Hello,

I have managed to make stunnel build against libressl.

While working on it, i've triggered a segfault:

openbsd-arm64$ stunnel
Segmentation fault (core dumped)
openbsd-arm64$

...
So looked at the coredump to find clues:

Program received signal SIGSEGV, Segmentation fault.
prng_init (global=0xfb13b5ce8 <new_global_options>)
    at /usr/ports/pobj/stunnel-5.62/stunnel-5.62/src/ssl.c:357
357         if(meth->status==NULL || meth->add==NULL) {
(gdb)

Breakpoint 5, prng_init (global=0x8c4385ce8 <new_global_options>)
    at /usr/ports/pobj/stunnel-5.62/stunnel-5.62/src/ssl.c:354
354         const RAND_METHOD *meth=RAND_get_rand_method();

It has been fixed by wrapping the code path with
!defined(LIBRESSL_VERSION_NUMBER), RAND_*_rand_method() exist just for
ABI compatibility, the code fallback to "/dev/urandom" afterwards, but
would be great to use arc4random(3) instead, something like our
RAND_pseudo_bytes().

It builds and runs, but it has only been slightly tested; I don't have a fancy
setup, so tests are welcome.

Diff inline below.
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/stunnel/Makefile,v
retrieving revision 1.93
diff -u -p -u -p -r1.93 Makefile
--- Makefile    12 Jul 2019 20:49:37 -0000      1.93
+++ Makefile    2 Mar 2022 23:53:06 -0000
@@ -2,9 +2,8 @@
 
 COMMENT=       SSL encryption wrapper for standard network daemons
 
-DISTNAME=      stunnel-5.44
+DISTNAME=      stunnel-5.62
 CATEGORIES=    security
-REVISION=      2
 
 MAINTAINER=    Gleydson Soares <gsoa...@openbsd.org>
 
@@ -13,12 +12,11 @@ PERMIT_PACKAGE=     Yes
 
 WANTLIB += c crypto pthread ssl util
 
-HOMEPAGE=      http://www.stunnel.org/
+HOMEPAGE=      https://www.stunnel.org/
 
 MASTER_SITES=  https://www.stunnel.org/downloads/archive/5.x/ \
-               http://ftp.nluug.nl/pub/networking/stunnel/archive/5.x/ \
-               http://mirror.bit.nl/stunnel/archive/5.x/ \
-               ftp://ftp.stunnel.org/stunnel/archive/5.x/
+               https://ftp.nluug.nl/pub/networking/stunnel/ \
+               https://www.usenix.org.uk/mirrors/stunnel/
 
 SEPARATE_BUILD=                Yes
 CONFIGURE_STYLE=       gnu
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/stunnel/distinfo,v
retrieving revision 1.45
diff -u -p -u -p -r1.45 distinfo
--- distinfo    1 Dec 2017 00:08:44 -0000       1.45
+++ distinfo    2 Mar 2022 23:53:06 -0000
@@ -1,2 +1,2 @@
-SHA256 (stunnel-5.44.tar.gz) = mQoyXbtH132Idy3QL7vSfZGx/qPs52yf9EYeypPxIpk=
-SIZE (stunnel-5.44.tar.gz) = 699117
+SHA256 (stunnel-5.62.tar.gz) = nPW7lJAiqmbHNsEyZVTMon0GQWBaY3AnTtxJUetb0zk=
+SIZE (stunnel-5.62.tar.gz) = 862456
Index: patches/patch-Makefile_in
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-Makefile_in,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 patch-Makefile_in
--- patches/patch-Makefile_in   1 Dec 2017 00:08:44 -0000       1.15
+++ patches/patch-Makefile_in   2 Mar 2022 23:53:06 -0000
@@ -1,13 +1,14 @@
-$OpenBSD: patch-Makefile_in,v 1.15 2017/12/01 00:08:44 gsoares Exp $
+$OpenBSD$
+
 Index: Makefile.in
 --- Makefile.in.orig
 +++ Makefile.in
-@@ -364,7 +364,7 @@ top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
+@@ -371,7 +371,7 @@ top_srcdir = @top_srcdir@
+ with_bashcompdir = @with_bashcompdir@
+ AM_DISTCHECK_CONFIGURE_FLAGS = 
--with-bashcompdir='$$(datarootdir)/bash-completion/completions'
  ACLOCAL_AMFLAGS = -I m4
 -SUBDIRS = src doc tools tests
 +SUBDIRS = src doc tests
- EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \
-       INSTALL.FIPS build-android.sh .travis.yml
- doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \
+ doc_DATA = README.md TODO.md COPYING.md AUTHORS.md NEWS.md PORTS.md \
+       BUGS.md COPYRIGHT.md CREDITS.md INSTALL.W32.md INSTALL.WCE.md \
+       INSTALL.FIPS.md
Index: patches/patch-src_client_c
===================================================================
RCS file: patches/patch-src_client_c
diff -N patches/patch-src_client_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_client_c  2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,30 @@
+Index: src/client.c
+--- src/client.c.orig
++++ src/client.c
+@@ -750,7 +750,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiat
+ NOEXPORT void transfer(CLI *c) {
+     int timeout; /* s_poll_wait timeout in seconds */
+     int pending; /* either processed on unprocessed TLS data */
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     int has_pending=0, prev_has_pending;
+ #endif
+     int watchdog=0; /* a counter to detect an infinite loop */
+@@ -797,7 +797,7 @@ NOEXPORT void transfer(CLI *c) {
+ 
+         /****************************** wait for an event */
+         pending=SSL_pending(c->ssl);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         /* only attempt to process SSL_has_pending() data once */
+         prev_has_pending=has_pending;
+         has_pending=SSL_has_pending(c->ssl);
+@@ -1202,7 +1202,7 @@ NOEXPORT void transfer(CLI *c) {
+             s_log(LOG_ERR,
+                 "please report the problem to michal.trojn...@stunnel.org");
+             stunnel_info(LOG_ERR);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+             s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+                 SSL_get_version(c->ssl),
+                 SSL_pending(c->ssl), SSL_has_pending(c->ssl));
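Review bot: The guards added in all three src/client.c hunks test only whether `LIBRESSL_VERSION_NUMBER` is defined, so `SSL_has_pending()` stays compiled out for every LibreSSL release, including any later one that provides it. The same unversioned test appears in the src/common.h, src/ctx.c, src/options.c, src/ssl.c and src/tls.c patches, and inverted (`|| defined(LIBRESSL_VERSION_NUMBER)`) in src/prototypes.h, src/sthreads.c and src/tls.c. Where the reason is a missing API, a bounded form such as `(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= <first release with the API>)` would let the code come back on its own. Failing that, a one-line comment in each patch naming the missing symbol would help whoever updates the port next. transfer() begins and ends outside these hunks.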
Index: patches/patch-src_common_h
===================================================================
RCS file: patches/patch-src_common_h
diff -N patches/patch-src_common_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_common_h  2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/common.h
+--- src/common.h.orig
++++ src/common.h
+@@ -454,7 +454,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
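Review bot: The `$OpenBSD$` tag line is handled inconsistently across this diff. It is added at the top of this new patch and of patch-src_options_c, patch-src_prototypes_h, patch-src_sthreads_c and patch-Makefile_in, left out of the new patch-src_client_c, patch-src_ssl_c and patch-src_tls_c, and removed from patch-src_ctx_c, patch-tools_stunnel_conf-sample_in and pkg/PLIST. Regenerating every patch file in one run of the same tool would settle on a single form and keep later diffs of the patches directory free of tag-only noise.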
Index: patches/patch-src_ctx_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_ctx_c,v
retrieving revision 1.8
diff -u -p -u -p -r1.8 patch-src_ctx_c
--- patches/patch-src_ctx_c     19 Mar 2019 16:51:13 -0000      1.8
+++ patches/patch-src_ctx_c     2 Mar 2022 23:53:06 -0000
@@ -1,8 +1,34 @@
-$OpenBSD: patch-src_ctx_c,v 1.8 2019/03/19 16:51:13 jsing Exp $
 Index: src/ctx.c
 --- src/ctx.c.orig
 +++ src/ctx.c
-@@ -398,7 +398,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+@@ -91,7 +91,7 @@ NOEXPORT void set_prompt(const char *);
+ NOEXPORT int ui_retry();
+ 
+ /* session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+ NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+     const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+@@ -179,7 +179,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+     }
+     current_section=section; /* setup current section for callbacks */
+ 
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     /* set the security level */
+     if(section->security_level>=0) {
+         /* set the user-specified value */
+@@ -265,7 +265,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T
+ #endif
+ 
+     /* setup session tickets */
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+     SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+         decrypt_session_ticket_cb, NULL);
+ #endif /* OpenSSL 1.1.1 or later */
+@@ -539,7 +539,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
  /**************************************** initialize OpenSSL CONF */
  
  NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
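Review bot: In the context_init hunk (`@@ -179,7 +179,7 @@`) the new guard compiles out the block commented `/* set the security level */`, so on a LibreSSL build a value in `section->security_level` is presumably never applied to the context, and nothing visible here tells the administrator. If the option is still parsed (the relevant part of src/options.c is not shown), a configuration asking for a stricter level would be accepted and silently ignored. I would add a patch comment such as `/* LibreSSL: security level is not applied, securityLevel has no effect */` and mention it in the port's documentation, or log a warning when `section->security_level>=0`. The session-ticket callbacks are disabled by the same guard in this file, and context_init continues outside the hunk.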
@@ -11,3 +37,21 @@ Index: src/ctx.c
      SSL_CONF_CTX *cctx;
      NAME_LIST *curr;
      char *cmd, *param;
+@@ -1045,7 +1045,7 @@ NOEXPORT int ui_retry() {
+ 
+ /**************************************** session tickets */
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ typedef struct {
+     void *session_authenticated;
+@@ -1538,7 +1538,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where,
+ 
+     c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli);
+     if(c) {
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+         OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl);
+ #else
+         int state=SSL_get_state((SSL *)ssl);
Index: patches/patch-src_options_c
===================================================================
RCS file: patches/patch-src_options_c
diff -N patches/patch-src_options_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_options_c 2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/options.c
+--- src/options.c.orig
++++ src/options.c
+@@ -38,7 +38,7 @@
+ #include "common.h"
+ #include "prototypes.h"
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
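Review bot: With this guard a LibreSSL build takes the `#else` branch, so `DEFAULT_CURVES` becomes the single curve `"prime256v1"` instead of the five-entry list, and the `/* OpenSSL version < 1.1.1 */` comment on that branch no longer describes everyone who ends up there. That narrows the default key-exchange groups for every service that does not configure its own list. The patch should carry a comment saying why the longer list cannot be used (presumably one of its entries is rejected) and the `#else` comment should be updated to mention LibreSSL. Whether a shorter multi-curve default is possible depends on the ecdh_init branch in src/ctx.c, which is not visible here.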
Index: patches/patch-src_prototypes_h
===================================================================
RCS file: patches/patch-src_prototypes_h
diff -N patches/patch-src_prototypes_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_prototypes_h      2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Index: src/prototypes.h
+--- src/prototypes.h.orig
++++ src/prototypes.h
+@@ -736,7 +736,7 @@ int getnameinfo(const struct sockaddr *, socklen_t,
+ extern CLI *thread_head;
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_OS_THREADS
+ 
+@@ -787,7 +787,7 @@ typedef enum {
+ 
+ extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+ CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
+ int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *);
Index: patches/patch-src_ssl_c
===================================================================
RCS file: patches/patch-src_ssl_c
diff -N patches/patch-src_ssl_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_ssl_c     2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,46 @@
+Index: src/ssl.c
+--- src/ssl.c.orig
++++ src/ssl.c
+@@ -44,7 +44,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+     void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+     void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -87,7 +87,7 @@ int fips_available() { /* either FIPS provider or cont
+ }
+ 
+ int ssl_init(void) { /* init TLS before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     OPENSSL_INIT_SETTINGS *conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+     OPENSSL_INIT_set_config_filename(conf, "..\\config\\openssl.cnf");
+@@ -161,7 +161,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+         void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+         void *from_d, int idx, long argl, void *argp) {
+ #else
+@@ -351,6 +351,7 @@ NOEXPORT int compression_configure(GLOBAL_OPTIONS *glo
+ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
+     int totbytes=0;
+     char filename[256];
++#if !defined(LIBRESSL_VERSION_NUMBER)
+     const RAND_METHOD *meth=RAND_get_rand_method();
+ 
+     /* skip PRNG initialization when no seeding methods are available */
+@@ -363,6 +364,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
+         s_log(LOG_DEBUG, "No PRNG seeding was required");
+         return 0; /* success */
+     }
++#endif
+ 
+     /* if they specify a rand file on the command line we
+        assume that they really do want it, so try it first */
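Review bot: In the prng_init hunks the `#endif` sits after the `"No PRNG seeding was required"` early return, so on LibreSSL both early exits are compiled out and the function always continues into the rand-file seeding code that follows. The crash reported at `meth->status==NULL` suggests `RAND_get_rand_method()` returned NULL there. A narrower fix would be a NULL test, `if(meth==NULL || meth->status==NULL || meth->add==NULL) {`, which reuses the existing "no seeding methods are available" branch (its body is elided between the hunks, presumably a successful return) and needs no LibreSSL-specific guard. If the guard is kept, ending it before the second check would at least preserve that early return. The lines between the two inner hunks and the rest of prng_init are not visible here.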
Index: patches/patch-src_sthreads_c
===================================================================
RCS file: patches/patch-src_sthreads_c
diff -N patches/patch-src_sthreads_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sthreads_c        2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,33 @@
+$OpenBSD$
+
+Index: src/sthreads.c
+--- src/sthreads.c.orig
++++ src/sthreads.c
+@@ -120,7 +120,7 @@ void thread_id_init(void) {
+ /**************************************** locking */
+ 
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_PTHREAD
+ 
+@@ -279,7 +279,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO
+ 
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ #ifdef USE_OS_THREADS
+ 
+@@ -387,7 +387,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, 
+ 
+ void locking_init(void) {
+     size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++      (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+     size_t num;
+ 
+     /* initialize the OpenSSL static locking */
Index: patches/patch-src_tls_c
===================================================================
RCS file: patches/patch-src_tls_c
diff -N patches/patch-src_tls_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_tls_c     2 Mar 2022 23:53:06 -0000
@@ -0,0 +1,30 @@
+Index: src/tls.c
+--- src/tls.c.orig
++++ src/tls.c
+@@ -41,7 +41,7 @@
+ volatile int tls_initialized=0;
+ 
+ NOEXPORT void tls_platform_init();
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *);
+ #endif
+ 
+@@ -52,7 +52,7 @@ void tls_init() {
+     tls_platform_init();
+     tls_initialized=1;
+     ui_tls=tls_alloc(NULL, NULL, "ui");
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     CRYPTO_set_mem_functions(str_alloc_detached_debug,
+         str_realloc_detached_debug, str_free_debug);
+ #else
+@@ -184,7 +184,7 @@ TLS_DATA *tls_get() {
+ 
+ /**************************************** OpenSSL allocator hook */
+ 
+-#if OPENSSL_VERSION_NUMBER<0x10100000L
++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT void free_function(void *ptr) {
+     /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
+     /* unfortunately, OpenSSL provides no file:line information here */
Index: patches/patch-src_verify_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v
retrieving revision 1.6
diff -u -p -u -p -r1.6 patch-src_verify_c
--- patches/patch-src_verify_c  12 Sep 2017 16:15:24 -0000      1.6
+++ patches/patch-src_verify_c  2 Mar 2022 23:53:06 -0000
@@ -2,7 +2,7 @@ $OpenBSD: patch-src_verify_c,v 1.6 2017/
 Index: src/verify.c
 --- src/verify.c.orig
 +++ src/verify.c
-@@ -353,7 +353,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
+@@ -351,7 +351,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback
      cert=X509_STORE_CTX_get_current_cert(callback_ctx);
      subject=X509_get_subject_name(cert);
  
Index: patches/patch-tools_stunnel_conf-sample_in
===================================================================
RCS file: 
/cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 patch-tools_stunnel_conf-sample_in
--- patches/patch-tools_stunnel_conf-sample_in  12 Sep 2017 16:15:24 -0000      
1.16
+++ patches/patch-tools_stunnel_conf-sample_in  2 Mar 2022 23:53:06 -0000
@@ -1,4 +1,3 @@
-$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.16 2017/09/12 16:15:24 
gsoares Exp $
 Index: tools/stunnel.conf-sample.in
 --- tools/stunnel.conf-sample.in.orig
 +++ tools/stunnel.conf-sample.in
@@ -15,7 +14,7 @@ Index: tools/stunnel.conf-sample.in
  
  ; PID file is created inside the chroot jail (if enabled)
 -;pid = @localstatedir@/run/stunnel.pid
-+pid = /stunnel.pid
++;pid = /stunnel.pid
  
  ; Debugging stuff (may be useful for troubleshooting)
  ;foreground = yes
@@ -25,18 +24,16 @@ Index: tools/stunnel.conf-sample.in
  
  ; Enable FIPS 140-2 mode if needed for compliance
  ;fips = yes
-@@ -46,7 +47,7 @@
- ; * Include all configuration file fragments from the specified folder     *
- ; **************************************************************************
+@@ -54,38 +55,38 @@
  
--;include = @sysconfdir@/stunnel/conf.d
-+;include = ${SYSCONFDIR}/stunnel/conf.d
+ ; ***************************************** Example TLS client mode services
  
- ; **************************************************************************
- ; * Service definitions (remove all services for inetd mode)               *
-@@ -59,32 +60,32 @@
+-; The following examples use /etc/ssl/certs, which is the common location
++; The following examples use ${SYSCONFDIR}/ssl/certs, which is the common 
location
+ ; of a hashed directory containing trusted CA certificates.  This is not
  ; a hardcoded path of the stunnel package, as it is not related to the
- ; stunnel configuration in @sysconfdir@/stunnel/.
+-; stunnel configuration in @sysconfdir@/stunnel/.
++; stunnel configuration in ${SYSCONFDIR}/stunnel/.
  
 -[gmail-pop3]
 -client = yes
@@ -54,15 +51,7 @@ Index: tools/stunnel.conf-sample.in
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = pop.gmail.com
 +;OCSPaia = yes
- 
--[gmail-imap]
--client = yes
--accept = 127.0.0.1:143
--connect = imap.gmail.com:993
--verifyChain = yes
--CApath = /etc/ssl/certs
--checkHost = imap.gmail.com
--OCSPaia = yes
++;
 +;[gmail-imap]
 +;client = yes
 +;accept = 127.0.0.1:143
@@ -71,15 +60,7 @@ Index: tools/stunnel.conf-sample.in
 +;CApath = ${SYSCONFDIR}/ssl/certs
 +;checkHost = imap.gmail.com
 +;OCSPaia = yes
- 
--[gmail-smtp]
--client = yes
--accept = 127.0.0.1:25
--connect = smtp.gmail.com:465
--verifyChain = yes
--CApath = /etc/ssl/certs
--checkHost = smtp.gmail.com
--OCSPaia = yes
++;
 +;[gmail-smtp]
 +;client = yes
 +;accept = 127.0.0.1:25
@@ -89,38 +70,48 @@ Index: tools/stunnel.conf-sample.in
 +;checkHost = smtp.gmail.com
 +;OCSPaia = yes
  
+-[gmail-imap]
+-client = yes
+-accept = 127.0.0.1:143
+-connect = imap.gmail.com:993
+-verifyChain = yes
+-CApath = /etc/ssl/certs
+-checkHost = imap.gmail.com
+-OCSPaia = yes
+-
+-[gmail-smtp]
+-client = yes
+-accept = 127.0.0.1:25
+-connect = smtp.gmail.com:465
+-verifyChain = yes
+-CApath = /etc/ssl/certs
+-checkHost = smtp.gmail.com
+-OCSPaia = yes
+-
  ; Encrypted HTTP proxy authenticated with a client certificate
  ; located in a cryptographic token
-@@ -98,43 +99,43 @@ OCSPaia = yes
- 
- ; ***************************************** Example TLS server mode services
- 
--;[pop3s]
--;accept  = 995
--;connect = 110
+ ;[example-pkcs11]
+@@ -101,12 +102,12 @@ OCSPaia = yes
+ ;[pop3s]
+ ;accept  = 995
+ ;connect = 110
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+[pop3s]
-+accept  = 995
-+connect = 110
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
- 
--;[imaps]
--;accept  = 993
--;connect = 143
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+ 
+ ;[imaps]
+ ;accept  = 993
+ ;connect = 143
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+[imaps]
-+accept  = 993
-+connect = 143
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
- 
--;[ssmtp]
--;accept  = 465
--;connect = 25
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
+ 
+ ; Either only expose this service to trusted networks, or require
+ ; authentication when relaying emails originated from loopback.
+@@ -114,29 +115,29 @@ OCSPaia = yes
+ ;[ssmtp]
+ ;accept  = 465
+ ;connect = 25
 -;cert = @sysconfdir@/stunnel/stunnel.pem
-+[ssmtp]
-+accept  = 465
-+connect = 25
-+cert = ${SYSCONFDIR}/stunnel/stunnel.pem
++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
  
  ; TLS front-end to a web server
  ;[https]
@@ -140,7 +131,6 @@ Index: tools/stunnel.conf-sample.in
  ;accept = 1337
  ;exec = /bin/sh
  ;execArgs = sh -i
- ;ciphers = PSK
 -;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
 +;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
  
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/stunnel/pkg/PLIST,v
retrieving revision 1.13
diff -u -p -u -p -r1.13 PLIST
--- pkg/PLIST   14 Oct 2015 02:05:06 -0000      1.13
+++ pkg/PLIST   2 Mar 2022 23:53:06 -0000
@@ -1,7 +1,7 @@
-@comment $OpenBSD: PLIST,v 1.13 2015/10/14 02:05:06 gsoares Exp $
 @newgroup _stunnel:528
 @newuser _stunnel:528:_stunnel:daemon:stunnel 
account:/var/stunnel:/sbin/nologin
 @extra /var/stunnel/stunnel.pid
+@rcscript ${RCDIR}/stunnel
 @man man/man8/stunnel.8
 @bin sbin/stunnel
 sbin/stunnel3
@@ -11,5 +11,3 @@ share/examples/stunnel/stunnel.conf-samp
 @sample ${SYSCONFDIR}/stunnel/stunnel.conf
 @owner _stunnel
 @sample /var/stunnel/
-@owner
-@rcscript ${RCDIR}/stunnel
