40 files changed, 4102 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..d9a0f65
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,84 @@
+This is the Stunnel 4.x package for Debian.
+
+* Upgrading from stunnel to stunnel4
+
+Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
+different command line syntax and configuration. You will need to
+update your scripts.
+
+The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
+syntax and calls stunnel4 with appropriate options. It appears to
+support every stunnel3 option *except* -S (which controls the defaults
+used for certificate sources).
+
+* Basic configuration
+
+After installation, you should :
+
+ - edit /etc/stunnel/stunnel.conf
+
+ - edit /etc/default/stunnel and set ENABLE=1, if you want your
+ configured tunnels to start automatically on boot.
+
+ - generate a certificate for use with stunnel if you want to use server mode
+
+Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
+configuration. It is very simple and only includes a couple of configuration
+options. This script is located in
+ /usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
+
+It requires libgnome2-perl and libgtk2-perl.
+
+* How to create SSL keys for stunnel
+
+The certificates default directory is /etc/ssl/certs, so cd into that dir
+and issue the command:
+
+ openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
+
+Fill in the info requested.
+
+Change 'stunnel.pem' to the name of the certificate you need to
+create. stunnel.pem will be used by default by stunnel, but you want
+to create different certificates for different services you run with
+stunnel. Make sure only root can read the file (or only the user that
+needs to read it, if stunnel is run as that user):
+
+ chmod 600 stunnel.pem
+
+Now you need to append the DH parameters to the certificate.
+
+First you need to generate some amount of random data:
+
+ dd if=/dev/urandom of=temp_file count=2
+
+Use /dev/random if you want a more secure source of data, but make
+sure you have enough entropy on you system (the output file should be
+at least 512 bytes long).
+
+And now make openssl generate the DH parameters and append them to the
+certificate file:
+
+ openssl dhparam -rand temp_file 512 >> stunnel.pem
+
+You also want to link the certificate to its hash name so that openssl
+can find it also by that means:
+
+ ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
+
+Read the manual page for openssl for more info on the various options.
+
+* FIPS
+
+Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
+using it requires stunnel to be compiled statically against OpenSSL and all
+supporting libraries. Thus, this option is disabled in the Debian package.
+
+See the OpenSSL FIPS User Guide at
+https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
+and the OpenSSL notes about FIPS 140-2 at
+https://www.openssl.org/docs/fips/fipsnotes.html
+
+ - Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
+
+ -- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z
diff --git a/debian/StunnelConf-0.1.pl b/debian/StunnelConf-0.1.pl
new file mode 100644
index 0000000..e4e5d13
--- /dev/null
+++ b/debian/StunnelConf-0.1.pl
@@ -0,0 +1,477 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2004 Sergio Rua <srua@debian.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+#
+# On Debian GNU/Linux systems, the complete text of the GNU General
+# Public License can be found in `/usr/share/common-licenses/GPL'.
+
+use strict;
+use Gtk2;
+use Gnome2;
+use Gtk2::SimpleList;
+
+use constant TRUE => 1;
+use constant FALSE => 0;
+# Please configure if necessary!
+my $cfgfile = "/etc/stunnel/stunnel.conf";
+my $backup_cfg = 1;
+my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g;
+
+# global variables
+my $ekey;
+my $ecert;
+my $verify;
+my $app;
+my $elog;
+my $clientmode;
+my $debuglevel;
+my $capath;
+my $list;
+
+
+sub mydie
+{
+ my ($msg)=@_;
+
+ print "$msg\n";
+ Gtk2->main_quit;
+ exit (-1);
+}
+
+
+sub sel_file
+{
+ my ($title,$entry,$isfile)=@_;
+
+ my $fsel=Gtk2::FileSelection->new($title);
+ $fsel->ok_button->signal_connect("clicked",sub {
+ print "OK: ". $fsel->get_filename."\n";
+ $entry->set_text($fsel->get_filename);
+ $fsel->destroy;
+ });
+ $fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; });
+
+ $fsel->show;
+}
+
+sub add_connection
+{
+ my $win = new Gtk2::Window("toplevel");
+ $win->set_position("center");
+
+ my $vbox = new Gtk2::VBox( 0, 2 );
+ $win->add($vbox);
+ $vbox->show;
+ my $druid = new Gnome2::Druid;
+ $druid->signal_connect("cancel", sub { $win->destroy; } );
+ $vbox->pack_start($druid,0,0,0);
+ my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START");
+ $druid_start->set_title("Connections setup");
+ $druid_start->set_text("Please follow this configuration wizard to ".
+ "configure your connections\n");
+# $druid_start->set_watermark($logo);
+ $druid_start->show;
+ $druid->append_page($druid_start);
+
+# Second Step: accepting connections
+ my $druid_name = new Gnome2::DruidPageStandard();
+ $druid_name->set_title("Connection name");
+ my $dvbox=new Gtk2::VBox(2,2);
+ my $dtable=new Gtk2::Table(2,2,FALSE);
+ $dvbox->pack_start($dtable,FALSE,FALSE,0);
+
+ my $label=new Gtk2::Label("Enter this connection name");
+ $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
+ my $ename=new Gtk2::Entry();
+ $dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0);
+ $druid_name->append_item("",$dvbox,"");
+ $druid_name->show_all;
+ # add page to the druid
+ $druid->append_page($druid_name);
+
+
+# Second Step: accepting connections
+ my $druid_accept = new Gnome2::DruidPageStandard();
+ $druid_accept->set_title("Accepting connections");
+ my $dvbox=new Gtk2::VBox(2,2);
+ my $dtable=new Gtk2::Table(2,2,FALSE);
+ $dvbox->pack_start($dtable,FALSE,FALSE,0);
+
+ my $accept_error=new Gtk2::Label("");
+ $dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0);
+ my $label=new Gtk2::Label("IP or hostname");
+ $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
+ my $eip=new Gtk2::Entry();
+ $dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0);
+
+ my $label=new Gtk2::Label("Port number");
+ $dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0);
+ my $eport=new Gtk2::Entry();
+ $dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0);
+
+ $druid_accept->append_item("",$dvbox,"");
+ $druid_accept->show_all;
+ # add page to the druid
+ $druid->append_page($druid_accept);
+
+# Third Step: connecting to...
+ my $druid_connect = new Gnome2::DruidPageStandard();
+ $druid_connect->set_title("Connection To...");
+ my $dvbox=new Gtk2::VBox(2,2);
+ my $dtable=new Gtk2::Table(2,2,FALSE);
+ $dvbox->pack_start($dtable,FALSE,FALSE,0);
+
+ my $label=new Gtk2::Label("IP or hostname");
+ $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
+ my $etoip=new Gtk2::Entry();
+ $dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0);
+
+ my $label=new Gtk2::Label("Port number");
+ $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
+ my $etoport=new Gtk2::Entry();
+ $dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0);
+
+ $druid_connect->append_item("",$dvbox,"");
+ $druid_connect->show_all;
+ # add page to the druid
+ $druid->append_page($druid_connect);
+
+
+# Finishing and adding connection
+ my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH");
+ $druid_finish->set_title("Configuration Finished.");
+ $druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
+# $druid_finish->set_logo($logo2);
+ $druid_finish->signal_connect("finish", sub {
+ my $acip=$eip->get_text();
+ my $acport=$eport->get_text();
+ my $coip=$etoip->get_text();
+ my $coport=$etoport->get_text();
+
+ my $dslist = $list->{data};
+ push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ];
+
+
+ $win->destroy;
+ });
+ $druid_finish->show;
+ $druid->append_page($druid_finish);
+ $druid->show;
+ $win->show;
+}
+
+sub load_config_file
+{
+ my $con=$list->{data};
+ my $name="";
+ my $accept="";
+ my $connect="";
+
+ if (! -s $cfgfile) {
+ print "Config file not found. Starting from scratch!\n";
+ return (0);
+ }
+
+ open F, "<$cfgfile" or die "$cfgfile: $!\n";
+
+ while (<F>) {
+ $_=~s/\n//g;
+ if ($_=~/^cert.*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ $ecert->set_text($value);
+ } elsif ($_=~/^key.*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ $ekey->set_text($value);
+ } elsif ($_=~/^verify.*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ if ($value==1) {
+ $verify->entry->set_text("verify peer certificate if present");
+ } elsif ($value==2) {
+ $verify->entry->set_text("verify peer certificate");
+ } elsif ($value==3) {
+ $verify->entry->set_text("verify peer with locally installed certificate");
+ } else {
+ $verify->entry->set_text("no verify");
+ }
+ } elsif ($_=~/^client.*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ $clientmode->entry->set_text($value);
+ } elsif ($_=~/^(capath|CApath).*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ $capath->set_text($value);
+ } elsif ($_=~/^debug.*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ $debuglevel->entry->set_text($value);
+ } elsif ($_=~/^output.*=.*/) {
+ (undef,my $value) = split "=",$_;
+ $value=~s/(\ |\t)//g;
+ $elog->set_text($value);
+ } elsif ($_=~/^\[.*/) {
+ $_=~s/\[//g;
+ $_=~s/\]//g;
+ $name=$_;
+ } elsif ($_=~/^accept.*=.*/) {
+ (undef,$accept) = split "=",$_;
+ $accept=~s/(\ |\t)//g;
+ } elsif ($_=~/^connect.*=.*/) {
+ (undef,$connect) = split "=",$_;
+ $connect=~s/(\ |\t)//g;
+ }
+
+ # load connection
+ if (($accept) && ($name) && ($connect)) {
+ push @$con, [ $name, $accept, $connect ];
+ $name=$connect=$accept="";
+ }
+ }
+ close F;
+
+}
+
+sub save_config_file
+{
+ if ($backup_cfg) {
+ chdir ($base_cfg_dir);
+ rename($cfgfile,$cfgfile.".$$") or
+ print "Error at \n$cfgfile: $!\nNo backup made!\n";
+ }
+ open O, ">$cfgfile" or
+ mydie "Cannot open config file: $!\n";
+
+ print "Saving $cfgfile\n\n\n";
+ print O "# Configuration file created by \"stunnelconf\" by ".
+ "Sergio Rua <srua\@debian.org>\n\n";
+ if ($ekey->get_text()) {
+ print O "key = ".$ekey->get_text()."\n";
+ }
+ if ($ecert->get_text()) {
+ print O "cert = ".$ecert->get_text()."\n";
+ }
+ print O "verify = ".$verify->entry->get_text()."\n";
+ print O "output = ".$elog->get_text()."\n";
+ print O "client = ".$clientmode->entry->get_text()."\n";
+ print O "debug = ".$debuglevel->entry->get_text()."\n";
+ print O "CApath = ".$capath->get_text()."\n";
+ print O "\n\n"; # just some spaces
+
+ my @rowref = @{$list->{data}};
+ my $i=0;
+
+ for $i (0 .. $#rowref) {
+ print O "[".$rowref[$i][0] . "]\n";
+ # if no hostname, ugly ":" to be removed
+ $rowref[$i][1]=~s/^://g;
+ $rowref[$i][2]=~s/^://g;
+ print O "accept = ".$rowref[$i][1] . "\n";
+ print O "connect = ".$rowref[$i][2] . "\n";
+ print O "\n"; # just some spaces
+ }
+
+ close O;
+ Gtk2->main_quit;
+ return 0;
+}
+
+
+sub create_main_win
+{
+ $app = Gnome2::App->new ("stunnel-conf");
+ $app->set_default_size(470,410);
+ $app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } );
+ $app->set_title("Stunnel Configuration");
+
+ my $vbox=Gtk2::VBox->new(FALSE,0);
+ my $frame=Gtk2::Frame->new("Common options");
+ $vbox->pack_start($frame,TRUE, TRUE, 0);
+
+ my $table=Gtk2::Table->new(6, 2, FALSE);
+ $frame->add($table);
+
+ my $label0=Gtk2::Label->new("Private Key");
+ $table->attach($label0,0,1,0,1,["fill"],["fill"],0,0);
+ my $label1=Gtk2::Label->new("Certificate");
+ $table->attach($label1,0,1,1,2,["fill"],["fill"],0,0);
+ my $label2=Gtk2::Label->new("Verify level");
+ $table->attach($label2,0,1,2,3,["fill"],["fill"],0,0);
+ my $label3=Gtk2::Label->new("Log output");
+ $table->attach($label3,0,1,3,4,["fill"],["fill"],0,0);
+ my $label4=Gtk2::Label->new("Client mode");
+ $table->attach($label4,0,1,4,5,["fill"],["fill"],0,0);
+ my $label5=Gtk2::Label->new("Debug level");
+ $table->attach($label5,0,1,5,6,["fill"],["fill"],0,0);
+ my $label6=Gtk2::Label->new("Certificates path");
+ $table->attach($label6,0,1,6,7,["fill"],["fill"],0,0);
+
+ # Private Key
+ my $hbox0=Gtk2::HBox->new(FALSE,0);
+ $table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0);
+
+ $ekey=Gtk2::Entry->new();
+ $hbox0->pack_start($ekey,TRUE,TRUE,0);
+
+ my $bkey=Gtk2::Button->new_from_stock("gtk-open");
+ $bkey->signal_connect("clicked",sub {
+ sel_file("Select private key",$ekey);
+ });
+ $hbox0->pack_start($bkey,FALSE,FALSE,0);
+
+ # Certificate
+ my $hbox1=Gtk2::HBox->new(FALSE,0);
+ $table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0);
+
+ $ecert=Gtk2::Entry->new();
+ $hbox1->pack_start($ecert,TRUE,TRUE,0);
+
+ my $bcert=Gtk2::Button->new_from_stock("gtk-open");
+ $bcert->signal_connect("clicked",sub {
+ sel_file("Select certificate",$ecert);
+ });
+ $hbox1->pack_start($bcert,FALSE,FALSE,0);
+
+ # Auth level - verify
+ $verify = Gtk2::Combo->new();
+ $verify->entry->set_text("no verify");
+ $verify->set_popdown_strings(("no verify",
+ "verify peer certificate if present",
+ "verify peer certificate",
+ "verify peer with locally installed certificate"));
+ $table->attach($verify,1,2,2,3,["fill"],["fill"],0,0);
+
+ # Log output
+ my $hbox2=Gtk2::HBox->new(FALSE,0);
+ $table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0);
+
+ $elog=Gtk2::Entry->new();
+ $hbox2->pack_start($elog,TRUE,TRUE,0);
+
+ my $blog=Gtk2::Button->new_from_stock("gtk-open");
+ $blog->signal_connect("clicked",sub {
+ sel_file("Select log file",$elog);
+ });
+ $hbox2->pack_start($blog,FALSE,FALSE,0);
+
+ # Client mode
+ $clientmode = Gtk2::Combo->new();
+ $clientmode->entry->set_text("no verify");
+ $clientmode->set_popdown_strings(("yes","no"));
+ $table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0);
+
+ # Debug level
+ $debuglevel = Gtk2::Combo->new();
+ $debuglevel->entry->set_text("no verify");
+ $debuglevel->set_popdown_strings(("0","1","5","7"));
+ $table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0);
+
+ # CA path
+ my $hbox3=Gtk2::HBox->new(FALSE,0);
+ $table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0);
+
+ $capath=Gtk2::Entry->new();
+ $hbox3->pack_start($capath,TRUE,TRUE,0);
+
+# my $bcapath=Gtk2::Button->new_from_stock("gtk-open");
+# $bcapath->signal_connect("clicked",sub {
+# sel_file("Select Certificates Path",$capath);
+# });
+# $hbox3->pack_start($bcapath,FALSE,FALSE,0);
+
+ # connections section
+ my $frame2=Gtk2::Frame->new("Connections");
+ $vbox->pack_start($frame2,TRUE, TRUE, 0);
+
+ my $hbox4=Gtk2::HBox->new(FALSE,0);
+ $list=Gtk2::SimpleList->new (
+ 'Name' => 'text',
+ 'Accept' => 'text',
+ 'Connect' => 'text',
+ );
+# $list->get_selection->set_mode ('multiple');
+ my $scwin = Gtk2::ScrolledWindow->new;
+ $scwin->set_policy (qw/automatic automatic/);
+ $scwin->add($list);
+
+ $hbox4->pack_start($scwin,TRUE,TRUE,0);
+
+ # list buttons
+ my $vbbox=Gtk2::VButtonBox->new();
+ $vbbox->set_layout('spread');
+ my $badd = Gtk2::Button->new_from_stock('gtk-add');
+ $badd->signal_connect( 'clicked' => sub { add_connection; } );
+ $vbbox->add($badd);
+
+
+# my $bedit = Gtk2::Button->new_from_stock('gtk-properties');
+# $bedit->signal_connect( 'clicked' => sub {
+# print "Edit\n";
+# } );
+# $vbbox->add($bedit);
+
+
+ my $brem = Gtk2::Button->new_from_stock('gtk-remove');
+ $brem->signal_connect( 'clicked' => sub {
+ my @sel = $list->get_selected_indices;
+ print @sel;
+ foreach my $i (@sel) {
+ delete $list->{data}[$i];
+ }
+ } );
+ $vbbox->add($brem);
+
+ $hbox4->pack_start($vbbox,FALSE,FALSE,0);
+
+ # main buttons!!!
+ my $bbox=Gtk2::HButtonBox->new();
+ $bbox->set_layout('spread');
+
+ my $bok = Gtk2::Button->new_from_stock('gtk-ok');
+ $bok->signal_connect( 'clicked' => sub { save_config_file; } );
+ $bbox->add($bok);
+
+ my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
+ $bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
+ $bbox->add($bcancel);
+
+ $vbox->pack_start($bbox,FALSE,FALSE,0);
+ $frame2->add($hbox4);
+
+
+# App contents and show them
+ $app->set_contents($vbox);
+ $app->show_all;
+}
+
+#
+# MAIN MAIN MAIN
+#
+
+
+#
+Gnome2::Program->init ("stunnelconf", "0.1");
+$app=create_main_win;
+load_config_file;
+
+Gtk2->main;
+
+exit 0;
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..c84f490
--- /dev/null
+++ b/debian/changelog
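Review bot: save_config_file writes the verify combo's display label verbatim (`print O "verify = ".$verify->entry->get_text()."\n";`), while load_config_file maps the numeric levels 1/2/3 to those labels, so after a single save the file holds e.g. `verify = verify peer certificate` instead of the numeric level that load_config_file itself reads back, and the peer-certificate verification setting does not round-trip; the save side needs the inverse mapping shown below. The copy-paste defaults `$clientmode->entry->set_text("no verify");` and `$debuglevel->entry->set_text("no verify");` in create_main_win mean a config that has no client/debug lines is saved with `client = no verify` and `debug = no verify`; they should default to one of their own popdown values, e.g. `"no"` and `"5"`. Separately, `open O, ">$cfgfile"` is a two-arg bareword open and `close O` is unchecked, so a write failure after the original has already been renamed to the `.$$` backup goes unnoticed; prefer `open my $out, '>', $cfgfile or mydie "Cannot open config file: $!\n";` with `close $out or mydie "Cannot write config file: $!\n";`.
```perl
    # Map the combo's display label back to the numeric level that
    # load_config_file reads; unknown text falls back to 0 (no verify).
    my %verify_level = (
        "no verify"                                      => 0,
        "verify peer certificate if present"             => 1,
        "verify peer certificate"                        => 2,
        "verify peer with locally installed certificate" => 3,
    );
    my $vtext  = $verify->entry->get_text();
    my $vlevel = defined $verify_level{$vtext} ? $verify_level{$vtext} : 0;
    print O "verify = $vlevel\n";
    # … unchanged: output/client/debug/CApath lines and the connection sections …
```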
@@ -0,0 +1,1440 @@
+stunnel4 (3:5.52-1) UNRELEASED; urgency=medium
+
+ * New upstream version:
+ - refresh the 02-rename-binary and 04-restore-pidfile-default patches
+ - add the 05-typos patch to correct a typographical error
+
+ -- Peter Pentchev <roam@debian.org> Tue, 30 Apr 2019 12:15:59 +0300
+
+stunnel4 (3:5.50-3) unstable; urgency=medium
+
+ * Correct the name of the Debian branch in the git-buildpackage config.
+ * Make sure the src/dhparam.c file is never regenerated.
+ * Let the Perl test use 2048-bit DH keys to work with OpenSSL 1.1.
+ Closes: #923448; thanks, Sebastian Andrzej Siewior, for
+ the suggested fix!
+ * Use the test-name autopkgtest feature.
+
+ -- Peter Pentchev <roam@debian.org> Sat, 02 Mar 2019 22:53:48 +0200
+
+stunnel4 (3:5.50-2) unstable; urgency=medium
+
+ * Declare compliance with Debian Policy 4.3.0 with no changes.
+ * Bump the debhelper compatibility level to 12 with no changes.
+ * Add the year 2019 to my debian/* copyright notice.
+ * Add a trivial git-buildpackage config file.
+ * Fix a FTBFS in the nodoc build: no "-o root -g root" needed.
+
+ -- Peter Pentchev <roam@debian.org> Wed, 13 Feb 2019 20:33:03 +0200
+
+stunnel4 (3:5.50-1) unstable; urgency=medium
+
+ * New upstream version:
+ - drop the 05-author-tests and 07-path-max patches, integrated upstream
+ - refresh the 02-rename-binary and 04-restore-pidfile-default patches
+
+ -- Peter Pentchev <roam@debian.org> Thu, 06 Dec 2018 17:05:38 +0200
+
+stunnel4 (3:5.49-1) unstable; urgency=medium
+
+ * Declare compliance with Debian Policy 4.2.1 with no changes.
+ * Use the B-D: debhelper-compat (= 11) mechanism.
+ * New upstream version:
+ - drop the 10-enabled and 11-killproc patches, integrated upstream
+ - refresh patch line numbers
+ - reenable the upstream test suite, both at build time and as
+ an autopkgtest, since this upstream version Closes: #906981
+
+ -- Peter Pentchev <roam@debian.org> Mon, 10 Sep 2018 12:05:18 +0300
+
+stunnel4 (3:5.48-2) unstable; urgency=medium
+
+ * Bring up to compliance with Debian Policy 4.2.0: install
+ the upstream release notes as "NEWS" instead of "changelog".
+ * Temporarily disable the upstream test suite, both during the build
+ and as an autopkgtest, until #906981 is fixed. Add the requisite
+ Perl module build dependencies.
+ * Also add Unicode::UTF8 as a dependency for our test program.
+
+ -- Peter Pentchev <roam@debian.org> Fri, 24 Aug 2018 23:47:08 +0300
+
+stunnel4 (3:5.48-1) unstable; urgency=high
+
+ * Declare compliance with Debian Policy 4.1.5 with no changes.
+ * New upstream version.
+
+ -- Peter Pentchev <roam@debian.org> Fri, 13 Jul 2018 17:18:17 +0300
+
+stunnel4 (3:5.47-1) unstable; urgency=high
+
+ * New upstream release with a fix for a SNI mode crash,
+ add a build and test dependency on net-tools now needed for
+ the upstream test suite.
+
+ -- Peter Pentchev <roam@debian.org> Mon, 25 Jun 2018 11:28:17 +0300
+
+stunnel4 (3:5.46-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Peter Pentchev <roam@debian.org> Tue, 29 May 2018 02:04:44 +0300
+
+stunnel4 (3:5.45-1) unstable; urgency=medium
+
+ * New upstream version:
+ - drop the 09-try-restart patch, integrated upstream
+ - drop the 12-disable-tests patch, no longer needed
+ - refresh patch line numbers
+ - update the upstream copyright years
+
+ -- Peter Pentchev <roam@debian.org> Thu, 24 May 2018 17:15:06 +0300
+
+stunnel4 (3:5.44-2) unstable; urgency=medium
+
+ * Declare compliance with Debian Policy 4.1.4 with no changes.
+ * Add procps to the build dependencies for the upstream test suite.
+ * Bump the debhelper compat level to 11 with no changes.
+ * Bump the year on my debian/* copyright notice.
+ * Change the way the service handles the lack of default configuration:
+ - drop the ENABLED option from /etc/defaults/stunnel4
+ - let debhelper take care of not starting the service immediately
+ after installation (when there are no valid config files yet)
+ - add a NEWS blurb pointing out how to disable the service if it
+ is indeed meant to only be started on demand
+ * Let the init script actually wait for the old stunnel instances to
+ stop before starting the new ones or even reporting that the old
+ ones are dead. Closes: #782030
+ * Use my Debian e-mail address.
+ * Point the Vcs-* URLs to salsa.debian.org.
+ * Temporarily drop two tests that rely on an expired certificate and
+ an expired CRL. Closes: #895954, #899130
+ * Drop an empty line at the end of the Debian changelog file.
+ * Drop the "CAs" spelling error override, since recent versions of
+ Lintian do not consider it an error any more.
+ * Add a trivial autopkgtest running adequate on the installed package.
+
+ -- Peter Pentchev <roam@debian.org> Mon, 21 May 2018 18:23:00 +0300
+
+stunnel4 (3:5.44-1) unstable; urgency=medium
+
+ * New upstream release, drop the 10-accept patch taken from upstream.
+
+ -- Peter Pentchev <roam@ringlet.net> Mon, 27 Nov 2017 14:12:39 +0200
+
+stunnel4 (3:5.43-1) unstable; urgency=medium
+
+ * Remove whitespace at the end of the lines in old changelog entries.
+ * Declare compliance with Debian Policy 4.1.1 with no changes.
+ * Fix some typographical errors in old changelog entries.
+ * Add "Rules-Requires-Root: no" to the source control stanza.
+ * New upstream release:
+ - add netcat-traditional to the build dependencies since
+ the new upstream test suite uses it
+ - also run the upstream test suite as an automated package test
+ - add an upstream patch for the behavior of the "accept" option
+ * Rename the automated test scripts without a language extension.
+
+ -- Peter Pentchev <roam@ringlet.net> Wed, 15 Nov 2017 15:58:34 +0200
+
+stunnel4 (3:5.42-1) unstable; urgency=medium
+
+ * Add a simple autopkgtest suite.
+ * Declare compliance with Debian Policy 4.1.0:
+ - do not install documentation files if the "nodoc" build option is
+ set or the "nodoc" build profile is active.
+ - add the 09-try-restart patch to implement the "try-restart" action
+ in the SysV init script.
+ * New upstream version:
+ - drop the 08-session-free patch, fixed upstream in a better way
+ - refresh the 02-rename-binary, 04-restore-pidfile-default, and
+ 07-path-max patches
+ - add a Lintian override because "CAs" is not a typo for this package
+ - add a build dependency on autoconf-archive
+ - bump the year in the upstream copyright notice
+ * Drop the sdf build dependency, it does not seem to be needed any more.
+
+ -- Peter Pentchev <roam@ringlet.net> Sat, 23 Sep 2017 16:25:21 +0300
+
+stunnel4 (3:5.39-2) unstable; urgency=medium
+
+ * Add the 08-session-free patch to avoid freeing the SSL session
+ twice, which will either be detected by the OpenSSL library and
+ crash the stunnel process, or cause use-after-free problems that
+ may lead to even worse results later. Closes: #850292
+
+ -- Peter Pentchev <roam@ringlet.net> Sun, 08 Jan 2017 17:30:12 +0200
+
+stunnel4 (3:5.39-1) unstable; urgency=medium
+
+ * New upstream version:
+ - drop the 08-dh-openssl-1.1 patch, dhparam.c was regenerated with
+ OpenSSL 1.1 again
+ - refresh the rest of the patches
+ * Remove the cybermirror sites from the watch file; their stunnel
+ mirror has been "undergoing maintenance" for at least three months.
+ * Bump the year of my debian/* copyright notice.
+
+ -- Peter Pentchev <roam@ringlet.net> Tue, 03 Jan 2017 12:29:16 +0200
+
+stunnel4 (3:5.38-1) unstable; urgency=medium
+
+ * New upstream release:
+ - drop the 06-lfs, 08-typos, and 09-realloc patches, included upstream
+ - add the 08-dh-openssl-1.1.patch to fix the build with OpenSSL 1.1
+
+ -- Peter Pentchev <roam@ringlet.net> Sun, 27 Nov 2016 03:31:13 +0200
+
+stunnel4 (3:5.37-2) unstable; urgency=medium
+
+ * Add the 09-realloc patch to fix a reallocation / double-free bug.
+ Closes: #843988; thanks, Sebastian Andrzej Siewior and gregor
+ herrmann!
+
+ -- Peter Pentchev <roam@ringlet.net> Wed, 16 Nov 2016 20:50:08 +0200
+
+stunnel4 (3:5.37-1) unstable; urgency=medium
+
+ * Reformat the build and runtime dependency lists in the control file.
+ * Add a runtime dependency on lsb-base for /lib/lsb/init-functions.
+ * Drop the dh_installinit override: --restart-after-upgrade is already
+ the default behavior in debhelper compatibility level 10.
+ * Update the watch file a bit:
+ - replace pgpmode=auto with pgpsigurlmangle - the former will not
+ fail on a missing upstream signature file
+ - make the version regular expression a bit more sane
+ - use v4's @ARCHIVE_EXT@ substitution variable
+ * Add another correction to the typos patch.
+ * New upstream release.
+ * Correct the download webpage's URL in the copyright file.
+ * Correct the project homepage's URL in the stunnel3 manual page.
+ * Use the HTTPS scheme for various upstream URLs.
+
+ -- Peter Pentchev <roam@ringlet.net> Thu, 10 Nov 2016 02:57:28 +0200
+
+stunnel4 (3:5.36-1) unstable; urgency=medium
+
+ * Add the 24-typos patch to fix some typographical errors.
+ * New upstream version:
+ - drop the 10-no-zlib-compression patch, integrated upstream
+ * Bump the debhelper B-D to 10 and drop the Lintian override.
+ * Rename the patch files to "reindex" sequentially.
+
+ -- Peter Pentchev <roam@ringlet.net> Sun, 25 Sep 2016 12:43:20 +0300
+
+stunnel4 (3:5.35-1) unstable; urgency=medium
+
+ * New upstream release:
+ - drop the 24-ssl23 patch, integrated upstream
+ - refresh the other patches
+
+ -- Peter Pentchev <roam@ringlet.net> Mon, 18 Jul 2016 10:45:04 +0300
+
+stunnel4 (3:5.33-1) unstable; urgency=medium
+
+ * Switch the bugs.debian.org URL in a patch to HTTPS.
+ * Switch the copyright format URL to HTTPS.
+ * New upstream version:
+ - fix the build with OpenSSL-1.1; Closes: #828562
+ - refresh the 12-restore-pidfile-default and 23-path-max patches
+ * Add the 24-ssl23.h patch to further fix the OpenSSL 1.1 build -
+ the ssl23.h file was removed.
+
+ -- Peter Pentchev <roam@ringlet.net> Mon, 27 Jun 2016 13:51:43 +0300
+
+stunnel4 (3:5.32-1) unstable; urgency=medium
+
+ * Declare compliance with Debian Policy 3.9.8 with no changes.
+ * Remove the Breaks/Replaces relations for the old "stunnel" package;
+ it is not even present in oldstable.
+ * Update the watch file:
+ - switch to the HTTPS scheme for the upstream downloads page
+ - re-enable the ftp://ftp.stunnel.org/stunnel/archive/5.x/ location
+ and use FTP passive mode to access it
+ - actually include upstream's signing subkey in the key file!
+ - update to the watch file format 4 and use pgpmode=auto
+ * Use Autoconf's AC_SYS_LARGEFILE for Large File Support.
+ * New upstream release:
+ - update the upstream author's e-mail address in the copyright file,
+ the upstream metadata file, and the stunnel3.8 manual page
+ - refresh the 02-rename-binary patch
+ * Bump the debhelper compatibility level to 10:
+ - override the Lintian debhelper warning as it itself suggests
+ - let debhelper handle the parallel building and autoreconf by itself
+ * Add the 23-path-max patch to allocate the configuration filename
+ dynamically and avoid the use of the possibly undefined PATH_MAX.
+
+ -- Peter Pentchev <roam@ringlet.net> Wed, 04 May 2016 14:54:45 +0300
+
+stunnel4 (3:5.31-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Declare compliance with Debian Policy 3.9.7 with no changes.
+
+ -- Peter Pentchev <roam@ringlet.net> Wed, 02 Mar 2016 11:29:06 +0200
+
+stunnel4 (3:5.30-1) unstable; urgency=medium
+
+ * New upstream release:
+ - bump the upstream copyright years
+ - refresh the 02-rename-binary patch
+ - refresh the 10-no-zlib-compression patch (line numbers only)
+ * Bump the year on my debian/* copyright notice.
+
+ -- Peter Pentchev <roam@ringlet.net> Sun, 31 Jan 2016 15:40:22 +0200
+
+stunnel4 (3:5.29-1) unstable; urgency=medium
+
+ * New upstream release, refresh the patches' line numbers.
+
+ -- Peter Pentchev <roam@ringlet.net> Fri, 08 Jan 2016 20:59:02 +0200
+
+stunnel4 (3:5.28-1) unstable; urgency=high
+
+ * New upstream release:
+ - high urgency: fix a bug introduced in 3:5.27-1: if an OpenSSL
+ engine is used, the SSL library's initialization would not be
+ performed completely, skipping, for instance, the proper
+ initialization of the pseudo-random number generator
+ - refresh the patches
+
+ -- Peter Pentchev <roam@ringlet.net> Fri, 11 Dec 2015 23:24:40 +0200
+
+stunnel4 (3:5.27-1) unstable; urgency=medium
+
+ * New upstream release:
+ - refresh the patches
+ - drop the 19-typos patch, applied upstream
+
+ -- Peter Pentchev <roam@ringlet.net> Fri, 04 Dec 2015 00:34:30 +0200
+
+stunnel4 (3:5.26-1) unstable; urgency=medium
+
+ * New upstream version:
+ - drop the 14-lsb-init-functions, 18-lsb-startup, and 20-comparison
+ patches, applied upstream
+ - rework the 02-rename-binary and 10-no-zlib-compression patches
+ - update the 19-typos patch: the fixes within it were applied
+ upstream, but a couple of new typos were introduced
+ - refresh patches
+ - add the 21-author-tests patch to make the building of the Win32
+ binaries conditional on an environment variable and not on
+ the presence of the .git directory
+ - update the upstream copyright notice in debian/copyright
+ * Drop the perl-modules dependency - "perl", brought in by perl:Depends,
+ ought to be enough.
+ * Run the build in all of the source directories. Closes: #804292
+ * Use an https:// URL for Vcs-Git.
+
+ -- Peter Pentchev <roam@ringlet.net> Thu, 19 Nov 2015 20:44:33 +0200
+
+stunnel4 (3:5.18-1) unstable; urgency=medium
+
+ * Add the 17-upstream-hangup patch to fix prematurely closed
+ connections when there is still data to be written.
+ Thanks to Joachim Falk for backporting the patch!
+ Closes: #771241
+ * Add the 18-lsb-startup patch to make the daemons' startup consistent
+ with the way things are done in Debian.
+ Among other things, Closes: #782030
+ * Rework the patches a bit:
+ - update the description of 01-fix-paths
+ - move the tools/script.sh chunk from 01-fix-paths to 02-rename-binary
+ - drop 08-client-example: it was actually applied upstream, no need
+ to add the same text twice
+ - drop 11-no-rle-compression: the OpenSSL bug has been fixed
+ somewhere in the 1.x release timeframe
+ * Add the 19-typos patch to fix some minor documentation typos and
+ rework the 02-rename-binary patch to make the change in the manual page
+ during the stunnel.pod -> stunnel.8 rebuild
+ * Add the 20-comparison patch to fix a minor logging bug.
+ * Remove ${misc:Pre-Depends} as explained in debhelper's #783898.
+ * Bump the year on my debian/* copyright notice.
+ * Add --parallel to the debhelper invocation.
+ * New upstream version:
+ - rework the 01-fix-paths and the 10-zlib-compression patches to
+ catch up with upstream updates
+ - refresh patches
+ - drop the 05-logrotate-warning-in-sample-conf patch, applied upstream
+ - drop the 15-upstream-systemd-libs, 16-upstream-sslv23-method, and
+ 17-upstream-hangup patches since they were cherry-picked from
+ upstream to begin with
+ - remove handling for the dropped French manual page
+
+ -- Peter Pentchev <roam@ringlet.net> Sun, 14 Jun 2015 04:13:02 +0300
+
+stunnel4 (3:5.06-2) unstable; urgency=medium
+
+ * Limit the systemd build dependency to Linux architectures only,
+ so that we actually give Stunnel a chance to build on kFreeBSD
+ or the Hurd.
+ * Add debian/upstream/metadata.
+
+ -- Peter Pentchev <roam@ringlet.net> Mon, 20 Oct 2014 11:49:05 +0300
+
+stunnel4 (3:5.06-1) unstable; urgency=medium
+
+ * New upstream release:
+ - refresh patches
+ - drop 13-init-script-typo.patch, included upstream
+ * Update Standards-Version to 3.9.6.
+
+ [ Santiago Vila <sanvila@unex.es> ]
+ * Fix logrotate typo (closes: #762242).
+
+ [ Peter Pentchev ]
+ * Disable the autodetection of zlib in the configure script,
+ it will most probably not be used at all later.
+ * Fix the DEP-3 format of the 01-fix-paths, 02-rename-binary, and
+ 03-runas-user patches - use multiple "Author" headers.
+ * Switch to the cgit frontend for Vcs-Browser.
+ * New upstream release:
+ - refresh the patches
+ - add a build dependency on libsystemd-dev for the systemd socket
+ activation support
+ - add the 15-upstream-systemd-libs patch to fix the build with
+ the systemd version in unstable/testing
+ - add a news blurb about the disabled SSLv2 and SSLv3 protocols
+ and the configuration options to enable them
+ - add the 16-upstream-sslv23-method patch to fix the build for
+ OpenSSL with disabled SSLv2 and SSLv3
+ - add Mark Theunissen's copyright notice for the systemd socket
+ activation code
+ * Drop an ancient README.Debian note about upgrading from 4.20 or
+ earlier, it has not even been in oldstable for quite some time now.
+ * Switch the /usr/bin/stunnel symlink from stunnel3 to stunnel4,
+ as README.Debian has threatened for ages. Add a news blurb.
+ * Add perl:Depends to the binary package.
+
+ -- Peter Pentchev <roam@ringlet.net> Fri, 17 Oct 2014 12:04:50 +0300
+
+stunnel4 (3:5.03-1) unstable; urgency=medium
+
+ * New upstream version:
+ - refresh the 02-rename-binary, 10-no-zlib-compression, and
+ 12-restore-pidfile-default patches
+ - drop the 09-init-script-ulimits patch, it was actually
+ included upstream in 5.02
+ - add the 13-init-script-typo patch to remove a stray quote
+ * Add the 14-lsb-init-functions patch to source /lib/lsb/init-functions,
+ although the init script does not use anything there yet.
+
+ -- Peter Pentchev <roam@ringlet.net> Sun, 10 Aug 2014 01:55:32 +0300
+
+stunnel4 (3:5.02-1) unstable; urgency=medium
+
+ * New upstream version:
+ - drop the 04-selective-tunnel-restart, 06-init-script-description,
+ and 07-init-script-status patches, applied upstream
+ - refresh the 01-fix-paths, 02-rename-binary, 03-runas-user,
+ 05-logrotate-warning-in-sample-conf, 08-client-example,
+ 09-init-script-ulimits, and 12-restore-pidfile-default patches
+ - augment the 01-fix-paths patch to also move the pidfile to
+ /var/run/ and not /usr/var/run/.
+
+ -- Peter Pentchev <roam@ringlet.net> Tue, 10 Jun 2014 17:23:32 +0300
+
+stunnel4 (3:5.01-3) unstable; urgency=medium
+
+ * Add the 12-restore-pidfile-default patch to restore stunnel's
+ "create the pid file by default" behavior, since the init script
+ has no way of monitoring the started stunnel4 processes otherwise.
+ The init script now warns about configurations with no "pid"
+ setting; in a future version it will refuse to start stunnel for
+ these configurations. Closes: #744851
+
+ -- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
+
+stunnel4 (3:5.01-2) unstable; urgency=medium
+
+ * Add the 11-no-rle-compression patch to disable RLE compression since
+ OpenSSL does not really implement it. Closes: #744350
+ * Modify the 10-no-zlib-compression patch to not even allow starting
+ a tunnel configured with "zlib" or "deflate" compression.
+
+ -- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:24:25 +0300
+
+stunnel4 (3:5.01-1) unstable; urgency=medium
+
+ * New maintainer. Closes: #738093
+ * A new upload should fix the build with newer OpenSSL.
+ Closes: #737517
+ * Add DEP-3 headers to the patch files.
+ * Switch to debhelper override rules.
+ * Use dh-autoreconf and retarget the rename-binary patch.
+ Closes: #727511
+ * Canonicalize the Vcs-Git and Vcs-Browser source control fields.
+ * Update the watch file a bit:
+ - watch a mirror in addition to the main site, at least temporarily
+ until the main FTP site is fixed
+ - watch for 5.x versions, too
+ - add Michal Trojnara's PGP key
+ * Convert the copyright file to the 1.0 format and add my notice.
+ * Remove the README.source file, unnecessary in the 3.0 (quilt) format.
+ * Bump Standards-Version to 3.9.5 with no further changes.
+ * Bump the debhelper compatibility level to 9 with multiarch: + - let debhelper set the build environment variables + - add misc:Pre-Depends to the binary package + - remove the libtool .la file in the multiarch lib directory + * Drop the versions from the libssl-dev and openssl build dependencies. + * Drop two automatically-created directories from debian/dirs + * New upstream release: + - Closes: #723781 (package new upstream version) + - a fix for CVE-2014-0016 was included. Closes: #740802 + - refresh the rename-binary patch + - drop the CVE-2013-1762 patch, it was taken from stunnel-4.55 + - add a stunnel4.NEWS item to note the newly disabled by default + pidfile and libwrap options + - update the copyright file + * Build with Large File Support - no problems there, since stunnel + never really uses the position or the size of any open files. + * Add the init_script_status patch to support the 'status' command. + Closes: #548974 + * Rename the Debian patches following a number sequence. + * Modify the debian/stunnel3.8 and add the 08-client-example patch + to add a client configuration example to the English manual page. + Closes: #644398, although this one shall have to be referred to + upstream for inclusion in the rest of the documentation, too. + * Reword the note about FIPS support in README.Debian, fix a typo + and correct the URLs to the OpenSSL FIPS User Guide. + Closes: #642440 + * Optionally set resource limits on startup. Closes: #599138 + - add the RLIMITS variable to /etc/default/stunnel4 + - add the 09-init-script-ulimits patch to honor it + * Add the 10-no-zlib-compression patch to disable the hardcoded + addition of zlib as a compression algorithm for OpenSSL 0.9.8 and + later; the Debian OpenSSL package is compiled without support for + zlib compression since version 1.0.1e-5. + + -- Peter Pentchev <roam@ringlet.net> Tue, 08 Apr 2014 22:48:48 +0300 + +stunnel4 (3:4.53-1.1) unstable; urgency=high + + * Non-maintainer upload. 
+ * Add CVE-2013-1762.patch patch. + CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT + protocol negotiation. (Closes: #702267) + + -- Salvatore Bonaccorso <carnil@debian.org> Mon, 22 Apr 2013 19:47:34 +0200 + +stunnel4 (3:4.53-1) unstable; urgency=low + + * New upstream version 4.53. + - Added client-mode "sni" option to directly control the value of + TLS Server Name Indication (RFC 3546) extension (Closes: #668041). + - Added support for IP_FREEBIND socket option with a pached Linux kernel. + - Glibc-specific dynamic allocation tuning was applied to help unused memory + deallocation. + - Non-blocking OCSP implementation. + - Various other bugfixes, see upstream changelog for details. + + * Enabled hardening compile flags. There were NO compile time warning messages + or errors triggered because of this. + + * Updated to Standards-Version 3.9.3. No changes required. + - Migrating to /run from /var/run will be a hard problem, because we expect + user written config files to refer to the directory. We'll punt on making + this change for now. + * Updated copyright years to 2012. + * Added Description: LSB header to init script. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 03 Jun 2012 11:34:36 -0700 + +stunnel4 (3:4.52-1) unstable; urgency=low + + * New upstream version 4.52. + * Do not enable chroot in sample config file. It is misleading to users, it + suggests it can be used with no further changes. Closes: #652812 + * Remove log files on purge. Closes: #657135 + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 12 Feb 2012 12:06:37 -0800 + +stunnel4 (3:4.51~b5-1) experimental; urgency=low + + * New upstream version + - Fixed exec+connect sections (Closes: #653882). + - New "compression = deflate" global option to enable RFC 2246 compression. + For compatibility with previous versions "compression = zlib" and + "compression = rle" also enable the deflate (RFC 2246) compression. 
+ - Separate default ciphers and sslVersion for "fips = yes" and "fips = no". + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 04 Jan 2012 11:24:58 -0800 + +stunnel4 (3:4.50-1) unstable; urgency=low + + * New Upstream Releases. Highlights: + + 4.46: + - Added Unix socket support (e.g. "connect = /var/run/stunnel/socket"). + - Added "verify = 4" mode to ignore CA chain and only verify peer + certificate. + - Removed the limit of 16 IP addresses for a single 'connect' option. + - Removed the limit of 256 stunnel.conf sections in PTHREAD threading + model. + + 4.45: + - "protocol = proxy" support to send original client IP address to haproxy + http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt + This requires accept-proxy bind option of haproxy 1.5-dev3 or later. + - Libwrap helper processes are no longer started if libwrap is disabled + in all sections of the configuration file. + - Fixed -l option handling in stunnel3 script (thx to Kai Gülzau). + - Script to build default stunnel.pem was fixed (thx to Sebastian Kayser). + + 4.44: + - Heap buffer overflow protection with canaries. + - Stack buffer overflow protection with -fstack-protector. + - Fixed garbled error messages on errors with setuid/setgid options. + + 4.43: + - Major optimization of the logging subsystem. + Benchmarks indicate up to 15% stunnel performance improvement. + * Remove config.guess and config.sub in clean target, otherwise build fails + because of changes in source outside of a patch. Found and fixed by + Peter Eisentraut <petere@debian.org> (Closes: #647176). + * Updated watchfile to new upstream's directory structure for archived + releases. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 29 Dec 2011 06:39:09 -0800 + +stunnel4 (3:4.42-1) unstable; urgency=low + + * New Upstream Release. + - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may + possibly be leveraged to perform DoS or remote code execution attacks. 
+ (Closes: #638758) + - New verify level 0 to request and ignore peer certificate. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sat, 27 Aug 2011 08:34:43 -0700 + +stunnel4 (3:4.40-1) unstable; urgency=low + + * New Upstream Release: + - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters + are not provided in stunnel.pem. + - Default "ciphers" value updated to prefer ECDH: + "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH". + - Default ECDH curve updated to "prime256v1". + - Removed support for temporary RSA keys (used in obsolete export ciphers). + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 24 Jul 2011 11:06:57 -0700 + +stunnel4 (3:4.39-1) unstable; urgency=low + + * New Upstream Releases. Highlights: + + 4.38: + - Server-side SNI implemented (RFC 3546 section 3.1) with a new + service-level option "nsi". + - "socket" option also accepts "yes" and "no" for flags. + - Nagle's algorithm is now disabled by default for improved interactivity. + - Bugfix: Signal pipe set to non-blocking mode. This bug caused + hangs of stunnel features based on signals, e.g. local mode, FORK + threading, or configuration file reload on Unix. Win32 platform was + not affected. + + 4.37: + - Client-side SNI implemented (RFC 3546 section 3.1). + - Default "ciphers" changed from the OpenSSL default to a more secure + and faster "RC4-MD5:HIGH:!aNULL:!SSLv2". + A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2". + - Recommended "options = NO_SSLv2" added to the sample stunnel.conf file. + - Default client method upgraded from SSLv3 to TLSv1. + To connect servers without TLS support use "sslVersion = SSLv3" option. + - Bugfix: Non-blocking socket handling in local mode fixed + (Closes: #626856). + + 4.36: + - Dynamic memory management for strings manipulation: + no more static STRLEN limit, lower stack footprint. (Closes: #594876). 
+ - Strict public key comparison added for "verify = 3" certificate + checking mode (thx to Philipp Hartwig). + For more details see upstream ChangeLog. + + * Removed /usr/lib/stunnel/libstunnel.la file. + * Support restarting selected stunnel instances. Thanks Peter Palfrader. + (Closes: #627765). + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 21 Jul 2011 15:46:25 -0700 + +stunnel4 (3:4.35-2) unstable; urgency=low + + * Fix variable substitution in init script (Closes: #623221). + Thanks Tomas Kapralek <kapralek@cvut.cz> for report and diagnosis. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Mon, 18 Apr 2011 20:46:01 -0700 + +stunnel4 (3:4.35-1) unstable; urgency=low + + * New Upstream Releases (Closes: #621987). + * Upstream incorporated our init script, so this package no longer carries + its own copy of it. + * Bump Standards-Version to 3.9.2. No changes needed. + * Remove /etc/stunnel/stunnel4.conf file as it is useless, except as a sample. + A README file for /etc/stunnel was provided (Closes: #549384). + * Minor cleanup of debian/rules, no longer runs configure twice. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Sun, 17 Apr 2011 22:04:53 -0700 + +stunnel4 (3:4.33-1) experimental; urgency=low + + * New Upstream Releases + - 4.31 + + A SIGHUP to the server will cause it to reload the configuration file. + + A SIGUSR1 to the server causes it to reopen its log files. + - 4.32 + + New service-level "libwrap" option for run-time control whether + /etc/hosts.allow and /etc/hosts.deny are used for access control. + Disabling libwrap significantly increases performance of stunnel. + - 4.33 + + Fixes to inetd mode + + For more details please see upstream's ChangeLog. + + * Init script now provides reload and reopen-log options (Closes: #323171). + * The logrotate config file now takes advantage of reopen-log option. + * Update config.{build,sub} on build. Closes: #535719. + * Add missing ${misc:Depends} entry to debian/control. 
+ * Update copyright years. + * Update to Standards-Version: 3.9.1 + - stunnel4 no longer Conflicts: stunnel, but merely Breaks: stunnel. + * Update packaging to source format 3.0 (quilt). + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Fri, 27 Aug 2010 16:58:44 -0700 + +stunnel4 (3:4.29-1) unstable; urgency=low + + * New upstream version (Closes: #559270). + - sessiond, a high performance SSL session cache was built for stunnel. + A new service-level "sessiond" option was added. sessiond is + available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ . + stunnel clusters will be a lot faster, now! + - Transparent proxy support on Linux kernels >=2.6.28. + See the manual for details. + The old transproxy.txt file is no longer provided. + - New socket options to control TCP keepalive on Linux: + TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL. + - SSL options updated for the recent version of OpenSSL library. + - Bugfixes + + Missing "fips" option was added to the manual. + + A serious bug in asynchronous shutdown code fixed. + + Data alignment updated in libwrap.c. + + Polish manual encoding fixed. Debian's patch for this removed. + + Notes on compression implementation in OpenSSL added to the manual. + + * Use correct owner:group for logs after rotation. (Closes: #529481). + Thanks Brian 'morlenxus' Miculcy <morlenxus@gmx.net> + * Use copytruncate in logrotate file, instead of restarting the + daemon (Closes: #535915). + Thanks Andrew Buckeridge <andrewb@bgc.com.au> + * Bump Standards-Version to 3.8.3. No changes required. + * Do not specify path to true in postinst script. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Tue, 08 Dec 2009 19:34:21 -0800 + +stunnel4 (3:4.27-1) unstable; urgency=low + + * New upstream release. + - Remove debian/patches/security-check_certificate, now included upstream. + Fixes: CVE-2008-2420 + - Libwrap helper processes fixed to close standard + input/output/error file descriptors. 
(Closes: #482379) + * Rebase quilt patches to not require -p0. (Closes: #484966) + * Fix sample configuration file to use ssl cert from /etc/ssl/certs + (Closes: #460953). + * Warn if automatic startup is disabled in /etc/default/stunnel4 + (Closes: #475599). + * Use invoke-rc.d in ppp start/stop scripts. + * Standards-Version: 3.8.1. + - Add README.source documenting use of quilt. + * Bump to debhelper 7 + - Remove unused old option from dh_mkshlibs call + * Declare the polish pod's encoding and use unicode when converting it + to a manpage. + * Dummy upgrade package is priority: extra + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Fri, 24 Apr 2009 19:56:05 -0700 + +stunnel4 (3:4.22-2) unstable; urgency=low + + * Check if a daemon is already running before trying to start it with the + same configuration file. Thanks Peter Palfrader <weasel@debian.org> for + the report (Closes: #506091). + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Tue, 18 Nov 2008 13:52:42 +0100 + +stunnel4 (3:4.22-1.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix security bug in the OCSP functionality that allowed revoked + certificates to authenticate (Closes: #482644) + Fixes: CVE-2008-2420 + + -- Steffen Joeris <white@debian.org> Tue, 27 May 2008 18:28:56 +0200 + +stunnel4 (3:4.22-1) unstable; urgency=low + + * New upstream release. + - Build system now uses standard automake dirs. + - Reworked logging system avoids outputting before log file is configured + (Closes: #460019). + - Simultaneous logging to a file and the syslog is now possible. + - A new service level option to control stack size: + stack = <number of bytes> + - Bugfixes in libwrap support code. + * debian/patches/setuid.patch: Removed, it's included upstream. + * debian/patches/fix-paths: Reworked to use automake's standard dirs. + * Rebase the rest of the patches. + * Update standards-version to 3.7.3. No changes needed. 
+ * Fix build-dependencies on -1 revisions of libssl-dev, openssl and quilt. + * Register documentation in the System/Security section. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Tue, 01 Apr 2008 11:07:56 -0600 + +stunnel4 (3:4.21-1) unstable; urgency=low + + * New upstream release. + - Binaries moved from /usr/sbin to /usr/bin. Thus, Debian no longer + diverges in that from upstream. + - libstunnel.so migrated inside /usr/lib/stunnel. + - Preliminary FIPS 140-2 support, but this package does not include it, + as it requires static compilation. + - Miscellaneous bugfixing. + * debian/patches/no_zlib_link: + - Rebased. Only line numbering changed. + * debian/patches/libstunnel_is_private_lib: + - Removed. Included upstream. + * debian/patches/fix-paths: + - Remove hunks related to moving binaries to /usr/bin. Refresh line numbers + in the rest. + * debian/patches/rename-binary: + - Rebased. Minor changes due to changed dates in the manpage and the use of + @prefix@ in src/stunnel3.in. + * debian/patches/setuid.patch: + - Patch from upstream to allow using setuid/setgid with /etc/passwd and + /etc/group not within chrooted directory. + * debian/README.Debian: + - Add explanation about not turning FIPS mode on. + - Reword warning about binaries changing place. + * debian/rules, debian/stunnel4.manpages: + - No longer need to move the binaries. + - Upstream location for manpages changed. We still install them by hand, + anyways. + - Ship fr and pl manpages. + - Do not pass --host to configure if not cross compiling. + - Reorder target dependencies. This should avoid problems when doing + parallel builds. + * debian/control: + - Remove XS- prefix from Vcs-* fields. + - Add Homepage: field. + - Correct minor typo in dummy package's description. + - Version build dependency on quilt, since we require + /usr/share/quilt/quilt.make (Closes: #447751). + - Change my maintainer address. 
+ + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 05 Dec 2007 08:09:44 -0600 + +stunnel4 (3:4.20-5) unstable; urgency=low + + * debian/stunnel3.8: + - Remove references to unsupported -S and -V options in manpage, and + include an explicit list of tunable parameters for -O and their + default values (Closes: #440718). + - Rewrite -P argument description. It must be a file to be created, or + empty (Closes: #398012). + + -- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> Thu, 27 Sep 2007 11:54:53 -0500 + +stunnel4 (3:4.20-4) unstable; urgency=low + + * Add missing names and dates of copyright attributions to + debian/copyright. Update licencing blurb to mention the new FSF's + postal address. + * Restructure README.Debian into sections. + * Remove /usr/share/lintian/overrides and /usr/sbin from + debian/dirs. Explicitly create the first if needed to install an + override file, and explicitly remove the later after moving the + binaries, in debian/rules. + * Move StunnelConf-0.1.pl into /usr/share/doc/stunnel4/contrib. Remove + it from debian/docs and explicitely install it in dh_install call. + * Patch configure (debian/patches/no_zlib_link) to avoid linking to + zlib. This library is a dependency of openssl, but not of ours. + * Rewrite changelog entries from previous version, adding mention of + modified files. + * Use make -C dir instead of cd dir; make constructs in debian/rules. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> Mon, 27 Aug 2007 18:11:40 -0500 + +stunnel4 (3:4.20-3) unstable; urgency=low + + * New Maintainer (Closes: #416955). + * Manage patches to upstream source with quilt. + - fix-paths changes references to /usr/sbin. + We install binaries in /usr/bin. It also removes bogus @PREFIX@ uses + from several paths. + - rename-binary changes the name of the executable to stunnel4. + - runas-user sets the default config to run as the stunnel4 user and group. + - connect-proxy-dunbar *unapplied* patch from upstream's + site. 
(It does not apply to 4.07 onwards) + - openssl0.9.8-initialization *unapplied* patch. Originally meant to + close #334180, was disabled by previous maintainer without + explanation. + * Add stunnel dummy upgrade package. + - debian/control: Add package stanza. + - debian/rules: Modify to build the arch-indep package. + - debian/stunnel.NEWS: Add upgrade notice for stunnel 3 users. + * Shorten dh_* invocations in debian/rules. + - new files: stunnel4.examples, stunnel4.links, stunnel4.manpages. + * Ship upstream Changelog (Closes: #419842). + - Add ChangeLog to dh_installchangelogs call in debian/rules. + * Do not compress StunnelConf-0.1.pl (Closes: #432304). + - Add exclude entry to dh_compress call in debian/rules. + * Add watch file. + * Suggests: logcheck-database (Closes: #382099). + * Move libstunnel.so into /usr/lib/stunnel, as it is a private DSO. + - Remove lintian overrides. + - Added debian/patches/libstunnel_is_private_lib + - Remove ldconfig calls from post{inst,rm} + - Remove /usr/lib/libstunnel.so.4 link + * Use debhelper compat mode 5. + - Bump debhelper build-depends to >= 5. No other changes. + * Remove /var/lib/stunnel4 when purged, if empty (in debian/postinst). + * Remove manual call to invoke-rc.d from postinst. debhelper inserts it + automatically. 
+ + -- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> Mon, 20 Aug 2007 23:18:31 -0500 + +stunnel4 (3:4.20-2) unstable; urgency=low + + * Orphan package + + -- Julien Lemoine <speedblue@debian.org> Sat, 31 Mar 2007 20:07:55 +0200 + +stunnel4 (3:4.20-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Sat, 27 Jan 2007 21:43:19 +0100 + +stunnel4 (3:4.18-2) unstable; urgency=low + + * Updated chroot default path in configuration file + * Added LSB section in init script + + -- Julien Lemoine <speedblue@debian.org> Tue, 7 Nov 2006 20:22:04 +0100 + +stunnel4 (3:4.18-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Wed, 27 Sep 2006 20:33:07 +0200 + +stunnel4 (3:4.17-2) unstable; urgency=low + + * Check if pids are valid before trying to use kill + (Closes: #388379) + + -- Julien Lemoine <speedblue@debian.org> Wed, 20 Sep 2006 22:04:41 +0200 + +stunnel4 (3:4.17-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Mon, 11 Sep 2006 22:48:09 +0200 + +stunnel4 (3:4.16-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Fri, 1 Sep 2006 22:11:10 +0200 + +stunnel4 (2:4.150-7) unstable; urgency=low + + * Fixed a bug when pid is not given in configuration file : + init.d script was looking for /var/run/stunnel4/stunnel4.pid but + stunnel was creating /var/run/stunnel4.pid + (Closes: #384275) + * Added check during start to encourage users to fill the pid= section + of configuration file when start failed (for example if you use two + configuration files without pid= option) + + -- Julien Lemoine <speedblue@debian.org> Thu, 24 Aug 2006 17:19:57 +0200 + +stunnel4 (2:4.150-6) unstable; urgency=low + + * Updated to debian policy 3.7.2 + * Fixed lintian warnings + + -- Julien Lemoine <speedblue@debian.org> Tue, 22 Aug 2006 14:03:19 +0200 + +stunnel4 (2:4.150-5) unstable; urgency=low + + * Fixed typo in 
postinst : + /var/lib/stunnel4/stunnel.log instead of /var/log/stunnel4/stunnel.org + (Closes: #381127) + + -- Julien Lemoine <speedblue@debian.org> Wed, 2 Aug 2006 21:19:49 +0200 + +stunnel4 (2:4.150-4) unstable; urgency=low + + * Create /var/lib/stunnel4 if it does not exist in postinst + (Closes: #377074) + + -- Julien Lemoine <speedblue@debian.org> Sun, 16 Jul 2006 16:12:05 +0200 + +stunnel4 (2:4.150-3) unstable; urgency=low + + * Fixed another problem with stunnel3 compatibility script + (call to /usr/sbin/stunnel4 instead of /usr/bin/stunnel4) and added + a check in debian/rules (Closes: #340113) + + -- Julien Lemoine <speedblue@debian.org> Mon, 1 May 2006 17:58:39 +0200 + +stunnel4 (2:4.150-2) unstable; urgency=low + + * Fixed stunnel3 compatibility script problem (infinite loop) + Thanks to "Martin Schwenke" <martin@meltin.net> for bug report. + * Added a check in debian/rules to ensure that stunnel3 compatibility script + does not contains infinite loop + + -- Julien Lemoine <speedblue@debian.org> Mon, 27 Mar 2006 09:26:06 +0200 + +stunnel4 (2:4.150-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Sun, 12 Mar 2006 21:30:08 +0100 + +stunnel4 (2:4.140-6) unstable; urgency=low + + * Added check/creation of /var/run/stunnel4 directory in init.d script instead of + postinst in order to be FHS compliant when /var/run is cleared at startup + (note that /var/run/stunnel4 cleanup does not allow a chroot in /var/run/stunnel4) + Thanks to Jim Helm : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343882;msg=25 + + -- Julien Lemoine <speedblue@debian.org> Sun, 5 Mar 2006 18:18:58 +0100 + +stunnel4 (2:4.140-5) unstable; urgency=low + + * Move stunnel and stunnel-dsa from /usr/sbin to /usr/bin in order to be + compliant with FHS standard. The stunnel program is interesting for + "normal" users as well as administrator. 
+ + -- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:47:55 +0100 + +stunnel4 (2:4.140-4) unstable; urgency=low + + * Fixed problem with default directory (/etc/stunnel for configuration + directory and /var/run/stunnel4.pid for pid file) (Closes: #343882) + + -- Julien Lemoine <speedblue@debian.org> Thu, 22 Dec 2005 16:32:20 +0100 + +stunnel4 (2:4.140-3) unstable; urgency=low + + * Default configuration file is now filled with values for usage + in a chroot environment + (if you do not want chroot or want to use vserver, you need to edit it) + (Closes: #342507) + + -- Julien Lemoine <speedblue@debian.org> Sat, 17 Dec 2005 10:00:40 +0100 + +stunnel4 (2:4.140-2) unstable; urgency=low + + * Fixed stunnel3 compatibility script + (wrong binary : stunnel instead of stunnel4) + (Closes: #340113) + + -- Julien Lemoine <speedblue@debian.org> Mon, 21 Nov 2005 07:57:02 +0100 + +stunnel4 (2:4.140-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Wed, 2 Nov 2005 22:01:52 +0100 + +stunnel4 (2:4.120-1) unstable; urgency=low + + * New upstream release + * Applied patch from Kurt Roeckx <kurt@roeckx.be> to fix initialization + problem with openssl 0.9.8 (Closes: #334180) + + -- Julien Lemoine <speedblue@debian.org> Wed, 26 Oct 2005 17:53:55 +0200 + +stunnel4 (2:4.110-2) unstable; urgency=low + + * Rebuild with openssl 0.9.8 + + -- Julien Lemoine <speedblue@debian.org> Mon, 10 Oct 2005 19:41:33 +0200 + +stunnel4 (2:4.110-1) unstable; urgency=low + + * New upstream release + * Updated to Standards-Version 3.6.2 + + -- Julien Lemoine <speedblue@debian.org> Sun, 24 Jul 2005 11:21:14 +0200 + +stunnel4 (2:4.090-1) unstable; urgency=low + + * New upstream release + * include better stunnel3 compatibility script from upstream, options + like -cd can now be use instead of -c -d ... 
+ (closes: #305259) + * Added depends on perl-modules to allow use of stunnel3 compatibility script + + -- Julien Lemoine <speedblue@debian.org> Wed, 20 Apr 2005 21:07:50 +0200 + +stunnel4 (2:4.070-5) unstable; urgency=low + + * Renamed stunnel3 compatibility script (/usr/sbin/stunnel) to be compatible + with stunnel package + * Added conflict with stunnel package (compatible, does not break user + configuration) since stunnel 4.x is more actively maintained + than stunnel 3.x + + -- Julien Lemoine <speedblue@debian.org> Tue, 29 Mar 2005 22:16:43 +0200 + +stunnel4 (2:4.070-4) unstable; urgency=low + + * Add an option (PPP_RESTART) in /etc/default/stunnel4 to enable/disable + restart scripts (closes: #298352) + + -- Julien Lemoine <speedblue@debian.org> Mon, 7 Mar 2005 22:47:27 +0100 + +stunnel4 (2:4.070-3) unstable; urgency=low + + * Do not remove user and group if there already exist in postinst + script (Closes: #290374) + + -- Julien Lemoine <speedblue@debian.org> Mon, 17 Jan 2005 23:33:56 +0100 + +stunnel4 (2:4.070-2) unstable; urgency=low + + * Fixed directory problem : + - confdir was /usr/etc/stunnel instead of /etc/stunnel (Closes: #289832) + - zlib compression was unable to start since /etc/stunnel/stunnel.conf + was not read (Closes: #289872) + + -- Julien Lemoine <speedblue@debian.org> Tue, 11 Jan 2005 19:56:59 +0100 + +stunnel4 (2:4.070-1) unstable; urgency=low + + * New upstream release : Add IPV6 support + * Disable proxy-connect patch (does not apply on 4.07 sources) + + -- Julien Lemoine <speedblue@debian.org> Thu, 6 Jan 2005 07:23:48 +0100 + +stunnel4 (2:4.050-4) unstable; urgency=low + + * Restart connection instead of stop when ppp is down. It is possible to + use stunnel for eth interfaces. 
(Closes: 271006) + + -- Julien Lemoine <speedblue@debian.org> Sun, 26 Sep 2004 18:12:36 +0200 + +stunnel4 (2:4.050-3) unstable; urgency=low + + * Added proxy-connect patch (Closes: #267533) + * Create directory /var/log/stunnel in postinst (Closes: #267093) + * Create user and group stunnel4 (Closes: #266339) + * Uncomment some line in default configuration file : + o Use /var/log/stunnel4/stunnel.log as default log file + o Use stunnel4 user and group as default + o Use /var/run/stunnel4/stunnel.pid as default pid file + + -- Julien Lemoine <speedblue@debian.org> Wed, 1 Sep 2004 22:19:28 +0200 + +stunnel4 (2:4.050-2) unstable; urgency=low + + * Fixed stopping problem in init.d script (Closes: #265449) + Thanks to Wilfried Goesgens <willi@almado.de> + * Added stunnel4 in logrotate (Closes: #265437) + Thanks to Wilfried Goesgens <willi@almado.de> + + -- Julien Lemoine <speedblue@debian.org> Fri, 13 Aug 2004 21:42:23 +0200 + +stunnel4 (2:4.050-1) unstable; urgency=low + + * By default, store pidfile in /var/run/stunnel4/stunnel.pid with + /var/run/stunnel4 owned by nobody:nogroup + * Oops, stunnel4 was a debian native package + + -- Julien Lemoine <speedblue@debian.org> Mon, 7 Jun 2004 21:23:37 +0200 + +stunnel4 (2:4.05-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine <speedblue@debian.org> Wed, 7 Apr 2004 22:08:42 +0200 + +stunnel4 (2:4.04.0-10) unstable; urgency=low + + * Shut down stunnel4 in postinst (Closes: #234498) + + -- Julien Lemoine <speedblue@debian.org> Tue, 24 Feb 2004 21:50:03 +0100 + +stunnel4 (2:4.04.0-9) unstable; urgency=low + + * Added configuration script from "Sergio Rua" <srua@debian.org> + + -- Julien Lemoine <speedblue@debian.org> Sun, 22 Feb 2004 23:26:38 +0100 + +stunnel4 (2:4.04.0-8) unstable; urgency=low + + * Added ppp ip-up and ip-down scripts + (Closes: #227678) + + -- Julien Lemoine <speedblue@debian.org> Sun, 22 Feb 2004 22:52:31 +0100 + +stunnel4 (2:4.04.0-7) unstable; urgency=low + + * Fix problem in init.d 
script (was not sh compatible)
+ (Closes: #214818, #214823)
+
+ -- Julien Lemoine <speedblue@debian.org> Fri, 10 Oct 2003 00:47:57 +0200
+
+stunnel4 (2:4.04.0-6) unstable; urgency=low
+
+ * Rewrite of /etc/init.d/stunnel4 :
+ o does not use kill -9, thus giving a chance to stunnel4 to clean up
+ puts common code in functions
+ o avoids calling ps twice
+ o uses fgrep
+ o does not print the conf file name if no processes exist for it
+ o corrects the `stoped' typo
+ Thanks to Francesco Potorti` <pot@gnu.org> (Closes: #214562)
+
+ -- Julien Lemoine <speedblue@debian.org> Tue, 7 Oct 2003 16:37:12 +0200
+
+stunnel4 (2:4.04.0-5) unstable; urgency=low
+
+ * /etc/init.d/stunnel4 can load more than one configuration file.
+ It loads /etc/stunnel/*.conf. You can have a configuration file for
+ server mode and one for client mode. (Closes: #211870)
+
+ -- Julien Lemoine <speedblue@debian.org> Thu, 25 Sep 2003 18:05:01 +0200
+
+stunnel4 (2:4.04.0-4) unstable; urgency=low
+
+ * Put stunnel.html in /usr/share/doc/stunnel4/ instead of
+ /usr/share/doc/stunnel
+ * Updated to Standards-Version 3.6.1
+
+ -- Julien Lemoine <speedblue@debian.org> Thu, 4 Sep 2003 13:39:51 +0200
+
+stunnel4 (2:4.04.0-3) unstable; urgency=low
+
+ * Fixed wrong path search for stunnel.conf
+ (Closes: Bug#202931)
+
+ -- Julien Lemoine <speedblue@debian.org> Sat, 26 Jul 2003 11:00:46 +0200
+
+stunnel4 (2:4.04.0-2) unstable; urgency=low
+
+ * Fixed stunnel.conf problems, file must be commented by default. 
+ (Closes: #202693)
+
+ -- Julien Lemoine <speedblue@debian.org> Fri, 25 Jul 2003 11:38:47 +0200
+
+stunnel4 (2:4.04.0-1) unstable; urgency=low
+
+ * Oops, stunnel4 is not a native package -> reupload it with a diff.gz
+ * Does not install stunnel.so since it is not used
+ * Updated clean rules to have a clean diff
+ * Updated to Standards-Version 3.6.0
+
+ -- Julien Lemoine <speedblue@debian.org> Sat, 19 Jul 2003 20:12:51 +0200
+
+stunnel4 (2:4.04-2) unstable; urgency=low
+
+ * Fixed compilation errors (removed binary in clean rule)
+ * removed libstunnel.so since it is not used
+
+ -- Julien Lemoine <speedblue@debian.org> Sun, 13 Jul 2003 02:45:05 +0200
+
+stunnel4 (2:4.04-1) unstable; urgency=low
+
+ * Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x
+ are in stunnel package to keep backward compatibility.
+
+ -- Julien Lemoine <speedblue@debian.org> Fri, 4 Jul 2003 18:24:21 +0200
+
+stunnel (4.04-5) unstable; urgency=low
+
+ * The "I need to sleep more to avoid making typos" release.
+ * Fixed typos in default/init file (ENABLED instead of ENABLE)
+ (Closes: #197958)
+ * Commented all stunnel.conf file, client=no is the default value
+ (Closes: #197961)
+
+ -- Julien Lemoine <speedblue@debian.org> Thu, 19 Jun 2003 00:40:28 +0200
+
+stunnel (4.04-4) unstable; urgency=low
+
+ * Added /etc/default/stunnel with a variable ENABLE. 
+ ENABLE=0 by default since stunnel segv on some computer when all lines
+ are commented (Closes: #197663, #197615)
+
+ -- Julien Lemoine <speedblue@debian.org> Mon, 16 Jun 2003 22:04:17 +0200
+
+stunnel (4.04-3) unstable; urgency=low
+
+ * comment ldap sample (Closes: #197566)
+
+ -- Julien Lemoine <speedblue@debian.org> Mon, 9 Jun 2003 15:03:41 +0200
+
+stunnel (4.04-2) unstable; urgency=low
+
+ * Fixed typo in init.d script (Closes: #197499)
+ * Added a commented example in stunnel.conf from Craig Sanders
+
+ -- Julien Lemoine <speedblue@debian.org> Sun, 15 Jun 2003 18:06:07 +0200
+
+stunnel (4.04-1) unstable; urgency=low
+
+ * New upstream release (Closes: #177532, Closes: 188137)
+ * New maintainer
+ * Stunnel has no more -L option (Closes: #120265)
+ * Stunnel has no more -l option (Closes: #175844)
+ * Shutdown(1) problem was fixed (Closes: #111125)
+ * Problem with large data resolved (tested with a 5Mo file)
+ (Closes: #112287)
+ * Licence is now GPL version 2 with agreement to link with openssl
+ (Closes: #147665)
+ * stunnel can execute command (Closes: #147537)
+ * added a lintian overwrite for libstunnel.so since it is compiled with
+ -avoid-version
+ * Fixed problem with path (/etc/ instead of $(prefix)/etc, ...)
+ * Include default configuration file in /etc
+ * Upgraded to debian policy 3.5.10
+ * Added init.d file
+
+ -- Julien Lemoine <speedblue@debian.org> Sat, 24 May 2003 02:30:20 +0200
+
+stunnel (3.22-1) unstable; urgency=high
+
+ * New upstream release (closes: bug#126627).
+ * Typo fix in postinst (closes: bug#120199, bug#121904)
+
+ -- Paolo Molaro <lupus@debian.org> Sun, 30 Dec 2001 10:31:46 +0100
+
+stunnel (3.21.c-1) unstable; urgency=low
+
+ * New upstream release (Closes: bug#111139, bug#102834, bug#61427).
+ * Avoid generating automatically the initial stunnel.pem, openssl cannot be
+ reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info
+ on how to generate the certificate is now included in README.Debian. 
+ * There is support for (re)setting OOB data handling in the new upstream
+ version (Closes: bug#107503).
+ * Include the sample /etc/iniy.d/stunnel file as an example in the package
+ (Closes: bug#114669).
+
+ -- Paolo Molaro <lupus@debian.org> Sat, 17 Nov 2001 12:31:04 +0100
+
+stunnel (3.14-1) unstable; urgency=low
+
+ * New upstream release
+ * Actually compile it against the new libssl (Closes: #86916).
+
+ -- Paolo Molaro <lupus@debian.org> Fri, 23 Feb 2001 18:57:18 +0100
+
+stunnel (3.13-1) unstable; urgency=low
+
+ * New upstream release.
+ * Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500).
+ * Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576).
+
+ -- Paolo Molaro <lupus@debian.org> Sun, 18 Feb 2001 21:30:50 +0100
+
+stunnel (3.10-1) unstable; urgency=high
+
+ * New upstream release.
+
+ -- Paolo Molaro <lupus@debian.org> Wed, 20 Dec 2000 15:14:08 +0100
+
+stunnel (3.10-0potato1) stable; urgency=high
+
+ * New upstream release.
+
+ -- Paolo Molaro <lupus@debian.org> Wed, 20 Dec 2000 13:07:35 +0100
+
+stunnel (3.9-0potato1) stable; urgency=high
+
+ * New upstream release: security fix (Closes: #80079, #76576).
+ * Use correct dir for pid (Closes: #77227).
+
+ -- Paolo Molaro <lupus@debian.org> Wed, 20 Dec 2000 11:24:18 +0100
+
+stunnel (3.8-1) unstable; urgency=low
+
+ * New upstream version (Closes: #75117, #67010).
+ * Read 1k of random data in a temp file (Closes: #69808).
+ * Added a note in postrm about the stunnel.pem file that
+ is left in /etc/ssl/certs: it is safer if the user deals with
+ it since it may have been create by him and not stunnel (Closes: #57648).
+
+ -- Paolo Molaro <lupus@debian.org> Wed, 5 Jul 2000 16:43:07 +0000
+
+stunnel (3.4a-6) unstable; urgency=low
+
+ * Depends on openssl 0.9.4 (closes: bug#53947). 
+
+ -- Paolo Molaro <lupus@debian.org> Tue, 4 Jan 2000 12:37:24 +0100
+
+stunnel (3.4a-5) unstable; urgency=medium
+
+ * Include upstream download info in copyright (closes: bug#53301).
+ * Include example from Steve Haslam to make stunnel run from a
+ init script (closes: bug#53300).
+
+ -- Paolo Molaro <lupus@debian.org> Thu, 23 Dec 1999 16:49:38 +0100
+
+stunnel (3.4a-4) unstable; urgency=medium
+
+ * Depends on openssl instead of Suggests (Closes: bug#49238).
+
+ -- Paolo Molaro <lupus@debian.org> Sat, 13 Nov 1999 12:44:35 +0100
+
+stunnel (3.4a-3) unstable; urgency=high
+
+ * Fixes security problem with the certificate.
+
+ -- Paolo Molaro <lupus@debian.org> Thu, 4 Nov 1999 17:33:52 +0100
+
+stunnel (3.4a-2) unstable; urgency=low
+
+ * Suggest openssl instead of ssleay. (Closes: bug#47712)
+
+ -- Paolo Molaro <lupus@debian.org> Wed, 27 Oct 1999 18:24:27 +0200
+
+stunnel (3.4a-1) unstable; urgency=low
+
+ * New upstream release.
+ * Put cert in /etc/ssl/certs (closes:#41099). I think this is
+ neither an openssl nor stunnel bug, but a dpkg one (other
+ similar bugs are already filed against dpkg).
+
+ -- Paolo Molaro <lupus@debian.org> Thu, 22 Jul 1999 16:50:32 +0200
+
+stunnel (3.3-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Paolo Molaro <lupus@debian.org> Fri, 18 Jun 1999 16:43:05 +0200
+
+stunnel (3.2-2) unstable; urgency=low
+
+ * Fixed stupid coding error.
+
+ -- Paolo Molaro <lupus@debian.org> Sat, 29 May 1999 13:01:17 +0200
+
+stunnel (3.2-1) unstable; urgency=low
+
+ * Recompilation with new ssl lib.
+ * New upstream release.
+
+ -- Paolo Molaro <lupus@debian.org> Mon, 24 May 1999 12:09:58 +0200
+
+stunnel (2.1-2) unstable; urgency=low
+
+ * Added libwrap support (/etc/hosts.{allow,deny}).
+ * Recompilation with newer libc6.
+ * Better stunnel-config script.
+
+ -- Paolo Molaro <lupus@debian.org> Fri, 11 Dec 1998 11:57:52 +0100
+
+stunnel (2.1-1) unstable; urgency=low
+
+ * Initial release. 
+
+ -- Paolo Molaro <lupus@debian.org> Mon, 30 Nov 1998 11:41:29 +0100
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..b973b8e
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,6 @@
+build-stamp
+debian/stunnel4.init
+doc/stunnel.8
+doc/stunnel.html
+doc/stunnel4.8
+doc/stunnel4.pl.8
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..b05ecba
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,49 @@
+Source: stunnel4
+Section: net
+Priority: optional
+Build-Depends:
+ debhelper-compat (= 12),
+ autoconf-archive,
+ libanyevent-perl,
+ libnet-ssleay-perl,
+ libpath-tiny-perl,
+ libssl-dev,
+ libsystemd-dev [linux-any],
+ libunicode-utf8-perl,
+ libwrap0-dev,
+ netcat-traditional,
+ net-tools,
+ openssl,
+ procps
+Maintainer: Peter Pentchev <roam@debian.org>
+Uploaders: Laszlo Boszormenyi (GCS) <gcs@debian.org>
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/debian/stunnel/
+Vcs-Git: https://salsa.debian.org/debian/stunnel.git
+Homepage: https://www.stunnel.org/
+Rules-Requires-Root: no
+
+Package: stunnel4
+Architecture: any
+Provides: stunnel
+Depends:
+ ${shlibs:Depends},
+ ${misc:Depends},
+ ${perl:Depends},
+ lsb-base,
+ netbase,
+ openssl
+Pre-Depends: adduser
+Suggests: logcheck-database
+Description: Universal SSL tunnel for network daemons
+ The stunnel program is designed to work as SSL encryption
+ wrapper between remote client and local (inetd-startable) or
+ remote server. The concept is that having non-SSL aware daemons
+ running on your system you can easily setup them to
+ communicate with clients over secure SSL channel.
+ .
+ stunnel can be used to add SSL functionality to commonly
+ used inetd daemons like POP-2, POP-3 and IMAP servers
+ without any changes in the programs' code.
+ .
+ This package contains a wrapper script for compatibility with stunnel 3.x
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..6e100e9
--- /dev/null
+++ b/debian/copyright 
@@ -0,0 +1,59 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: stunnel
+Upstream-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
+Source: https://www.stunnel.org/downloads.html
+License: GPL-2+-openssl
+
+Files: *
+Copyright:
+ (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ (c) 2014 Mark Theunissen
+License: GPL-2+-openssl
+
+Files: src/stunnel3.in
+Copyright: (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+License: GPL-2+
+
+Files: debian/*
+Copyright:
+ (C) 1998-2001 Paolo Molaro <lupus@debian.org>
+ (C) 2003-2007 Julien Lemoine <speedblue@debian.org>
+ (C) 2007-2012 Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+ (C) 2013 Salvatore Bonaccorso <carnil@debian.org>
+ (C) 2014-2019 Peter Pentchev <roam@debian.org>
+License: GPL-2+-openssl
+
+License: GPL-2+-openssl
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ can be found in file "/usr/share/common-licenses/GPL-2".
+ .
+ Linking stunnel statically or dynamically with other modules is making
+ a combined work based on stunnel. Thus, the terms and conditions of the
+ GNU General Public License cover the whole combination.
+ .
+ In addition, as a special exception, the copyright holder of stunnel gives you
+ permission to combine stunnel with free software programs or libraries that
+ are released under the GNU LGPL and with code included in the standard release
+ of OpenSSL under the OpenSSL License (or modified versions of such code, with
+ unchanged license). You may copy and distribute such a system following the
+ terms of the GNU GPL for stunnel and the licenses of the other code concerned.
+ . 
+ Note that people who make modified versions of stunnel are not obligated to
+ grant this special exception for their modified versions; it is their choice
+ whether to do so. The GNU General Public License gives permission to release
+ a modified version without this exception; this exception also makes it
+ possible to release a modified version which carries forward this exception.
+
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ can be found in file "/usr/share/common-licenses/GPL-2".
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..b8812d5
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1 @@
+etc/stunnel
diff --git a/debian/doc-base b/debian/doc-base
new file mode 100644
index 0000000..016cb25
--- /dev/null
+++ b/debian/doc-base
@@ -0,0 +1,10 @@
+Document: stunnel4
+Title: Stunnel documentation
+Author: Michal Trojnara
+Abstract: This manual documents stunnel, a SSL-enhanced client and
+ server wrapper.
+Section: System/Security
+
+Format: HTML
+Index: /usr/share/doc/stunnel4/stunnel.html
+Files: /usr/share/doc/stunnel4/stunnel*.html
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..b5c7362
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,4 @@
+BUGS
+NEWS
+README
+TODO
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..ebd0446
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,5 @@
+[DEFAULT]
+pristine-tar = True
+sign-tags = True
+debian-branch = master
+upstream-branch = upstream
diff --git a/debian/patches/01-fix-paths.patch b/debian/patches/01-fix-paths.patch
new file mode 100644
index 0000000..7b26356
--- /dev/null
+++ b/debian/patches/01-fix-paths.patch 
@@ -0,0 +1,38 @@
+Description: Update the installation directories.
+ Change @prefix@/... to @localstatedir@ or @sysconfdir@ as appropriate
+ to comply with the FHS
+Forwarded: not-needed
+Author: Paolo Molaro <lupus@debian.org>
+Author: Julien Lemoine <speedblue@debian.org>
+Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+Last-Update: 2016-07-06
+
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -64,7 +64,7 @@
+ accept = 127.0.0.1:110
+ connect = pop.gmail.com:995
+ verifyChain = yes
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+ checkHost = pop.gmail.com
+ OCSPaia = yes
+
+@@ -73,7 +73,7 @@
+ accept = 127.0.0.1:143
+ connect = imap.gmail.com:993
+ verifyChain = yes
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+ checkHost = imap.gmail.com
+ OCSPaia = yes
+
+@@ -82,7 +82,7 @@
+ accept = 127.0.0.1:25
+ connect = smtp.gmail.com:465
+ verifyChain = yes
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+ checkHost = smtp.gmail.com
+ OCSPaia = yes
+
diff --git a/debian/patches/02-rename-binary.patch b/debian/patches/02-rename-binary.patch
new file mode 100644
index 0000000..ad0a853
--- /dev/null
+++ b/debian/patches/02-rename-binary.patch 
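Review bot: The three added lines `+CApath = @sysconfdir/ssl/certs` (inner hunks @@ -64, @@ -73 and @@ -82) drop the closing `@` of the substitution token, whereas every other patch in this series writes the tokens as `@sysconfdir@/default/stunnel4` and `@localstatedir@/run/stunnel.pid`. If the configure-time `edit = sed` step only rewrites `@name@` tokens, the installed sample keeps the literal `@sysconfdir/ssl/certs`, and the three sections that set `verifyChain = yes` then point at a CA directory that does not exist, so peer verification can never succeed for anyone who uncomments them. Each of the three lines should read `+CApath = @sysconfdir@/ssl/certs`. The sed rule for tools/ is not in this diff, so the substitution syntax is inferred from the tokens used elsewhere in the series.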
@@ -0,0 +1,100 @@
+Description: Change references to the binary from stunnel to stunnel4
+Forwarded: not-needed
+Author: Julien Lemoine <speedblue@debian.org>
+Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+Last-Update: 2018-12-06
+
+--- a/src/stunnel3.in
++++ b/src/stunnel3.in
+@@ -22,7 +22,7 @@
+ use Getopt::Std;
+
+ # Configuration - path to stunnel (version >=4.05)
+-$stunnel_bin='@bindir@/stunnel';
++$stunnel_bin='@bindir@/stunnel4';
+
+ # stunnel3 script body begins here
+ ($read_fd, $write_fd)=POSIX::pipe();
+--- a/tools/stunnel.init.in
++++ b/tools/stunnel.init.in
+@@ -1,6 +1,6 @@
+ #! /bin/sh -e
+ ### BEGIN INIT INFO
+-# Provides: stunnel
++# Provides: stunnel4
+ # Required-Start: $local_fs $remote_fs
+ # Required-Stop: $local_fs $remote_fs
+ # Should-Start: $syslog
+@@ -21,8 +21,8 @@
+
+ . /lib/lsb/init-functions
+
+-DEFAULTPIDFILE="/var/run/stunnel.pid"
+-DAEMON=@bindir@/stunnel
++DEFAULTPIDFILE="/var/run/stunnel4.pid"
++DAEMON=@bindir@/stunnel4
+ NAME=stunnel
+ DESC="TLS tunnels"
+ OPTIONS=""
+@@ -48,9 +48,9 @@
+ startdaemons() {
+ local res file args pidfile warn status
+
+- if ! [ -d /var/run/stunnel ]; then
+- rm -rf /var/run/stunnel
+- install -d -o stunnel -g stunnel /var/run/stunnel
++ if ! [ -d /var/run/stunnel4 ]; then
++ rm -rf /var/run/stunnel4
++ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
+ fi
+ if [ -n "$RLIMITS" ]; then
+ ulimit $RLIMITS
+@@ -181,7 +181,7 @@
+ OPTIONS="-- $OPTIONS"
+ fi
+
+-[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
++[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4
+
+ # If the user want to manage a single tunnel, the conf file's name
+ # is in $2. Otherwise, respect @sysconfdir@/default/stunnel4 setting. 
+--- a/tools/script.sh
++++ b/tools/script.sh
+@@ -2,7 +2,7 @@
+
+ REMOTE_HOST="www.mirt.net:443"
+ echo "client script connecting $REMOTE_HOST"
+-/usr/local/bin/stunnel -fd 10 \
++/usr/bin/stunnel4 -fd 10 \
+ 11<&0 <<EOT 10<&0 0<&11 11<&-
+ client=yes
+ connect=$REMOTE_HOST
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -15,11 +15,11 @@
+
+ .pod.in.8.in:
+ pod2man -u -n stunnel -s 8 -r $(VERSION) \
+- -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
++ -c "stunnel4 TLS Proxy" -d `date +%Y.%m.%d` $< $@
+
+ .pod.in.html.in:
+ pod2html --index --backlink --header \
+- --title "stunnel TLS Proxy" --infile=$< --outfile=$@
++ --title "stunnel4 TLS Proxy" --infile=$< --outfile=$@
+ rm -f pod2htmd.tmp pod2htmi.tmp
+
+ edit = sed \
+--- a/doc/stunnel.pl.8.in
++++ b/doc/stunnel.pl.8.in
+@@ -66,8 +66,8 @@
+ .\}
+ .\" ========================================================================
+ .\"
+-.IX Title "stunnel 8"
+-.TH stunnel 8 "2019.04.04" "5.51" "stunnel TLS Proxy"
++.IX Title "stunnel4 8"
++.TH stunnel 8 "2019.04.04" "5.51" "stunnel4 TLS Proxy"
+ .\" For nroff, turn off justification. Always turn off hyphenation; it makes
+ .\" way too many mistakes in technical documents.
+ .if n .ad l
diff --git a/debian/patches/03-runas-user.patch b/debian/patches/03-runas-user.patch
new file mode 100644
index 0000000..e493fc8
--- /dev/null
+++ b/debian/patches/03-runas-user.patch 
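Review bot: The init-script hunk (@@ -21,8) renames `DAEMON` and `DEFAULTPIDFILE` but leaves `NAME=stunnel`, and the man-page hunk (@@ -66,8) renames the `.IX Title` but leaves `.TH stunnel 8`, so the new side is only half-renamed. How `$NAME` is used further down the init script (messages only, or also pid/lock paths) is not visible here, so whether the omission is deliberate cannot be judged from this hunk. If it is deliberate, the patch header is the place to say so, e.g. a Description continuation line ` NAME and the .TH page name are intentionally kept as "stunnel" because <reason to confirm>`.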
@@ -0,0 +1,19 @@
+Description: Change the default user the binary will run as to stunnel4
+Forwarded: not-needed
+Author: Julien Lemoine <speedblue@debian.org>
+Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+Last-Update: 2015-06-13
+
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -8,8 +8,8 @@
+ ; **************************************************************************
+
+ ; It is recommended to drop root privileges if stunnel is started by root
+-;setuid = nobody
+-;setgid = @DEFAULT_GROUP@
++;setuid = stunnel4
++;setgid = stunnel4
+
+ ; PID file is created inside the chroot jail (if enabled)
+ ;pid = @localstatedir@/run/stunnel.pid
diff --git a/debian/patches/04-restore-pidfile-default.patch b/debian/patches/04-restore-pidfile-default.patch
new file mode 100644
index 0000000..09bfe97
--- /dev/null
+++ b/debian/patches/04-restore-pidfile-default.patch 
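Review bot: The header `Description: Change the default user the binary will run as to stunnel4` overstates what the hunk does: both replacement lines stay commented (`+;setuid = stunnel4`, `+;setgid = stunnel4`), so the effective default is unchanged and privileges are only dropped once an administrator uncomments them. A more accurate first line would be `Description: Change the suggested setuid/setgid user in the sample configuration to stunnel4`. A second line noting that debian/postinst creates the stunnel4 account would also tell readers why this value is safe to uncomment.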
@@ -0,0 +1,44 @@
+Description: Temporarily restore the pid file creation by default.
+ The init script will not be able to monitor the automatically-started
+ instances of stunnel if there is no pid file. For the present for the
+ upgrade from 4.53 the "create the pid file by default" behavior is
+ restored and the init script warns about configuration files that have
+ no "pid" setting. The intention is that in a future version the init
+ script will refuse to start stunnel for these configurations.
+Forwarded: not-needed
+Author: Peter Pentchev <roam@ringlet.net>
+Bug-Debian: https://bugs.debian.org/744851
+Last-Update: 2018-12-06
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -33,6 +33,7 @@
+ stunnel_CPPFLAGS += -I$(SSLDIR)/include
+ stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
+ stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
++stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
+
+ # TLS library
+ stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
+--- a/src/options.c
++++ b/src/options.c
+@@ -1038,7 +1038,7 @@
+ #ifndef USE_WIN32
+ switch(cmd) {
+ case CMD_SET_DEFAULTS:
+- new_global_options.pidfile=NULL; /* do not create a pid file */
++ new_global_options.pidfile=PIDFILE;
+ break;
+ case CMD_SET_COPY: /* not used for global options */
+ break;
+@@ -1062,9 +1062,10 @@
+ return "Pid file must include full path name";
+ break;
+ case CMD_PRINT_DEFAULTS:
++ s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE);
+ break;
+ case CMD_PRINT_HELP:
+- s_log(LOG_NOTICE, "%-22s = pid file", "pid");
++ s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid");
+ break;
+ }
+ #endif
diff --git a/debian/patches/05-typos.patch b/debian/patches/05-typos.patch
new file mode 100644
index 0000000..bb911e1
--- /dev/null
+++ b/debian/patches/05-typos.patch 
@@ -0,0 +1,38 @@
+Description: Correct a typographical error.
+Forwarded: no
+Author: Peter Pentchev <roam@ringlet.net>
+Last-Update: 2019-04-30
+
+--- a/doc/stunnel.8.in
++++ b/doc/stunnel.8.in
+@@ -414,7 +414,7 @@
+ .IX Item "ciphersuites = CIPHERSUITES_LIST"
+ select permitted TLSv1.3 ciphersuites
+ .Sp
+-A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.
++A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.
+ .Sp
+ This option requires OpenSSL 1.1.1 or later.
+ .Sp
+--- a/doc/stunnel.html.in
++++ b/doc/stunnel.html.in
+@@ -504,7 +504,7 @@
+
+ <p>select permitted TLSv1.3 ciphersuites</p>
+
+-<p>A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.</p>
++<p>A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.</p>
+
+ <p>This option requires OpenSSL 1.1.1 or later.</p>
+
+--- a/doc/stunnel.pod.in
++++ b/doc/stunnel.pod.in
+@@ -438,7 +438,7 @@
+
+ select permitted TLSv1.3 ciphersuites
+
+-A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.
++A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.
+
+ This option requires OpenSSL 1.1.1 or later.
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9308a05
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,5 @@
+01-fix-paths.patch
+02-rename-binary.patch
+03-runas-user.patch
+04-restore-pidfile-default.patch
+05-typos.patch
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..e052fe5
--- /dev/null
+++ b/debian/postinst 
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+set -e
+
+USER="stunnel4"
+CHOWN="/bin/chown"
+#USERDEL="/usr/sbin/userdel"
+ADDUSER="/usr/sbin/adduser"
+ID="/usr/bin/id"
+GROUPMOD="/usr/sbin/groupmod"
+#GROUPDEL="/usr/sbin/groupdel"
+
+###
+# 1. get current stunnel uid and gid if user exists.
+set -e
+if $ID $USER > /dev/null 2>&1; then
+ IUID=`$ID --user $USER`
+ IGID=`$ID --group $USER`
+else
+ IUID="NONE"
+ IGID="NONE"
+fi
+
+###
+# 2. Ensure that no standard account or group will remain before adding the
+# new user
+#if [ "$IUID" != "NONE" ]; then # remove existing user
+# $USERDEL $USER
+#fi
+
+#if $GROUPMOD $USER > /dev/null 2>&1; then
+# $GROUPDEL $USER;
+#fi
+
+if [ "$IUID" = "NONE" ]; then
+ $ADDUSER --system --disabled-password --disabled-login \
+ --home /var/run/stunnel4 \
+ --no-create-home --group $USER
+fi
+
+# /var/run/stunnel4 is not a directory, create it...
+if ! test -d /var/run/stunnel4; then
+ rm -rf /var/run/stunnel4;
+ mkdir /var/run/stunnel4
+fi
+$CHOWN $USER:$USER /var/run/stunnel4 || true
+
+# /var/log/stunnel4 is not a directory, create it...
+if ! test -d /var/log/stunnel4; then
+ rm -rf /var/log/stunnel4;
+ mkdir /var/log/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/log/stunnel4
+
+# /var/lib/stunnel4 is not a directory, create it...
+if ! test -d /var/lib/stunnel4; then
+ rm -rf /var/lib/stunnel4;
+ mkdir /var/lib/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/lib/stunnel4
+
+if ! test -f /var/log/stunnel4/stunnel.log; then
+ touch /var/log/stunnel4/stunnel.log
+ $CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
+fi
+
+#DEBHELPER#
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..a81c946
--- /dev/null
+++ b/debian/postrm 
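Review bot: `$CHOWN -R $USER:$USER /var/log/stunnel4` and `$CHOWN -R $USER:$USER /var/lib/stunnel4` run as root on every install and upgrade over trees that the unprivileged stunnel4 account owns and writes into; a recursive ownership change over a user-controlled tree is the pattern Lintian warns about in maintainer scripts, because whatever has been placed in that tree in the meantime gets its owner changed too. Only the directory itself and the freshly created stunnel.log need an owner, so the non-recursive form is sufficient; `/var/lib/stunnel4` is described as the chroot directory in postrm, and handing the jailed account ownership of the jail root is generally discouraged, so that one may be better left root-owned (whether stunnel needs to write there is not visible here — confirm). The `|| true` on the `/var/run/stunnel4` chown is inconsistent with the other two and hides a real failure under `set -e`; the second `set -e` and the unused `GROUPMOD` look like leftovers. A single loop over the three directories without `-R` replaces the three near-identical blocks.
```shell
# … unchanged: variable setup, user lookup and adduser …

# Create each directory if it is missing and set its owner without
# descending into it: the stunnel4 account controls these trees' contents.
for dir in /var/run/stunnel4 /var/log/stunnel4 /var/lib/stunnel4; do
    if ! test -d "$dir"; then
        rm -rf "$dir"
        mkdir "$dir"
    fi
    $CHOWN "$USER:$USER" "$dir"
done

if ! test -f /var/log/stunnel4/stunnel.log; then
    touch /var/log/stunnel4/stunnel.log
    $CHOWN "$USER:$USER" /var/log/stunnel4/stunnel.log
fi

# … unchanged: #DEBHELPER# …
```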
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+if [ x$1 = "xpurge" ]; then
+ echo You may want to delete the generated stunnel.pem file
+ echo in /etc/ssl/certs.
+
+ # Remove chroot dir if present. It may contain logfiles
+ rm -rf /var/lib/stunnel4 || true
+
+ # Log files must be removed on purge (Policy 10.8)
+ rm -f /var/log/stunnel4/stunnel.log* || true
+ rmdir /var/log/stunnel4 || true
+fi
+
+#DEBHELPER#
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..72da349
--- /dev/null
+++ b/debian/rules 
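Review bot: `if [ x$1 = "xpurge" ]; then` leaves `$1` unquoted; the `x` prefix keeps it from breaking on an empty argument, but the lint-clean form is `if [ "$1" = "purge" ]; then`. The two `echo` lines refer to stunnel.pem in /etc/ssl/certs, which this package does not generate (README.Debian and the 3.21.c-1 changelog entry say the administrator creates it by hand), so a comment such as `# The certificate is admin-generated, so purge only reminds about it` would document why the script prints instead of removing it.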
@@ -0,0 +1,97 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# debian/rules file for the Debian GNU/Linux stunnel package
+# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
+# Copyright 2014 by Peter Pentchev <roam@ringlet.net>
+
+ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
+DEB_NODOC=0
+else
+DEB_NODOC=1
+endif
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND=-Wall
+
+multiarch_path= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+override_dh_auto_configure:
+ dh_auto_configure -- \
+ --enable-ipv6 --with-threads=pthread
+
+ # Do not allow this file to be regenerated
+ [ -f src/dhparam.c ]
+ sleep 1
+ touch src/dhparam.c
+
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ env TEST_STUNNEL=$(CURDIR)/src/stunnel debian/tests/runtime
+ dh_auto_test
+endif
+
+override_dh_auto_install:
+ dh_auto_install -- -C src
+ifeq ($(DEB_NODOC),0)
+ dh_auto_install -- -C doc
+endif
+
+ # .la file is useless
+ rm $(CURDIR)/debian/stunnel4/usr/lib/$(multiarch_path)/stunnel/libstunnel.la
+
+ # Rename binary
+ mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
+ $(CURDIR)/debian/stunnel4/usr/bin/stunnel4
+
+ # Copy sample init script into place for dh_installinit
+ cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
+
+ifeq ($(DEB_NODOC),0)
+ ln doc/stunnel.8 doc/stunnel4.8
+ ln doc/stunnel.pl.8 doc/stunnel4.pl.8
+
+ # Manpages will be installed by dh_installman
+ rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
+
+ # Move docs into proper dir
+ mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
+ $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
+
+ # Basic docs for the user on how to create an initial configuration
+ install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
+ $(CURDIR)/debian/stunnel4/etc/stunnel/README
+endif
+
+ifeq ($(DEB_NODOC),1)
+override_dh_installdocs:
+ mkdir -p 
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
+ install -p -m 644 $(CURDIR)/debian/copyright $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/
+
+override_dh_installman:
+
+override_dh_link:
+ dh_link
+ rm $(CURDIR)/debian/stunnel4/usr/share/man/man8/stunnel.8.gz
+ rmdir $(CURDIR)/debian/stunnel4/usr/share/man/man8
+ rmdir $(CURDIR)/debian/stunnel4/usr/share/man
+endif
+
+override_dh_installchangelogs:
+ dh_installchangelogs -X ChangeLog
+ install -m 644 ChangeLog $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/NEWS
+
+override_dh_installinit:
+ dh_installinit --no-start
+
+override_dh_installppp:
+ dh_installppp --name=0stunnel4
+
+override_dh_compress:
+ dh_compress --exclude=StunnelConf-0.1.pl
+
+%:
+ dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/stunnel3.8 b/debian/stunnel3.8
new file mode 100644
index 0000000..8273a50
--- /dev/null
+++ b/debian/stunnel3.8 
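Review bot: The `override_dh_auto_configure` recipe runs `[ -f src/dhparam.c ]`, `sleep 1` and `touch src/dhparam.c` under the bare comment `# Do not allow this file to be regenerated`, which says what is done but not why regeneration is unwanted or why the one-second sleep is needed. Presumably the upstream build rule regenerates dhparam.c (fresh DH parameters) when it looks older than its inputs, and the delay makes its mtime unambiguously newer than the configure outputs — that is inferred, not visible here, and it is exactly what the comment should state, e.g. `# Keep upstream's dhparam.c: the build regenerates it when it looks stale, so bump its mtime past the configure outputs (sleep 1 keeps the timestamps distinct)`. The `[ -f src/dhparam.c ]` test could also say that it is a deliberate hard failure when the file is missing.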
@@ -0,0 +1,510 @@ +.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. 
ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. 
ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "STUNNEL 1" +.TH STUNNEL 8 "2003-08-01" " " " " +.SH "NAME" +stunnel \- universal SSL tunnel +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user] +[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host] +[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption +wrapper between remote clients and local (\fIinetd\fR\-startable) or +remote servers. The concept is that having non-SSL aware daemons +running on your system you can easily set them up to communicate with +clients over secure \s-1SSL\s0 channels. +.PP +\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used +\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone +daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network +sockets without changes to the source code. +.PP +This product includes cryptographic software written by Eric Young +(eay@cryptsoft.com) +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-h\fR" 4 +.IX Item "-h" +Print stunnel help menu +.IP "\fB\-D\fR level" 4 +.IX Item "-D level" +Debugging level +.Sp +Level is a one of the syslog level names or numbers emerg (0), alert +(1), crit (2), err (3), warning (4), notice (5), info (6), or debug +(7). All logs for the specified level and all levels numerically less +than it will be shown. Use \-D debug or \-D 7 for greatest debugging +output. 
The default is notice (5). +.Sp +The syslog facility 'daemon' will be used unless a facility name is +supplied. (Facilities are not supported on windows.) +.Sp +Case is ignored for both facilities and levels. +.IP "\fB\-O\fR a|l|r:option=value[:value]" 4 +.IX Item "-O a|l|r:option=value[:value]" +Set an option on accept/local/remote socket +.Sp +The values for linger option are l_onof:l_linger. The values for time +are tv_sec:tv_usec. +.Sp +\&\fBExamples:\fR +.Sp +\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local +socket +.Sp +\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote +sockets +.Sp +\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the +receive data stream for remote sockets +.Sp +\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default) +.Sp +\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback +interface +.Sp +The available options and their defaults are: + Option Accept Local Remote OS default + SO_DEBUG -- -- -- 0 + SO_DONTROUTE -- -- -- 0 + SO_KEEPALIVE -- -- -- 0 + SO_LINGER -- -- -- 0:0 + SO_OOBINLINE -- -- -- 0 + SO_RCVBUF -- -- -- 87380 + SO_SNDBUF -- -- -- 16384 + SO_RCVLOWAT -- -- -- 1 + SO_SNDLOWAT -- -- -- 1 + SO_RCVTIMEO -- -- -- 0:0 + SO_SNDTIMEO -- -- -- 0:0 + SO_REUSEADDR 1 -- -- 0 + SO_BINDTODEVICE -- -- -- -- + IP_TOS -- -- -- 0 + IP_TTL -- -- -- 64 + TCP_NODELAY -- -- -- 0 +.IP "\fB\-o\fR file" 4 +.IX Item "-o file" +Append log messages to a file. +.IP "\fB\-C\fR cipherlist" 4 +.IX Item "-C cipherlist" +Select permitted \s-1SSL\s0 ciphers +.Sp +A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection. 
+For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 +.IP "\fB\-c\fR" 4 +.IX Item "-c" +client mode (remote service uses \s-1SSL\s0) +.Sp +default: server mode +.IP "\fB\-T\fR" 4 +.IX Item "-T" +transparent proxy mode +.Sp +Re-write address to appear as if wrapped daemon is connecting from the +\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available +only on some operating systems (Linux only, we believe) and then only +in server mode. Note that this option will not combine with proxy mode +(\-r) unless the client's default route to the target machine lies +through the host running stunnel, which cannot be localhost. +.IP "\fB\-p\fR pemfile" 4 +.IX Item "-p pemfile" +private key and certificate chain \s-1PEM\s0 file name +.Sp +A \s-1PEM\s0 is always needed in server mode (by default located in +\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode +will use this key and certificate chain as a client side certificate +chain. Using client side certs is optional. The certificates must be +in \s-1PEM\s0 format and must be sorted starting with the certificate +to the highest level (root \s-1CA\s0). +.IP "\fB\-v\fR level" 4 +.IX Item "-v level" +verify peer certificate +.RS 4 +.IP "\(bu" 8 +level 1 \- verify peer certificate if present +.IP "\(bu" 8 +level 2 \- verify peer certificate +.IP "\(bu" 8 +level 3 \- verify peer with locally installed certificate +.IP "\(bu" 8 +default \- no verify +.RE +.RS 4 +.RE +.IP "\fB\-a\fR directory" 4 +.IX Item "-a directory" +client certificate directory +.Sp +This is the directory in which stunnel will look for certificates when +using the \fI\-v\fR options. Note that the certificates in this directory +should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the +cert. +.IP "\fB\-A\fR certfile" 4 +.IX Item "-A certfile" +Certificate Authority file +.Sp +This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR +options. 
+.IP "\fB\-t\fR timeout" 4 +.IX Item "-t timeout" +session cache timeout +.Sp +default: 300 seconds. +.IP "\fB\-N\fR servicename" 4 +.IX Item "-N servicename" +Service name to use for tcpwrappers. If not specified then a +tcpwrapper service name will be generated automatically for you. This +will also be used when auto-generating pid filenames. +.IP "\fB\-u\fR ident_username" 4 +.IX Item "-u ident_username" +Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking +.IP "\fB\-n\fR proto" 4 +.IX Item "-n proto" +Negotiate \s-1SSL\s0 with specified protocol +.Sp +currently supported: smtp, pop3, nntp +.IP "\fB\-E\fR socket" 4 +.IX Item "-E socket" +Entropy Gathering Daemon socket to use to feed OpenSSL random number +generator. (Available only if compiled with OpenSSL 0.9.5a or higher) +.IP "\fB\-R\fR filename" 4 +.IX Item "-R filename" +File containing random input. The \s-1SSL\s0 library will use data from this +file first to seed the random number generator. +.IP "\fB\-W\fR" 4 +.IX Item "-W" +Do not overwrite the random seed files with new random data. +.IP "\fB\-B\fR bytes" 4 +.IX Item "-B bytes" +Number of bytes of data read from random seed files. With \s-1SSL\s0 +versions less than 0.9.5a, also determines how many bytes of data are +considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions +have a builtin function to determine when sufficient randomness is +available. +.IP "\fB\-I\fR host" 4 +.IX Item "-I host" +\&\s-1IP\s0 of the outgoing interface is used as source for remote connections. +Use this option to bind a static local \s-1IP\s0 address, instead. +.IP "\fB\-d\fR [host:]port" 4 +.IX Item "-d [host:]port" +daemon mode +.Sp +Listen for connections on [host:]port. If no host specified, defaults +to all \s-1IP\s0 addresses for the local host. +.Sp +default: inetd mode +.IP "\fB\-f\fR" 4 +.IX Item "-f" +foreground mode +.Sp +Stay in foreground (don't fork) and log to stderr instead of via +syslog (unless \-o is specified). 
+.Sp +default: background in daemon mode +.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 +.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]" +execute local inetd-type program. +.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 +.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]" +open local pty and execute program. +.IP "\fB\-s\fR username" 4 +.IX Item "-s username" +\&\fIsetuid()\fR to username in daemon mode +.IP "\fB\-g\fR groupname" 4 +.IX Item "-g groupname" +\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups. +.IP "\fB\-P\fR { file | '' }" 4 +.IX Item "-P { file | '' }" +Pid file location +.Sp +If the argument is a filename, then that filename will be used for the +pid. If the argument is empty ('', not missing), then no pid file will +be created. +.IP "\fB\-r\fR [host:]port" 4 +.IX Item "-r [host:]port" +connect to remote service +.Sp +If no host specified, defaults to localhost. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, +use +.PP +.Vb 1 +\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd +.Ve +.PP +In order to let your local e-mail client connect to a \s-1SSL\s0-enabled +\fIimapd\fR service on another server, configure the e-mail client to connect to +localhost on port 119 and use: +.PP +.Vb 1 +\& stunnel \-c \-d 143 \-r servername:993 +.Ve +.PP +If you want to provide tunneling to your \fIpppd\fR daemon on port 2020, +use something like +.PP +.Vb 1 +\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local +.Ve +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR +options, it will set the following environment variables +.IP "\s-1REMOTE_HOST\s0" 4 +.IX Item "REMOTE_HOST" +The \s-1IP\s0 address of the remote end of the connection. 
+.IP "\s-1SSL_CLIENT_DN\s0" 4 +.IX Item "SSL_CLIENT_DN" +The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate, +if a certificate was present and verified. +.IP "\s-1SSL_CLIENT_I_DN\s0" 4 +.IX Item "SSL_CLIENT_I_DN" +The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was +present and verified. +.SH "CERTIFICATES" +.IX Header "CERTIFICATES" +.IP "\(bu" 4 +Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to +the peer. It also needs a private key to decrypt the incoming data. +The easiest way to obtain a certificate and a key is to generate them +with the free \fIopenssl\fR package. You can find more information on +certificates generation on pages listed below. +.Sp +Two things are important when generating certificate-key pairs for +\&\fBstunnel\fR. The private key cannot be encrypted, because the server +has no way to obtain the password from the user. To produce an +unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR +command from the \fIopenssl\fR kit. +.Sp +The order of contents of the \fI.pem\fR file is also important. It should +contain the unencrypted private key first, then a signed certificate +(not certificate request). There should be also empty lines after +certificate and private key. Plaintext certificate information +appended on the top of generated certificate should be discarded. So +the file should look like this: +.Sp +.Vb 8 +\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- +\& [encoded key] +\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- +\& [empty line] +\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +\& [encoded certificate] +\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- +\& [empty line] +.Ve +.SH "RANDOMNESS" +.IX Header "RANDOMNESS" +.IP "\(bu" 4 +\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in +order for \s-1SSL\s0 to use good randomness. 
The following sources are +loaded in order until sufficient random data has been gathered: +.RS 4 +.IP "\(bu" 8 +The file specified with the \fI\-R\fR flag. +.IP "\(bu" 8 +The file specified by the \s-1RANDFILE\s0 environment variable, if set. +.IP "\(bu" 8 +The file .rnd in your home directory, if \s-1RANDFILE\s0 not set. +.IP "\(bu" 8 +The file specified with '\-\-with\-random' at compile time. +.IP "\(bu" 8 +The contents of the screen if running on Windows. +.IP "\(bu" 8 +The egd socket specified with the \fI\-E\fR flag. +.IP "\(bu" 8 +The egd socket specified with '\-\-with\-egd\-sock' at compile time. +.IP "\(bu" 8 +The /dev/urandom device. +.RE +.RS 4 +.Sp +With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading +random data automatically when sufficient entropy has been gathered. +With previous versions it will continue to gather from all the above +sources since no \s-1SSL\s0 function exists to tell when enough data is +available. +.Sp +Note that on Windows machines that do not have console user +interaction (mouse movements, creating windows, etc) the screen +contents are not variable enough to be sufficient, and you should +provide a random file for use with the \fI\-R\fR flag. +.Sp +Note that the file specified with the \fI\-R\fR flag should contain random +data \*(-- that means it should contain different information each time +\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR +flag is used. If you wish to update this file manually, the \fIopenssl +rand\fR command in recent versions of OpenSSL, would be useful. +.Sp +One important note \*(-- if /dev/urandom is available, OpenSSL has a +habit of seeding the \s-1PRNG\s0 with it even when checking the random state, +so on systems with /dev/urandom you're likely to use it even though +it's listed at the very bottom of the list above. This isn't +stunnel's behaviour, it's OpenSSLs. 
+.RE
+.SH "LIMITATIONS"
+.IX Header "LIMITATIONS"
+.IP "\(bu" 4
+\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
+the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
+There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons,
+however.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+.RS 4
+.IP "\fItcpd\fR\|(8)" 8
+.IX Item "tcpd"
+access control facility for internet services
+.IP "\fIinetd\fR\|(8)" 8
+.IX Item "inetd"
+internet ``super\-server''
+.IP "\fIhttps://www.stunnel.org/\fR" 8
+.IX Item "https://www.stunnel.org/"
+Stunnel homepage
+.IP "\fIhttps://www.openssl.org/\fR" 8
+.IX Item "https://www.openssl.org/"
+OpenSSL project website
+.RE
+.RS 4
+.RE
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+.RS 4
+.IP "Michal Trojnara" 8
+.IX Item "Michal Trojnara"
+<\fIMichal.Trojnara@stunnel.org\fR>
+.RE
+.RS 4
+.RE
diff --git a/debian/stunnel4.0stunnel4.ppp.ip-down b/debian/stunnel4.0stunnel4.ppp.ip-down
new file mode 100644
index 0000000..bd093d4
--- /dev/null
+++ b/debian/stunnel4.0stunnel4.ppp.ip-down
@@ -0,0 +1,9 @@
+#!/bin/sh
+# if this script gets called, we assume that the machine has lost
+# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
+# to have a eth connection)
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$PPP_RESTART" != "0" || exit 0
+
+invoke-rc.d stunnel4 restart
diff --git a/debian/stunnel4.0stunnel4.ppp.ip-up b/debian/stunnel4.0stunnel4.ppp.ip-up
new file mode 100644
index 0000000..3b81198
--- /dev/null
+++ b/debian/stunnel4.0stunnel4.ppp.ip-up
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$PPP_RESTART" != "0" || exit 0
+
+
+invoke-rc.d stunnel4 restart
diff --git a/debian/stunnel4.NEWS b/debian/stunnel4.NEWS
new file mode 100644
index 0000000..3d59650
--- /dev/null
+++ b/debian/stunnel4.NEWS
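Review bot: The ip-up hook has no explanation at all while its ip-down twin documents why it restarts rather than stops stunnel4; since the two scripts behave identically, a reader of ip-up alone cannot tell that the restart is intentional or that it is gated on PPP_RESTART from /etc/default/stunnel4. Suggested header after the shebang: `# PPP link is up again: restart (not start) stunnel4 so its tunnels are re-established; a no-op unless PPP_RESTART is enabled in /etc/default/stunnel4`. Note that `restart` will also bring up a stunnel4 that was not running at the time, unless invoke-rc.d's runlevel/policy check refuses it — worth stating if that is the intended behaviour.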
@@ -0,0 +1,112 @@ +stunnel4 (3:5.44-2) unstable; urgency=medium + + The ENABLED option has been removed from the /etc/default/stunnel4 + file and the stunnel4 init script no longer checks for it. Instead, + new installations of the stunnel4 package will not attempt to start + the service immediately after installation, because there are no + valid configuration files yet. + + For existing installations where ENABLED=0 was specified and stunnel + was e.g. only started on demand for certain tunnels, the service will + now need to be explicitly disabled by the following command: + + update-rc.d stunnel4 defaults-disabled + + -- Peter Pentchev <roam@debian.org> Mon, 21 May 2018 18:23:00 +0300 + +stunnel4 (3:5.06-1) unstable; urgency=medium + + There are two major changes in this version of stunnel. + + First, the /usr/bin/stunnel symlink has been switched from stunnel3 + to stunnel4. This should not affect any tools that invoke stunnel + using the stunnel4 name, and it should not affect any Debian packages + that use stunnel. However, any local tools that invoke stunnel with + 3.x-style command-line options instead of a 4.x-style configuration + file should make sure that they use the stunnel3 executable name and + not simply stunnel any more, or they should be converted to use + a 4.x-style configuration file (there is no need to create an actual + file on the filesystem, the configuration may be passed to stunnel + on its standard input using the "-fd 0" command-line option). + + Second, this version DISABLES support for the SSLv2 and SSLv3 protocols! + + If needed, it may be re-enabled by editing the stunnel configuration + file and adding "-NO_SSLv2" or "-NO_SSLv3" respectively to + the "options" setting; see /etc/stunnel/README for an example. 
+ + -- Peter Pentchev <roam@ringlet.net> Thu, 16 Oct 2014 13:56:35 +0300 + +stunnel4 (3:5.01-3) unstable; urgency=medium + + This version temporarily brings back the creation of a default pid + file, /var/run/stunnel4.pid, if there is no "pid" setting in + the configuration file. The reason for this is that the init script + cannot monitor the started stunnel processes if there is no pid file + at all. + + The init script now warns about configuration files that have no + "pid" setting and will thus use the default pid file location. + In the future it will refuse to start with such configurations, so + it would be best to add the "pid" setting to all the *.conf files in + the /etc/stunnel/ directory. + + -- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300 + +stunnel (3:5.01-2) unstable; urgency=medium + + This version DISABLES the RLE compression method, too. This means + that stunnel currently has no compression methods available at all, + since the underlying OpenSSL library does not have any, either. + Tunnel configurations that explicitly set "compression" will NEED + to be modified. + + -- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:04:56 +0300 + +stunnel (3:5.01-1) unstable; urgency=medium + + This version DISABLES the creation of the process ID file and + the use of TCP wrappers for access control by default! + + Tunnel configurations that use PID files (e.g. for monitoring) or + TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) will NEED to be + modified to explicitly specify the 'pidfile' global option or + the 'libwrap' service-level option respectively. + + This version also DISABLES the "zlib" and "deflate" compression + algorithms because they are not supported in the Debian OpenSSL + package since version 1.0.1e-5. The only supported compression + algorithm is "rle". Tunnel configurations that explicitly set + "compression" to something other than "rle" will NEED to be modified. 
+ + -- Peter Pentchev <roam@ringlet.net> Tue, 25 Mar 2014 18:05:11 +0200 + +stunnel (3:4.33-1) experimental; urgency=low + + This version introduces support for reloading the configuration file + and for closing/reopening log files. The init script has been + updated to provide these options, and the default logrotate + configuration has been updated to take advantage of them. + + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 04 Feb 2010 19:52:23 -0800 + +stunnel (3:4.28-1) unstable; urgency=low + + The default behaviour of the logrotate configuration for stunnel4 + has been changed. Instead of restarting stunnel after rotating the + log files we now use the 'copytruncate' keyword. This avoids the + problems associated with the restart, but introduces the possibility + of loosing small amounts of log data. Please see Debian bugs + #535915, #535924 and #323171 for more info. + + -- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 25 Nov 2009 17:12:42 -0800 + +stunnel (2:4.140-5) unstable; urgency=low + + stunnel/stunnel4 binaries are located in /usr/bin instead of + /usr/sbin in order to be FHS compliant (they can be used by normal + user). You need to update your scripts to refer to this new location + + -- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:31:24 +0100 + diff --git a/debian/stunnel4.conf.README b/debian/stunnel4.conf.README new file mode 100644 index 0000000..fb56ac4 --- /dev/null +++ b/debian/stunnel4.conf.README @@ -0,0 +1,10 @@ +Stunnel 4 configuration files. + +Files found under the /etc/stunnel directory that end with .conf are +used by the stunnel4 service as configuration files, and each will be +used to start a daemon process setting up a tunnel with the given +configuration. Note that this directory is initially empty, as the +settings you may want for your tunnels are completely system dependent. + +A sample configuration file with defaults may be found at + /usr/share/doc/stunnel4/examples/stunnel.conf-sample 
diff --git a/debian/stunnel4.default b/debian/stunnel4.default
new file mode 100644
index 0000000..41e9177
--- /dev/null
+++ b/debian/stunnel4.default
@@ -0,0 +1,16 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""
diff --git a/debian/stunnel4.examples b/debian/stunnel4.examples
new file mode 100644
index 0000000..47d44fd
--- /dev/null
+++ b/debian/stunnel4.examples
@@ -0,0 +1,6 @@
+tools/ca.html
+tools/ca.pl
+tools/importCA.html
+tools/importCA.sh
+tools/openssl.cnf
+tools/stunnel.conf-sample
diff --git a/debian/stunnel4.install b/debian/stunnel4.install
new file mode 100644
index 0000000..f5a577a
--- /dev/null
+++ b/debian/stunnel4.install
@@ -0,0 +1 @@
+debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib
diff --git a/debian/stunnel4.links b/debian/stunnel4.links
new file mode 100644
index 0000000..82b6c70
--- /dev/null
+++ b/debian/stunnel4.links
@@ -0,0 +1,2 @@
+/usr/bin/stunnel4 /usr/bin/stunnel
+/usr/share/man/man8/stunnel4.8.gz /usr/share/man/man8/stunnel.8.gz
diff --git a/debian/stunnel4.lintian-overrides b/debian/stunnel4.lintian-overrides
new file mode 100644
index 0000000..06cfbb3
--- /dev/null
+++ b/debian/stunnel4.lintian-overrides
@@ -0,0 +1,2 @@
+# No character arrays anywhere in this .so
+stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
diff --git a/debian/stunnel4.logrotate b/debian/stunnel4.logrotate
new file mode 100644
index 0000000..4e85d61
--- /dev/null
+++ b/debian/stunnel4.logrotate
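Review bot: The header comment says `# /etc/default/stunnel`, but the file is sourced as /etc/default/stunnel4 — both ppp hooks in this commit do `test -f /etc/default/stunnel4 && . /etc/default/stunnel4` — so the first line should read `# /etc/default/stunnel4` to stop people editing the wrong path. The PPP_RESTART comment should also say what it actually gates: `# Set to 1 to let the pppd ip-up/ip-down hooks restart stunnel4 whenever a PPP link comes up or goes down` is clearer than "Change to one to enable ppp restart scripts". Since this file is executed as shell by root, a one-line reminder that only variable assignments belong here would not hurt.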
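Review bot: The override path `usr/lib/stunnel/libstunnel.so` does not match where this commit installs the library: debian/rules removes `usr/lib/$(multiarch_path)/stunnel/libstunnel.la`, so the .so sits under the multiarch triplet directory and lintian would likely still emit hardening-no-stackprotector and, on top, report this override as unused. A wildcard path, `stunnel4: hardening-no-stackprotector usr/lib/*/stunnel/libstunnel.so`, follows the actual install location. The justification comment is the right idea; it could add that the stack protector only instruments functions with local arrays or address-taken locals, which is why this library legitimately has no canary — but confirm that against the real build flags before asserting it.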
@@ -0,0 +1,13 @@
+/var/log/stunnel4/*.log {
+ daily
+ missingok
+ rotate 365
+ compress
+ delaycompress
+ notifempty
+ create 640 stunnel4 stunnel4
+ sharedscripts
+ postrotate
+ /etc/init.d/stunnel4 reopen-logs > /dev/null
+ endscript
+}
diff --git a/debian/stunnel4.manpages b/debian/stunnel4.manpages
new file mode 100644
index 0000000..807dc48
--- /dev/null
+++ b/debian/stunnel4.manpages
@@ -0,0 +1,3 @@
+doc/stunnel4.8
+doc/stunnel4.pl.8
+debian/stunnel3.8
diff --git a/debian/tests/certs/certificate.pem b/debian/tests/certs/certificate.pem
new file mode 100644
index 0000000..dfd8cd0
--- /dev/null
+++ b/debian/tests/certs/certificate.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgIJAPFcHvXjRYbZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
+BAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwGA1UEBwwFU29maWExEDAOBgNVBAoM
+B1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzA2MTIyMzAzMjdaFw0y
+NzA2MTAyMzAzMjdaMFMxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
+A1UEBwwFU29maWExEDAOBgNVBAoMB1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9z
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp0QYS6IZ1To2h68NcZ
+zmnAQfzodFcD7Lhp2CcDOBXRrKfPq1NUqUXMGvcHcPbmT84W2OGGfh11MKvksuof
+4+juU4+1uujPJoOmREi7WjVzEVWUftvFUqeTigFz96EMsVui4UbTUxX6ACIsXXwg
+v1b/rpyVZJvTucKsyP5ml5OXaPFe5mXUQtdaJsjpV4ikq4O9vcYdMt0Y8IVbxpCO
+5CryW3KUHzBUS7uqO2nbLXZBOkJHCgxDawAlTeDRW/uJOl7nnSUgo0HiojG4qhY6
+spYmQ9ijtj1vX5H2tsf97rZCbU5JMFqX8XcJgTWKTYHlxkBYbB6QkPyhiOXDo/M/
+oJ8CAwEAAaNTMFEwHQYDVR0OBBYEFPwfXq4qd8stmvstPC3QdFL716XRMB8GA1Ud
+IwQYMBaAFPwfXq4qd8stmvstPC3QdFL716XRMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBADkuMAUB2Uyx23oN9ZxZsAWOdJoSUIWs4qxc5eQ/qjj7
+64zm62ZaVc8F6AyMYxHZvOKxvN/Pg19dSZelvTpgSqXLbirstRgsBCIXO2q6UYo2
+BUpZovZ4DOll+sAbmrZJRDiVO1XeCqqjr0v0I7NfJ5r31K1tfaZxGovUdC+M3xJ6
+yRrFWfF+EdlvVRFQt97mZXtcTDFWk7+CT6fgfLnCxTuMcSNtzM60FCBS5wz0MPSA
+BGje1qXUMzwN2T0aDyxWNRdvFGMHC8Z23EOa3roK+NybS2PVAu7MpxDTBZdHSGtG
+5wqY6fq5kww8OI9AlPNYVtqXrFrF6Lj5m/jhUHcAIUU=
+-----END CERTIFICATE-----
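Review bot: This self-signed fixture appears, from the decoded validity field, to expire on 2027-06-10, so if debian/tests/runtime has the stunnel client verify this certificate the autopkgtest will start failing on that date with no code change; it also appears to carry basicConstraints CA:TRUE for CN=localhost, which is fine for a test but should be written down. Generating the pair at test time, e.g. `openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost -keyout key.pem -out certificate.pem`, removes the time bomb entirely; failing that, record the expiry date in debian/tests/control or a README next to the certs so the eventual failure is diagnosable.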
diff --git a/debian/tests/certs/key.pem b/debian/tests/certs/key.pem new file mode 100644 index 0000000..d65c321 --- /dev/null +++ b/debian/tests/certs/key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKdEGEuiGdU6No +evDXGc5pwEH86HRXA+y4adgnAzgV0aynz6tTVKlFzBr3B3D25k/OFtjhhn4ddTCr +5LLqH+Po7lOPtbrozyaDpkRIu1o1cxFVlH7bxVKnk4oBc/ehDLFbouFG01MV+gAi +LF18IL9W/66clWSb07nCrMj+ZpeTl2jxXuZl1ELXWibI6VeIpKuDvb3GHTLdGPCF +W8aQjuQq8ltylB8wVEu7qjtp2y12QTpCRwoMQ2sAJU3g0Vv7iTpe550lIKNB4qIx +uKoWOrKWJkPYo7Y9b1+R9rbH/e62Qm1OSTBal/F3CYE1ik2B5cZAWGwekJD8oYjl +w6PzP6CfAgMBAAECggEAf+TrUuamv5WLoEAyDyCdVg7/YL6UaDfxfhpXU2XkM1xu +vuAg8haEjLRAwJdx1HdwKNgkEGx/FSroIV7ra53Tw11zalC6j8H1KauKbYv1k9hq +Ne8GKN3Btl0tDHfvEk1LaYE+4Rg036g8F1qBgB3L4jDJZN+3W/1n10SCALxcuv4G +XMJOcrhW3KBlEJpIBhz+ROPeiZX8VwB2iK7jg0Bebh7XuNFCFOiFqq6UfFRNeGBi +Ca9rZdUP0YmxNPEXzGu1TEv1edX0Nf3jRKERQrZ3Sg6ogPcqQSQ1VP052Hc0Tqpl +akrRrVMfbbQQIMc9JrxJmXb7/OHeS1R50Ci5x7weoQKBgQDwYSGSypJl6lWpgrm6 +5HuIem0AK9gmOAyiR0UdjMwVybeHhcldK8ABFcsdUt7v84+kCKkRhEX//QWjowMF +0OJ2i7Y1VbdyNd7exPW5zmYAiBX+oR3JKMekjPRCUamg5P2fSrVqDHvz7WU7hoQb +0jcIu8kwtPjw5uz13OWWbmEjTwKBgQDXnDZ0nQoXUO8VkNYaWQzukIcKdB71v2DZ +KiaJvPFjTGPUwwd/kEcU7/wMet4UKff4XjOaX+f2tFZm+vrYs6RfqnLlRFlkhKJZ +HColltm8KV6w+LnwkPUuY4HnDJepU6eBC2wtGPU1n1YXCwgDL+MTIpLFuveQ9w/N +wTRP3USZsQKBgDy9Tm55IWT/QYYDskq3UT+7L6/LZGLD5u1adOxyl18qCWYFOEyC +sZGUoC5YslyPfsxEI/R5J/b3SGWA21Ks5Yxu4Su47RG+6wH/YtgAf2XC/UvKCmy6 +EThTJaVcXTB6rFuD1TNm1Cte4SWZZ+hfxeg/CydzkzPMJjQ6DQll+sWhAoGBAKJj +tV//JyqIeonznE4b4/GKSStGaksM6RSm+n+jHut7DXWhrnQVZnQOi/eaUsk9Etat +nJAYy8yz5p+JSIUOSC8FYaPr5qgefWhAHj5Rb4yYXAlOTD0z8HYP3Db49QFDUFWR +FNiig4zvhRe150L/PjebQpBKUUuNyQlfCtdb/98BAoGARMZNl+0FEzw714ataoWk +1IPoe7oIzaoYTqPcpQT0AGOdfYRS3ffJFe2Foa0K7MVyxNA/OjyheYVtD2IgmoTv +WkRr6xM4nphza595yB5q+psKwOdQvP5XsyiJOXDixzn+yFIqrdQlmBNZHT1z/jwr +oBRWtTVO2aX5pBUjvBu3eQ0= +-----END PRIVATE KEY----- 
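Review bot: A private key committed to the packaging repository should be unmistakably labelled as a throwaway test credential; OpenSSL's PEM reader skips text before the `-----BEGIN` line, so a leading line such as `Test-only RSA key for debian/tests (CN=localhost); not a secret, never install or reuse` costs nothing, provided the test's loader tolerates it too. Nothing in this commit installs debian/tests/certs — stunnel4.install lists only StunnelConf-0.1.pl — which is correct, and the label helps keep it that way when someone later copies the fixture around.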
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..ca7328f
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,12 @@
+Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime
+Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl, libunicode-utf8-perl
+Restrictions: allow-stderr
+Features: test-name=debian-perl
+
+Test-Command: debian/tests/upstream
+Depends: @, netcat-traditional, net-tools
+Features: test-name=upstream
+
+Test-Command: adequate stunnel4
+Depends: @, adequate
+Features: test-name=adequate
diff --git a/debian/tests/runtime b/debian/tests/runtime
new file mode 100755
index 0000000..5e856df
--- /dev/null
+++ b/debian/tests/runtime
@@ -0,0 +1,650 @@
+#!/usr/bin/perl
+
+use v5.14;
+use strict;
+use warnings;
+
+use AnyEvent;
+use AnyEvent::Handle;
+use AnyEvent::Socket qw(tcp_connect tcp_server);
+use AnyEvent::Util qw(portable_socketpair);
+use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
+use IO::Handle;
+use Path::Tiny 0.097;
+use POSIX qw(WNOHANG);
+use Socket;
+
+# AnyEvent's TLS support seems to require this...
+use threads;
+
+my %children;
+my $child_reaper_w;
+
+my $greeting = 'Well hello there!';
+
+sub reap_leftover_children();
+sub child_reaper();
+
+sub register_child_reaper()
+{
+ $child_reaper_w = AnyEvent->signal(
+ signal => 'CHLD',
+ cb => \&child_reaper,
+ );
+ $SIG{__DIE__} = sub {
+ my ($msg) = @_;
+ warn "__DIE__ handler invoked: ".($msg =~ s/[\r\n]*$//sr)."\n";
+ reap_leftover_children;
+ };
+}
+
+sub unregister_child_reaper()
+{
+ undef $child_reaper_w;
+}
+
+sub child_reaper()
+{
+ while (1) {
+ my $pid = waitpid -1, WNOHANG;
+ my $status = $?;
+
+ if (!defined $pid) {
+ die "Could not waitpid() in a SIGCHLD handler: $!\n";
+ } elsif ($pid == 0 || $pid == -1) {
+ last;
+ } else {
+ $children{$pid}{cv} //= AnyEvent->condvar;
+ $children{$pid}{cv}->send($status);
+ }
+ }
+}
+
+sub register_child($ $)
+{
+ my ($pid, $desc) = @_;
+
+ # Weird, but we want it to be at least reasonably atomic-like
+ $children{$pid}{cv} //= AnyEvent->condvar;
+
+ my $ch = $children{$pid};
+ $ch->{pid} = $pid;
+ $ch->{desc} = $desc;
+}
+
+sub dump_children()
+{
+ join '', map {
+ my $ch = $children{$_};
+
+ "\t$ch->{pid}\t".
+ ($ch->{cv}->ready
+ ? $ch->{cv}->recv
+ : '(none)'
+ ).
+ "\t$ch->{desc}\n"
+ } sort { $a <=> $b } keys %children
+}
+
+sub wait_for_child($)
+{
+ my ($pid) = @_;
+
+ if (!defined $children{$pid}) {
+ die "Internal error: wait_for_child() invoked for ".
+ "unregistered pid $pid\n".dump_children;
+ }
+ my $status = $children{$pid}{cv}->recv;
+ delete $children{$pid};
+ return $status;
+}
+
+sub reap_leftover_children()
+{
+ say 'Oof, let us see if there are any children left';
+ if (!%children) {
+ say 'Everyone has been accounted for; great!';
+ return;
+ }
+
+ for my $pid (keys %children) {
+ my $ch = $children{$pid};
+ if ($ch->{cv}->ready) {
+ my $status = wait_for_child $pid;
+ say "Hm, child $pid seems to have finished already, status $status";
+ }
+ }
+ if (!%children) {
+ say 'Everyone has actually been accounted for; great!';
+ return;
+ }
+
+ for my $pid (keys %children) {
+ say "Pffth, sending a SIGKILL to $pid";
+ kill 'KILL', $pid;
+ }
+ for my $pid (keys %children) {
+ my $ch = $children{$pid};
+ if ($ch->{cv}->ready) {
+ wait_for_child $pid;
+ say "OK, $pid done";
+ }
+ }
+ # Bah, figure out some way to let the loop run even if we're within the loop...
+ if (%children) {
+ say 'Some children remaining, laying low for a second...';
+ sleep 1;
+ for my $pid (keys %children) {
+ say "- waiting for $pid ($children{$pid}{desc})";
+ wait_for_child $pid;
+ say "- OK, $pid done";
+ }
+ }
+ if (%children) {
+ say 'Something really weird happened, why are there still children around?';
+ say dump_children;
+ }
+}
+
+sub close_on_exec($ $)
+{
+ my ($fh, $close) = @_;
+
+ my $flags = fcntl $fh, F_GETFD, 0 or
+ die "Could not obtain a file descriptor's flags: $!\n";
+ my $nflags = $close
+ ? ($flags | FD_CLOEXEC)
+ : ($flags & ~FD_CLOEXEC);
+ fcntl $fh, F_SETFD, $nflags or
+ die "Could not set a file descriptor's flags: $!\n";
+}
+
+sub anyevent_socketpair($)
+{
+ my ($name) = @_;
+ my ($fh1, $fh2) = portable_socketpair;
+ if (!defined $fh1) {
+ die "Could not create the $name socketpair: $!\n";
+ }
+ $fh1->autoflush(1);
+ $fh2->autoflush(1);
+ return (AnyEvent::Handle->new(fh => $fh1), AnyEvent::Handle->new(fh => $fh2));
+}
+
+sub find_listening_port($ $ $ $ $)
+{
+ my ($address, $port_start, $step, $count, $cb) = @_;
+
+ my $res;
+ my $port = $port_start;
+ for (1..$count) {
+ eval {
+ $res = tcp_server $address, $port, $cb;
+ };
+ last if $res;
+ say "Could not listen on $address:$port: $@";
+ $port += $step;
+ }
+ if (!defined $res) {
+ die "Could not find a listening port on $address\n";
+ }
+ return ($port, $res);
+}
+
+my %conns;
+
+sub register_client_connection($)
+{
+ my ($fh) = @_;
+
+ my $sockaddr = getsockname $fh;
+ if (!defined $sockaddr) {
+ die "Could not obtain the local address of the just-connected socket: $!\n";
+ }
+ my ($port, $addr_num) = sockaddr_in $sockaddr;
+ if (!defined $port || !defined $addr_num) {
+ die "Could not decode the address and port from a sockaddr_in structure: $!\n";
+ }
+ my $addr = inet_ntoa $addr_num;
+ if (!defined $addr) {
+ die "Could not decode a numeric address: $!\n";
+ }
+
+ my $id = "$addr:$port";
+ $conns{$id}{cv} //= AnyEvent->condvar;
+ $conns{$id}{fh} //= $fh;
+ return $id;
+}
+
+sub await_client_connection($ $; $)
+{
+ my ($lis_main, $cv, $skip_register) = @_;
+
+ my $die = sub {
+ warn "@_";
+ $cv->send(undef);
+ };
+
+ $lis_main->rtimeout(10);
+ $lis_main->on_rtimeout(sub { $die->("The listener's accept message timed out\n") });
+ $lis_main->push_read(line => sub {
+ my ($handle, $line) = @_;
+
+ if ($line !~ m{^ accept \s+ (?<id> \S+ ) $}x) {
+ return $die->("The accept server did not send an 'accept' message: $line\n");
+ }
+ my ($id) = $+{id};
+ $conns{$id}{cv} //= AnyEvent->condvar unless $skip_register;
+
+ $lis_main->rtimeout(10);
+ $lis_main->on_rtimeout(sub { $die->("The listener's close message timed out\n") });
+ $lis_main->push_read(line => sub {
+ my ($handle, $line) = @_;
+
+ if ($line !~ m{^ close \s+ (?<id> \S+ ) $}x) {
+ return $die->("The accept server did not send an 'close' message: $line\n");
+ }
+ my ($cid) = $+{id};
+ if ($cid ne $id) {
+ return $die->("The accept server's 'close' message had id '$cid' instead of the accepted one '$id'\n");
+ }
+ $lis_main->rtimeout(0);
+ $cv->send($id);
+ });
+ });
+}
+
+sub adopt_client_connection($ $)
+{
+ my ($id, $opts) = @_;
+
+ my $w;
+ my $do_close = sub {
+ my ($err) = @_;
+ $w->push_shutdown;
+ $w->destroy;
+ undef $w;
+ undef $conns{$id}{handle};
+ #close $conns{$id}{fh};
+ if (defined $err) {
+ warn "$err\n";
+ $conns{$id}{cv}->send(undef);
+ } else {
+ $conns{$id}{cv}->send(1);
+ }
+ };
+ $w = AnyEvent::Handle->new(
+ fh => $conns{$id}{fh},
+
+ %{$opts}, # TLS or something?
+
+ on_error => sub {
+ my ($handle, $fatal, $message) = @_;
+
+ if (!$fatal) {
+ warn "A non-fatal error occurred reading from the $id connection: $message\n";
+ } else {
+ $do_close->("A fatal error occurred reading from the $id connection: $message");
+ }
+ },
+
+ rtimeout => 10,
+ on_rtimeout => sub {
+ $do_close->("Reading from the $id connection timed out");
+ },
+ );
+
+ $w->push_read(line => sub {
+ my ($handle, $line) = @_;
+ $w->rtimeout(0);
+ if ($line ne $greeting) {
+ $do_close->("The $id connection sent us a line that was not the greeting: expected '$greeting', got '$line'");
+ } else {
+ $do_close->(undef);
+ }
+ });
+
+ $conns{$id}{handle} = $w;
+}
+
+sub client_connect($ $ $)
+{
+ my ($address, $port, $cv) = @_;
+
+ return tcp_connect $address, $port, sub {
+ my ($fh) = @_;
+ if (!defined $fh) {
+ die "Could not connect to the cleartext listening socket on $address:$port: $!\n";
+ }
+ my $id = register_client_connection $fh;
+ say "Connected to $address:$port, local $id";
+ $cv->send($id);
+
+ adopt_client_connection($id, { tls_ctx => { dh => 'schmorp2048', }, });
+ };
+}
+
+MAIN:
+{
+ my $stunnel = $ENV{TEST_STUNNEL} // 'stunnel4';
+ my $test_done = AnyEvent->condvar;
+
+ my ($certsdir, $certfile, $keyfile);
+ for my $name (qw(certs debian/tests/certs)) {
+ my $dir = path($name);
+ if (-d $dir) {
+ $certfile = $dir->child('certificate.pem');
+ $keyfile = $dir->child('key.pem');
+ if (-f $certfile && -f $keyfile) {
+ $certsdir = path($dir);
+ last;
+ }
+ }
+ }
+ die "Could not locate the test certificates directory\n" unless defined $certsdir;
+ say "Found the certificate at $certfile and the private key at $keyfile";
+
+ my $tempdir = Path::Tiny->tempdir;
+ say "Using the $tempdir temporary directory";
+
+ register_child_reaper;
+
+ {
+ say 'About to get the stunnel version information';
+ pipe my $s_in, my $s_out or die "Could not create an fd pair: $!\n";
+ close_on_exec $s_in, 0;
+ close_on_exec $s_out, 0;
+
+ my $pid = fork;
+ if (!defined $pid) {
+ die "Could not fork for stunnel: $!\n";
+ } elsif ($pid == 0) {
+ open STDERR, '>&', $s_out or
+ die "Could not reopen stderr in the child process: $!\n";
+ close STDIN or
+ die "Could not close stdin in the child process: $!\n";
+ close STDOUT or
+ die "Could not close stdout in the child process: $!\n";
+ close $s_in or
+ die "Could not close the reader fd in the child process: $!\n";
+
+ exec $stunnel, '-version';
+ die "Could not execute '$stunnel': $!\n";
+ }
+ register_child $pid, "$stunnel -version";
+ close $s_out or
+ die "Could not close the writer fd in the parent process: $!\n";
+
+ my ($got_version, $before_version) = (undef, '');
+ my $eof = AnyEvent->condvar;
+ my $f_out = AnyEvent->io(
+ fh => $s_in,
+ poll => 'r',
+ cb => sub {
+ my $line = <$s_in>;
+
+ if (!defined $line) {
+ $eof->send($got_version);
+ } elsif (!$got_version) {
+ if ($line =~ m{^
+ stunnel \s+
+ (?<version> \d+ \. \S+)
+ \s+ on \s+
+ }x) {
+ $got_version = $+{version};
+ } else {
+ $before_version .= $line;
+ }
+ }
+ });
+ $eof->recv;
+
+ if ($before_version ne '') {
+ warn "stunnel produced output before the version number:\n$before_version\n";
+ }
+ if (!defined $got_version) {
+ die "Could not get the stunnel version number\n";
+ }
+ say "Got stunnel version $got_version";
+
+ my $status = wait_for_child $pid;
+ if ($status != 0) {
+ die "stunnel -version did not exit successfully, status $status\n";
+ }
+ }
+
+ my ($lis_listener, $lis_main) = anyevent_socketpair 'listener';
+ my $listen_address = '127.0.0.1';
+ my %listen_clear_conns;
+ my ($listen_clear_port, $listen_clear) = find_listening_port $listen_address, 6502, 200, 100, sub {
+ my ($fh, $host, $port) = @_;
+ my $id = "$host:$port";
+
+ say "Accepted a connection from $id";
+ $lis_listener->push_write("accept $id\n");
+ my $w;
+ my $do_close = sub {
+ $w->destroy;
+ delete $listen_clear_conns{$id};
+ };
+ $w = AnyEvent::Handle->new(
+ fh => $fh,
+
+ on_error => sub {
+ my ($handle, $fatal, $message) = @_;
+
+ warn "A ".($fatal ? 'fatal' : 'non-fatal').
+ "error occurred writing to the $id connection: $message\n";
+ $do_close->();
+ },
+
+ timeout => 10,
+ on_timeout => sub {
+ my ($handle) = @_;
+
+ warn "Writing to the $id connection timed out\n";
+ $do_close->();
+ },
+
+ on_read => sub {
+ my ($handle) = @_;
+
+ warn "The $id connection sent data to the server?!\n";
+ $do_close->();
+ },
+
+ on_eof => sub {
+ my ($handle) = @_;
+
+ say "Got an eof from $id, all seems well";
+ $do_close->();
+ $lis_listener->push_write("close $id\n");
+ },
+ );
+ $w->push_write("$greeting\n");
+ $w->push_shutdown;
+ $listen_clear_conns{$id} = $w;
+ };
+ say "Listening for cleartext connections on $listen_address:$listen_clear_port";
+
+ {
+ my $listener_test_id_cv = AnyEvent->condvar;
+ my $check_listen_clear = client_connect $listen_address, $listen_clear_port, $listener_test_id_cv;
+ my $id = $listener_test_id_cv->recv;
+ if (!defined $id) {
+ die "Could not connect to the cleartext server\n";
+ }
+ say "Got a local connection id $id";
+ my $listener_test_done = AnyEvent->condvar;
+ await_client_connection $lis_main, $listener_test_done;
+ say 'Waiting for the server to acknowledge a completed client connection';
+ my $sid = $listener_test_done->recv;
+ if (!defined $sid) {
+ die "The listener did not acknowledge the connection\n";
+ } elsif ($sid ne $id) {
+ die "The listener did not acknowledge the same connection: expected '$id', got '$sid'\n";
+ }
+ say 'Waiting for the client connection itself to report completion';
+ my $res = $conns{$id}{cv}->recv;
+ if (!defined $res) {
+ die "The client connection did not complete the chat with the cleartext server\n";
+ }
+ say 'Looks like we are done with the test cleartext connection!';
+ }
+
+ my $st_server_port;
+ {
+ my $dummy;
+ ($st_server_port, $dummy) = find_listening_port $listen_address, 8086, 200, 100, sub {
+ my ($fh) = @_;
+ say "Eh, we really didn't expect a connection here, did we now...";
+ $fh->close;
+ };
+ say "Got listening port $st_server_port for the stunnel server";
+ undef $dummy;
+ say 'Let us hope this was enough to get stunnel to listen there...';
+ }
+
+ my ($st_pid, $st_logfile);
+ {
+ my $st_config = $tempdir->child('stunnel.conf');
+ $st_logfile = $tempdir->child('stunnel.log');
+ my $st_pidfile = $tempdir->child('stunnel.pid');
+ $st_config->spew_utf8(<<"EOCONF") or die "Could not create the $st_config stunnel config file: $!\n";
+pid = $st_pidfile
+foreground = yes
+output = $st_logfile
+
+cert = $certfile
+key = $keyfile
+
+[test]
+accept = $listen_address:$st_server_port
+connect = $listen_address:$listen_clear_port
+EOCONF
+ say "Created the stunnel config file $st_config:\n======\n".$st_config->slurp_utf8.'======';
+
+ $st_pid = fork;
+ if (!defined $st_pid) {
+ die "Could not fork for the stunnel server: $!\n";
+ } elsif ($st_pid == 0) {
+ my @cmd = ($stunnel, $st_config);
+ exec { $cmd[0] } @cmd;
+ die "Could not execute '@cmd': $!\n";
+ }
+ say "Started the stunnel server, pid $st_pid";
+ register_child $st_pid, "stunnel server ($listen_address:$st_server_port)";
+ }
+
+ {
+ for my $iter (1..10) {
+ say "Trying a connection through stunnel, iteration $iter";
+
+ my $st_conn_cv = AnyEvent->condvar;
+ my $st_conn;
+ {
+ my $st_conn_attempts = 10;
+ my $st_conn_timer;
+ $st_conn_timer = AnyEvent->timer(after => 0.1, interval => 1, cb => sub {
+ say "Trying to connect to the stunnel server at $listen_address:$st_server_port";
+ $st_conn = tcp_connect $listen_address, $st_server_port, sub {
+ my ($fh) = @_;
+ if (!defined $fh) {
+ # FIXME: Eh, well, reschedule, right?
+ say "Could not connect to $listen_address:$st_server_port: $!";
+ if ($children{$st_pid}{cv}->ready) {
+ say 'Err, the stunnel process seems to have terminated';
+ undef $st_conn_timer;
+ $st_conn_cv->send(undef);
+ return;
+ }
+ $st_conn_attempts--;
+ if ($st_conn_attempts == 0) {
+ say 'Time after time...';
+ undef $st_conn_timer;
+ $st_conn_cv->send(undef);
+ return;
+ }
+ say 'Will retry in a little while';
+ return;
+ }
+ say '...connected!';
+ $st_conn_timer = undef;
+ $st_conn_cv->send($fh);
+ };
+ });
+ }
+
+ my $st_conn_fh = $st_conn_cv->recv;
+ if (!defined $st_conn_fh) {
+ my $log_text = (-f $st_logfile)
+ ? "$st_logfile contents:\n".$st_logfile->slurp_utf8
+ : "(no log information)";
+ $log_text .= "\n" unless $log_text =~ /\n\Z/ms;
+ die "Could not connect to the stunnel service:\n$log_text";
+ }
+ my $id = register_client_connection $st_conn_fh;
+ say "Registered a client connection as $id";
+ adopt_client_connection $id, {
+ tls => 'connect',
+ tls_ctx => { dh => 'schmorp2048', },
+ };
+ say 'Waiting for the cleartext listener to receive this connection';
+ my $stunnel_test_done = AnyEvent->condvar;
+ await_client_connection $lis_main, $stunnel_test_done, 1;
+ my $sid = $stunnel_test_done->recv;
+ if (!defined $sid) {
+ die "The listener did not acknowledge the connection\n";
+ } elsif ($sid eq $id) {
+ die "The listener reported the same connection ID '$id'?!\n";
+ }
+ say "The server reported a completed connection: $sid";
+ my $res = $conns{$id}{cv}->recv;
+ if (!defined $res) {
+ die "The connection to stunnel did not report a successful chat\n";
+ }
+ say "The stunnel connection seems to have gone through for iteration $iter";
+ }
+ }
+
+ {
+ say "Trying to stop stunnel at pid $st_pid";
+ kill 'TERM', $st_pid or
+ die "Could not send a terminate signal to the stunnel at pid $st_pid: $!\n";
+ my $status = wait_for_child $st_pid;
+ if ($status != 0) {
+ die "The stunnel process terminated with exit status $status\n";
+ } else {
+ say 'The stunnel process terminated successfully';
+ }
+ }
+
+ {
+ say 'Checking for leftover children';
+
+ if (%children) {
+ # Our 'die' handler will kill and reap them.
+ die "Child processes left over:\n".
+ dump_children;
+ } else {
+ say 'No child processes left over';
+ }
+
+ unregister_child_reaper;
+ };
+
+ {
+ say 'Making sure the AnyEvent loop is still sane';
+
+ if ($test_done->ready) {
+ die "The AnyEvent loop raised the flag prematurely\n";
+ }
+
+ $test_done->send(42);
+ my $res = $test_done->recv;
+ if ($res != 42) {
+ die "The AnyEvent loop does not seem to be quite alive and sane, got a result of '$res' instead of 42\n";
+ }
+ say 'Fine!';
+ };
+}
diff --git a/debian/tests/upstream b/debian/tests/upstream
new file mode 100755
index 0000000..638b820
--- /dev/null
+++ b/debian/tests/upstream
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+ln -s /usr/bin/stunnel4 src/stunnel
+
+cd tests
+if ! ./make_test; then
+ printf '\n\n=== Some tests failed; here are all the logs...\n\n' 1>&2
+ for fname in logs/*.log; do
+ printf -- '\n\n=== %s\n\n' "$fname" 1>&2
+ cat -- "$fname" 1>&2
+ done
+ false
+fi
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..d746dd7
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,5 @@
+Name: stunnel
+Bug-Submit: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
+Contact: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
+FAQ: https://www.stunnel.org/faq.html
+Security-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..50bf0cc
--- /dev/null
+++ b/debian/upstream/signing-key.asc
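Review bot: The TLS client in the retry loop, `adopt_client_connection $id, { tls => 'connect', tls_ctx => { dh => 'schmorp2048', }, };`, performs no peer verification, so the test passes against any TLS endpoint on that port and would not notice stunnel serving something other than $certfile; if certificate.pem is self-signed, `tls_ctx => { dh => 'schmorp2048', verify => 1, ca_file => "$certfile" }` pins the round-trip to the fixture. The `$SIG{__DIE__}` handler installed by register_child_reaper also runs for the `die` that find_listening_port deliberately catches in its `eval` when a port is busy, so reap_leftover_children is invoked (and would SIGKILL any registered child) on an expected, handled exception; begin the handler with `return if $^S;`. Separately, the cleartext listener's on_error callback joins `'non-fatal').` to `"error occurred writing ..."` with no separating space, yielding "A fatalerror occurred"; the second string should read `" error occurred writing to the $id connection: $message\n"`.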
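Review bot: `ln -s /usr/bin/stunnel4 src/stunnel` runs under `set -e` and aborts the whole test before make_test starts if src/stunnel already exists (a rerun in the same tree, or a tree where the binary was built); `ln -sf /usr/bin/stunnel4 src/stunnel` makes the step idempotent. The failure-report loop `for fname in logs/*.log` also iterates over the literal pattern when no log was written, so `cat` then fails under `set -e` and the summary is cut short; `[ -e "$fname" ] || continue` as the first statement of the loop avoids that. Whether make_test needs a built tree cannot be told from this page.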
@@ -0,0 +1,111 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0 +hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf +ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S +fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY +kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX +1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8 +rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn +RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN +Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E +sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk +4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB +tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+ +iQI4BBMBAgAiBQJU1Q1lAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCx +BIky3Tqqo71TEACWO31ZIOrknCsgmE90Q0yBPYD8CA8aM9OLO9qVYRR+SKQ6VAFn +/qWCoG/z3aMOUJJFDMmBDTSiGZ43jReQVc1PvoNUKFXkD13vrDNGg+IMr+jefjy/ +RkFC5rdIAOzl6nMRFH5D/KDtvuXUGfjaN9NorCyv5acOa6GinTFANHYW79DSvt0d +aTG0RFimVTKtAh8oxxBGGUvZ/60SJT5I3pwKKX5t6t+LaUgUz/55p5j36dyhZTmk +X6jVyczkfjBwy9i2jD8kZ1w+EQOPGy1hHCHaaN5ku3Bh4hiZrlh8ncpipOMeOJ5Y +71Cze/JROyu3jkR/59LuPJLbUkwNPZXuMM+D4EY19NWKqWFgcsjaF5juS36xgblQ +odAOXBZcnzH14bxlRElWNLhMib+piIL0BaK2cpplwJ+bzQRkyWzqrl5xu/AeE/fQ +BdeRxL1jg4e9Ozei4Pkz0acoxIg2mdR6b36UpOWKvBQYZ8m4TbsWBRrDjcxKeul7 +ObsodFoGTteRxqN9glhNd+n5bJAesGzUN86e3NmCoxCUQMaKlrMEVUMwaaSOVWYN +CfwXSe42dK2ZrV4psIYIwfktTkF60N3KeBbTs7/HhS/R229+lQCL90bcKRiv2Szc +vqR6v78xnbnANm0SX/b6M7xNBf8lWXwS9TlR9AzA4XC7FqNLYTMGV56TmLQrTWlj +aGHFgiBUcm9qbmFyYSA8TWljaGFsLlRyb2puYXJhQG1pcnQubmV0PokCOAQTAQIA +IgUCVNTpjAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQsQSJMt06qqOP +9Q/+MNv7sHcx1y4xH4iysPmjL+ABTonZeUIW/j1Mlgve8jxta7ApuDm0WIgMQd/p +WgjG88g/2hSs1DRmuo67pP+v3l+HgmhQaqQe9XoaQHyygfrDwGEKAjA5++6hg88X +F5GNuchUoY2wHCLByuxdaaT9wDSUGHzj+VlQYcaVqry/u8+wRhuxr89avh7nebj2 
+Dw1qkIuR6+wuaYAU19mazzmdnDLh/3rYHT7vVJt751JHyx4fnJtKI7eDWxpSGfhc +K63SWtHToJKg4jbdIZMORVVvOetpRbPvF8qoR32LZSfF/rPJtNhWgcsLUCpZn6Ey +G6jigx8mhY2WupRNHutSES+qKNffCMi7fbpQfl4wJqzlNxJJK1zGu2ox255l+fXJ +eQJh7fvvcNieuQApKhOL+mOz1fyRnUhx/GjGncOmCgZldTLEF8DeHuuluXgFlDXJ +cX6poh7vyt3uJ14SCyiV1cLnXmCoxXRmQNlb4zTGoAvfOw/DFH3EzQ44dK/Z1HOI +fJeYILxe+JP2E8TNXUvr/wck12yQ8kaqFzHSQBcV+0S49+pIpoK475LVrOs6S9Jj +hMt4WVfX4PY+IE8wGnZyJw1gvPXdk1P98lHR/Fv0WG/kWiemrDXPM1tjnIas6EGm +zxT/iywGF4tdsVHviETVgRGpKHgEtB/hwsCeGUTAmHDbXQS0L01pY2hhxYIgVHJv +am5hcmEgPE1pY2hhbC5Ucm9qbmFyYUBtb2JpLWNvbS5uZXQ+iQI4BBMBAgAiBQJU +1Q03AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCxBIky3TqqoyVkEACt +MHa7x5PQ0ZNJ8TrvVd/VrT5USuHwwFwnnsYUNzSc95gSwSEaPC3xwgs9cX3VRmOw +b3IiCQQ7R0EamH/ydmZnlesbCsnamLl6dEmzS284lnnMd5X0wep2qq3SlS1z+5wW +4ZnoodX98E7RyecjMYPLH+uAqGqg3nHG8eOpoSDMvIOJtOIvDc9Y6tbNsBbeKbOC +yB7A08TMzVqayQvXzm6QShHTicra69oqIzhmu2zII3ZWVwkfEGweuN0vdocoXiqr +entcyF3KLUX/LooDzdCAxuoJdovg41E69rXEWF//IP5XBT0LUDTzqwmBe7nOfoJF +2RAHn3ySogdL6WNSGaH5B5NK1jGflj/Hr/HBHIYYx820P4aEXSyxbLQW1F0HWlAA +Q9+EmjJssbv7cIq2DV2Ls3AOeY0GAWhTdvUVdVpOG+TuWRUi61XwjWPfvrJDH8ME +oLRb2MhNRffle8hSdF8TP4CO1TCxtSFs0NXT1I/HazvacHzvbXspFDJvbYJsy+pR +vOsf2QCcY5xb633duU60+IHJ9GMOV/ZqQR744wAxu+e/ZHpa2+mpI9VpTMuBTMFC +OQKbiLacsDJtFqsenZAyhcTU4DPFa0bkMO67Gwl0skuk2x8/0R3EgJ9JvNlsEz6v +BaHpWhEddU1m6FMKKZkfo0xnyFr/WPT6zti9iKTnIbkCDQRU1OvDARAA8gIC641d +K6ap9W1K3EkqRn0z6zizdVGr/jvf8xFXeUq+auxixZ0tEY6NM5CBSya5BCK9IGVW +mJNbazyWUa4llA6EvmUxcTeGE7ppQA4Kl1bzvUq5upo+8+0VuqvLC/bVz0DUnFSW +JYHAZrPZ+yO0yMq8vaGTo5kwKixQ4Ni+N+1EiALKZex1g6UW9d0HAcYEa/lTWhz3 +J0V1yyY4Vov30gtoo67KkSC/SswZzIR00CQGrz3twlGuB73Sm1YfqDqbY8dQLJey +U0ovIeU95VI5cQF6D1H8YdaMWQm6MtVAfIX5WMoH+eq4Ank9hilReGANkIWNSqM2 +1Drdu3crbGIYiZPEadKfGxwquwvRDTEgD4gjqMvEdxA2W6s4WR36SwMkeOtESj21 +MiR2YDcbIzIbUh9p0P8DZGvQcVh45jCgdOcL5th9R076npXHn8FIe2IfAZnX1Onp +sKn/YqJ0wNFhGYWxV/yZA10NbFKFXhD1FGqrOz6lSqmqDz00tXofF432ae+7PzTP +9n4cij4k0SYG1l/LThnOYL3SNUCG3rCASeWoXmhxCYRGi0Xw3IJrcpVNmNQD+SLL 
+TjVB94AlDjSlx1q0V+9ymhGHi51wsBSajMwDexaSI/WM1y9lROwl7eeAD41fPArz +TleAqT89akWLevTBLWvj59mku9vZAW26/1UAEQEAAYkCHwQYAQIACQUCVNTrwwIb +DAAKCRCxBIky3Tqqo2NCEACHJ7e0l8NhS4slfzej1AAXOwL1wDexn6thpgexAyqZ +LIaibqhIybhSo1LOL1NY/55ytscbOQL7NliRAXVN6F9lcer+qzxL5JgxzUU6drya +pNZYs06u3wfr8ZtSbvIAON/w89tm9tHxoNUIYZZUZROFBW6fn8RkhboQs0hJFxWf +WghOxhS0TXJ8/MZ4YcfDy+Ew6LIAym3A1XY+++2VMEHqKcyhU95W5sqAsfO5MkRW +a0E9JTS2dWTteNTWPonywJGX/mSVVMZgOZF6o32Vb9LTnB676YQaPiMlu2qg+vRk +RM/zyGjvPx7hilf68CWxZcIHslfp5gJV6RvtlK+muEvIkSmNYyi8hQp1Y5C6uWb9 +JWt/9ISJ+Xz+n+5nAHEUzW/LeEDyhjVlS9vOoAAy18r47mQybzJ2q2zOHo9zl3fK +OJ2S4SFBKGHuIhPOxG2CruhxN9U5+RwTDqKECeuCZROMYQLzlmIP2vM/NuFVhQm8 +iNhbTvEenh4mWD4IuOHJkqvzKKzAXllosuUK4B0kblh4GaOVmEjaXGw8789rOlQz +D5566SgKPDNUtom5/eIcy6/UYBoFd7lLltIVSSCA1VUMU4MWJgjwa9gk6MxoNe8d +cJ197oQMfhZNjJ80S5C+a2al4wrR2vL/3hXhy2M2kG73RLSzxEiVoJsG+hbzNtfI +a7kCDQRU1O5ZARAA1pGrQ1V3YMXF3DzwvA/uWb912pwqUvMAAKvYCDiELIOP07c3 +2+z04N/bOXjiZ2Jb8AuICj4v92tXAygtf18zxwoU8AOXiuScP3wy1ZprBw8k71dN +y0XmEXbiX7tkLoe0OzWlCaNTajSXTELT+nYHTOkBsrC4T+y7AwYueQJYUaRkJR/5 +Tc68UnRSO295pgJd7EoWWAky3bdH+TKN0MsagCJwa+RrXFGtIKjU0XAKsddTxQKx +2SUGF0QVdNZ/14Duo73btoXtHgB0oxewnsiJp5XKWYm57RSNLv1LKr26iSUtUM1C +AIZALuGMAyQXVEo7OmzuZmN0yRYM7FSnpG4rIDnDxYhDTaa+xWb738V8uLQDZAVn +AuBEhq1RQEDrRM/XLbibvVBzpd+JI9WneNEp0ehq5sEC6FbKYz0HqVk2SH1Dpb0t +grtxz3c7rPs7vRdmFMxTuYctSzuqNHpKX+C6rgyAW2sxEKD0ys8OYEa3hvrQFSAz +nM/j3X8dge1DriHIQd/Dt4+LMdPcsQk3vty7pYxZIDRa9hl7ngaesQSZ/7PV/cj7 +U7qieTr1ulO1Gc5GcyS2Hu4P9109HX1tBEQvGHpbqe9Lc2d0VKgHVjG9vDLrE1h/ +qXKbmn0LF1YR4djaM+sYCfYOO+WzZKUACPdMq3Lid/3oQ71p6eNgu6lQcgEAEQEA +AYkEPgQYAQIACQUCVNTuWQIbAgIpCRCxBIky3Tqqo8FdIAQZAQIABgUCVNTuWQAK +CRAu/H/w1BbgFNx6EACR7CKB3Mv2lNaRRraVRwjNrumyODqsnX/oe3lad04iCBb9 +JxGyNyTGF0s6teoaocXxIeZ50bF7GuYcnepMGpniMCkE2ymlM6ruFNNTUYC02Fsr +owKQboC7S5DN2l7lb4nlgyDX7nOlOMmhTc3D/QsduMyS9H5kjFFKtzLYOwREV/RH +I/wQUyTyze8qs/BxpT3/HsSJuGZybLSd/fmeM43xghcdfDgKTaGkFkhhW7UWgtOh +QtYxr0VD4HEw4C+nMyksqKAIFMBjJAqtsuWeSgavVrbU8KrzlcJFHSrovZ7Pi0mK 
+MYHGomPstZcZxwr15t3BhDvogMSRscU1mLUigLEGiWxPVxtQlmHTZfMns4Cy04S7 +jK4Gix0PN4Xi/9rOcLFCb5zddcLVrqiuT+dt/O/TPKUKHTvLL1gF4Dlypbu8TQWt +O7xDSPy7wSdPWUN5GBjsxbZfVlWpvvVMmGUuygIl0LkrJLKGxk36AnNpEPqsQ9e9 +Rsgu5dP9lGPz3igxE3p+UlhWo5eqJqZwAfEFb+0PQzKSQ6zIFQAf50eSI/pWf+Xp +9XOT47d4y8aWzHA7T/ja9tbyd+eg71ZOqOFtVP8zFWvmPnoosxrBR7qK/RBY5/PX +KhfG10yEYXSjTap4dmsy430l8Mcuqo55iixgT5vxZfTeyFjTjHmjuHD1rTTfpXk4 +D/9GI9cIfrWczhrbWN8BoP66ImMXpVhZzDt6S5u9dHSNJdqivDzCkktb/psXILvv +u3qLmb1nJbsNzN9GJm6LoduzCJ4SqaodjhMkNi/Tc95dx0n2cCP2Rh/jvzo7zrqQ +O09c8at/pFEiF8LgUlc5QaB/GNhXBqJog2yOzUPGKq0OMy/wttW42TCe7V+J8fnn +16xfGhnVwmiWRQaqdCiFDY2IiOHhnRwfJVANrddfuU/AJ8vY8XXzrxI7YZL43V53 +0Wich1VB00XLFU8aj08FsjdFvR77AAxFU+Cd6sH6yq6jsRXppQ0BOO15aR+wopEv +tKwDdRu3TaweC1XMLLQ4XuN9Ql0bMH0d626uMG2zUfZGO1jNTOS4sUhEqJsImbsL +/hgNDKYvfo0wSHPWmQo9njw7aG8Mey77I3fL1ELj/Tfa86njPpJ/tmFMLV9ntWAC +cW/c3tojdcP278rTw/4zk+Sr2Zv+3bP1yjJd0z4B3gYYz2BUYTU7dyiA41Kgk4Zf +V1n2NUAxQJYzvEIAZcMEWA3rOTb+AjcBVXX89Gk0BEykVmA9G808tbmI+4DUd2c/ ++d1xeufb43TGOiwKqwY+Os9iey3FbsnoYuzKPsd5LByJFEudbMB152h95u/NysaM +0AjC+yPtlpSLUIaDUW75VAlQKPWj1Ag5uVpc2ScMEjevQQ== +=muMw +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..139aa28 --- /dev/null +++ b/debian/watch @@ -0,0 +1,8 @@ +version=4 + +# Latest version is directly at /stunnel +opts=pgpsigurlmangle=s/$/.asc/ \ +https://www.stunnel.org/downloads.html downloads/stunnel-([\d.]+)@ARCHIVE_EXT@ debian + +opts=pgpsigurlmangle=s/$/.asc/,pasv \ +ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-([\d.]+)@ARCHIVE_EXT@ |