Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package stunnel for openSUSE:Factory checked in at 2026-02-26 19:00:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/stunnel (Old) and /work/SRC/openSUSE:Factory/.stunnel.new.29461 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "stunnel" Thu Feb 26 19:00:11 2026 rev:49 rq:1335294 version:5.77 Changes: -------- --- /work/SRC/openSUSE:Factory/stunnel/stunnel.changes 2026-01-30 18:28:09.244330219 +0100 +++ /work/SRC/openSUSE:Factory/.stunnel.new.29461/stunnel.changes 2026-02-26 19:02:23.391913216 +0100 @@ -1,0 +2,15 @@ +Thu Feb 26 12:44:31 UTC 2026 - Pedro Monreal <[email protected]> + +- Update to 5.77: + * Bugfixes + - Avoid attempting to fetch OCSP stapling for PSK-only + configuration sections. + * Features + - Merged applicable patches from Fedora and Debian: + - Use SOURCE_DATE_EPOCH for reproducible builds. + - Skip the OpenSSL version check when AUTOPKGTEST_TMP is set. + - Enable PrivateTmp in the stunnel.service template. + - Clarify the manual page for the "curves" option. + - Log client IP addresses on TLS errors. + +------------------------------------------------------------------- Old: ---- stunnel-5.76.tar.gz stunnel-5.76.tar.gz.asc New: ---- stunnel-5.77.tar.gz stunnel-5.77.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ stunnel.spec ++++++ --- /var/tmp/diff_new_pack.SqLEnv/_old 2026-02-26 19:02:25.323993949 +0100 +++ /var/tmp/diff_new_pack.SqLEnv/_new 2026-02-26 19:02:25.323993949 +0100 
@@ -22,7 +22,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: stunnel -Version: 5.76 +Version: 5.77 Release: 0 Summary: Universal TLS Tunnel License: GPL-2.0-or-later ++++++ stunnel-5.76.tar.gz -> stunnel-5.77.tar.gz ++++++ ++++ 1696 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/NEWS.md new/stunnel-5.77/NEWS.md --- old/stunnel-5.76/NEWS.md 2025-10-18 17:45:42.000000000 +0200 +++ new/stunnel-5.77/NEWS.md 2026-02-17 17:50:58.000000000 +0100 @@ -1,6 +1,20 @@ # stunnel change log +### Version 5.77, 2026.02.17, urgency: MEDIUM +* Security bugfixes + - OpenSSL DLLs updated to version 3.5.5. +* Bugfixes + - Avoid attempting to fetch OCSP stapling for PSK-only + configuration sections. +* Features + - Merged applicable patches from Fedora and Debian: + - Use SOURCE_DATE_EPOCH for reproducible builds. + - Skip the OpenSSL version check when AUTOPKGTEST_TMP is set. + - Enable PrivateTmp in the stunnel.service template. + - Clarify the manual page for the "curves" option. + - Log client IP addresses on TLS errors. + ### Version 5.76, 2025.10.18, urgency: MEDIUM * Security bugfixes - OpenSSL DLLs updated to version 3.5.4. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/TODO.md new/stunnel-5.77/TODO.md --- old/stunnel-5.76/TODO.md 2025-06-23 12:57:20.000000000 +0200 +++ new/stunnel-5.77/TODO.md 2026-02-10 23:20:59.000000000 +0100 
@@ -11,6 +11,7 @@ These features will likely be supported some day. A sponsor could allocate my time to get them faster. +* DTLS support (transport = UDP). * Add client certificate autoselection based on the list of accepted issuers: SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list(). * Indirect CRL support (RFC 3280, section 5). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/configure.ac new/stunnel-5.77/configure.ac --- old/stunnel-5.76/configure.ac 2025-07-02 13:04:50.000000000 +0200 +++ new/stunnel-5.77/configure.ac 2025-11-04 11:40:43.000000000 +0100 @@ -1,6 +1,6 @@ # Process this file with autoconf to produce a configure script. -AC_INIT([stunnel],[5.76]) +AC_INIT([stunnel],[5.77]) AC_MSG_NOTICE([**************************************** initialization]) AC_CONFIG_AUX_DIR(auto) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/Makefile.am new/stunnel-5.77/doc/Makefile.am --- old/stunnel-5.76/doc/Makefile.am 2025-01-31 13:35:04.000000000 +0100 +++ new/stunnel-5.77/doc/Makefile.am 2025-11-07 13:16:59.000000000 +0100 
@@ -14,9 +14,11 @@ SUFFIXES = .pod.in .8.in .html.in +BUILD_DATE = $(shell date --utc --date=@$(or $(SOURCE_DATE_EPOCH),$(shell date +%s)) +%Y.%m.%d) + .pod.in.8.in: pod2man -u -n stunnel -s 8 -r $(VERSION) \ - -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@ + -c "stunnel TLS Proxy" -d '$(BUILD_DATE)' $< $@ .pod.in.html.in: pod2html --index --backlink --header \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/stunnel.8.in new/stunnel-5.77/doc/stunnel.8.in --- old/stunnel-5.76/doc/stunnel.8.in 2025-09-19 13:30:36.000000000 +0200 +++ new/stunnel-5.77/doc/stunnel.8.in 2025-11-07 13:17:29.000000000 +0100 @@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 2025.09.19 5.76 "stunnel TLS Proxy" +.TH stunnel 8 2025.11.07 5.77 "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
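Review bot: The new `BUILD_DATE` line makes doc/Makefile.am depend on GNU make and GNU coreutils where the replaced recipe used a portable backtick `date`: `$(shell …)` and `$(or …)` are GNU make functions, and `date --utc --date=@…` is coreutils syntax (BSD `date` spells it `-u -r`), so automake will presumably emit portability warnings and the manual build fails on non-GNU toolchains. If GNU make is accepted as a requirement, `:=` is the better flavour here, since with `=` the `date` command is re-run at every expansion of `BUILD_DATE`. A `SOURCE_DATE_EPOCH` that `date` cannot parse makes the command fail and `BUILD_DATE` expand to empty, so pod2man is handed `-d ''` and the page is stamped with an empty date; checking the value is a plain integer before using it, or failing with `$(error …)`, would keep a broken reproducible-build environment from silently producing a wrong page. Whether the project already requires GNU make elsewhere is not visible in this hunk.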
@@ -531,6 +531,8 @@ .IX Item "curves = list" ECDH curves separated with ':' .Sp +Note: This option is supported for server mode sockets only. +.Sp Only a single curve name is allowed for OpenSSL older than 1.1.1. .Sp To get a list of supported curves use: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/stunnel.html.in new/stunnel-5.77/doc/stunnel.html.in --- old/stunnel-5.76/doc/stunnel.html.in 2025-09-19 13:30:36.000000000 +0200 +++ new/stunnel-5.77/doc/stunnel.html.in 2025-11-07 13:17:29.000000000 +0100 @@ -634,6 +634,8 @@ <p>ECDH curves separated with ':'</p> +<p>Note: This option is supported for server mode sockets only.</p> + <p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p> <p>To get a list of supported curves use:</p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/stunnel.pl.8.in new/stunnel-5.77/doc/stunnel.pl.8.in --- old/stunnel-5.76/doc/stunnel.pl.8.in 2025-09-19 13:30:36.000000000 +0200 +++ new/stunnel-5.77/doc/stunnel.pl.8.in 2025-11-07 13:17:29.000000000 +0100 @@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 2025.09.19 5.76 "stunnel TLS Proxy" +.TH stunnel 8 2025.11.07 5.77 "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -535,6 +535,8 @@ .IX Item "curves = lista" krzywe ECDH odddzielone ':' .Sp +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. +.Sp Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej. .Sp Listę dostępnych krzywych można uzyskać poleceniem: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/stunnel.pl.html.in new/stunnel-5.77/doc/stunnel.pl.html.in --- old/stunnel-5.76/doc/stunnel.pl.html.in 2025-09-19 13:30:36.000000000 +0200 +++ new/stunnel-5.77/doc/stunnel.pl.html.in 2025-11-07 13:17:29.000000000 +0100 @@ -624,6 +624,8 @@ <p>krzywe ECDH odddzielone ':'</p> +<p>Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.</p> + <p>Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej.</p> <p>Listę dostępnych krzywych można uzyskać poleceniem:</p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/stunnel.pl.pod.in new/stunnel-5.77/doc/stunnel.pl.pod.in --- old/stunnel-5.76/doc/stunnel.pl.pod.in 2025-09-19 13:15:13.000000000 +0200 +++ new/stunnel-5.77/doc/stunnel.pl.pod.in 2025-11-07 13:17:25.000000000 +0100 
@@ -580,6 +580,8 @@ krzywe ECDH odddzielone ':' +Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. + Wersje OpenSSL starsze niż 1.1.1 pozwalają na użycie tylko jednej krzywej. Listę dostępnych krzywych można uzyskać poleceniem: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/doc/stunnel.pod.in new/stunnel-5.77/doc/stunnel.pod.in --- old/stunnel-5.76/doc/stunnel.pod.in 2025-09-19 13:15:13.000000000 +0200 +++ new/stunnel-5.77/doc/stunnel.pod.in 2025-11-07 13:17:25.000000000 +0100 @@ -578,6 +578,8 @@ ECDH curves separated with ':' +Note: This option is supported for server mode sockets only. + Only a single curve name is allowed for OpenSSL older than 1.1.1. To get a list of supported curves use: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/client.c new/stunnel-5.77/src/client.c --- old/stunnel-5.76/src/client.c 2025-10-02 17:35:24.000000000 +0200 +++ new/stunnel-5.77/src/client.c 2025-11-14 15:42:02.000000000 +0100 
@@ -544,19 +544,19 @@ c->ssl=SSL_new(c->opt->ctx); if(!c->ssl) { - sslerror("SSL_new"); + ssl_error(c, "SSL_new"); throw_exception(c, 1); } /* for callbacks */ if(!SSL_set_ex_data(c->ssl, index_ssl_cli, c)) { - sslerror("SSL_set_ex_data"); + ssl_error(c, "SSL_set_ex_data"); throw_exception(c, 1); } if(c->opt->option.client) { #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_OCSP if(!SSL_set_tlsext_status_type(c->ssl, TLSEXT_STATUSTYPE_ocsp)) { - sslerror("OCSP: SSL_set_tlsext_status_type"); + ssl_error(c, "OCSP: SSL_set_tlsext_status_type"); throw_exception(c, 1); } #endif /* !defined(OPENSSL_NO_OCSP) */ @@ -566,7 +566,7 @@ if(c->opt->sni && *c->opt->sni) { s_log(LOG_INFO, "SNI: sending servername: %s", c->opt->sni); if(!SSL_set_tlsext_host_name(c->ssl, c->opt->sni)) { - sslerror("SSL_set_tlsext_host_name"); + ssl_error(c, "SSL_set_tlsext_host_name"); throw_exception(c, 1); } } else { /* c->opt->sni was set to an empty value */ @@ -652,7 +652,7 @@ sockerror(c->opt->option.client ? "SSL_connect" : "SSL_accept"); throw_exception(c, 1); } - sslerror(c->opt->option.client ? "SSL_connect" : "SSL_accept"); + ssl_error(c, c->opt->option.client ? "SSL_connect" : "SSL_accept"); throw_exception(c, 1); } ERR_clear_error(); /* silence any cached errors */ @@ -665,7 +665,7 @@ } else { /* no authentication was performed */ if(!SSL_SESSION_set_ex_data(sess, index_session_authenticated, NULL)) { - sslerror("SSL_SESSION_set_ex_data"); + ssl_error(c, "SSL_SESSION_set_ex_data"); SSL_SESSION_free(sess); throw_exception(c, 1); } @@ -1013,7 +1013,7 @@ shutdown_wants_write=0; break; case SSL_ERROR_SSL: /* TLS error */ - sslerror("SSL_shutdown"); + ssl_error(c, "SSL_shutdown"); throw_exception(c, 1); case SSL_ERROR_ZERO_RETURN: /* received a close_notify alert */ SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 
@@ -1111,7 +1111,7 @@ "SSL_write returned WANT_X509_LOOKUP: retrying"); break; case SSL_ERROR_SSL: - sslerror("SSL_write"); + ssl_error(c, "SSL_write"); throw_exception(c, 1); case SSL_ERROR_ZERO_RETURN: /* a buffered close_notify alert */ /* fall through */ @@ -1185,7 +1185,7 @@ break; } #endif /* SSL_R_UNEXPECTED_EOF_WHILE_READING */ - sslerror("SSL_read"); + ssl_error(c, "SSL_read"); throw_exception(c, 1); case SSL_ERROR_ZERO_RETURN: /* received a close_notify alert */ s_log(LOG_INFO, "TLS closed (SSL_read)"); @@ -1396,7 +1396,7 @@ while(*user==' ') /* skip leading spaces */ ++user; if(strcmp(user, c->opt->username)) { - s_log(LOG_WARNING, "Connection from %s REFUSED by IDENT (user \"%s\")", + s_log(LOG_ERR, "Connection from %s REFUSED by IDENT (user \"%s\")", c->accepted_address, user); str_free(line); throw_exception(c, 1); @@ -1639,7 +1639,7 @@ if(ok) { str_free(old_addr); /* NULL pointers are ignored */ } else { /* failed to store new_addr -> remove it */ - sslerror("SSL_SESSION_set_ex_data"); + ssl_error(NULL, "SSL_SESSION_set_ex_data"); str_free(new_addr); /* NULL pointers are ignored */ } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/cron.c new/stunnel-5.77/src/cron.c --- old/stunnel-5.76/src/cron.c 2025-01-31 13:34:12.000000000 +0100 +++ new/stunnel-5.77/src/cron.c 2025-11-14 15:39:07.000000000 +0100 @@ -220,7 +220,9 @@ /* update stapling caches and release the references */ while(num--) { - ocsp_stapling(srv[num]); + if(SSL_CTX_get0_certificate(srv[num]->ctx)) { + ocsp_stapling(srv[num]); + } service_free(srv[num]); } str_free(srv); 
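Review bot: The new `SSL_CTX_get0_certificate()` guard in the cron.c stapling-refresh loop skips a section silently, so a server section that unexpectedly has no certificate loaded is indistinguishable in the log from an intentional PSK-only one; an `else` branch with `s_log(LOG_DEBUG, "OCSP: No certificate configured, stapling not refreshed");` would keep the refresh observable for operators. The guard also reads `srv[num]->ctx` without a NULL check; whether every service collected into `srv` is guaranteed to carry a context is not visible here and was presumably already assumed by `ocsp_stapling()`. The enclosing function starts outside the hunk.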
@@ -287,18 +289,18 @@ /* generate 2048-bit DH parameters */ dh=DH_new(); if(!dh) { - sslerror("DH_new"); + ssl_error(NULL, "DH_new"); return; } if(!DH_generate_parameters_ex(dh, 2048, 2, bn_gencb)) { DH_free(dh); - sslerror("DH_generate_parameters_ex"); + ssl_error(NULL, "DH_generate_parameters_ex"); return; } #else /* OpenSSL older than 0.9.8 */ dh=DH_generate_parameters(2048, 2, dh_callback, NULL); if(!dh) { - sslerror("DH_generate_parameters"); + ssl_error(NULL, "DH_generate_parameters"); return; } #endif /* OpenSSL 0.9.8 or later */ @@ -326,7 +328,7 @@ bn_gencb=BN_GENCB_new(); if(!bn_gencb) { - sslerror("BN_GENCB_new"); + ssl_error(NULL, "BN_GENCB_new"); return NULL; } BN_GENCB_set(bn_gencb, bn_callback, NULL); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/ctx.c new/stunnel-5.77/src/ctx.c --- old/stunnel-5.76/src/ctx.c 2025-10-18 16:38:03.000000000 +0200 +++ new/stunnel-5.77/src/ctx.c 2025-11-14 15:55:44.000000000 +0100 @@ -183,7 +183,7 @@ section->client_method : section->server_method); #endif if(!section->ctx) { - sslerror("SSL_CTX_new"); + ssl_error(NULL, "SSL_CTX_new"); return 1; /* FAILED */ } @@ -207,7 +207,7 @@ /* allow callbacks to access their SERVICE_OPTIONS structure */ if(!SSL_CTX_set_ex_data(section->ctx, index_ssl_ctx_opt, section)) { - sslerror("SSL_CTX_set_ex_data"); + ssl_error(NULL, "SSL_CTX_set_ex_data"); return 1; /* FAILED */ } current_section=section; /* setup current section for callbacks */ @@ -234,7 +234,7 @@ if(section->cipher_list) { s_log(LOG_DEBUG, "Ciphers: %s", section->cipher_list); if(!SSL_CTX_set_cipher_list(section->ctx, section->cipher_list)) { - sslerror("SSL_CTX_set_cipher_list"); + ssl_error(NULL, "SSL_CTX_set_cipher_list"); return 1; /* FAILED */ } } 
@@ -247,7 +247,7 @@ tmp_cipher_list=sk_SSL_CIPHER_dup(SSL_CTX_get_ciphers(section->ctx)); if(!SSL_CTX_set_ciphersuites(section->ctx, section->ciphersuites)) { - sslerror("SSL_CTX_set_ciphersuites"); + ssl_error(NULL, "SSL_CTX_set_ciphersuites"); return 1; /* FAILED */ } cipher_list=SSL_CTX_get_ciphers(section->ctx); @@ -331,13 +331,13 @@ #ifndef OPENSSL_NO_TLS1_3 /* suppress all tickets (stateful and stateless) in TLSv1.3 */ if(!section->option.session_resume && !SSL_CTX_set_num_tickets(section->ctx, 0)) { - sslerror("SSL_CTX_set_num_tickets"); + ssl_error(NULL, "SSL_CTX_set_num_tickets"); return 1; /* FAILED */ } #endif /* TLS 1.3 */ if(!SSL_CTX_set_session_id_context(section->ctx, (unsigned char *)section->servname, servname_len)) { - sslerror("SSL_CTX_set_session_id_context"); + ssl_error(NULL, "SSL_CTX_set_session_id_context"); return 1; /* FAILED */ } } @@ -591,7 +591,7 @@ } bio=BIO_new_file(cert, "r"); if(!bio) { - sslerror("BIO_new_file"); + ssl_error(NULL, "BIO_new_file"); return NULL; /* FAILED */ } dh=PEM_read_bio_DHparams(bio, NULL, NULL, NULL); @@ -626,11 +626,11 @@ } ecdh=EC_KEY_new_by_curve_name(nid); if(!ecdh) { - sslerror("EC_KEY_new_by_curve_name"); + ssl_error(NULL, "EC_KEY_new_by_curve_name"); return 0; /* FAILED */ } if(!SSL_CTX_set_tmp_ecdh(ctx, ecdh)) { - sslerror("SSL_CTX_set_tmp_ecdhSSL_CTX_set_tmp_ecdh"); + ssl_error(NULL, "SSL_CTX_set_tmp_ecdhSSL_CTX_set_tmp_ecdh"); EC_KEY_free(ecdh); return 0; /* FAILED */ } @@ -663,7 +663,7 @@ return 0; /* OK */ cctx=SSL_CONF_CTX_new(); if(!cctx) { - sslerror("SSL_CONF_CTX_new"); + ssl_error(NULL, "SSL_CONF_CTX_new"); return 1; /* FAILED */ } SSL_CONF_CTX_set_ssl_ctx(cctx, section->ctx); @@ -697,7 +697,7 @@ SSL_CONF_CTX_free(cctx); return 1; /* FAILED */ default: - sslerror("SSL_CONF_cmd"); + ssl_error(NULL, "SSL_CONF_cmd"); str_free(cmd); SSL_CONF_CTX_free(cctx); return 1; /* FAILED */ 
@@ -706,7 +706,7 @@ } if(!SSL_CONF_CTX_finish(cctx)) { - sslerror("SSL_CONF_CTX_finish"); + ssl_error(NULL, "SSL_CONF_CTX_finish"); SSL_CONF_CTX_free(cctx); return 1; /* FAILED */ } @@ -792,7 +792,7 @@ /* validate the private key against the certificate */ if(!SSL_CTX_check_private_key(section->ctx)) { - sslerror("Private key does not match the certificate"); + ssl_error(NULL, "Private key does not match the certificate"); return 1; /* FAILED */ } s_log(LOG_DEBUG, "Private key check succeeded"); @@ -928,12 +928,12 @@ bio=BIO_new_file(file, "rb"); if(!bio) { - sslerror("BIO_new_file"); + ssl_error(NULL, "BIO_new_file"); return 1; /* FAILED */ } p12=d2i_PKCS12_bio(bio, NULL); if(!p12) { - sslerror("d2i_PKCS12_bio"); + ssl_error(NULL, "d2i_PKCS12_bio"); BIO_free(bio); return 1; /* FAILED */ } @@ -962,7 +962,7 @@ success=PKCS12_parse(p12, pass, &pkey, &cert, &ca); } if(!success) { - sslerror("PKCS12_parse"); + ssl_error(NULL, "PKCS12_parse"); PKCS12_free(p12); return 1; /* FAILED */ } @@ -970,18 +970,18 @@ PKCS12_free(p12); if(!SSL_CTX_use_certificate(section->ctx, cert)) { - sslerror("SSL_CTX_use_certificate"); + ssl_error(NULL, "SSL_CTX_use_certificate"); return 1; /* FAILED */ } *cert_needed = 0; if(!SSL_CTX_use_PrivateKey(section->ctx, pkey)) { - sslerror("SSL_CTX_use_PrivateKey"); + ssl_error(NULL, "SSL_CTX_use_PrivateKey"); return 1; /* FAILED */ } *key_needed = 0; #if OPENSSL_VERSION_NUMBER>=0x10002000L if(!SSL_CTX_set0_chain(section->ctx, ca)) { - sslerror("SSL_CTX_set0_chain"); + ssl_error(NULL, "SSL_CTX_set0_chain"); return 1; /* FAILED */ } #else /* OPENSSL_VERSION_NUMBER>=0x10002000L */ @@ -1008,7 +1008,7 @@ * clear any existing chain associated with the current certificate of * ctx, and add the other certs to the store of chain certificates */ if(!SSL_CTX_use_certificate_chain_file(section->ctx, file)) { - sslerror("SSL_CTX_use_certificate_chain_file"); + ssl_error(NULL, "SSL_CTX_use_certificate_chain_file"); return 1; /* FAILED */ } *cert_needed = 0; 
@@ -1021,25 +1021,25 @@ s_log(LOG_DEBUG, "Loading certificate chain from file: %s", file); bio=BIO_new_file(file, "rb"); if(!bio) { - sslerror("BIO_new_file"); + ssl_error(NULL, "BIO_new_file"); return 1; /* FAILED */ } ca=X509_new(); if(!ca) { - sslerror("X509_new"); + ssl_error(NULL, "X509_new"); BIO_free(bio); return 1; /* FAILED */ } if(!PEM_read_bio_X509(bio, &ca, NULL, NULL)) { X509_free(ca); BIO_free(bio); - sslerror("PEM_read_bio_X509"); + ssl_error(NULL, "PEM_read_bio_X509"); return 1; /* FAILED */ } BIO_free(bio); if(!SSL_CTX_add1_chain_cert(section->ctx, ca)) { X509_free(ca); - sslerror("SSL_CTX_add1_chain_cert"); + ssl_error(NULL, "SSL_CTX_add1_chain_cert"); return 1; /* FAILED */ } X509_free(ca); @@ -1081,7 +1081,7 @@ SSL_FILETYPE_PEM); } if(!success) { - sslerror("SSL_CTX_use_PrivateKey_file"); + ssl_error(NULL, "SSL_CTX_use_PrivateKey_file"); return 1; /* FAILED */ } *key_needed = 0; @@ -1104,7 +1104,7 @@ if(!cert) return 1; /* FAILED */ if(!SSL_CTX_use_certificate(section->ctx, cert)) { - sslerror("SSL_CTX_use_certificate"); + ssl_error(NULL, "SSL_CTX_use_certificate"); X509_free(cert); return 1; /* FAILED */ } @@ -1193,7 +1193,7 @@ return ui_method; ui_method=UI_create_method("stunnel UI"); if(!ui_method) { - sslerror("UI_create_method"); + ssl_error(NULL, "UI_create_method"); return NULL; } #if OPENSSL_VERSION_NUMBER>=0x10000000L @@ -1230,12 +1230,12 @@ s_log(LOG_ERR, "Wrong PIN: retrying"); continue; } - sslerror("ENGINE_load_private_key"); + ssl_error(NULL, "ENGINE_load_private_key"); return 1; /* FAILED */ } if(SSL_CTX_use_PrivateKey(section->ctx, pkey)) break; /* success */ - sslerror("SSL_CTX_use_PrivateKey"); + ssl_error(NULL, "SSL_CTX_use_PrivateKey"); return 1; /* FAILED */ } s_log(LOG_INFO, "Private key initialized on engine ID: %s", file); 
@@ -1289,7 +1289,7 @@ if(key_needed && *key_needed) { /* found the first private key */ if(!SSL_CTX_use_PrivateKey(ctx, OSSL_STORE_INFO_get0_PKEY(object))) { - sslerror("SSL_CTX_use_PrivateKey"); + ssl_error(NULL, "SSL_CTX_use_PrivateKey"); OSSL_STORE_INFO_free(object); OSSL_STORE_close(store_ctx); return 0; /* FAILED */ @@ -1303,7 +1303,7 @@ if(cert_needed && *cert_needed) { /* found the first certificate */ if(!SSL_CTX_use_certificate(ctx, OSSL_STORE_INFO_get0_CERT(object))) { - sslerror("SSL_CTX_use_certificate"); + ssl_error(NULL, "SSL_CTX_use_certificate"); OSSL_STORE_INFO_free(object); OSSL_STORE_close(store_ctx); return 0; /* FAILED */ @@ -1314,7 +1314,7 @@ /* add it to the certificate chain */ if(!SSL_CTX_add1_chain_cert(ctx, OSSL_STORE_INFO_get0_CERT(object))) { - sslerror("SSL_CTX_add1_chain_cert"); + ssl_error(NULL, "SSL_CTX_add1_chain_cert"); OSSL_STORE_INFO_free(object); OSSL_STORE_close(store_ctx); return 0; /* FAILED */ @@ -1598,7 +1598,7 @@ str_free(old_addr); /* NULL pointers are ignored */ } else { /* failed to store ticket_data->addr */ CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); - sslerror("SSL_SESSION_set_ex_data"); + ssl_error(c, "SSL_SESSION_set_ex_data"); } } else { s_log(LOG_INFO, "Decrypted ticket did not include a persistence address"); @@ -2116,7 +2116,7 @@ /**************************************** TLS error reporting */ -void sslerror(const char *txt) { /* OpenSSL error handler */ +void ssl_error(CLI *c, const char *txt) { /* OpenSSL error handler */ char *errors[MAX_ERRORS]; char *error_string; int i; 
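Review bot: The renamed `ssl_error()` gains a `CLI *c` parameter, but its header comment still reads only `/* OpenSSL error handler */`, while the call sites in this diff pass either a client or `NULL`; the contract belongs at the definition, e.g. `/* OpenSSL error handler; c may be NULL, in which case no client address is appended */`. From the body in the following ctx.c hunk, the `: client <address>` suffix is attached only to the first queued error (`i==0`) and only when `c->accepted_address` is set, which deserves a one-line comment at the `str_printf()` call so a reader does not expect it on every logged line. The function body continues past this hunk.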
@@ -2139,13 +2139,15 @@ } ERR_error_string_n(err, error_string, MAX_ERROR_LEN); - errors[i]=str_printf("%s: %s%s%s:%d: %s%s%s", + errors[i]=str_printf("%s: %s%s%s:%d: %s%s%s%s%s", txt && i==0 ? txt : "error queue", func && *func ? func : "", func && *func ? "@" : "", file, line, error_string, flags&ERR_TXT_STRING && data && *data ? ": " : "", - flags&ERR_TXT_STRING && data && *data ? data : ""); + flags&ERR_TXT_STRING && data && *data ? data : "", + c && c->accepted_address && i==0 ? ": client " : "", + c && c->accepted_address && i==0 ? c->accepted_address : ""); } str_free(error_string); ERR_clear_error(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/dhparam.c new/stunnel-5.77/src/dhparam.c --- old/stunnel-5.76/src/dhparam.c 2025-07-02 13:04:50.000000000 +0200 +++ new/stunnel-5.77/src/dhparam.c 2025-11-14 13:52:51.000000000 +0100 
@@ -4,28 +4,28 @@ #define DN_new DH_new DH *get_dh2048(void) { static unsigned char dhp_2048[] = { - 0xba, 0xd2, 0x5c, 0x68, 0x1f, 0x88, 0xfd, 0x3a, 0x57, 0x35, 0x34, 0xaa, - 0xfa, 0xcd, 0x2b, 0x14, 0xfd, 0x7c, 0xb4, 0x82, 0x9a, 0x3e, 0x03, 0x03, - 0x74, 0xaf, 0x4c, 0x0a, 0x3e, 0x3d, 0x3f, 0x52, 0xc3, 0x2e, 0x8f, 0xe6, - 0xdb, 0x7c, 0x9e, 0xf3, 0x8f, 0x3e, 0x01, 0x10, 0x3f, 0xeb, 0x16, 0x21, - 0xc2, 0xb6, 0xef, 0x3e, 0xde, 0x05, 0xbf, 0x95, 0x6b, 0x5b, 0x2f, 0x5d, - 0xc8, 0x2b, 0xb4, 0x68, 0x4a, 0xb7, 0xc9, 0x08, 0x76, 0xfc, 0x68, 0x1e, - 0xd6, 0xd8, 0x41, 0x21, 0x67, 0xd3, 0x6c, 0x84, 0xe0, 0xcc, 0x57, 0x90, - 0xc1, 0x7d, 0x60, 0xb7, 0xe9, 0x33, 0x42, 0x8d, 0x57, 0x3c, 0x7e, 0x64, - 0x03, 0x4e, 0x62, 0x4e, 0x5a, 0x19, 0xeb, 0x82, 0x0c, 0x1b, 0xe6, 0xb2, - 0xe4, 0xcc, 0x00, 0x36, 0x2f, 0x40, 0x0d, 0xf6, 0x2d, 0xab, 0x72, 0xb4, - 0x81, 0x09, 0x5c, 0xee, 0x37, 0xad, 0xed, 0xf2, 0xc8, 0xd3, 0x3f, 0x3c, - 0xf9, 0x24, 0xa8, 0x08, 0xb3, 0xb2, 0x97, 0xa8, 0x32, 0x7b, 0xed, 0x3c, - 0x68, 0x3d, 0x4c, 0xe1, 0x6b, 0xe7, 0x5c, 0x96, 0x3f, 0x65, 0xcb, 0x8b, - 0x42, 0x9f, 0x01, 0x9e, 0x4d, 0xe4, 0xbb, 0xf9, 0x04, 0xba, 0x8a, 0xf0, - 0x5b, 0xca, 0x25, 0xd9, 0xe5, 0x97, 0x11, 0x10, 0xa6, 0xb4, 0x3c, 0xbe, - 0x64, 0x9f, 0x9f, 0xc3, 0x0e, 0x2c, 0x71, 0x46, 0x00, 0xd2, 0x08, 0xc3, - 0x73, 0xa4, 0x2c, 0x33, 0x52, 0xd2, 0xc1, 0x22, 0x79, 0xf3, 0xe8, 0xc6, - 0xe5, 0xcf, 0x35, 0x5e, 0x2a, 0x6b, 0xaf, 0xfd, 0xea, 0x1f, 0xfe, 0x04, - 0x5f, 0xe7, 0x3b, 0x02, 0x07, 0x25, 0xc7, 0xf0, 0xe2, 0xfa, 0x43, 0xe8, - 0x49, 0xf7, 0xdd, 0x8c, 0x62, 0x71, 0xd0, 0x9d, 0x3a, 0x5a, 0x65, 0xb6, - 0x81, 0xf1, 0xe3, 0xf2, 0x32, 0xe4, 0x72, 0x99, 0x0f, 0xfa, 0x17, 0x16, - 0xcd, 0x1e, 0x9c, 0x07 + 0xd1, 0x40, 0xf3, 0x58, 0x71, 0xd6, 0x81, 0xa8, 0x65, 0x1e, 0x6e, 0xdf, + 0xc6, 0xbd, 0xb6, 0x46, 0x1c, 0x96, 0x3e, 0xfc, 0x2a, 0x9c, 0x7d, 0xda, + 0x86, 0x8d, 0x82, 0xa3, 0x5f, 0x36, 0x04, 0x65, 0xce, 0xb0, 0x62, 0xac, + 0x62, 0x0a, 0x31, 0x69, 0xd8, 0x2a, 0x66, 0x0f, 0x8b, 0x1d, 0x7c, 0x94, + 0x97, 0x75, 0x9b, 0x61, 
0x7c, 0x5c, 0xe0, 0xb8, 0x5a, 0x0b, 0xa0, 0xfe, + 0xab, 0x53, 0xf7, 0x12, 0xfe, 0x0e, 0x8b, 0xfa, 0xea, 0x8e, 0x5c, 0x7a, + 0x34, 0xd4, 0x17, 0x68, 0x9c, 0x81, 0x9d, 0xa3, 0x96, 0xd3, 0x69, 0x96, + 0xac, 0x36, 0xd7, 0xc4, 0x4b, 0x34, 0xd1, 0x8c, 0x9e, 0x69, 0xf2, 0x36, + 0x9d, 0x22, 0xe3, 0xf8, 0x81, 0xab, 0x60, 0x53, 0x08, 0xb8, 0xee, 0x57, + 0x6f, 0x9d, 0xce, 0x4d, 0x49, 0x60, 0xf8, 0x82, 0x54, 0x99, 0xaa, 0x0a, + 0xb7, 0xcd, 0xf1, 0x9a, 0xe4, 0xc4, 0x2b, 0x45, 0xdd, 0xb3, 0x57, 0xb3, + 0x0d, 0xf7, 0xfa, 0xb7, 0x9d, 0x32, 0xcc, 0xfd, 0xec, 0xed, 0x01, 0x9b, + 0x5b, 0x47, 0x1c, 0xfb, 0x0e, 0xf6, 0xf5, 0x6e, 0xa7, 0x10, 0x79, 0xd1, + 0x0a, 0xd0, 0xe9, 0x66, 0x67, 0x8a, 0x92, 0x66, 0xba, 0xa4, 0x21, 0xf0, + 0xde, 0x4d, 0xb4, 0x55, 0x98, 0x46, 0xaa, 0x1f, 0xd3, 0x01, 0x90, 0x07, + 0xf0, 0x5e, 0x90, 0x14, 0x28, 0xbb, 0x5f, 0xc3, 0x44, 0x6b, 0xc2, 0xdd, + 0xc5, 0xb3, 0xbe, 0x16, 0x40, 0x03, 0xe2, 0x66, 0x6c, 0x3b, 0x49, 0xa3, + 0xd4, 0xd6, 0x0c, 0x6a, 0x53, 0x8f, 0x7e, 0xa5, 0x9c, 0xfe, 0xb3, 0x87, + 0xcc, 0x27, 0x1b, 0x27, 0x19, 0x00, 0xc3, 0x3d, 0xb9, 0x3d, 0xba, 0x7e, + 0x10, 0x6b, 0xa4, 0xb1, 0x18, 0xc0, 0xa1, 0x60, 0xd1, 0xf3, 0x22, 0x70, + 0xb7, 0xb0, 0xfd, 0x39, 0x68, 0x18, 0xb8, 0x29, 0x05, 0x98, 0x4e, 0xdf, + 0x64, 0x13, 0x54, 0x47 }; static unsigned char dhg_2048[] = { 0x02 @@ -47,4 +47,4 @@ return dh; } #endif /* OPENSSL_NO_DH */ -/* built for stunnel 5.76 */ +/* built for stunnel 5.77 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/network.c new/stunnel-5.77/src/network.c --- old/stunnel-5.76/src/network.c 2025-01-31 13:34:12.000000000 +0100 +++ new/stunnel-5.77/src/network.c 2025-11-14 14:55:20.000000000 +0100 
@@ -828,7 +828,7 @@ } else if(err==SSL_ERROR_WANT_WRITE) { s_log(LOG_DEBUG, "s_ssl_write: SSL_ERROR_WANT_WRITE: Retrying"); } else if(err==SSL_ERROR_SSL) { - sslerror("s_ssl_write: SSL_write"); + ssl_error(c, "s_ssl_write: SSL_write"); throw_exception(c, 1); } else if(err==SSL_ERROR_SYSCALL) { if(!socket_needs_retry(c, "s_ssl_write: SSL_write")) { @@ -893,7 +893,7 @@ break; /* EOF */ } #endif /* SSL_R_UNEXPECTED_EOF_WHILE_READING */ - sslerror("s_ssl_read_eof: SSL_read"); + ssl_error(c, "s_ssl_read_eof: SSL_read"); throw_exception(c, 1); } else if(err==SSL_ERROR_SYSCALL) { if(!socket_needs_retry(c, "s_ssl_read_eof: SSL_read")) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/ocsp.c new/stunnel-5.77/src/ocsp.c --- old/stunnel-5.76/src/ocsp.c 2025-09-24 13:40:55.000000000 +0200 +++ new/stunnel-5.77/src/ocsp.c 2026-01-28 13:39:23.000000000 +0100 @@ -87,10 +87,10 @@ NOEXPORT void ocsp_ctx_free(OCSP_CTX *); NOEXPORT void ocsp_ctx_cleanup(OCSP_CTX *); NOEXPORT int ocsp_verify(CLI *, OCSP_CTX *); -NOEXPORT int check_aia(SERVICE_OPTIONS *, OCSP_CTX *); -NOEXPORT int ocsp_request(SERVICE_OPTIONS *, OCSP_CTX *); +NOEXPORT int check_aia(CLI *, SERVICE_OPTIONS *, OCSP_CTX *); +NOEXPORT int ocsp_request(CLI *c, SERVICE_OPTIONS *, OCSP_CTX *); NOEXPORT int ocsp_get_response(SERVICE_OPTIONS *, OCSP_CTX *); -NOEXPORT int ocsp_response_validate(SERVICE_OPTIONS *, OCSP_CTX *); +NOEXPORT int ocsp_response_validate(CLI *, SERVICE_OPTIONS *, OCSP_CTX *); NOEXPORT void ocsp_ctx_setup_cert_id(OCSP_CTX *); NOEXPORT int ocsp_ctx_append_root_ca(SERVICE_OPTIONS *, OCSP_CTX *); NOEXPORT void log_time(const int, const char *, ASN1_GENERALIZEDTIME *); 
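Review bot: The updated prototype for `ocsp_request()` names its new parameter (`CLI *c`) while the neighbouring prototypes for `check_aia()` and `ocsp_response_validate()` leave every parameter unnamed; for consistency with the rest of the declaration block it should read `NOEXPORT int ocsp_request(CLI *, SERVICE_OPTIONS *, OCSP_CTX *);`. The definition further down in this diff already names it `c`, so only the declaration is affected.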
@@ -104,13 +104,13 @@ section->ocsp_response_lock=CRYPTO_THREAD_lock_new(); if(section->option.client) { if(!SSL_CTX_set_tlsext_status_cb(section->ctx, ocsp_client_cb)) { - sslerror("OCSP: SSL_CTX_set_tlsext_status_cb"); + ssl_error(NULL, "OCSP: SSL_CTX_set_tlsext_status_cb"); return 1; /* FAILED */ } s_log(LOG_DEBUG, "OCSP: Client OCSP stapling enabled"); } else { #if OPENSSL_VERSION_NUMBER>=0x10002000L -#if !defined(OPENSSL_NO_PSK) +#ifndef OPENSSL_NO_PSK if(!section->psk_keys) { #endif /* !defined(OPENSSL_NO_PSK) */ if(SSL_CTX_set_tlsext_status_cb(section->ctx, ocsp_server_cb)) { @@ -119,7 +119,7 @@ } else { s_log(LOG_NOTICE, "OCSP: Server OCSP stapling not supported"); } -#if !defined(OPENSSL_NO_PSK) +#ifndef OPENSSL_NO_PSK } else { s_log(LOG_NOTICE, "OCSP: Server OCSP stapling is incompatible with PSK"); } @@ -392,7 +392,7 @@ ocsp.response=d2i_OCSP_RESPONSE(NULL, &response_tmp, response_len); /* validate */ - ocsp_status=ocsp_response_validate(opt, &ocsp); + ocsp_status=ocsp_response_validate(NULL, opt, &ocsp); /* cleanup */ ERR_clear_error(); /* silence any cached errors */ @@ -420,7 +420,7 @@ CRYPTO_THREAD_unlock(opt->ocsp_response_lock); /* try fetching response from the OCSP responder */ - ocsp_status=check_aia(opt, &ocsp); + ocsp_status=check_aia(NULL, opt, &ocsp); if(ocsp_status==V_OCSP_CERTSTATUS_UNKNOWN) { /* no useful response */ s_log(LOG_INFO, "OCSP: No OCSP stapling response to send"); ret=SSL_TLSEXT_ERR_NOACK; @@ -510,7 +510,7 @@ s_log(LOG_INFO, "OCSP: OCSP stapling response received"); ocsp->response=d2i_OCSP_RESPONSE(NULL, &resp_der, resp_der_len); /* validate */ - ocsp_status=ocsp_response_validate(c->opt, ocsp); + ocsp_status=ocsp_response_validate(c, c->opt, ocsp); if(ocsp_status!=V_OCSP_CERTSTATUS_UNKNOWN) ocsp->source_found=1; /* conclusive stapling found */ } else { 
@@ -522,13 +522,13 @@ /* ocsp_request() from a statically configured responder URL */ s_log(LOG_NOTICE, "OCSP: Connecting the configured responder \"%s\"", ocsp->url); - ocsp_status=ocsp_request(c->opt, ocsp); + ocsp_status=ocsp_request(c, c->opt, ocsp); } } if(ocsp_status==V_OCSP_CERTSTATUS_UNKNOWN) /* ocsp_request() from AIA responders defined in the certificate */ - ocsp_status=check_aia(c->opt, ocsp); + ocsp_status=check_aia(c, c->opt, ocsp); if(!ocsp->source_found) /* to conclusive stapling or ocsp_request() */ return 1; /* accept */ @@ -555,7 +555,7 @@ * - V_OCSP_CERTSTATUS_REVOKED * - V_OCSP_CERTSTATUS_UNKNOWN */ -NOEXPORT int check_aia(SERVICE_OPTIONS *opt, OCSP_CTX *ocsp) { +NOEXPORT int check_aia(CLI *c, SERVICE_OPTIONS *opt, OCSP_CTX *ocsp) { int ocsp_status=V_OCSP_CERTSTATUS_UNKNOWN; STACK_OF(OPENSSL_STRING) *aia; int i, num; @@ -575,7 +575,7 @@ for(i=0; i<num; i++) { ocsp->url=sk_OPENSSL_STRING_value(aia, i); s_log(LOG_NOTICE, "OCSP: Connecting the AIA responder \"%s\"", ocsp->url); - ocsp_status=ocsp_request(opt, ocsp); + ocsp_status=ocsp_request(c, opt, ocsp); if(ocsp_status!=V_OCSP_CERTSTATUS_UNKNOWN) break; /* we received a definitive response */ } @@ -592,7 +592,7 @@ * - V_OCSP_CERTSTATUS_REVOKED * - V_OCSP_CERTSTATUS_UNKNOWN */ -NOEXPORT int ocsp_request(SERVICE_OPTIONS *opt, OCSP_CTX *ocsp) { +NOEXPORT int ocsp_request(CLI *c, SERVICE_OPTIONS *opt, OCSP_CTX *ocsp) { int ocsp_status=V_OCSP_CERTSTATUS_UNKNOWN; /* prepare params for reuse */ @@ -602,7 +602,7 @@ ocsp->source_found=1; /* ether AIA or a configured responder */ ocsp->request=OCSP_REQUEST_new(); if(!ocsp->request) { - sslerror("OCSP: OCSP_REQUEST_new"); + ssl_error(c, "OCSP: OCSP_REQUEST_new"); goto cleanup; } ocsp_ctx_setup_cert_id(ocsp); @@ -610,7 +610,7 @@ goto cleanup; if(!OCSP_request_add0_id(ocsp->request, OCSP_CERTID_dup(ocsp->cert_id))) { - sslerror("OCSP: OCSP_request_add0_id"); + ssl_error(c, "OCSP: OCSP_request_add0_id"); goto cleanup; } if(ocsp->use_nonce) { 
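Review bot: The header comments of `check_aia` (-555 hunk) and `ocsp_request` (-592 hunk) still list only the return values and say nothing about the new `CLI *c` parameter, which the -392 and -420 hunks pass as `NULL` and the -510 and -522 hunks pass as the live connection; the same gap applies to `ocsp_response_validate` in the -772 hunk on a later line. A line such as ` * c: connection used for error logging, or NULL when no client is associated` in each header records that contract where the parameter is introduced. Both function bodies continue past the end of their hunks.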
@@ -623,7 +623,7 @@ } /* validate */ - ocsp_status=ocsp_response_validate(opt, ocsp); + ocsp_status=ocsp_response_validate(NULL, opt, ocsp); if(ocsp_status==V_OCSP_CERTSTATUS_REVOKED) ocsp->callback_ctx_error=X509_V_ERR_CERT_REVOKED; @@ -631,8 +631,10 @@ return ocsp_status; } +#if defined(__GNUC__) && !defined(__clang__) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wclobbered" +#endif /* * Send the OCSP request over HTTP and read the responder's reply. * A lightweight CLI structure is created only for socket handling. @@ -684,7 +686,7 @@ goto cleanup; bio=BIO_new_socket((int)c->fd, BIO_NOCLOSE); if(!bio) { - sslerror("OCSP: BIO_new_socket"); + ssl_error(c, "OCSP: BIO_new_socket"); goto cleanup; } s_log(LOG_DEBUG, "OCSP: Connected %s:%s", host, port); @@ -697,22 +699,22 @@ req_ctx=OCSP_sendreq_new(bio, path, ocsp->request, -1); #endif /* OpenSSL version 1.0.0 or later */ if(!req_ctx) { - sslerror("OCSP: OCSP_sendreq_new"); + ssl_error(c, "OCSP: OCSP_sendreq_new"); goto cleanup; } #if OPENSSL_VERSION_NUMBER>=0x10000000L /* add the HTTP headers */ if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) { - sslerror("OCSP: OCSP_REQ_CTX_add1_header"); + ssl_error(c, "OCSP: OCSP_REQ_CTX_add1_header"); goto cleanup; } if(!OCSP_REQ_CTX_add1_header(req_ctx, "User-Agent", "stunnel")) { - sslerror("OCSP: OCSP_REQ_CTX_add1_header"); + ssl_error(c, "OCSP: OCSP_REQ_CTX_add1_header"); goto cleanup; } /* add the remaining HTTP headers and the OCSP request body */ if(!OCSP_REQ_CTX_set1_req(req_ctx, ocsp->request)) { - sslerror("OCSP: OCSP_REQ_CTX_set1_req"); + ssl_error(c, "OCSP: OCSP_REQ_CTX_set1_req"); goto cleanup; } #endif /* OpenSSL version 1.0.0 or later */ @@ -739,7 +741,7 @@ ret=1; } else { if(ERR_peek_error()) - sslerror("OCSP: OCSP_sendreq_nbio"); + ssl_error(c, "OCSP: OCSP_sendreq_nbio"); else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */ s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error"); } 
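Review bot: `ocsp_response_validate(NULL, opt, ocsp)` in the -623 hunk discards the client context even though `c` is now a parameter of the enclosing `ocsp_request` (its signature is in the -592 hunk, so the function starts outside this hunk), so `OCSP_basic_verify` and `OCSP_check_validity` failures for responses fetched from a configured or AIA responder are logged without the client address that the rest of this commit adds. `ocsp_status=ocsp_response_validate(c, opt, ocsp);` makes it consistent with the stapling path in the -510 hunk, which passes `c`.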
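Review bot: In the -684, -697 and -739 hunks the `c` handed to `ssl_error` is the lightweight CLI that the comment above the function says is created only for socket handling, i.e. it describes the outbound connection to the OCSP responder rather than the TLS client. If `ssl_error` prints a peer address taken from that structure, errors from `OCSP_sendreq_nbio` and the header setup will be attributed to the responder's address or to nothing at all; this is worth confirming against `ssl_error`, whose definition is not in this diff, and recording with a comment such as `/* c is the responder socket's CLI, not the client connection */`. The function starts and ends outside these hunks.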
@@ -763,7 +765,9 @@ str_free(c); /* TODO */ return ret; } +#if defined(__GNUC__) && !defined(__clang__) #pragma GCC diagnostic pop +#endif /* * Validates the cached or fetched OCSP response. @@ -772,7 +776,7 @@ * - V_OCSP_CERTSTATUS_REVOKED * - V_OCSP_CERTSTATUS_UNKNOWN */ -NOEXPORT int ocsp_response_validate(SERVICE_OPTIONS *opt, OCSP_CTX *ocsp) { +NOEXPORT int ocsp_response_validate(CLI *c, SERVICE_OPTIONS *opt, OCSP_CTX *ocsp) { int response_status, reason; OCSP_BASICRESP *basic_response=NULL; int ocsp_status=V_OCSP_CERTSTATUS_UNKNOWN; @@ -800,7 +804,7 @@ } if(OCSP_basic_verify(basic_response, ocsp->chain_to_verify, SSL_CTX_get_cert_store(opt->ctx), ocsp->flags)<=0) { - sslerror("OCSP: OCSP_basic_verify"); + ssl_error(c, "OCSP: OCSP_basic_verify"); goto cleanup; } ocsp_ctx_setup_cert_id(ocsp); @@ -816,7 +820,7 @@ if(ocsp->next_update) log_time(LOG_INFO, "OCSP: Next update", ocsp->next_update); if(!OCSP_check_validity(ocsp->this_update, ocsp->next_update, ocsp->leeway, -1)) { - sslerror("OCSP: OCSP_check_validity"); + ssl_error(c, "OCSP: OCSP_check_validity"); ocsp_status=V_OCSP_CERTSTATUS_UNKNOWN; /* override an invalid response */ } switch(ocsp_status) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/options.c new/stunnel-5.77/src/options.c --- old/stunnel-5.76/src/options.c 2025-10-02 16:52:19.000000000 +0200 +++ new/stunnel-5.77/src/options.c 2025-11-14 14:58:18.000000000 +0100 @@ -5069,7 +5069,7 @@ s_log(LOG_DEBUG, "Enabling support for engine \"%s\"", name); e=ENGINE_by_id(name); if(!e) { - sslerror("ENGINE_by_id"); + ssl_error(NULL, "ENGINE_by_id"); return "Failed to open the engine"; } engine_initialized=0; 
@@ -5107,7 +5107,7 @@ else s_log(LOG_DEBUG, "Executing engine control command %s", cmd); if(!ENGINE_ctrl_cmd_string(engines[current_engine], cmd, arg, 0)) { - sslerror("ENGINE_ctrl_cmd_string"); + ssl_error(NULL, "ENGINE_ctrl_cmd_string"); return "Failed to execute the engine control command"; } return NULL; /* OK */ @@ -5117,7 +5117,7 @@ if(current_engine<0) return "No engine was defined"; if(!ENGINE_set_default_string(engines[current_engine], list)) { - sslerror("ENGINE_set_default_string"); + ssl_error(NULL, "ENGINE_set_default_string"); return "Failed to set engine as default"; } s_log(LOG_INFO, "Engine #%d (%s) set as default for %s", @@ -5132,7 +5132,7 @@ current_engine+1, ENGINE_get_id(engines[current_engine])); if(!ENGINE_init(engines[current_engine])) { if(ERR_peek_last_error()) /* really an error */ - sslerror("ENGINE_init"); + ssl_error(NULL, "ENGINE_init"); else s_log(LOG_ERR, "Engine #%d (%s) not initialized", current_engine+1, ENGINE_get_id(engines[current_engine])); @@ -5142,7 +5142,7 @@ /* it is a bad idea to set the engine as default for all sections */ /* the "engine=auto" or "engineDefault" options should be used instead */ if(!ENGINE_set_default(engines[current_engine], ENGINE_METHOD_ALL)) { - sslerror("ENGINE_set_default"); + ssl_error(NULL, "ENGINE_set_default"); return "Selecting default engine failed"; } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/os2.mak new/stunnel-5.77/src/os2.mak --- old/stunnel-5.76/src/os2.mak 2025-10-18 17:58:47.000000000 +0200 +++ new/stunnel-5.77/src/os2.mak 2026-02-17 18:25:56.000000000 +0100 
@@ -1,11 +1,11 @@ prefix=. DEFS = -DPACKAGE_NAME=\"stunnel\" \ -DPACKAGE_TARNAME=\"stunnel\" \ - -DPACKAGE_VERSION=\"5.76\" \ - -DPACKAGE_STRING=\"stunnel\ 5.76\" \ + -DPACKAGE_VERSION=\"5.77\" \ + -DPACKAGE_STRING=\"stunnel\ 5.77\" \ -DPACKAGE_BUGREPORT=\"\" \ -DPACKAGE=\"stunnel\" \ - -DVERSION=\"5.76\" \ + -DVERSION=\"5.77\" \ -DSTDC_HEADERS=1 \ -DHAVE_SYS_TYPES_H=1 \ -DHAVE_SYS_STAT_H=1 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/prototypes.h new/stunnel-5.77/src/prototypes.h --- old/stunnel-5.76/src/prototypes.h 2025-09-19 13:15:13.000000000 +0200 +++ new/stunnel-5.77/src/prototypes.h 2025-11-14 14:55:20.000000000 +0100 @@ -670,7 +670,7 @@ UI_METHOD *ui_stunnel(void); #endif /* !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER>=0x10101000L*/ void print_session_id(const char *, SSL_SESSION *); -void sslerror(const char *); +void ssl_error(CLI *, const char *); /**************************************** prototypes for verify.c */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/ssl.c new/stunnel-5.77/src/ssl.c --- old/stunnel-5.76/src/ssl.c 2025-07-24 12:48:01.000000000 +0200 +++ new/stunnel-5.77/src/ssl.c 2025-11-14 15:41:38.000000000 +0100 
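Review bot: `void ssl_error(CLI *, const char *);` in the prototypes.h hunk introduces a parameter that many call sites in this commit pass as `NULL` (options.c, ssl.c, verify.c), yet neither the prototype nor any visible comment states that NULL is accepted or what is logged in that case. A trailing comment, `void ssl_error(CLI *, const char *); /* CLI may be NULL outside a connection */`, would make the contract visible to future callers. The definition itself is not part of the visible diff.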
@@ -251,7 +251,7 @@ (void)argl; /* squash the unused parameter warning */ (void)argp; /* squash the unused parameter warning */ if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1))) - sslerror("CRYPTO_set_ex_data"); + ssl_error(NULL, "CRYPTO_set_ex_data"); #if OPENSSL_VERSION_NUMBER<0x10100000L return 1; /* success */ #endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ @@ -301,7 +301,7 @@ EVP_default_properties_is_fips_enabled(NULL))) { if(global->option.fips) { /* need to enable */ if(!fips_available()) { - sslerror("FIPS PROVIDER"); + ssl_error(NULL, "FIPS PROVIDER"); return 1; } if(!EVP_default_properties_enable_fips(NULL, 1)) { @@ -332,7 +332,7 @@ #else ERR_load_crypto_strings(); #endif - sslerror("FIPS_mode_set"); + ssl_error(NULL, "FIPS_mode_set"); return 1; } } @@ -542,7 +542,7 @@ readbytes=RAND_load_file(filename, global->random_bytes); if(readbytes<0) { - sslerror("RAND_load_file"); + ssl_error(NULL, "RAND_load_file"); s_log(LOG_INFO, "Cannot retrieve any random data from %s", filename); return 0; @@ -561,7 +561,7 @@ writebytes=RAND_write_file(filename); if(writebytes<0) { - sslerror("RAND_write_file"); + ssl_error(NULL, "RAND_write_file"); s_log(LOG_WARNING, "Failed to write strong random data to %s - " "may be a permissions or seeding problem", filename); return; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/verify.c new/stunnel-5.77/src/verify.c --- old/stunnel-5.76/src/verify.c 2025-06-19 15:33:35.000000000 +0200 +++ new/stunnel-5.77/src/verify.c 2026-01-28 13:39:23.000000000 +0100 
@@ -93,13 +93,13 @@ if(section->ca_file || section->ca_dir) { if(!SSL_CTX_load_verify_locations(section->ctx, section->ca_file, section->ca_dir)) { - sslerror("SSL_CTX_load_verify_locations"); + ssl_error(NULL, "SSL_CTX_load_verify_locations"); } } #if OPENSSL_VERSION_NUMBER>=0x30000000L if(section->ca_store) { if(!SSL_CTX_load_verify_store(section->ctx, section->ca_store)) { - sslerror("SSL_CTX_load_verify_store"); + ssl_error(NULL, "SSL_CTX_load_verify_store"); } } #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */ @@ -175,12 +175,12 @@ lookup=X509_STORE_add_lookup(store, X509_LOOKUP_file()); if(!lookup) { - sslerror("X509_STORE_add_lookup(X509_LOOKUP_file)"); + ssl_error(NULL, "X509_STORE_add_lookup(X509_LOOKUP_file)"); return 1; /* FAILED */ } if(!X509_load_crl_file(lookup, name, X509_FILETYPE_PEM)) { s_log(LOG_ERR, "Failed to load %s revocation lookup file", name); - sslerror("X509_load_crl_file"); + ssl_error(NULL, "X509_load_crl_file"); return 1; /* FAILED */ } s_log(LOG_DEBUG, "Loaded %s revocation lookup file", name); @@ -192,12 +192,12 @@ lookup=X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); if(!lookup) { - sslerror("X509_STORE_add_lookup(X509_LOOKUP_hash_dir)"); + ssl_error(NULL, "X509_STORE_add_lookup(X509_LOOKUP_hash_dir)"); return 1; /* FAILED */ } if(!X509_LOOKUP_add_dir(lookup, name, X509_FILETYPE_PEM)) { s_log(LOG_ERR, "Failed to add %s revocation lookup directory", name); - sslerror("X509_LOOKUP_add_dir"); + ssl_error(NULL, "X509_LOOKUP_add_dir"); return 1; /* FAILED */ } s_log(LOG_DEBUG, "Added %s revocation lookup directory", name); @@ -263,7 +263,7 @@ return 0; /* reject */ if(!SSL_SESSION_set_ex_data(sess, index_session_authenticated, NULL)) { - sslerror("SSL_SESSION_set_ex_data"); + ssl_error(c, "SSL_SESSION_set_ex_data"); SSL_SESSION_free(sess); return 0; /* reject */ } 
@@ -444,8 +444,8 @@ #endif /* OPENSSL_VERSION_NUMBER>=0x10000000L */ NOEXPORT int compare_pubkeys(X509 *c1, X509 *c2) { - ASN1_BIT_STRING *k1=X509_get0_pubkey_bitstr(c1); - ASN1_BIT_STRING *k2=X509_get0_pubkey_bitstr(c2); + const ASN1_BIT_STRING *k1=X509_get0_pubkey_bitstr(c1); + const ASN1_BIT_STRING *k2=X509_get0_pubkey_bitstr(c2); if(!k1 || !k2 || k1->length!=k2->length || k1->length<0 || safe_memcmp(k1->data, k2->data, (size_t)k1->length)) return 0; /* reject */ @@ -465,7 +465,7 @@ params.cert=NULL; ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1); if(!params.cert) - sslerror("ENGINE_ctrl_cmd"); + ssl_error(NULL, "ENGINE_ctrl_cmd"); return params.cert; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/src/version.h new/stunnel-5.77/src/version.h --- old/stunnel-5.76/src/version.h 2025-07-02 13:04:50.000000000 +0200 +++ new/stunnel-5.77/src/version.h 2025-11-04 11:40:57.000000000 +0100 @@ -65,7 +65,7 @@ /* START CUSTOMIZE */ #define VERSION_MAJOR 5 -#define VERSION_MINOR 76 +#define VERSION_MINOR 77 /* END CUSTOMIZE */ /* all the following macros are ABSOLUTELY NECESSARY to have proper string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/tests/maketest.py new/stunnel-5.77/tests/maketest.py --- old/stunnel-5.76/tests/maketest.py 2025-07-28 18:08:35.000000000 +0200 +++ new/stunnel-5.77/tests/maketest.py 2026-01-02 19:50:21.000000000 +0100 
@@ -31,7 +31,6 @@ TypeVar ) from datetime import datetime, timedelta, timezone -from functools import partial from urllib.parse import urlparse from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer from cryptography.hazmat.primitives import hashes, serialization @@ -48,25 +47,12 @@ DEFAULT_LOGS = os.path.join(RESULT_PATH, "logs") DEFAULT_LEVEL = logging.INFO DEFAULT_PORT = 19254 -OCSP_INDEX=os.path.join(DEFAULT_CERTS, "index.txt") +OCSP_INDEX = os.path.join(DEFAULT_CERTS, "index.txt") -RE_STUNNEL_VERSION = re.compile( - r""" ^ - stunnel\s+ - (?P<version> (?: [5-9] | [1-9][0-9]* ) \. \S+ ) - (?: \s .* )? - $ """, - re.X -) - -RE_OPENSSL_VERSION = re.compile( - r""" ^ - Compiled\/running\swith\sOpenSSL\s+ - (?P<version> (?: [0-3]\.[0-9]\.[0-9]* ) \S+) - (?: \s .* )? - $ """, - re.X -) +RE_VERSIONS = re.compile(r"""\A + (?=.*^stunnel\s+(?P<stunnel_version>(?:[5-9]|[1-9]\d+)\.\d\d\S*)(?:\s.*)?$)? + (?=.*^Compiled/running\swith\sOpenSSL\s+(?P<openssl_version>\d+\.\d+\.\d+\S*)(?:\s.*)?$)? + .*\Z""", re.X | re.M | re.S) RE_LINE_IDX = re.compile(r" ^ Hello \s+ (?P<idx> 0 | [1-9][0-9]* ) $ ", re.X) @@ -357,9 +343,9 @@ await self.cfg.logsq.put(evt) num = await self.remove_connection(evt, num) elif evt.etype == "set_result_event": - succeeded += 1 if evt.result=="succeeded" else 0 - failed += 1 if evt.result=="failed" else 0 - skipped += 1 if evt.result=="skipped" else 0 + succeeded += 1 if evt.result == "succeeded" else 0 + failed += 1 if evt.result == "failed" else 0 + skipped += 1 if evt.result == "skipped" else 0 await self.cfg.logsq.put(evt) elif evt.etype == "finish_event": await self.cfg.logsq.put(evt) 
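Review bot: The stunnel branch of `RE_VERSIONS` in the -48 hunk requires a two-digit minor (`\.\d\d\S*`) where the replaced `RE_STUNNEL_VERSION` accepted `\.\S+`, so a single-digit minor such as a hypothetical `6.0` would no longer match and `check_version` would report the version line as missing; `\.\d+\S*` keeps the old tolerance. The pattern also deserves a comment that both lookaheads are optional, so `search()` always matches and an absent version surfaces as a `None` group, e.g. `# always matches; a missing version shows up as a None group`.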
@@ -367,33 +353,23 @@ async def check_version(self, cmd_str: str, p_err: str) -> None: - """Check the version of python, stunnel and openssl""" + """Check the version of python, stunnel and OpenSSL""" tag = "check_version" - lines = p_err.splitlines() - if not lines: - raise OutputError(f"Expected at least one line of output from `{cmd_str}`") - openssl_version = None - stunnel_version = None - for line in lines: - match = RE_STUNNEL_VERSION.match(line) - if match: - stunnel_version = match.group("version") - match = RE_OPENSSL_VERSION.match(line) - if match: - openssl_version = match.group("version") - if not openssl_version: - raise UnsupportedVersion("Stunnel was compiled and run with different OpenSSL versions") - #TLSv1.1 and TLSv1.2 available only with OpenSSL version 1.0.1 and later - if openssl_version < "1.0.1": - raise UnsupportedVersion( - f"OpenSSL version {openssl_version} is deprecated and not supported") + + # Check Python version first if not (sys.version_info.major == 3 and sys.version_info.minor >= 7): raise UnsupportedVersion("Python 3.7 or higher is required.\n" - + "You are using Python {sys.version_info.major}.{sys.version_info.minor}.") + f"You are using Python {sys.version_info.major}.{sys.version_info.minor}.") + + # Parse stunnel output + search = RE_VERSIONS.search(p_err) + + # Log and check stunnel version + stunnel_version = search.group("stunnel_version") if not stunnel_version: raise UnsupportedVersion( f"Could not find the version line in the `{cmd_str}` output:\n" - + "\n".join(lines) + + p_err ) await self.cfg.mainq.put( LogEvent( 
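Review bot: `search.group("stunnel_version")` is called without checking that `search` is not `None`; this is safe only because every lookahead in `RE_VERSIONS` is optional, which nothing at the call site says. `search = RE_VERSIONS.search(p_err)  # always matches; missing versions are None groups` records the dependency. The old `OutputError` for empty output is gone, so an empty `p_err` now raises `UnsupportedVersion` with an empty output dump, a behaviour change that is probably fine but is not mentioned anywhere. `check_version` continues past the end of this hunk.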
@@ -403,6 +379,27 @@ ) ) + # Log and check OpenSSL version + openssl_version = search.group("openssl_version") + if not openssl_version: + raise UnsupportedVersion("Stunnel was compiled and run with different OpenSSL versions") + #TLSv1.1 and TLSv1.2 available only with OpenSSL version 1.0.1 and later + await self.cfg.mainq.put( + LogEvent( + etype="log", + level=20, + log=f"[{tag}] Got OpenSSL version {openssl_version}" + ) + ) + if 'AUTOPKGTEST_TMP' not in os.environ: + match = re.match(r"(\d+)\.(\d+)\.(\d+)", openssl_version) + if not match: + raise UnsupportedVersion(f"Could not parse OpenSSL version: {openssl_version}") + numeric_version = tuple(int(x) for x in match.groups()) + if numeric_version < (1, 0, 1): + raise UnsupportedVersion( + f"OpenSSL version {openssl_version} is deprecated and not supported") + async def get_version(self, logger:logging.Logger) -> str: """Obtain the version of stunnel.""" tag = "get_version" @@ -466,7 +463,7 @@ def __init__(self, cfg: Config, logger: logging.Logger): self.cfg = cfg - self.logger=logger + self.logger = logger self.events = TestEvents( skip=[], success=[], @@ -527,7 +524,7 @@ def __init__(self, cfg: Config, logger: logging.Logger): super().__init__(cfg, logger) - self.logger=logger + self.logger = logger self.conns = TestConnections( by_id={}, pending={} @@ -932,7 +929,7 @@ cafile=str(self.cfg.certdir / "CACert.pem") ) else: - ctx=None + ctx = None protocol = "HTTPS" if self.params.ssl_server else "HTTP" await self.cfg.mainq.put( @@ -1517,8 +1514,8 @@ def __init__(self, cfg: Config, logger: logging.Logger): super().__init__(cfg, logger) self.cfg = cfg - self.reader=subprocess.DEVNULL - self.writer=subprocess.DEVNULL + self.reader = subprocess.DEVNULL + self.writer = subprocess.DEVNULL async def check_listening_port(self, port:int, service: str) -> int: 
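Review bot: The comment `#TLSv1.1 and TLSv1.2 available only with OpenSSL version 1.0.1 and later` now sits above the logging call instead of the `numeric_version < (1, 0, 1)` comparison it explains, and the `AUTOPKGTEST_TMP` branch has no comment saying why an environment variable disables the minimum-version check. Moving the comment next to the comparison and adding `# autopkgtest sets AUTOPKGTEST_TMP; the OpenSSL minimum-version check is skipped there` would keep both decisions readable. `check_version` starts outside this hunk.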
@@ -1573,7 +1570,7 @@ super().__init__(cfg, logger) self.cfg = cfg self.path = path - self.idx=0 + self.idx = 0 async def check_listening_port(self, port:int, service: str) -> int: @@ -1677,7 +1674,7 @@ task=False ) ) - self.idx +=1 + self.idx += 1 async def start_socket_connections(self) -> None: @@ -1727,7 +1724,7 @@ """Start OCSP responder""" tag = "start_responder" try: - server=HttpServerThread(self.cfg) + server = HttpServerThread(self.cfg) await server.start_server() except OSError as err: await self.cfg.mainq.put( @@ -1775,12 +1772,10 @@ class OCSPHandler(SimpleHTTPRequestHandler): """Handle the HTTP POST request that arrive at the server""" - def __init__(self, cfg, database, request, client_address, server): - #pylint: disable=too-many-arguments - self.cfg=cfg - self.database = database - self.server=server - SimpleHTTPRequestHandler.__init__(self, request, client_address, server) + def __init__(self, request, client_address, server): + self.cfg = server.cfg + self.database = server.database + super().__init__(request, client_address, server) def log_message(self, format, *args): @@ -1794,7 +1789,7 @@ def do_POST(self): # pylint: disable=invalid-name """"Serves the POST request type""" try: - url=urlparse(self.path) + url = urlparse(self.path) if url.path == "/kill_server": self.send_response(200) self.send_header('Content-type', 'text/plain') @@ -1802,9 +1797,9 @@ self.wfile.write(bytes('Shutting down HTTP server', 'utf-8')) self.server.shutdown() elif url.path == "/ocsp": - content_length=int(self.headers['Content-Length']) - request_data=self.rfile.read(content_length) - request=ocsp.load_der_ocsp_request(request_data) + content_length = int(self.headers['Content-Length']) + request_data = self.rfile.read(content_length) + request = ocsp.load_der_ocsp_request(request_data) self.process_ocsp_request(request) except Exception as err: # pylint: disable=broad-except 
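Review bot: `OCSPHandler.__init__` in the -1775 hunk now reads `server.cfg` and `server.database`, attributes that `ThreadingHTTPServer` does not define; they are attached after construction in `start_server` (-1878 hunk on a later line), so the handler only works because `serve_forever` starts after both assignments. Reading them before `super().__init__` is correct, since the base constructor runs `handle()` immediately, but a small server subclass that takes both values in its constructor makes the dependency explicit and means the server can never exist without them; `start_server` would then call `OCPServer` in place of `ThreadingHTTPServer` and drop the two attribute assignments.
```python
class OCSPServer(ThreadingHTTPServer):
    """HTTP server carrying the state that OCSPHandler reads via self.server."""

    def __init__(self, server_address, cfg, database):
        self.cfg = cfg
        self.database = database
        super().__init__(server_address, OCSPHandler)
```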
@@ -1813,33 +1808,33 @@ def process_ocsp_request(self, request: ocsp.OCSPRequest): """Process OCSP request data""" - response=None - this_update=datetime.now(timezone.utc) + response = None + this_update = datetime.now(timezone.utc) try: issuer = self.database.get(request.issuer_key_hash) if issuer is None: - response=ocsp.OCSPResponseBuilder.build_unsuccessful( + response = ocsp.OCSPResponseBuilder.build_unsuccessful( ocsp.OCSPResponseStatus.UNAUTHORIZED) else: - serial=request.serial_number + serial = request.serial_number subject_cert = issuer.get('certificates').get(serial) if subject_cert is None: - response=ocsp.OCSPResponseBuilder.build_unsuccessful( + response = ocsp.OCSPResponseBuilder.build_unsuccessful( ocsp.OCSPResponseStatus.UNAUTHORIZED) else: - ocsp_cert=issuer.get('ocsp_cert') - cert_info=issuer.get('revocations').get(serial) - revoked=cert_info is not None + ocsp_cert = issuer.get('ocsp_cert') + cert_info = issuer.get('revocations').get(serial) + revoked = cert_info is not None if revoked: - cert_status=ocsp.OCSPCertStatus.REVOKED + cert_status = ocsp.OCSPCertStatus.REVOKED else: - cert_status=ocsp.OCSPCertStatus.GOOD + cert_status = ocsp.OCSPCertStatus.GOOD # create a OCSPResponse object - builder=ocsp.OCSPResponseBuilder() + builder = ocsp.OCSPResponseBuilder() # add status information about the certificate that was requested - builder=builder.add_response( + builder = builder.add_response( cert=subject_cert, issuer=ocsp_cert, algorithm=request.hash_algorithm, @@ -1851,7 +1846,7 @@ # set the responderID on the OCSP response # encode the X.509 NAME of the certificate or HASH of the public key - builder=builder.responder_id(ocsp.OCSPResponderEncoding.NAME, ocsp_cert) + builder = builder.responder_id(ocsp.OCSPResponderEncoding.NAME, ocsp_cert) # add OCSP nonce if present try: 
@@ -1861,10 +1856,10 @@ pass # create the SUCCESSFUL response that can then be serialized and sent - response=builder.sign(issuer.get('ocsp_key'), hashes.SHA256()) + response = builder.sign(issuer.get('ocsp_key'), hashes.SHA256()) except Exception: # pylint: disable=broad-except - response=ocsp.OCSPResponseBuilder.build_unsuccessful( + response = ocsp.OCSPResponseBuilder.build_unsuccessful( ocsp.OCSPResponseStatus.INTERNAL_ERROR) self.send_response(200) @@ -1878,18 +1873,19 @@ def __init__(self, cfg: Config): self.cfg = cfg - self.server=None - self.server_thread=None + self.server = None + self.server_thread = None async def start_server(self) -> (int): """Starting HTTP server on localhost and a given port""" tag = "start_server" - database=self.load_database() - ocsp_handler = partial(OCSPHandler, self.cfg, database) - self.server=ThreadingHTTPServer(('localhost', self.cfg.port), ocsp_handler) - self.server_thread=threading.Thread(target=self.server.serve_forever) + database = self.load_database() + self.server = ThreadingHTTPServer(("localhost", self.cfg.port), OCSPHandler) + self.server.cfg = self.cfg + self.server.database = database + self.server_thread = threading.Thread(target=self.server.serve_forever) self.server_thread.start() - hostname, port=self.server.server_address[:2] + hostname, port = self.server.server_address[:2] await self.cfg.mainq.put( LogEvent( etype="log", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/tools/ca-certs.pem new/stunnel-5.77/tools/ca-certs.pem --- old/stunnel-5.76/tools/ca-certs.pem 2025-10-18 17:56:54.000000000 +0200 +++ new/stunnel-5.77/tools/ca-certs.pem 2026-02-17 18:23:51.000000000 +0100 
@@ -1145,96 +1145,6 @@ /bpV6wfEU6s3qe4hsiFbYI89MvHVI5TWWA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIICHTCCAaOgAwIBAgIUQ3CCd89NXTTxyq4yLzf39H91oJ4wCgYIKoZIzj0EAwMw -TjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwiQ29t -bVNjb3BlIFB1YmxpYyBUcnVzdCBFQ0MgUm9vdC0wMTAeFw0yMTA0MjgxNzM1NDNa -Fw00NjA0MjgxNzM1NDJaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21tU2Nv -cGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgRUNDIFJvb3QtMDEw -djAQBgcqhkjOPQIBBgUrgQQAIgNiAARLNumuV16ocNfQj3Rid8NeeqrltqLxeP0C -flfdkXmcbLlSiFS8LwS+uM32ENEp7LXQoMPwiXAZu1FlxUOcw5tjnSCDPgYLpkJE -hRGnSjot6dZoL0hOUysHP029uax3OVejQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD -VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSOB2LAUN3GGQYARnQE9/OufXVNMDAKBggq -hkjOPQQDAwNoADBlAjEAnDPfQeMjqEI2Jpc1XHvr20v4qotzVRVcrHgpD7oh2MSg -2NED3W3ROT3Ek2DS43KyAjB8xX6I01D1HiXo+k515liWpDVfG2XqYZpwI7UNo5uS -Um9poIyNStDuiw7LR47QjRE= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIICHDCCAaOgAwIBAgIUKP2ZYEFHpgE6yhR7H+/5aAiDXX0wCgYIKoZIzj0EAwMw -TjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwiQ29t -bVNjb3BlIFB1YmxpYyBUcnVzdCBFQ0MgUm9vdC0wMjAeFw0yMTA0MjgxNzQ0NTRa -Fw00NjA0MjgxNzQ0NTNaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21tU2Nv -cGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgRUNDIFJvb3QtMDIw -djAQBgcqhkjOPQIBBgUrgQQAIgNiAAR4MIHoYx7l63FRD/cHB8o5mXxO1Q/MMDAL -j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU -v4RDsNuESgMjGWdqb8FuvAY5N9GIIvejQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD -VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTmGHX/72DehKT1RsfeSlXjMjZ59TAKBggq -hkjOPQQDAwNnADBkAjAmc0l6tqvmSfR9Uj/UQQSugEODZXW5hYA4O9Zv5JOGq4/n -ich/m35rChJVYaoR4HkCMHfoMXGsPHED1oQmHhS48zs73u1Z/GtMMH9ZzkXpc2AV -mkzw5l4lIhVtwodZ0LKOag== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFbDCCA1SgAwIBAgIUPgNJgXUWdDGOTKvVxZAplsU5EN0wDQYJKoZIhvcNAQEL -BQAwTjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwi -Q29tbVNjb3BlIFB1YmxpYyBUcnVzdCBSU0EgUm9vdC0wMTAeFw0yMTA0MjgxNjQ1 -NTRaFw00NjA0MjgxNjQ1NTNaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21t 
-U2NvcGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgUlNBIFJvb3Qt -MDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwSGWjDR1C45FtnYSk -YZYSwu3D2iM0GXb26v1VWvZVAVMP8syMl0+5UMuzAURWlv2bKOx7dAvnQmtVzslh -suitQDy6uUEKBU8bJoWPQ7VAtYXR1HHcg0Hz9kXHgKKEUJdGzqAMxGBWBB0HW0al -DrJLpA6lfO741GIDuZNqihS4cPgugkY4Iw50x2tBt9Apo52AsH53k2NC+zSDO3Oj -WiE260f6GBfZumbCk6SP/F2krfxQapWsvCQz0b2If4b19bJzKo98rwjyGpg/qYFl -P8GMicWWMJoKz/TUyDTtnS+8jTiGU+6Xn6myY5QXjQ/cZip8UlF1y5mO6D1cv547 -KI2DAg+pn3LiLCuz3GaXAEDQpFSOm117RTYm1nJD68/A6g3czhLmfTifBSeolz7p -UcZsBSjBAg/pGG3svZwG1KdJ9FQFa2ww8esD1eo9anbCyxooSU1/ZOD6K9pzg4H/ -kQO9lLvkuI6cMmPNn7togbGEW682v3fuHX/3SZtS7NJ3Wn2RnU3COS3kuoL4b/JO -Hg9O5j9ZpSPcPYeoKFgo0fEbNttPxP/hjFtyjMcmAyejOQoBqsCyMWCDIqFPEgkB -Ea801M/XrmLTBQe0MXXgDW1XT2mH+VepuhX2yFJtocucH+X8eKg1mp9BFM6ltM6U -CBwJrVbl2rZJmkrqYxhTnCwuwwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G -A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUN12mmnQywsL5x6YVEFm45P3luG0wDQYJ -KoZIhvcNAQELBQADggIBAK+nz97/4L1CjU3lIpbfaOp9TSp90K09FlxD533Ahuh6 -NWPxzIHIxgvoLlI1pKZJkGNRrDSsBTtXAOnTYtPZKdVUvhwQkZyybf5Z/Xn36lbQ -nmhUQo8mUuJM3y+Xpi/SB5io82BdS5pYV4jvguX6r2yBS5KPQJqTRlnLX3gWsWc+ -QgvfKNmwrZggvkN80V4aCRckjXtdlemrwWCrWxhkgPut4AZ9HcpZuPN4KWfGVh2v -trV0KnahP/t1MJ+UXjulYPPLXAziDslg+MkfFoom3ecnf+slpoq9uC02EJqxWE2a -aE9gVOX2RhOOiKy8IUISrcZKiX2bwdgt6ZYD9KJ0DLwAHb/WNyVntHKLr4W96ioD -j8z7PEQkguIBpQtZtjSNMgsSDesnwv1B10A8ckYpwIzqug/xBpMu95yo9GA+o/E4 -Xo4TwbM6l4c/ksp4qRyv0LAbJh6+cOx69TOY6lz/KwsETkPdY34Op054A5U+1C0w -lREQKC6/oAI+/15Z0wUOlV9TRe9rh9VIzRamloPh37MG88EU26fsHItdkJANclHn -YfkUyq+Dj7+vsQpZXdxc1+SWrVtgHdqul7I52Qb1dgAT+GhMIbA1xNxVssnBQVoc -icCMb3SgazNNtQEo/a2tiRc7ppqEvOuM6sRxJKi6KfkIsidWNTJf6jn7MZrVGczw ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFbDCCA1SgAwIBAgIUVBa/O345lXGN0aoApYYNK496BU4wDQYJKoZIhvcNAQEL -BQAwTjELMAkGA1UEBhMCVVMxEjAQBgNVBAoMCUNvbW1TY29wZTErMCkGA1UEAwwi -Q29tbVNjb3BlIFB1YmxpYyBUcnVzdCBSU0EgUm9vdC0wMjAeFw0yMTA0MjgxNzE2 -NDNaFw00NjA0MjgxNzE2NDJaME4xCzAJBgNVBAYTAlVTMRIwEAYDVQQKDAlDb21t 
-U2NvcGUxKzApBgNVBAMMIkNvbW1TY29wZSBQdWJsaWMgVHJ1c3QgUlNBIFJvb3Qt -MDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDh+g77aAASyE3VrCLE -NQE7xVTlWXZjpX/rwcRqmL0yjReA61260WI9JSMZNRTpf4mnG2I81lDnNJUDMrG0 -kyI9p+Kx7eZ7Ti6Hmw0zdQreqjXnfuU2mKKuJZ6VszKWpCtYHu8//mI0SFHRtI1C -rWDaSWqVcN3SAOLMV2MCe5bdSZdbkk6V0/nLKR8YSvgBKtJjCW4k6YnS5cciTNxz -hkcAqg2Ijq6FfUrpuzNPDlJwnZXjfG2WWy09X6GDRl224yW4fKcZgBzqZUPckXk2 -LHR88mcGyYnJ27/aaL8j7dxrrSiDeS/sOKUNNwFnJ5rpM9kzXzehxfCrPfp4sOcs -n/Y+n2Dg70jpkEUeBVF4GiwSLFworA2iI540jwXmojPOEXcT1A6kHkIfhs1w/tku -FT0du7jyU1fbzMZ0KZwYszZ1OC4PVKH4kh+Jlk+71O6d6Ts2QrUKOyrUZHk2EOH5 -kQMreyBUzQ0ZGshBMjTRsJnhkB4BQDa1t/qp5Xd1pCKBXbCL5CcSD1SIxtuFdOa3 -wNemKfrb3vOTlycEVS8KbzfFPROvCgCpLIscgSjX74Yxqa7ybrjKaixUR9gqiC6v -wQcQeKwRoi9C8DfF8rhW3Q5iLc4tVn5V8qdE9isy9COoR+jUKgF4z2rDN6ieZdIs -5fq6M8EGRPbmz6UNp2YINIos8wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G -A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUR9DnsSL/nSz12Vdgs7GxcJXvYXowDQYJ -KoZIhvcNAQELBQADggIBAIZpsU0v6Z9PIpNojuQhmaPORVMbc0RTAIFhzTHjCLqB -KCh6krm2qMhDnscTJk3C2OVVnJJdUNjCK9v+5qiXz1I6JMNlZFxHMaNlNRPDk7n3 -+VGXu6TwYofF1gbTl4MgqX67tiHCpQ2EAOHyJxCDut0DgdXdaMNmEMjRdrSzbyme -APnCKfWxkxlSaRosTKCL4BWaMS/TiJVZbuXEs1DIFAhKm4sTg7GkcrI7djNB3Nyq -pgdvHSQSn8h2vS/ZjvQs7rfSOBAkNlEv41xdgSGn2rtO/+YHqP65DSdsu3BaVXoT -6fEqSWnHX4dXTEN5bTpl6TBcQe7rd6VzEojov32u5cSoHw2OHG1QAk8mGEPej1WF -sQs3BWDJVTkSBKEqz3EWnzZRSb9wO55nnPt7eck5HHisd5FUmrh1CoFSl+NmYWvt -PjgelmFV4ZFUjO2MJB+ByRCac5krFk5yAD9UG/iNuovnFNa2RU9g7Jauwy8CTl2d -lklyALKrdVwPaFsdZcJfMw8eD/A7hvWwTruc9+olBdytoptLFwG+Qt81IR2tq670 -v64fG9PiO/yzcnMcmyiQiRM9HcEARwmWmjgb3bHPDcK0RPOWlc4yOo80nOAXx17O -rg3bhzjlP1v9mxnhMUF6cKojawHhRUzNlM47ni3niAIi9G7oyOzWPPO5std3eqx7 ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- MIIFZDCCA0ygAwIBAgIQU9XP5hmTC/srBRLYwiqipDANBgkqhkiG9w0BAQwFADBM MS4wLAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgUlNBIFRMUyAyMDIx MQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTIxMTBaFw00 
@@ -1612,6 +1522,24 @@ dTdmQRCsu/WU48IxK63nI1bMNSWSs1A= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- +MIICzzCCAjGgAwIBAgINAOhvGHvWOWuYSkmYCjAKBggqhkjOPQQDBDB1MQswCQYD +VQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0 +ZC4xFzAVBgNVBGEMDlZBVEhVLTIzNTg0NDk3MSIwIAYDVQQDDBllLVN6aWdubyBU +TFMgUm9vdCBDQSAyMDIzMB4XDTIzMDcxNzE0MDAwMFoXDTM4MDcxNzE0MDAwMFow +dTELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNy +b3NlYyBMdGQuMRcwFQYDVQRhDA5WQVRIVS0yMzU4NDQ5NzEiMCAGA1UEAwwZZS1T +emlnbm8gVExTIFJvb3QgQ0EgMjAyMzCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAE +AGgP36J8PKp0iGEKjcJMpQEiFNT3YHdCnAo4YKGMZz6zY+n6kbCLS+Y53wLCMAFS +AL/fjO1ZrTJlqwlZULUZwmgcAOAFX9pQJhzDrAQixTpN7+lXWDajwRlTEArRzT/v +SzUaQ49CE0y5LBqcvjC2xN7cS53kpDzLLtmt3999Cd8ukv+ho2MwYTAPBgNVHRMB +Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUWYQCYlpGePVd3I8K +ECgj3NXW+0UwHwYDVR0jBBgwFoAUWYQCYlpGePVd3I8KECgj3NXW+0UwCgYIKoZI +zj0EAwQDgYsAMIGHAkIBLdqu9S54tma4n7Zwf2Z0z+yOfP7AAXmazlIC58PRDHpt +y7Ve7hekm9sEdu4pKeiv+62sUvTXK9Z3hBC9xdIoaDQCQTV2WnXzkoYI9bIeCvZl +C9p2x1L/Cx6AcCIwwzPbGO2E14vs7dOoY4G1VnxHx1YwlGhza9IuqbnZLBwpvQy6 +uWWL +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIIFgDCCA2igAwIBAgIUHBjYz+VTPyI1RlNUJDxsR9FcSpwwDQYJKoZIhvcNAQEM BQAwWDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dp ZXMsIEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgUlNBIFJvb3QgQ0EwHhcN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/stunnel-5.76/tools/stunnel.service.in new/stunnel-5.77/tools/stunnel.service.in --- old/stunnel-5.76/tools/stunnel.service.in 2023-03-06 09:21:55.000000000 +0100 +++ new/stunnel-5.77/tools/stunnel.service.in 2025-11-07 12:43:18.000000000 +0100 
@@ -7,6 +7,7 @@ ExecStart=@bindir@/stunnel ExecReload=/bin/kill -HUP $MAINPID Type=forking +PrivateTmp=true [Install] WantedBy=multi-user.target
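Review bot: `PrivateTmp=true` gives the service its own `/tmp` and `/var/tmp`, so any stunnel configuration that references a path under those directories (a pid file, for instance) will no longer share it with other processes; that is the intended hardening, but the template carries no comment saying so. A line such as `# PrivateTmp isolates /tmp and /var/tmp from other processes` above the directive would help administrators who relied on shared paths. `ExecReload` via `kill -HUP $MAINPID` is unaffected by the namespace.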
