Imported Debian patch 3:4.53-1.1

Salvatore Bonaccorso 2013-04-22 19:47:34 +02:00 committed by Mario Fetka
parent ce7eba2efe
commit 8e474e5321
34 changed files with 2855 additions and 0 deletions

debian/README.Debian (new file)

@ -0,0 +1,95 @@
This is the Stunnel 4.x package for Debian.
* Upgrading from stunnel to stunnel4
Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
different command line syntax and configuration. You will need to
update your scripts.
The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).
To simplify migration, /usr/bin/stunnel is a symlink to the wrapper
script. A future version will make the link point to stunnel4.
* Changes from previous versions
Upstream versions 4.20 and earlier used to ship binaries in /usr/sbin
by default. If you are upgrading from a hand compiled version or from an
ancient Debian package you will need to update your scripts to refer
to /usr/bin.
This change was made in order to be FHS compliant (stunnel can be used by
normal users, and not only by admins).
* Basic configuration
After installation, you should :
- edit /etc/stunnel/stunnel.conf
- edit /etc/default/stunnel and set ENABLE=1, if you want your
configured tunnels to start automatically on boot.
- generate a certificate for use with stunnel if you want to use server mode
Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
configuration. It is very simple and only includes a couple of configuration
options. This script is located in
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
It requires libgnome2-perl and libgtk2-perl.
* How to create SSL keys for stunnel
The certificates default directory is /etc/ssl/certs, so cd into that dir
and issue the command:
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
Fill in the info requested.
Change 'stunnel.pem' to the name of the certificate you need to
create. stunnel.pem will be used by default by stunnel, but you want
to create different certificates for different services you run with
stunnel. Make sure only root can read the file (or only the user that
needs to read it, if stunnel is run as that user):
chmod 600 stunnel.pem
Now you need to append the DH parameters to the certificate.
First you need to generate some amount of random data:
dd if=/dev/urandom of=temp_file count=2
Use /dev/random if you want a more secure source of data, but make
sure you have enough entropy on you system (the output file should be
at least 512 bytes long).
And now make openssl generate the DH parameters and append them to the
certificate file:
openssl dhparam -rand temp_file 512 >> stunnel.pem
You also want to link the certificate to its hash name so that openssl
can find it also by that means:
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
Read the manual page for openssl for more info on the various options.
* FIPS
stunnel 4.21 includes support for OpenSSL's FIPS mode. However, using
it requieres stunnel to be compiled statically against OpenSSL and all
supporting libraries. Thus, this option is disabled in the Debian package.
See the OpenSSL FIPS FAQ at
http://oss-institute.org/fips-faq.html
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z
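Review bot: the recipe under "How to create SSL keys for stunnel" has the user generate and append 512-bit DH parameters (`openssl dhparam -rand temp_file 512 >> stunnel.pem`), which is far too small to be safe, and the changelog in this same commit records that since 4.40 stunnel falls back to hardcoded 2048-bit DH parameters when stunnel.pem carries none, so following this section as written weakens the default rather than improving it. Either drop the DH step or generate 2048-bit parameters; the `dd if=/dev/urandom of=temp_file count=2` seeding step can go with it, since OpenSSL seeds itself from the kernel RNG on Linux. Two smaller points in the same section: it puts a file that contains the private key (`-keyout stunnel.pem`) into /etc/ssl/certs, a directory meant for public certificates and readable by everyone by design, whereas /etc/ssl/private is the conventional place for key material; and the first signature line is missing a dash (`- Julien LEMOINE ...` versus `-- Luis Rodrigo ...`). The trailer dates the text to 2007 while the package is at 4.53, so the rest of the file (the stunnel3 wrapper claim, the FIPS paragraph) deserves a re-check against current behaviour too.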

debian/README.source (new file)

@ -0,0 +1,57 @@
This package uses quilt to manage all modifications to the upstream
source. Changes are stored in the source package as diffs in
debian/patches and applied during the build.
To configure quilt to use debian/patches instead of patches, you want
either to export QUILT_PATCHES=debian/patches in your environment
or use this snippet in your ~/.quiltrc:
for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
export QUILT_PATCHES=debian/patches
fi
done
To get the fully patched source after unpacking the source package, cd to
the root level of the source package and run:
quilt push -a
The last patch listed in debian/patches/series will become the current
patch.
To add a new set of changes, first run quilt push -a, and then run:
quilt new <patch>
where <patch> is a descriptive name for the patch, used as the filename in
debian/patches. Then, for every file that will be modified by this patch,
run:
quilt add <file>
before editing those files. You must tell quilt with quilt add what files
will be part of the patch before making changes or quilt will not work
properly. After editing the files, run:
quilt refresh
to save the results as a patch.
Alternately, if you already have an external patch and you just want to
add it to the build system, run quilt push -a and then:
quilt import -P <patch> /path/to/patch
quilt push -a
(add -p 0 to quilt import if needed). <patch> as above is the filename to
use in debian/patches. The last quilt push -a will apply the patch to
make sure it works properly.
To remove an existing patch from the list of patches that will be applied,
run:
quilt delete <patch>
You may need to run quilt pop -a to unapply patches first before running
this command.
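Review bot: the "unpack, then `quilt push -a`" instructions in the first paragraphs are stale for this package: the changelog in this commit records the switch to source format 3.0 (quilt) in 3:4.33-1, and with that format dpkg-source applies debian/patches/series itself when the source is unpacked, so `quilt push -a` right after `dpkg-source -x` only reports the patches as already applied. The `quilt new`, `quilt add`, `quilt refresh`, `quilt import` and `quilt delete` workflow text is still right; rewording the opening to say the tree is unpacked already patched, and that the QUILT_PATCHES setting is only needed when driving quilt by hand, would avoid confusing contributors. A minor shell point: the `.quiltrc` snippet uses `[ -e ${where}debian/rules -a -d ${where}debian/patches ]`, and the binary `-a` inside `[` is marked obsolescent by POSIX; two separate tests joined with `&&` are the portable form.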

debian/StunnelConf-0.1.pl (new file)

@ -0,0 +1,477 @@
#!/usr/bin/perl
# Copyright (C) 2004 Sergio Rua <srua@debian.org>
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
#
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL'.
use strict;
use Gtk2;
use Gnome2;
use Gtk2::SimpleList;
use constant TRUE => 1;
use constant FALSE => 0;
# Please configure if necessary!
my $cfgfile = "/etc/stunnel/stunnel.conf";
my $backup_cfg = 1;
my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g;
# global variables
my $ekey;
my $ecert;
my $verify;
my $app;
my $elog;
my $clientmode;
my $debuglevel;
my $capath;
my $list;
sub mydie
{
my ($msg)=@_;
print "$msg\n";
Gtk2->main_quit;
exit (-1);
}
sub sel_file
{
my ($title,$entry,$isfile)=@_;
my $fsel=Gtk2::FileSelection->new($title);
$fsel->ok_button->signal_connect("clicked",sub {
print "OK: ". $fsel->get_filename."\n";
$entry->set_text($fsel->get_filename);
$fsel->destroy;
});
$fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; });
$fsel->show;
}
sub add_connection
{
my $win = new Gtk2::Window("toplevel");
$win->set_position("center");
my $vbox = new Gtk2::VBox( 0, 2 );
$win->add($vbox);
$vbox->show;
my $druid = new Gnome2::Druid;
$druid->signal_connect("cancel", sub { $win->destroy; } );
$vbox->pack_start($druid,0,0,0);
my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START");
$druid_start->set_title("Connections setup");
$druid_start->set_text("Please follow this configuration wizard to ".
"configure your connections\n");
# $druid_start->set_watermark($logo);
$druid_start->show;
$druid->append_page($druid_start);
# Second Step: accepting connections
my $druid_name = new Gnome2::DruidPageStandard();
$druid_name->set_title("Connection name");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("Enter this connection name");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $ename=new Gtk2::Entry();
$dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0);
$druid_name->append_item("",$dvbox,"");
$druid_name->show_all;
# add page to the druid
$druid->append_page($druid_name);
# Second Step: accepting connections
my $druid_accept = new Gnome2::DruidPageStandard();
$druid_accept->set_title("Accepting connections");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $accept_error=new Gtk2::Label("");
$dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $eip=new Gtk2::Entry();
$dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0);
my $eport=new Gtk2::Entry();
$dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0);
$druid_accept->append_item("",$dvbox,"");
$druid_accept->show_all;
# add page to the druid
$druid->append_page($druid_accept);
# Third Step: connecting to...
my $druid_connect = new Gnome2::DruidPageStandard();
$druid_connect->set_title("Connection To...");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $etoip=new Gtk2::Entry();
$dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $etoport=new Gtk2::Entry();
$dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0);
$druid_connect->append_item("",$dvbox,"");
$druid_connect->show_all;
# add page to the druid
$druid->append_page($druid_connect);
# Finishing and adding connection
my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH");
$druid_finish->set_title("Configuration Finished.");
$druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
# $druid_finish->set_logo($logo2);
$druid_finish->signal_connect("finish", sub {
my $acip=$eip->get_text();
my $acport=$eport->get_text();
my $coip=$etoip->get_text();
my $coport=$etoport->get_text();
my $dslist = $list->{data};
push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ];
$win->destroy;
});
$druid_finish->show;
$druid->append_page($druid_finish);
$druid->show;
$win->show;
}
sub load_config_file
{
my $con=$list->{data};
my $name="";
my $accept="";
my $connect="";
if (! -s $cfgfile) {
print "Config file not found. Starting from scratch!\n";
return (0);
}
open F, "<$cfgfile" or die "$cfgfile: $!\n";
while (<F>) {
$_=~s/\n//g;
if ($_=~/^cert.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ecert->set_text($value);
} elsif ($_=~/^key.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ekey->set_text($value);
} elsif ($_=~/^verify.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
if ($value==1) {
$verify->entry->set_text("verify peer certificate if present");
} elsif ($value==2) {
$verify->entry->set_text("verify peer certificate");
} elsif ($value==3) {
$verify->entry->set_text("verify peer with locally installed certificate");
} else {
$verify->entry->set_text("no verify");
}
} elsif ($_=~/^client.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$clientmode->entry->set_text($value);
} elsif ($_=~/^(capath|CApath).*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$capath->set_text($value);
} elsif ($_=~/^debug.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$debuglevel->entry->set_text($value);
} elsif ($_=~/^output.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$elog->set_text($value);
} elsif ($_=~/^\[.*/) {
$_=~s/\[//g;
$_=~s/\]//g;
$name=$_;
} elsif ($_=~/^accept.*=.*/) {
(undef,$accept) = split "=",$_;
$accept=~s/(\ |\t)//g;
} elsif ($_=~/^connect.*=.*/) {
(undef,$connect) = split "=",$_;
$connect=~s/(\ |\t)//g;
}
# load connection
if (($accept) && ($name) && ($connect)) {
push @$con, [ $name, $accept, $connect ];
$name=$connect=$accept="";
}
}
close F;
}
sub save_config_file
{
if ($backup_cfg) {
chdir ($base_cfg_dir);
rename($cfgfile,$cfgfile.".$$") or
print "Error at \n$cfgfile: $!\nNo backup made!\n";
}
open O, ">$cfgfile" or
mydie "Cannot open config file: $!\n";
print "Saving $cfgfile\n\n\n";
print O "# Configuration file created by \"stunnelconf\" by ".
"Sergio Rua <srua\@debian.org>\n\n";
if ($ekey->get_text()) {
print O "key = ".$ekey->get_text()."\n";
}
if ($ecert->get_text()) {
print O "cert = ".$ecert->get_text()."\n";
}
print O "verify = ".$verify->entry->get_text()."\n";
print O "output = ".$elog->get_text()."\n";
print O "client = ".$clientmode->entry->get_text()."\n";
print O "debug = ".$debuglevel->entry->get_text()."\n";
print O "CApath = ".$capath->get_text()."\n";
print O "\n\n"; # just some spaces
my @rowref = @{$list->{data}};
my $i=0;
for $i (0 .. $#rowref) {
print O "[".$rowref[$i][0] . "]\n";
# if no hostname, ugly ":" to be removed
$rowref[$i][1]=~s/^://g;
$rowref[$i][2]=~s/^://g;
print O "accept = ".$rowref[$i][1] . "\n";
print O "connect = ".$rowref[$i][2] . "\n";
print O "\n"; # just some spaces
}
close O;
Gtk2->main_quit;
return 0;
}
sub create_main_win
{
$app = Gnome2::App->new ("stunnel-conf");
$app->set_default_size(470,410);
$app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } );
$app->set_title("Stunnel Configuration");
my $vbox=Gtk2::VBox->new(FALSE,0);
my $frame=Gtk2::Frame->new("Common options");
$vbox->pack_start($frame,TRUE, TRUE, 0);
my $table=Gtk2::Table->new(6, 2, FALSE);
$frame->add($table);
my $label0=Gtk2::Label->new("Private Key");
$table->attach($label0,0,1,0,1,["fill"],["fill"],0,0);
my $label1=Gtk2::Label->new("Certificate");
$table->attach($label1,0,1,1,2,["fill"],["fill"],0,0);
my $label2=Gtk2::Label->new("Verify level");
$table->attach($label2,0,1,2,3,["fill"],["fill"],0,0);
my $label3=Gtk2::Label->new("Log output");
$table->attach($label3,0,1,3,4,["fill"],["fill"],0,0);
my $label4=Gtk2::Label->new("Client mode");
$table->attach($label4,0,1,4,5,["fill"],["fill"],0,0);
my $label5=Gtk2::Label->new("Debug level");
$table->attach($label5,0,1,5,6,["fill"],["fill"],0,0);
my $label6=Gtk2::Label->new("Certificates path");
$table->attach($label6,0,1,6,7,["fill"],["fill"],0,0);
# Private Key
my $hbox0=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0);
$ekey=Gtk2::Entry->new();
$hbox0->pack_start($ekey,TRUE,TRUE,0);
my $bkey=Gtk2::Button->new_from_stock("gtk-open");
$bkey->signal_connect("clicked",sub {
sel_file("Select private key",$ekey);
});
$hbox0->pack_start($bkey,FALSE,FALSE,0);
# Certificate
my $hbox1=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0);
$ecert=Gtk2::Entry->new();
$hbox1->pack_start($ecert,TRUE,TRUE,0);
my $bcert=Gtk2::Button->new_from_stock("gtk-open");
$bcert->signal_connect("clicked",sub {
sel_file("Select certificate",$ecert);
});
$hbox1->pack_start($bcert,FALSE,FALSE,0);
# Auth level - verify
$verify = Gtk2::Combo->new();
$verify->entry->set_text("no verify");
$verify->set_popdown_strings(("no verify",
"verify peer certificate if present",
"verify peer certificate",
"verify peer with locally installed certificate"));
$table->attach($verify,1,2,2,3,["fill"],["fill"],0,0);
# Log output
my $hbox2=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0);
$elog=Gtk2::Entry->new();
$hbox2->pack_start($elog,TRUE,TRUE,0);
my $blog=Gtk2::Button->new_from_stock("gtk-open");
$blog->signal_connect("clicked",sub {
sel_file("Select log file",$elog);
});
$hbox2->pack_start($blog,FALSE,FALSE,0);
# Client mode
$clientmode = Gtk2::Combo->new();
$clientmode->entry->set_text("no verify");
$clientmode->set_popdown_strings(("yes","no"));
$table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0);
# Debug level
$debuglevel = Gtk2::Combo->new();
$debuglevel->entry->set_text("no verify");
$debuglevel->set_popdown_strings(("0","1","5","7"));
$table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0);
# CA path
my $hbox3=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0);
$capath=Gtk2::Entry->new();
$hbox3->pack_start($capath,TRUE,TRUE,0);
# my $bcapath=Gtk2::Button->new_from_stock("gtk-open");
# $bcapath->signal_connect("clicked",sub {
# sel_file("Select Certificates Path",$capath);
# });
# $hbox3->pack_start($bcapath,FALSE,FALSE,0);
# connections section
my $frame2=Gtk2::Frame->new("Connections");
$vbox->pack_start($frame2,TRUE, TRUE, 0);
my $hbox4=Gtk2::HBox->new(FALSE,0);
$list=Gtk2::SimpleList->new (
'Name' => 'text',
'Accept' => 'text',
'Connect' => 'text',
);
# $list->get_selection->set_mode ('multiple');
my $scwin = Gtk2::ScrolledWindow->new;
$scwin->set_policy (qw/automatic automatic/);
$scwin->add($list);
$hbox4->pack_start($scwin,TRUE,TRUE,0);
# list buttons
my $vbbox=Gtk2::VButtonBox->new();
$vbbox->set_layout('spread');
my $badd = Gtk2::Button->new_from_stock('gtk-add');
$badd->signal_connect( 'clicked' => sub { add_connection; } );
$vbbox->add($badd);
# my $bedit = Gtk2::Button->new_from_stock('gtk-properties');
# $bedit->signal_connect( 'clicked' => sub {
# print "Edit\n";
# } );
# $vbbox->add($bedit);
my $brem = Gtk2::Button->new_from_stock('gtk-remove');
$brem->signal_connect( 'clicked' => sub {
my @sel = $list->get_selected_indices;
print @sel;
foreach my $i (@sel) {
delete $list->{data}[$i];
}
} );
$vbbox->add($brem);
$hbox4->pack_start($vbbox,FALSE,FALSE,0);
# main buttons!!!
my $bbox=Gtk2::HButtonBox->new();
$bbox->set_layout('spread');
my $bok = Gtk2::Button->new_from_stock('gtk-ok');
$bok->signal_connect( 'clicked' => sub { save_config_file; } );
$bbox->add($bok);
my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
$bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
$bbox->add($bcancel);
$vbox->pack_start($bbox,FALSE,FALSE,0);
$frame2->add($hbox4);
# App contents and show them
$app->set_contents($vbox);
$app->show_all;
}
#
# MAIN MAIN MAIN
#
#
Gnome2::Program->init ("stunnelconf", "0.1");
$app=create_main_win;
load_config_file;
Gtk2->main;
exit 0;
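Review bot: save_config_file rebuilds stunnel.conf from the widget contents alone, so every directive that load_config_file does not recognise (setuid/setgid, chroot, pid, options, ciphers, sslVersion, any section that uses exec rather than connect, and so on) is silently dropped the moment the user clicks OK; for a tool that edits a security-critical configuration that is both a data-loss bug and a hardening regression, and the script should either carry unknown lines through verbatim or refuse to save a file it could not fully parse. The `verify` option is also round-tripped incorrectly: load_config_file maps the numeric level to a label ("verify peer certificate" and friends, with anything unrecognised becoming "no verify"), but save_config_file emits `print O "verify = ".$verify->entry->get_text()."\n";`, writing that label back where stunnel expects a number; the reverse mapping is needed on save, and `verify = 0` (request and ignore the peer certificate, per the 3:4.42-1 entry in this commit's changelog) is currently collapsed into "no verify" and written out as such. Related copy-paste defects in create_main_win: `$clientmode->entry->set_text("no verify");` and `$debuglevel->entry->set_text("no verify");` seed the client-mode and debug-level combos with a verify label, so an input file without `client` or `debug` lines is saved with `client = no verify` and `debug = no verify`. Two smaller points: `(undef,my $value) = split "=",$_` keeps only the text between the first and second `=`, truncating any value that itself contains that character; and the new file is created with `open O, ">$cfgfile"` under the caller's umask after the original has been renamed to a per-PID `.$$` backup, so its permissions can differ from the original's and the backups accumulate in /etc/stunnel on every save. Setting a restrictive umask (or an explicit chmod) before writing and keeping a single `.bak` would be safer.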

debian/changelog (new file)

@ -0,0 +1,933 @@
stunnel4 (3:4.53-1.1) unstable; urgency=high
* Non-maintainer upload.
* Add CVE-2013-1762.patch patch.
CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT
protocol negotiation. (Closes: #702267)
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 22 Apr 2013 19:47:34 +0200
stunnel4 (3:4.53-1) unstable; urgency=low
* New upstream version 4.53.
- Added client-mode "sni" option to directly control the value of
TLS Server Name Indication (RFC 3546) extension (Closes: #668041).
- Added support for IP_FREEBIND socket option with a pached Linux kernel.
- Glibc-specific dynamic allocation tuning was applied to help unused memory
deallocation.
- Non-blocking OCSP implementation.
- Various other bugfixes, see upstream changelog for details.
* Enabled hardening compile flags. There were NO compile time warning messages
or errors triggered because of this.
* Updated to Standards-Version 3.9.3. No changes required.
- Migrating to /run from /var/run will be a hard problem, because we expect
user written config files to refer to the directory. We'll punt on making
this change for now.
* Updated copyright years to 2012.
* Added Description: LSB header to init script.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 03 Jun 2012 11:34:36 -0700
stunnel4 (3:4.52-1) unstable; urgency=low
* New upstream version 4.52.
* Do not enable chroot in sample config file. It is misleading to users, it
suggests it can be used with no further changes. Closes: #652812
* Remove log files on purge. Closes: #657135
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 12 Feb 2012 12:06:37 -0800
stunnel4 (3:4.51~b5-1) experimental; urgency=low
* New upstream version
- Fixed exec+connect sections (Closes: #653882).
- New "compression = deflate" global option to enable RFC 2246 compression.
For compatibility with previous versions "compression = zlib" and
"compression = rle" also enable the deflate (RFC 2246) compression.
- Separate default ciphers and sslVersion for "fips = yes" and "fips = no".
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 04 Jan 2012 11:24:58 -0800
stunnel4 (3:4.50-1) unstable; urgency=low
* New Upstream Releases. Highlights:
+ 4.46:
- Added Unix socket support (e.g. "connect = /var/run/stunnel/socket").
- Added "verify = 4" mode to ignore CA chain and only verify peer
certificate.
- Removed the limit of 16 IP addresses for a single 'connect' option.
- Removed the limit of 256 stunnel.conf sections in PTHREAD threading
model.
+ 4.45:
- "protocol = proxy" support to send original client IP address to haproxy
http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
This requires accept-proxy bind option of haproxy 1.5-dev3 or later.
- Libwrap helper processes are no longer started if libwrap is disabled
in all sections of the configuration file.
- Fixed -l option handling in stunnel3 script (thx to Kai Gülzau).
- Script to build default stunnel.pem was fixed (thx to Sebastian Kayser).
+ 4.44:
- Heap buffer overflow protection with canaries.
- Stack buffer overflow protection with -fstack-protector.
- Fixed garbled error messages on errors with setuid/setgid options.
+ 4.43:
- Major optimization of the logging subsystem.
Benchmarks indicate up to 15% stunnel performance improvement.
* Remove config.guess and config.sub in clean target, otherwise build fails
because of changes in source outside of a patch. Found and fixed by
Peter Eisentraut <petere@debian.org> (Closes: #647176).
* Updated watchfile to new upstream's directory structure for archived
releases.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 29 Dec 2011 06:39:09 -0800
stunnel4 (3:4.42-1) unstable; urgency=low
* New Upstream Release.
- Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may
possibly be leveraged to perform DoS or remote code execution attacks.
(Closes: #638758)
- New verify level 0 to request and ignore peer certificate.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sat, 27 Aug 2011 08:34:43 -0700
stunnel4 (3:4.40-1) unstable; urgency=low
* New Upstream Release:
- Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters
are not provided in stunnel.pem.
- Default "ciphers" value updated to prefer ECDH:
"ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
- Default ECDH curve updated to "prime256v1".
- Removed support for temporary RSA keys (used in obsolete export ciphers).
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 24 Jul 2011 11:06:57 -0700
stunnel4 (3:4.39-1) unstable; urgency=low
* New Upstream Releases. Highlights:
+ 4.38:
- Server-side SNI implemented (RFC 3546 section 3.1) with a new
service-level option "nsi".
- "socket" option also accepts "yes" and "no" for flags.
- Nagle's algorithm is now disabled by default for improved interactivity.
- Bugfix: Signal pipe set to non-blocking mode. This bug caused
hangs of stunnel features based on signals, e.g. local mode, FORK
threading, or configuration file reload on Unix. Win32 platform was
not affected.
+ 4.37:
- Client-side SNI implemented (RFC 3546 section 3.1).
- Default "ciphers" changed from the OpenSSL default to a more secure
and faster "RC4-MD5:HIGH:!aNULL:!SSLv2".
A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2".
- Recommended "options = NO_SSLv2" added to the sample stunnel.conf file.
- Default client method upgraded from SSLv3 to TLSv1.
To connect servers without TLS support use "sslVersion = SSLv3" option.
- Bugfix: Non-blocking socket handling in local mode fixed
(Closes: #626856).
+ 4.36:
- Dynamic memory management for strings manipulation:
no more static STRLEN limit, lower stack footprint. (Closes: #594876).
- Strict public key comparison added for "verify = 3" certificate
checking mode (thx to Philipp Hartwig).
For more details see upstream ChangeLog.
* Removed /usr/lib/stunnel/libstunnel.la file.
* Support restarting selected stunnel instances. Thanks Peter Palfrader.
(Closes: #627765).
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 21 Jul 2011 15:46:25 -0700
stunnel4 (3:4.35-2) unstable; urgency=low
* Fix variable substitution in init script (Closes: #623221).
Thanks Tomas Kapralek <kapralek@cvut.cz> for report and diagnosis.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Mon, 18 Apr 2011 20:46:01 -0700
stunnel4 (3:4.35-1) unstable; urgency=low
* New Upstream Releases (Closes: #621987).
* Upstream incorporated our init script, so this package no longer carries
its own copy of it.
* Bump Standards-Version to 3.9.2. No changes needed.
* Remove /etc/stunnel/stunnel4.conf file as it is useless, except as a sample.
A README file for /etc/stunnel was provided (Closes: #549384).
* Minor cleanup of debian/rules, no longer runs configure twice.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 17 Apr 2011 22:04:53 -0700
stunnel4 (3:4.33-1) experimental; urgency=low
* New Upstream Releases
- 4.31
+ A SIGHUP to the server will cause it to reload the configuration file.
+ A SIGUSR1 to the server causes it to reopen its log files.
- 4.32
+ New service-level "libwrap" option for run-time control whether
/etc/hosts.allow and /etc/hosts.deny are used for access control.
Disabling libwrap significantly increases performance of stunnel.
- 4.33
+ Fixes to inetd mode
For more details please see upstream's ChangeLog.
* Init script now provides reload and reopen-log options (Closes: #323171).
* The logrotate config file now takes advantage of reopen-log option.
* Update config.{build,sub} on build. Closes: #535719.
* Add missing ${misc:Depends} entry to debian/control.
* Update copyright years.
* Update to Standards-Version: 3.9.1
- stunnel4 no longer Conflicts: stunnel, but merely Breaks: stunnel.
* Update packaging to source format 3.0 (quilt).
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Fri, 27 Aug 2010 16:58:44 -0700
stunnel4 (3:4.29-1) unstable; urgency=low
* New upstream version (Closes: #559270).
- sessiond, a high performance SSL session cache was built for stunnel.
A new service-level "sessiond" option was added. sessiond is
available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
stunnel clusters will be a lot faster, now!
- Transparent proxy support on Linux kernels >=2.6.28.
See the manual for details.
The old transproxy.txt file is no longer provided.
- New socket options to control TCP keepalive on Linux:
TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
- SSL options updated for the recent version of OpenSSL library.
- Bugfixes
+ Missing "fips" option was added to the manual.
+ A serious bug in asynchronous shutdown code fixed.
+ Data alignment updated in libwrap.c.
+ Polish manual encoding fixed. Debian's patch for this removed.
+ Notes on compression implementation in OpenSSL added to the manual.
* Use correct owner:group for logs after rotation. (Closes: #529481).
Thanks Brian 'morlenxus' Miculcy <morlenxus@gmx.net>
* Use copytruncate in logrotate file, instead of restarting the
daemon (Closes: #535915).
Thanks Andrew Buckeridge <andrewb@bgc.com.au>
* Bump Standards-Version to 3.8.3. No changes required.
* Do not specify path to true in postinst script.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Tue, 08 Dec 2009 19:34:21 -0800
stunnel4 (3:4.27-1) unstable; urgency=low
* New upstream release.
- Remove debian/patches/security-check_certificate, now included upstream.
Fixes: CVE-2008-2420
- Libwrap helper processes fixed to close standard
input/output/error file descriptors. (Closes: #482379)
* Rebase quilt patches to not require -p0. (Closes: #484966)
* Fix sample configuration file to use ssl cert from /etc/ssl/certs
(Closes: #460953).
* Warn if automatic startup is disabled in /etc/default/stunnel4
(Closes: #475599).
* Use invoke-rc.d in ppp start/stop scripts.
* Standards-Version: 3.8.1.
- Add README.source documenting use of quilt.
* Bump to debhelper 7
- Remove unused old option from dh_mkshlibs call
* Declare the polish pod's encoding and use unicode when converting it
to a manpage.
* Dummy upgrade package is priority: extra
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Fri, 24 Apr 2009 19:56:05 -0700
stunnel4 (3:4.22-2) unstable; urgency=low
* Check if a daemon is already running before trying to start it with the
same configuration file. Thanks Peter Palfrader <weasel@debian.org> for
the report (Closes: #506091).
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Tue, 18 Nov 2008 13:52:42 +0100
stunnel4 (3:4.22-1.1) unstable; urgency=high
* Non-maintainer upload by the security team
* Fix security bug in the OCSP functionality that allowed revoked
certificates to authenticate (Closes: #482644)
Fixes: CVE-2008-2420
-- Steffen Joeris <white@debian.org> Tue, 27 May 2008 18:28:56 +0200
stunnel4 (3:4.22-1) unstable; urgency=low
* New upstream release.
- Build system now uses standard automake dirs.
- Reworked logging system avoids outputing before log file is configured
(Closes: #460019).
- Simultaneous logging to a file and the syslog is now possible.
- A new service level option to control stack size:
stack = <number of bytes>
- Bugfixes in libwrap support code.
* debian/patches/setuid.patch: Removed, it's included upstream.
* debian/patches/fix-paths: Reworked to use automake's standard dirs.
* Rebase the rest of the patches.
* Update standards-version to 3.7.3. No changes needed.
* Fix build-dependencies on -1 revisions of libssl-dev, openssl and quilt.
* Register documentation in the System/Security section.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Tue, 01 Apr 2008 11:07:56 -0600
stunnel4 (3:4.21-1) unstable; urgency=low
* New upstream release.
- Binaries moved from /usr/sbin to /usr/bin. Thus, Debian no longer
diverges in that from upstream.
- libstunnel.so migrated inside /usr/lib/stunnel.
- Preliminary FIPS 140-2 support, but this package does not include it,
as it requires static compilation.
- Miscelaneous bugfixing.
* debian/patches/no_zlib_link:
- Rebased. Only line numbering changed.
* debian/patches/libstunnel_is_private_lib:
- Removed. Included upstream.
* debian/patches/fix-paths:
- Remove hunks related to moving binaries to /usr/bin. Refresh line numbers
in the rest.
* debian/patches/rename-binary:
- Rebased. Minor changes due to changed dates in the manpage and the use of
@prefix@ in src/stunnel3.in.
* debian/patches/setuid.patch:
- Patch from upstream to allow using setuid/setgid with /etc/passwd and
/etc/group not within chrooted directory.
* debian/README.Debian:
- Add explanation about not turning FIPS mode on.
- Reword warning about binaries changing place.
* debian/rules, debian/stunnel4.manpages:
- No longer need to move the binaries.
- Upstream location for manpages changed. We still install them by hand,
anyways.
- Ship fr and pl manpages.
- Do not pass --host to configure if not cross compiling.
- Reorder target dependencies. This should avoid problems when doing
paralell builds.
* debian/control:
- Remove XS- prefix from Vcs-* fields.
- Add Homepage: field.
- Correct minor typo in dummy package's description.
- Version build dependency on quilt, since we require
/usr/share/quilt/quilt.make (Closes: #447751).
- Change my maintainer address.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 05 Dec 2007 08:09:44 -0600
stunnel4 (3:4.20-5) unstable; urgency=low
* debian/stunnel3.8:
- Remove references to unsupported -S and -V options in manpage, and
include an explicit list of tunable parameters for -O and their
default values (Closes: #440718).
- Rewrite -P argument description. It must be a file to be created, or
empty (Closes: #398012).
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> Thu, 27 Sep 2007 11:54:53 -0500
stunnel4 (3:4.20-4) unstable; urgency=low
* Add missing names and dates of copyright attributions to
debian/copyright. Update licencing blurb to mention the new FSF's
postal address.
* Restructure README.Debian into sections.
* Remove /usr/share/lintian/overrides and /usr/sbin from
debian/dirs. Explicitly create the first if needed to install an
override file, and explicitly remove the latter after moving the
binaries, in debian/rules.
* Move StunnelConf-0.1.pl into /usr/share/doc/stunnel4/contrib. Remove
it from debian/docs and explicitly install it in dh_install call.
* Patch configure (debian/patches/no_zlib_link) to avoid linking to
zlib. This library is a dependency of openssl, but not of ours.
* Rewrite changelog entries from previous version, adding mention of
modified files.
* Use make -C dir instead of cd dir; make constructs in debian/rules.
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> Mon, 27 Aug 2007 18:11:40 -0500
stunnel4 (3:4.20-3) unstable; urgency=low
* New Maintainer (Closes: #416955).
* Manage patches to upstream source with quilt.
- fix-paths changes references to /usr/sbin.
We install binaries in /usr/bin. It also removes bogus @PREFIX@ uses
from several paths.
- rename-binary changes the name of the executable to stunnel4.
- runas-user sets the default config to run as the stunnel4 user and group.
- connect-proxy-dunbar *unapplied* patch from upstream's
site. (It does not apply to 4.07 onwards)
- openssl0.9.8-initialization *unapplied* patch. Originally meant to
close #334180, was disabled by previous maintainer without
explanation.
* Add stunnel dummy upgrade package.
- debian/control: Add package stanza.
- debian/rules: Modify to build the arch-indep package.
- debian/stunnel.NEWS: Add upgrade notice for stunnel 3 users.
* Shorten dh_* invocations in debian/rules.
- new files: stunnel4.examples, stunnel4.links, stunnel4.manpages.
* Ship upstream Changelog (Closes: #419842).
- Add ChangeLog to dh_installchangelogs call in debian/rules.
* Do not compress StunnelConf-0.1.pl (Closes: #432304).
- Add exclude entry to dh_compress call in debian/rules.
* Add watch file.
* Suggests: logcheck-database (Closes: #382099).
* Move libstunnel.so into /usr/lib/stunnel, as it is a private DSO.
- Remove lintian overrides.
- Added debian/patches/libstunnel_is_private_lib
- Remove ldconfig calls from post{inst,rm}
- Remove /usr/lib/libstunnel.so.4 link
* Use debhelper compat mode 5.
- Bump debhelper build-depends to >= 5. No other changes.
* Remove /var/lib/stunnel4 when purged, if empty (in debian/postinst).
* Remove manual call to invoke-rc.d from postinst. debhelper inserts it
automatically.
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> Mon, 20 Aug 2007 23:18:31 -0500
stunnel4 (3:4.20-2) unstable; urgency=low
* Orphan package
-- Julien Lemoine <speedblue@debian.org> Sat, 31 Mar 2007 20:07:55 +0200
stunnel4 (3:4.20-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Sat, 27 Jan 2007 21:43:19 +0100
stunnel4 (3:4.18-2) unstable; urgency=low
* Updated chroot default path in configuration file
* Added LSB section in init script
-- Julien Lemoine <speedblue@debian.org> Tue, 7 Nov 2006 20:22:04 +0100
stunnel4 (3:4.18-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Wed, 27 Sep 2006 20:33:07 +0200
stunnel4 (3:4.17-2) unstable; urgency=low
* Check if pids are valid before trying to use kill
(Closes: #388379)
-- Julien Lemoine <speedblue@debian.org> Wed, 20 Sep 2006 22:04:41 +0200
stunnel4 (3:4.17-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Mon, 11 Sep 2006 22:48:09 +0200
stunnel4 (3:4.16-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Fri, 1 Sep 2006 22:11:10 +0200
stunnel4 (2:4.150-7) unstable; urgency=low
* Fixed a bug when pid is not given in configuration file :
init.d script was looking for /var/run/stunnel4/stunnel4.pid but
stunnel was creating /var/run/stunnel4.pid
(Closes: #384275)
* Added check during start to encourage users to fill the pid= section
of configuration file when start failed (for example if you use two
configuration files without pid= option)
-- Julien Lemoine <speedblue@debian.org> Thu, 24 Aug 2006 17:19:57 +0200
stunnel4 (2:4.150-6) unstable; urgency=low
* Updated to debian policy 3.7.2
* Fixed lintian warnings
-- Julien Lemoine <speedblue@debian.org> Tue, 22 Aug 2006 14:03:19 +0200
stunnel4 (2:4.150-5) unstable; urgency=low
* Fixed typo in postinst :
/var/lib/stunnel4/stunnel.log instead of /var/log/stunnel4/stunnel.org
(Closes: #381127)
-- Julien Lemoine <speedblue@debian.org> Wed, 2 Aug 2006 21:19:49 +0200
stunnel4 (2:4.150-4) unstable; urgency=low
* Create /var/lib/stunnel4 if it does not exist in postinst
(Closes: #377074)
-- Julien Lemoine <speedblue@debian.org> Sun, 16 Jul 2006 16:12:05 +0200
stunnel4 (2:4.150-3) unstable; urgency=low
* Fixed another problem with stunnel3 compatibility script
(call to /usr/sbin/stunnel4 instead of /usr/bin/stunnel4) and added
a check in debian/rules (Closes: #340113)
-- Julien Lemoine <speedblue@debian.org> Mon, 1 May 2006 17:58:39 +0200
stunnel4 (2:4.150-2) unstable; urgency=low
* Fixed stunnel3 compatibility script problem (infinite loop)
Thanks to "Martin Schwenke" <martin@meltin.net> for bug report.
* Added a check in debian/rules to ensure that stunnel3 compatibility script
does not contain infinite loop
-- Julien Lemoine <speedblue@debian.org> Mon, 27 Mar 2006 09:26:06 +0200
stunnel4 (2:4.150-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Sun, 12 Mar 2006 21:30:08 +0100
stunnel4 (2:4.140-6) unstable; urgency=low
* Added check/creation of /var/run/stunnel4 directory in init.d script instead of
postinst in order to be FHS compliant when /var/run is cleared at startup
(note that /var/run/stunnel4 cleanup does not allow to have a chroot
in /var/run/stunnel4)
Thanks to Jim Helm : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343882;msg=25
-- Julien Lemoine <speedblue@debian.org> Sun, 5 Mar 2006 18:18:58 +0100
stunnel4 (2:4.140-5) unstable; urgency=low
* Move stunnel and stunnel-dsa from /usr/sbin to /usr/bin in order to be
compliant with FHS standard. The stunnel program is interesting for
"normal" users as well as administrator.
-- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:47:55 +0100
stunnel4 (2:4.140-4) unstable; urgency=low
* Fixed problem with default directory (/etc/stunnel for configuration
directory and /var/run/stunnel4.pid for pid file) (Closes: #343882)
-- Julien Lemoine <speedblue@debian.org> Thu, 22 Dec 2005 16:32:20 +0100
stunnel4 (2:4.140-3) unstable; urgency=low
* Default configuration file is now filled with values for usage
in a chroot environment
(if you do not want chroot or want to use vserver, you need to edit it)
(Closes: #342507)
-- Julien Lemoine <speedblue@debian.org> Sat, 17 Dec 2005 10:00:40 +0100
stunnel4 (2:4.140-2) unstable; urgency=low
* Fixed stunnel3 compatibility script
(wrong binary : stunnel instead of stunnel4)
(Closes: #340113)
-- Julien Lemoine <speedblue@debian.org> Mon, 21 Nov 2005 07:57:02 +0100
stunnel4 (2:4.140-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Wed, 2 Nov 2005 22:01:52 +0100
stunnel4 (2:4.120-1) unstable; urgency=low
* New upstream release
* Applied patch from Kurt Roeckx <kurt@roeckx.be> to fix initialization
problem with openssl 0.9.8 (Closes: #334180)
-- Julien Lemoine <speedblue@debian.org> Wed, 26 Oct 2005 17:53:55 +0200
stunnel4 (2:4.110-2) unstable; urgency=low
* Rebuild with openssl 0.9.8
-- Julien Lemoine <speedblue@debian.org> Mon, 10 Oct 2005 19:41:33 +0200
stunnel4 (2:4.110-1) unstable; urgency=low
* New upstream release
* Updated to Standards-Version 3.6.2
-- Julien Lemoine <speedblue@debian.org> Sun, 24 Jul 2005 11:21:14 +0200
stunnel4 (2:4.090-1) unstable; urgency=low
* New upstream release
* include better stunnel3 compatibility script from upstream, options
like -cd can now be used instead of -c -d ...
(closes: #305259)
* Added depends on perl-modules to allow use of stunnel3 compatibility script
-- Julien Lemoine <speedblue@debian.org> Wed, 20 Apr 2005 21:07:50 +0200
stunnel4 (2:4.070-5) unstable; urgency=low
* Renamed stunnel3 compatibility script (/usr/sbin/stunnel) to be compatible
with stunnel package
* Added conflict with stunnel package (compatible, does not break user
configuration) since stunnel 4.x is more actively maintained
than stunnel 3.x
-- Julien Lemoine <speedblue@debian.org> Tue, 29 Mar 2005 22:16:43 +0200
stunnel4 (2:4.070-4) unstable; urgency=low
* Add an option (PPP_RESTART) in /etc/default/stunnel4 to enable/disable
restart scripts (closes: #298352)
-- Julien Lemoine <speedblue@debian.org> Mon, 7 Mar 2005 22:47:27 +0100
stunnel4 (2:4.070-3) unstable; urgency=low
* Do not remove user and group if they already exist in postinst
script (Closes: #290374)
-- Julien Lemoine <speedblue@debian.org> Mon, 17 Jan 2005 23:33:56 +0100
stunnel4 (2:4.070-2) unstable; urgency=low
* Fixed directory problem :
- confdir was /usr/etc/stunnel instead of /etc/stunnel (Closes: #289832)
- zlib compression was unable to start since /etc/stunnel/stunnel.conf
was not read (Closes: #289872)
-- Julien Lemoine <speedblue@debian.org> Tue, 11 Jan 2005 19:56:59 +0100
stunnel4 (2:4.070-1) unstable; urgency=low
* New upstream release : Add IPV6 support
* Disable proxy-connect patch (does not apply on 4.07 sources)
-- Julien Lemoine <speedblue@debian.org> Thu, 6 Jan 2005 07:23:48 +0100
stunnel4 (2:4.050-4) unstable; urgency=low
* Restart connection instead of stop when ppp is down. It is possible to
use stunnel for eth interfaces. (Closes: #271006)
-- Julien Lemoine <speedblue@debian.org> Sun, 26 Sep 2004 18:12:36 +0200
stunnel4 (2:4.050-3) unstable; urgency=low
* Added proxy-connect patch (Closes: #267533)
* Create directory /var/log/stunnel in postinst (Closes: #267093)
* Create user and group stunnel4 (Closes: #266339)
* Uncomment some line in default configuration file :
o Use /var/log/stunnel4/stunnel.log as default log file
o Use stunnel4 user and group as default
o Use /var/run/stunnel4/stunnel.pid as default pid file
-- Julien Lemoine <speedblue@debian.org> Wed, 1 Sep 2004 22:19:28 +0200
stunnel4 (2:4.050-2) unstable; urgency=low
* Fixed stopping problem in init.d script (Closes: #265449)
Thanks to Wilfried Goesgens <willi@almado.de>
* Added stunnel4 in logrotate (Closes: #265437)
Thanks to Wilfried Goesgens <willi@almado.de>
-- Julien Lemoine <speedblue@debian.org> Fri, 13 Aug 2004 21:42:23 +0200
stunnel4 (2:4.050-1) unstable; urgency=low
* By default, store pidfile in /var/run/stunnel4/stunnel.pid with
/var/run/stunnel4 owned by nobody:nogroup
* Oops, stunnel4 was a debian native package
-- Julien Lemoine <speedblue@debian.org> Mon, 7 Jun 2004 21:23:37 +0200
stunnel4 (2:4.05-1) unstable; urgency=low
* New upstream release
-- Julien Lemoine <speedblue@debian.org> Wed, 7 Apr 2004 22:08:42 +0200
stunnel4 (2:4.04.0-10) unstable; urgency=low
* Shut down stunnel4 in postinst (Closes: #234498)
-- Julien Lemoine <speedblue@debian.org> Tue, 24 Feb 2004 21:50:03 +0100
stunnel4 (2:4.04.0-9) unstable; urgency=low
* Added configuration script from "Sergio Rua" <srua@debian.org>
-- Julien Lemoine <speedblue@debian.org> Sun, 22 Feb 2004 23:26:38 +0100
stunnel4 (2:4.04.0-8) unstable; urgency=low
* Added ppp ip-up and ip-down scripts
(Closes: #227678)
-- Julien Lemoine <speedblue@debian.org> Sun, 22 Feb 2004 22:52:31 +0100
stunnel4 (2:4.04.0-7) unstable; urgency=low
* Fix problem in init.d script (was not sh compatible)
(Closes: #214818, #214823)
-- Julien Lemoine <speedblue@debian.org> Fri, 10 Oct 2003 00:47:57 +0200
stunnel4 (2:4.04.0-6) unstable; urgency=low
* Rewrite of /etc/init.d/stunnel4 :
o does not use kill -9, thus giving a chance to stunnel4 to clean up
o puts common code in functions
o avoids calling ps twice
o uses fgrep
o does not print the conf file name if no processes exist for it
o corrects the `stoped' typo
Thanks to Francesco Potorti` <pot@gnu.org> (Closes: #214562)
-- Julien Lemoine <speedblue@debian.org> Tue, 7 Oct 2003 16:37:12 +0200
stunnel4 (2:4.04.0-5) unstable; urgency=low
* /etc/init.d/stunnel4 can load more than one configuration file.
It loads /etc/stunnel/*.conf. You can have a configuration file for
server mode and one for client mode. (Closes: #211870)
-- Julien Lemoine <speedblue@debian.org> Thu, 25 Sep 2003 18:05:01 +0200
stunnel4 (2:4.04.0-4) unstable; urgency=low
* Put stunnel.html in /usr/share/doc/stunnel4/ instead of
/usr/share/doc/stunnel
* Updated to Standards-Version 3.6.1
-- Julien Lemoine <speedblue@debian.org> Thu, 4 Sep 2003 13:39:51 +0200
stunnel4 (2:4.04.0-3) unstable; urgency=low
* Fixed wrong path search for stunnel.conf
(Closes: Bug#202931)
-- Julien Lemoine <speedblue@debian.org> Sat, 26 Jul 2003 11:00:46 +0200
stunnel4 (2:4.04.0-2) unstable; urgency=low
* Fixed stunnel.conf problems, file must be commented by default.
(Closes: #202693)
-- Julien Lemoine <speedblue@debian.org> Fri, 25 Jul 2003 11:38:47 +0200
stunnel4 (2:4.04.0-1) unstable; urgency=low
* Oops, stunnel4 is not a native package -> reupload it with a diff.gz
* Does not install stunnel.so since it is not used
* Updated clean rules to have a clean diff
* Updated to Standards-Version 3.6.0
-- Julien Lemoine <speedblue@debian.org> Sat, 19 Jul 2003 20:12:51 +0200
stunnel4 (2:4.04-2) unstable; urgency=low
* Fixed compilation errors (removed binary in clean rule)
* removed libstunnel.so since it is not used
-- Julien Lemoine <speedblue@debian.org> Sun, 13 Jul 2003 02:45:05 +0200
stunnel4 (2:4.04-1) unstable; urgency=low
* Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x
are in stunnel package to keep backward compatibility.
-- Julien Lemoine <speedblue@debian.org> Fri, 4 Jul 2003 18:24:21 +0200
stunnel (4.04-5) unstable; urgency=low
* The "I need to sleep more to avoid making typos" release.
* Fixed typos in default/init file (ENABLED instead of ENABLE)
(Closes: #197958)
* Commented all stunnel.conf file, client=no is the default value
(Closes: #197961)
-- Julien Lemoine <speedblue@debian.org> Thu, 19 Jun 2003 00:40:28 +0200
stunnel (4.04-4) unstable; urgency=low
* Added /etc/default/stunnel with a variable ENABLE.
ENABLE=0 by default since stunnel segv on some computer when all lines
are commented (Closes: #197663, #197615)
-- Julien Lemoine <speedblue@debian.org> Mon, 16 Jun 2003 22:04:17 +0200
stunnel (4.04-3) unstable; urgency=low
* comment ldap sample (Closes: #197566)
-- Julien Lemoine <speedblue@debian.org> Mon, 9 Jun 2003 15:03:41 +0200
stunnel (4.04-2) unstable; urgency=low
* Fixed typo in init.d script (Closes: #197499)
* Added a commented example in stunnel.conf from Craig Sanders
-- Julien Lemoine <speedblue@debian.org> Sun, 15 Jun 2003 18:06:07 +0200
stunnel (4.04-1) unstable; urgency=low
* New upstream release (Closes: #177532, #188137)
* New maintainer
* Stunnel has no more -L option (Closes: #120265)
* Stunnel has no more -l option (Closes: #175844)
* Shutdown(1) problem was fixed (Closes: #111125)
* Problem with large data resolved (tested with a 5Mo file)
(Closes: #112287)
* Licence is now GPL version 2 with agreement to link with openssl
(Closes: #147665)
* stunnel can execute command (Closes: #147537)
* added a lintian overwrite for libstunnel.so since it is compiled with
-avoid-version
* Fixed problem with path (/etc/ instead of $(prefix)/etc, ...)
* Include default configuration file in /etc
* Upgraded to debian policy 3.5.10
* Added init.d file
-- Julien Lemoine <speedblue@debian.org> Sat, 24 May 2003 02:30:20 +0200
stunnel (3.22-1) unstable; urgency=high
* New upstream release (closes: bug#126627).
* Typo fix in postinst (closes: bug#120199, bug#121904)
-- Paolo Molaro <lupus@debian.org> Sun, 30 Dec 2001 10:31:46 +0100
stunnel (3.21.c-1) unstable; urgency=low
* New upstream release (Closes: bug#111139, bug#102834, bug#61427).
* Avoid generating automatically the initial stunnel.pem, openssl cannot be
reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info
on how to generate the certificate is now included in README.Debian.
* There is support for (re)setting OOB data handling in the new upstream
version (Closes: bug#107503).
* Include the sample /etc/init.d/stunnel file as an example in the package
(Closes: bug#114669).
-- Paolo Molaro <lupus@debian.org> Sat, 17 Nov 2001 12:31:04 +0100
stunnel (3.14-1) unstable; urgency=low
* New upstream release
* Actually compile it against the new libssl (Closes: #86916).
-- Paolo Molaro <lupus@debian.org> Fri, 23 Feb 2001 18:57:18 +0100
stunnel (3.13-1) unstable; urgency=low
* New upstream release.
* Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500).
* Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576).
-- Paolo Molaro <lupus@debian.org> Sun, 18 Feb 2001 21:30:50 +0100
stunnel (3.10-1) unstable; urgency=high
* New upstream release.
-- Paolo Molaro <lupus@debian.org> Wed, 20 Dec 2000 15:14:08 +0100
stunnel (3.10-0potato1) stable; urgency=high
* New upstream release.
-- Paolo Molaro <lupus@debian.org> Wed, 20 Dec 2000 13:07:35 +0100
stunnel (3.9-0potato1) stable; urgency=high
* New upstream release: security fix (Closes: #80079, #76576).
* Use correct dir for pid (Closes: #77227).
-- Paolo Molaro <lupus@debian.org> Wed, 20 Dec 2000 11:24:18 +0100
stunnel (3.8-1) unstable; urgency=low
* New upstream version (Closes: #75117, #67010).
* Read 1k of random data in a temp file (Closes: #69808).
* Added a note in postrm about the stunnel.pem file that
is left in /etc/ssl/certs: it is safer if the user deals with
it since it may have been created by him and not stunnel (Closes: #57648).
-- Paolo Molaro <lupus@debian.org> Wed, 5 Jul 2000 16:43:07 +0000
stunnel (3.4a-6) unstable; urgency=low
* Depends on openssl 0.9.4 (closes: bug#53947).
-- Paolo Molaro <lupus@debian.org> Tue, 4 Jan 2000 12:37:24 +0100
stunnel (3.4a-5) unstable; urgency=medium
* Include upstream download info in copyright (closes: bug#53301).
* Include example from Steve Haslam to make stunnel run from a
init script (closes: bug#53300).
-- Paolo Molaro <lupus@debian.org> Thu, 23 Dec 1999 16:49:38 +0100
stunnel (3.4a-4) unstable; urgency=medium
* Depends on openssl instead of Suggests (Closes: bug#49238).
-- Paolo Molaro <lupus@debian.org> Sat, 13 Nov 1999 12:44:35 +0100
stunnel (3.4a-3) unstable; urgency=high
* Fixes security problem with the certificate.
-- Paolo Molaro <lupus@debian.org> Thu, 4 Nov 1999 17:33:52 +0100
stunnel (3.4a-2) unstable; urgency=low
* Suggest openssl instead of ssleay. (Closes: bug#47712)
-- Paolo Molaro <lupus@debian.org> Wed, 27 Oct 1999 18:24:27 +0200
stunnel (3.4a-1) unstable; urgency=low
* New upstream release.
* Put cert in /etc/ssl/certs (closes:#41099). I think this is
neither an openssl nor stunnel bug, but a dpkg one (other
similar bugs are already filed against dpkg).
-- Paolo Molaro <lupus@debian.org> Thu, 22 Jul 1999 16:50:32 +0200
stunnel (3.3-1) unstable; urgency=low
* New upstream release.
-- Paolo Molaro <lupus@debian.org> Fri, 18 Jun 1999 16:43:05 +0200
stunnel (3.2-2) unstable; urgency=low
* Fixed stupid coding error.
-- Paolo Molaro <lupus@debian.org> Sat, 29 May 1999 13:01:17 +0200
stunnel (3.2-1) unstable; urgency=low
* Recompilation with new ssl lib.
* New upstream release.
-- Paolo Molaro <lupus@debian.org> Mon, 24 May 1999 12:09:58 +0200
stunnel (2.1-2) unstable; urgency=low
* Added libwrap support (/etc/hosts.{allow,deny}).
* Recompilation with newer libc6.
* Better stunnel-config script.
-- Paolo Molaro <lupus@debian.org> Fri, 11 Dec 1998 11:57:52 +0100
stunnel (2.1-1) unstable; urgency=low
* Initial release.
-- Paolo Molaro <lupus@debian.org> Mon, 30 Nov 1998 11:41:29 +0100

debian/compat vendored Normal file

@ -0,0 +1 @@
7

debian/control vendored Normal file

@ -0,0 +1,31 @@
Source: stunnel4
Section: net
Priority: optional
Build-Depends: debhelper (>=7), libssl-dev (>= 0.9.8),
openssl (>= 0.9.8), libwrap0-dev, sdf, autotools-dev
Maintainer: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Standards-Version: 3.9.3
Vcs-Browser: http://git.debian.org/?p=collab-maint/stunnel.git
Vcs-Git: git://git.debian.org/git/collab-maint/stunnel.git
Homepage: http://www.stunnel.org/
Package: stunnel4
Architecture: any
Breaks: stunnel (<< 3:4.20-3)
Provides: stunnel
Replaces: stunnel
Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, netbase, perl-modules
Pre-Depends: adduser
Suggests: logcheck-database
Description: Universal SSL tunnel for network daemons
The stunnel program is designed to work as SSL encryption
wrapper between remote client and local (inetd-startable) or
remote server. The concept is that having non-SSL aware daemons
running on your system you can easily setup them to
communicate with clients over secure SSL channel.
.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
.
This package contains a wrapper script for compatibility with stunnel 3.x

debian/copyright vendored Normal file

@ -0,0 +1,47 @@
This package was downloaded from http://www.stunnel.org/download/source.html
and debianized by Paolo Molaro <lupus@debian.org>.
Copyright (C) 1998-2012 Michal Trojnara <Michal.Trojnara@mirt.net>
src/pty.c is based on a Public Domain code by Tatu Ylonen <ylo@cs.hut.fi>
src/vc.mak contains modifications by David Gillingham <dgillingham@gmail.com>
src/mingw.mak contains modifications by Brian Hatch <bri@stunnel.org>
French documentation translation by Bernard Choppy <choppy@free.fr>
StunnelConf-0.1.pl is copyright (C) 2004 Sergio Rua <srua@debian.org>
The Debian packaging itself is
Copyright (C) 1998-2001 Paolo Molaro <lupus@debian.org>
Copyright (C) 2003-2007 Julien Lemoine <speedblue@debian.org>
Copyright (C) 2007-2012 Rodrigo Gallardo <rodrigo@debian.org>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, Michal Trojnara gives
* permission to link the code of this program with the OpenSSL
* library (or with modified versions of OpenSSL that use the same
* license as OpenSSL), and distribute linked combinations including
* the two. You must obey the GNU General Public License in all
* respects for all of the code used other than OpenSSL. If you modify
* this file, you may extend this exception to your version of the
* file, but you are not obligated to do so. If you do not wish to
* do so, delete this exception statement from your version.
On Debian systems, the complete text of the GNU General Public
License can be found in /usr/share/common-licenses/GPL file.

debian/dirs vendored Normal file

@ -0,0 +1,3 @@
usr/bin
etc/stunnel
usr/share/doc/

debian/doc-base vendored Normal file

@ -0,0 +1,10 @@
Document: stunnel4
Title: Stunnel documentation
Author: Michal Trojnara
Abstract: This manual documents stunnel, a SSL-enhanced client and
server wrapper.
Section: System/Security
Format: HTML
Index: /usr/share/doc/stunnel4/stunnel.html
Files: /usr/share/doc/stunnel4/stunnel*.html

debian/docs vendored Normal file

@ -0,0 +1,4 @@
BUGS
NEWS
README
TODO

debian/lintian.overrides vendored Normal file

@ -0,0 +1,2 @@
# No character arrays anywhere in this .so
stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so

debian/patches/CVE-2013-1762.patch vendored Normal file

@ -0,0 +1,56 @@
Description: Fix CVE-2013-1762
buffer overflow in NTLM authentication of the CONNECT protocol
negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-04-22
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
#define s_min(a, b) ((a)>(b)?(b):(a))
static void ntlm(CLI *c) {
- char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+ char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
long content_length=0; /* no HTTP content */
/* send Proxy-Authorization (phase 1) */
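Review bot: style only: `tmpstr` is used solely as the strtol end pointer in the Content-Length branch further down, so declaring it inside that `else if` block would keep its scope tight and make the validation idiom self-explanatory to the next reader.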
@@ -582,8 +582,8 @@
line=fd_getline(c, c->remote_fd.fd);
/* receive Proxy-Authenticate (phase 2) */
- if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
- s_log(LOG_ERR, "NTLM authorization request rejected");
+ if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
+ s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
do { /* read all headers */
line=fd_getline(c, c->remote_fd.fd);
} while(*line);
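Review bot: the removed test dereferenced `line[9]`, `line[10]` and `line[11]` unconditionally, so a status line shorter than 12 bytes from a hostile proxy was read past its end; the `isprefix` pair fixes that, but the patch header (Description) only mentions the Content-Length problem, so add a sentence there saying the status-line check is the second half of the fix. Also worth stating that the new check is stricter than before: only `HTTP/1.0 407` and `HTTP/1.1 407` replies are accepted, which is fine for CONNECT proxies but is a behaviour change.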
@@ -594,8 +594,13 @@
line=fd_getline(c, c->remote_fd.fd);
if(isprefix(line, "Proxy-Authenticate: NTLM "))
ntlm2_txt=str_dup(line+25);
- else if(isprefix(line, "Content-Length: "))
- content_length=atol(line+16);
+ else if(isprefix(line, "Content-Length: ")) {
+ content_length=strtol(line+16, &tmpstr, 10);
+ if(tmpstr==line+16 || *tmpstr || content_length<0) {
+ s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
+ longjmp(c->err, 1);
+ }
+ }
} while(*line);
if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
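Review bot: the strtol validation catches garbage, trailing characters and negative values, but not overflow: on ERANGE strtol returns LONG_MAX with `*tmpstr == '\0'`, so a header such as `Content-Length: 99999999999999999999` passes this check and the drain loop below then tries to read LONG_MAX bytes from the proxy. Set `errno = 0` before the call, reject `errno == ERANGE`, and cap `content_length` at a sane maximum for a 407 body. A second Content-Length header also silently overrides the first; treating a duplicate as an error is the usual choice.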
@@ -603,7 +608,7 @@
}
/* read and ignore HTTP content (if any) */
- while(content_length) {
+ while(content_length>0) {
read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
content_length-=s_min(content_length, BUFSIZ);
}
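Review bot: with negative values already rejected in the hunk above, `content_length>0` here is belt-and-braces, which is fine; but the loop is only memory-safe because `s_min(content_length, BUFSIZ)` can never exceed `sizeof(buf)`, so the two must stay in step if `buf` is ever resized, and a `sizeof(buf)` in place of the second `BUFSIZ` would make that automatic. If `read_blocking` reports EOF or a short read through its return value rather than by longjmp, that value is ignored here.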

debian/patches/fix-paths vendored Normal file

@ -0,0 +1,62 @@
## Do several path fixups, removing unneeded @prefix@s and changing
## binaries install location from sbin to bin, to comply with the FHS
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -9,7 +9,7 @@
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
-chroot = @prefix@/var/lib/stunnel/
+chroot = @localstatedir@/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
@@ -19,15 +19,15 @@
; Debugging stuff (may useful for troubleshooting)
;debug = 7
-;output = stunnel.log
+;output = @localstatedir@/log/stunnel/stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
-cert = @prefix@/etc/stunnel/mail.pem
-;key = @prefix@/etc/stunnel/mail.pem
+cert = @sysconfdir@/stunnel/mail.pem
+;key = @sysconfdir@/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
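Review bot: `cert = @sysconfdir@/stunnel/mail.pem` stays active (unlike `key` below it) yet nothing in this packaging creates that file, and the 3.21.c-1 changelog entry deliberately stopped generating certificates at install time, so the shipped sample cannot start a server-mode service until the user creates mail.pem by hand. Either comment the line out like `key`, or extend the comment above it to say the file must be created first.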
@@ -36,12 +36,12 @@
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
-;CAfile = @prefix@/etc/stunnel/certs.pem
+;CAfile = @sysconfdir@/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
-;CRLfile = @prefix@/etc/stunnel/crls.pem
+;CRLfile = @sysconfdir@/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
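Review bot: the path rewrite is fine, but since these lines are being touched anyway the MITM warning a few lines up would be actionable if the hunk also added a commented `;verify = 2` beside the new `CAfile` path; as shipped the sample still performs no peer verification and `NO_SSLv2` is the only protocol restriction.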
Index: stunnel4/tools/script.sh
===================================================================
--- stunnel4.orig/tools/script.sh
+++ stunnel4/tools/script.sh
@@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
-/usr/local/bin/stunnel -fd 10 \
+/usr/bin/stunnel -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
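Review bot: `/usr/bin/stunnel` is the wrong target for this package. The rename-binary patch installs the daemon as `stunnel4`, and `/usr/bin/stunnel` is the stunnel3 compatibility wrapper (changelog entries 2:4.070-5 and 2:4.140-5, and the package description), which accepts bundled options (2:4.090-1) and would parse `-fd 10` as the stunnel3 flags `-f -d 10` rather than the stunnel4 `-fd` option. Use `/usr/bin/stunnel4` here.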

debian/patches/init_script_description vendored Normal file

@ -0,0 +1,17 @@
Add Description: LSB header to init script.
Index: stunnel4/tools/stunnel.init.in
===================================================================
--- stunnel4.orig/tools/stunnel.init.in
+++ stunnel4/tools/stunnel.init.in
@@ -8,6 +8,10 @@
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
+# Description: Starts or stops all configured SSL network tunnels. Each *.conf file in
+# /etc/stunnel/ will spawn a separate stunnel process. The list of files
+# can be overriden in /etc/default/stunnel, and that same file can be used
+# to completely disable *all* tunnels.
### END INIT INFO
DEFAULTPIDFILE="/var/run/stunnel4.pid"
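Review bot: typo in the added Description text: `overriden` should be `overridden`. Also check the file name it points users at: the text says /etc/default/stunnel, while the 2:4.070-4 changelog entry adds PPP_RESTART to /etc/default/stunnel4; whichever the script actually sources should be the one named here.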


@ -0,0 +1,26 @@
Disable chroot setting from default sample config. Using this requires more
thought from the user, including the logrotate configuration, and so it is
misleading to have it on as default.
This does not affect any current installation, as this is only shipped as a
sample for users.
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -9,10 +9,11 @@
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
-chroot = @localstatedir@/lib/stunnel4/
+; Remember also to update the logrotate configuration.
+;chroot = @localstatedir@/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
-setuid = stunnel4
-setgid = stunnel4
+;setuid = stunnel4
+;setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
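Review bot: commenting out `chroot` leaves `pid = /stunnel4.pid` two lines below, still annotated "PID is created inside the chroot jail", pointing at the filesystem root, while the init script's DEFAULTPIDFILE is /var/run/stunnel4.pid; the pid line needs changing in the same hunk, or the comment needs to say the path is now absolute. Separately, `setuid`/`setgid` should not be disabled along with chroot: the "Chroot jail can be escaped if setuid option is not used" comment argues the other way, and with both commented out a tunnel started from the root-run init script keeps root for its whole lifetime, even though postinst creates a dedicated stunnel4 user (2:4.050-3) and the runas-user patch (3:4.20-3) exists precisely to default to it. Keep `setuid = stunnel4` and `setgid = stunnel4` active and only disable the chroot line.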

debian/patches/rename-binary vendored Normal file

@ -0,0 +1,158 @@
# Change references to the binary from stunnel to stunnel4
Index: stunnel4/src/stunnel3.in
===================================================================
--- stunnel4.orig/src/stunnel3.in
+++ stunnel4/src/stunnel3.in
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@prefix@/bin/stunnel';
+$stunnel_bin='@prefix@/bin/stunnel4';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
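Review bot: `@prefix@/bin/stunnel4` hard-wires bindir as $prefix/bin; if configure substitutes this file, `@bindir@` is the variable that tracks --bindir, and the fix-paths patch is already removing other bogus @prefix@ uses, so this would finish that job.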
Index: stunnel4/doc/stunnel.8
===================================================================
--- stunnel4.orig/doc/stunnel.8
+++ stunnel4/doc/stunnel.8
@@ -61,8 +61,8 @@
.\}
.\" ========================================================================
.\"
-.IX Title "STUNNEL 8"
-.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel"
+.IX Title "STUNNEL4 8"
+.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
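Review bot: `.IX Title` is changed to STUNNEL4 but `.TH STUNNEL 8` keeps the old name, so the rendered page's running header names the old command while the index entry names the new one; if the page is installed as stunnel4.8 (debian/stunnel4.manpages, per the changelog), change the `.TH` name as well. The same applies to the stunnel.pl.8 and stunnel.fr.8 hunks below.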
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -9,17 +9,17 @@
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
-chroot = @localstatedir@/lib/stunnel/
+chroot = @localstatedir@/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = @DEFAULT_GROUP@
; PID is created inside the chroot jail
-pid = /stunnel.pid
+pid = /stunnel4.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
-;output = @localstatedir@/log/stunnel/stunnel.log
+;output = @localstatedir@/log/stunnel4/stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
Index: stunnel4/src/Makefile.am
===================================================================
--- stunnel4.orig/src/Makefile.am
+++ stunnel4/src/Makefile.am
@@ -25,7 +25,7 @@
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
-stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# SSL library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
Index: stunnel4/src/Makefile.in
===================================================================
--- stunnel4.orig/src/Makefile.in
+++ stunnel4/src/Makefile.in
@@ -273,7 +273,7 @@
# Additional preprocesor definitions
stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \
-DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' \
- -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"'
+ -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# Win32 executable
EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat mingw.mak evc.mak \
Index: stunnel4/doc/stunnel.pl.8
===================================================================
--- stunnel4.orig/doc/stunnel.pl.8
+++ stunnel4/doc/stunnel.pl.8
@@ -61,8 +61,8 @@
.\}
.\" ========================================================================
.\"
-.IX Title "STUNNEL.PL 8"
-.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel"
+.IX Title "STUNNEL4.PL 8"
+.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Index: stunnel4/doc/stunnel.fr.8
===================================================================
--- stunnel4.orig/doc/stunnel.fr.8
+++ stunnel4/doc/stunnel.fr.8
@@ -61,8 +61,8 @@
.\}
.\" ========================================================================
.\"
-.IX Title "STUNNEL.FR 8"
-.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel"
+.IX Title "STUNNEL4.FR 8"
+.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Index: stunnel4/tools/stunnel.init.in
===================================================================
--- stunnel4.orig/tools/stunnel.init.in
+++ stunnel4/tools/stunnel.init.in
@@ -1,6 +1,6 @@
#! /bin/sh -e
### BEGIN INIT INFO
-# Provides: stunnel
+# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
@@ -10,8 +10,8 @@
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
### END INIT INFO
-DEFAULTPIDFILE="/var/run/stunnel.pid"
-DAEMON=@prefix@/bin/stunnel
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=@prefix@/bin/stunnel4
NAME=stunnel
DESC="SSL tunnels"
FILES="/etc/stunnel/*.conf"
@@ -33,9 +33,9 @@
}
startdaemons() {
- if ! [ -d /var/run/stunnel ]; then
- rm -rf /var/run/stunnel
- install -d -o stunnel -g stunnel /var/run/stunnel
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
for file in $FILES; do
if test -f $file; then
@@ -70,9 +70,9 @@
OPTIONS="-- $OPTIONS"
fi
-test -f /etc/default/stunnel && . /etc/default/stunnel
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
if [ "$ENABLED" = "0" ] ; then
- echo "$DESC disabled, see /etc/default/stunnel"
+ echo "$DESC disabled, see /etc/default/stunnel4"
exit 0
fi
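Review bot: The pid file locations in this patch do not line up: src/Makefile.am and src/Makefile.in compile in PIDFILE as $(localstatedir)/run/stunnel4.pid and the init script sets DEFAULTPIDFILE="/var/run/stunnel4.pid", yet startdaemons() still creates a /var/run/stunnel4 directory owned by stunnel4 that nothing in this patch writes into, while the sample configuration puts its pid at /stunnel4.pid inside the chroot. Pick one location (the stunnel4-owned directory is the natural one for a daemon that drops privileges and later needs to rewrite its pid file) and make the three agree, or document why they differ. Minor: `if test -f $file` in the startdaemons() loop should quote "$file"; only the `for file in $FILES` expansion needs to stay unquoted for the glob.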

16
debian/patches/runas-user vendored Normal file

@ -0,0 +1,16 @@
# Change the default user the binary will run as to stunnel4
Index: stunnel4/tools/stunnel.conf-sample.in
===================================================================
--- stunnel4.orig/tools/stunnel.conf-sample.in
+++ stunnel4/tools/stunnel.conf-sample.in
@@ -11,8 +11,8 @@
; Chroot conflicts with configuration file reload and many other features
chroot = @localstatedir@/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
-setuid = nobody
-setgid = @DEFAULT_GROUP@
+setuid = stunnel4
+setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
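Review bot: Missing DEP-3 headers (Description, Author, Forwarded) on this patch and on rename-binary; selective_tunnel_restart in the same series carries them, so the two should follow. The change itself is the right one: a dedicated stunnel4 account instead of the shared nobody user means the chrooted daemon no longer shares credentials with every other service that runs as nobody, but it depends on the account being created in postinst, so keep the two in step if the user name ever changes.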

48
debian/patches/selective_tunnel_restart vendored Normal file

@ -0,0 +1,48 @@
Subject: Support restarting only selected stunnel instances.
Author: Peter Palfrader <weasel@debian.org>
Bug-Debian: http://bugs.debian.org/627765
Index: stunnel4/tools/stunnel.init.in
===================================================================
--- stunnel4.orig/tools/stunnel.init.in
+++ stunnel4/tools/stunnel.init.in
@@ -14,7 +14,6 @@
DAEMON=@prefix@/bin/stunnel4
NAME=stunnel
DESC="SSL tunnels"
-FILES="/etc/stunnel/*.conf"
OPTIONS=""
ENABLED=0
@@ -76,6 +75,22 @@
exit 0
fi
+# If the user want to manage a single tunnel, the conf file's name
+# is in $2. Otherwise, respect /etc/default/stunnel4 setting. If no
+# setting there, use /etc/stunnel/*.conf
+if [ -n "${2:-}" ]; then
+ if [ -e "/etc/stunnel/$2.conf" ]; then
+ FILES="/etc/stunnel/$2.conf"
+ else
+ echo >&2 "/etc/stunnel/$2.conf does not exist."
+ exit 1
+ fi
+else
+ if [ -z "$FILES" ]; then
+ FILES="/etc/stunnel/*.conf"
+ fi
+fi
+
test -x $DAEMON || exit 0
set -e
@@ -110,7 +125,7 @@
;;
*)
N=/etc/init.d/$NAME
- echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2
+ echo "Usage: $N {start|stop|reload|reopen-logs|restart} [<stunnel instance>]" >&2
exit 1
;;
esac
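Review bot: In the second hunk the instance name from "$2" is spliced into /etc/stunnel/$2.conf with only an `-e` existence check, so a name containing `/` or `..` selects a file outside /etc/stunnel, and `-e` also accepts a directory. The script runs as root from an administrator's shell, so this is not a privilege boundary, but the check is weaker than it reads; reject names with a slash and require a regular file, e.g. `case "$2" in ""|.|..|*/*) echo >&2 "invalid instance name"; exit 1;; esac` followed by `[ -f "/etc/stunnel/$2.conf" ]`. The usage line now advertises the optional instance argument for every action, but the start/stop/reload branches are not in this patch, so confirm that reload and reopen-logs honour $FILES as well. Grammar nit in the new comment: "If the user wants".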

7
debian/patches/series vendored Normal file

@ -0,0 +1,7 @@
fix-paths
rename-binary
runas-user
selective_tunnel_restart
logrotate_warning_in_sample_conf
init_script_description
CVE-2013-1762.patch

67
debian/postinst vendored Normal file

@ -0,0 +1,67 @@
#!/bin/sh
set -e
USER="stunnel4"
CHOWN="/bin/chown"
#USERDEL="/usr/sbin/userdel"
ADDUSER="/usr/sbin/adduser"
ID="/usr/bin/id"
GROUPMOD="/usr/sbin/groupmod"
#GROUPDEL="/usr/sbin/groupdel"
###
# 1. get current stunnel uid and gid if user exists.
set -e
if $ID $USER > /dev/null 2>&1; then
IUID=`$ID --user $USER`
IGID=`$ID --group $USER`
else
IUID="NONE"
IGID="NONE"
fi
###
# 2. Ensure that no standard account or group will remain before adding the
# new user
#if [ "$IUID" != "NONE" ]; then # remove existing user
# $USERDEL $USER
#fi
#if $GROUPMOD $USER > /dev/null 2>&1; then
# $GROUPDEL $USER;
#fi
if [ "$IUID" = "NONE" ]; then
$ADDUSER --system --disabled-password --disabled-login \
--home /var/run/stunnel4 \
--no-create-home --group $USER
fi
# /var/run/stunnel4 is not a directory, create it...
if ! test -d /var/run/stunnel4; then
rm -rf /var/run/stunnel4;
mkdir /var/run/stunnel4
fi
$CHOWN $USER:$USER /var/run/stunnel4 || true
# /var/log/stunnel4 is not a directory, create it...
if ! test -d /var/log/stunnel4; then
rm -rf /var/log/stunnel4;
mkdir /var/log/stunnel4
fi
$CHOWN -R $USER:$USER /var/log/stunnel4
# /var/lib/stunnel4 is not a directory, create it...
if ! test -d /var/lib/stunnel4; then
rm -rf /var/lib/stunnel4;
mkdir /var/lib/stunnel4
fi
$CHOWN -R $USER:$USER /var/lib/stunnel4
if ! test -f /var/log/stunnel4/stunnel.log; then
touch /var/log/stunnel4/stunnel.log
$CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
fi
#DEBHELPER#
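Review bot: `$CHOWN -R $USER:$USER /var/lib/stunnel4` hands ownership of the directory the patched sample configuration uses as its chroot jail (chroot = @localstatedir@/lib/stunnel4/) to the unprivileged service user. A jail root writable by the confined process lets it create arbitrary files and directories inside the jail, which undercuts the point of chrooting; keep /var/lib/stunnel4 root-owned (mode 755) and chown only the subdirectories the daemon actually has to write to. Smaller points: `set -e` appears twice (top of the script and again before step 1); `|| true` is applied to the /var/run/stunnel4 chown but not to the /var/log and /var/lib ones, which is inconsistent; and the recursive chown of /var/log/stunnel4 re-owns every rotated log on each upgrade, where a plain chown of the directory plus the `create 640 stunnel4 stunnel4` line in the logrotate config already covers new files.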

17
debian/postrm vendored Normal file

@ -0,0 +1,17 @@
#!/bin/sh
set -e
if [ x$1 = "xpurge" ]; then
echo You may want to delete the generated stunnel.pem file
echo in /etc/ssl/certs.
# Remove chroot dir if present. It may contain logfiles
rm -rf /var/lib/stunnel4 || true
# Log files must be removed on purge (Policy 10.8)
rm -f /var/log/stunnel4/stunnel.log* || true
rmdir /var/log/stunnel4 || true
fi
#DEBHELPER#

113
debian/rules vendored Executable file

@ -0,0 +1,113 @@
#!/usr/bin/make -f
# -*- makefile -*-
# debian/rules file for the Debian/GNU Linux stunnel package
# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
SYSTEM = --build $(DEB_HOST_GNU_TYPE)
else
SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND=-Wall
build: build-arch build-indep
build-arch: build-stamp
build-indep: build-stamp
build-stamp:
dh_testdir
ifneq "$(wildcard /usr/share/misc/config.sub)" ""
cp -f /usr/share/misc/config.sub config.sub
endif
ifneq "$(wildcard /usr/share/misc/config.guess)" ""
cp -f /usr/share/misc/config.guess config.guess
endif
./configure --prefix=/usr $(SYSTEM) \
$(shell dpkg-buildflags --export=configure) \
--localstatedir=/var --sysconfdir=/etc \
--enable-ipv6 --with-threads=pthread
$(MAKE) -C src
$(MAKE) -C doc
touch build-stamp
clean:
dh_testdir
dh_testroot
dh_clean build-stamp debian/stunnel4.init doc/stunnel4.8 doc/stunnel4.fr.8 doc/stunnel4.pl.8
[ ! -f Makefile ] || $(MAKE) distclean
rm -f config.guess config.sub
install: build-stamp
dh_testdir
dh_testroot
dh_prep
dh_installdirs
$(MAKE) -C src install prefix=$(CURDIR)/debian/stunnel4/usr
$(MAKE) -C doc install prefix=$(CURDIR)/debian/stunnel4/usr
# .la file is useless
rm $(CURDIR)/debian/stunnel4/usr/lib/stunnel/libstunnel.la
ln doc/stunnel.8 doc/stunnel4.8
ln doc/stunnel.fr.8 doc/stunnel4.fr.8
ln doc/stunnel.pl.8 doc/stunnel4.pl.8
# Manpages will be installed by dh_installman
rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
# Rename binary
mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
$(CURDIR)/debian/stunnel4/usr/bin/stunnel4
# Move docs into propper dir
mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
# Copy sample init script into place for dh_installinit
cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
# Basic docs for the user on how to create an initial configuration
install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
$(CURDIR)/debian/stunnel4/etc/stunnel/README
[ ! -s debian/lintian.overrides ] || \
install -p -m 0644 -D $(CURDIR)/debian/lintian.overrides \
$(CURDIR)/debian/stunnel4/usr/share/lintian/overrides/stunnel4
binary-indep:
# There are no binary independent packages
binary-arch: install
dh_testdir
dh_testroot
dh_installdocs -a
dh_installexamples -a
dh_installman -a
dh_installchangelogs -a ChangeLog
dh_installinit -a --restart-after-upgrade -- defaults
dh_installppp -a --name=0stunnel4
dh_installlogrotate -a
dh_install -a debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib
dh_link -a
dh_strip -a
dh_compress -a --exclude=StunnelConf-0.1.pl
dh_fixperms -a
dh_makeshlibs -a
dh_installdeb -a
dh_shlibdeps -a
dh_gencontrol -a
dh_md5sums -a
dh_builddeb -a
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
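Review bot: The .PHONY list at the end omits build-arch and build-indep, which are declared as targets above; add them so a stray file of that name cannot short-circuit the build. The comment "Move docs into propper dir" has a typo (proper). The hardening wiring looks right: DEB_BUILD_MAINT_OPTIONS=hardening=+all is exported and `$(shell dpkg-buildflags --export=configure)` is passed to ./configure, so the hardening compiler and linker flags reach the upstream build.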

1
debian/source/format vendored Normal file

@ -0,0 +1 @@
3.0 (quilt)

505
debian/stunnel3.8 vendored Normal file

@ -0,0 +1,505 @@
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.\"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "STUNNEL 1"
.TH STUNNEL 8 "2003-08-01" " " " "
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user]
[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host]
[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption
wrapper between remote clients and local (\fIinetd\fR\-startable) or
remote servers. The concept is that having non-SSL aware daemons
running on your system you can easily set them up to communicate with
clients over secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used
\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone
daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network
sockets without changes to the source code.
.PP
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-h\fR" 4
.IX Item "-h"
Print stunnel help menu
.IP "\fB\-D\fR level" 4
.IX Item "-D level"
Debugging level
.Sp
Level is a one of the syslog level names or numbers emerg (0), alert
(1), crit (2), err (3), warning (4), notice (5), info (6), or debug
(7). All logs for the specified level and all levels numerically less
than it will be shown. Use \-D debug or \-D 7 for greatest debugging
output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is
supplied. (Facilities are not supported on windows.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\-O\fR a|l|r:option=value[:value]" 4
.IX Item "-O a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger. The values for time
are tv_sec:tv_usec.
.Sp
\&\fBExamples:\fR
.Sp
\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local
socket
.Sp
\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote
sockets
.Sp
\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the
receive data stream for remote sockets
.Sp
\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default)
.Sp
\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback
interface
.Sp
The available options and their defaults are:
Option Accept Local Remote OS default
SO_DEBUG -- -- -- 0
SO_DONTROUTE -- -- -- 0
SO_KEEPALIVE -- -- -- 0
SO_LINGER -- -- -- 0:0
SO_OOBINLINE -- -- -- 0
SO_RCVBUF -- -- -- 87380
SO_SNDBUF -- -- -- 16384
SO_RCVLOWAT -- -- -- 1
SO_SNDLOWAT -- -- -- 1
SO_RCVTIMEO -- -- -- 0:0
SO_SNDTIMEO -- -- -- 0:0
SO_REUSEADDR 1 -- -- 0
SO_BINDTODEVICE -- -- -- --
IP_TOS -- -- -- 0
IP_TTL -- -- -- 64
TCP_NODELAY -- -- -- 0
.IP "\fB\-o\fR file" 4
.IX Item "-o file"
Append log messages to a file.
.IP "\fB\-C\fR cipherlist" 4
.IX Item "-C cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fB\-c\fR" 4
.IX Item "-c"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: server mode
.IP "\fB\-T\fR" 4
.IX Item "-T"
transparent proxy mode
.Sp
Re-write address to appear as if wrapped daemon is connecting from the
\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available
only on some operating systems (Linux only, we believe) and then only
in server mode. Note that this option will not combine with proxy mode
(\-r) unless the client's default route to the target machine lies
through the host running stunnel, which cannot be localhost.
.IP "\fB\-p\fR pemfile" 4
.IX Item "-p pemfile"
private key and certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode (by default located in
\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode
will use this key and certificate chain as a client side certificate
chain. Using client side certs is optional. The certificates must be
in \s-1PEM\s0 format and must be sorted starting with the certificate
to the highest level (root \s-1CA\s0).
.IP "\fB\-v\fR level" 4
.IX Item "-v level"
verify peer certificate
.RS 4
.IP "\(bu" 8
level 1 \- verify peer certificate if present
.IP "\(bu" 8
level 2 \- verify peer certificate
.IP "\(bu" 8
level 3 \- verify peer with locally installed certificate
.IP "\(bu" 8
default \- no verify
.RE
.RS 4
.RE
.IP "\fB\-a\fR directory" 4
.IX Item "-a directory"
client certificate directory
.Sp
This is the directory in which stunnel will look for certificates when
using the \fI\-v\fR options. Note that the certificates in this directory
should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the
cert.
.IP "\fB\-A\fR certfile" 4
.IX Item "-A certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR
options.
.IP "\fB\-t\fR timeout" 4
.IX Item "-t timeout"
session cache timeout
.Sp
default: 300 seconds.
.IP "\fB\-N\fR servicename" 4
.IX Item "-N servicename"
Service name to use for tcpwrappers. If not specified then a
tcpwrapper service name will be generated automatically for you. This
will also be used when auto-generating pid filenames.
.IP "\fB\-u\fR ident_username" 4
.IX Item "-u ident_username"
Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fB\-n\fR proto" 4
.IX Item "-n proto"
Negotiate \s-1SSL\s0 with specified protocol
.Sp
currently supported: smtp, pop3, nntp
.IP "\fB\-E\fR socket" 4
.IX Item "-E socket"
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fB\-R\fR filename" 4
.IX Item "-R filename"
File containing random input. The \s-1SSL\s0 library will use data from this
file first to seed the random number generator.
.IP "\fB\-W\fR" 4
.IX Item "-W"
Do not overwrite the random seed files with new random data.
.IP "\fB\-B\fR bytes" 4
.IX Item "-B bytes"
Number of bytes of data read from random seed files. With \s-1SSL\s0
versions less than 0.9.5a, also determines how many bytes of data are
considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions
have a builtin function to determine when sufficient randomness is
available.
.IP "\fB\-I\fR host" 4
.IX Item "-I host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fB\-d\fR [host:]port" 4
.IX Item "-d [host:]port"
daemon mode
.Sp
Listen for connections on [host:]port. If no host specified, defaults
to all \s-1IP\s0 addresses for the local host.
.Sp
default: inetd mode
.IP "\fB\-f\fR" 4
.IX Item "-f"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr instead of via
syslog (unless \-o is specified).
.Sp
default: background in daemon mode
.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]"
execute local inetd-type program.
.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]"
open local pty and execute program.
.IP "\fB\-s\fR username" 4
.IX Item "-s username"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fB\-g\fR groupname" 4
.IX Item "-g groupname"
\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups.
.IP "\fB\-P\fR { file | '' }" 4
.IX Item "-P { file | '' }"
Pid file location
.Sp
If the argument is a filename, then that filename will be used for the
pid. If the argument is empty ('', not missing), then no pid file will
be created.
.IP "\fB\-r\fR [host:]port" 4
.IX Item "-r [host:]port"
connect to remote service
.Sp
If no host specified, defaults to localhost.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service,
use
.PP
.Vb 1
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 1
\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR
options, it will set the following environment variables
.IP "\s-1REMOTE_HOST\s0" 4
.IX Item "REMOTE_HOST"
The \s-1IP\s0 address of the remote end of the connection.
.IP "\s-1SSL_CLIENT_DN\s0" 4
.IX Item "SSL_CLIENT_DN"
The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate,
if a certificate was present and verified.
.IP "\s-1SSL_CLIENT_I_DN\s0" 4
.IX Item "SSL_CLIENT_I_DN"
The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was
present and verified.
.SH "CERTIFICATES"
.IX Header "CERTIFICATES"
.IP "\(bu" 4
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to
the peer. It also needs a private key to decrypt the incoming data.
The easiest way to obtain a certificate and a key is to generate them
with the free \fIopenssl\fR package. You can find more information on
certificates generation on pages listed below.
.Sp
Two things are important when generating certificate-key pairs for
\&\fBstunnel\fR. The private key cannot be encrypted, because the server
has no way to obtain the password from the user. To produce an
unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR
command from the \fIopenssl\fR kit.
.Sp
The order of contents of the \fI.pem\fR file is also important. It should
contain the unencrypted private key first, then a signed certificate
(not certificate request). There should be also empty lines after
certificate and private key. Plaintext certificate information
appended on the top of generated certificate should be discarded. So
the file should look like this:
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SH "RANDOMNESS"
.IX Header "RANDOMNESS"
.IP "\(bu" 4
\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are
loaded in order until sufficient random data has been gathered:
.RS 4
.IP "\(bu" 8
The file specified with the \fI\-R\fR flag.
.IP "\(bu" 8
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 8
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 8
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 8
The contents of the screen if running on Windows.
.IP "\(bu" 8
The egd socket specified with the \fI\-E\fR flag.
.IP "\(bu" 8
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 8
The /dev/urandom device.
.RE
.RS 4
.Sp
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is
available.
.Sp
Note that on Windows machines that do not have console user
interaction (mouse movements, creating windows, etc) the screen
contents are not variable enough to be sufficient, and you should
provide a random file for use with the \fI\-R\fR flag.
.Sp
Note that the file specified with the \fI\-R\fR flag should contain random
data \*(-- that means it should contain different information each time
\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR
flag is used. If you wish to update this file manually, the \fIopenssl
rand\fR command in recent versions of OpenSSL, would be useful.
.Sp
One important note \*(-- if /dev/urandom is available, OpenSSL has a
habit of seeding the \s-1PRNG\s0 with it even when checking the random state,
so on systems with /dev/urandom you're likely to use it even though
it's listed at the very bottom of the list above. This isn't
stunnel's behaviour, it's OpenSSLs.
.RE
.SH "LIMITATIONS"
.IX Header "LIMITATIONS"
.IP "\(bu" 4
\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons,
however.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.RS 4
.IP "\fItcpd\fR\|(8)" 8
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 8
.IX Item "inetd"
internet ``super\-server''
.IP "\fIhttp://stunnel.mirt.net/\fR" 8
.IX Item "http://stunnel.mirt.net/"
Stunnel homepage
.IP "\fIhttp://www.stunnel.org/\fR" 8
.IX Item "http://www.stunnel.org/"
Stunnel Frequently Asked Questions
.IP "\fIhttp://www.openssl.org/\fR" 8
.IX Item "http://www.openssl.org/"
OpenSSL project website
.RE
.RS 4
.RE
.SH "AUTHOR"
.IX Header "AUTHOR"
.RS 4
.IP "Michal Trojnara" 8
.IX Item "Michal Trojnara"
<\fIMichal.Trojnara@mirt.net\fR>
.RE
.RS 4
.RE
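Review bot: The page header does not match the file it ships as: .IX Title "STUNNEL 1" says section 1 while .TH STUNNEL 8 says section 8, and NAME reads "stunnel" although debian/stunnel4.manpages installs this as stunnel3.8 and it documents the option syntax accepted by the stunnel3 wrapper script (src/stunnel3.in). Retitle it stunnel3 and say in DESCRIPTION that it covers the compatibility wrapper, so that `man stunnel3` and `man stunnel4` are not both headed STUNNEL. Also the SYNOPSIS lists `-S sources`, which has no OPTIONS entry, while `-N servicename` has an OPTIONS entry but is missing from the SYNOPSIS.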

9
debian/stunnel4.0stunnel4.ppp.ip-down vendored Normal file

@ -0,0 +1,9 @@
#!/bin/sh
# if this script gets called, we assume that the machine has lost
# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
# to have a eth connection)
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart
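Review bot: `test "$PPP_RESTART" != "0" || exit 0` treats an unset PPP_RESTART as enabled: when /etc/default/stunnel4 is absent or the line has been removed, the empty string is not "0", so every ppp event restarts the tunnels, the opposite of the opt-in the default file describes ("Change to one to enable ppp restart scripts"). Make it an explicit opt-in: `test "${PPP_RESTART:-0}" = "1" || exit 0`. Separately, the hook restarts every configured tunnel on any ppp link going down without looking at which interface triggered it (pppd exports PPP_IFACE and PPP_IPPARAM to ip-down.d scripts), so on a host with more than one ppp link, or one unrelated to the tunnels, this is an avoidable service interruption; gate on the interface or at least document the behaviour in the defaults file.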

7
debian/stunnel4.0stunnel4.ppp.ip-up vendored Normal file

@ -0,0 +1,7 @@
#!/bin/sh
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart
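Review bot: Same unset-equals-enabled problem as the ip-down hook: `test "$PPP_RESTART" != "0" || exit 0` restarts the tunnels whenever PPP_RESTART is empty, so use `test "${PPP_RESTART:-0}" = "1" || exit 0` here too. This copy also lacks the comment the ip-down script carries explaining why a restart rather than a stop is done; the two scripts are otherwise identical, so a shared comment (or one script linked twice) would keep them from drifting apart.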

29
debian/stunnel4.NEWS vendored Normal file

@ -0,0 +1,29 @@
stunnel (3:4.33-1) experimental; urgency=low
This version introduces support for reloading the configuration file
and for closing/reopening log files. The init script has been
updated to provide these options, and the default logrotate
configuration has been updated to take advantage of them.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 04 Feb 2010 19:52:23 -0800
stunnel (3:4.28-1) unstable; urgency=low
The default behaviour of the logrotate configuration for stunnel4
has been changed. Instead of restarting stunnel after rotating the
log files we now use the 'copytruncate' keyword. This avoids the
problems associated with the restart, but introduces the possibility
of loosing small amounts of log data. Please see Debian bugs
#535915, #535924 and #323171 for more info.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 25 Nov 2009 17:12:42 -0800
stunnel (2:4.140-5) unstable; urgency=low
stunnel/stunnel4 binaries are located in /usr/bin instead of
/usr/sbin in order to be FHS compliant (they can be used by normal
user). You need to update your scripts to refer to this new location
-- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:31:24 +0100
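Review bot: Typo in the 3:4.28-1 entry: "loosing" should be "losing". The 4.33 entry says the logrotate configuration was updated to use the new reopen-logs action, which matches the postrotate line in debian/stunnel4.logrotate, so the two files agree.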

13
debian/stunnel4.conf.README vendored Normal file

@ -0,0 +1,13 @@
Stunnel 4 configuration files.
Files found under the /etc/stunnel directory that end with .conf are
used by the stunnel4 service as configuration files, and each will be
used to start a daemon process setting up a tunnel with the given
configuration. Note that this directory is initially empty, as the
settings you may want for your tunnels are completely system dependent.
In order to have the tunnels start up automatically on system boot you
must *also* set ENABLED to 1 in /etc/default/stunnel4
A sample configuration file with defaults may be found at
/usr/share/doc/stunnel4/examples/stunnel.conf-sample

11
debian/stunnel4.default vendored Normal file

@ -0,0 +1,11 @@
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=0
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
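Review bot: The header comment says `# /etc/default/stunnel` but the file is installed as /etc/default/stunnel4, which is the path the init script and the ppp hooks source; fix the path. It is also worth a comment that FILES is a shell glob expanded unquoted by the init script, and that PPP_RESTART=1 restarts all configured tunnels on every ppp up/down event.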

6
debian/stunnel4.examples vendored Normal file

@ -0,0 +1,6 @@
tools/ca.html
tools/ca.pl
tools/importCA.html
tools/importCA.sh
tools/stunnel.cnf
tools/stunnel.conf-sample

2
debian/stunnel4.links vendored Normal file

@ -0,0 +1,2 @@
/usr/bin/stunnel3 /usr/bin/stunnel
/usr/share/man/man8/stunnel3.8.gz /usr/share/man/man8/stunnel.8.gz

13
debian/stunnel4.logrotate vendored Normal file

@ -0,0 +1,13 @@
/var/log/stunnel4/*.log {
daily
missingok
rotate 356
compress
delaycompress
notifempty
create 640 stunnel4 stunnel4
sharedscripts
postrotate
/etc/init.d/stunnel4 reopen-logs > /dev/null
endscript
}
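Review bot: `rotate 356` looks like a transposed 365 (a year of daily rotations); confirm the intended retention. `create 640 stunnel4 stunnel4` matches the ownership postinst sets on /var/log/stunnel4 and keeps the logs unreadable to other local users, which is the right default for a daemon that logs peer addresses and certificate subjects.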

4
debian/stunnel4.manpages vendored Normal file

@ -0,0 +1,4 @@
doc/stunnel4.8
doc/stunnel4.fr.8
doc/stunnel4.pl.8
debian/stunnel3.8

8
debian/watch vendored Normal file

@ -0,0 +1,8 @@
version=3
# Latest version is directly at /stunnel
ftp://ftp.stunnel.org/stunnel/stunnel-(4).([\d]+)+\.tar\.gz debian
# Any previous versions are at /stunnel/obsolete/4.x
ftp://ftp.stunnel.org/stunnel/archive/4.x/stunnel-(4).([\d]+)+\.tar\.gz debian
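Review bot: In both URL patterns the `.` between `(4)` and the minor version is unescaped and `([\d]+)+` repeats a capturing group needlessly; uscan joins the capture groups with `.`, so this happens to yield 4.53, but the pattern is looser than intended. `stunnel-(4\.[\d.]+)\.tar\.gz` is the conventional form. The plain ftp URLs also give uscan nothing to verify the tarball against; once upstream publishes detached signatures, an `opts=pgpsigurlmangle=...` entry with the key in debian/upstream would let uscan check them.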