ longjmp(c->err, 1);
++ }
++ }
+ } while(*line);
+ if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
+ s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
+@@ -603,7 +608,7 @@
+ }
+ 
+ /* read and ignore HTTP content (if any) */
+- while(content_length) {
++ while(content_length>0) {
+ read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
+ content_length-=s_min(content_length, BUFSIZ);
+ }
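Review bot: The `strtol` replacement for `atol` in the Content-Length branch validates the end pointer and the sign but not the range: a proxy-supplied value above LONG_MAX is clamped to LONG_MAX with `*tmpstr=='\0'`, passes the new check, and the `while(content_length>0)` loop below then keeps calling `read_blocking` until the peer closes the connection. Each read is bounded to BUFSIZ, so this is a stall of the client, not an overflow, but the parse should still reject it: `errno=0; content_length=strtol(line+16, &tmpstr, 10);` followed by `if(errno==ERANGE || tmpstr==line+16 || *tmpstr || content_length<0) {` (assuming errno.h is already reachable from protocol.c; otherwise compare against an explicit upper bound). The header records `Origin: vendor` and `Forwarded: no`; for a CVE fix it would help the next upstream import if the Description also stated whether this matches the upstream fix or is an independent backport. The inner hunks quote only fragments of ntlm(), whose body continues outside them.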
diff --git a/debian/patches/fix-paths b/debian/patches/fix-paths
new file mode 100644
index 0000000..e37aace
--- /dev/null
+++ b/debian/patches/fix-paths
@@ -0,0 +1,62 @@ +## Do several path fixups, removing unneeded @prefix@s and changing +## binaries install location from sbin to bin, to comply with the FHS +Index: stunnel4/tools/stunnel.conf-sample.in +=================================================================== +--- stunnel4.orig/tools/stunnel.conf-sample.in ++++ stunnel4/tools/stunnel.conf-sample.in +@@ -9,7 +9,7 @@ + + ; A copy of some devices and system files is needed within the chroot jail + ; Chroot conflicts with configuration file reload and many other features +-chroot = @prefix@/var/lib/stunnel/ ++chroot = @localstatedir@/lib/stunnel/ + ; Chroot jail can be escaped if setuid option is not used + setuid = nobody + setgid = @DEFAULT_GROUP@ +@@ -19,15 +19,15 @@ + + ; Debugging stuff (may useful for troubleshooting) + ;debug = 7 +-;output = stunnel.log ++;output = @localstatedir@/log/stunnel/stunnel.log + + ; ************************************************************************** + ; * Service defaults may also be specified in individual service sections * + ; ************************************************************************** + + ; Certificate/key is needed in server mode and optional in client mode +-cert = @prefix@/etc/stunnel/mail.pem +-;key = @prefix@/etc/stunnel/mail.pem ++cert = @sysconfdir@/stunnel/mail.pem ++;key = @sysconfdir@/stunnel/mail.pem + + ; Authentication stuff needs to be configured to prevent MITM attacks + ; It is not enabled by default! 
+@@ -36,12 +36,12 @@ + ; CApath is located inside chroot jail + ;CApath = /certs + ; It's often easier to use CAfile +-;CAfile = @prefix@/etc/stunnel/certs.pem ++;CAfile = @sysconfdir@/stunnel/certs.pem + ; Don't forget to c_rehash CRLpath + ; CRLpath is located inside chroot jail + ;CRLpath = /crls + ; Alternatively CRLfile can be used +-;CRLfile = @prefix@/etc/stunnel/crls.pem ++;CRLfile = @sysconfdir@/stunnel/crls.pem + + ; Disable support for insecure SSLv2 protocol + options = NO_SSLv2 +Index: stunnel4/tools/script.sh +=================================================================== +--- stunnel4.orig/tools/script.sh ++++ stunnel4/tools/script.sh +@@ -2,7 +2,7 @@ + + REMOTE_HOST="www.mirt.net:443" + echo "client script connecting $REMOTE_HOST" +-/usr/local/bin/stunnel -fd 10 \ ++/usr/bin/stunnel -fd 10 \ + 11<&0 <=4.05) +-$stunnel_bin='@prefix@/bin/stunnel'; ++$stunnel_bin='@prefix@/bin/stunnel4'; + + # stunnel3 script body begins here + ($read_fd, $write_fd)=POSIX::pipe(); +Index: stunnel4/doc/stunnel.8 +=================================================================== +--- stunnel4.orig/doc/stunnel.8 ++++ stunnel4/doc/stunnel.8 +@@ -61,8 +61,8 @@ + .\} + .\" ======================================================================== + .\" +-.IX Title "STUNNEL 8" +-.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel" ++.IX Title "STUNNEL4 8" ++.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel4" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. 
+ .if n .ad l +Index: stunnel4/tools/stunnel.conf-sample.in +=================================================================== +--- stunnel4.orig/tools/stunnel.conf-sample.in ++++ stunnel4/tools/stunnel.conf-sample.in +@@ -9,17 +9,17 @@ + + ; A copy of some devices and system files is needed within the chroot jail + ; Chroot conflicts with configuration file reload and many other features +-chroot = @localstatedir@/lib/stunnel/ ++chroot = @localstatedir@/lib/stunnel4/ + ; Chroot jail can be escaped if setuid option is not used + setuid = nobody + setgid = @DEFAULT_GROUP@ + + ; PID is created inside the chroot jail +-pid = /stunnel.pid ++pid = /stunnel4.pid + + ; Debugging stuff (may useful for troubleshooting) + ;debug = 7 +-;output = @localstatedir@/log/stunnel/stunnel.log ++;output = @localstatedir@/log/stunnel4/stunnel.log + + ; ************************************************************************** + ; * Service defaults may also be specified in individual service sections * +Index: stunnel4/src/Makefile.am +=================================================================== +--- stunnel4.orig/src/Makefile.am ++++ stunnel4/src/Makefile.am +@@ -25,7 +25,7 @@ + stunnel_CPPFLAGS += -I$(SSLDIR)/include + stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"' + stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"' +-stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"' ++stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"' + + # SSL library + stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto +Index: stunnel4/src/Makefile.in +=================================================================== +--- stunnel4.orig/src/Makefile.in ++++ stunnel4/src/Makefile.in +@@ -273,7 +273,7 @@ + # Additional preprocesor definitions + stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \ + -DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' \ +- -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"' ++ 
-DPIDFILE='"$(localstatedir)/run/stunnel4.pid"' + + # Win32 executable + EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat mingw.mak evc.mak \ +Index: stunnel4/doc/stunnel.pl.8 +=================================================================== +--- stunnel4.orig/doc/stunnel.pl.8 ++++ stunnel4/doc/stunnel.pl.8 +@@ -61,8 +61,8 @@ + .\} + .\" ======================================================================== + .\" +-.IX Title "STUNNEL.PL 8" +-.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel" ++.IX Title "STUNNEL4.PL 8" ++.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel4" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +Index: stunnel4/doc/stunnel.fr.8 +=================================================================== +--- stunnel4.orig/doc/stunnel.fr.8 ++++ stunnel4/doc/stunnel.fr.8 +@@ -61,8 +61,8 @@ + .\} + .\" ======================================================================== + .\" +-.IX Title "STUNNEL.FR 8" +-.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel" ++.IX Title "STUNNEL4.FR 8" ++.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel4" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +Index: stunnel4/tools/stunnel.init.in +=================================================================== +--- stunnel4.orig/tools/stunnel.init.in ++++ stunnel4/tools/stunnel.init.in +@@ -1,6 +1,6 @@ + #! 
/bin/sh -e
+ ### BEGIN INIT INFO
+-# Provides: stunnel
++# Provides: stunnel4
+ # Required-Start: $local_fs $remote_fs
+ # Required-Stop: $local_fs $remote_fs
+ # Should-Start: $syslog
+@@ -10,8 +10,8 @@
+ # Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
+ ### END INIT INFO
+ 
+-DEFAULTPIDFILE="/var/run/stunnel.pid"
+-DAEMON=@prefix@/bin/stunnel
++DEFAULTPIDFILE="/var/run/stunnel4.pid"
++DAEMON=@prefix@/bin/stunnel4
+ NAME=stunnel
+ DESC="SSL tunnels"
+ FILES="/etc/stunnel/*.conf"
+@@ -33,9 +33,9 @@
+ }
+ 
+ startdaemons() {
+- if ! [ -d /var/run/stunnel ]; then
+- rm -rf /var/run/stunnel
+- install -d -o stunnel -g stunnel /var/run/stunnel
++ if ! [ -d /var/run/stunnel4 ]; then
++ rm -rf /var/run/stunnel4
++ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
+ fi
+ for file in $FILES; do
+ if test -f $file; then
+@@ -70,9 +70,9 @@
+ OPTIONS="-- $OPTIONS"
+ fi
+ 
+-test -f /etc/default/stunnel && . /etc/default/stunnel
++test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+ if [ "$ENABLED" = "0" ] ; then
+- echo "$DESC disabled, see /etc/default/stunnel"
++ echo "$DESC disabled, see /etc/default/stunnel4"
+ exit 0
+ fi
+ 
diff --git a/debian/patches/runas-user b/debian/patches/runas-user
new file mode 100644
index 0000000..06642bc
--- /dev/null
+++ b/debian/patches/runas-user
@@ -0,0 +1,16 @@
+# Change the default user the binary will run as to stunnel4
+Index: stunnel4/tools/stunnel.conf-sample.in
+===================================================================
+--- stunnel4.orig/tools/stunnel.conf-sample.in
++++ stunnel4/tools/stunnel.conf-sample.in
+@@ -11,8 +11,8 @@
+ ; Chroot conflicts with configuration file reload and many other features
+ chroot = @localstatedir@/lib/stunnel4/
+ ; Chroot jail can be escaped if setuid option is not used
+-setuid = nobody
+-setgid = @DEFAULT_GROUP@
++setuid = stunnel4
++setgid = stunnel4
+ 
+ ; PID is created inside the chroot jail
+ pid = /stunnel4.pid
diff --git a/debian/patches/selective_tunnel_restart b/debian/patches/selective_tunnel_restart
new file mode 100644
index 0000000..94682bc
--- /dev/null
+++ b/debian/patches/selective_tunnel_restart
@@ -0,0 +1,48 @@
+Subject: Support restarting only selected stunnel instances.
+Author: Peter Palfrader
+Bug-Debian: http://bugs.debian.org/627765
+
+Index: stunnel4/tools/stunnel.init.in
+===================================================================
+--- stunnel4.orig/tools/stunnel.init.in
++++ stunnel4/tools/stunnel.init.in
+@@ -14,7 +14,6 @@
+ DAEMON=@prefix@/bin/stunnel4
+ NAME=stunnel
+ DESC="SSL tunnels"
+-FILES="/etc/stunnel/*.conf"
+ OPTIONS=""
+ ENABLED=0
+ 
+@@ -76,6 +75,22 @@
+ exit 0
+ fi
+ 
++# If the user want to manage a single tunnel, the conf file's name
++# is in $2. Otherwise, respect /etc/default/stunnel4 setting. If no
++# setting there, use /etc/stunnel/*.conf
++if [ -n "${2:-}" ]; then
++ if [ -e "/etc/stunnel/$2.conf" ]; then
++ FILES="/etc/stunnel/$2.conf"
++ else
++ echo >&2 "/etc/stunnel/$2.conf does not exist."
++ exit 1
++ fi
++else
++ if [ -z "$FILES" ]; then
++ FILES="/etc/stunnel/*.conf"
++ fi
++fi
++
+ test -x $DAEMON || exit 0
+ 
+ set -e
+@@ -110,7 +125,7 @@
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+- echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
++ echo "Usage: $N {start|stop|reload|reopen-logs|restart} []" >&2
+ exit 1
+ ;;
+ esac
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3c84cca
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+fix-paths
+rename-binary
+runas-user
+selective_tunnel_restart
+logrotate_warning_in_sample_conf
+init_script_description
+CVE-2013-1762.patch
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..e052fe5
--- /dev/null
+++ b/debian/postinst
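Review bot: The new `$2` handling in the second nested hunk accepts the tunnel with `-e`, which is also true for a directory or socket named `<name>.conf`, whereas the `startdaemons()` loop shown in the rename-binary patch only acts on regular files via `test -f $file`; using `[ -f "/etc/stunnel/$2.conf" ]` keeps both checks consistent and reports "does not exist" instead of silently starting nothing. The argument is interpolated into the path unchecked; the script runs as root from the init system so this is not a trust boundary, but a comment stating that `$2` is a bare file name without directory components would record the intent. The usage string in the last nested hunk shows empty brackets `[]` on this page, which may be a rendering artifact; confirm the argument placeholder survives in the committed patch.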
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+set -e
+
+USER="stunnel4"
+CHOWN="/bin/chown"
+#USERDEL="/usr/sbin/userdel"
+ADDUSER="/usr/sbin/adduser"
+ID="/usr/bin/id"
+GROUPMOD="/usr/sbin/groupmod"
+#GROUPDEL="/usr/sbin/groupdel"
+
+###
+# 1. get current stunnel uid and gid if user exists.
+set -e
+if $ID $USER > /dev/null 2>&1; then
+ IUID=`$ID --user $USER`
+ IGID=`$ID --group $USER`
+else
+ IUID="NONE"
+ IGID="NONE"
+fi
+
+###
+# 2. Ensure that no standard account or group will remain before adding the
+# new user
+#if [ "$IUID" != "NONE" ]; then # remove existing user
+# $USERDEL $USER
+#fi
+
+#if $GROUPMOD $USER > /dev/null 2>&1; then
+# $GROUPDEL $USER;
+#fi
+
+if [ "$IUID" = "NONE" ]; then
+ $ADDUSER --system --disabled-password --disabled-login \
+ --home /var/run/stunnel4 \
+ --no-create-home --group $USER
+fi
+
+# /var/run/stunnel4 is not a directory, create it...
+if ! test -d /var/run/stunnel4; then
+ rm -rf /var/run/stunnel4;
+ mkdir /var/run/stunnel4
+fi
+$CHOWN $USER:$USER /var/run/stunnel4 || true
+
+# /var/log/stunnel4 is not a directory, create it...
+if ! test -d /var/log/stunnel4; then
+ rm -rf /var/log/stunnel4;
+ mkdir /var/log/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/log/stunnel4
+
+# /var/lib/stunnel4 is not a directory, create it...
+if ! test -d /var/lib/stunnel4; then
+ rm -rf /var/lib/stunnel4;
+ mkdir /var/lib/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/lib/stunnel4
+
+if ! test -f /var/log/stunnel4/stunnel.log; then
+ touch /var/log/stunnel4/stunnel.log
+ $CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
+fi
+
+#DEBHELPER#
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..a81c946
--- /dev/null
+++ b/debian/postrm
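Review bot: `$CHOWN -R $USER:$USER /var/lib/stunnel4` hands the directory that the shipped sample configuration uses as the chroot root (`chroot = @localstatedir@/lib/stunnel4/` in the runas-user patch) to the same unprivileged account the daemon drops to, and does so recursively on every configure run, overriding any ownership an administrator set inside the jail. A chroot root writable by its confined user is weaker than a root-owned one; if the pid file is the only thing stunnel writes there, a root-owned top level with a user-owned subdirectory and a matching `pid =` path would be tighter, though whether stunnel creates the pid file before or after dropping privileges is not visible here. At minimum a comment such as `# chroot root of the sample config; the stunnel4 user must be able to create its pid file here` should record why the recursive chown is needed. The `rm -rf` that precedes each `mkdir` also discards whatever non-directory object sits at that path, which the "is not a directory" comments should state explicitly.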
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+if [ x$1 = "xpurge" ]; then
+ echo You may want to delete the generated stunnel.pem file
+ echo in /etc/ssl/certs.
+
+ # Remove chroot dir if present. It may contain logfiles
+ rm -rf /var/lib/stunnel4 || true
+
+ # Log files must be removed on purge (Policy 10.8)
+ rm -f /var/log/stunnel4/stunnel.log* || true
+ rmdir /var/log/stunnel4 || true
+fi
+
+#DEBHELPER#
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..ea06076
--- /dev/null
+++ b/debian/rules
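Review bot: The purge message points the administrator at `/etc/ssl/certs/stunnel.pem`, but nothing else in this packaging refers to that path — the sample configuration patched in fix-paths uses `@sysconfdir@/stunnel/mail.pem` — so the hint looks stale and may send users to the wrong file; either drop it or name the path the package actually documents. `[ x$1 = "xpurge" ]` works, but `[ "$1" = "purge" ]` is the plain idiom and does not depend on the `x` prefix trick. `rm -rf /var/lib/stunnel4` also removes anything an administrator copied into the jail (device nodes, resolver files), which the comment should spell out, e.g. `# Remove the chroot dir, including any files copied into the jail and logs written there`.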
@@ -0,0 +1,113 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# debian/rules file for the Debian/GNU Linux stunnel package +# Copyright 2003 by Julien LEMOINE + +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) + SYSTEM = --build $(DEB_HOST_GNU_TYPE) +else + SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_CFLAGS_MAINT_APPEND=-Wall + +build: build-arch build-indep + +build-arch: build-stamp + +build-indep: build-stamp + +build-stamp: + dh_testdir + +ifneq "$(wildcard /usr/share/misc/config.sub)" "" + cp -f /usr/share/misc/config.sub config.sub +endif +ifneq "$(wildcard /usr/share/misc/config.guess)" "" + cp -f /usr/share/misc/config.guess config.guess +endif + + ./configure --prefix=/usr $(SYSTEM) \ + $(shell dpkg-buildflags --export=configure) \ + --localstatedir=/var --sysconfdir=/etc \ + --enable-ipv6 --with-threads=pthread + $(MAKE) -C src + $(MAKE) -C doc + touch build-stamp + +clean: + dh_testdir + dh_testroot + dh_clean build-stamp debian/stunnel4.init doc/stunnel4.8 doc/stunnel4.fr.8 doc/stunnel4.pl.8 + + [ ! 
-f Makefile ] || $(MAKE) distclean + rm -f config.guess config.sub + +install: build-stamp + dh_testdir + dh_testroot + dh_prep + dh_installdirs + + $(MAKE) -C src install prefix=$(CURDIR)/debian/stunnel4/usr + $(MAKE) -C doc install prefix=$(CURDIR)/debian/stunnel4/usr + + # .la file is useless + rm $(CURDIR)/debian/stunnel4/usr/lib/stunnel/libstunnel.la + + ln doc/stunnel.8 doc/stunnel4.8 + ln doc/stunnel.fr.8 doc/stunnel4.fr.8 + ln doc/stunnel.pl.8 doc/stunnel4.pl.8 + + # Manpages will be installed by dh_installman + rm -rf $(CURDIR)/debian/stunnel4/usr/share/man + + # Rename binary + mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \ + $(CURDIR)/debian/stunnel4/usr/bin/stunnel4 + + # Move docs into propper dir + mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \ + $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4 + + # Copy sample init script into place for dh_installinit + cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init + + # Basic docs for the user on how to create an initial configuration + install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \ + $(CURDIR)/debian/stunnel4/etc/stunnel/README + + [ ! -s debian/lintian.overrides ] || \ + install -p -m 0644 -D $(CURDIR)/debian/lintian.overrides \ + $(CURDIR)/debian/stunnel4/usr/share/lintian/overrides/stunnel4 + +binary-indep: + # There are no binary independent packages + +binary-arch: install + dh_testdir + dh_testroot + dh_installdocs -a + dh_installexamples -a + dh_installman -a + dh_installchangelogs -a ChangeLog + dh_installinit -a --restart-after-upgrade -- defaults + dh_installppp -a --name=0stunnel4 + dh_installlogrotate -a + dh_install -a debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib + dh_link -a + dh_strip -a + dh_compress -a --exclude=StunnelConf-0.1.pl + dh_fixperms -a + dh_makeshlibs -a + dh_installdeb -a + dh_shlibdeps -a + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install 
diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/stunnel3.8 b/debian/stunnel3.8 new file mode 100644 index 0000000..9a51bb0 --- /dev/null +++ b/debian/stunnel3.8 
@@ -0,0 +1,505 @@ +.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. 
ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. 
ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "STUNNEL 1" +.TH STUNNEL 8 "2003-08-01" " " " " +.SH "NAME" +stunnel \- universal SSL tunnel +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user] +[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host] +[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption +wrapper between remote clients and local (\fIinetd\fR\-startable) or +remote servers. The concept is that having non-SSL aware daemons +running on your system you can easily set them up to communicate with +clients over secure \s-1SSL\s0 channels. +.PP +\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used +\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone +daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network +sockets without changes to the source code. +.PP +This product includes cryptographic software written by Eric Young +(eay@cryptsoft.com) +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-h\fR" 4 +.IX Item "-h" +Print stunnel help menu +.IP "\fB\-D\fR level" 4 +.IX Item "-D level" +Debugging level +.Sp +Level is a one of the syslog level names or numbers emerg (0), alert +(1), crit (2), err (3), warning (4), notice (5), info (6), or debug +(7). All logs for the specified level and all levels numerically less +than it will be shown. Use \-D debug or \-D 7 for greatest debugging +output. 
The default is notice (5). +.Sp +The syslog facility 'daemon' will be used unless a facility name is +supplied. (Facilities are not supported on windows.) +.Sp +Case is ignored for both facilities and levels. +.IP "\fB\-O\fR a|l|r:option=value[:value]" 4 +.IX Item "-O a|l|r:option=value[:value]" +Set an option on accept/local/remote socket +.Sp +The values for linger option are l_onof:l_linger. The values for time +are tv_sec:tv_usec. +.Sp +\&\fBExamples:\fR +.Sp +\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local +socket +.Sp +\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote +sockets +.Sp +\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the +receive data stream for remote sockets +.Sp +\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default) +.Sp +\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback +interface +.Sp +The available options and their defaults are: + Option Accept Local Remote OS default + SO_DEBUG -- -- -- 0 + SO_DONTROUTE -- -- -- 0 + SO_KEEPALIVE -- -- -- 0 + SO_LINGER -- -- -- 0:0 + SO_OOBINLINE -- -- -- 0 + SO_RCVBUF -- -- -- 87380 + SO_SNDBUF -- -- -- 16384 + SO_RCVLOWAT -- -- -- 1 + SO_SNDLOWAT -- -- -- 1 + SO_RCVTIMEO -- -- -- 0:0 + SO_SNDTIMEO -- -- -- 0:0 + SO_REUSEADDR 1 -- -- 0 + SO_BINDTODEVICE -- -- -- -- + IP_TOS -- -- -- 0 + IP_TTL -- -- -- 64 + TCP_NODELAY -- -- -- 0 +.IP "\fB\-o\fR file" 4 +.IX Item "-o file" +Append log messages to a file. +.IP "\fB\-C\fR cipherlist" 4 +.IX Item "-C cipherlist" +Select permitted \s-1SSL\s0 ciphers +.Sp +A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection. 
+For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 +.IP "\fB\-c\fR" 4 +.IX Item "-c" +client mode (remote service uses \s-1SSL\s0) +.Sp +default: server mode +.IP "\fB\-T\fR" 4 +.IX Item "-T" +transparent proxy mode +.Sp +Re-write address to appear as if wrapped daemon is connecting from the +\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available +only on some operating systems (Linux only, we believe) and then only +in server mode. Note that this option will not combine with proxy mode +(\-r) unless the client's default route to the target machine lies +through the host running stunnel, which cannot be localhost. +.IP "\fB\-p\fR pemfile" 4 +.IX Item "-p pemfile" +private key and certificate chain \s-1PEM\s0 file name +.Sp +A \s-1PEM\s0 is always needed in server mode (by default located in +\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode +will use this key and certificate chain as a client side certificate +chain. Using client side certs is optional. The certificates must be +in \s-1PEM\s0 format and must be sorted starting with the certificate +to the highest level (root \s-1CA\s0). +.IP "\fB\-v\fR level" 4 +.IX Item "-v level" +verify peer certificate +.RS 4 +.IP "\(bu" 8 +level 1 \- verify peer certificate if present +.IP "\(bu" 8 +level 2 \- verify peer certificate +.IP "\(bu" 8 +level 3 \- verify peer with locally installed certificate +.IP "\(bu" 8 +default \- no verify +.RE +.RS 4 +.RE +.IP "\fB\-a\fR directory" 4 +.IX Item "-a directory" +client certificate directory +.Sp +This is the directory in which stunnel will look for certificates when +using the \fI\-v\fR options. Note that the certificates in this directory +should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the +cert. +.IP "\fB\-A\fR certfile" 4 +.IX Item "-A certfile" +Certificate Authority file +.Sp +This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR +options. 
+.IP "\fB\-t\fR timeout" 4 +.IX Item "-t timeout" +session cache timeout +.Sp +default: 300 seconds. +.IP "\fB\-N\fR servicename" 4 +.IX Item "-N servicename" +Service name to use for tcpwrappers. If not specified then a +tcpwrapper service name will be generated automatically for you. This +will also be used when auto-generating pid filenames. +.IP "\fB\-u\fR ident_username" 4 +.IX Item "-u ident_username" +Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking +.IP "\fB\-n\fR proto" 4 +.IX Item "-n proto" +Negotiate \s-1SSL\s0 with specified protocol +.Sp +currently supported: smtp, pop3, nntp +.IP "\fB\-E\fR socket" 4 +.IX Item "-E socket" +Entropy Gathering Daemon socket to use to feed OpenSSL random number +generator. (Available only if compiled with OpenSSL 0.9.5a or higher) +.IP "\fB\-R\fR filename" 4 +.IX Item "-R filename" +File containing random input. The \s-1SSL\s0 library will use data from this +file first to seed the random number generator. +.IP "\fB\-W\fR" 4 +.IX Item "-W" +Do not overwrite the random seed files with new random data. +.IP "\fB\-B\fR bytes" 4 +.IX Item "-B bytes" +Number of bytes of data read from random seed files. With \s-1SSL\s0 +versions less than 0.9.5a, also determines how many bytes of data are +considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions +have a builtin function to determine when sufficient randomness is +available. +.IP "\fB\-I\fR host" 4 +.IX Item "-I host" +\&\s-1IP\s0 of the outgoing interface is used as source for remote connections. +Use this option to bind a static local \s-1IP\s0 address, instead. +.IP "\fB\-d\fR [host:]port" 4 +.IX Item "-d [host:]port" +daemon mode +.Sp +Listen for connections on [host:]port. If no host specified, defaults +to all \s-1IP\s0 addresses for the local host. +.Sp +default: inetd mode +.IP "\fB\-f\fR" 4 +.IX Item "-f" +foreground mode +.Sp +Stay in foreground (don't fork) and log to stderr instead of via +syslog (unless \-o is specified). 
+.Sp +default: background in daemon mode +.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 +.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]" +execute local inetd-type program. +.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 +.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]" +open local pty and execute program. +.IP "\fB\-s\fR username" 4 +.IX Item "-s username" +\&\fIsetuid()\fR to username in daemon mode +.IP "\fB\-g\fR groupname" 4 +.IX Item "-g groupname" +\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups. +.IP "\fB\-P\fR { file | '' }" 4 +.IX Item "-P { file | '' }" +Pid file location +.Sp +If the argument is a filename, then that filename will be used for the +pid. If the argument is empty ('', not missing), then no pid file will +be created. +.IP "\fB\-r\fR [host:]port" 4 +.IX Item "-r [host:]port" +connect to remote service +.Sp +If no host specified, defaults to localhost. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, +use +.PP +.Vb 1 +\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd +.Ve +.PP +If you want to provide tunneling to your \fIpppd\fR daemon on port 2020, +use something like +.PP +.Vb 1 +\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local +.Ve +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR +options, it will set the following environment variables +.IP "\s-1REMOTE_HOST\s0" 4 +.IX Item "REMOTE_HOST" +The \s-1IP\s0 address of the remote end of the connection. +.IP "\s-1SSL_CLIENT_DN\s0" 4 +.IX Item "SSL_CLIENT_DN" +The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate, +if a certificate was present and verified. +.IP "\s-1SSL_CLIENT_I_DN\s0" 4 +.IX Item "SSL_CLIENT_I_DN" +The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was +present and verified. 
+.SH "CERTIFICATES" +.IX Header "CERTIFICATES" +.IP "\(bu" 4 +Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to +the peer. It also needs a private key to decrypt the incoming data. +The easiest way to obtain a certificate and a key is to generate them +with the free \fIopenssl\fR package. You can find more information on +certificates generation on pages listed below. +.Sp +Two things are important when generating certificate-key pairs for +\&\fBstunnel\fR. The private key cannot be encrypted, because the server +has no way to obtain the password from the user. To produce an +unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR +command from the \fIopenssl\fR kit. +.Sp +The order of contents of the \fI.pem\fR file is also important. It should +contain the unencrypted private key first, then a signed certificate +(not certificate request). There should be also empty lines after +certificate and private key. Plaintext certificate information +appended on the top of generated certificate should be discarded. So +the file should look like this: +.Sp +.Vb 8 +\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- +\& [encoded key] +\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- +\& [empty line] +\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +\& [encoded certificate] +\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +\& [empty line] +.Ve +.SH "RANDOMNESS" +.IX Header "RANDOMNESS" +.IP "\(bu" 4 +\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in +order for \s-1SSL\s0 to use good randomness. The following sources are +loaded in order until sufficient random data has been gathered: +.RS 4 +.IP "\(bu" 8 +The file specified with the \fI\-R\fR flag. +.IP "\(bu" 8 +The file specified by the \s-1RANDFILE\s0 environment variable, if set. +.IP "\(bu" 8 +The file .rnd in your home directory, if \s-1RANDFILE\s0 not set. +.IP "\(bu" 8 +The file specified with '\-\-with\-random' at compile time. 
+.IP "\(bu" 8 +The contents of the screen if running on Windows. +.IP "\(bu" 8 +The egd socket specified with the \fI\-E\fR flag. +.IP "\(bu" 8 +The egd socket specified with '\-\-with\-egd\-sock' at compile time. +.IP "\(bu" 8 +The /dev/urandom device. +.RE +.RS 4 +.Sp +With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading +random data automatically when sufficient entropy has been gathered. +With previous versions it will continue to gather from all the above +sources since no \s-1SSL\s0 function exists to tell when enough data is +available. +.Sp +Note that on Windows machines that do not have console user +interaction (mouse movements, creating windows, etc) the screen +contents are not variable enough to be sufficient, and you should +provide a random file for use with the \fI\-R\fR flag. +.Sp +Note that the file specified with the \fI\-R\fR flag should contain random +data \*(-- that means it should contain different information each time +\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR +flag is used. If you wish to update this file manually, the \fIopenssl +rand\fR command in recent versions of OpenSSL, would be useful. +.Sp +One important note \*(-- if /dev/urandom is available, OpenSSL has a +habit of seeding the \s-1PRNG\s0 with it even when checking the random state, +so on systems with /dev/urandom you're likely to use it even though +it's listed at the very bottom of the list above. This isn't +stunnel's behaviour, it's OpenSSLs. +.RE +.SH "LIMITATIONS" +.IX Header "LIMITATIONS" +.IP "\(bu" 4 +\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of +the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers. +There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, +however. 
+.SH "SEE ALSO" +.IX Header "SEE ALSO" +.RS 4 +.IP "\fItcpd\fR\|(8)" 8 +.IX Item "tcpd" +access control facility for internet services +.IP "\fIinetd\fR\|(8)" 8 +.IX Item "inetd" +internet ``super\-server'' +.IP "\fIhttp://stunnel.mirt.net/\fR" 8 +.IX Item "http://stunnel.mirt.net/" +Stunnel homepage +.IP "\fIhttp://www.stunnel.org/\fR" 8 +.IX Item "http://www.stunnel.org/" +Stunnel Frequently Asked Questions +.IP "\fIhttp://www.openssl.org/\fR" 8 +.IX Item "http://www.openssl.org/" +OpenSSL project website +.RE +.RS 4 +.RE +.SH "AUTHOR" +.IX Header "AUTHOR" +.RS 4 +.IP "Michal Trojnara" 8 +.IX Item "Michal Trojnara" +<\fIMichal.Trojnara@mirt.net\fR> +.RE +.RS 4 +.RE diff --git a/debian/stunnel4.0stunnel4.ppp.ip-down b/debian/stunnel4.0stunnel4.ppp.ip-down new file mode 100644 index 0000000..bd093d4 --- /dev/null +++ b/debian/stunnel4.0stunnel4.ppp.ip-down @@ -0,0 +1,9 @@ +#!/bin/sh +# if this script gets called, we assume that the machine has lost +# IPv4 connectivity -> restart stunnel (do not stop it, it is possible +# to have a eth connection) + +test -f /etc/default/stunnel4 && . /etc/default/stunnel4 +test "$PPP_RESTART" != "0" || exit 0 + +invoke-rc.d stunnel4 restart diff --git a/debian/stunnel4.0stunnel4.ppp.ip-up b/debian/stunnel4.0stunnel4.ppp.ip-up new file mode 100644 index 0000000..3b81198 --- /dev/null +++ b/debian/stunnel4.0stunnel4.ppp.ip-up @@ -0,0 +1,7 @@ +#!/bin/sh + +test -f /etc/default/stunnel4 && . /etc/default/stunnel4 +test "$PPP_RESTART" != "0" || exit 0 + + +invoke-rc.d stunnel4 restart diff --git a/debian/stunnel4.NEWS b/debian/stunnel4.NEWS new file mode 100644 index 0000000..e8693df --- /dev/null +++ b/debian/stunnel4.NEWS 
@@ -0,0 +1,29 @@
+stunnel (3:4.33-1) experimental; urgency=low
+
+ This version introduces support for reloading the configuration file
+ and for closing/reopening log files. The init script has been
+ updated to provide these options, and the default logrotate
+ configuration has been updated to take advantage of them.
+
+
+ -- Luis Rodrigo Gallardo Cruz Thu, 04 Feb 2010 19:52:23 -0800
+
+stunnel (3:4.28-1) unstable; urgency=low
+
+ The default behaviour of the logrotate configuration for stunnel4
+ has been changed. Instead of restarting stunnel after rotating the
+ log files we now use the 'copytruncate' keyword. This avoids the
+ problems associated with the restart, but introduces the possibility
+ of loosing small amounts of log data. Please see Debian bugs
+ #535915, #535924 and #323171 for more info.
+
+ -- Luis Rodrigo Gallardo Cruz Wed, 25 Nov 2009 17:12:42 -0800
+
+stunnel (2:4.140-5) unstable; urgency=low
+
+ stunnel/stunnel4 binaries are located in /usr/bin instead of
+ /usr/sbin in order to be FHS compliant (they can be used by normal
+ user). You need to update your scripts to refer to this new location
+
+ -- Julien Lemoine Sun, 19 Feb 2006 17:31:24 +0100
+
diff --git a/debian/stunnel4.conf.README b/debian/stunnel4.conf.README
new file mode 100644
index 0000000..2ab3bb8
--- /dev/null
+++ b/debian/stunnel4.conf.README
@@ -0,0 +1,13 @@
+Stunnel 4 configuration files.
+
+Files found under the /etc/stunnel directory that end with .conf are
+used by the stunnel4 service as configuration files, and each will be
+used to start a daemon process setting up a tunnel with the given
+configuration. Note that this directory is initially empty, as the
+settings you may want for your tunnels are completely system dependent.
+
+In order to have the tunnels start up automatically on system boot you
+must *also* set ENABLED to 1 in /etc/default/stunnel4
+
+A sample configuration file with defaults may be found at
+ /usr/share/doc/stunnel4/examples/stunnel.conf-sample
diff --git a/debian/stunnel4.default b/debian/stunnel4.default
new file mode 100644
index 0000000..3c8bbef
--- /dev/null
+++ b/debian/stunnel4.default
@@ -0,0 +1,11 @@
+# /etc/default/stunnel
+# Julien LEMOINE
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=0
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
diff --git a/debian/stunnel4.examples b/debian/stunnel4.examples
new file mode 100644
index 0000000..f2135f9
--- /dev/null
+++ b/debian/stunnel4.examples
@@ -0,0 +1,6 @@
+tools/ca.html
+tools/ca.pl
+tools/importCA.html
+tools/importCA.sh
+tools/stunnel.cnf
+tools/stunnel.conf-sample
diff --git a/debian/stunnel4.links b/debian/stunnel4.links
new file mode 100644
index 0000000..e8fe13b
--- /dev/null
+++ b/debian/stunnel4.links
@@ -0,0 +1,2 @@
+/usr/bin/stunnel3 /usr/bin/stunnel
+/usr/share/man/man8/stunnel3.8.gz /usr/share/man/man8/stunnel.8.gz
diff --git a/debian/stunnel4.logrotate b/debian/stunnel4.logrotate
new file mode 100644
index 0000000..697c85a
--- /dev/null
+++ b/debian/stunnel4.logrotate
@@ -0,0 +1,13 @@
+/var/log/stunnel4/*.log {
+ daily
+ missingok
+ rotate 356
+ compress
+ delaycompress
+ notifempty
+ create 640 stunnel4 stunnel4
+ sharedscripts
+ postrotate
+ /etc/init.d/stunnel4 reopen-logs > /dev/null
+ endscript
+}
diff --git a/debian/stunnel4.manpages b/debian/stunnel4.manpages
new file mode 100644
index 0000000..53bb5dc
--- /dev/null
+++ b/debian/stunnel4.manpages
@@ -0,0 +1,4 @@
+doc/stunnel4.8
+doc/stunnel4.fr.8
+doc/stunnel4.pl.8
+debian/stunnel3.8
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..7455594
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,8 @@
+version=3
+
+# Latest version is directly at /stunnel
+ftp://ftp.stunnel.org/stunnel/stunnel-(4).([\d]+)+\.tar\.gz debian
+
+# Any previous versions are at /stunnel/obsolete/4.x
+ftp://ftp.stunnel.org/stunnel/archive/4.x/stunnel-(4).([\d]+)+\.tar\.gz debian
+
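Review bot: The header comment names `/etc/default/stunnel`, but the file is installed and sourced as /etc/default/stunnel4 (both ppp hooks and stunnel4.conf.README in this patch refer to that path); change it to `# /etc/default/stunnel4`. FILES and OPTIONS carry no comment at all; stunnel4.conf.README says each file matched by FILES starts its own daemon, so a line like `# Glob of configuration files; one stunnel4 daemon is started per file` above FILES would help, and OPTIONS deserves a similar note once the init script (not in this diff) confirms how it is passed through.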
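Review bot: `rotate 356` in debian/stunnel4.logrotate looks like a transposition of 365: with `daily` rotation it keeps just under a year of logs, an unusual retention period, whereas 365 is the conventional one-year value. If a year was intended, change it to `rotate 365`; otherwise a comment giving the reason for 356 would save the next reader the same double-take. The `create 640 stunnel4 stunnel4` line is the right choice for logs that record connection metadata, since it keeps the rotated files unreadable to other local users.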
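Review bot: Both patterns in debian/watch fetch the upstream tarball over plain ftp:// with no integrity check, so uscan will accept whatever the server or any on-path party delivers; if upstream publishes detached OpenPGP signatures alongside the tarballs, newer uscan can verify them with `opts=pgpsigurlmangle=s/$/.asc/` plus the upstream key in debian/upstream/signing-key.asc. Separately, the comment on the second pattern says `/stunnel/obsolete/4.x` while the URL uses `/stunnel/archive/4.x`; make the two agree. In both patterns `(4).([\d]+)+` uses an unescaped dot and a redundant outer quantifier; `stunnel-(4\.[\d]+)\.tar\.gz` should match the same versions more precisely, though this is worth a quick uscan dry run to confirm.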