Hi, Update for Stunnel to 5.23:
https://www.stunnel.org/sdf_ChangeLog.html Ok? Comments? Cheers.- -- Sending from my toaster.
Index: Makefile =================================================================== RCS file: /cvs/ports/security/stunnel/Makefile,v retrieving revision 1.77 diff -u -p -r1.77 Makefile --- Makefile 25 Jun 2015 14:44:30 -0000 1.77 +++ Makefile 25 Sep 2015 02:32:21 -0000 @@ -2,7 +2,7 @@ COMMENT= SSL encryption wrapper for standard network daemons -DISTNAME= stunnel-5.19 +DISTNAME= stunnel-5.23 CATEGORIES= security MAINTAINER= Gleydson Soares <[email protected]> Index: distinfo =================================================================== RCS file: /cvs/ports/security/stunnel/distinfo,v retrieving revision 1.35 diff -u -p -r1.35 distinfo --- distinfo 25 Jun 2015 14:44:30 -0000 1.35 +++ distinfo 25 Sep 2015 02:32:21 -0000 @@ -1,2 +1,2 @@ -SHA256 (stunnel-5.19.tar.gz) = C1QyQs8mZJrP3Z8A3lZMPo3nrCI31Tk1/9x+sk9NVW0= -SIZE (stunnel-5.19.tar.gz) = 620810 +SHA256 (stunnel-5.23.tar.gz) = D8SnAq/S6Fe66K0fOcUVRusoLD0P9PTVXWKuznMo3eo= +SIZE (stunnel-5.23.tar.gz) = 630943 Index: patches/patch-src_options_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_options_c,v retrieving revision 1.1 diff -u -p -r1.1 patch-src_options_c --- patches/patch-src_options_c 25 Jun 2015 14:44:30 -0000 1.1 +++ patches/patch-src_options_c 25 Sep 2015 02:32:21 -0000 @@ -3,9 +3,9 @@ $OpenBSD: patch-src_options_c,v 1.1 2015 use SSLv23_client_method() required to build with libressl since that it haven't TLS_client_method() for now. ---- src/options.c.orig Mon Jun 1 11:25:32 2015 -+++ src/options.c Mon Jun 22 02:20:12 2015 -@@ -2450,7 +2450,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O +--- src/options.c.orig Wed Sep 2 04:45:36 2015 ++++ src/options.c Thu Sep 24 20:05:16 2015 +@@ -2476,7 +2476,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O /* sslVersion */ switch(cmd) { case CMD_BEGIN: 
@@ -14,7 +14,7 @@ TLS_client_method() for now. section->client_method=(SSL_METHOD *)TLS_client_method(); section->server_method=(SSL_METHOD *)TLS_server_method(); #else -@@ -2462,7 +2462,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O +@@ -2488,7 +2488,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O if(strcasecmp(opt, "sslVersion")) break; if(!strcasecmp(arg, "all")) { Index: patches/patch-src_ssl_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_ssl_c,v retrieving revision 1.2 diff -u -p -r1.2 patch-src_ssl_c --- patches/patch-src_ssl_c 25 Jun 2015 14:44:30 -0000 1.2 +++ patches/patch-src_ssl_c 25 Sep 2015 02:32:21 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-src_ssl_c,v 1.2 2015/06/25 14:44:30 gsoares Exp $ ---- src/ssl.c.orig Tue Jun 16 10:16:35 2015 -+++ src/ssl.c Mon Jun 22 01:56:51 2015 -@@ -201,18 +201,6 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) { +--- src/ssl.c.orig Wed Sep 2 04:45:43 2015 ++++ src/ssl.c Thu Sep 24 20:05:16 2015 +@@ -208,18 +208,6 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) { } s_log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG"); #else Index: patches/patch-src_verify_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v retrieving revision 1.1 diff -u -p -r1.1 patch-src_verify_c --- patches/patch-src_verify_c 25 Jun 2015 14:44:30 -0000 1.1 +++ patches/patch-src_verify_c 25 Sep 2015 02:32:21 -0000 @@ -3,8 +3,8 @@ $OpenBSD: patch-src_verify_c,v 1.1 2015/ disable OpenSSL 1.0.2 X509_check_* functions, so it can build with libressl. ---- src/verify.c.orig Fri Jun 12 12:45:00 2015 -+++ src/verify.c Fri Jun 12 12:47:35 2015 +--- src/verify.c.orig Thu Aug 6 05:46:37 2015 ++++ src/verify.c Thu Sep 24 20:05:17 2015 
@@ -50,7 +50,7 @@ NOEXPORT int add_dir_lookup(X509_STORE *, char *); NOEXPORT int verify_callback(int, X509_STORE_CTX *); NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *); @@ -14,7 +14,7 @@ disable OpenSSL 1.0.2 X509_check_* funct NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *); #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ NOEXPORT int cert_check_local(X509_STORE_CTX *); -@@ -285,7 +285,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba +@@ -297,7 +297,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba } if(depth==0) { /* additional peer certificate checks */ @@ -23,7 +23,7 @@ disable OpenSSL 1.0.2 X509_check_* funct if(!cert_check_subject(c, callback_ctx)) return 0; /* reject */ #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ -@@ -296,7 +296,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba +@@ -308,7 +308,7 @@ NOEXPORT int cert_check(CLI *c, X509_STORE_CTX *callba return 1; /* accept */ } Index: patches/patch-tools_stunnel_conf-sample_in =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v retrieving revision 1.13 diff -u -p -r1.13 patch-tools_stunnel_conf-sample_in --- patches/patch-tools_stunnel_conf-sample_in 25 Jun 2015 14:44:30 -0000 1.13 +++ patches/patch-tools_stunnel_conf-sample_in 25 Sep 2015 02:32:21 -0000 
@@ -1,11 +1,9 @@ -$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.13 2015/06/25 14:44:30 gsoares Exp $ ---- tools/stunnel.conf-sample.in.orig Fri Jun 12 05:23:01 2015 -+++ tools/stunnel.conf-sample.in Mon Jun 22 02:02:57 2015 -@@ -7,17 +7,18 @@ - ; * Global options * +$OpenBSD$ +--- tools/stunnel.conf-sample.in.orig Thu Sep 24 20:16:54 2015 ++++ tools/stunnel.conf-sample.in Thu Sep 24 20:22:22 2015 +@@ -8,16 +8,16 @@ ; ************************************************************************** -+chroot = /var/stunnel/ ; It is recommended to drop root privileges if stunnel is started by root -;setuid = nobody -;setgid = @DEFAULT_GROUP@ @@ -24,7 +22,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes -@@ -37,7 +38,7 @@ +@@ -37,7 +37,7 @@ ; * Include all configuration file fragments from the specified folder * ; ************************************************************************** @@ -33,9 +31,9 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * -@@ -45,64 +46,64 @@ - - ; ***************************************** Example TLS client mode services +@@ -50,67 +50,67 @@ + ; a hardcoded path of the stunnel package, as it is not related to the + ; stunnel configuration in @sysconfdir@/stunnel/. -[gmail-pop3] -client = yes @@ -44,6 +42,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl -verify = 2 -CApath = /etc/ssl/certs -checkHost = pop.gmail.com +-OCSPaia = yes +;[gmail-pop3] +;client = yes +;accept = 127.0.0.1:110 @@ -51,6 +50,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +;verify = 2 +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = pop.gmail.com ++;OCSPaia = yes -[gmail-imap] -client = yes 
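Review bot: Dropping the `-+chroot = /var/stunnel/` addition from the global-options hunk (the `@@ -1,11 +1,9 @@` hunk here) means the shipped sample configuration no longer confines stunnel to a chroot by default, unless the upstream 5.23 sample now carries an equivalent line, which nothing in this diff shows. The cover message only mentions the version bump, so it is not clear whether this is intended. If it is deliberate (for example because the port no longer creates that directory), please say so in the commit message; otherwise re-add the line so the rebuilt patch still emits `+chroot = /var/stunnel/` after the global-options banner. The inner hunk header change from `-@@ -7,17 +7,18 @@` to `+@@ -8,16 +8,16 @@` confirms the patch now adds one line fewer.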
@@ -59,13 +59,15 @@ $OpenBSD: patch-tools_stunnel_conf-sampl -verify = 2 -CApath = /etc/ssl/certs -checkHost = imap.gmail.com +-OCSPaia = yes +;[gmail-imap] +;client = yes +;accept = 127.0.0.1:143 +;connect = imap.gmail.com:993 +;verify = 2 -+;CApath = ${SYSCONFDIR}/ssl/certs ++;CApath = /etc/ssl/certs +;checkHost = imap.gmail.com ++;OCSPaia = yes -[gmail-smtp] -client = yes @@ -74,13 +76,15 @@ $OpenBSD: patch-tools_stunnel_conf-sampl -verify = 2 -CApath = /etc/ssl/certs -checkHost = smtp.gmail.com +-OCSPaia = yes +;[gmail-smtp] +;client = yes +;accept = 127.0.0.1:25 +;connect = smtp.gmail.com:465 +;verify = 2 -+;CApath = ${SYSCONFDIR}/ssl/certs ++;CApath = /etc/ssl/certs +;checkHost = smtp.gmail.com ++;OCSPaia = yes ; ***************************************** Example TLS server mode services @@ -91,7 +95,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +[pop3s] +accept = 995 +connect = 110 -+cert = ${SYSCONFDIR}/ssl/stunnel.pem ++cert = ${SYSCONFDIR}/stunnel/stunnel.pem -;[imaps] -;accept = 993 @@ -100,7 +104,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +[imaps] +accept = 993 +connect = 143 -+cert = ${SYSCONFDIR}/ssl/stunnel.pem ++cert = ${SYSCONFDIR}/stunnel/stunnel.pem -;[ssmtp] -;accept = 465 @@ -109,14 +113,14 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +[ssmtp] +accept = 465 +connect = 25 -+cert = ${SYSCONFDIR}/ssl/stunnel.pem ++cert = ${SYSCONFDIR}/stunnel/stunnel.pem ; TLS front-end to a web server ;[https] ;accept = 443 ;connect = 80 -;cert = @sysconfdir@/stunnel/stunnel.pem -+;cert = ${SYSCONFDIR}/ssl/stunnel.pem ++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks 
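Review bot: The three Gmail client examples now disagree on the CA directory: the `-59` and `-74` hunks on this line change `;CApath = ${SYSCONFDIR}/ssl/certs` to `;CApath = /etc/ssl/certs` for `[gmail-imap]` and `[gmail-smtp]`, while the `-51` hunk on the preceding line leaves `[gmail-pop3]` at `;CApath = ${SYSCONFDIR}/ssl/certs`. These sections exist to be copied into a working config, so they should use one spelling; since the `cert =` lines in the `-91`, `-100` and `-109` hunks are being moved to `${SYSCONFDIR}/stunnel/stunnel.pem` in the same file, `${SYSCONFDIR}` is presumably substituted at build time and `+;CApath = ${SYSCONFDIR}/ssl/certs` looks like the intended form for all three. If `/etc/ssl/certs` is the deliberate choice, change the pop3 entry to match instead.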
@@ -124,13 +128,13 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; Remote shell protected with PSK-authenticated TLS -; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs -+; Create "${SYSCONFDIR}/ssl/secrets.txt" containing IDENTITY:KEY pairs ++; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs ;[shell] ;accept = 1337 ;exec = /bin/sh ;execArgs = sh -i ;ciphers = PSK -;PSKsecrets = @sysconfdir@/stunnel/secrets.txt -+;PSKsecrets = ${SYSCONFDIR}/ssl/secrets.txt ++;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt ; vim:ft=dosini
