authorPeter Pentchev <roam@ringlet.net>2014-10-16 14:34:53 +0300
committerPeter Pentchev <roam@ringlet.net>2014-10-16 14:34:53 +0300
commitf037ae7866c4ac0032d79a2a73fea3897a752873 (patch)
tree19001043fcc8a1490174616a06c65fe2c581422f /debian/patches
parentcab863ff50d7298874a58ab377276ec1ccbfd957 (diff)
Update the Debian package to stunnel4-3:5.06-1.
This version disables SSLv2 and SSLv3 support by default, so add a news blurb on re-enabling them.
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/01-fix-paths.patch6
-rw-r--r--debian/patches/02-rename-binary.patch12
-rw-r--r--debian/patches/08-client-example.patch2
-rw-r--r--debian/patches/10-no-zlib-compression.patch2
-rw-r--r--debian/patches/11-no-rle-compression.patch2
-rw-r--r--debian/patches/12-restore-pidfile-default.patch4
-rw-r--r--debian/patches/16-upstream-sslv23-method.patch34
-rw-r--r--debian/patches/series1
8 files changed, 49 insertions, 14 deletions
diff --git a/debian/patches/01-fix-paths.patch b/debian/patches/01-fix-paths.patch
index 390b47d..25761c7 100644
--- a/debian/patches/01-fix-paths.patch
+++ b/debian/patches/01-fix-paths.patch
@@ -5,7 +5,7 @@ Forwarded: not-needed
Author: Paolo Molaro <lupus@debian.org>
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
-Last-Update: 2014-06-10
+Last-Update: 2014-10-16
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -53,8 +53,8 @@ Last-Update: 2014-06-10
-;CRLfile = @prefix@/etc/stunnel/crls.pem
+;CRLfile = @sysconfdir@/stunnel/crls.pem
- ; Disable support for insecure SSLv2 protocol
- options = NO_SSLv2
+ ; Enable support for the insecure SSLv2 protocol
+ ;options = -NO_SSLv2
--- a/tools/script.sh
+++ b/tools/script.sh
@@ -2,7 +2,7 @@
diff --git a/debian/patches/02-rename-binary.patch b/debian/patches/02-rename-binary.patch
index a105a58..5bef3b8 100644
--- a/debian/patches/02-rename-binary.patch
+++ b/debian/patches/02-rename-binary.patch
@@ -17,14 +17,14 @@ Last-Update: 2014-10-16
($read_fd, $write_fd)=POSIX::pipe();
--- a/doc/stunnel.8
+++ b/doc/stunnel.8
-@@ -61,8 +61,8 @@
- .\}
+@@ -70,8 +70,8 @@
+ .rr rF
.\" ========================================================================
.\"
-.IX Title "STUNNEL 8"
--.TH STUNNEL 8 "2014.10.06" "5.05" "stunnel"
+-.TH STUNNEL 8 "2014.10.15" "5.06" "stunnel"
+.IX Title "STUNNEL4 8"
-+.TH STUNNEL 8 "2014.10.06" "5.05" "stunnel4"
++.TH STUNNEL 8 "2014.10.15" "5.06" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -58,9 +58,9 @@ Last-Update: 2014-10-16
.\" ========================================================================
.\"
-.IX Title "STUNNEL.PL 8"
--.TH STUNNEL.PL 8 "2014.10.06" "5.05" "stunnel"
+-.TH STUNNEL.PL 8 "2014.10.15" "5.06" "stunnel"
+.IX Title "STUNNEL4.PL 8"
-+.TH STUNNEL.PL 8 "2014.10.06" "5.05" "stunnel4"
++.TH STUNNEL.PL 8 "2014.10.15" "5.06" "stunnel4"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff --git a/debian/patches/08-client-example.patch b/debian/patches/08-client-example.patch
index 4bf2d99..7e2e9ce 100644
--- a/debian/patches/08-client-example.patch
+++ b/debian/patches/08-client-example.patch
@@ -6,7 +6,7 @@ Last-Update: 2014-10-16
--- a/doc/stunnel.8
+++ b/doc/stunnel.8
-@@ -917,6 +917,17 @@
+@@ -929,6 +929,17 @@
\& connect = servername:993
.Ve
.PP
diff --git a/debian/patches/10-no-zlib-compression.patch b/debian/patches/10-no-zlib-compression.patch
index 7f8516d..1f8f388 100644
--- a/debian/patches/10-no-zlib-compression.patch
+++ b/debian/patches/10-no-zlib-compression.patch
@@ -41,7 +41,7 @@ Last-Update: 2014-10-16
if(!comp->method || comp->method->type==NID_undef) {
--- a/src/options.c
+++ b/src/options.c
-@@ -346,9 +346,9 @@
+@@ -425,9 +425,9 @@
if(strcasecmp(opt, "compression"))
break;
if(SSLeay()>=0x00908051L && !strcasecmp(arg, "deflate"))
diff --git a/debian/patches/11-no-rle-compression.patch b/debian/patches/11-no-rle-compression.patch
index bd2f029..a309f4d 100644
--- a/debian/patches/11-no-rle-compression.patch
+++ b/debian/patches/11-no-rle-compression.patch
@@ -10,7 +10,7 @@ Last-Update: 2014-10-16
--- a/src/options.c
+++ b/src/options.c
-@@ -350,7 +350,16 @@
+@@ -429,7 +429,16 @@
else if(!strcasecmp(arg, "zlib"))
return "zlib compression is disabled in the Debian package of OpenSSL";
else if(!strcasecmp(arg, "rle"))
diff --git a/debian/patches/12-restore-pidfile-default.patch b/debian/patches/12-restore-pidfile-default.patch
index 93f0856..effdd52 100644
--- a/debian/patches/12-restore-pidfile-default.patch
+++ b/debian/patches/12-restore-pidfile-default.patch
@@ -22,7 +22,7 @@ Last-Update: 2014-10-16
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
--- a/src/options.c
+++ b/src/options.c
-@@ -693,7 +693,7 @@
+@@ -772,7 +772,7 @@
#ifndef USE_WIN32
switch(cmd) {
case CMD_BEGIN:
@@ -31,7 +31,7 @@ Last-Update: 2014-10-16
break;
case CMD_EXEC:
if(strcasecmp(opt, "pid"))
-@@ -708,9 +708,10 @@
+@@ -787,9 +787,10 @@
case CMD_FREE:
break;
case CMD_DEFAULT:
diff --git a/debian/patches/16-upstream-sslv23-method.patch b/debian/patches/16-upstream-sslv23-method.patch
new file mode 100644
index 0000000..6edb3c5
--- /dev/null
+++ b/debian/patches/16-upstream-sslv23-method.patch
@@ -0,0 +1,34 @@
+Description: Fix the build for OpenSSL with disabled SSLv2/3.
+Origin: upstream; http://www.stunnel.org/pipermail/stunnel-users/2014-October/004806.html
+Last-Update: 2014-10-16
+
+--- a/src/options.c
++++ b/src/options.c
+@@ -2129,15 +2129,18 @@
+ case CMD_END:
+ #ifdef USE_FIPS
+ if(new_global_options.option.fips) {
+- if(section->option.client) {
+- if(section->client_method==(SSL_METHOD *)SSLv2_client_method() ||
+- section->client_method==(SSL_METHOD *)SSLv3_client_method())
+- return "FIPS mode requires sslVersion to be TLSv1 or later";
+- } else {
+- if(section->server_method==(SSL_METHOD *)SSLv2_server_method() ||
+- section->server_method==(SSL_METHOD *)SSLv3_server_method())
+- return "FIPS mode requires sslVersion to be TLSv1 or later";
+- }
++#ifndef OPENSSL_NO_SSL2
++ if(section->option.client ?
++ section->client_method==(SSL_METHOD *)SSLv2_client_method() :
++ section->server_method==(SSL_METHOD *)SSLv2_server_method())
++ return "\"sslVersion = SSLv2\" not supported in FIPS mode";
++#endif
++#ifndef OPENSSL_NO_SSL3
++ if(section->option.client ?
++ section->client_method==(SSL_METHOD *)SSLv3_client_method() :
++ section->server_method==(SSL_METHOD *)SSLv3_server_method())
++ return "\"sslVersion = SSLv3\" not supported in FIPS mode";
++#endif
+ }
+ #endif /* USE_FIPS */
+ break;
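Review bot: The rewritten FIPS check under `case CMD_END:` refuses only a section whose method is pinned to exactly SSLv2 or SSLv3, and nothing in the hunk documents what happens to any other method. The removed message stated the requirement ("TLSv1 or later"), whereas the new `#ifndef OPENSSL_NO_SSL2` / `#ifndef OPENSSL_NO_SSL3` guards leave the `if(new_global_options.option.fips)` body empty when OpenSSL is built without both protocols. I would add a comment above the first guard, for example `/* FIPS: only a pinned SSLv2/SSLv3 method is refused here; other methods rely on the NO_SSLv2/NO_SSLv3 options and the FIPS module */`. The second half of that comment is an assumption and should be confirmed against the rest of options.c before it is committed. The enclosing switch and function begin and end outside the hunk.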
diff --git a/debian/patches/series b/debian/patches/series
index a95ef80..d6d5079 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
12-restore-pidfile-default.patch
14-lsb-init-functions.patch
15-upstream-systemd-libs.patch
+16-upstream-sslv23-method.patch