Bug#928381: unblock: stunnel4/3:5.54~b3-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I am requesting permission to upload stunnel4/3:5.54~b3-1 to unstable
and to have it unblocked for testing migration. The reason is that
this is the first upstream version of stunnel that contains a fix for
a problem involving threads and OpenSSL that may lead to a crash in
certain situations - see #880659 for more information.

I am aware that new upstream versions are not usually allowed in during
a release freeze; however, the upstream author has said that the changes
in the stunnel internal operation to fix the thread interlock problem
are too extensive to be easily backported :(

Thanks in advance for your consideration, and keep up the great work!

unblock stunnel4/3:5.54~b3-1

G'luck,
Peter

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8), LANGUAGE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru stunnel4-5.50/build-android.sh stunnel4-5.54~b3/build-android.sh
--- stunnel4-5.50/build-android.sh	2018-12-01 16:03:29.000000000 +0200
+++ stunnel4-5.54~b3/build-android.sh	2019-04-13 16:58:50.000000000 +0300
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -ev
-VERSION=5.50
+VERSION=5.54
 DST=stunnel-$VERSION-android
 
 # install Android NDK on Arch Linux:
@@ -12,13 +12,14 @@
 # build OpenSSL:
 # export ANDROID_NDK=/usr/lib/android-ndk
 # export PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH
-# ./Configure no-shared --prefix=/opt/openssl-android android-arm
-# make && sudo make install
+# ./Configure no-shared --prefix=/opt/openssl-android android-arm -D__ANDROID_API__=14
+# make
+# sudo PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH make install
 
 # Debian does not deploy /etc/profile.d/android-ndk.sh
 test -d "$ANDROID_NDK" || ANDROID_NDK=/usr/lib/android-ndk
 
-ANDROID_SYSROOT=$ANDROID_NDK/platforms/android-23/arch-arm
+ANDROID_SYSROOT=$ANDROID_NDK/platforms/android-14/arch-arm
 export CPPFLAGS="--sysroot=$ANDROID_SYSROOT"
 export CFLAGS="--sysroot=$ANDROID_SYSROOT"
 export PATH="$ANDROID_NDK/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH"
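
Review bot: The Android API level 14 is now written out twice in this hunk, once in the commented ./Configure line (-D__ANDROID_API__=14) and once in ANDROID_SYSROOT (platforms/android-14), with nothing tying the two together. Suggest a single variable set next to VERSION and used for the sysroot path and mentioned in the comment, so the OpenSSL build and the stunnel build cannot drift to different API levels.
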
diff -Nru stunnel4-5.50/ChangeLog stunnel4-5.54~b3/ChangeLog
--- stunnel4-5.50/ChangeLog	2018-12-03 00:51:10.000000000 +0200
+++ stunnel4-5.54~b3/ChangeLog	2019-04-30 17:03:21.000000000 +0300
@@ -1,23 +1,64 @@
 stunnel change log
 
+Version 5.54, unreleased, urgency: LOW
+* New features
+  - New "ticketKeySecret" and "ticketMacSecret" options
+    to control confidentiality and integrity protection
+    of the issued session tickets.  These options allow
+    for session resumption on other nodes in a cluster.
+  - Added logging the list of active connections on
+    SIGUSR2 or with Windows GUI.
+  - Logging of the assigned bind address instead of the
+    requested bind address.
+* Bugfixes
+  - Service threads are terminated before OpenSSL cleanup
+    to prevent occasional stunnel crashes at shutdown.
+
+Version 5.53, 2019.04.10, urgency: HIGH
+* New features
+  - Android binary updated to support Android 4.x.
+* Bugfixes
+  - Fixed data transfer stalls introduced in stunnel 5.51.
+
+Version 5.52, 2019.04.08, urgency: HIGH
+* Bugfixes
+  - Fixed a transfer() loop bug introduced in stunnel 5.51.
+
+Version 5.51, 2019.04.04, urgency: MEDIUM
+* New features
+  - OpenSSL DLLs updated to version 1.1.1b.
+  - Hexadecimal PSK keys are automatically converted to binary.
+  - Session ticket support (requires OpenSSL 1.1.1 or later).
+    "connect" address persistence is currently unsupported
+    with session tickets.
+  - SMTP HELO before authentication (thx to Jacopo Giudici).
+  - New "curves" option to control the list of elliptic
+    curves in OpenSSL 1.1.0 and later.
+  - New "ciphersuites" option to control the list of
+    permitted TLS 1.3 ciphersuites.
+  - Include file name and line number in OpenSSL errors.
+  - Compatibility with the current OpenSSL 3.0.0-dev branch.
+  - Better performance with SSL_set_read_ahead()/SSL_pending().
+* Bugfixes
+  - Fixed PSKsecrets as a global option (thx to Teodor Robas).
+  - Fixed a memory allocation bug (thx to matanfih).
+
 Version 5.50, 2018.12.02, urgency: MEDIUM
 * New features
   - 32-bit Windows builds replaced with 64-bit builds.
   - OpenSSL DLLs updated to version 1.1.1.
   - Check whether "output" is not a relative file name.
-  - Major code cleanup in the configuration file parser.
   - Added sslVersion, sslVersionMin and sslVersionMax
     for OpenSSL 1.1.0 and later.
 * Bugfixes
   - Fixed PSK session resumption with TLS 1.3.
-  - Fixed a memory leak in WIN32 logging subsystem.
+  - Fixed a memory leak in the WIN32 logging subsystem.
   - Allow for zero value (ignored) TLS options.
-  - Partially refactored configuration file parsing
-    and logging subsystems for clearer code and minor
-	bugfixes.
+  - Partially refactored configuration file parsing and
+    logging subsystems for clearer code and minor bugfixes.
 * Caveats
   - We removed FIPS support from our standard builds.
-    FIPS will still be available with bespoke builds.
+    FIPS will still be available with custom builds.
 
 Version 5.49, 2018.09.03, urgency: MEDIUM
 * New features
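
Review bot: The top entry reads "Version 5.54, unreleased", and the range this diff covers crosses 5.51 through 5.53, where 5.52 and 5.53 are both HIGH-urgency fixes for regressions introduced in 5.51 (a transfer() loop bug and data transfer stalls). For a freeze exception it would help to say which of the 5.51 changes the thread/OpenSSL fix actually depends on. Separately, the already released 5.50 entry is edited after the fact: the "Major code cleanup in the configuration file parser" line is dropped, and a published entry is better left as it was.
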
@@ -394,7 +435,7 @@
   - Added a retry when sleep(3) was interrupted by a signal
     in the cron thread scheduler.
 
-Version 5.20, 2015.07.09, urgency: HIGH 
+Version 5.20, 2015.07.09, urgency: HIGH
 * Security bugfixes
   - OpenSSL DLLs updated to version 1.0.2d.
     https://www.openssl.org/news/secadv_20150709.txt
diff -Nru stunnel4-5.50/configure stunnel4-5.54~b3/configure
--- stunnel4-5.50/configure	2018-11-09 17:53:57.000000000 +0200
+++ stunnel4-5.54~b3/configure	2019-04-30 17:03:38.000000000 +0300
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for stunnel 5.50.
+# Generated by GNU Autoconf 2.69 for stunnel 5.54.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='stunnel'
 PACKAGE_TARNAME='stunnel'
-PACKAGE_VERSION='5.50'
-PACKAGE_STRING='stunnel 5.50'
+PACKAGE_VERSION='5.54'
+PACKAGE_STRING='stunnel 5.54'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1338,7 +1338,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures stunnel 5.50 to adapt to many kinds of systems.
+\`configure' configures stunnel 5.54 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1409,7 +1409,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of stunnel 5.50:";;
+     short | recursive ) echo "Configuration of stunnel 5.54:";;
    esac
   cat <<\_ACEOF
 
@@ -1528,7 +1528,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-stunnel configure 5.50
+stunnel configure 5.54
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2134,7 +2134,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by stunnel $as_me 5.50, which was
+It was created by stunnel $as_me 5.54, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3003,7 +3003,7 @@
 
 # Define the identity of the package.
  PACKAGE='stunnel'
- VERSION='5.50'
+ VERSION='5.54'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -16343,6 +16343,26 @@
 
 fi
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether DH parameters need to be updated" >&5
+$as_echo_n "checking whether DH parameters need to be updated... " >&6; }
+# only build src/dhparam.c if sources are located in the current directory
+if test -f src/stunnel.c && ! grep -q " built for $PACKAGE_STRING " src/dhparam.c; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+    (
+        echo '/* dhparam.c: initial DH parameters for stunnel */'
+        echo '#include "common.h"'
+        echo '#ifndef OPENSSL_NO_DH'
+        echo '#define DN_new DH_new'
+        openssl dhparam -noout -C 2048 | sed 's/static DH/DH/'
+        echo '#endif /* OPENSSL_NO_DH */'
+        echo "/* built for $PACKAGE_STRING */"
+    ) > src/dhparam.c
+else
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
 SYSROOT="$lt_sysroot"
 CPPFLAGS="$valid_CPPFLAGS"
 LIBS="$valid_LIBS"
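
Review bot: The added block runs "openssl dhparam -noout -C 2048" during configure and writes the result into src/dhparam.c in the source tree, so whenever the " built for $PACKAGE_STRING " marker is absent the build depends on an openssl binary in PATH and embeds freshly generated parameters, which makes two builds of the same source differ. For the package, confirm that the shipped src/dhparam.c already carries the 5.54 marker so this branch is not taken at build time. The grep also runs without -s and without a test -f on src/dhparam.c, so a missing file prints an error into the configure output before the branch is taken.
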
@@ -16881,7 +16901,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by stunnel $as_me 5.50, which was
+This file was extended by stunnel $as_me 5.54, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -16947,7 +16967,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-stunnel config.status 5.50
+stunnel config.status 5.54
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru stunnel4-5.50/configure.ac stunnel4-5.54~b3/configure.ac
--- stunnel4-5.50/configure.ac	2018-11-09 17:53:43.000000000 +0200
+++ stunnel4-5.54~b3/configure.ac	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 # Process this file with autoconf to produce a configure script.
 
-AC_INIT([stunnel],[5.50])
+AC_INIT([stunnel],[5.54])
 AC_MSG_NOTICE([**************************************** initialization])
 AC_CONFIG_AUX_DIR(auto)
 AC_CONFIG_MACRO_DIR([m4])
@@ -191,7 +191,7 @@
 AC_INCLUDES_DEFAULT
 #include <sys/socket.h>
     ])
-AC_CHECK_HEADERS([linux/netfilter_ipv4.h], , , 
+AC_CHECK_HEADERS([linux/netfilter_ipv4.h], , ,
     [
 #include <limits.h>
 #include <linux/types.h>
@@ -448,7 +448,7 @@
 AC_MSG_ERROR([
 Could not find your TLS library installation dir
 Use --with-ssl option to fix this problem
-]) 
+])
 fi
 AC_MSG_RESULT([$SSLDIR])
 AC_SUBST([SSLDIR])
@@ -466,6 +466,23 @@
     ])
 fi
 
+AC_MSG_CHECKING([whether DH parameters need to be updated])
+# only build src/dhparam.c if sources are located in the current directory
+if test -f src/stunnel.c && ! grep -q " built for $PACKAGE_STRING " src/dhparam.c; then
+    AC_MSG_RESULT([yes])
+    (
+        echo '/* dhparam.c: initial DH parameters for stunnel */'
+        echo '#include "common.h"'
+        echo '#ifndef OPENSSL_NO_DH'
+        echo '#define DN_new DH_new'
+        openssl dhparam -noout -C 2048 | sed 's/static DH/DH/'
+        echo '#endif /* OPENSSL_NO_DH */'
+        echo "/* built for $PACKAGE_STRING */"
+    ) > src/dhparam.c
+else
+    AC_MSG_RESULT([no])
+fi
+
 SYSROOT="$lt_sysroot"
 CPPFLAGS="$valid_CPPFLAGS"
 LIBS="$valid_LIBS"
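
Review bot: In the added DH block the exit status of "openssl dhparam -noout -C 2048 | sed ..." is never checked, and the last command in the subshell is the echo that writes the "built for" marker. If openssl is missing or fails, src/dhparam.c is still written with the header, the #define and the marker but without parameters, and the next configure run finds the marker and answers "no". Suggest generating into a temporary file and moving it into place only on success, with AC_MSG_ERROR otherwise. The line echo '#define DN_new DH_new' also needs a comment saying what it works around.
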
diff -Nru stunnel4-5.50/COPYING stunnel4-5.54~b3/COPYING
--- stunnel4-5.50/COPYING	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/COPYING	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
 
-Copyright (C) 1998-2018 Michal Trojnara
+Copyright (C) 1998-2019 Michal Trojnara
 
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
diff -Nru stunnel4-5.50/debian/changelog stunnel4-5.54~b3/debian/changelog
--- stunnel4-5.50/debian/changelog	2019-03-02 22:53:48.000000000 +0200
+++ stunnel4-5.54~b3/debian/changelog	2019-05-01 15:55:31.000000000 +0300
@@ -1,3 +1,19 @@
+stunnel4 (3:5.54~b3-1) experimental; urgency=medium
+
+  * New upstream beta version.
+
+ -- Peter Pentchev <roam@debian.org>  Wed, 01 May 2019 15:55:31 +0300
+
+stunnel4 (3:5.54~b2-1) experimental; urgency=medium
+
+  * New upstream beta version:
+    - includes a reworking of the interoperation between pthreads and
+      OpenSSL, thus Closes: #880659
+    - refresh the 02-rename-binary and 04-restore-pidfile-default patches
+    - add the 05-typos patch to correct a typographical error
+
+ -- Peter Pentchev <roam@debian.org>  Tue, 30 Apr 2019 15:34:24 +0300
+
 stunnel4 (3:5.50-3) unstable; urgency=medium
 
   * Correct the name of the Debian branch in the git-buildpackage config.
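
Review bot: Both new entries target experimental, while the request above is for an upload to unstable; the version to be unblocked needs a changelog entry with unstable as its distribution. The "Closes: #880659" line in the 5.54~b2-1 entry is the whole justification for the exception, so it should say which upstream ChangeLog item it corresponds to.
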
diff -Nru stunnel4-5.50/debian/patches/02-rename-binary.patch stunnel4-5.54~b3/debian/patches/02-rename-binary.patch
--- stunnel4-5.50/debian/patches/02-rename-binary.patch	2018-12-06 11:57:19.000000000 +0200
+++ stunnel4-5.54~b3/debian/patches/02-rename-binary.patch	2019-05-01 15:18:33.000000000 +0300
@@ -71,7 +71,7 @@
  connect=$REMOTE_HOST
 --- a/doc/Makefile.am
 +++ b/doc/Makefile.am
-@@ -15,11 +15,11 @@
+@@ -16,11 +16,11 @@
  
  .pod.in.8.in:
  	pod2man -u -n stunnel -s 8 -r $(VERSION) \
@@ -92,9 +92,9 @@
  .\" ========================================================================
  .\"
 -.IX Title "stunnel 8"
--.TH stunnel 8 "2018.12.02" "5.50" "stunnel TLS Proxy"
+-.TH stunnel 8 "2019.04.30" "5.54" "stunnel TLS Proxy"
 +.IX Title "stunnel4 8"
-+.TH stunnel 8 "2018.12.02" "5.50" "stunnel4 TLS Proxy"
++.TH stunnel 8 "2019.04.30" "5.54" "stunnel4 TLS Proxy"
  .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
  .\" way too many mistakes in technical documents.
  .if n .ad l
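
Review bot: The .TH line carried inside this patch embeds the upstream release date and version ("2019.04.30" "5.54"), so 02-rename-binary.patch has to be refreshed on every upstream release even when nothing about the rename changes. Since doc/Makefile.am has a pod2man rule for .pod.in to .8.in, patching only the pod source and regenerating would avoid that. Also, the patched result changes the .IX title to "stunnel4 8" but leaves ".TH stunnel 8"; if the page is meant to be stunnel4(8), the .TH name should match.
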
diff -Nru stunnel4-5.50/debian/patches/04-restore-pidfile-default.patch stunnel4-5.54~b3/debian/patches/04-restore-pidfile-default.patch
--- stunnel4-5.50/debian/patches/04-restore-pidfile-default.patch	2018-12-06 12:01:32.000000000 +0200
+++ stunnel4-5.54~b3/debian/patches/04-restore-pidfile-default.patch	2019-05-01 15:18:50.000000000 +0300
@@ -11,7 +11,7 @@
 Last-Update: 2018-12-06
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
-@@ -44,6 +44,7 @@
+@@ -33,6 +33,7 @@
  stunnel_CPPFLAGS += -I$(SSLDIR)/include
  stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
  stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
@@ -21,7 +21,7 @@
  stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
 --- a/src/options.c
 +++ b/src/options.c
-@@ -1025,7 +1025,7 @@
+@@ -1044,7 +1044,7 @@
  #ifndef USE_WIN32
      switch(cmd) {
      case CMD_SET_DEFAULTS:
@@ -30,7 +30,7 @@
          break;
      case CMD_SET_COPY: /* not used for global options */
          break;
-@@ -1049,9 +1049,10 @@
+@@ -1068,9 +1068,10 @@
              return "Pid file must include full path name";
          break;
      case CMD_PRINT_DEFAULTS:
diff -Nru stunnel4-5.50/debian/patches/05-typos.patch stunnel4-5.54~b3/debian/patches/05-typos.patch
--- stunnel4-5.50/debian/patches/05-typos.patch	1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.54~b3/debian/patches/05-typos.patch	2019-04-30 12:36:11.000000000 +0300
@@ -0,0 +1,38 @@
+Description: Correct a typographical error.
+Forwarded: no
+Author: Peter Pentchev <roam@ringlet.net>
+Last-Update: 2019-04-30
+
+--- a/doc/stunnel.8.in
++++ b/doc/stunnel.8.in
+@@ -414,7 +414,7 @@
+ .IX Item "ciphersuites = CIPHERSUITES_LIST"
+ select permitted TLSv1.3 ciphersuites
+ .Sp
+-A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.
++A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.
+ .Sp
+ This option requires OpenSSL 1.1.1 or later.
+ .Sp
+--- a/doc/stunnel.html.in
++++ b/doc/stunnel.html.in
+@@ -504,7 +504,7 @@
+ 
+ <p>select permitted TLSv1.3 ciphersuites</p>
+ 
+-<p>A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.</p>
++<p>A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.</p>
+ 
+ <p>This option requires OpenSSL 1.1.1 or later.</p>
+ 
+--- a/doc/stunnel.pod.in
++++ b/doc/stunnel.pod.in
+@@ -438,7 +438,7 @@
+ 
+ select permitted TLSv1.3 ciphersuites
+ 
+-A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.
++A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.
+ 
+ This option requires OpenSSL 1.1.1 or later.
+ 
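
Review bot: The header says "Forwarded: no" for a one-word spelling fix that applies upstream unchanged; forwarding it would let the patch be dropped at the next release. The fix is applied to stunnel.8.in and stunnel.html.in as well as to stunnel.pod.in, and patching only the pod source and regenerating the other two would keep this to one hunk. The corrected sentence still reads "ciphersuites names".
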
diff -Nru stunnel4-5.50/debian/patches/series stunnel4-5.54~b3/debian/patches/series
--- stunnel4-5.50/debian/patches/series	2018-12-06 16:41:27.000000000 +0200
+++ stunnel4-5.54~b3/debian/patches/series	2019-04-30 12:34:00.000000000 +0300
@@ -2,3 +2,4 @@
 02-rename-binary.patch
 03-runas-user.patch
 04-restore-pidfile-default.patch
+05-typos.patch
diff -Nru stunnel4-5.50/doc/Makefile.am stunnel4-5.54~b3/doc/Makefile.am
--- stunnel4-5.50/doc/Makefile.am	2018-06-08 20:30:06.000000000 +0300
+++ stunnel4-5.54~b3/doc/Makefile.am	2019-04-10 21:17:21.000000000 +0300
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
 EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
@@ -9,7 +9,8 @@
 docdir = $(datadir)/doc/stunnel
 doc_DATA = stunnel.html stunnel.pl.html
 
-CLEANFILES = $(man_MANS) $(doc_DATA)
+CLEANFILES = $(man_MANS)
+DISTCLEANFILES = $(doc_DATA)
 
 SUFFIXES = .pod.in .8.in .html.in
 
diff -Nru stunnel4-5.50/doc/Makefile.in stunnel4-5.54~b3/doc/Makefile.in
--- stunnel4-5.50/doc/Makefile.in	2018-11-09 17:53:56.000000000 +0200
+++ stunnel4-5.54~b3/doc/Makefile.in	2019-04-30 17:03:37.000000000 +0300
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
@@ -285,7 +285,8 @@
 	stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
 man_MANS = stunnel.8 stunnel.pl.8
 doc_DATA = stunnel.html stunnel.pl.html
-CLEANFILES = $(man_MANS) $(doc_DATA)
+CLEANFILES = $(man_MANS)
+DISTCLEANFILES = $(doc_DATA)
 SUFFIXES = .pod.in .8.in .html.in
 edit = sed \
 	-e 's|@bindir[@]|$(bindir)|g' \
@@ -466,6 +467,7 @@
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
diff -Nru stunnel4-5.50/doc/stunnel.8.in stunnel4-5.54~b3/doc/stunnel.8.in
--- stunnel4-5.50/doc/stunnel.8.in	2018-12-03 00:47:20.000000000 +0200
+++ stunnel4-5.54~b3/doc/stunnel.8.in	2019-04-30 17:04:19.000000000 +0300
@@ -67,7 +67,7 @@
 .\" ========================================================================
 .\"
 .IX Title "stunnel 8"
-.TH stunnel 8 "2018.12.02" "5.50" "stunnel TLS Proxy"
+.TH stunnel 8 "2019.04.30" "5.54" "stunnel TLS Proxy"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -404,10 +404,21 @@
 This option requires OpenSSL 1.0.2 or later.
 .IP "\fBciphers\fR = \s-1CIPHER_LIST\s0" 4
 .IX Item "ciphers = CIPHER_LIST"
-Select permitted \s-1TLS\s0 ciphers
+select permitted \s-1TLS\s0 ciphers (TLSv1.2 and below)
+.Sp
+This option does not impact TLSv1.3 ciphersuites.
 .Sp
 A colon-delimited list of the ciphers to allow in the \s-1TLS\s0 connection,
 for example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5.\s0
+.IP "\fBciphersuites\fR = \s-1CIPHERSUITES_LIST\s0" 4
+.IX Item "ciphersuites = CIPHERSUITES_LIST"
+select permitted TLSv1.3 ciphersuites
+.Sp
+A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.
+.Sp
+This option requires OpenSSL 1.1.1 or later.
+.Sp
+default: \s-1TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256\s0
 .IP "\fBclient\fR = yes | no" 4
 .IX Item "client = yes | no"
 client mode (remote service uses \s-1TLS\s0)
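
Review bot: The consequence of the new sentence "This option does not impact TLSv1.3 ciphersuites" is left unstated: a configuration that restricts only "ciphers" keeps the default "ciphersuites" list for TLSv1.3. Suggest a cross-reference from "ciphers" to "ciphersuites" saying that both have to be set to constrain every protocol version. The "ciphers" example in the context lines still shows DES-CBC3-SHA:IDEA-CBC-MD5, which is a poor model for readers to copy, and "perference" in the added text is the typo that 05-typos.patch then corrects.
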
@@ -454,9 +465,11 @@
 .Sp
 This file contains multiple CRLs, used with the \fIverifyChain\fR and
 \&\fIverifyPeer\fR options.
-.IP "\fBcurve\fR = \s-1NID\s0" 4
-.IX Item "curve = NID"
-specify \s-1ECDH\s0 curve name
+.IP "\fBcurves\fR = list" 4
+.IX Item "curves = list"
+\&\s-1ECDH\s0 curves separated with ':'
+.Sp
+Only a single curve name is allowed for OpenSSL older than 1.1.0.
 .Sp
 To get a list of supported curves use:
 .Sp
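
Review bot: The "curve" entry is removed from the manual and replaced by "curves" with no statement on whether existing configurations that set "curve" are still accepted. Suggest one sentence on compatibility (alias kept, or configuration error), since this decides whether an upgrade breaks a running service.
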
@@ -464,7 +477,13 @@
 \&    openssl ecparam \-list_curves
 .Ve
 .Sp
-default: prime256v1
+default:
+.Sp
+.Vb 1
+\&    X25519:P\-256:X448:P\-521:P\-384 (OpenSSL 1.1.1 or later)
+\&
+\&    prime256v1 (OpenSSL older than 1.1.1)
+.Ve
 .IP "\fBlogId\fR = \s-1TYPE\s0" 4
 .IX Item "logId = TYPE"
 connection identifier type
@@ -772,8 +791,10 @@
 \&    IDENTITY:KEY
 .Ve
 .Sp
-The key is required to be at least 20 characters long.
-The file should not be world-readable nor world-writable.
+Hexadecimal keys are automatically converted to binary form.
+Keys are required to be at least 16 bytes long, which implies
+at least 32 characters for hexadecimal keys.
+The file should neither be world-readable nor world-writable.
 .IP "\fBpty\fR = yes | no (Unix only)" 4
 .IX Item "pty = yes | no (Unix only)"
 allocate a pseudoterminal for 'exec' option
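
Review bot: "Hexadecimal keys are automatically converted to binary form" changes which key is used for an existing PSKsecrets file whose key happens to consist only of hex digits, and the text does not say how a key is recognised as hexadecimal or how to keep it literal. Both peers must interpret the key the same way, so this deserves an explicit upgrade note. The minimum length also changes from 20 characters to 16 bytes without comment.
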
@@ -968,6 +989,32 @@
 Insufficient thread stack size may cause application crashes.
 .Sp
 default: 65536 bytes (sufficient for all platforms we tested)
+.IP "\fBticketKeySecret\fR = \s-1SECRET\s0" 4
+.IX Item "ticketKeySecret = SECRET"
+hexadecimal symmetric key used by the server for handling session tickets
+.Sp
+Session tickets, defined in \s-1RFC 5077\s0 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state.
+.Sp
+Combining options \fIticketKeySecret\fR and \fIticketMacSecret\fR allows to resume the session on the server cluster, resume the session after server restart.
+.Sp
+The key is required to be 16 or 32 bytes long, which implies exactly 16 or 32 two-character hex \*(L"bytes\*(R" separated by colons.
+.Sp
+This option only works in server mode.
+.Sp
+The \fIticketKeySecret\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
+.Sp
+Disabling \fI\s-1NO_TICKET\s0\fR option is required for the ticket support in OpenSSL older than 1.1.1, but note that this option is incompatible with the \fIredirect\fR option.
+.IP "\fBticketMacSecret\fR = \s-1SECRET\s0" 4
+.IX Item "ticketMacSecret = SECRET"
+hexadecimal symmetric key used by the server to authenticate and protect the integrity of session tickets
+.Sp
+Session ticket is protected using a strong integrity protection algorithm such as a keyed \s-1HMAC\-SHA\-256.\s0
+.Sp
+The key is required to be 16 or 32 bytes long, which implies exactly 16 or 32 two-character hex \*(L"bytes\*(R" separated by colons.
+.Sp
+This option only works in server mode.
+.Sp
+The \fIticketMacSecret\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and later.
 .IP "\fBTIMEOUTbusy\fR = \s-1SECONDS\s0" 4
 .IX Item "TIMEOUTbusy = SECONDS"
 time to wait for expected data
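
Review bot: The added text says ticketKeySecret and ticketMacSecret are "only available when compiled with OpenSSL 1.0.0 and later", while the ChangeLog in this same diff says session ticket support requires OpenSSL 1.1.1 or later; one of the two needs correcting, or the difference explaining. These options put long-lived symmetric secrets into the configuration file, yet unlike the PSKsecrets text there is no sentence on file permissions or on replacing the keys. The sentence "allows to resume the session on the server cluster, resume the session after server restart" also needs rewording.
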
@@ -1167,6 +1214,9 @@
 .IX Item "SIGUSR1"
 Close and reopen the \fBstunnel\fR log file.
 This function can be used for log rotation.
+.IP "\s-1SIGUSR2\s0" 4
+.IX Item "SIGUSR2"
+Log the list of active connections.
 .IP "\s-1SIGTERM, SIGQUIT, SIGINT\s0" 4
 .IX Item "SIGTERM, SIGQUIT, SIGINT"
 Shut \fBstunnel\fR down.
diff -Nru stunnel4-5.50/doc/stunnel.html.in stunnel4-5.54~b3/doc/stunnel.html.in
--- stunnel4-5.50/doc/stunnel.html.in	2018-12-03 00:47:21.000000000 +0200
+++ stunnel4-5.54~b3/doc/stunnel.html.in	2019-04-30 17:04:19.000000000 +0300
@@ -492,11 +492,25 @@
 <dt id="ciphers-CIPHER_LIST"><b>ciphers</b> = CIPHER_LIST</dt>
 <dd>
 
-<p>Select permitted TLS ciphers</p>
+<p>select permitted TLS ciphers (TLSv1.2 and below)</p>
+
+<p>This option does not impact TLSv1.3 ciphersuites.</p>
 
 <p>A colon-delimited list of the ciphers to allow in the TLS connection, for example DES-CBC3-SHA:IDEA-CBC-MD5.</p>
 
 </dd>
+<dt id="ciphersuites-CIPHERSUITES_LIST"><b>ciphersuites</b> = CIPHERSUITES_LIST</dt>
+<dd>
+
+<p>select permitted TLSv1.3 ciphersuites</p>
+
+<p>A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.</p>
+
+<p>This option requires OpenSSL 1.1.1 or later.</p>
+
+<p>default: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256</p>
+
+</dd>
 <dt id="client-yes-no"><b>client</b> = yes | no</dt>
 <dd>
 
@@ -549,16 +563,22 @@
 <p>This file contains multiple CRLs, used with the <i>verifyChain</i> and <i>verifyPeer</i> options.</p>
 
 </dd>
-<dt id="curve-NID"><b>curve</b> = NID</dt>
+<dt id="curves-list"><b>curves</b> = list</dt>
 <dd>
 
-<p>specify ECDH curve name</p>
+<p>ECDH curves separated with &#39;:&#39;</p>
+
+<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p>
 
 <p>To get a list of supported curves use:</p>
 
 <pre><code>    openssl ecparam -list_curves</code></pre>
 
-<p>default: prime256v1</p>
+<p>default:</p>
+
+<pre><code>    X25519:P-256:X448:P-521:P-384 (OpenSSL 1.1.1 or later)
+
+    prime256v1 (OpenSSL older than 1.1.1)</code></pre>
 
 </dd>
 <dt id="logId-TYPE"><b>logId</b> = TYPE</dt>
@@ -929,7 +949,7 @@
 
 <pre><code>    IDENTITY:KEY</code></pre>
 
-<p>The key is required to be at least 20 characters long. The file should not be world-readable nor world-writable.</p>
+<p>Hexadecimal keys are automatically converted to binary form. Keys are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal keys. The file should neither be world-readable nor world-writable.</p>
 
 </dd>
 <dt id="pty-yes-no-Unix-only"><b>pty</b> = yes | no (Unix only)</dt>
@@ -1147,6 +1167,38 @@
 <p>default: 65536 bytes (sufficient for all platforms we tested)</p>
 
 </dd>
+<dt id="ticketKeySecret-SECRET"><b>ticketKeySecret</b> = SECRET</dt>
+<dd>
+
+<p>hexadecimal symmetric key used by the server for handling session tickets</p>
+
+<p>Session tickets, defined in RFC 5077 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state.</p>
+
+<p>Combining options <i>ticketKeySecret</i> and <i>ticketMacSecret</i> allows to resume the session on the server cluster, resume the session after server restart.</p>
+
+<p>The key is required to be 16 or 32 bytes long, which implies exactly 16 or 32 two-character hex &quot;bytes&quot; separated by colons.</p>
+
+<p>This option only works in server mode.</p>
+
+<p>The <i>ticketKeySecret</i> option is only available when compiled with <b>OpenSSL 1.0.0</b> and later.</p>
+
+<p>Disabling <i>NO_TICKET</i> option is required for the ticket support in OpenSSL older than 1.1.1, but note that this option is incompatible with the <i>redirect</i> option.</p>
+
+</dd>
+<dt id="ticketMacSecret-SECRET"><b>ticketMacSecret</b> = SECRET</dt>
+<dd>
+
+<p>hexadecimal symmetric key used by the server to authenticate and protect the integrity of session tickets</p>
+
+<p>Session ticket is protected using a strong integrity protection algorithm such as a keyed HMAC-SHA-256.</p>
+
+<p>The key is required to be 16 or 32 bytes long, which implies exactly 16 or 32 two-character hex &quot;bytes&quot; separated by colons.</p>
+
+<p>This option only works in server mode.</p>
+
+<p>The <i>ticketMacSecret</i> option is only available when compiled with <b>OpenSSL 1.0.0</b> and later.</p>
+
+</dd>
 <dt id="TIMEOUTbusy-SECONDS"><b>TIMEOUTbusy</b> = SECONDS</dt>
 <dd>
 
@@ -1411,6 +1463,12 @@
 <p>Close and reopen the <b>stunnel</b> log file. This function can be used for log rotation.</p>
 
 </dd>
+<dt id="SIGUSR2">SIGUSR2</dt>
+<dd>
+
+<p>Log the list of active connections.</p>
+
+</dd>
 <dt id="SIGTERM-SIGQUIT-SIGINT">SIGTERM, SIGQUIT, SIGINT</dt>
 <dd>
 
diff -Nru stunnel4-5.50/doc/stunnel.pl.8.in stunnel4-5.54~b3/doc/stunnel.pl.8.in
--- stunnel4-5.50/doc/stunnel.pl.8.in	2018-12-03 00:47:20.000000000 +0200
+++ stunnel4-5.54~b3/doc/stunnel.pl.8.in	2019-04-30 17:04:20.000000000 +0300
@@ -67,7 +67,7 @@
 .\" ========================================================================
 .\"
 .IX Title "stunnel 8"
-.TH stunnel 8 "2018.12.02" "5.50" "stunnel TLS Proxy"
+.TH stunnel 8 "2019.04.30" "5.54" "stunnel TLS Proxy"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -413,10 +413,21 @@
 Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.
 .IP "\fBciphers\fR = LISTA_SZYFRÓW" 4
 .IX Item "ciphers = LISTA_SZYFRÓW"
-lista dozwolonych szyfrów \s-1TLS\s0
+lista dozwolonych szyfrów dla protokołów SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+.Sp
+Ta opcja nie wpływa na listę parametrów kryptograficznych dla protokołu TLSv1.3
 .Sp
 Parametrem tej opcji jest lista szyfrów, które będą użyte przy
 otwieraniu nowych połączeń \s-1TLS,\s0 np.:  \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
+.IP "\fBciphersuites\fR = LISTA_PARAMETRÓW_KRYPTOGRAFICZNYCH" 4
+.IX Item "ciphersuites = LISTA_PARAMETRÓW_KRYPTOGRAFICZNYCH"
+lista dozwolonych parametrów kryptograficznych dla protokołu TLSv1.3
+.Sp
+Parametrem tej opcji są listy parametrów kryptograficznych w kolejności ich preferowania.
+.Sp
+Opcja \fIciphersuites\fR jest dostępna począwszy od \fBOpenSSL 1.1.1\fR.
+.Sp
+domyślnie: \s-1TLS_CHACHA20_POLY1305_SHA256: TLS_AES_256_GCM_SHA384: TLS_AES_128_GCM_SHA256\s0
 .IP "\fBclient\fR = yes | no" 4
 .IX Item "client = yes | no"
 tryb kliencki (zdalna usługa używa \s-1TLS\s0)
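
Review bot: The Polish default for ciphersuites is written with a space after each colon ("TLS_CHACHA20_POLY1305_SHA256: TLS_AES_256_GCM_SHA384: TLS_AES_128_GCM_SHA256"), unlike the English page, so a reader copying it gets a different string from the documented default. Suggest removing the spaces to match the English text.
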
@@ -464,9 +475,11 @@
 .Sp
 Opcja pozwala określić położenie pliku zawierającego listy \s-1CRL\s0 używane
 przez opcje \fIverifyChain\fR i \fIverifyPeer\fR.
-.IP "\fBcurve\fR = \s-1NID\s0" 4
-.IX Item "curve = NID"
-krzywa dla \s-1ECDH\s0
+.IP "\fBcurves\fR = lista" 4
+.IX Item "curves = lista"
+krzywe \s-1ECDH\s0 odddzielone ':'
+.Sp
+Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
 .Sp
 Listę dostępnych krzywych można uzyskać poleceniem:
 .Sp
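
Review bot: Typo in the added line describing the "curves" option: "odddzielone" has three d's and should be "oddzielone".
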
@@ -474,7 +487,13 @@
 \&    openssl ecparam \-list_curves
 .Ve
 .Sp
-domyślnie: prime256v1
+domyślnie:
+.Sp
+.Vb 1
+\&    X25519:P\-256:X448:P\-521:P\-384 (począwszy od OpenSSL 1.1.1)
+\&
+\&    prime256v1 (OpenSSL starszy niż 1.1.1)
+.Ve
 .IP "\fBlogId\fR = \s-1TYP\s0" 4
 .IX Item "logId = TYP"
 typ identyfikatora połączenia klienta
@@ -785,7 +804,9 @@
 \&    TOŻSAMOŚĆ:KLUCZ
 .Ve
 .Sp
-Klucz musi być mieć przynajmniej 20 znaków.
+Szesnastkowe klucze są automatycznie konwertowane do postaci binarnej.
+Klucz musi być mieć przynajmniej 16 bajtów, co w przypadku kluczy
+szesnastkowych przekłada się na przynajmniej 32 znaki.
 Należy ograniczyć dostęp do czytania lub pisania do tego pliku.
 .IP "\fBpty\fR = yes | no (tylko Unix)" 4
 .IX Item "pty = yes | no (tylko Unix)"
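
Review bot: The rewritten key-length sentence keeps the doubled verb from the old text: "Klucz musi być mieć przynajmniej 16 bajtów" should read "Klucz musi mieć przynajmniej 16 bajtów".
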
@@ -983,6 +1004,32 @@
 Zbyt mały stos może powodować problemy ze stabilnością aplikacji.
 .Sp
 domyślnie: 65536 bytes (wystarczający dla testowanych platform)
+.IP "\fBticketKeySecret\fR = \s-1SECRET\s0" 4
+.IX Item "ticketKeySecret = SECRET"
+szesnastkowy klucz symetryczny używany przez serwer do obsługi biletów sesji
+.Sp
+Bilety sesji zdefiniowane w \s-1RFC 5077\s0 zapewniają ulepszoną możliwość wznawiania sesji, w której implementacja serwera nie jest wymagana do utrzymania stanu sesji.
+.Sp
+Połączenie opcji \fIticketKeySecret\fR i \fIticketMacSecret\fR umożliwia wznawianie sesji na klastrze serwerów, wznowienie sesji po restarcie serwera.
+.Sp
+Klucz musi mieć rozmiar 16 lub 32 bajtów, co oznacza dokładnie 16 lub 32 dwuznakowych hexów rozdzielonych dwukropkami.
+.Sp
+Opcja działa wyłącznie w trybie serwera.
+.Sp
+Opcja \fIticketKeySecret\fR jest dostępna począwszy od \fBOpenSSL 1.0.0\fR.
+.Sp
+Wyłączenie opcji \fI\s-1NO_TICKET\s0\fR jest wymagane dla obsługi biletów sesji w OpenSSL-u starszym niż 1.1.1, ale ta opcja jest niekompatybilna z opcją \fIredirect\fR.
+.IP "\fBticketMacSecret\fR = \s-1SECRET\s0" 4
+.IX Item "ticketMacSecret = SECRET"
+szesnastkowy klucz symetryczny używany przez serwer do uwierzytelnienia i ochrony integralności biletów sesji
+.Sp
+Bilet sesji jest chroniony przy użyciu silnego algorytmu ochrony integralności, takiego jak \s-1HMAC\-SHA\-256.\s0
+.Sp
+Klucz musi mieć rozmiar 16 lub 32 bajtów, co oznacza dokładnie 16 lub 32 dwuznakowych hexów rozdzielonych dwukropkami.
+.Sp
+Opcja działa wyłącznie w trybie serwera.
+.Sp
+Opcja \fIticketMacSecret\fR jest dostępna począwszy od \fBOpenSSL 1.0.0\fR.
 .IP "\fBTIMEOUTbusy\fR = \s-1LICZBA_SEKUND\s0" 4
 .IX Item "TIMEOUTbusy = LICZBA_SEKUND"
 czas oczekiwania na spodziewane dane
@@ -1180,6 +1227,9 @@
 .IX Item "SIGUSR1"
 Zamknij i otwórz ponownie log.
 Funkcja ta może zostać użyta w skrypcie rotującym log programu \fBstunnel\fR.
+.IP "\s-1SIGUSR2\s0" 4
+.IX Item "SIGUSR2"
+Zapisz w logu listę aktywnych połączeń.
 .IP "\s-1SIGTERM, SIGQUIT, SIGINT\s0" 4
 .IX Item "SIGTERM, SIGQUIT, SIGINT"
 Zakończ działanie programu.
diff -Nru stunnel4-5.50/doc/stunnel.pl.html.in stunnel4-5.54~b3/doc/stunnel.pl.html.in
--- stunnel4-5.50/doc/stunnel.pl.html.in	2018-12-03 00:47:21.000000000 +0200
+++ stunnel4-5.54~b3/doc/stunnel.pl.html.in	2019-04-30 17:04:20.000000000 +0300
@@ -490,11 +490,25 @@
 <dt id="ciphers-LISTA_SZYFRW"><b>ciphers</b> = LISTA_SZYFR&Oacute;W</dt>
 <dd>
 
-<p>lista dozwolonych szyfr&oacute;w TLS</p>
+<p>lista dozwolonych szyfr&oacute;w dla protoko&#x142;&oacute;w SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2</p>
+
+<p>Ta opcja nie wp&#x142;ywa na list&#x119; parametr&oacute;w kryptograficznych dla protoko&#x142;u TLSv1.3</p>
 
 <p>Parametrem tej opcji jest lista szyfr&oacute;w, kt&oacute;re b&#x119;d&#x105; u&#x17C;yte przy otwieraniu nowych po&#x142;&#x105;cze&#x144; TLS, np.: DES-CBC3-SHA:IDEA-CBC-MD5</p>
 
 </dd>
+<dt id="ciphersuites-LISTA_PARAMETRW_KRYPTOGRAFICZNYCH"><b>ciphersuites</b> = LISTA_PARAMETR&Oacute;W_KRYPTOGRAFICZNYCH</dt>
+<dd>
+
+<p>lista dozwolonych parametr&oacute;w kryptograficznych dla protoko&#x142;u TLSv1.3</p>
+
+<p>Parametrem tej opcji s&#x105; listy parametr&oacute;w kryptograficznych w kolejno&#x15B;ci ich preferowania.</p>
+
+<p>Opcja <i>ciphersuites</i> jest dost&#x119;pna pocz&#x105;wszy od <b>OpenSSL 1.1.1</b>.</p>
+
+<p>domy&#x15B;lnie: TLS_CHACHA20_POLY1305_SHA256: TLS_AES_256_GCM_SHA384: TLS_AES_128_GCM_SHA256</p>
+
+</dd>
 <dt id="client-yes-no"><b>client</b> = yes | no</dt>
 <dd>
 
@@ -545,16 +559,22 @@
 <p>Opcja pozwala okre&#x15B;li&#x107; po&#x142;o&#x17C;enie pliku zawieraj&#x105;cego listy CRL u&#x17C;ywane przez opcje <i>verifyChain</i> i <i>verifyPeer</i>.</p>
 
 </dd>
-<dt id="curve-NID"><b>curve</b> = NID</dt>
+<dt id="curves-lista"><b>curves</b> = lista</dt>
 <dd>
 
-<p>krzywa dla ECDH</p>
+<p>krzywe ECDH odddzielone &#39;:&#39;</p>
+
+<p>Wersje OpenSSL starsze ni&#x17C; 1.1.0 pozwalaj&#x105; na u&#x17C;ycie tylko jednej krzywej.</p>
 
 <p>List&#x119; dost&#x119;pnych krzywych mo&#x17C;na uzyska&#x107; poleceniem:</p>
 
 <pre><code>    openssl ecparam -list_curves</code></pre>
 
-<p>domy&#x15B;lnie: prime256v1</p>
+<p>domy&#x15B;lnie:</p>
+
+<pre><code>    X25519:P-256:X448:P-521:P-384 (pocz&#x105;wszy od OpenSSL 1.1.1)
+
+    prime256v1 (OpenSSL starszy ni&#x17C; 1.1.1)</code></pre>
 
 </dd>
 <dt id="logId-TYP"><b>logId</b> = TYP</dt>
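Review bot: typo in the added description line, "odddzielone" has three d's and should read "oddzielone". The same spelling appears in the stunnel.pl.pod.in hunk for this option, so correct it in both files.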
@@ -927,7 +947,7 @@
 
 <pre><code>    TO&#x17B;SAMO&#x15A;&#x106;:KLUCZ</code></pre>
 
-<p>Klucz musi by&#x107; mie&#x107; przynajmniej 20 znak&oacute;w. Nale&#x17C;y ograniczy&#x107; dost&#x119;p do czytania lub pisania do tego pliku.</p>
+<p>Szesnastkowe klucze s&#x105; automatycznie konwertowane do postaci binarnej. Klucz musi by&#x107; mie&#x107; przynajmniej 16 bajt&oacute;w, co w przypadku kluczy szesnastkowych przek&#x142;ada si&#x119; na przynajmniej 32 znaki. Nale&#x17C;y ograniczy&#x107; dost&#x119;p do czytania lub pisania do tego pliku.</p>
 
 </dd>
 <dt id="pty-yes-no-tylko-Unix"><b>pty</b> = yes | no (tylko Unix)</dt>
@@ -1147,6 +1167,38 @@
 <p>domy&#x15B;lnie: 65536 bytes (wystarczaj&#x105;cy dla testowanych platform)</p>
 
 </dd>
+<dt id="ticketKeySecret-SECRET"><b>ticketKeySecret</b> = SECRET</dt>
+<dd>
+
+<p>szesnastkowy klucz symetryczny u&#x17C;ywany przez serwer do obs&#x142;ugi bilet&oacute;w sesji</p>
+
+<p>Bilety sesji zdefiniowane w RFC 5077 zapewniaj&#x105; ulepszon&#x105; mo&#x17C;liwo&#x15B;&#x107; wznawiania sesji, w kt&oacute;rej implementacja serwera nie jest wymagana do utrzymania stanu sesji.</p>
+
+<p>Po&#x142;&#x105;czenie opcji <i>ticketKeySecret</i> i <i>ticketMacSecret</i> umo&#x17C;liwia wznawianie sesji na klastrze serwer&oacute;w, wznowienie sesji po restarcie serwera.</p>
+
+<p>Klucz musi mie&#x107; rozmiar 16 lub 32 bajt&oacute;w, co oznacza dok&#x142;adnie 16 lub 32 dwuznakowych hex&oacute;w rozdzielonych dwukropkami.</p>
+
+<p>Opcja dzia&#x142;a wy&#x142;&#x105;cznie w trybie serwera.</p>
+
+<p>Opcja <i>ticketKeySecret</i> jest dost&#x119;pna pocz&#x105;wszy od <b>OpenSSL 1.0.0</b>.</p>
+
+<p>Wy&#x142;&#x105;czenie opcji <i>NO_TICKET</i> jest wymagane dla obs&#x142;ugi bilet&oacute;w sesji w OpenSSL-u starszym ni&#x17C; 1.1.1, ale ta opcja jest niekompatybilna z opcj&#x105; <i>redirect</i>.</p>
+
+</dd>
+<dt id="ticketMacSecret-SECRET"><b>ticketMacSecret</b> = SECRET</dt>
+<dd>
+
+<p>szesnastkowy klucz symetryczny u&#x17C;ywany przez serwer do uwierzytelnienia i ochrony integralno&#x15B;ci bilet&oacute;w sesji</p>
+
+<p>Bilet sesji jest chroniony przy u&#x17C;yciu silnego algorytmu ochrony integralno&#x15B;ci, takiego jak HMAC-SHA-256.</p>
+
+<p>Klucz musi mie&#x107; rozmiar 16 lub 32 bajt&oacute;w, co oznacza dok&#x142;adnie 16 lub 32 dwuznakowych hex&oacute;w rozdzielonych dwukropkami.</p>
+
+<p>Opcja dzia&#x142;a wy&#x142;&#x105;cznie w trybie serwera.</p>
+
+<p>Opcja <i>ticketMacSecret</i> jest dost&#x119;pna pocz&#x105;wszy od <b>OpenSSL 1.0.0</b>.</p>
+
+</dd>
 <dt id="TIMEOUTbusy-LICZBA_SEKUND"><b>TIMEOUTbusy</b> = LICZBA_SEKUND</dt>
 <dd>
 
@@ -1409,6 +1461,12 @@
 <p>Zamknij i otw&oacute;rz ponownie log. Funkcja ta mo&#x17C;e zosta&#x107; u&#x17C;yta w skrypcie rotuj&#x105;cym log programu <b>stunnel</b>.</p>
 
 </dd>
+<dt id="SIGUSR2">SIGUSR2</dt>
+<dd>
+
+<p>Zapisz w logu list&#x119; aktywnych po&#x142;&#x105;cze&#x144;.</p>
+
+</dd>
 <dt id="SIGTERM-SIGQUIT-SIGINT">SIGTERM, SIGQUIT, SIGINT</dt>
 <dd>
 
diff -Nru stunnel4-5.50/doc/stunnel.pl.pod.in stunnel4-5.54~b3/doc/stunnel.pl.pod.in
--- stunnel4-5.50/doc/stunnel.pl.pod.in	2018-12-03 00:47:18.000000000 +0200
+++ stunnel4-5.54~b3/doc/stunnel.pl.pod.in	2019-04-30 17:03:21.000000000 +0300
@@ -434,11 +434,23 @@
 
 =item B<ciphers> = LISTA_SZYFRÓW
 
-lista dozwolonych szyfrów TLS
+lista dozwolonych szyfrów dla protokołów SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+
+Ta opcja nie wpływa na listę parametrów kryptograficznych dla protokołu TLSv1.3
 
 Parametrem tej opcji jest lista szyfrów, które będą użyte przy
 otwieraniu nowych połączeń TLS, np.:  DES-CBC3-SHA:IDEA-CBC-MD5
 
+=item B<ciphersuites> = LISTA_PARAMETRÓW_KRYPTOGRAFICZNYCH
+
+lista dozwolonych parametrów kryptograficznych dla protokołu TLSv1.3
+
+Parametrem tej opcji są listy parametrów kryptograficznych w kolejności ich preferowania.
+
+Opcja I<ciphersuites> jest dostępna począwszy od B<OpenSSL 1.1.1>.
+
+domyślnie: TLS_CHACHA20_POLY1305_SHA256: TLS_AES_256_GCM_SHA384: TLS_AES_128_GCM_SHA256
+
 =item B<client> = yes | no
 
 tryb kliencki (zdalna usługa używa TLS)
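Review bot: the default shown for ciphersuites in the added "domyślnie:" line has a space after each colon ("TLS_CHACHA20_POLY1305_SHA256: TLS_AES_256_GCM_SHA384: ..."), while the English stunnel.pod.in hunk gives the same default with no spaces. Someone copying the Polish line into a configuration file gets a different string from the documented default, so drop the spaces to make both translations show the identical colon-delimited value.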
@@ -491,15 +503,21 @@
 Opcja pozwala określić położenie pliku zawierającego listy CRL używane
 przez opcje I<verifyChain> i I<verifyPeer>.
 
-=item B<curve> = NID
+=item B<curves> = lista
+
+krzywe ECDH odddzielone ':'
 
-krzywa dla ECDH
+Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.
 
 Listę dostępnych krzywych można uzyskać poleceniem:
 
     openssl ecparam -list_curves
 
-domyślnie: prime256v1
+domyślnie:
+
+    X25519:P-256:X448:P-521:P-384 (począwszy od OpenSSL 1.1.1)
+
+    prime256v1 (OpenSSL starszy niż 1.1.1)
 
 =item B<logId> = TYP
 
@@ -838,7 +856,9 @@
 
     TOŻSAMOŚĆ:KLUCZ
 
-Klucz musi być mieć przynajmniej 20 znaków.
+Szesnastkowe klucze są automatycznie konwertowane do postaci binarnej.
+Klucz musi być mieć przynajmniej 16 bajtów, co w przypadku kluczy
+szesnastkowych przekłada się na przynajmniej 32 znaki.
 Należy ograniczyć dostęp do czytania lub pisania do tego pliku.
 
 =item B<pty> = yes | no (tylko Unix)
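Review bot: the added sentence "Klucz musi być mieć przynajmniej 16 bajtów" carries over the doubled verb "być mieć" from the line it replaces. Since the sentence is being rewritten anyway, make it "Klucz musi mieć przynajmniej 16 bajtów", here and in the .8 and .html variants of this hunk.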
@@ -1047,7 +1067,35 @@
 Zbyt duży stos zwiększa zużycie pamięci wirtualnej.
 Zbyt mały stos może powodować problemy ze stabilnością aplikacji.
 
-domyślnie: 65536 bytes (wystarczający dla testowanych platform) 
+domyślnie: 65536 bytes (wystarczający dla testowanych platform)
+
+=item B<ticketKeySecret> = SECRET
+
+szesnastkowy klucz symetryczny używany przez serwer do obsługi biletów sesji
+
+Bilety sesji zdefiniowane w RFC 5077 zapewniają ulepszoną możliwość wznawiania sesji, w której implementacja serwera nie jest wymagana do utrzymania stanu sesji.
+
+Połączenie opcji I<ticketKeySecret> i I<ticketMacSecret> umożliwia wznawianie sesji na klastrze serwerów, wznowienie sesji po restarcie serwera.
+
+Klucz musi mieć rozmiar 16 lub 32 bajtów, co oznacza dokładnie 16 lub 32 dwuznakowych hexów rozdzielonych dwukropkami.
+
+Opcja działa wyłącznie w trybie serwera.
+
+Opcja I<ticketKeySecret> jest dostępna począwszy od B<OpenSSL 1.0.0>.
+
+Wyłączenie opcji I<NO_TICKET> jest wymagane dla obsługi biletów sesji w OpenSSL-u starszym niż 1.1.1, ale ta opcja jest niekompatybilna z opcją I<redirect>.
+
+=item B<ticketMacSecret> = SECRET
+
+szesnastkowy klucz symetryczny używany przez serwer do uwierzytelnienia i ochrony integralności biletów sesji
+
+Bilet sesji jest chroniony przy użyciu silnego algorytmu ochrony integralności, takiego jak HMAC-SHA-256.
+
+Klucz musi mieć rozmiar 16 lub 32 bajtów, co oznacza dokładnie 16 lub 32 dwuznakowych hexów rozdzielonych dwukropkami.
+
+Opcja działa wyłącznie w trybie serwera.
+
+Opcja I<ticketMacSecret> jest dostępna począwszy od B<OpenSSL 1.0.0>.
 
 =item B<TIMEOUTbusy> = LICZBA_SEKUND
 
@@ -1284,6 +1332,10 @@
 Zamknij i otwórz ponownie log.
 Funkcja ta może zostać użyta w skrypcie rotującym log programu B<stunnel>.
 
+=item SIGUSR2
+
+Zapisz w logu listę aktywnych połączeń.
+
 =item SIGTERM, SIGQUIT, SIGINT
 
 Zakończ działanie programu.
diff -Nru stunnel4-5.50/doc/stunnel.pod.in stunnel4-5.54~b3/doc/stunnel.pod.in
--- stunnel4-5.50/doc/stunnel.pod.in	2018-12-03 00:47:18.000000000 +0200
+++ stunnel4-5.54~b3/doc/stunnel.pod.in	2019-04-30 17:03:21.000000000 +0300
@@ -427,11 +427,23 @@
 
 =item B<ciphers> = CIPHER_LIST
 
-Select permitted TLS ciphers
+select permitted TLS ciphers (TLSv1.2 and below)
+
+This option does not impact TLSv1.3 ciphersuites.
 
 A colon-delimited list of the ciphers to allow in the TLS connection,
 for example DES-CBC3-SHA:IDEA-CBC-MD5.
 
+=item B<ciphersuites> = CIPHERSUITES_LIST
+
+select permitted TLSv1.3 ciphersuites
+
+A colon-delimited list of TLSv1.3 ciphersuites names in order of perference.
+
+This option requires OpenSSL 1.1.1 or later.
+
+default: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
+
 =item B<client> = yes | no
 
 client mode (remote service uses TLS)
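Review bot: typo in the added ciphersuites description, "perference" should be "preference", and "ciphersuites names" reads better as "ciphersuite names". While this paragraph is being touched, the unchanged example for the ciphers option still shows "DES-CBC3-SHA:IDEA-CBC-MD5"; a current suite would be a better thing to show readers who copy examples, especially next to the new TLSv1.3 defaults.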
@@ -483,15 +495,21 @@
 This file contains multiple CRLs, used with the I<verifyChain> and
 I<verifyPeer> options.
 
-=item B<curve> = NID
+=item B<curves> = list
+
+ECDH curves separated with ':'
 
-specify ECDH curve name
+Only a single curve name is allowed for OpenSSL older than 1.1.0.
 
 To get a list of supported curves use:
 
     openssl ecparam -list_curves
 
-default: prime256v1
+default:
+
+    X25519:P-256:X448:P-521:P-384 (OpenSSL 1.1.1 or later)
+
+    prime256v1 (OpenSSL older than 1.1.1)
 
 =item B<logId> = TYPE
 
@@ -827,8 +845,10 @@
 
     IDENTITY:KEY
 
-The key is required to be at least 20 characters long.
-The file should not be world-readable nor world-writable.
+Hexadecimal keys are automatically converted to binary form.
+Keys are required to be at least 16 bytes long, which implies
+at least 32 characters for hexadecimal keys.
+The file should neither be world-readable nor world-writable.
 
 =item B<pty> = yes | no (Unix only)
 
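Review bot: "Hexadecimal keys are automatically converted to binary form" does not say how a key is recognised as hexadecimal, and that decides what happens to existing PSK files. A key written for the old "at least 20 characters" rule that happens to consist only of hex digits would, on this wording, be converted and become a different (and shorter) secret than the one the peer holds. Please document the detection rule, and say whether both ends need the new version for such keys to keep matching.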
@@ -1034,7 +1054,35 @@
 Excessive thread stack size increases virtual memory usage.
 Insufficient thread stack size may cause application crashes.
 
-default: 65536 bytes (sufficient for all platforms we tested) 
+default: 65536 bytes (sufficient for all platforms we tested)
+
+=item B<ticketKeySecret> = SECRET
+
+hexadecimal symmetric key used by the server for handling session tickets
+
+Session tickets, defined in RFC 5077 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state.
+
+Combining options I<ticketKeySecret> and I<ticketMacSecret> allows to resume the session on the server cluster, resume the session after server restart.
+
+The key is required to be 16 or 32 bytes long, which implies exactly 16 or 32 two-character hex "bytes" separated by colons.
+
+This option only works in server mode.
+
+The I<ticketKeySecret> option is only available when compiled with B<OpenSSL 1.0.0> and later.
+
+Disabling I<NO_TICKET> option is required for the ticket support in OpenSSL older than 1.1.1, but note that this option is incompatible with the I<redirect> option.
+
+=item B<ticketMacSecret> = SECRET
+
+hexadecimal symmetric key used by the server to authenticate and protect the integrity of session tickets
+
+Session ticket is protected using a strong integrity protection algorithm such as a keyed HMAC-SHA-256.
+
+The key is required to be 16 or 32 bytes long, which implies exactly 16 or 32 two-character hex "bytes" separated by colons.
+
+This option only works in server mode.
+
+The I<ticketMacSecret> option is only available when compiled with B<OpenSSL 1.0.0> and later.
 
 =item B<TIMEOUTbusy> = SECONDS
 
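Review bot: the new ticketKeySecret and ticketMacSecret entries put long-lived symmetric secrets into the configuration file but, unlike the PSKsecrets text in the previous hunk ("The file should neither be world-readable nor world-writable"), say nothing about restricting access to that file. Anyone who reads ticketKeySecret can decrypt the session tickets the server issues, so the entry should carry the same permission warning and mention that sharing the key across a cluster means it has to be changed on every node together. Two wording points in the same hunk: "allows to resume the session on the server cluster, resume the session after server restart" is missing a conjunction, and "Disabling NO_TICKET option is required" leaves unclear which option the following "this option is incompatible with redirect" refers to.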
@@ -1273,6 +1321,10 @@
 Close and reopen the B<stunnel> log file.
 This function can be used for log rotation.
 
+=item SIGUSR2
+
+Log the list of active connections.
+
 =item SIGTERM, SIGQUIT, SIGINT
 
 Shut B<stunnel> down.
diff -Nru stunnel4-5.50/INSTALL.W32 stunnel4-5.54~b3/INSTALL.W32
--- stunnel4-5.50/INSTALL.W32	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/INSTALL.W32	2019-03-26 17:16:45.000000000 +0200
@@ -1,28 +1,20 @@
 stunnel Windows install notes
 
 
-Cross-compiling stunnel from source with MinGW (optional):
+Cross-compiling 64-bit stunnel from source with MinGW (optional):
 
- 1) Install the mingw32 cross-compiler on a Unix/Linux machine.
+ 1) Install the mingw64 cross-compiler on a Unix/Linux machine.
     On Debian (and derivatives, including Ubuntu):
-      sudo apt-get install gcc-mingw-w64-i686
+      sudo apt install gcc-mingw-w64-x86-64
     On Arch Linux:
-      sudo pacman -S mingw-w64-gcc
+      aurman -S mingw-w64-gcc-bin
 
  2) Download the recent OpenSSL and unpack it:
       tar zvxf ~/openssl-(version).tar.gz
-      mv openssl-(version) openssl-(version)-i686
-      cd openssl-(version)-i686/
+      mv openssl-(version) openssl-(version)-mingw64
+      cd openssl-(version)-mingw64/
 
  3) Build and install OpenSSL.
-    For 32-bit Windows:
-      ./Configure \
-        --cross-compile-prefix=i686-w64-mingw32- \
-        --prefix=/opt/openssl-mingw mingw shared
-      make
-      sudo make install
-      sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
-    For 64-bit Windows:
       ./Configure \
         --cross-compile-prefix=x86_64-w64-mingw32- \
         --prefix=/opt/openssl-mingw64 mingw64 shared
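Review bot: the Arch Linux instruction changes from "sudo pacman -S mingw-w64-gcc" to "aurman -S mingw-w64-gcc-bin", which moves the cross-compiler for a TLS proxy from the distribution repository to a prebuilt binary package from the user-maintained AUR, installed through a third-party helper. That is a weaker trust base for the toolchain that produces the release binaries. If the repository package is no longer available, say so in the notes and tell the reader to review the PKGBUILD; otherwise keep the pacman line.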
@@ -36,12 +28,43 @@
       cd stunnel-(version)
       ./configure
 
- 6) Build Windows 32-bit and/or 64-bit executables.
+ 6) Build 64-bit Windows executables.
       cd src
-      make mingw
       make mingw64
 
 
+Cross-compiling 32-bit stunnel from source with MinGW (optional):
+
+ 1) Install the mingw64 cross-compiler on a Unix/Linux machine.
+    On Debian (and derivatives, including Ubuntu):
+      sudo apt install gcc-mingw-w64-i686
+    On Arch Linux:
+      aurman -S mingw-w64-gcc-bin
+
+ 2) Download the recent OpenSSL and unpack it:
+      tar zvxf ~/openssl-(version).tar.gz
+      mv openssl-(version) openssl-(version)-mingw
+      cd openssl-(version)-mingw/
+
+ 3) Build and install OpenSSL.
+      ./Configure \
+        --cross-compile-prefix=i686-w64-mingw32- \
+        --prefix=/opt/openssl-mingw mingw shared
+      make
+      sudo make install
+      sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
+
+ 4) Download and unpack stunnel-(version).tar.gz.
+
+ 5) Configure stunnel.
+      cd stunnel-(version)
+      ./configure
+
+ 6) Build 32-bit Windows executables.
+      cd src
+      make mingw
+
+
 Building stunnel from source with MinGW (optional):
 
  Building stunnel with MinGW on a Windows machine is possible,
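Review bot: step 1 of the new 32-bit section still reads "Install the mingw64 cross-compiler" although the package it then installs is gcc-mingw-w64-i686 and the later steps use the i686-w64-mingw32- prefix and the mingw target. It looks copied from the 64-bit section; reword the step so the text matches the 32-bit toolchain being installed. Steps 4 and 5 are also identical in both sections and could be referenced rather than duplicated.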
diff -Nru stunnel4-5.50/Makefile.am stunnel4-5.54~b3/Makefile.am
--- stunnel4-5.50/Makefile.am	2018-12-03 00:55:32.000000000 +0200
+++ stunnel4-5.54~b3/Makefile.am	2019-04-04 23:32:03.000000000 +0300
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -33,10 +33,12 @@
 		-DOPENSSL_DIR=/opt/openssl-mingw64 \
 		$(srcdir)/tools/stunnel.nsi
 	-$(srcdir)/sign/sign.sh $(distdir)-win64-installer.exe
+	-$(srcdir)/sign/verify.sh bin/win64/*.exe $(distdir)-win64-installer.exe
 
 sign:
 	cp -f $(distdir).tar.gz $(distdir)-win64-installer.exe $(distdir)-android.zip ../dist
-	gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win64-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
+	-gpg-agent --daemon
+	/bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win64-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
 	sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
 	sha256sum $(distdir)-win64-installer.exe >../dist/$(distdir)-win64-installer.exe.sha256
 	sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
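Review bot: the added "-$(srcdir)/sign/verify.sh ..." line starts with "-", so make ignores its exit status and a failed signature verification of the Windows executables and installer does not stop the build. A verification step only has value if it can fail the target; drop the leading "-" here, or state why a failure is acceptable. In the sign target, gpg-agent is now started on its own line with errors ignored and the gpg commands run in a separate "/bin/sh -c", chained with ";", so a gpg failure on one artifact still lets the recipe go on to write the sha256 files. Chaining with "&&" would make the recipe fail as soon as a signature cannot be produced.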
@@ -57,3 +59,5 @@
 	@echo "*********************************************************"
 	@echo "* Type 'make cert' to also install a sample certificate *"
 	@echo "*********************************************************"
+
+.PHONY: sign cert mingw mingw64 test
diff -Nru stunnel4-5.50/Makefile.in stunnel4-5.54~b3/Makefile.in
--- stunnel4-5.50/Makefile.in	2018-12-03 00:55:36.000000000 +0200
+++ stunnel4-5.54~b3/Makefile.in	2019-04-30 17:03:37.000000000 +0300
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
@@ -882,10 +882,12 @@
 		-DOPENSSL_DIR=/opt/openssl-mingw64 \
 		$(srcdir)/tools/stunnel.nsi
 	-$(srcdir)/sign/sign.sh $(distdir)-win64-installer.exe
+	-$(srcdir)/sign/verify.sh bin/win64/*.exe $(distdir)-win64-installer.exe
 
 sign:
 	cp -f $(distdir).tar.gz $(distdir)-win64-installer.exe $(distdir)-android.zip ../dist
-	gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win64-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
+	-gpg-agent --daemon
+	/bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win64-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip"
 	sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256
 	sha256sum $(distdir)-win64-installer.exe >../dist/$(distdir)-win64-installer.exe.sha256
 	sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256
@@ -907,6 +909,8 @@
 	@echo "* Type 'make cert' to also install a sample certificate *"
 	@echo "*********************************************************"
 
+.PHONY: sign cert mingw mingw64 test
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff -Nru stunnel4-5.50/src/client.c stunnel4-5.54~b3/src/client.c
--- stunnel4-5.50/src/client.c	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/src/client.c	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -94,12 +94,16 @@
 #else
 void *
 #endif
-client_thread(void *arg) {
+        client_thread(void *arg) {
     CLI *c=arg;
 #ifdef DEBUG_STACK_SIZE
     size_t stack_size=c->opt->stack_size;
 #endif
 
+    /* make sure c->thread_* values are initialized */
+    CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
+
     /* initialize */
     c->tls=NULL; /* do not reuse */
     tls_alloc(c, NULL, NULL);
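Review bot: the empty CRYPTO_THREAD_read_lock/CRYPTO_THREAD_unlock pair added at the top of client_thread only works as a barrier if the code that creates the thread holds the LOCK_THREAD_LIST write lock from before thread creation until c->thread_id and the list pointers are set. The comment "make sure c->thread_* values are initialized" should name that creator and state the requirement, because nothing in this function enforces it. Separately, the re-indentation of the "client_thread(void *arg) {" line by eight spaces looks accidental and adds noise to the diff.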
@@ -110,7 +114,24 @@
     /* execute */
     client_main(c);
 
-    /* cleanup */
+    /* cleanup the thread */
+#ifndef USE_FORK
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    if(thread_head==c)
+        thread_head=c->thread_next;
+    if(c->thread_prev)
+        c->thread_prev->thread_next=c->thread_next;
+    if(c->thread_next)
+        c->thread_next->thread_prev=c->thread_prev;
+#ifdef USE_PTHREAD
+    pthread_detach(c->thread_id);
+#endif
+#ifdef USE_WIN32
+    CloseHandle(c->thread_id);
+#endif
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
+#endif /* !USE_FORK */
+    client_free(c);
 #ifdef DEBUG_STACK_SIZE
     stack_info(stack_size, 0); /* display computed value */
 #endif
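Review bot: in the new cleanup block c is unlinked from the list under the LOCK_THREAD_LIST write lock and then released by client_free(c) immediately after the unlock. That is safe only if every reader of thread_head keeps the read lock for its whole traversal and never retains a CLI pointer after unlocking; please add a comment next to the thread_head declaration or here stating that rule, since the new SIGUSR2 connection listing presumably walks this list. It would also help to note why pthread_detach and CloseHandle on c->thread_id need to be inside the locked region.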
@@ -118,7 +139,7 @@
     tls_cleanup();
     /* s_log() is not allowed after tls_cleanup() */
 
-    /* terminate */
+    /* terminate the thread */
 #if defined(USE_WIN32) || defined(USE_OS2)
 #if !defined(_WIN32_WCE)
     _endthreadex(0);
@@ -148,6 +169,9 @@
     } else {
         client_run(c);
     }
+}
+
+void client_free(CLI *c) {
 #ifndef USE_FORK
     service_free(c->opt);
 #endif
@@ -180,7 +204,7 @@
             s_log(LOG_INFO, "Retrying an exec+connect section");
             /* c and id are detached, so it is safe to call str_stats() */
             str_stats(); /* client thread allocation tracking */
-            sleep(1); /* FIXME: not a good idea in ucontext threading */
+            s_poll_sleep(1, 0);
             c->rr++;
         }
 
@@ -461,7 +485,9 @@
 
 NOEXPORT void ssl_start(CLI *c) {
     int i, err;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     int unsafe_openssl;
+#endif /* OpenSSL version < 1.1.0 */
 
     c->ssl=SSL_new(c->opt->ctx);
     if(!c->ssl) {
@@ -507,31 +533,37 @@
     else
         s_log(LOG_INFO, "Peer certificate not required");
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     unsafe_openssl=OpenSSL_version_num()<0x0090810fL ||
         (OpenSSL_version_num()>=0x10000000L &&
         OpenSSL_version_num()<0x1000002fL);
+#endif /* OpenSSL version < 1.1.0 */
     while(1) {
         /* critical section for OpenSSL version < 0.9.8p or 1.x.x < 1.0.0b *
          * this critical section is a crude workaround for CVE-2010-3864   *
          * see http://www.securityfocus.com/bid/44884 for details          *
          * alternative solution is to disable internal session caching     *
          * NOTE: this critical section also covers callbacks (e.g. OCSP)   */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         if(unsafe_openssl)
             CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_SSL]);
+#endif /* OpenSSL version < 1.1.0 */
 
         if(c->opt->option.client)
             i=SSL_connect(c->ssl);
         else
             i=SSL_accept(c->ssl);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         if(unsafe_openssl)
             CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SSL]);
+#endif /* OpenSSL version < 1.1.0 */
 
         err=SSL_get_error(c->ssl, i);
         if(err==SSL_ERROR_NONE)
             break; /* ok -> done */
         if(err==SSL_ERROR_WANT_READ || err==SSL_ERROR_WANT_WRITE) {
-            s_poll_init(c->fds);
+            s_poll_init(c->fds, 0);
             s_poll_add(c->fds, c->ssl_rfd->fd,
                 err==SSL_ERROR_WANT_READ,
                 err==SSL_ERROR_WANT_WRITE);
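Review bot: the comment block describing the CVE-2010-3864 critical section stays outside the new "#if OPENSSL_VERSION_NUMBER < 0x10100000L" guards, so in builds against OpenSSL 1.1.0 or later it describes locking that is no longer compiled in. Move the comment inside the first guarded block in the loop, or merge the three small #if regions around the lock, the handshake call and the unlock into a clearer structure. The new second argument in "s_poll_init(c->fds, 0)" is also unexplained at this call site; a short comment on what 0 selects would help.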
@@ -623,6 +655,11 @@
 
 /****************************** transfer data */
 NOEXPORT void transfer(CLI *c) {
+    int timeout; /* s_poll_wait timeout in seconds */
+    int pending; /* either processed on unprocessed TLS data */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    int has_pending=0, prev_has_pending;
+#endif
     int watchdog=0; /* a counter to detect an infinite loop */
     ssize_t num;
     int err;
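Review bot: typo in the new declaration comment, "either processed on unprocessed TLS data" should read "either processed or unprocessed TLS data". The variable is later used as a boolean ("pending || (has_pending && !prev_has_pending)"), so the comment could also say that it is a flag rather than a byte count.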
@@ -650,7 +687,7 @@
             && c->sock_ptr && !write_wants_read;
 
         /****************************** setup c->fds structure */
-        s_poll_init(c->fds); /* initialize the structure */
+        s_poll_init(c->fds, 0); /* initialize the structure */
         /* for plain socket open data strem = open file descriptor */
         /* make sure to add each open socket to receive exceptions! */
         if(sock_open_rd) /* only poll if the read file descriptor is open */
@@ -667,17 +704,31 @@
         }
 
         /****************************** wait for an event */
-        err=s_poll_wait(c->fds,
-            (sock_open_rd && /* both peers open */
+        pending=SSL_pending(c->ssl);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+        /* only attempt to process SSL_has_pending() data once */
+        prev_has_pending=has_pending;
+        has_pending=SSL_has_pending(c->ssl);
+        pending=pending || (has_pending && !prev_has_pending);
+#endif
+        if(read_wants_read && pending) {
+            timeout=0; /* process any buffered data without delay */
+        } else if((sock_open_rd && /* both peers open */
                 !(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)) ||
-            c->ssl_ptr /* data buffered to write to socket */ ||
-            c->sock_ptr /* data buffered to write to TLS */ ?
-            c->opt->timeout_idle : c->opt->timeout_close, 0);
+                c->ssl_ptr /* data buffered to write to socket */ ||
+                c->sock_ptr /* data buffered to write to TLS */) {
+            timeout=c->opt->timeout_idle;
+        } else {
+            timeout=c->opt->timeout_close;
+        }
+        err=s_poll_wait(c->fds, timeout, 0);
         switch(err) {
         case -1:
             sockerror("transfer: s_poll_wait");
             throw_exception(c, 1);
         case 0: /* timeout */
+            if(read_wants_read && pending)
+                break;
             if((sock_open_rd &&
                     !(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)) ||
                     c->ssl_ptr || c->sock_ptr) {
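Review bot: the comment "only attempt to process SSL_has_pending() data once" says what the rising-edge test "has_pending && !prev_has_pending" does but not why, and the reason matters because this branch sets the poll timeout to 0 and then breaks out of the timeout case. Please document that the edge test is what keeps the loop from spinning with a zero timeout when SSL_has_pending() stays true without yielding application data, and note that on OpenSSL older than 1.1.0 the only bound on that situation is the existing watchdog counter.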
@@ -685,12 +736,12 @@
                     " TIMEOUTidle exceeded: sending reset");
                 s_poll_dump(c->fds, LOG_DEBUG);
                 throw_exception(c, 1);
-            } else { /* already closing connection */
-                s_log(LOG_ERR, "transfer: s_poll_wait:"
-                    " TIMEOUTclose exceeded: closing");
-                s_poll_dump(c->fds, LOG_DEBUG);
-                return; /* OK */
             }
+            /* already closing connection */
+            s_log(LOG_ERR, "transfer: s_poll_wait:"
+                " TIMEOUTclose exceeded: closing");
+            s_poll_dump(c->fds, LOG_DEBUG);
+            return; /* OK */
         }
 
         /****************************** retrieve results from c->fds */
@@ -920,7 +971,7 @@
         }
 
         /****************************** read from TLS */
-        if((read_wants_read && (ssl_can_rd || SSL_pending(c->ssl))) ||
+        if((read_wants_read && (ssl_can_rd || pending)) ||
                 /* it may be possible to read some pending data after
                  * writesocket() above made some room in c->ssl_buff */
                 (read_wants_write && ssl_can_wr)) {
@@ -1058,8 +1109,14 @@
             s_log(LOG_ERR,
                 "please report the problem to Michal.Trojnara@stunnel.org");
             stunnel_info(LOG_ERR);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+            s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d",
+                SSL_get_version(c->ssl),
+                SSL_pending(c->ssl), SSL_has_pending(c->ssl));
+#else
             s_log(LOG_ERR, "protocol=%s, SSL_pending=%d",
                 SSL_get_version(c->ssl), SSL_pending(c->ssl));
+#endif
             s_log(LOG_ERR, "sock_open_rd=%s, sock_open_wr=%s",
                 sock_open_rd ? "Y" : "n", sock_open_wr ? "Y" : "n");
             s_log(LOG_ERR, "SSL_RECEIVED_SHUTDOWN=%s, SSL_SENT_SHUTDOWN=%s",
@@ -1111,7 +1168,7 @@
         return 1;
     case S_EWOULDBLOCK:
         s_log(LOG_NOTICE, "%s: Would block: retrying", text);
-        sleep(1); /* Microsoft bug KB177346 */
+        s_poll_sleep(1, 0); /* Microsoft bug KB177346 */
         return 1;
 #if S_EAGAIN!=S_EWOULDBLOCK
     case S_EAGAIN:
@@ -1197,7 +1254,7 @@
     }
     *system++='\0';
     if(strcmp(type, " USERID ")) {
-        s_log(LOG_ERR, "Incorrect INETD response type");
+        s_log(LOG_ERR, "Incorrect IDENT response type");
         str_free(line);
         throw_exception(c, 1);
     }
@@ -1306,6 +1363,7 @@
         signal(SIGCHLD, SIG_DFL);
         signal(SIGHUP, SIG_DFL);
         signal(SIGUSR1, SIG_DFL);
+        signal(SIGUSR2, SIG_DFL);
         signal(SIGPIPE, SIG_DFL);
         signal(SIGTERM, SIG_DFL);
         signal(SIGQUIT, SIG_DFL);
@@ -1430,6 +1488,7 @@
     SOCKADDR_UNION *old_addr, *new_addr;
     socklen_t len;
     char *addr_txt;
+    int ok;
 
     /* make a copy of the address, so it may work with delayed resolver */
     len=addr_len(cur_addr);
@@ -1442,12 +1501,12 @@
 
     CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]);
     old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address);
-    if(SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr)) {
-        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
+    ok=SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr);
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
+    if(ok) {
         str_free(old_addr); /* NULL pointers are ignored */
     } else { /* failed to store new_addr -> remove it */
         sslerror("SSL_SESSION_set_ex_data");
-        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
         str_free(new_addr); /* NULL pointers are ignored */
     }
 }
diff -Nru stunnel4-5.50/src/common.h stunnel4-5.54~b3/src/common.h
--- stunnel4-5.50/src/common.h	2018-11-06 19:42:50.000000000 +0200
+++ stunnel4-5.54~b3/src/common.h	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -451,8 +451,13 @@
 #endif /* !defined(OPENSSL_NO_SSL2) */
 #else /* OpenSSL older than 1.1.0 */
 #define X509_STORE_CTX_get0_chain(x) X509_STORE_CTX_get_chain(x)
+#define OPENSSL_hexstr2buf string_to_hex
 #endif /* OpenSSL 1.1.0 or newer */
 
+#if OPENSSL_VERSION_NUMBER<0x10101000L
+#define OPENSSL_NO_TLS1_3
+#endif /* OpenSSL older than 1.1.1 */
+
 #if defined(USE_WIN32) && defined(OPENSSL_FIPS)
 #define USE_FIPS
 #endif
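Review bot: the new block defines OPENSSL_NO_TLS1_3, a name in OpenSSL's own macro namespace, without checking whether it is already defined, so a library or compiler flag that sets it produces a redefinition. Wrap it in "#ifndef OPENSSL_NO_TLS1_3" or use a stunnel-private macro for the feature test. The "#define OPENSSL_hexstr2buf string_to_hex" fallback just above deserves a one-line comment confirming that both functions have the same signature and that the returned buffer is released the same way on both paths.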
diff -Nru stunnel4-5.50/src/cron.c stunnel4-5.54~b3/src/cron.c
--- stunnel4-5.50/src/cron.c	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/src/cron.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -38,22 +38,35 @@
 #include "common.h"
 #include "prototypes.h"
 
+#ifdef USE_OS_THREADS
+THREAD_ID cron_thread_id=(THREAD_ID)0;
+#endif
+
 #ifdef USE_PTHREAD
 NOEXPORT void *cron_thread(void *arg);
 #endif
+
 #ifdef USE_WIN32
 NOEXPORT unsigned __stdcall cron_thread(void *arg);
 #endif
+
 #ifdef USE_OS_THREADS
 NOEXPORT void cron_worker(void);
+#ifndef OPENSSL_NO_DH
+#if OPENSSL_VERSION_NUMBER>=0x0090800fL
+NOEXPORT void cron_dh_param(BN_GENCB *);
+NOEXPORT BN_GENCB *cron_bn_gencb(void);
+NOEXPORT int bn_callback(int, int, BN_GENCB *);
+#else /* OpenSSL older than 0.9.8 */
 NOEXPORT void cron_dh_param(void);
-#endif
+NOEXPORT void dh_callback(int, int, void *);
+#endif /* OpenSSL 0.9.8 or later */
+#endif /* OPENSSL_NO_DH */
+#endif /* USE_OS_THREADS */
 
 #if defined(USE_PTHREAD)
 
 int cron_init() {
-    pthread_t thread;
-    pthread_attr_t pth_attr;
 #if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
     sigset_t new_set, old_set;
 #endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
@@ -62,11 +75,10 @@
     sigfillset(&new_set);
     pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
 #endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
-    pthread_attr_init(&pth_attr);
-    pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
-    if(pthread_create(&thread, &pth_attr, cron_thread, NULL))
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    if(pthread_create(&cron_thread_id, NULL, cron_thread, NULL))
         ioerror("pthread_create");
-    pthread_attr_destroy(&pth_attr);
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
 #if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
     pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
 #endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
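Review bot: pthread_create() is now called with NULL attributes, so the cron thread is joinable instead of detached, and nothing in this hunk joins it. Please confirm that the shutdown path calls pthread_join() on cron_thread_id, otherwise the thread's resources are never reclaimed. On the failure branch the contents of cron_thread_id are undefined after pthread_create() returns an error; resetting it to (THREAD_ID)0 next to ioerror("pthread_create") would let later code tell "never started" from "running".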
@@ -92,19 +104,19 @@
 #elif defined(USE_WIN32)
 
 int cron_init() {
-    HANDLE handle;
-
-    handle=(HANDLE)_beginthreadex(NULL, 0, cron_thread, NULL, 0, NULL);
-    if(!handle) {
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    cron_thread_id=(HANDLE)_beginthreadex(NULL, 0, cron_thread, NULL, 0, NULL);
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
+    if(!cron_thread_id) {
         ioerror("_beginthreadex");
         return 1;
     }
-    CloseHandle(handle);
     return 0;
 }
 
 NOEXPORT unsigned __stdcall cron_thread(void *arg) {
     (void)arg; /* squash the unused parameter warning */
+
     tls_alloc(NULL, NULL, "cron");
     if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST))
         ioerror("SetThreadPriority");
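Review bot: with CloseHandle(handle) removed from the Win32 cron_init(), the handle returned by _beginthreadex() is kept in cron_thread_id and is not closed anywhere in this hunk. Whoever waits on the thread at shutdown should also close the handle, and a short comment at the assignment saying who owns it would help.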
@@ -130,14 +142,23 @@
 NOEXPORT void cron_worker(void) {
     time_t now, then;
     int delay;
+#if !defined(OPENSSL_NO_DH) && OPENSSL_VERSION_NUMBER>=0x0090800fL
+    BN_GENCB *bn_gencb;
+#endif
 
     s_log(LOG_DEBUG, "Cron thread initialized");
-    sleep(60); /* allow the other services to start with idle CPU */
+#if !defined(OPENSSL_NO_DH) && OPENSSL_VERSION_NUMBER>=0x0090800fL
+    bn_gencb=cron_bn_gencb();
+#endif
     time(&then);
     for(;;) {
         s_log(LOG_INFO, "Executing cron jobs");
 #ifndef OPENSSL_NO_DH
+#if OPENSSL_VERSION_NUMBER>=0x0090800fL
+        cron_dh_param(bn_gencb);
+#else /* OpenSSL older than 0.9.8 */
         cron_dh_param();
+#endif /* OpenSSL 0.9.8 or later */
 #endif /* OPENSSL_NO_DH */
         time(&now);
         s_log(LOG_INFO, "Cron jobs completed in %d seconds", (int)(now-then));
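Review bot: cron_worker() passes the result of cron_bn_gencb() to cron_dh_param(bn_gencb) without checking it, and cron_bn_gencb() returns NULL when BN_GENCB_new() fails. DH_generate_parameters_ex() accepts a NULL callback, so in that case generation would run without the per-callback sleep, and with sleep(60) removed it starts as soon as the thread does. Either log that throttling is disabled or skip the job when bn_gencb is NULL.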
@@ -150,8 +171,8 @@
             then=now+delay;
         }
         s_log(LOG_DEBUG, "Waiting %d seconds", delay);
-        do { /* retry sleep() if it was interrupted by a signal */
-            sleep((unsigned)delay);
+        do { /* retry s_poll_sleep() if it was interrupted by a signal */
+            s_poll_sleep(delay, 0);
             time(&now);
             delay=(int)(then-now);
         } while(delay>0);
@@ -161,7 +182,12 @@
 }
 
 #ifndef OPENSSL_NO_DH
+
+#if OPENSSL_VERSION_NUMBER>=0x0090800fL
+NOEXPORT void cron_dh_param(BN_GENCB *bn_gencb) {
+#else /* OpenSSL older than 0.9.8 */
 NOEXPORT void cron_dh_param(void) {
+#endif /* OpenSSL 0.9.8 or later */
     SERVICE_OPTIONS *opt;
     DH *dh;
 
@@ -176,18 +202,18 @@
         sslerror("DH_new");
         return;
     }
-    if(!DH_generate_parameters_ex(dh, 2048, 2, NULL)) {
+    if(!DH_generate_parameters_ex(dh, 2048, 2, bn_gencb)) {
         DH_free(dh);
         sslerror("DH_generate_parameters_ex");
         return;
     }
 #else /* OpenSSL older than 0.9.8 */
-    dh=DH_generate_parameters(2048, 2, NULL, NULL);
+    dh=DH_generate_parameters(2048, 2, dh_callback, NULL);
     if(!dh) {
         sslerror("DH_generate_parameters");
         return;
     }
-#endif
+#endif /* OpenSSL 0.9.8 or later */
 
     /* update global dh_params for future configuration reloads */
     CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_DH]);
@@ -203,6 +229,47 @@
     CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SECTIONS]);
     s_log(LOG_NOTICE, "DH parameters updated");
 }
+
+#if OPENSSL_VERSION_NUMBER>=0x0090800fL
+
+NOEXPORT BN_GENCB *cron_bn_gencb(void) {
+#if OPENSSL_VERSION_NUMBER>=0x10100000L
+    BN_GENCB *bn_gencb;
+
+    bn_gencb=BN_GENCB_new();
+    if(!bn_gencb) {
+        sslerror("BN_GENCB_new");
+        return NULL;
+    }
+    BN_GENCB_set(bn_gencb, bn_callback, NULL);
+    return bn_gencb;
+#else
+    static BN_GENCB bn_gencb;
+
+    BN_GENCB_set(&bn_gencb, bn_callback, NULL);
+    return &bn_gencb;
+#endif
+}
+
+NOEXPORT int bn_callback(int p, int n, BN_GENCB *cb) {
+    (void)p; /* squash the unused parameter warning */
+    (void)n; /* squash the unused parameter warning */
+    (void)cb; /* squash the unused parameter warning */
+    s_poll_sleep(0, 100); /* 100ms */
+    return 1; /* return nonzero for success */
+}
+
+#else /* OpenSSL older than 0.9.8 */
+
+NOEXPORT void dh_callback(int p, int n, void *arg) {
+    (void)p; /* squash the unused parameter warning */
+    (void)n; /* squash the unused parameter warning */
+    (void)arg; /* squash the unused parameter warning */
+    s_poll_sleep(0, 100); /* 100ms */
+}
+
+#endif /* OpenSSL 0.9.8 or later */
+
 #endif /* OPENSSL_NO_DH */
 
 #endif /* USE_OS_THREADS */
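Review bot: bn_callback() and dh_callback() call s_poll_sleep(0, 100) on every invocation, and the only comment is "100ms". Please document why the callback sleeps, since the generator invokes it many times during a 2048-bit search and the total added delay depends on how many candidates are tried. In cron_bn_gencb() the object from BN_GENCB_new() is never released with BN_GENCB_free(); that is fine if the cron thread owns it for the life of the process, but say so in a comment.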
diff -Nru stunnel4-5.50/src/ctx.c stunnel4-5.54~b3/src/ctx.c
--- stunnel4-5.50/src/ctx.c	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/src/ctx.c	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -90,6 +90,18 @@
 NOEXPORT void set_prompt(const char *);
 NOEXPORT int ui_retry();
 
+/* session tickets */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+NOEXPORT int generate_session_ticket_cb(SSL *, void *);
+NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *,
+    const unsigned char *, size_t, SSL_TICKET_STATUS, void *);
+#endif /* OpenSSL 1.1.1 or later */
+
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+NOEXPORT int ssl_tlsext_ticket_key_cb(SSL *, unsigned char *,
+    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int);
+#endif /* OpenSSL 1.0.0 or later */
+
 /* session callbacks */
 NOEXPORT int sess_new_cb(SSL *, SSL_SESSION *);
 NOEXPORT void new_chain(CLI *);
@@ -114,7 +126,7 @@
 NOEXPORT void info_callback(const SSL *, int, int);
 
 NOEXPORT void sslerror_queue(void);
-NOEXPORT void sslerror_log(unsigned long, char *);
+NOEXPORT void sslerror_log(unsigned long, const char *, int, char *);
 
 /**************************************** initialize section->ctx */
 
@@ -169,6 +181,17 @@
         }
     }
 
+#ifndef OPENSSL_NO_TLS1_3
+    /* ciphersuites */
+    if(section->ciphersuites) {
+        s_log(LOG_DEBUG, "TLSv1.3 ciphersuites: %s", section->ciphersuites);
+        if(!SSL_CTX_set_ciphersuites(section->ctx, section->ciphersuites)) {
+            sslerror("SSL_CTX_set_ciphersuites");
+            return 1; /* FAILED */
+        }
+    }
+#endif /* TLS 1.3 */
+
     /* TLS options: configure the stunnel defaults first */
     SSL_CTX_set_options(section->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 #ifdef SSL_OP_NO_COMPRESSION
@@ -210,6 +233,17 @@
         SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 #endif
 
+    /* setup session tickets */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+    SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb,
+        decrypt_session_ticket_cb, NULL);
+#endif /* OpenSSL 1.1.1 or later */
+
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+    if((section->ticket_key)&&(section->ticket_mac))
+        SSL_CTX_set_tlsext_ticket_key_cb(section->ctx, ssl_tlsext_ticket_key_cb);
+#endif /* OpenSSL 1.0.0 or later */
+
     /* setup session cache */
     if(!section->option.client) {
         unsigned servname_len=(unsigned)strlen(section->servname);
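Review bot: the test `if((section->ticket_key)&&(section->ticket_mac))` silently skips SSL_CTX_set_tlsext_ticket_key_cb() when only one of the two values is configured, leaving OpenSSL's internally generated ticket keys in use. An operator who set just one option expecting fixed ticket keys gets no indication. Reject or at least log a half-configured pair, here or in the option parser.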
@@ -415,23 +449,45 @@
 /**************************************** ECDH initialization */
 
 #ifndef OPENSSL_NO_ECDH
-NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+/* simplified version that only supports a single curve */
+NOEXPORT int SSL_CTX_set1_groups_list(SSL_CTX *ctx, char *list) {
+    int nid;
     EC_KEY *ecdh;
 
-    s_log(LOG_DEBUG, "ECDH initialization");
-    ecdh=EC_KEY_new_by_curve_name(section->curve);
+    nid=OBJ_txt2nid(list);
+    if(nid==NID_undef) {
+        s_log(LOG_ERR, "Unsupported curve: %s", list);
+        return 0; /* FAILED */
+    }
+    ecdh=EC_KEY_new_by_curve_name(nid);
     if(!ecdh) {
         sslerror("EC_KEY_new_by_curve_name");
-        s_log(LOG_ERR, "Cannot create curve %s",
-            OBJ_nid2ln(section->curve));
-        return 1; /* FAILED */
+        return 0; /* FAILED */
+    }
+    if(!SSL_CTX_set_tmp_ecdh(ctx, ecdh)) {
+        sslerror("SSL_CTX_set_tmp_ecdhSSL_CTX_set_tmp_ecdh");
+        EC_KEY_free(ecdh);
+        return 0; /* FAILED */
     }
-    SSL_CTX_set_tmp_ecdh(section->ctx, ecdh);
     EC_KEY_free(ecdh);
-    s_log(LOG_DEBUG, "ECDH initialized with curve %s",
-        OBJ_nid2ln(section->curve));
+    return 1; /* OK */
+}
+#endif /* OpenSSL version < 1.1.1 */
+
+NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) {
+    s_log(LOG_DEBUG, "ECDH initialization");
+    if(!SSL_CTX_set1_groups_list(section->ctx, section->curves)) {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+        sslerror("SSL_CTX_set1_groups_list");
+#endif /* OpenSSL version >= 1.1.1 */
+        return 1; /* FAILED */
+    }
+    s_log(LOG_DEBUG, "ECDH initialized with curves %s", section->curves);
     return 0; /* OK */
 }
+
 #endif /* OPENSSL_NO_ECDH */
 
 /**************************************** initialize OpenSSL CONF */
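Review bot: the fallback SSL_CTX_set1_groups_list() for OpenSSL older than 1.1.1 passes the whole string to OBJ_txt2nid(), so a colon-separated value of section->curves that works on 1.1.1 fails here with "Unsupported curve". Since the option is now plural, either parse the first entry or document the single-curve limit where the option is described. The error string in `sslerror("SSL_CTX_set_tmp_ecdhSSL_CTX_set_tmp_ecdh");` has the function name doubled. Defining a function under an OpenSSL-namespace name is also fragile; a stunnel-prefixed wrapper would avoid any clash, and `list` can be `const char *`.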
@@ -921,6 +977,173 @@
     }
 }
 
+/**************************************** session tickets */
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+
+typedef struct {
+    void *session_authenticated;
+#if 0
+    SOCKADDR_UNION addr;
+#endif
+} TICKET_DATA;
+
+NOEXPORT int generate_session_ticket_cb(SSL *ssl, void *arg) {
+    SSL_SESSION *sess;
+    TICKET_DATA ticket_data;
+#if 0
+    SOCKADDR_UNION *addr;
+#endif
+
+    (void)arg; /* squash the unused parameter warning */
+
+    s_log(LOG_DEBUG, "Generate session ticket callback");
+
+    sess=SSL_get_session(ssl);
+    if(!sess)
+        return 0;
+    memset(&ticket_data, 0, sizeof(TICKET_DATA));
+
+    ticket_data.session_authenticated=
+        SSL_SESSION_get_ex_data(sess, index_session_authenticated);
+
+#if 0
+    /* TODO: add remote_start() invocation here */
+    CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_ADDR]);
+    addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address);
+    if(addr)
+        memcpy(&ticket_data.addr, addr, (size_t)addr_len(addr));
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
+#endif
+
+    return SSL_SESSION_set1_ticket_appdata(sess,
+        &ticket_data, sizeof(TICKET_DATA));
+}
+
+NOEXPORT int decrypt_session_ticket_cb(SSL *ssl, SSL_SESSION *sess,
+        const unsigned char *keyname, size_t keyname_len,
+        SSL_TICKET_STATUS status, void *arg) {
+    TICKET_DATA *ticket_data;
+    size_t ticket_len;
+
+    (void)ssl; /* squash the unused parameter warning */
+    (void)keyname; /* squash the unused parameter warning */
+    (void)keyname_len; /* squash the unused parameter warning */
+    (void)arg; /* squash the unused parameter warning */
+
+    s_log(LOG_DEBUG, "Decrypt session ticket callback");
+
+    switch(status) {
+    case SSL_TICKET_EMPTY:
+    case SSL_TICKET_NO_DECRYPT:
+        return SSL_TICKET_RETURN_IGNORE_RENEW;
+    case SSL_TICKET_SUCCESS:
+    case SSL_TICKET_SUCCESS_RENEW:
+        break;
+    default:
+        return SSL_TICKET_RETURN_ABORT;
+    }
+
+    if(!SSL_SESSION_get0_ticket_appdata(sess,
+            (void **)&ticket_data, &ticket_len)) {
+        s_log(LOG_WARNING, "Failed to get ticket application data");
+        return SSL_TICKET_RETURN_IGNORE_RENEW;
+    }
+    if(!ticket_data) {
+        s_log(LOG_WARNING, "Invalid ticket application data value");
+        return SSL_TICKET_RETURN_IGNORE_RENEW;
+    }
+    if(ticket_len != sizeof(TICKET_DATA)) {
+        s_log(LOG_WARNING, "Invalid ticket application data length");
+        return SSL_TICKET_RETURN_IGNORE_RENEW;
+    }
+
+    s_log(LOG_INFO, "Decrypted ticket for an authenticated session: %s",
+        ticket_data->session_authenticated ? "yes" : "no");
+    SSL_SESSION_set_ex_data(sess, index_session_authenticated,
+        ticket_data->session_authenticated);
+
+#if 0
+    if(ticket_data->addr.sa.sa_family) {
+        char *addr_txt;
+        SOCKADDR_UNION *old_addr;
+
+        addr_txt=s_ntop(&ticket_data->addr, addr_len(&ticket_data->addr));
+        s_log(LOG_INFO, "Decrypted ticket persistence address: %s", addr_txt);
+        str_free(addr_txt);
+        CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]);
+        old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address);
+        if(SSL_SESSION_set_ex_data(sess, index_session_connect_address, &ticket_data->addr)) {
+            CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
+            str_free(old_addr); /* NULL pointers are ignored */
+        } else { /* failed to store ticket_data->addr */
+            CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]);
+            sslerror("SSL_SESSION_set_ex_data");
+        }
+    } else {
+        s_log(LOG_INFO, "Decrypted ticket did not include a persistence address");
+    }
+#endif
+
+    switch(status) {
+    case SSL_TICKET_SUCCESS:
+        return SSL_TICKET_RETURN_USE;
+    case SSL_TICKET_SUCCESS_RENEW:
+        return SSL_TICKET_RETURN_USE_RENEW;
+    }
+    return SSL_TICKET_RETURN_ABORT; /* it should never get executed */
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+NOEXPORT int ssl_tlsext_ticket_key_cb(SSL *ssl, unsigned char *key_name,
+        unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) {
+    CLI *c;
+    const EVP_CIPHER *cipher;
+    int iv_len;
+
+    (void)key_name; /* squash the unused parameter warning */
+    s_log(LOG_DEBUG, "Session ticket processing callback");
+
+    c=SSL_get_ex_data(ssl, index_ssl_cli);
+    if(!HMAC_Init_ex(hctx, (const unsigned char *)(c->opt->ticket_mac->key_val),
+        c->opt->ticket_mac->key_len, EVP_sha256(), NULL)) {
+        s_log(LOG_ERR, "HMAC_Init_ex failed");
+        return -1;
+    }
+    if(c->opt->ticket_key->key_len == 16)
+        cipher = EVP_aes_128_cbc();
+    else /* c->opt->ticket_key->key_len == 32 */
+        cipher = EVP_aes_256_cbc();
+    if(enc) { /* create new session */
+        /* EVP_CIPHER_iv_length() returns 16 for either cipher EVP_aes_128_cbc() or EVP_aes_256_cbc() */
+        iv_len = EVP_CIPHER_iv_length(cipher);
+        if(RAND_bytes(iv, iv_len) <= 0) { /* RAND_bytes error */
+            s_log(LOG_ERR, "RAND_bytes failed");
+            return -1;
+        }
+        if(!EVP_EncryptInit_ex(ctx, cipher, NULL,
+            (const unsigned char *)(c->opt->ticket_key->key_val), iv)) {
+            s_log(LOG_ERR, "EVP_EncryptInit_ex failed");
+            return -1;
+        }
+    } else /* retrieve session */
+        if(!EVP_DecryptInit_ex(ctx, cipher, NULL,
+            (const unsigned char *)(c->opt->ticket_key->key_val), iv)) {
+            s_log(LOG_ERR, "EVP_DecryptInit_ex failed");
+            return -1;
+        }
+    /* By default, in TLSv1.2 and below, a new session ticket */
+    /* is not issued on a successful resumption. */
+    /* In TLSv1.3 the default behaviour is to always issue a new ticket on resumption. */
+    /* This behaviour can NOT be changed if this ticket key callback is in use! */
+    if(strcmp(SSL_get_version(c->ssl), "TLSv1.3"))
+        return 1; /* new session ticket is not issued */
+    else
+        return 2; /* session ticket should be replaced */
+}
+#endif /* OpenSSL 1.0.0 or later */
+
 /**************************************** session callbacks */
 
 NOEXPORT int sess_new_cb(SSL *ssl, SSL_SESSION *sess) {
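Review bot: ssl_tlsext_ticket_key_cb() discards key_name with `(void)key_name;` on both the encrypt and decrypt paths. OpenSSL's documentation for this callback expects it to set key_name when enc is nonzero and to use it to select or reject a key on decryption; here the name is never written, and every presented ticket is tried against the configured key. Fill key_name with a stable identifier for the configured key and return 0 on a mismatch when decrypting. Other points in this hunk: `c=SSL_get_ex_data(ssl, index_ssl_cli);` is dereferenced without a NULL check; the `else` branch assumes key_len is 32 without verifying it; TICKET_DATA serializes a raw `void *session_authenticated` into the ticket, which only works as a flag and ties the appdata size to the pointer width, so a fixed-width integer would be safer when ticket keys are shared between hosts; and comparing SSL_get_version() against "TLSv1.3" with strcmp() could be a numeric check on the protocol version instead.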
@@ -1348,11 +1571,13 @@
 
 void sslerror(char *txt) { /* OpenSSL error handler */
     unsigned long err;
+    const char *file;
+    int line;
 
-    err=ERR_get_error();
+    err=ERR_get_error_line(&file, &line);
     if(err) {
         sslerror_queue();
-        sslerror_log(err, txt);
+        sslerror_log(err, file, line, txt);
     } else {
         s_log(LOG_ERR, "%s: Peer suddenly disconnected", txt);
     }
@@ -1360,21 +1585,24 @@
 
 NOEXPORT void sslerror_queue(void) { /* recursive dump of the error queue */
     unsigned long err;
+    const char *file;
+    int line;
 
-    err=ERR_get_error();
+    err=ERR_get_error_line(&file, &line);
     if(err) {
         sslerror_queue();
-        sslerror_log(err, "error queue");
+        sslerror_log(err, file, line, "error queue");
     }
 }
 
-NOEXPORT void sslerror_log(unsigned long err, char *txt) {
-    char *error_string;
+NOEXPORT void sslerror_log(unsigned long err,
+        const char *file, int line, char *txt) {
+    char *str;
 
-    error_string=str_alloc(256);
-    ERR_error_string_n(err, error_string, 256);
-    s_log(LOG_ERR, "%s: %lX: %s", txt, err, error_string);
-    str_free(error_string);
+    str=str_alloc(256);
+    ERR_error_string_n(err, str, 256);
+    s_log(LOG_ERR, "%s: %s:%d: %s", txt, file, line, str);
+    str_free(str);
 }
 
 /* end of ctx.c */
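Review bot: sslerror_log() changes the log line from "%s: %lX: %s" to "%s: %s:%d: %s", which replaces the hexadecimal error code field with the OpenSSL source file and line. Anything that parses stunnel logs by the old layout will need updating, so this deserves a mention in the release notes. The text produced by ERR_error_string_n() still carries the numeric code, so no information is lost.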
diff -Nru stunnel4-5.50/src/dhparam.c stunnel4-5.54~b3/src/dhparam.c
--- stunnel4-5.50/src/dhparam.c	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/dhparam.c	2019-04-13 16:58:50.000000000 +0300
@@ -1,57 +1,55 @@
+/* dhparam.c: initial DH parameters for stunnel */
 #include "common.h"
 #ifndef OPENSSL_NO_DH
 #define DN_new DH_new
-#ifndef HEADER_DH_H
-# include <openssl/dh.h>
-#endif
-
-DH *get_dh2048()
+DH *get_dh2048(void)
 {
     static unsigned char dhp_2048[] = {
-	0x96, 0xB4, 0xED, 0x78, 0xAF, 0xD4, 0xDD, 0xBF, 0x55, 0xDB, 
-	0xAD, 0x85, 0xA0, 0x5C, 0x22, 0xC3, 0x8C, 0x14, 0x79, 0xE5, 
-	0x0A, 0xB1, 0x48, 0xAC, 0x22, 0x77, 0xDA, 0x86, 0x57, 0xCF, 
-	0x3C, 0xEC, 0x12, 0xD2, 0x28, 0x41, 0x7A, 0xCD, 0xD0, 0x55, 
-	0x1B, 0x80, 0xEB, 0x9E, 0x60, 0xFA, 0x36, 0x7B, 0xB0, 0x33, 
-	0x2A, 0xD3, 0x32, 0xD3, 0x19, 0xB6, 0x51, 0x26, 0x4C, 0x6F, 
-	0x62, 0xE5, 0x90, 0x32, 0x75, 0xEB, 0x85, 0x6E, 0x4E, 0x0A, 
-	0xC5, 0x1E, 0x16, 0x73, 0x00, 0xB0, 0xB3, 0x46, 0xCA, 0x9D, 
-	0xD9, 0xD2, 0x72, 0x43, 0xBB, 0xDB, 0xED, 0x82, 0xDF, 0xD7, 
-	0x6E, 0x61, 0x65, 0x62, 0x73, 0x27, 0x0E, 0xD6, 0x92, 0x4E, 
-	0x7F, 0x11, 0x7A, 0xDE, 0x8E, 0x3A, 0xB6, 0x5C, 0x67, 0x73, 
-	0xD0, 0x5D, 0xC6, 0xC8, 0x86, 0x01, 0xAA, 0x93, 0x19, 0x7E, 
-	0x59, 0xDE, 0xEB, 0x51, 0x83, 0x10, 0x76, 0x46, 0x50, 0x60, 
-	0xEE, 0xBD, 0x6F, 0xB3, 0x6F, 0x6A, 0x0D, 0x9C, 0x4E, 0x4D, 
-	0xB8, 0x51, 0x89, 0x8D, 0x4C, 0x15, 0xCD, 0x91, 0x01, 0x13, 
-	0x3C, 0x79, 0x57, 0x0A, 0x17, 0x33, 0x68, 0x85, 0x71, 0xA3, 
-	0xF9, 0x7C, 0x22, 0x91, 0x7E, 0x75, 0xB1, 0x7B, 0x60, 0x33, 
-	0x84, 0xFB, 0xB2, 0x42, 0x4D, 0x51, 0x6F, 0x2C, 0x41, 0xD6, 
-	0xC4, 0x5E, 0x3A, 0xFF, 0x49, 0x93, 0x8A, 0xEE, 0xCC, 0x2A, 
-	0xCB, 0x0F, 0x1C, 0x17, 0x85, 0x57, 0x2F, 0x65, 0xC3, 0x54, 
-	0x1F, 0xE0, 0x98, 0x1C, 0x2F, 0x3D, 0x67, 0xA1, 0x53, 0x67, 
-	0xD7, 0xFC, 0xAC, 0x31, 0x68, 0xBF, 0x43, 0x71, 0xA7, 0xBF, 
-	0xE5, 0x1F, 0x9D, 0xD9, 0x72, 0x74, 0xD6, 0x92, 0x1D, 0x36, 
-	0x1B, 0xBC, 0x49, 0x09, 0x84, 0x06, 0xC8, 0x4B, 0xD9, 0xB7, 
-	0x17, 0xF3, 0x2F, 0x82, 0x9F, 0x3F, 0x50, 0x51, 0x34, 0x25, 
-	0x84, 0x1A, 0xC5, 0x75, 0x1C, 0x93
+        0x98, 0x4E, 0xCF, 0x65, 0xB6, 0x63, 0x5F, 0x50, 0xB1, 0x39,
+        0x9C, 0x77, 0x0B, 0x61, 0x78, 0x04, 0x1E, 0x61, 0x56, 0x2C,
+        0x88, 0xE7, 0xA4, 0x99, 0xDA, 0xC2, 0xFB, 0xF3, 0xC2, 0x09,
+        0xA5, 0x7E, 0xE0, 0xBD, 0x3E, 0x9E, 0xFE, 0x4A, 0xE0, 0x5C,
+        0xAE, 0x05, 0x26, 0x0A, 0xED, 0xDC, 0x83, 0xC3, 0xDA, 0x99,
+        0x09, 0xA4, 0xB2, 0xA7, 0x6C, 0x81, 0x92, 0xE0, 0xFC, 0x53,
+        0xF3, 0xE3, 0x42, 0x0C, 0xEE, 0x4D, 0x1A, 0xB2, 0x80, 0xE4,
+        0xA0, 0xF5, 0xA8, 0x45, 0x35, 0x8F, 0xDC, 0xB3, 0x30, 0xA1,
+        0x69, 0x02, 0x40, 0x46, 0x2E, 0x08, 0x5E, 0x4F, 0x8C, 0xB5,
+        0xF9, 0x7F, 0xFB, 0x5F, 0xD8, 0xC2, 0x88, 0xDA, 0x28, 0x29,
+        0xA6, 0x7D, 0x81, 0x64, 0x68, 0x64, 0x45, 0xA0, 0x8F, 0x0E,
+        0x2F, 0xB7, 0xAB, 0xA9, 0x2A, 0xD0, 0x08, 0x0D, 0xCE, 0xDF,
+        0x63, 0xD2, 0x46, 0x2A, 0x90, 0xAE, 0xCE, 0xD6, 0x94, 0x4A,
+        0x88, 0xC0, 0xF8, 0x49, 0x18, 0x45, 0xC3, 0x55, 0x15, 0x9F,
+        0xE3, 0x41, 0x7C, 0x05, 0xD4, 0xE3, 0x67, 0x60, 0x23, 0xBD,
+        0x59, 0x55, 0x9F, 0xA7, 0x6D, 0x31, 0x7B, 0x81, 0xCC, 0xF2,
+        0x57, 0x51, 0x80, 0x7A, 0x14, 0x94, 0x38, 0x53, 0x5E, 0xBC,
+        0xA9, 0x3D, 0x25, 0x40, 0xB3, 0x53, 0xF1, 0x1E, 0x04, 0xB6,
+        0x84, 0x70, 0x9E, 0xF7, 0x14, 0xFC, 0xB1, 0x8D, 0xB5, 0x28,
+        0x0E, 0x82, 0xA1, 0x95, 0x4B, 0x74, 0xE1, 0xD5, 0x99, 0x7D,
+        0x6C, 0xD0, 0xCC, 0x23, 0xEA, 0x4E, 0x8C, 0x3A, 0xEA, 0x2F,
+        0x21, 0x29, 0x5F, 0xEC, 0x84, 0xD2, 0x71, 0x63, 0xA0, 0x5D,
+        0x6D, 0x07, 0x40, 0xA8, 0xC0, 0xCA, 0x87, 0xEF, 0x00, 0x87,
+        0x95, 0x58, 0xBD, 0x94, 0x2A, 0xFA, 0x0B, 0x54, 0x9F, 0x5B,
+        0x97, 0xE2, 0xD4, 0xD7, 0x3C, 0xCF, 0xAD, 0x5D, 0x96, 0xAF,
+        0xAD, 0xBE, 0x32, 0x19, 0x83, 0x53
     };
     static unsigned char dhg_2048[] = {
-	0x02
+        0x02
     };
     DH *dh = DH_new();
-    BIGNUM *dhp_bn, *dhg_bn;
+    BIGNUM *p, *g;
 
     if (dh == NULL)
         return NULL;
-    dhp_bn = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL);
-    dhg_bn = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL);
-    if (dhp_bn == NULL || dhg_bn == NULL
-            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+    p = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL);
+    g = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL);
+    if (p == NULL || g == NULL
+            || !DH_set0_pqg(dh, p, NULL, g)) {
         DH_free(dh);
-        BN_free(dhp_bn);
-        BN_free(dhg_bn);
+        BN_free(p);
+        BN_free(g);
         return NULL;
     }
     return dh;
 }
 #endif /* OPENSSL_NO_DH */
+/* built for stunnel 5.54 */
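Review bot: `#define DN_new DH_new` is kept at the top of dhparam.c, but get_dh2048() calls DH_new() directly and nothing in the file as shown uses DN_new, so the define looks like a leftover. The include of <openssl/dh.h> is dropped, which means the file now depends on common.h pulling it in. Since the Makefile rule that regenerated this file is removed in the same patch and the trailer says "built for stunnel 5.54", please document how and when the parameters are meant to be regenerated.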
diff -Nru stunnel4-5.50/src/env.c stunnel4-5.54~b3/src/env.c
--- stunnel4-5.50/src/env.c	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/env.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/evc.mak stunnel4-5.54~b3/src/evc.mak
--- stunnel4-5.50/src/evc.mak	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/evc.mak	2019-04-30 17:03:21.000000000 +0300
@@ -1,4 +1,4 @@
-# wce.mak for stunnel.exe by Michal Trojnara 1998-2018
+# wce.mak for stunnel.exe by Michal Trojnara 1998-2019
 # with help of Pierre Delaage <delaage.pierre@free.fr>
 # pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support
 # pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE
@@ -8,10 +8,10 @@
 #                     for X86-WCE targets, although compiler "cl.exe" is REALLY the same as desktop W32 VS6 C++ compiler,
 #                     the MT flags relating to LIBCMT is useless BECAUSE LIBCMT does NOT exist on WCE. No msvcrt on WCE either...
 
-# pdelaage 20140610 :  Note on /MC flag 
+# pdelaage 20140610 :  Note on /MC flag
 # For other targets than X86/Emulator, /MC flag is redundant with "/nodefaultlib coredll.lib corelibc.lib" LD lib list.
-# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor, 
-# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using : 
+# For << X86 / Emulator >> target, as the cl.exe compiler IS the SAME as the standard VS6.0 C++ compiler for Desktop Pentium processor,
+# /MC flag is in fact NOT existing, thus requiring an explicit linking with core libs by using :
 # /NODEFAULTLIB coredll.lib corelibc.lib,
 # something that is correct for any WCE target, X86 and other, and leading /MC flag to be useless ALSO for other target than X86.
 
diff -Nru stunnel4-5.50/src/fd.c stunnel4-5.54~b3/src/fd.c
--- stunnel4-5.50/src/fd.c	2018-07-03 00:30:10.000000000 +0300
+++ stunnel4-5.54~b3/src/fd.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/file.c stunnel4-5.54~b3/src/file.c
--- stunnel4-5.50/src/file.c	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/file.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -74,7 +74,7 @@
         SetFilePointer(fh, 0, NULL, FILE_END);
 
     /* setup df structure */
-    df=str_alloc(sizeof df);
+    df=str_alloc(sizeof(DISK_FILE));
     df->fh=fh;
     return df;
 }
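Review bot: at `df=str_alloc(sizeof(DISK_FILE));` the old `sizeof df` measured the pointer rather than the structure, so the fix is right, but naming the type repeats the mistake's root cause in a different form. `sizeof *df` keeps the allocation tied to the variable if its type ever changes. The same applies to the second occurrence in the next hunk.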
@@ -120,7 +120,7 @@
         return NULL;
 
     /* setup df structure */
-    df=str_alloc(sizeof df);
+    df=str_alloc(sizeof(DISK_FILE));
     df->fd=fd;
     return df;
 }
diff -Nru stunnel4-5.50/src/libwrap.c stunnel4-5.54~b3/src/libwrap.c
--- stunnel4-5.50/src/libwrap.c	2018-07-03 00:30:10.000000000 +0300
+++ stunnel4-5.54~b3/src/libwrap.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/log.c stunnel4-5.54~b3/src/log.c
--- stunnel4-5.50/src/log.c	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/log.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -320,6 +320,7 @@
     case LOG_ID_SEQUENTIAL:
         return str_printf("%llu", c->seq);
     case LOG_ID_UNIQUE:
+        memset(rnd, 0, sizeof rnd);
         if(RAND_bytes(rnd, sizeof rnd)<=0) /* log2(62^22)=130.99 */
             return str_dup("error");
         for(i=0; i<sizeof rnd; ++i) {
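Review bot: the added `memset(rnd, 0, sizeof rnd);` directly before RAND_bytes() has no comment, and on the visible paths the buffer is either fully overwritten on success or unused because the function returns "error". Say why the zeroing is needed (for example, to quiet an uninitialized-memory checker) so it is not removed later as dead code.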
diff -Nru stunnel4-5.50/src/Makefile.am stunnel4-5.54~b3/src/Makefile.am
--- stunnel4-5.50/src/Makefile.am	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/Makefile.am	2019-04-04 23:08:23.000000000 +0300
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 ###############################################################################
 # File lists                                                                  #
@@ -16,17 +16,6 @@
 win32_cli_sources = ui_win_cli.c
 
 ###############################################################################
-# Generate a new set of DH parameters for each version                        #
-###############################################################################
-
-dhparam.c: version.h
-	echo '#include "common.h"' >dhparam.c
-	echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
-	echo '#define DN_new DH_new' >>dhparam.c
-	openssl dhparam -noout -C 2048 >>dhparam.c
-	echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
-
-###############################################################################
 # Unix executables and shared library                                         #
 ###############################################################################
 
diff -Nru stunnel4-5.50/src/Makefile.in stunnel4-5.54~b3/src/Makefile.in
--- stunnel4-5.50/src/Makefile.in	2018-11-09 17:53:56.000000000 +0200
+++ stunnel4-5.54~b3/src/Makefile.in	2019-04-30 17:03:37.000000000 +0300
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 ###############################################################################
 # File lists                                                                  #
@@ -1122,17 +1122,6 @@
 
 .PRECIOUS: Makefile
 
-
-###############################################################################
-# Generate a new set of DH parameters for each version                        #
-###############################################################################
-
-dhparam.c: version.h
-	echo '#include "common.h"' >dhparam.c
-	echo '#ifndef OPENSSL_NO_DH' >>dhparam.c
-	echo '#define DN_new DH_new' >>dhparam.c
-	openssl dhparam -noout -C 2048 >>dhparam.c
-	echo '#endif /* OPENSSL_NO_DH */' >>dhparam.c
 stunnel3: Makefile
 	$(edit) '$(srcdir)/$@.in' >$@
 stunnel3: $(srcdir)/stunnel3.in
diff -Nru stunnel4-5.50/src/mingw.mak stunnel4-5.54~b3/src/mingw.mak
--- stunnel4-5.50/src/mingw.mak	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/mingw.mak	2019-04-30 17:03:21.000000000 +0300
@@ -1,4 +1,4 @@
-# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2018
+# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2019
 #
 # Modified by Brian Hatch  (bri@stunnel.org)
 # 20101030 pdelaage:
@@ -19,7 +19,7 @@
 # On Windows host, download:
 # http://gnuwin32.sourceforge.net/downlinks/coreutils.php
 # if you have forgotten this, this makefile will remind you...
- 
+
 # Modify this to point to your actual openssl compile directory
 # (You did already compile openssl, didn't you???)
 #SSLDIR=../../openssl-0.9.8zh
@@ -98,7 +98,7 @@
 # default options : -J rc -O coff, input rc file, output coff file.
 
 RFLAGS=-v --use-temp-file $(DEFINES)
-# following RFLAGS2 useful if one day use-temp-file does not exist anymore 
+# following RFLAGS2 useful if one day use-temp-file does not exist anymore
 RFLAGS2=-v $(DEFINES)
 LDFLAGS=-s
 
@@ -117,7 +117,7 @@
 
 # pdelaage : trick for windres preprocessing popen bug on Windows, in case the windres option
 # use_temp_file disappear one day...
-# comment out the $(RC) rule above to activate the following 
+# comment out the $(RC) rule above to activate the following
 
 $(OBJ)/%.rcp: $(SRC)/%.rc
 	$(RCP) $(DEFINES) -o$@ $<
@@ -125,7 +125,7 @@
 $(OBJ)/%.o: $(OBJ)/%.rcp
 	$(RC) $(RFLAGS2) -o$@ $<
 
-# Note : gnu-make will automatically RM the intermediate "rcp" file 
+# Note : gnu-make will automatically RM the intermediate "rcp" file
 # BUT it will ABSOLUTELY NEED the "rm" command available : not a problem on linux
 # but on a windows dev host machine, one will need to install gnu-win32/rm command
 # in the system...
@@ -152,7 +152,7 @@
 	@true >$(NULLDEV) 2>&1
 endif
 	
-clean: 
+clean:
 	-@ $(DELFILES) $(OBJ)/*.o
 	-@ $(DELFILES) $(BIN)/stunnel.exe >$(NULLDEV) 2>&1
 	-@ $(DELDIR) $(OBJ) >$(NULLDEV) 2>&1
@@ -164,10 +164,10 @@
 	-@ $(MKDIR) $(BINROOT) >$(NULLDEV) 2>&1
 	-@ $(MKDIR) $(BIN) >$(NULLDEV) 2>&1
 
-# pseudo-target for RC-preprocessor debugging  
+# pseudo-target for RC-preprocessor debugging
 # result appears OK, as a text file
 faketest:
-	gcc -E -xc-header -DRC_INVOKED $(DEFINES) -o $(SRC)/resources.rcp $(SRC)/resources.rc  
+	gcc -E -xc-header -DRC_INVOKED $(DEFINES) -o $(SRC)/resources.rcp $(SRC)/resources.rc
 
 $(OBJS): *.h mingw.mak
 
diff -Nru stunnel4-5.50/src/mingw.mk stunnel4-5.54~b3/src/mingw.mk
--- stunnel4-5.50/src/mingw.mk	2018-11-28 23:03:38.000000000 +0200
+++ stunnel4-5.54~b3/src/mingw.mk	2019-04-04 23:08:23.000000000 +0300
@@ -1,5 +1,5 @@
 ## mingw/mingw64 Makefile
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 # 32-bit Windows
 #win32_arch=win32
@@ -16,11 +16,11 @@
 
 win32_ssl_dir = /opt/openssl-$(win32_mingw)
 win32_cppflags = -I$(win32_ssl_dir)/include
-win32_cflags = -mthreads -O2
+win32_cflags = -g -mthreads -O2
 #win32_cflags += -fstack-protector
 win32_cflags += -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion -Wno-long-long
 win32_cflags += -D_FORTIFY_SOURCE=2 -DUNICODE -D_UNICODE
-win32_ldflags = -s -mthreads
+win32_ldflags = -g -mthreads
 #win32_ldflags += -fstack-protector
 # -fstack-protector is broken (at least in x86_64-w64-mingw32-gcc 8.2.0)
 
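Review bot: Dropping -s from win32_ldflags and adding -g to both win32_cflags and win32_ldflags means the Windows binaries are now linked unstripped and carry debug information. If that is intended only while debugging the beta, a comment saying so, or a separate debug variable, would keep it from reaching release builds unnoticed.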
diff -Nru stunnel4-5.50/src/network.c stunnel4-5.54~b3/src/network.c
--- stunnel4-5.50/src/network.c	2018-06-08 20:30:06.000000000 +0300
+++ stunnel4-5.54~b3/src/network.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -46,6 +46,9 @@
 /* #define DEBUG_UCONTEXT */
 
 NOEXPORT void s_poll_realloc(s_poll_set *);
+#ifndef USE_UCONTEXT
+NOEXPORT void check_terminate(s_poll_set *);
+#endif
 
 /**************************************** s_poll functions */
 
@@ -63,10 +66,12 @@
     }
 }
 
-void s_poll_init(s_poll_set *fds) {
+void s_poll_init(s_poll_set *fds, int main_thread) {
     fds->nfds=0;
     fds->allocated=4; /* prealloc 4 file descriptors */
     s_poll_realloc(fds);
+    fds->main_thread=main_thread;
+    s_poll_add(fds, main_thread ? signal_pipe[0] : terminate_pipe[0], 1, 0);
 }
 
 void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
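Review bot: s_poll_init() now always registers signal_pipe[0] or terminate_pipe[0] for reading, so for a set initialised with main_thread set, a positive return from s_poll_wait() no longer implies that one of the caller's own descriptors is ready. Callers of such sets should test their descriptors explicitly with s_poll_canread() rather than relying on the return value alone. The new int main_thread argument appears as a bare 0 at the call sites in this file; a one-line comment on the prototype describing the two modes would make those calls readable.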
@@ -334,6 +339,8 @@
     do { /* skip "Interrupted system call" errors */
         retval=poll(fds->ufds, fds->nfds, sec<0 ? -1 : 1000*sec+msec);
     } while(retval<0 && get_last_socket_error()==S_EINTR);
+    if(retval>0)
+        check_terminate(fds);
     return retval;
 }
 
@@ -358,7 +365,7 @@
     }
 }
 
-void s_poll_init(s_poll_set *fds) {
+void s_poll_init(s_poll_set *fds, int main_thread) {
 #ifdef USE_WIN32
     fds->allocated=4; /* prealloc 4 file descriptors */
 #endif
@@ -367,6 +374,8 @@
     FD_ZERO(fds->iwfds);
     FD_ZERO(fds->ixfds);
     fds->max=0; /* no file descriptors */
+    fds->main_thread=main_thread;
+    s_poll_add(fds, main_thread ? signal_pipe[0] : terminate_pipe[0], 1, 0);
 }
 
 void s_poll_add(s_poll_set *fds, SOCKET fd, int rd, int wr) {
@@ -449,6 +458,8 @@
         retval=select((int)fds->max+1,
             fds->orfds, fds->owfds, fds->oxfds, tv_ptr);
     } while(retval<0 && get_last_socket_error()==S_EINTR);
+    if(retval>0)
+        check_terminate(fds);
     return retval;
 }
 
@@ -481,6 +492,37 @@
 
 #endif /* USE_POLL */
 
+void s_poll_sleep(int sec, int msec) {
+    s_poll_set *fds=s_poll_alloc();
+    s_poll_init(fds, 0);
+    s_poll_wait(fds, sec, msec);
+    s_poll_free(fds);
+}
+
+#ifndef USE_UCONTEXT
+NOEXPORT void check_terminate(s_poll_set *fds) {
+    if(!fds->main_thread && s_poll_canread(fds, terminate_pipe[0])) {
+#ifdef USE_PTHREAD
+        pthread_exit(NULL);
+#endif /* USE_PTHREAD */
+#if defined(USE_WIN32) || defined(USE_OS2)
+#if defined(_WIN32_WCE)
+        /* FIXME */
+#else /* !_WIN32_WCE */
+        _endthreadex(0);
+#endif /* _WIN32_WCE */
+#endif /* USE_WIN32 || USE_OS2 */
+#ifdef USE_UCONTEXT
+        /* currently unused */
+        s_poll_wait(NULL, 0, 0); /* wait on poll() */
+#endif /* USE_UCONTEXT */
+#ifdef USE_FORK
+        exit(0);
+#endif /* USE_FORK */
+    }
+}
+#endif
+
 /**************************************** fd management */
 
 int socket_options_set(SERVICE_OPTIONS *service, SOCKET s, int type) {
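Review bot: check_terminate() ends the calling thread from inside s_poll_wait() (pthread_exit(NULL), _endthreadex(0)), so nothing after the s_poll_wait() call in the caller runs; in s_poll_sleep() just above, that skips s_poll_free(fds), and the set obtained from s_poll_alloc() is not released unless thread exit cleans it up elsewhere. Consider returning a distinct value and letting callers unwind, or add a comment stating that thread exit is the intended cleanup path. Two smaller points in the same function: the #ifdef USE_UCONTEXT branch can never be compiled because the whole function sits inside #ifndef USE_UCONTEXT, and on _WIN32_WCE the body is only /* FIXME */, so the thread keeps running after the terminate pipe becomes readable.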
@@ -560,7 +602,7 @@
 
     s_log(LOG_DEBUG, "s_connect: s_poll_wait %s: waiting %d seconds",
         dst, c->opt->timeout_connect);
-    s_poll_init(c->fds);
+    s_poll_init(c->fds, 0);
     s_poll_add(c->fds, c->fd, 1, 1);
     switch(s_poll_wait(c->fds, c->opt->timeout_connect, 0)) {
     case -1:
@@ -601,7 +643,7 @@
     ssize_t num;
 
     while(len>0) {
-        s_poll_init(c->fds);
+        s_poll_init(c->fds, 0);
         s_poll_add(c->fds, fd, 0, 1); /* write */
         switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
         case -1:
@@ -632,7 +674,7 @@
     ssize_t num;
 
     while(len>0) {
-        s_poll_init(c->fds);
+        s_poll_init(c->fds, 0);
         s_poll_add(c->fds, fd, 1, 0); /* read */
         switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
         case -1:
@@ -724,7 +766,7 @@
     int num;
 
     while(len>0) {
-        s_poll_init(c->fds);
+        s_poll_init(c->fds, 0);
         s_poll_add(c->fds, c->ssl_wfd->fd, 0, 1); /* write */
         switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
         case -1:
@@ -756,7 +798,7 @@
 
     while(len>0) {
         if(!SSL_pending(c->ssl)) {
-            s_poll_init(c->fds);
+            s_poll_init(c->fds, 0);
             s_poll_add(c->fds, c->ssl_rfd->fd, 1, 0); /* read */
             switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
             case -1:
diff -Nru stunnel4-5.50/src/options.c stunnel4-5.54~b3/src/options.c
--- stunnel4-5.50/src/options.c	2018-11-05 16:37:18.000000000 +0200
+++ stunnel4-5.54~b3/src/options.c	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -38,6 +38,12 @@
 #include "common.h"
 #include "prototypes.h"
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
+#else /* OpenSSL version < 1.1.1 */
+#define DEFAULT_CURVES "prime256v1"
+#endif /* OpenSSL version >= 1.1.1 */
+
 #if defined(_WIN32_WCE) && !defined(CONFDIR)
 #define CONFDIR "\\stunnel"
 #endif
@@ -90,6 +96,12 @@
 NOEXPORT void psk_free(PSK_KEYS *);
 #endif /* !defined(OPENSSL_NO_PSK) */
 
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+NOEXPORT TICKET_KEY *key_read(char *, char *);
+NOEXPORT TICKET_KEY *key_dup(TICKET_KEY *);
+NOEXPORT void key_free(TICKET_KEY *);
+#endif /* OpenSSL 1.0.0 or later */
+
 typedef struct {
     char *name;
     long unsigned value;
@@ -267,6 +279,11 @@
 static char *stunnel_cipher_list=
     "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
 
+#ifndef OPENSSL_NO_TLS1_3
+static char *stunnel_ciphersuites=
+    "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256";
+#endif /* TLS 1.3 */
+
 /**************************************** parse commandline parameters */
 
 /* return values:
@@ -670,10 +687,12 @@
     case CMD_SET_VALUE:
         if(strcasecmp(opt, "compression"))
             break;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         /* only allow compression with OpenSSL 0.9.8 or later
          * with OpenSSL #1468 zlib memory leak fixed */
         if(OpenSSL_version_num()<0x00908051L) /* 0.9.8e-beta1 */
             return "Compression unsupported due to a memory leak";
+#endif /* OpenSSL version < 1.1.0 */
         if(!strcasecmp(arg, "deflate"))
             new_global_options.compression=COMP_DEFLATE;
         else if(!strcasecmp(arg, "zlib"))
@@ -1519,8 +1538,8 @@
         return NULL; /* OK */
     case CMD_INITIALIZE:
         if(!section->cipher_list) {
-            /* this is only executed for global options,
-             * because section->cipher_list is no longer NULL */
+            /* this is only executed for global options, because
+             * section->cipher_list is no longer NULL in sections */
 #ifdef USE_FIPS
             if(new_global_options.option.fips)
                 section->cipher_list=str_dup_detached("FIPS");
@@ -1540,10 +1559,44 @@
 #endif /* USE_FIPS */
         break;
     case CMD_PRINT_HELP:
-        s_log(LOG_NOTICE, "%-22s = list of permitted TLS ciphers", "ciphers");
+        s_log(LOG_NOTICE, "%-22s = permitted ciphers for TLS 1.2 or older", "ciphers");
         break;
     }
 
+#ifndef OPENSSL_NO_TLS1_3
+    /* ciphersuites */
+    switch(cmd) {
+    case CMD_SET_DEFAULTS:
+        section->ciphersuites=NULL;
+        break;
+    case CMD_SET_COPY:
+        section->ciphersuites=str_dup_detached(new_service_options.ciphersuites);
+        break;
+    case CMD_FREE:
+        str_free(section->ciphersuites);
+        break;
+    case CMD_SET_VALUE:
+        if(strcasecmp(opt, "ciphersuites"))
+            break;
+        str_free(section->ciphersuites);
+        section->ciphersuites=str_dup_detached(arg);
+        return NULL; /* OK */
+    case CMD_INITIALIZE:
+        if(!section->ciphersuites) {
+            /* this is only executed for global options, because
+             * section->ciphersuites is no longer NULL in sections */
+            section->ciphersuites=str_dup_detached(stunnel_ciphersuites);
+        }
+        break;
+    case CMD_PRINT_DEFAULTS:
+        s_log(LOG_NOTICE, "%-22s = %s %s", "ciphersuites", stunnel_ciphersuites, "(with TLSv1.3)");
+        break;
+    case CMD_PRINT_HELP:
+        s_log(LOG_NOTICE, "%-22s = permitted ciphersuites for TLS 1.3", "ciphersuites");
+        break;
+    }
+#endif /* TLS 1.3 */
+
     /* client */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
@@ -1710,31 +1763,30 @@
 
 #ifndef OPENSSL_NO_ECDH
 
-    /* curve */
-#define DEFAULT_CURVE NID_X9_62_prime256v1
+    /* curves */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->curve=DEFAULT_CURVE;
+        section->curves=str_dup_detached(DEFAULT_CURVES);
         break;
     case CMD_SET_COPY:
-        section->curve=new_service_options.curve;
+        section->curves=str_dup_detached(new_service_options.curves);
         break;
     case CMD_FREE:
+        str_free(section->curves);
         break;
     case CMD_SET_VALUE:
-        if(strcasecmp(opt, "curve"))
+        if(strcasecmp(opt, "curves") && strcasecmp(opt, "curve"))
             break;
-        section->curve=OBJ_txt2nid(arg);
-        if(section->curve==NID_undef)
-            return "Curve name not supported";
+        str_free(section->curves);
+        section->curves=str_dup_detached(arg);
         return NULL; /* OK */
     case CMD_INITIALIZE:
         break;
     case CMD_PRINT_DEFAULTS:
-        s_log(LOG_NOTICE, "%-22s = %s", "curve", OBJ_nid2ln(DEFAULT_CURVE));
+        s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
         break;
     case CMD_PRINT_HELP:
-        s_log(LOG_NOTICE, "%-22s = ECDH curve name", "curve");
+        s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
         break;
     }
 
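Review bot: The CMD_SET_VALUE case no longer validates its argument. The old code rejected unknown names through OBJ_txt2nid() with "Curve name not supported", while the new code stores arg unchecked, so a typo in the curves list is not reported when the option is parsed. If the list is validated later when the TLS context is built, a comment here pointing to that check would help; otherwise a parse-time error should be kept. The old "curve" spelling is still accepted as an alias, but CMD_PRINT_HELP lists only "curves".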
@@ -2346,10 +2398,12 @@
                 return tmp_str;
         }
         endpoints+=section->option.protocol_endpoint;
-#ifdef SSL_OP_NO_TICKET
+#if defined(SSL_OP_NO_TICKET) && OPENSSL_VERSION_NUMBER<0x10101000L
         /* disable RFC4507 support introduced in OpenSSL 0.9.8f */
-        /* session tickets do not support SSL_SESSION_*_ex_data() */
-        if(!section->option.connect_before_ssl) /* address cache can be used */
+        /* OpenSSL 1.1.1 is required to serialize application data
+         * into session tickets */
+        /* this is needed for connect address session persistence */
+        if(!section->option.connect_before_ssl)
             section->ssl_options_set|=SSL_OP_NO_TICKET;
 #endif
         break;
@@ -2633,9 +2687,11 @@
     case CMD_SET_VALUE:
         if(strcasecmp(opt, "redirect"))
             break;
-#ifdef SSL_OP_NO_TICKET
+#if defined(SSL_OP_NO_TICKET) && OPENSSL_VERSION_NUMBER<0x10101000L
         /* disable RFC4507 support introduced in OpenSSL 0.9.8f */
-        /* session tickets do not support SSL_SESSION_*_ex_data() */
+        /* OpenSSL 1.1.1 is required to serialize application data
+         * into session tickets */
+        /* this is needed for preserving authentication status */
         section->ssl_options_set|=SSL_OP_NO_TICKET;
 #endif
         name_list_append(&section->redirect_addr.names, arg);
@@ -3217,6 +3273,84 @@
     }
 #endif
 
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+
+    /* ticketKeySecret */
+    switch(cmd) {
+    case CMD_SET_DEFAULTS:
+        section->ticket_key=NULL;
+        break;
+    case CMD_SET_COPY:
+        section->ticket_key=key_dup(new_service_options.ticket_key);
+        break;
+    case CMD_FREE:
+        key_free(section->ticket_key);
+        break;
+    case CMD_SET_VALUE:
+        if(strcasecmp(opt, "ticketKeySecret"))
+            break;
+        section->ticket_key=key_read(arg, "ticketKeySecret");
+        if(!section->ticket_key)
+            return "Failed to read ticketKeySecret";
+        return NULL; /* OK */
+    case CMD_INITIALIZE:
+        if(!section->ticket_key)          /* ticketKeySecret not configured */
+            break;
+        if(section->option.client){
+            s_log(LOG_NOTICE,
+                    "ticketKeySecret is ignored in the client mode");
+            break;
+        }
+        if(section->ticket_key && !section->ticket_mac)
+            return "\"ticketKeySecret\" and \"ticketMacSecret\" must be set together";
+        break;
+    case CMD_PRINT_DEFAULTS:
+        break;
+    case CMD_PRINT_HELP:
+        s_log(LOG_NOTICE, "%-22s = secret key for encryption/decryption TLSv1.3 tickets",
+            "ticketKeySecret");
+        break;
+    }
+
+    /* ticketMacSecret */
+    switch(cmd) {
+    case CMD_SET_DEFAULTS:
+        section->ticket_mac=NULL;
+        break;
+    case CMD_SET_COPY:
+        section->ticket_mac=key_dup(new_service_options.ticket_mac);
+        break;
+    case CMD_FREE:
+        key_free(section->ticket_mac);
+        break;
+    case CMD_SET_VALUE:
+        if(strcasecmp(opt, "ticketMacSecret"))
+            break;
+        section->ticket_mac=key_read(arg, "ticketMacSecret");
+        if(!section->ticket_mac)
+            return "Failed to read ticketMacSecret";
+        return NULL; /* OK */
+    case CMD_INITIALIZE:
+        if(!section->ticket_mac)            /* ticketMacSecret not configured */
+            break;
+        if(section->option.client){
+            s_log(LOG_NOTICE,
+                    "ticketMacSecret is ignored in the client mode");
+            break;
+        }
+        if(section->ticket_mac && !section->ticket_key)
+            return "\"ticketKeySecret\" and \"ticketMacSecret\" must be set together";
+        break;
+    case CMD_PRINT_DEFAULTS:
+        break;
+    case CMD_PRINT_HELP:
+        s_log(LOG_NOTICE, "%-22s = key for HMAC operations on TLSv1.3 tickets",
+            "ticketMacSecret");
+        break;
+    }
+
+#endif /* OpenSSL 1.0.0 or later */
+
     /* TIMEOUTbusy */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
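Review bot: In both CMD_SET_VALUE cases the result of key_read() is assigned straight over section->ticket_key or section->ticket_mac without key_free() on the previous value, unlike the ciphersuites and curves options in this patch, which call str_free() first; a value inherited through CMD_SET_COPY, or an option given twice, is leaked. In CMD_INITIALIZE the test "section->ticket_key && !section->ticket_mac" repeats a check already made a few lines earlier and can be reduced to its second half (likewise for ticketMacSecret). The help strings mention TLSv1.3 tickets while the block is compiled for OpenSSL 1.0.0 or later, which is worth reconciling.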
@@ -3828,8 +3962,9 @@
 
 NOEXPORT PSK_KEYS *psk_read(char *key_file) {
     DISK_FILE *df;
-    char line[CONFLINELEN], *key_val;
-    unsigned key_len;
+    char line[CONFLINELEN], *key_str;
+    unsigned char *key_buf;
+    long key_len;
     PSK_KEYS *head=NULL, *tail=NULL, *curr;
     int line_number=0;
 
@@ -3844,8 +3979,8 @@
         ++line_number;
         if(!line[0]) /* empty line */
             continue;
-        key_val=strchr(line, ':');
-        if(!key_val) {
+        key_str=strchr(line, ':');
+        if(!key_str) {
             s_log(LOG_ERR,
                 "PSKsecrets line %d: Not in identity:key format",
                 line_number);
@@ -3853,8 +3988,7 @@
             psk_free(head);
             return NULL;
         }
-        *key_val++='\0';
-        key_len=(unsigned)strlen(key_val);
+        *key_str++='\0';
         if(strlen(line)+1>PSK_MAX_IDENTITY_LEN) { /* with the trailing '\0' */
             s_log(LOG_ERR,
                 "PSKsecrets line %d: Identity longer than %d characters",
@@ -3863,27 +3997,44 @@
             psk_free(head);
             return NULL;
         }
+        key_buf=OPENSSL_hexstr2buf(key_str, &key_len);
+        if(key_buf) { /* a valid hexadecimal value */
+            s_log(LOG_INFO, "PSKsecrets line %d: "
+                "%ld-byte hexadecimal key configured for identity \"%s\"",
+                line_number, key_len, line);
+        } else { /* not a valid hexadecimal value -> copy as a string */
+            key_len=(long)strlen(key_str);
+            key_buf=OPENSSL_malloc((size_t)key_len);
+            memcpy(key_buf, key_str, (size_t)key_len);
+            s_log(LOG_INFO, "PSKsecrets line %d: "
+                "%ld-byte ASCII key configured for identity \"%s\"",
+                line_number, key_len, line);
+        }
         if(key_len>PSK_MAX_PSK_LEN) {
             s_log(LOG_ERR,
-                "PSKsecrets line %d: Key longer than %d characters",
+                "PSKsecrets line %d: Key longer than %d bytes",
                 line_number, PSK_MAX_PSK_LEN);
+            OPENSSL_free(key_buf);
             file_close(df);
             psk_free(head);
             return NULL;
         }
-        if(key_len<20) {
+        if(key_len<16) {
             /* shorter keys are unlikely to have sufficient entropy */
             s_log(LOG_ERR,
-                "PSKsecrets line %d: Key shorter than 20 characters",
+                "PSKsecrets line %d: Key shorter than 16 bytes",
                 line_number);
+            OPENSSL_free(key_buf);
             file_close(df);
             psk_free(head);
             return NULL;
         }
         curr=str_alloc_detached(sizeof(PSK_KEYS));
         curr->identity=str_dup_detached(line);
-        curr->key_val=(unsigned char *)str_dup_detached(key_val);
-        curr->key_len=key_len;
+        curr->key_val=str_alloc_detached((size_t)key_len);
+        memcpy(curr->key_val, key_buf, (size_t)key_len);
+        OPENSSL_free(key_buf);
+        curr->key_len=(unsigned)key_len;
         curr->next=NULL;
         if(head)
             tail->next=curr;
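Review bot: The result of OPENSSL_malloc((size_t)key_len) in the ASCII fallback is passed to memcpy() without a NULL check. The fallback also changes how existing PSKsecrets files are read: a key made up only of hexadecimal digits used to be taken as its ASCII characters and is now decoded to binary, so a 20-character hex-only key becomes 10 bytes and is rejected by the new 16-byte minimum, while a hex key containing a typo silently becomes an ASCII key with only a LOG_INFO line to tell the two cases apart. Both the reinterpretation and the change of the minimum from 20 characters to 16 bytes should be called out in the release notes. key_buf holds key material and is released with plain OPENSSL_free(); clearing it before freeing would be safer.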
@@ -3898,10 +4049,11 @@
 NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src) {
     PSK_KEYS *head=NULL, *tail=NULL, *curr;
 
-    while(src) {
+    for(; src; src=src->next) {
         curr=str_alloc_detached(sizeof(PSK_KEYS));
         curr->identity=str_dup_detached(src->identity);
-        curr->key_val=(unsigned char *)str_dup_detached((char *)src->key_val);
+        curr->key_val=str_alloc_detached(src->key_len);
+        memcpy(curr->key_val, src->key_val, src->key_len);
         curr->key_len=src->key_len;
         curr->next=NULL;
         if(head)
@@ -3925,6 +4077,61 @@
 
 #endif
 
+/**************************************** read ticket key */
+
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+
+NOEXPORT TICKET_KEY *key_read(char *arg, char *option) {
+    char *key_str;
+    unsigned char *key_buf;
+    long key_len;
+    TICKET_KEY *head=NULL;
+
+    key_str=str_dup_detached(arg);
+    key_buf=OPENSSL_hexstr2buf(key_str, &key_len);
+    if(key_buf)
+        if((key_len == 16) || (key_len == 32)) /* a valid 16 or 32 byte hexadecimal value */
+            s_log(LOG_INFO, "%s configured", option);
+        else { /* not a valid length */
+            s_log(LOG_ERR, "%s value has %ld bytes instead of required 16 or 32 bytes",
+                option, key_len);
+            OPENSSL_free(key_buf);
+            key_free(head);
+            return NULL;
+        }
+    else { /* not a valid hexadecimal form */
+        s_log(LOG_ERR, "Required %s is 16 or 32 byte hexadecimal key", option);
+        key_free(head);
+        return NULL;
+    }
+    head=str_alloc_detached(sizeof(TICKET_KEY));
+    head->key_val=str_alloc_detached((size_t)key_len);
+    memcpy(head->key_val, key_buf, (size_t)key_len);
+    OPENSSL_free(key_buf);
+    head->key_len=(int)key_len;
+    return head;
+}
+
+NOEXPORT TICKET_KEY *key_dup(TICKET_KEY *src) {
+    TICKET_KEY *head=NULL;
+
+    if (src) {
+        head=str_alloc_detached(sizeof(TICKET_KEY));
+        head->key_val=(unsigned char *)str_dup_detached((char *)src->key_val);
+        head->key_len=src->key_len;
+    }
+    return head;
+}
+
+NOEXPORT void key_free(TICKET_KEY *head) {
+    if (head) {
+        str_free(head->key_val);
+        str_free(head);
+    }
+}
+
+#endif /* OpenSSL 1.0.0 or later */
+
 /**************************************** socket options */
 
 #define VAL_TAB {NULL, NULL, NULL}
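Review bot: key_dup() copies the binary key with str_dup_detached((char *)src->key_val), which stops at the first zero byte and reads past the end of the buffer when there is none, because key_read() allocates exactly key_len bytes with no terminator. This is the same pattern the psk_dup() hunk above replaces with str_alloc_detached() plus memcpy(), and the same fix applies here. In key_read(), key_str from str_dup_detached(arg) is never freed, key_free(head) is only ever called while head is still NULL, and the unbraced if/else chain relies on dangling-else binding, so braces around the outer if would be safer. OPENSSL_hexstr2buf() was added in OpenSSL 1.1.0, so unless a compatibility definition is provided elsewhere, the OPENSSL_VERSION_NUMBER>=0x10000000L guard needs raising or a fallback for 1.0.x.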
diff -Nru stunnel4-5.50/src/os2.mak stunnel4-5.54~b3/src/os2.mak
--- stunnel4-5.50/src/os2.mak	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/os2.mak	2019-04-13 16:58:50.000000000 +0300
@@ -1,11 +1,11 @@
 prefix=.
 DEFS = -DPACKAGE_NAME=\"stunnel\" \
 	-DPACKAGE_TARNAME=\"stunnel\" \
-	-DPACKAGE_VERSION=\"5.50\" \
-	-DPACKAGE_STRING=\"stunnel\ 5.50\" \
+	-DPACKAGE_VERSION=\"5.54\" \
+	-DPACKAGE_STRING=\"stunnel\ 5.54\" \
 	-DPACKAGE_BUGREPORT=\"\" \
 	-DPACKAGE=\"stunnel\" \
-	-DVERSION=\"5.50\" \
+	-DVERSION=\"5.54\" \
 	-DSTDC_HEADERS=1 \
 	-DHAVE_SYS_TYPES_H=1 \
 	-DHAVE_SYS_STAT_H=1 \
diff -Nru stunnel4-5.50/src/protocol.c stunnel4-5.54~b3/src/protocol.c
--- stunnel4-5.50/src/protocol.c	2018-07-03 00:30:10.000000000 +0300
+++ stunnel4-5.54~b3/src/protocol.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -711,6 +711,11 @@
         break;
     case PROTOCOL_LATE:
         if(opt->protocol_username && opt->protocol_password) {
+            char *line;
+
+            ssl_putline(c, "HELO localhost");
+            line=ssl_getline(c); /* ignore the reply */
+            str_free(line);
             if(!strcasecmp(c->opt->protocol_authentication, "LOGIN"))
                 smtp_client_login(c,
                     opt->protocol_username, opt->protocol_password);
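Review bot: The added greeting uses HELO, but the authentication that follows it (smtp_client_login) relies on AUTH, an ESMTP extension that a server is only expected to offer after EHLO; sending "EHLO localhost" would be the safer choice. The reply is read and discarded without looking at its status code, so a rejected greeting only shows up later as an authentication failure; logging the line at debug level before str_free(line) would make that diagnosable.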
@@ -838,7 +843,7 @@
         return NULL;
 
     /* detect RFC 2487 */
-    s_poll_init(c->fds);
+    s_poll_init(c->fds, 0);
     s_poll_add(c->fds, c->local_rfd.fd, 1, 0);
     switch(s_poll_wait(c->fds, 0, 200)) { /* wait up to 200ms */
     case 0: /* fd not ready to read */
@@ -993,7 +998,7 @@
         opt->option.connect_before_ssl=1; /* c->remote_fd needed */
     if(phase!=PROTOCOL_MIDDLE)
         return NULL;
-    s_poll_init(c->fds);
+    s_poll_init(c->fds, 0);
     s_poll_add(c->fds, c->local_rfd.fd, 1, 0);
     switch(s_poll_wait(c->fds, 0, 200)) {
     case 0: /* fd not ready to read */
diff -Nru stunnel4-5.50/src/prototypes.h stunnel4-5.54~b3/src/prototypes.h
--- stunnel4-5.50/src/prototypes.h	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/src/prototypes.h	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -40,6 +40,10 @@
 
 #include "common.h"
 
+#if defined(USE_PTHREAD) || defined(USE_WIN32)
+#define USE_OS_THREADS
+#endif
+
 /**************************************** forward declarations */
 
 typedef struct tls_data_struct TLS_DATA;
@@ -47,6 +51,13 @@
 
 /**************************************** data structures */
 
+#ifdef USE_PTHREAD
+    typedef pthread_t THREAD_ID;
+#endif
+#ifdef USE_WIN32
+    typedef HANDLE THREAD_ID;
+#endif
+
 #if defined (USE_WIN32)
 #define ICON_IMAGE HICON
 #elif defined(__APPLE__)
@@ -175,6 +186,13 @@
 } PSK_TABLE;
 #endif /* !defined(OPENSSL_NO_PSK) */
 
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+typedef struct ticket_key_struct {
+    unsigned char *key_val;
+    int key_len;
+} TICKET_KEY;
+#endif /* OpenSSL 1.0.0 or later */
+
 typedef struct service_options_struct {
     struct service_options_struct *next;   /* next node in the services list */
     SSL_CTX *ctx;                                            /*  TLS context */
@@ -216,6 +234,9 @@
 
         /* service-specific data for ctx.c */
     char *cipher_list;
+#ifndef OPENSSL_NO_TLS1_3
+    char *ciphersuites;
+#endif /* TLS 1.3 */
     char *cert;                                             /* cert filename */
     char *key;                               /* pem (priv key/cert) filename */
     long session_size, session_timeout;
@@ -239,11 +260,15 @@
     PSK_TABLE psk_sorted;
 #endif /* !defined(OPENSSL_NO_PSK) */
 #ifndef OPENSSL_NO_ECDH
-    int curve;
+    char *curves;
 #endif /* !defined(OPENSSL_NO_ECDH) */
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *engine;                        /* engine to read the private key */
 #endif /* !defined(OPENSSL_NO_ENGINE) */
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+    TICKET_KEY *ticket_key;              /* key for handling session tickets */
+    TICKET_KEY *ticket_mac;            /* key for protecting session tickets */
+#endif /* OpenSSL 1.0.0 or later */
 
         /* service-specific data for client.c */
     char *exec_name;                          /* program name for local mode */
@@ -365,6 +390,7 @@
     unsigned allocated;
 #endif
 #endif
+    int main_thread;
 } s_poll_set;
 
 typedef struct disk_file {
@@ -389,13 +415,20 @@
     RENEG_DETECTED /* renegotiation detected */
 } RENEG_STATE;
 
-typedef struct {
+typedef struct client_data_struct {
     jmp_buf *exception_pointer;
 
     SSL *ssl;                                              /* TLS connection */
     SERVICE_OPTIONS *opt;
     TLS_DATA *tls;
 
+#ifdef USE_OS_THREADS
+    THREAD_ID thread_id;
+#endif
+#ifndef USE_FORK
+    struct client_data_struct *thread_prev, *thread_next;
+#endif
+
     SOCKADDR_UNION peer_addr;                                /* peer address */
     socklen_t peer_addr_len;
     char *accepted_address;    /* textual representation of the peer address */
@@ -429,6 +462,8 @@
 extern int max_clients;
 extern int num_clients;
 #endif
+extern SOCKET signal_pipe[2];
+extern SOCKET terminate_pipe[2];
 
 void main_init(void);
 int main_configure(char *, char *);
@@ -501,6 +536,10 @@
 
 /**************************************** prototypes for cron.c */
 
+#ifdef USE_OS_THREADS
+extern THREAD_ID cron_thread_id;
+#endif
+
 int cron_init(void);
 
 /**************************************** prototypes for ssl.c */
@@ -538,7 +577,7 @@
 
 s_poll_set *s_poll_alloc(void);
 void s_poll_free(s_poll_set *);
-void s_poll_init(s_poll_set *);
+void s_poll_init(s_poll_set *, int);
 void s_poll_add(s_poll_set *, SOCKET, int, int);
 void s_poll_remove(s_poll_set *, SOCKET);
 int s_poll_canread(s_poll_set *, SOCKET);
@@ -548,15 +587,18 @@
 int s_poll_err(s_poll_set *, SOCKET);
 int s_poll_wait(s_poll_set *, int, int);
 void s_poll_dump(s_poll_set *, int);
+void s_poll_sleep(int, int);
 
 #ifdef USE_WIN32
-#define SIGNAL_RELOAD_CONFIG    1
-#define SIGNAL_REOPEN_LOG       2
-#define SIGNAL_TERMINATE        3
+#define SIGNAL_TERMINATE        1
+#define SIGNAL_RELOAD_CONFIG    2
+#define SIGNAL_REOPEN_LOG       3
+#define SIGNAL_CONNECTIONS      4
 #else
+#define SIGNAL_TERMINATE        SIGTERM
 #define SIGNAL_RELOAD_CONFIG    SIGHUP
 #define SIGNAL_REOPEN_LOG       SIGUSR1
-#define SIGNAL_TERMINATE        SIGTERM
+#define SIGNAL_CONNECTIONS      SIGUSR2
 #endif
 
 int socket_options_set(SERVICE_OPTIONS *, SOCKET, int);
@@ -571,8 +613,9 @@
 #else
 void *
 #endif
-client_thread(void *);
+    client_thread(void *);
 void client_main(CLI *);
+void client_free(CLI *);
 void throw_exception(CLI *, int) NORETURN;
 
 /**************************************** prototypes for network.c */
@@ -659,8 +702,8 @@
 
 /**************************************** prototypes for sthreads.c */
 
-#if defined(USE_PTHREAD) || defined(USE_WIN32)
-#define USE_OS_THREADS
+#ifndef USE_FORK
+extern CLI *thread_head;
 #endif
 
 #if OPENSSL_VERSION_NUMBER<0x10100004L
@@ -690,6 +733,7 @@
 #endif /* OPENSSL_VERSION_NUMBER<0x10100004L */
 
 typedef enum {
+    LOCK_THREAD_LIST,                       /* sthreads.c */
     LOCK_SESSION, LOCK_ADDR,
     LOCK_CLIENTS, LOCK_SSL,                 /* client.c */
     LOCK_REF,                               /* options.c */
@@ -725,6 +769,7 @@
 unsigned long stunnel_process_id(void);
 unsigned long stunnel_thread_id(void);
 int create_client(SOCKET, SOCKET, CLI *);
+
 #ifdef USE_UCONTEXT
 typedef struct CONTEXT_STRUCTURE {
     char *stack; /* CPU stack for this thread */
@@ -739,10 +784,12 @@
 extern CONTEXT *ready_head, *ready_tail;
 extern CONTEXT *waiting_head, *waiting_tail;
 #endif
+
 #ifdef _WIN32_WCE
 long _beginthread(void (*)(void *), int, void *);
 void _endthread(void);
 #endif
+
 #ifdef DEBUG_STACK_SIZE
 void stack_info(size_t, int);
 void ignore_value(void *);
diff -Nru stunnel4-5.50/src/pty.c stunnel4-5.54~b3/src/pty.c
--- stunnel4-5.50/src/pty.c	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/pty.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/resolver.c stunnel4-5.54~b3/src/resolver.c
--- stunnel4-5.50/src/resolver.c	2018-07-03 00:30:10.000000000 +0300
+++ stunnel4-5.54~b3/src/resolver.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -255,7 +255,7 @@
         }
         if(err==EAI_AGAIN && ++retry<=3) {
             s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying");
-            sleep(1);
+            s_poll_sleep(1, 0);
             continue;
         }
 #ifdef AI_ADDRCONFIG
@@ -320,7 +320,7 @@
 }
 
 unsigned addrlist_resolve(SOCKADDR_LIST *addr_list) {
-    unsigned num=0, rnd;
+    unsigned num=0, rnd=0;
     NAME_LIST *host;
 
     addrlist_reset(addr_list);
@@ -358,16 +358,20 @@
 }
 
 socklen_t addr_len(const SOCKADDR_UNION *addr) {
-    if(addr->sa.sa_family==AF_INET)
+    switch(addr->sa.sa_family) {
+    case AF_UNSPEC: /* 0 */
+        return 0;
+    case AF_INET: /* 2 (almost universally) */
         return sizeof(struct sockaddr_in);
 #ifdef USE_IPv6
-    if(addr->sa.sa_family==AF_INET6)
+    case AF_INET6:
         return sizeof(struct sockaddr_in6);
 #endif
 #ifdef HAVE_STRUCT_SOCKADDR_UN
-    if(addr->sa.sa_family==AF_UNIX)
+    case AF_UNIX:
         return sizeof(struct sockaddr_un);
 #endif
+    }
     s_log(LOG_ERR, "INTERNAL ERROR: Unknown sa_family: %d",
         addr->sa.sa_family);
     return sizeof(SOCKADDR_UNION);
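Review bot: the new AF_UNSPEC case returns a length of 0 without logging anything, so any caller that hands addr_len() straight to bind() or s_ntop() now gets a zero length for an unset address where it used to get sizeof(SOCKADDR_UNION) plus an INTERNAL ERROR line. A comment saying which callers legitimately pass an AF_UNSPEC address would help. The switch also has no default label, so the unknown-family handling sits after the closing brace; moving the s_log() and the final return under default: would make the fall-through explicit.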
diff -Nru stunnel4-5.50/src/resources.h stunnel4-5.54~b3/src/resources.h
--- stunnel4-5.50/src/resources.h	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/resources.h	2019-04-13 16:58:50.000000000 +0300
@@ -22,8 +22,9 @@
 
 #define IDM_SAVE_LOG        40
 #define IDM_REOPEN_LOG      41
-#define IDM_EDIT_CONFIG     42
-#define IDM_RELOAD_CONFIG   43
+#define IDM_CONNECTIONS     42
+#define IDM_EDIT_CONFIG     43
+#define IDM_RELOAD_CONFIG   44
 
 #define IDM_ABOUT           50
 #define IDM_MANPAGE         51
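Review bot: IDM_CONNECTIONS takes 42 and pushes IDM_EDIT_CONFIG and IDM_RELOAD_CONFIG to 43 and 44, so two existing command IDs change value. That is harmless only if nothing refers to them numerically. Giving IDM_CONNECTIONS the previously unused value 44 would have added the menu entry without renumbering anything.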
diff -Nru stunnel4-5.50/src/resources.rc stunnel4-5.54~b3/src/resources.rc
--- stunnel4-5.50/src/resources.rc	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/resources.rc	2019-04-13 16:58:50.000000000 +0300
@@ -19,7 +19,7 @@
             VALUE "FileDescription",    "stunnel - TLS offloading and load-balancing proxy"
             VALUE "FileVersion",        STUNNEL_VERSION
             VALUE "InternalName",       "stunnel"
-            VALUE "LegalCopyright",     "� by Michal Trojnara, 1998-2018"
+            VALUE "LegalCopyright",     "� by Michal Trojnara, 1998-2019"
             VALUE "OriginalFilename",   "stunnel.exe"
             VALUE "ProductName",        STUNNEL_PRODUCTNAME
             VALUE "ProductVersion",     STUNNEL_VERSION
@@ -42,6 +42,7 @@
     BEGIN
         MENUITEM "&Save Log As",            IDM_SAVE_LOG
         MENUITEM "Reopen &Log File",        IDM_REOPEN_LOG, GRAYED
+        MENUITEM "Co&nnections",            IDM_CONNECTIONS
         MENUITEM SEPARATOR
         MENUITEM "E&xit",                   IDM_EXIT
         MENUITEM SEPARATOR
@@ -53,8 +54,8 @@
     POPUP "&Configuration"
 #endif
     BEGIN
-        MENUITEM "&Edit Configuration",      IDM_EDIT_CONFIG
-        MENUITEM "&Reload Configuration",    IDM_RELOAD_CONFIG
+        MENUITEM "&Edit Configuration",     IDM_EDIT_CONFIG
+        MENUITEM "&Reload Configuration",   IDM_RELOAD_CONFIG
     END
 #ifdef _WIN32_WCE
     POPUP "&Save Peer Certs"
@@ -79,15 +80,17 @@
     BEGIN
         MENUITEM "Show Log &Window",        IDM_SHOW_LOG
         MENUITEM SEPARATOR
+        MENUITEM "Reopen &Log File",        IDM_REOPEN_LOG, GRAYED
+        MENUITEM "Co&nnections",            IDM_CONNECTIONS
+        MENUITEM SEPARATOR
+        MENUITEM "&Edit Configuration",     IDM_EDIT_CONFIG
+        MENUITEM "&Reload Configuration",   IDM_RELOAD_CONFIG
+        MENUITEM SEPARATOR
         POPUP "&Save Peer Certificate"
         BEGIN
             MENUITEM "dummy",               0, GRAYED
         END
         MENUITEM SEPARATOR
-        MENUITEM "&Edit Configuration",      IDM_EDIT_CONFIG
-        MENUITEM "&Reload Configuration",    IDM_RELOAD_CONFIG
-        MENUITEM "Reopen &Log File",        IDM_REOPEN_LOG, GRAYED
-        MENUITEM SEPARATOR
         MENUITEM "&Homepage",               IDM_HOMEPAGE
         MENUITEM "&Manual",                 IDM_MANPAGE
         MENUITEM "&About",                  IDM_ABOUT
@@ -104,7 +107,7 @@
     ICON            IDI_STUNNEL_MAIN, -1,                        6,  6,  20, 20
     LTEXT           "stunnel version", -1,                      30,  4,  49,  8
     LTEXT           STUNNEL_VERSION, -1,                        79,  4,  57,  8
-    LTEXT           "� by Michal Trojnara, 1998-2018", -1,      30, 12, 106,  8
+    LTEXT           "� by Michal Trojnara, 1998-2019", -1,      30, 12, 106,  8
     LTEXT           "All Rights Reserved", -1,                  30, 20, 106,  8
     LTEXT           "Licensed under the GNU GPL version 2", -1,  4, 28, 132,  8
     LTEXT           "with a special exception for OpenSSL", -1,  4, 36, 132,  8
diff -Nru stunnel4-5.50/src/ssl.c stunnel4-5.54~b3/src/ssl.c
--- stunnel4-5.50/src/ssl.c	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/ssl.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/sthreads.c stunnel4-5.54~b3/src/sthreads.c
--- stunnel4-5.50/src/sthreads.c	2018-11-06 15:25:39.000000000 +0200
+++ stunnel4-5.54~b3/src/sthreads.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -43,6 +43,11 @@
 #include "common.h"
 #include "prototypes.h"
 
+#ifndef USE_FORK
+CLI *thread_head=NULL;
+NOEXPORT void thread_list_add(CLI *);
+#endif
+
 /**************************************** thread ID callbacks */
 
 #ifdef USE_UCONTEXT
@@ -458,6 +463,7 @@
     context->context.uc_stack.ss_flags=0;
 
     makecontext(&context->context, (void(*)(void))client_thread, ARGC, arg);
+    thread_list_add(arg);
     s_log(LOG_DEBUG, "New context created");
     return 0;
 }
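Review bot: thread_list_add(arg) is called here without LOCK_THREAD_LIST, while the pthread and Win32 create_client() variants in this patch take the write lock around it. If that is intentional because ucontext threads are scheduled cooperatively, a one-line comment at the call should say so, since process_connections() walks the same list under the lock for every non-fork threading model.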
@@ -502,14 +508,25 @@
 
 #ifdef USE_PTHREAD
 
+NOEXPORT void *dummy_thread(void *arg) {
+    pthread_exit(arg);
+    return arg;
+}
+
 int sthreads_init(void) {
+    pthread_t thread_id;
+
+    /* this is a workaround for NPTL threads failing to invoke
+     * pthread_exit() or pthread_cancel() from a chroot jail */
+    if(!pthread_create(&thread_id, NULL, dummy_thread, NULL))
+        pthread_join(thread_id, NULL);
+
     thread_id_init();
     locking_init();
     return 0;
 }
 
 int create_client(SOCKET ls, SOCKET s, CLI *arg) {
-    pthread_t thread;
     pthread_attr_t pth_attr;
     int error;
 #if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
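Review bot: in sthreads_init() a failing pthread_create() for the dummy thread is silently ignored, so the chroot workaround can be skipped without any trace in the log. An s_log() on the failure path would make that visible. The comment states which problem is worked around but not why starting and joining one thread before the chroot helps; one more sentence there would save the next reader the research. The return after pthread_exit() in dummy_thread() is unreachable and deserves a note that it only exists to satisfy the compiler, if that is the reason.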
@@ -528,22 +545,25 @@
     pthread_sigmask(SIG_SETMASK, &new_set, &old_set); /* block signals */
 #endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
     pthread_attr_init(&pth_attr);
-    pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED);
     pthread_attr_setstacksize(&pth_attr, arg->opt->stack_size);
-    error=pthread_create(&thread, &pth_attr, client_thread, arg);
+
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    error=pthread_create(&arg->thread_id, &pth_attr, client_thread, arg);
     pthread_attr_destroy(&pth_attr);
 #if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__)
     pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */
 #endif /* HAVE_PTHREAD_SIGMASK && !__APPLE__*/
-
     if(error) {
         errno=error;
         ioerror("pthread_create");
+        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
         str_free(arg);
         if(s>=0)
             closesocket(s);
         return -1;
     }
+    thread_list_add(arg);
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
     return 0;
 }
 
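Review bot: with PTHREAD_CREATE_DETACHED removed, every client thread is now joinable, and the only pthread_join() visible in this part of the patch is the one in main_cleanup() at shutdown. A thread that finishes during normal operation has to detach itself or be joined and has to leave the thread list, otherwise thread resources accumulate for the lifetime of the process; please point to where that happens or add it. LOCK_THREAD_LIST is also held across pthread_create(), pthread_attr_destroy() and the pthread_sigmask() restore, which is wider than the list update needs; a comment explaining that this keeps the new thread from touching the list before thread_list_add() has run would justify it.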
@@ -562,20 +582,22 @@
 }
 
 int create_client(SOCKET ls, SOCKET s, CLI *arg) {
-    HANDLE thread;
-
     (void)ls; /* this parameter is only used with USE_FORK */
     s_log(LOG_DEBUG, "Creating a new thread");
-    thread=(HANDLE)_beginthreadex(NULL, (unsigned)arg->opt->stack_size,
-        client_thread, arg, STACK_SIZE_PARAM_IS_A_RESERVATION, NULL);
-    if(!thread) {
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    arg->thread_id=(HANDLE)_beginthreadex(NULL,
+        (unsigned)arg->opt->stack_size, client_thread, arg,
+        STACK_SIZE_PARAM_IS_A_RESERVATION, NULL);
+    if(!arg->thread_id) {
         ioerror("_beginthreadex");
+        CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
         str_free(arg);
         if(s!=INVALID_SOCKET)
             closesocket(s);
         return -1;
     }
-    CloseHandle(thread);
+    thread_list_add(arg);
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
     s_log(LOG_DEBUG, "New thread created");
     return 0;
 }
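Review bot: CloseHandle(thread) is removed and the handle now lives in arg->thread_id, so ownership of the handle moves to whoever frees the CLI structure. The only CloseHandle() on these handles visible in this part of the patch is in main_cleanup(), which covers threads still running at shutdown; the path taken by a thread that ends on its own needs the same call, or the process leaks one handle per connection.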
@@ -723,4 +745,14 @@
 
 #endif /* DEBUG_STACK_SIZE */
 
+#ifndef USE_FORK
+NOEXPORT void thread_list_add(CLI *c) {
+    c->thread_next=thread_head;
+    c->thread_prev=NULL;
+    if(thread_head)
+        thread_head->thread_prev=c;
+    thread_head=c;
+}
+#endif /* !USE_FORK */
+
 /* end of sthreads.c */
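Review bot: thread_list_add() modifies thread_head and the prev/next links with no locking of its own, so it relies on the caller holding LOCK_THREAD_LIST, and nothing in the function says so. A comment stating that precondition above the definition would prevent a later caller from adding to the list unlocked. The matching removal helper is not part of this hunk; it should carry the same note.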
diff -Nru stunnel4-5.50/src/str.c stunnel4-5.54~b3/src/str.c
--- stunnel4-5.50/src/str.c	2018-08-09 08:43:52.000000000 +0300
+++ stunnel4-5.54~b3/src/str.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/stunnel.c stunnel4-5.54~b3/src/stunnel.c
--- stunnel4-5.50/src/stunnel.c	2018-10-23 14:24:33.000000000 +0300
+++ stunnel4-5.54~b3/src/stunnel.c	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -79,13 +79,15 @@
 #ifdef HAVE_CHROOT
 NOEXPORT int change_root(void);
 #endif
-NOEXPORT int signal_pipe_init(void);
+NOEXPORT int pipe_init(SOCKET [2], char *);
 NOEXPORT int signal_pipe_dispatch(void);
+NOEXPORT int process_connections(void);
 NOEXPORT char *signal_name(int);
 
 /**************************************** global variables */
 
-static SOCKET signal_pipe[2]={INVALID_SOCKET, INVALID_SOCKET};
+SOCKET signal_pipe[2]={INVALID_SOCKET, INVALID_SOCKET};
+SOCKET terminate_pipe[2]={INVALID_SOCKET, INVALID_SOCKET};
 
 #ifndef USE_FORK
 int max_clients=0;
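Review bot: dropping static from signal_pipe and adding terminate_pipe next to it turns both into external symbols. They need matching extern declarations in a shared header rather than ad hoc ones in the files that use them, and a comment here on which thread writes and which threads read each end would document the new shutdown path. The prototype added above is process_connections(void), while the definition later in this file is written process_connections() with empty parentheses; the two should match.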
@@ -125,9 +127,12 @@
     get_limits(); /* required by setup_fd() */
 #endif
     fds=s_poll_alloc();
-    if(signal_pipe_init())
+    if(pipe_init(signal_pipe, "signal_pipe"))
         fatal("Signal pipe initialization failed: "
             "check your personal firewall");
+    if(pipe_init(terminate_pipe, "terminate_pipe"))
+        fatal("Terminate pipe initialization failed: "
+            "check your personal firewall");
     stunnel_info(LOG_NOTICE);
     if(systemd_fds>0)
         s_log(LOG_INFO, "Systemd socket activation: %d descriptors received",
@@ -210,7 +215,55 @@
     return 0;
 }
 
+#ifdef __GNUC__
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || defined(__clang__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-result"
+#endif /* __GNUC__>=4.6 */
+#endif /* __GNUC__ */
 void main_cleanup() {
+#ifdef USE_OS_THREADS
+    CLI *c;
+    unsigned i, threads;
+    THREAD_ID *thread_list;
+
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    threads=0;
+    for(c=thread_head; c; c=c->thread_next) /* count client threads */
+        threads++;
+    thread_list=str_alloc((threads+1)*sizeof(THREAD_ID));
+    i=0;
+    for(c=thread_head; c; c=c->thread_next) { /* copy client threads */
+        thread_list[i++]=c->thread_id;
+        s_log(LOG_DEBUG, "Terminating a thread for [%s]", c->opt->servname);
+    }
+    if(cron_thread_id) { /* append cron_thread_id if used */
+        thread_list[threads++]=cron_thread_id;
+        s_log(LOG_DEBUG, "Terminating the cron thread");
+    }
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
+
+    if(threads) {
+        s_log(LOG_NOTICE, "Terminating %u service thread(s)", threads);
+        writesocket(terminate_pipe[1], "", 1);
+        for(i=0; i<threads; ++i) { /* join client threads */
+#ifdef USE_PTHREAD
+            if(pthread_join(thread_list[i], NULL))
+                s_log(LOG_ERR, "pthread_join() failed");
+#endif
+#ifdef USE_WIN32
+            if(WaitForSingleObject(thread_list[i], INFINITE)==WAIT_FAILED)
+                ioerror("WaitForSingleObject");
+            if(!CloseHandle(thread_list[i]))
+                ioerror("CloseHandle");
+#endif
+        }
+        s_log(LOG_NOTICE, "Service threads terminated");
+    }
+
+    str_free(thread_list);
+#endif /* USE_OS_THREADS */
+
     unbind_ports();
     s_poll_free(fds);
     fds=NULL;
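Review bot: the result of writesocket(terminate_pipe[1], "", 1) in main_cleanup() is discarded, and -Wunused-result is switched off around the function to hide that. If the write fails, the loop below blocks in pthread_join() or WaitForSingleObject(..., INFINITE) with nothing to wake the client threads, so shutdown hangs. Checking the return value, logging the failure and skipping the join would be safer than silencing the warning. The thread IDs are also copied under LOCK_THREAD_LIST and joined after the lock is released; if a client thread can exit and release its ID in that window, the join acts on a stale ID, so the comment should say why that cannot happen.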
@@ -220,6 +273,11 @@
     log_flush(LOG_MODE_ERROR);
     log_close(SINK_SYSLOG|SINK_OUTFILE);
 }
+#ifdef __GNUC__
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
+#pragma GCC diagnostic pop
+#endif /* __GNUC__>=4.6 */
+#endif /* __GNUC__ */
 
 /**************************************** Unix-specific initialization */
 
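Review bot: the guard on this pragma pop does not match the guard on the push in front of main_cleanup(). The push is enabled by "__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || defined(__clang__)", the pop only by the version test without defined(__clang__). A clang that reports a GCC version below 4.6 will push, ignore -Wunused-result and never pop, leaving the warning disabled for the rest of stunnel.c. The same condition should be used in both places.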
@@ -400,8 +458,7 @@
 void unbind_ports(void) {
     SERVICE_OPTIONS *opt;
 
-    s_poll_init(fds);
-    s_poll_add(fds, signal_pipe[0], 1, 0);
+    s_poll_init(fds, 1);
 
     CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_SECTIONS]);
 
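Review bot: s_poll_init(fds, 1) replaces the explicit s_poll_add(fds, signal_pipe[0], 1, 0), and the meaning of the bare 1 is not evident at the call site; the OCSP loop in verify.c passes 0. A named constant or a short comment at each call saying which descriptors the second argument registers would keep the call sites readable, especially now that terminate_pipe exists next to signal_pipe.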
@@ -487,8 +544,7 @@
     libwrap_init();
 #endif /* USE_LIBWRAP */
 
-    s_poll_init(fds);
-    s_poll_add(fds, signal_pipe[0], 1, 0);
+    s_poll_init(fds, 1);
 
     /* allow clean unbind_ports() even though
        bind_ports() was not fully performed */
@@ -541,7 +597,6 @@
 NOEXPORT SOCKET bind_port(SERVICE_OPTIONS *opt, int listening_section, unsigned i) {
     SOCKET fd;
     SOCKADDR_UNION *addr=opt->local_addr.addr+i;
-    char *local_address;
 #ifdef HAVE_STRUCT_SOCKADDR_UN
     struct stat sb; /* buffer for lstat() */
 #endif
@@ -564,21 +619,22 @@
         return INVALID_SOCKET;
     }
 
-    /* local socket can't be unnamed */
-    local_address=s_ntop(addr, addr_len(addr));
     /* we don't bind or listen on a socket inherited from systemd */
     if(listening_section>=systemd_fds) {
         if(bind(fd, &addr->sa, addr_len(addr))) {
             int err=get_last_socket_error();
+            char *requested_bind_address;
+
+            /* local socket can't be unnamed */
+            requested_bind_address=s_ntop(addr, addr_len(addr));
             s_log(LOG_NOTICE, "Binding service [%s] to %s: %s (%d)",
-                opt->servname, local_address, s_strerror(err), err);
-            str_free(local_address);
+                opt->servname, requested_bind_address, s_strerror(err), err);
+            str_free(requested_bind_address);
             closesocket(fd);
             return INVALID_SOCKET;
         }
         if(listen(fd, SOMAXCONN)) {
             sockerror("listen");
-            str_free(local_address);
             closesocket(fd);
             return INVALID_SOCKET;
         }
@@ -608,9 +664,21 @@
     }
 #endif
 
-    s_log(LOG_INFO, "Service [%s] (FD=%ld) bound to %s",
-        opt->servname, (long)fd, local_address);
-    str_free(local_address);
+    {
+        SOCKADDR_UNION assigned_addr;
+        socklen_t assigned_addr_len=sizeof assigned_addr;
+        char *assigned_bind_address;
+
+        if(getsockname(fd, &assigned_addr.sa, &assigned_addr_len)) {
+            sockerror("getsockname");
+            closesocket(fd);
+            return INVALID_SOCKET;
+        }
+        assigned_bind_address=s_ntop(&assigned_addr, addr_len(&assigned_addr));
+        s_log(LOG_INFO, "Service [%s] (FD=%ld) bound to %s",
+            opt->servname, (long)fd, assigned_bind_address);
+        str_free(assigned_bind_address);
+    }
     return fd;
 }
 
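Review bot: a getsockname() failure now closes the socket and makes bind_port() return INVALID_SOCKET, although the address is only needed for the LOG_INFO line that follows. Before this change a successfully bound socket could not be rejected at this point. Logging the error and continuing with a placeholder address would keep the service up. The length that getsockname() stores in assigned_addr_len is then ignored in favour of addr_len(&assigned_addr); for a socket inherited from systemd with a family addr_len() does not know, that logs an INTERNAL ERROR, so passing assigned_addr_len to s_ntop() would be more robust.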
@@ -633,9 +701,11 @@
 
 /**************************************** signal pipe handling */
 
-NOEXPORT int signal_pipe_init(void) {
+NOEXPORT int pipe_init(SOCKET socket_vector[2], char *name) {
 #ifdef USE_WIN32
-    if(make_sockets(signal_pipe))
+    (void)name; /* squash the unused parameter warning */
+
+    if(make_sockets(socket_vector))
         return 1;
 #elif defined(__INNOTEK_LIBC__)
     /* Innotek port of GCC can not use select on a pipe:
@@ -645,29 +715,29 @@
     int pipe_in;
 
     FD_ZERO(&set_pipe);
-    signal_pipe[0]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#1");
-    signal_pipe[1]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#2");
+    socket_vector[0]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#1");
+    socket_vector[1]=s_socket(PF_OS2, SOCK_STREAM, 0, 0, "socket#2");
 
     /* connect the two endpoints */
     memset(&un, 0, sizeof un);
     un.sun_len=sizeof un;
     un.sun_family=AF_OS2;
-    sprintf(un.sun_path, "\\socket\\stunnel-%u", getpid());
+    sprintf(un.sun_path, "\\socket\\stunnel-%s-%u", name, getpid());
     /* make the first endpoint listen */
-    bind(signal_pipe[0], (struct sockaddr *)&un, sizeof un);
-    listen(signal_pipe[0], 1);
-    connect(signal_pipe[1], (struct sockaddr *)&un, sizeof un);
-    FD_SET(signal_pipe[0], &set_pipe);
-    if(select(signal_pipe[0]+1, &set_pipe, NULL, NULL, NULL)>0) {
-        pipe_in=signal_pipe[0];
-        signal_pipe[0]=s_accept(signal_pipe[0], NULL, 0, 0, "accept");
+    bind(socket_vector[0], (struct sockaddr *)&un, sizeof un);
+    listen(socket_vector[0], 1);
+    connect(socket_vector[1], (struct sockaddr *)&un, sizeof un);
+    FD_SET(socket_vector[0], &set_pipe);
+    if(select(socket_vector[0]+1, &set_pipe, NULL, NULL, NULL)>0) {
+        pipe_in=socket_vector[0];
+        socket_vector[0]=s_accept(socket_vector[0], NULL, 0, 0, "accept");
         closesocket(pipe_in);
     } else {
         sockerror("select");
         return 1;
     }
 #else /* Unix */
-    if(s_pipe(signal_pipe, 1, "signal_pipe"))
+    if(s_pipe(socket_vector, 1, name))
         return 1;
 #endif /* USE_WIN32 */
     return 0;
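Review bot: the sprintf() into un.sun_path now formats the caller-supplied name with %s and has no bound, so its safety depends on every caller passing a short literal. snprintf(un.sun_path, sizeof un.sun_path, ...) would enforce that here. Since both callers pass string literals, the name parameter would also be better declared const char *. The bind(), listen() and connect() calls in this branch still ignore their return values; with two pipes now created this way, a failure of the second one would be easier to diagnose if they were checked.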
@@ -711,7 +781,7 @@
         s_poll_remove(fds, signal_pipe[0]);
         closesocket(signal_pipe[0]);
         closesocket(signal_pipe[1]);
-        if(signal_pipe_init()) {
+        if(pipe_init(signal_pipe, "signal_pipe")) {
             s_log(LOG_ERR,
                 "Signal pipe reinitialization failed; terminating");
             return 1;
@@ -732,6 +802,10 @@
 #endif /* defined USE_FORK */
         return 0;
 #endif /* !defind USE_WIN32 */
+    case SIGNAL_TERMINATE:
+        s_log(LOG_DEBUG, "Processing SIGNAL_TERMINATE");
+        s_log(LOG_NOTICE, "Terminated");
+        return 1;
     case SIGNAL_RELOAD_CONFIG:
         s_log(LOG_DEBUG, "Processing SIGNAL_RELOAD_CONFIG");
         if(options_parse(CONF_RELOAD)) {
@@ -776,10 +850,8 @@
         log_flush(LOG_MODE_CONFIGURED);
         s_log(LOG_NOTICE, "Log file reopened");
         return 0;
-    case SIGNAL_TERMINATE:
-        s_log(LOG_DEBUG, "Processing SIGNAL_TERMINATE");
-        s_log(LOG_NOTICE, "Terminated");
-        return 1;
+    case SIGNAL_CONNECTIONS:
+        return process_connections();
     default:
         sig_name=signal_name(sig);
         s_log(LOG_ERR, "Received %s; terminating", sig_name);
@@ -788,6 +860,37 @@
     }
 }
 
+#ifdef __GNUC__
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
+#pragma GCC diagnostic push
+#endif /* __GNUC__>=4.6 */
+#pragma GCC diagnostic ignored "-Wformat"
+#pragma GCC diagnostic ignored "-Wformat-extra-args"
+#endif /* __GNUC__ */
+NOEXPORT int process_connections() {
+#ifndef USE_FORK
+    CLI *c;
+
+    s_log(LOG_NOTICE, "Active connections:");
+    CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_THREAD_LIST]);
+    for(c=thread_head; c; c=c->thread_next) {
+        s_log(LOG_NOTICE, "Service [%s]: "
+            "%llu byte(s) sent to TLS, "
+            "%llu byte(s) sent to socket",
+            c->opt->servname,
+            (unsigned long long)c->ssl_bytes,
+            (unsigned long long)c->sock_bytes);
+    }
+    CRYPTO_THREAD_unlock(stunnel_locks[LOCK_THREAD_LIST]);
+#endif /* USE_FORK */
+    return 0; /* continue execution */
+}
+#ifdef __GNUC__
+#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
+#pragma GCC diagnostic pop
+#endif /* __GNUC__>=4.6 */
+#endif /* __GNUC__ */
+
 /**************************************** signal name decoding */
 
 #define check_signal(s) if(signum==s) return str_dup(#s);
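Review bot: the two "#pragma GCC diagnostic ignored" lines in front of process_connections() sit outside the __GNUC__ >= 4.6 test, while the push and the pop are inside it. On an older GCC, -Wformat and -Wformat-extra-args are therefore disabled from here to the end of stunnel.c with nothing to restore them. Both arguments are already cast to unsigned long long to match %llu, so it would help to state in a comment which platform still warns, and to limit the suppression to that platform. The loop reads c->ssl_bytes and c->sock_bytes under LOCK_THREAD_LIST only; if client threads update those counters without that lock, the comment should say the values are approximate.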
@@ -908,11 +1011,17 @@
     if(strcmp(OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION))) {
         s_log(level, "Compiled with " OPENSSL_VERSION_TEXT);
         s_log(level, "Running  with %s", OpenSSL_version(OPENSSL_VERSION));
-        if((OpenSSL_version_num()^OPENSSL_VERSION_NUMBER)&~0xfffu)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+        if((OPENSSL_version_major()<<8 | OPENSSL_version_minor()) !=
+                OPENSSL_VERSION_NUMBER>>20)
+#else /* OpenSSL version < 3.0.0 */
+        if(OpenSSL_version_num()>>12 != OPENSSL_VERSION_NUMBER>>12)
+#endif /* OpenSSL version >= 3.0.0 */
             s_log(level, "Update OpenSSL shared libraries or rebuild stunnel");
     } else {
         s_log(level, "Compiled/running with " OPENSSL_VERSION_TEXT);
     }
+
     s_log(level,
 
         "Threading:"
diff -Nru stunnel4-5.50/src/tls.c stunnel4-5.54~b3/src/tls.c
--- stunnel4-5.50/src/tls.c	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/tls.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/ui_unix.c stunnel4-5.54~b3/src/ui_unix.c
--- stunnel4-5.50/src/ui_unix.c	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/ui_unix.c	2019-04-30 17:03:21.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -99,6 +99,7 @@
         signal(SIGCHLD, signal_handler); /* handle dead children */
         signal(SIGHUP, signal_handler); /* configuration reload */
         signal(SIGUSR1, signal_handler); /* log reopen */
+        signal(SIGUSR2, signal_handler); /* connections */
         signal(SIGPIPE, SIG_IGN); /* ignore broken pipe */
         if(signal(SIGTERM, SIG_IGN)!=SIG_IGN)
             signal(SIGTERM, signal_handler); /* fatal */
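Review bot: installing a handler for SIGUSR2 changes what the signal does to a running stunnel. Without a handler its default action is to terminate the process; with this line it is queued for signal_handler and, per the comment, reports connections. That is a user-visible change which needs an entry in the manual page next to the existing SIGHUP and SIGUSR1 descriptions and in the changelog, so that anyone who relied on the old behaviour is warned.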
@@ -126,6 +127,7 @@
         tls_alloc(c, ui_tls, NULL);
         service_up_ref(&service_options);
         client_main(c);
+        client_free(c);
     }
     return 0;
 }
diff -Nru stunnel4-5.50/src/ui_win_cli.c stunnel4-5.54~b3/src/ui_win_cli.c
--- stunnel4-5.50/src/ui_win_cli.c	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/ui_win_cli.c	2019-04-04 23:08:23.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
diff -Nru stunnel4-5.50/src/ui_win_gui.c stunnel4-5.54~b3/src/ui_win_gui.c
--- stunnel4-5.50/src/ui_win_gui.c	2018-10-23 14:24:33.000000000 +0300
+++ stunnel4-5.54~b3/src/ui_win_gui.c	2019-04-13 17:07:00.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -564,6 +564,9 @@
         case IDM_REOPEN_LOG:
             signal_post(SIGNAL_REOPEN_LOG);
             break;
+        case IDM_CONNECTIONS:
+            signal_post(SIGNAL_CONNECTIONS);
+            break;
         case IDM_MANPAGE:
 #ifndef _WIN32_WCE
             if(!cmdline.service) /* security */
diff -Nru stunnel4-5.50/src/vc.mak stunnel4-5.54~b3/src/vc.mak
--- stunnel4-5.50/src/vc.mak	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/src/vc.mak	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,4 @@
-# vc.mak by Michal Trojnara 1998-2018
+# vc.mak by Michal Trojnara 1998-2019
 # with help of David Gillingham <dgillingham@gmail.com>
 # with help of Pierre Delaage <delaage.pierre@free.fr>
 
@@ -10,7 +10,9 @@
 
 !IF [ml64.exe /help >NUL 2>&1]
 TARGET=win32
-SSLLIBS=libeay32.lib ssleay32.lib
+SSLLIBS=libcrypto.lib libssl.lib
+# or change libraries for OpenSSL older than 1.1.0
+#SSLLIBS=libeay32.lib ssleay32.lib
 !ELSE
 TARGET=win64
 SSLLIBS=libcrypto.lib libssl.lib
@@ -49,7 +51,7 @@
 LINK=link
 
 UNICODEFLAGS=/DUNICODE /D_UNICODE
-CFLAGS=/MD /W3 /O2 /nologo /I"$(INCDIR)" $(UNICODEFLAGS)
+CFLAGS=/MD /W3 /O2 /Zi /nologo /I"$(INCDIR)" $(UNICODEFLAGS)
 LDFLAGS=/NOLOGO /DEBUG
 
 SHAREDLIBS=ws2_32.lib user32.lib shell32.lib kernel32.lib
diff -Nru stunnel4-5.50/src/verify.c stunnel4-5.54~b3/src/verify.c
--- stunnel4-5.50/src/verify.c	2018-07-03 00:30:10.000000000 +0300
+++ stunnel4-5.54~b3/src/verify.c	2019-04-20 11:28:08.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -651,7 +651,7 @@
 
     /* OCSP protocol communication loop */
     while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
-        s_poll_init(c->fds);
+        s_poll_init(c->fds, 0);
         s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));
         switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) {
         case -1:
diff -Nru stunnel4-5.50/src/version.h stunnel4-5.54~b3/src/version.h
--- stunnel4-5.50/src/version.h	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/src/version.h	2019-04-13 16:58:50.000000000 +0300
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2018 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -65,7 +65,7 @@
 
 /* START CUSTOMIZE */
 #define VERSION_MAJOR 5
-#define VERSION_MINOR 50
+#define VERSION_MINOR 54
 /* END CUSTOMIZE */
 
 /* all the following macros are ABSOLUTELY NECESSARY to have proper string
diff -Nru stunnel4-5.50/tests/certs/CACertCRL.pem stunnel4-5.54~b3/tests/certs/CACertCRL.pem
--- stunnel4-5.50/tests/certs/CACertCRL.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/CACertCRL.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,13 +1,13 @@
 -----BEGIN X509 CRL-----
 MIIB7TCB1gIBATANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJQTDEbMBkGA1UE
 CgwSU3R1bm5lbCBEZXZlbG9wZXJzMRAwDgYDVQQLDAdSb290IENBMQswCQYDVQQD
-DAJDQTEdMBsGCSqGSIb3DQEJARYOQ0FAZXhhbXBsZS5jb20XDTE4MTAwOTE0NDkz
-OVoXDTIyMTAwOTE0NDkzOVowFTATAgIQABcNMTgxMDA5MTQ0OTM5WqAjMCEwHwYD
-VR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQADggEB
-AE9wjD43V31VT6MkVISh9VHmKY4Ah/lR5LI8FprLKuga9Rr1RMNGb43bpWRLvhMA
-dRrXx+uQdm6dZOscAjnIERj2JkkJXG1ydELftzJNc3OGJtUCD07h8qLa7wA+7uzh
-FtgmmNPdzpx+1YoqsqIh+TqAu+RwWG01vfXRI5VWmAdjzgv21eeI1i9ZBYeWqTbB
-V1e2NiAM6DVprzmddIcr6VXmC21M2XYfhzTORrJf9FO5Y3JisYl3kKl2nPa0q9EH
-+4887dUXmzFPUjDQtFkhcho2DBOcUZy4XGrSWvOru0X7AbgjpJ/GrXQnoGcBHESm
-zYNNznz/O97dVwkMssW8LxY=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 -----END X509 CRL-----
diff -Nru stunnel4-5.50/tests/certs/CACert.pem stunnel4-5.54~b3/tests/certs/CACert.pem
--- stunnel4-5.50/tests/certs/CACert.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/CACert.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,22 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIIDtjCCAp6gAwIBAgIJAKCwzlHufIcDMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
-BAYTAlBMMRswGQYDVQQKDBJTdHVubmVsIERldmVsb3BlcnMxEDAOBgNVBAsMB1Jv
-b3QgQ0ExCzAJBgNVBAMMAkNBMR0wGwYJKoZIhvcNAQkBFg5DQUBleGFtcGxlLmNv
-bTAeFw0xODEwMDkxNDQ5MzlaFw0yMjEwMDkxNDQ5MzlaMGgxCzAJBgNVBAYTAlBM
-MRswGQYDVQQKDBJTdHVubmVsIERldmVsb3BlcnMxEDAOBgNVBAsMB1Jvb3QgQ0Ex
-CzAJBgNVBAMMAkNBMR0wGwYJKoZIhvcNAQkBFg5DQUBleGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuQxz8urfZRBvBj8K6+29NpbXZE
-qsCxq60ZkBrNwbxb/V07eRk87pvfZfQ+cPN5SaJ6S9r35uoJNDdW42kQXNer9NOo
-QeqBUBGLjnJZ6wcplLc+0/PXsgmIzSmlNTx+k9FuuEg06Fw0AG+Lirlnzt6VtILW
-FF9vOoy13UOnySAjzkLQMNThuqerL6d91/9BOYyDUbXPfGbBoVusGX3R2qWxzgsH
-MLvvCX/h6TJD4YDoaefWNswfjS3u40D7WlOXEKvltwyb2C5vfIV/eZZmoc1jza6t
-nvcqtpo9c7QXR7MxIl2IA80Wykmyv4anGZ2yGB02/gZFzmBRcioKKIUJpVsCAwEA
-AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUMrsPuqQ8kOHXNhiDndXE
-GCYNvBowHwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDgYDVR0PAQH/
-BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAosqQoiY+OM4ZWE3W6gHWEBNvYioCK
-M0a7faso0ice5AxlzOrMyOP7AwWJ5Abeho6j7xFYVEREIGpViEJLp4QSJyDiPUGh
-I9CwtJd0Pp3wzpXzvG7awZVef3uWiUEXQlPWm+a/Z2aJlF0jPx7GQhW/vCxgesnz
-Z75kVYP9eAlka/6bbPQOwvx2D/4hS9829RLKkCLEBj1D9GHK7DhJJAlmokowtq+8
-CfTeLSkJb0lnK/KSsZWFnJiBw/yq4XF7VQEAVhYTmnn78Ew7YACvGAoVPploArfS
-Mf22wB95jYzuqxjXY9mxjKmwsoisAqcdh9nZoqrK9l33wPWwAmsof4Fi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 -----END CERTIFICATE-----
diff -Nru stunnel4-5.50/tests/certs/client_cert.pem stunnel4-5.54~b3/tests/certs/client_cert.pem
--- stunnel4-5.50/tests/certs/client_cert.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/client_cert.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
 MIIDoDCCAoigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx
 GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL
-MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4
-MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV
+MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE5
+MDMyMDE1MDA1NFoXDTIzMDMyMDE1MDA1NFowbzELMAkGA1UEBhMCUEwxGzAZBgNV
 BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGY2xpZW50MQ8wDQYDVQQD
 DAZjbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOsVd02IKUGn2+RMaxEjy+4M5k
-IulcufKLK61NvOTsghPYkpuLieNlLQL5DnxTIll9AXoN5Gg9HVp5l7d1Xst9rd5/
-HhBLpJxsfoLCJmQUybGaxBfkGPUriZLTjZJgvAhtHD4q2KjtQIZq/KXvvlDmr/CN
-f+cblpBQdAolGRX7xGIO+5ygTSZ0D4qghUXBmYSplWDvVpZMCHeXG/hlqlxaOSmq
-VNDgHRMO2ocyHwRtc5bPI6iPLP9V0bKFfLPcsd5IWuPlx1BD3rRPWUWM2BFiMmUN
-rnyEknRs3phgdGlCA4Sg1pNcNEzxfQJhgMdDX7rH7xEM9ucv5jVzBEGY/ZsCAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUvw7F5zODR/W7L2kuYkKS8MK0ad8w
-HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD
-ggEBAHPHEPqacyq4XnMAURVUDydWoLf6h1rK8cnZI7hNydaigO20R30rkSpQcfHk
-susDGO822ozCzTMd0nUOCe2y/a6tLOpQXXX2zgo4C6utqGJCRwwTjqvUfeLnPkGD
-eJoBighsfcGWwoZBOOPgdJ2hhsamF2h7TBIneochNovPW0mH6w/G3Hjy2VHeEq29
-mDTA3NRic2R9iazHQIBW8U+o0CYtwgzB0ZrbL8ak/uH3yPhCuhlrYH4eXiou5kzb
-nOuS3VonBp8lFLhfE040rf1Y6piwsl4FYE5udyRXli1A6D4g62/O2KXjoKzz7T6E
-YAJGZqVcWZrLJgJaONqlYDEL9ZE=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 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAs86xV3TYgpQafb5ExrESPL7gzmQi6Vy58osrrU285OyCE9iS
-m4uJ42UtAvkOfFMiWX0Beg3kaD0dWnmXt3Vey32t3n8eEEuknGx+gsImZBTJsZrE
-F+QY9SuJktONkmC8CG0cPirYqO1Ahmr8pe++UOav8I1/5xuWkFB0CiUZFfvEYg77
-nKBNJnQPiqCFRcGZhKmVYO9WlkwId5cb+GWqXFo5KapU0OAdEw7ahzIfBG1zls8j
-qI8s/1XRsoV8s9yx3kha4+XHUEPetE9ZRYzYEWIyZQ2ufISSdGzemGB0aUIDhKDW
-k1w0TPF9AmGAx0NfusfvEQz25y/mNXMEQZj9mwIDAQABAoIBABhj/1Z3uS7tXDKW
-bsntFyY6VlBo8Ptq4qZuDnyxwN/k3ThH9os3AHtiLBrtIfPnaw9sj5i47bTeJW8y
-c0wllbhQ0hcOc0uOl0PIy9h88aw9zaZT8imzfVc0krLiE6A5kwgplN0x/rXbiRcy
-yBbSUKS0xkUBTMpSybfF0hfWNHLwu69vxmvucmkirlERrqMgMgY30Ac7G4PZGARd
-SOM5kdNz6iATU9ccUm8Yl5YB4TNXvh1QF3inBJKgFpw9NBAjd8sXhebWEZVG8Zng
-glkCxcXEwyIYJxmxPA3M1OZCKLjEDI0APdQkHSn9oniqghYithUTpJ1hN9R15F96
-b88q0LECgYEA58ncXPezCsy6Wf/gAXf1C7srJDY1GaMYZ7q4Zgp5at7t54kFLfn9
-ecTpf89Q7bReSRwhuc6sOKabk5dFPz2Bmo9kO73G8KdakTdxR/CFuf3lrwZ9s8I6
-choLYff909HUHbqeVGthhMx7xQRJijKBCxV2403ttHipTe2K9au4BuUCgYEAxpbU
-v12LV3EE4i8Bt+bxcA6q5Ygq+7o5kFbkqgzzwyzbtyn2TWn4/z142CNc+3xg598d
-AXi2oV2alqy8WAgUQP0+g4XXLlW7bvuvAga6F+XqQlKLzF61FWFwcNifeYRYCDMJ
-R827pDXpaMs2AUZaMlOZreoAhxd0FWP9CpC8Kn8CgYBn6dqOH0o4TEI7OPhvEB1e
-rgGQUXEK1lCJqG8k6As4+0qC463bx9h4b+wSrZnlh1hBxIfmKh6RozfaOhYEXQmu
-hhx0oAcBOrXipo11qAH7uTTwe6N9JFVZdA2oVSqJfOdwkIqM5Dsq8xWF5P8nIq8x
-jeTn0LcBkpqsYhNLQjnVdQKBgQCplATpwJyLN6Re7JsACgJjmPLP/B4QRO6A1eJ/
-X34MTVL1rqx3YKXSdxCpKFFvIr+xYLFpH0Z8tuyZ+7j9RzDcaiQmtXSRSX47gEnq
-Zgok/By1M73S75CcSE923VQYtS1jGwmyufigebTt2pEsN4Iv9XmGrAp1UU68MVzT
-19IGSwKBgQCtE2zXTIs6FfjwJvExPGAX6jj//E5uGiLT/afQGUWpFLKikaJsrhUb
-2H0TneIM31zvvtbyG6gHARUP8MFH4KZaFgSmRkn86WrN3nxO499kxqCQV+GZ7+M1
-OoKU++aVv9+0VlpUyCAEUJq2flSOCex+9V2gODPKQfu8h0U4IEptZA==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 -----END RSA PRIVATE KEY-----
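Review bot: The regenerated client certificate at the top of this hunk is still a static file with a fixed four-year lifetime. The changed validity bytes (`...MB4XDTE5` followed by `MDMyMDE1MDA1NFoXDTIzMDMyMDE1MDA1NFow`) decode to notBefore 2019-03-20 and notAfter 2023-03-20, where the removed lines ran from 2018-10-09 to 2022-10-09. Any build that runs the test suite after the notAfter date will fail verification for reasons unrelated to the code, so for a release that has to stay buildable for years it is worth generating these files at build time with maketestcert.sh or issuing them with a much longer lifetime. The file also carries the matching RSA private key; confirm that nothing under tests/certs ends up in the binary package.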
diff -Nru stunnel4-5.50/tests/certs/Makefile.am stunnel4-5.54~b3/tests/certs/Makefile.am
--- stunnel4-5.50/tests/certs/Makefile.am	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/Makefile.am	2019-04-04 23:08:23.000000000 +0300
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 EXTRA_DIST = maketestcert.sh openssltest.cnf
 EXTRA_DIST += CACertCRL.pem CACert.pem
diff -Nru stunnel4-5.50/tests/certs/Makefile.in stunnel4-5.54~b3/tests/certs/Makefile.in
--- stunnel4-5.50/tests/certs/Makefile.in	2018-11-09 17:53:56.000000000 +0200
+++ stunnel4-5.54~b3/tests/certs/Makefile.in	2019-04-30 17:03:37.000000000 +0300
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 VPATH = @srcdir@
 am__is_gnu_make = { \
   if test -z '$(MAKELEVEL)'; then \
diff -Nru stunnel4-5.50/tests/certs/maketestcert.sh stunnel4-5.54~b3/tests/certs/maketestcert.sh
--- stunnel4-5.50/tests/certs/maketestcert.sh	2018-10-23 14:19:35.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/maketestcert.sh	2018-12-16 09:58:45.000000000 +0200
@@ -29,15 +29,11 @@
 gen_psk 2
 
 # OpenSSL settings
+TEMP_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
+LD_LIBRARY_PATH=""
+OPENSSL=openssl
 CONF="${script_path}/openssltest.cnf"
 
-if test -n "$1"; then
-    OPENSSL="$2/bin/openssl"
-    LD_LIBRARY_PATH="$2/lib"
-else
-    OPENSSL=openssl
-fi
-
 mkdir "demoCA/"
 touch "demoCA/index.txt"
 touch "demoCA/index.txt.attr"
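Review bot: With the `if test -n "$1"` branch removed, the script no longer uses its arguments to pick the OpenSSL binary and always runs whatever `openssl` comes first in PATH, so the test certificates can be produced by a different OpenSSL than the one stunnel was configured against, and a caller that still passes a prefix gets no error. If that is intended, reject unexpected arguments or document it next to `OPENSSL=openssl`. `LD_LIBRARY_PATH=""` also leaves the variable set but empty; `unset LD_LIBRARY_PATH` would state the intent more clearly.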
@@ -114,3 +110,6 @@
 # remove the working directory
 rm -rf "demoCA/"
 rm -rf "tmp/"
+
+# restore settings
+LD_LIBRARY_PATH=$TEMP_LD_LIBRARY_PATH
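Review bot: The restore on the last line is skipped on any early exit path, and it cannot tell an originally unset LD_LIBRARY_PATH from an empty one, so in the unset case the variable comes back set to an empty string. If the script is meant to be sourced, use a `trap` or scope the override to the individual `$OPENSSL` invocations; if it is executed as a child process, the save and restore have no effect on the caller and can be dropped.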
diff -Nru stunnel4-5.50/tests/certs/PeerCerts.pem stunnel4-5.54~b3/tests/certs/PeerCerts.pem
--- stunnel4-5.50/tests/certs/PeerCerts.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/PeerCerts.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,44 +1,44 @@
 -----BEGIN CERTIFICATE-----
 MIIDoDCCAoigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx
 GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL
-MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4
-MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV
+MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE5
+MDMyMDE1MDA1NFoXDTIzMDMyMDE1MDA1NFowbzELMAkGA1UEBhMCUEwxGzAZBgNV
 BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGY2xpZW50MQ8wDQYDVQQD
 DAZjbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOsVd02IKUGn2+RMaxEjy+4M5k
-IulcufKLK61NvOTsghPYkpuLieNlLQL5DnxTIll9AXoN5Gg9HVp5l7d1Xst9rd5/
-HhBLpJxsfoLCJmQUybGaxBfkGPUriZLTjZJgvAhtHD4q2KjtQIZq/KXvvlDmr/CN
-f+cblpBQdAolGRX7xGIO+5ygTSZ0D4qghUXBmYSplWDvVpZMCHeXG/hlqlxaOSmq
-VNDgHRMO2ocyHwRtc5bPI6iPLP9V0bKFfLPcsd5IWuPlx1BD3rRPWUWM2BFiMmUN
-rnyEknRs3phgdGlCA4Sg1pNcNEzxfQJhgMdDX7rH7xEM9ucv5jVzBEGY/ZsCAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUvw7F5zODR/W7L2kuYkKS8MK0ad8w
-HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD
-ggEBAHPHEPqacyq4XnMAURVUDydWoLf6h1rK8cnZI7hNydaigO20R30rkSpQcfHk
-susDGO822ozCzTMd0nUOCe2y/a6tLOpQXXX2zgo4C6utqGJCRwwTjqvUfeLnPkGD
-eJoBighsfcGWwoZBOOPgdJ2hhsamF2h7TBIneochNovPW0mH6w/G3Hjy2VHeEq29
-mDTA3NRic2R9iazHQIBW8U+o0CYtwgzB0ZrbL8ak/uH3yPhCuhlrYH4eXiou5kzb
-nOuS3VonBp8lFLhfE040rf1Y6piwsl4FYE5udyRXli1A6D4g62/O2KXjoKzz7T6E
-YAJGZqVcWZrLJgJaONqlYDEL9ZE=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 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDoDCCAoigAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx
 GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL
-MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4
-MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV
+MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE5
+MDMyMDE1MDA1NVoXDTIzMDMyMDE1MDA1NVowbzELMAkGA1UEBhMCUEwxGzAZBgNV
 BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGc2VydmVyMQ8wDQYDVQQD
 DAZzZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEnNlcnZlckBleGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvRSOWnuJnrrnlt+qUaiY9CJOp0
-Lox6vCEzwgMH+ftMZQwP6m427b3LEfPrxH6WkYMLwpAXGjREXRj+yB0ZcPvQ94VI
-OyHgvgWJ14t+yLcq3w6zsWzJx/SmWLG7ga67wODxhCHAAHPKsv+cC+6wgt3kWu+G
-jUQ27X03rQO2wNpV5cxdp9Ax6JQVnKleQEIShfELYYjJpp4s6n5VY8R8jRwJHl7k
-XCjp5+8LSD64MUcXzo7u6XL8SxEGjQU+drKfNdleFfyVgjtAeyaWBrY8ciM4yIqn
-M37zs6jyjLcNO0PtD+64VO4jJPmFY4M0O33AJu0EtuR1G/NSj1D85nKBZYUCAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUSLKfbW2zrTXPv2dTLXpT9jHEYLkw
-HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD
-ggEBABYai56PR5tsnmv8+mIxZM980x+oYLACVA6YaQEWxtdPQl+tGJIVnJergfRO
-UrG4OjqBZp0DjMJRNIIiM50YTsEQdrVoL6HaP5AgDwqWoRJIEdVZUQWyTTTE7nBd
-0k6qNKUsJVEM1Zvv+cseQYIpT75P0FPl5egSPQHVuPWSco7gGF/zF2gA4QfzRsLe
-frgfzXzxEF712CuS+OXj5lab4N1L9A1GzfeQ+bNlrUky79R+vMPfjoayUJ/fTafl
-wTd6YBZurwxdy6Ktql9eisuli0PRdxed1eOpUxZAbS7N3ZIDTEOcLnBrIhQY7E8P
-YxSm0/qri7nS4z/DmzTe2z0ttqM=
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKRLRvKQlFlpKEqkAoJzVIUR5RFQ
+T4eIc+bdb3M1cT1d49qMBLBscj1MlIN4fIHeJSVJ3Q8cQGfNjBSWc0att7C2y5bz
+LkjZgAMjJz83JwHP5C7wm3nXVNsqTlzJrtmGg6NK5muuV7G4ja3hcmhZ/H7uF56G
+C8F5929w+o9PLHRZTtOvMi89Va6SM/IWQuke2bS8omXsl2J42qyKs+AVJi6qhbRw
+85WaAQV3EU5bVU6l/KIEh6ok2084KnMS++6Hu8VWk5ilx6JMXYiJBi40kjDAuk6v
+GNdoRYhRr5XT7RgaVDG84pfNjAL5lC+Zkfrcko7sle44L7/d4lHTWNe97sECAwEA
+AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUbmDWMjJ0fBd1iMNB740er4d5vzkw
+HwYDVR0jBBgwFoAUNEfDTxLuOyvNlmE37pv3HEM4SOgwDQYJKoZIhvcNAQELBQAD
+ggEBAJcxqMpSvkyoHTyRyMo+8NTg2njJfxZ+RDTBOK0xyT2CdkV8NYuiKOb4sc0r
+Emv37v5aN6bN1KReE+SCXvZPc1WHVmAYsuLnIGcbx6xQ/11C7vY2sv/zb3f7OMam
+Ajz1F1onEKGstDFHXgsK6nRGacktDJWDXq9OJ89PjkiX3jS6lzXXzAEejQHxQawV
+FfNYbg99PP4fRKcm16++iV7bI7d4AwJ9ni3q2SlsrP032wlgp9SiSN5r8QxiqtUm
+MZEGWv5fEok3hwzR/sHayL1VNz1XPusTJolKJ2pp2EPzFhNM2CtyR2K7VCoLnGt4
+28TKjgLadBIJmINdbM83GwWePd0=
 -----END CERTIFICATE-----
diff -Nru stunnel4-5.50/tests/certs/psk1.txt stunnel4-5.54~b3/tests/certs/psk1.txt
--- stunnel4-5.50/tests/certs/psk1.txt	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/psk1.txt	2019-03-20 17:00:55.000000000 +0200
@@ -1 +1 @@
-test1:H9kpiYb8TWGo19hvd4txGMffBG6yzbJcz0FpPD4rB590vVFvyE
+test1:oc0vZijCTtEXYIYwNFAmRyjcuA91TGD4OhL2PEzuLVBsKw362J
diff -Nru stunnel4-5.50/tests/certs/psk2.txt stunnel4-5.54~b3/tests/certs/psk2.txt
--- stunnel4-5.50/tests/certs/psk2.txt	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/psk2.txt	2019-03-20 17:00:55.000000000 +0200
@@ -1 +1 @@
-test2:gTcg0XYgwmBISqC8KpeHUQuGdGqkcTUJBZZLUefskgjXdc5cdL
+test2:AKcwVXfz7TuEvbaX79wD6vXIwlppnniAWPkPBobH18xjGUEVWy
diff -Nru stunnel4-5.50/tests/certs/revoked_cert.pem stunnel4-5.54~b3/tests/certs/revoked_cert.pem
--- stunnel4-5.50/tests/certs/revoked_cert.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/revoked_cert.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
 MIIDozCCAougAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx
 GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL
-MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4
-MTAwOTE0NDkzOVoXDTIyMTAwOTE0NDkzOVowcjELMAkGA1UEBhMCUEwxGzAZBgNV
+MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE5
+MDMyMDE1MDA1NFoXDTIzMDMyMDE1MDA1NFowcjELMAkGA1UEBhMCUEwxGzAZBgNV
 BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHcmV2b2tlZDEQMA4GA1UE
 AwwHcmV2b2tlZDEiMCAGCSqGSIb3DQEJARYTcmV2b2tlZEBleGFtcGxlLmNvbTCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPX7XgEBeUeMJc5Xkw0Fe39d
-OB0kuJhPTTkK05F2Bwu1hCMc2LbSFY3ohzMRIocjWdcGb8idzkmxZmeoxAaVR9JA
-OXKsmfbEU6hA5NcvH6QvJbZH5qIlvUk0AfSrtAbxXgq0JEKIHNQ63qTFUef28BfT
-YsnOFxL1GX0RUzrLz8dcCkNPM8xZaShJxENxWWijI2m4Gc/eDqTrPJhYK+WRNfHp
-7fLWt5y13drOyFG5sNIsykp1zMSiufG2NZ9IOxY0NOY0sc6kasvGlv30fqGu1+6Y
-7PRRfmQcEP/kDZ0Kv1NEgHtizEArySpZEKzNaS5Q6oCvL+UHYfPmmSgBeYinDHkC
-AwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUZED9hULxiuarUg6QXT3PAib8
-K88wHwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQEL
-BQADggEBADb/u5h5l7LPo1rAyQUMVm1DfA6bjNAucIJbQeqnAynsQe7Qc6CCyJH8
-YZeJsq9oHE6h0PYfBWvZ4wK/ebG86p8Ovt2mCANgWzCcnxFaaWr6fCmPjsr4XOcq
-PN7qiHRN8Yeski2/JMMKRY1LGwH8jpHjWH7JVK2UV8Y6053YgCf1UcQSjgBF6lKw
-ZwHW23NrYJ06AKu6yAXQpX/LiVMbWVRwfeL26UoMK3C7FKwWWOjIxsX+ihxuJM3C
-i7wgDrvBkTR/JKSL6qG/Q5TUVCU7YVCZjdP8uCUz+9ac3pgy2ax5xZaGCOavnkCn
-OeQQWHFGnp97t/44yES505D9KGB0LXE=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 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEA9fteAQF5R4wlzleTDQV7f104HSS4mE9NOQrTkXYHC7WEIxzY
-ttIVjeiHMxEihyNZ1wZvyJ3OSbFmZ6jEBpVH0kA5cqyZ9sRTqEDk1y8fpC8ltkfm
-oiW9STQB9Ku0BvFeCrQkQogc1DrepMVR5/bwF9Niyc4XEvUZfRFTOsvPx1wKQ08z
-zFlpKEnEQ3FZaKMjabgZz94OpOs8mFgr5ZE18ent8ta3nLXd2s7IUbmw0izKSnXM
-xKK58bY1n0g7FjQ05jSxzqRqy8aW/fR+oa7X7pjs9FF+ZBwQ/+QNnQq/U0SAe2LM
-QCvJKlkQrM1pLlDqgK8v5Qdh8+aZKAF5iKcMeQIDAQABAoIBAQC62ho7W1o8PjqN
-trpufsakJjS09qr+j+bSOOYjreuGOnlIjuYUYhubc5IX+aEn1HOvQiVx2GXWVtq6
-TVmywn0POlgpQvGloNcHjVwIFbTMbEASaiXI8DAMRmRh7nhPedP8/4A3xdtYX+u2
-cGlacptJDfsR3upqLSMSfTGjDSUlgsjNkQ23ZUcabQ52KPD8Z4dFcuXZcfCGEYGd
-YJmBSUiwMh67NwUsqwzcqcTRz82zLC599gU+ppf2a61Ue+dRaKS0FfDJETWa1lAB
-8PIK8xKfEog1kFwyEN1Q5QqwPC61W4H6DeWHyx7awCO9gcWAg7SSQlxaL5TvSJUo
-hqJzSK89AoGBAPwZtWQ9Rq8+8Csy8NrTEfZajBeIukuaYdfDep6jom7MA1H4lEsa
-C1ER1FPc4pfpr9Q31pTvMNiAd/rQSnFjTKApTWhkzHpX+P9bqnUEYkUK2fqQpBL1
-YzC7QrRNz2vhkSiAhBcBUq0Y+RzYq8yGdLsNqMHe4Kqt/SsfjM5dVF4DAoGBAPnJ
-bhBJvpR01vU5VcLU0KD0+d/6E/hQxoRgBUWLGpXghYsUBMP2V2vxS8c2wPpBQrSk
-Ivk3q0lL6WXvtKEQCY5D3t1D7JEZHmZFgwJmez4WQMC+tCw54SDOL3ggQI+lyodW
-eyJgmqMu1H2CyEeQdiQIlvt54SJ0gkR7iBYNfzDTAoGBAMV9LkhUaGcomuR8h4ol
-B1FCJbTZ+3b2feeUzx4vejPpxkAUx7b9tBfSK892nlv7SS6qf4M0zcMNAPCO84JY
-E9L0CBvbuwOsnvcMTEBXKtSDZ7eOT7o6WXX3fI3a1r7geeKMqu2Kr8XCZoReiFc0
-jYVrceROQRn0Kvv5P0j6e/kZAoGBAPXJ56vPZODgN8UFrgYRM1mutVJX2d62XSFU
-+tr7jiV80OuRvz604EEvJsnYbvvRy7nE6UUiKkHtmLTdsnfqN/ztfBduBxKgDPHF
-5Kwv+4WUkBMZlGEQcx68xKkH03+GPEwAJRomxQNdyWnXjwwccqPyb970hzxIOQb6
-J2bL0SRRAoGBAJjDixE61RuenxLeHXzicqfBincEmswKgpl5CM28ZF9W4id7EcND
-4Vu7Y+QRexxbWMz637nVKLiYwfS/rra33i/igfhk6/Nb7dMG9KooCoS19PhM2V+I
-h/XLqvSe93n2ocqviJO4ZahXJFotlXq2nK2/bF2g45mvRcbFPtENqgcb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 -----END RSA PRIVATE KEY-----
diff -Nru stunnel4-5.50/tests/certs/secrets.txt stunnel4-5.54~b3/tests/certs/secrets.txt
--- stunnel4-5.50/tests/certs/secrets.txt	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/secrets.txt	2019-03-20 17:00:55.000000000 +0200
@@ -1,2 +1,2 @@
-test1:H9kpiYb8TWGo19hvd4txGMffBG6yzbJcz0FpPD4rB590vVFvyE
-test2:xomqBFaKDSLSIZEFk4TxPvSdMTiOq7iwfN1Np06SThYetP2Jpm
+test1:oc0vZijCTtEXYIYwNFAmRyjcuA91TGD4OhL2PEzuLVBsKw362J
+test2:fBg4EMg39tFiw7pW20U1OJIyOKbOnQHhR9Mx71qNrODTjzp1Yi
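Review bot: In the new secrets.txt the `test1` key is the same as in psk1.txt (`oc0vZij...`), but the `test2` key (`fBg4EMg...`) differs from the one written to psk2.txt (`AKcwVXf...`), and the removed lines show the same mismatch in 5.50. If a recipe depends on `test2` failing PSK authentication, say so in a comment in maketestcert.sh where these files are generated; otherwise both files should be written from the same value.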
Двоичните файлове „/tmp/xh8m1g7Lf7/stunnel4-5.50/tests/certs/server_cert.p12“ и „/tmp/UryoUty4KC/stunnel4-5.54~b3/tests/certs/server_cert.p12“ се различават
diff -Nru stunnel4-5.50/tests/certs/server_cert.pem stunnel4-5.54~b3/tests/certs/server_cert.pem
--- stunnel4-5.50/tests/certs/server_cert.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/server_cert.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,49 +1,49 @@
 -----BEGIN CERTIFICATE-----
 MIIDoDCCAoigAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx
 GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL
-MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4
-MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV
+MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE5
+MDMyMDE1MDA1NVoXDTIzMDMyMDE1MDA1NVowbzELMAkGA1UEBhMCUEwxGzAZBgNV
 BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGc2VydmVyMQ8wDQYDVQQD
 DAZzZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEnNlcnZlckBleGFtcGxlLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvRSOWnuJnrrnlt+qUaiY9CJOp0
-Lox6vCEzwgMH+ftMZQwP6m427b3LEfPrxH6WkYMLwpAXGjREXRj+yB0ZcPvQ94VI
-OyHgvgWJ14t+yLcq3w6zsWzJx/SmWLG7ga67wODxhCHAAHPKsv+cC+6wgt3kWu+G
-jUQ27X03rQO2wNpV5cxdp9Ax6JQVnKleQEIShfELYYjJpp4s6n5VY8R8jRwJHl7k
-XCjp5+8LSD64MUcXzo7u6XL8SxEGjQU+drKfNdleFfyVgjtAeyaWBrY8ciM4yIqn
-M37zs6jyjLcNO0PtD+64VO4jJPmFY4M0O33AJu0EtuR1G/NSj1D85nKBZYUCAwEA
-AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUSLKfbW2zrTXPv2dTLXpT9jHEYLkw
-HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD
-ggEBABYai56PR5tsnmv8+mIxZM980x+oYLACVA6YaQEWxtdPQl+tGJIVnJergfRO
-UrG4OjqBZp0DjMJRNIIiM50YTsEQdrVoL6HaP5AgDwqWoRJIEdVZUQWyTTTE7nBd
-0k6qNKUsJVEM1Zvv+cseQYIpT75P0FPl5egSPQHVuPWSco7gGF/zF2gA4QfzRsLe
-frgfzXzxEF712CuS+OXj5lab4N1L9A1GzfeQ+bNlrUky79R+vMPfjoayUJ/fTafl
-wTd6YBZurwxdy6Ktql9eisuli0PRdxed1eOpUxZAbS7N3ZIDTEOcLnBrIhQY7E8P
-YxSm0/qri7nS4z/DmzTe2z0ttqM=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 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEAu9FI5ae4meuueW36pRqJj0Ik6nQujHq8ITPCAwf5+0xlDA/q
-bjbtvcsR8+vEfpaRgwvCkBcaNERdGP7IHRlw+9D3hUg7IeC+BYnXi37ItyrfDrOx
-bMnH9KZYsbuBrrvA4PGEIcAAc8qy/5wL7rCC3eRa74aNRDbtfTetA7bA2lXlzF2n
-0DHolBWcqV5AQhKF8QthiMmmnizqflVjxHyNHAkeXuRcKOnn7wtIPrgxRxfOju7p
-cvxLEQaNBT52sp812V4V/JWCO0B7JpYGtjxyIzjIiqczfvOzqPKMtw07Q+0P7rhU
-7iMk+YVjgzQ7fcAm7QS25HUb81KPUPzmcoFlhQIDAQABAoIBAQCFhYh8c9sh2dJE
-03Hv9Ei9Brn1z7jT9+FM/V29B+uowqvHgn0X84baecZ+kSs1D1fNQQwFodboN32z
-6lVbkp2m9+0v3KTlNcABcfhBXFXXGexPqGHHREAZ5jSBzhqonSPHBwv3bmcj6oOM
-gmRdQTEYDGK1jANb7myxq2YdkMvTqyqYB3VlOrtNQV0KCQ/lan/CnTymYJlEi3D6
-9q0oniOoOsRWFFPJgfiUBTtOWofvWtiD5sj1wXX9wmJVX+w9Zxu5ep+vU9RymAA7
-km1e81fnc69hmJpGtQuEgSNiYW3UKHObZyShokANUVUW4sNo27oEynT8S8vbI/aL
-dclhkz91AoGBAO2N+3bIBZSlobWdYQUoqzvNUuOjYh1bz+ejwr4QLUhh6XtjI7Kn
-WoLN2jHnOdv9+mpguTP5L9nlwlWghkotQpRzbA5ovcGsVnIe75lZ+wLPH1XSbvyy
-LjOJOEQvgH+Y7XXu6KuEye/ABfbzF2fcg+tKiC2IHPYGyvTkJzJGMK5fAoGBAMpm
-pdsBGzstobtHq9V5Oj/MS7UwzOAeEUPPG4G2gufJ+SYyI+VQ490Iiz3DMcqc6LWn
-+uDzpoqiqDZn3c8HNBAd/c29yplq8D1aHutKIWKyj0rPhFIfeYwMvBHWsgCAWmbI
-4JcrrAZMIiaOA7QhmCzXILpmzqqUu2tUEZXHxW6bAoGBAJ4IDDdyzTOcFD3LmpVh
-/rfj2baSJF0/jMmeiZkDDfzPFhH9W+wnpPDLnNIB7t3I0eQewFYw+YJNdMCd73g9
-L8OuHT5gs4u56DA3IFG2KGQwAbqIKUl2B4JFUOcbarJ3u9DuxF4GEoiqB83G3dU8
-P44xoPIZUJri3fWYKfMp+oylAoGBAJoQtKMWHoJXY8rI7ZXbZ2l0uxQ7B1h5yq6R
-EeEU6mRBq7NVa1l8z1ZK0KK82EPgWIseSKu/C8BvvBddzMtwMkMqcS2REIzjh+dL
-mEmF7g/Q154chB528vCWKPpzMJ+NFEM1GTA5AALzJPOwGkWdZNaNEs6QvzO9b0Rt
-g809eZ2NAoGBALAWTTy1GEHB5cEjV49WbinkEOHrBkhl/FOVDkZmZgKbtzpM0K06
-H9UnQ2rzGGpXaE6t5phk42EhQ64+LGydtehOvAJFLUayOnDSqX06znIVOX2mUYVc
-5yqja4x7YSOQCQEwGSvZ6c3RbFly0dFu0qCfzS0uJDHjLUpx0cwmt6JO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 -----END RSA PRIVATE KEY-----
diff -Nru stunnel4-5.50/tests/certs/stunnel.pem stunnel4-5.54~b3/tests/certs/stunnel.pem
--- stunnel4-5.50/tests/certs/stunnel.pem	2018-10-09 17:49:40.000000000 +0300
+++ stunnel4-5.54~b3/tests/certs/stunnel.pem	2019-03-20 17:00:55.000000000 +0200
@@ -1,53 +1,53 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBisv4Ys8pVJZ6
-CHKDy4UAi38KJp28husfNmrrQWlGStYvjhyEusVrA6WDP3yz2X/56m+8KnvsM29L
-jDWhyQmXMxTh1XKWoh1URAI3FA7SAZ0dv8D8kFB34F2kuC+6o7GLsgz4qOOk3DhY
-NFzMefiRjrqLFt5OgOiATI1flYTKh+sHxXFF/xu+31ND+RTGHtGGxjyeXfSw7n3p
-o6e4U2ihcT/tU68PcGZCrDrVktfq/KvE6lFslPDcgnCrDyoTG1P3vwVlBDMzUSEn
-916f6Wq6J6kK0KbLDZ+LXJZe2I5CYiFZXAluprNo+dUEwWZ42vE9kq6yy580ibOF
-iKBzMG9PAgMBAAECggEBAIk/r1OuZnBNzwQtN2AlFGWFhwqgxd0q5FPXGE1Krqgt
-a+R/Z9PsSxGPnXEMtZco12tYB/KtQgIHm5Y8kM/xK/7wN4/K+R6/SgM200dRzwy4
-Hj45fFbe1GGeV2n3P8mgScjh8/bmdcC0drR+NYy/tjkquTjnd7C+E6LgJqUw9+FS
-89NU70UR+1irf/RysAwHCPlTfIIZon3atsvCUkiUE8G+8Kz4233H3TmVY5B+Zjq4
-uRLq47fcaOQ+irBkeicW7S4AbkKbXZsM/XxZB5BIBMv0t6OoF/uHvhyUzSxhvwhb
-LGGGMSrtGnYAeNXj329xyjrOnA4jmsMPVNiVc/rdTkECgYEA5NrvStXvybPY8ngd
-6ka4idu0K5EDixxrgoRQ2wV3WZecSsTSfr6B09UKch46HOIga9hpWg27NUGYuKfL
-NOfF1cBNxU5yV5+zKCgX5bYX0QdpfUM6mO0btUEkXf5xMYTyzHfnLE+L3Vcnq0qg
-KfZdto2LtEg3cznmtoJMqP3viaECgYEA2H+Zwkj84bxIuPwux6QeHueQ7K7Re59s
-KxymutuTQ6N0oCHK5KwQvuUELFRiTj0frEIgJfNMrTrzJ6rIu7ExDzUafhnPi194
-zKfQVf0gtfCJvrDBbF1VEqAtfcfW+x7jI+sylWhltBJSlGvsju9LTEcnp4c6wtDS
-hpsaXNe9su8CgYBZq8tdSExnfRfBkf0uwb0nDzYeZ/i6dk1N26iO2Sp1qWktBsfv
-r5fRN8WbB2r/zD6l4ysMhRrYeDZuDBkcRsCGy43thJpa6RFa57LNaDcWyU+1LDV2
-nFliAP9N8RfLLmuwYD7tZtHHzZGWlWwCZS09DWMzJaTMemCDHLUK9kz4YQKBgHrM
-nbVC2xVbS9CJUitxHpie9mgZnL7HJX6qqLOyWixyaXNu13uvUWxF0IEod/4y02VM
-uJluEF7t4f/s8iDsF4ytrVI7Z6qBQ66pvRUZF9W7ExZzgbLqmZeP/V2r3XfhBCta
-e/2dEpr6DZccRDiq6IXikk6G+MCJ2+/3yBNDV9lHAoGAXluoghrraKwg23U8eT5d
-HrafIW/5F3OoLNMjxd64HI8mmX/IwwEmcVKdxFrUlgzjSI3Yu7YH8bMT/neppVOQ
-srRJRXlqt3TZcup8/w6PIxvrCo3FnEXpizKR8fu66Vv0K7NG1aIao4Vu8SHm5Bfm
-Vo6H4riZvNeRY5wfvR7ySVo=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 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIENjCCAx6gAwIBAgIJAMrjqfDZWkd2MA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD
-VQQGEwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fy
-c2F3MRswGQYDVQQKDBJTdHVubmVsIERldmVsb3BlcnMxFzAVBgNVBAsMDlByb3Zp
-c2lvbmFsIENBMRIwEAYDVQQDDAlsb2NhbGhvc3QxIjAgBgkqhkiG9w0BCQEWE3N0
-dW5uZWxAZXhhbXBsZS5jb20wHhcNMTgxMDA5MTQ0OTM5WhcNMjIxMDA5MTQ0OTM5
-WjCBpzELMAkGA1UEBhMCUEwxGTAXBgNVBAgMEE1hem92aWEgUHJvdmluY2UxDzAN
-BgNVBAcMBldhcnNhdzEbMBkGA1UECgwSU3R1bm5lbCBEZXZlbG9wZXJzMRcwFQYD
-VQQLDA5Qcm92aXNpb25hbCBDQTESMBAGA1UEAwwJbG9jYWxob3N0MSIwIAYJKoZI
-hvcNAQkBFhNzdHVubmVsQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAwYrL+GLPKVSWeghyg8uFAIt/CiadvIbrHzZq60FpRkrWL44c
-hLrFawOlgz98s9l/+epvvCp77DNvS4w1ockJlzMU4dVylqIdVEQCNxQO0gGdHb/A
-/JBQd+BdpLgvuqOxi7IM+KjjpNw4WDRczHn4kY66ixbeToDogEyNX5WEyofrB8Vx
-Rf8bvt9TQ/kUxh7RhsY8nl30sO596aOnuFNooXE/7VOvD3BmQqw61ZLX6vyrxOpR
-bJTw3IJwqw8qExtT978FZQQzM1EhJ/den+lquiepCtCmyw2fi1yWXtiOQmIhWVwJ
-bqazaPnVBMFmeNrxPZKussufNImzhYigczBvTwIDAQABo2MwYTAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBRseoi9wT0pV/YquSn6CXXEDHd6OzAfBgNVHSMEGDAW
-gBRseoi9wT0pV/YquSn6CXXEDHd6OzAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
-AQELBQADggEBAI7stlWNcMCleOiS0YbR64BKOj/DhfVxR13OS3dfPfDKztu+tvjJ
-p+HUN8ZryKWXDuR1qg4m63PdKLC7r1AhKhkYtWEJiijN6OEmCvK3LgtqY+jzPa82
-2YJdtQuMFbZJkCe7dqEqelhJ1VjYR0Vbl83dPLQStMgdGjiYSfLoo9pmy/MJv1f0
-I0n3AKFp/328ZYPfPG8WmU4aBI7HzUsWiJGC8wEUsakpAp882KLOXfVhpYwBVBtL
-QDs6QrX1jquhfMNQX635YQcFhzTsG4KmCy6ueevwvyOtWLrvPkiuUGcvIlpJGI96
-4oSNsEzAchpxZ5tafzZ3ozP/Awi3m89KbbE=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 -----END CERTIFICATE-----
diff -Nru stunnel4-5.50/tests/Makefile.am stunnel4-5.54~b3/tests/Makefile.am
--- stunnel4-5.50/tests/Makefile.am	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tests/Makefile.am	2019-04-04 23:08:23.000000000 +0300
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 SUBDIRS = certs
 
diff -Nru stunnel4-5.50/tests/Makefile.in stunnel4-5.54~b3/tests/Makefile.in
--- stunnel4-5.50/tests/Makefile.in	2018-11-09 17:53:56.000000000 +0200
+++ stunnel4-5.54~b3/tests/Makefile.in	2019-04-30 17:03:37.000000000 +0300
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 VPATH = @srcdir@
 am__is_gnu_make = { \
   if test -z '$(MAKELEVEL)'; then \
diff -Nru stunnel4-5.50/tests/recipes/010_require_cert stunnel4-5.54~b3/tests/recipes/010_require_cert
--- stunnel4-5.50/tests/recipes/010_require_cert	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/010_require_cert	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,8 @@
 #!/bin/sh
+
+# Checking if the requireCert option requires a client certificate.
+# The success is expected because the client presents a certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -7,6 +11,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  requireCert = yes
 
   [client]
   client = yes
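Review bot: Moving `requireCert = yes` out of `[server]` (removed in the next hunk) into the global section makes it a default for every service in this config, `[client]` included, so the recipe now exercises option inheritance rather than the per-service setting that the new header comment describes. Either state in the header that the option is set globally on purpose, or keep a second recipe with it under `[server]` so that both placements stay covered.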
@@ -18,7 +23,6 @@
   accept = 127.0.0.1:${https1}
   connect = 127.0.0.1:${http_nc}
   cert = ../certs/server_cert.pem
-  requireCert = yes
 EOT
 }
 
diff -Nru stunnel4-5.50/tests/recipes/011_verify_peer stunnel4-5.54~b3/tests/recipes/011_verify_peer
--- stunnel4-5.50/tests/recipes/011_verify_peer	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/011_verify_peer	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the verifyPeer option verifies the peer certificate.
+# The peer certificate is stored in the file specified with CAfile.
+# The success is expected because the client presents the valid certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/012_verify_chain stunnel4-5.54~b3/tests/recipes/012_verify_chain
--- stunnel4-5.50/tests/recipes/012_verify_chain	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/012_verify_chain	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+# The self-signed root CA certificate is stored in the file specified with CAfile.
+# The success is expected because the server presents the valid certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -7,13 +12,13 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  CAfile = ../certs/CACert.pem
 
   [client]
   client = yes
   accept = 127.0.0.1:${http1}
   connect = 127.0.0.1:${https1}
   verifyChain = yes
-  CAfile = ../certs/CACert.pem
 
   [server]
   accept = 127.0.0.1:${https1}
@@ -22,7 +27,7 @@
 EOT
 }
 
-if grep -q -e "OpenSSL 0.9.8" -e "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL 0\.9\.8" -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "012_verify_chain" "success" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
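Review bot: Escaping the dots and widening the second pattern to `OpenSSL [1-9]` is correct, but the same version test is now copied into 012, 013, 014, 015, 035 and 036 in this patch, in two slightly different forms. Move it into one helper in test_library that the recipes call, so the next OpenSSL version change is a single edit and the "skipped" branches cannot drift apart.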
diff -Nru stunnel4-5.50/tests/recipes/013_CRL_file stunnel4-5.54~b3/tests/recipes/013_CRL_file
--- stunnel4-5.50/tests/recipes/013_CRL_file	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/013_CRL_file	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,11 @@
 #!/bin/sh
+
+# Checking if the CRL is verified.
+# The verifyChain option verifies the peer certificate starting from the root CA.
+# The self-signed root CA certificate is stored in the file specified with CAfile.
+# Certificate Revocation Lists file is stored in the file specified with CRLfile.
+# The success is expected because the server presents the valid certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -7,14 +14,14 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  CAfile = ../certs/CACert.pem
+  CRLfile = ../certs/CACertCRL.pem
 
   [client]
   client = yes
   accept = 127.0.0.1:${http1}
   connect = 127.0.0.1:${https1}
   verifyChain = yes
-  CAfile = ../certs/CACert.pem
-  CRLfile = ../certs/CACertCRL.pem
 
   [server]
   accept = 127.0.0.1:${https1}
@@ -23,7 +30,7 @@
 EOT
 }
 
-if grep -q -e "OpenSSL 0.9.8" -e "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL 0\.9\.8" -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "013_CRL_file" "success" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
diff -Nru stunnel4-5.50/tests/recipes/014_PSK_secrets stunnel4-5.54~b3/tests/recipes/014_PSK_secrets
--- stunnel4-5.50/tests/recipes/014_PSK_secrets	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/014_PSK_secrets	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the PSK authentication works properly.
+# PSK identities and corresponding keys are stored in files specified with PSKsecrets.
+# The success is expected because the client presents the valid PSK.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -21,11 +26,11 @@
 EOT
 }
 
-if grep -q "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "014_PSK_secrets" "success" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
-  else
+  else # older OpenSSL doesn't support PSK
     exit_logs "014_PSK_secrets" "skipped"
     clean_logs
     exit 125
diff -Nru stunnel4-5.50/tests/recipes/015_p12_cert stunnel4-5.54~b3/tests/recipes/015_p12_cert
--- stunnel4-5.50/tests/recipes/015_p12_cert	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/015_p12_cert	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the file containing certificates used by stunnel to authenticate
+# itself against the remote client or server may be in the P12 format.
+# The success is expected because the server presents the valid certificate in the P12 format.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -20,7 +25,7 @@
 EOT
 }
 
-if grep -q "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "015_p12_cert" "success" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
diff -Nru stunnel4-5.50/tests/recipes/020_IPv6 stunnel4-5.54~b3/tests/recipes/020_IPv6
--- stunnel4-5.50/tests/recipes/020_IPv6	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/020_IPv6	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,7 @@
 #!/bin/sh
+
+# Checking if IPv6 is supported.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/021_FIPS stunnel4-5.54~b3/tests/recipes/021_FIPS
--- stunnel4-5.50/tests/recipes/021_FIPS	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/021_FIPS	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,7 @@
 #!/bin/sh
+
+# Checking FIPS mode.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/022_bind stunnel4-5.54~b3/tests/recipes/022_bind
--- stunnel4-5.50/tests/recipes/022_bind	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/022_bind	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Checking if the service does't refuse to start if binding fails for some addresses:ports.
+# Expected logs:
+# LOG6[ui]: Service [server] (FD=7) bound to 127.0.0.1:4433
+# LOG5[ui]: Binding service [server] to 127.0.0.1:4433: Address already in use (98)
+
 . $(dirname $0)/../test_library
 
 start() {
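Review bot: The added header has a typo, "does't" should be "doesn't", and the two expected log lines hard-code `FD=7` and port `4433`, which reads as an exact expectation. Mark them as an example of the log shape, or write the port as the variable the recipe uses rather than a literal.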
diff -Nru stunnel4-5.50/tests/recipes/030_simple_execute stunnel4-5.54~b3/tests/recipes/030_simple_execute
--- stunnel4-5.50/tests/recipes/030_simple_execute	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/030_simple_execute	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,8 @@
 #!/bin/sh
+
+# Simple execute a local inetd-type program.
+# The execArgs option contains arguments for exec including the program name.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -7,6 +11,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  execArgs = execute 030_simple_execute
 
   [client]
   client = yes
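Review bot: `execArgs` now sits in the global section while the `exec` it belongs to stays under `[server]` (see the next hunk), and the header comment added in the first hunk does not say that the split is intentional. Add a line to the header stating that the recipe sets `execArgs` globally on purpose, so a later cleanup does not move it back next to `exec`.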
@@ -16,7 +21,6 @@
   [server]
   accept = 127.0.0.1:${https1}
   exec = ${script_path}/execute
-  execArgs = execute 030_simple_execute
   cert = ../certs/server_cert.pem
 EOT
 }
diff -Nru stunnel4-5.50/tests/recipes/031_redirect stunnel4-5.54~b3/tests/recipes/031_redirect
--- stunnel4-5.50/tests/recipes/031_redirect	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/031_redirect	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Redirect TLS client connections on certificate-based authentication failures.
+# [client_1] -> [server_1] -> [client_3] -> [server_3]
+# The success is expected because the client presents the *wrong* certificate
+# and the client connection is redirected.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/032_no_redirect stunnel4-5.54~b3/tests/recipes/032_no_redirect
--- stunnel4-5.50/tests/recipes/032_no_redirect	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/032_no_redirect	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Do not redirect TLS client connections on certificate-based authentication success.
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
+# The success is expected because the client presents the *correct* certificate
+# and the client connection isn't redirected.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/033_redirect_exec stunnel4-5.54~b3/tests/recipes/033_redirect_exec
--- stunnel4-5.50/tests/recipes/033_redirect_exec	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/033_redirect_exec	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Redirect TLS client connections on certificate-based authentication failures.
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
+# The success is expected because the client presents the *wrong* certificate
+# and the client connection is redirected.
+
 . $(dirname $0)/../test_library
 
 start() {
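Review bot: This header repeats the text added to 031_redirect and never mentions `exec`, so it does not say what the exec variant covers; only the service chain differs (`[client_2] -> [server_2]` here, `[client_3] -> [server_3]` in 031). State which service in the chain is the exec one and what the redirect target is expected to do.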
diff -Nru stunnel4-5.50/tests/recipes/034_no_redirect_exec stunnel4-5.54~b3/tests/recipes/034_no_redirect_exec
--- stunnel4-5.50/tests/recipes/034_no_redirect_exec	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/034_no_redirect_exec	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Do not redirect TLS client connections on certificate-based authentication success.
+# [client_1] -> [server_1]
+# The success is expected because the client presents the *correct* certificate
+# and the client connection isn't redirected.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/035_SNI stunnel4-5.54~b3/tests/recipes/035_SNI
--- stunnel4-5.50/tests/recipes/035_SNI	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/035_SNI	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,11 @@
 #!/bin/sh
+
+# Use the service as a slave service (a name-based virtual server) for Server Name Indication TLS extension.
+# SERVICE_NAME (server_virtual) specifies the master service that accepts client connections with the accept option.
+# SERVER_NAME_PATTERN (*.mydomain.com) specifies the host name to be redirected.
+# The success is expected because the client presents the sni pattern (sni.mydomain.com)
+# corresponding with SERVER_NAME_PATTERN (*.mydomain.com).
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -31,11 +38,11 @@
 EOT
 }
 
-if grep -q "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "035_SNI" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
-  else
+  else # older OpenSSL doesn't support sni
     exit_logs "035_SNI" "skipped"
     clean_logs
     exit 125
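Review bot: the version probe on the changed 'if grep -q -e "OpenSSL [1-9]"' line is an unanchored substring match against results.log, and the same literal is repeated in 036_no_SNI, 046_resume_PSK, 050_ticket_secrets and 114_failure_PSK_secrets. Suggest moving it into a single helper in test_library so the next change to the version test touches one place; the '-e' is also unnecessary with a single pattern.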
diff -Nru stunnel4-5.50/tests/recipes/036_no_SNI stunnel4-5.54~b3/tests/recipes/036_no_SNI
--- stunnel4-5.50/tests/recipes/036_no_SNI	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/036_no_SNI	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Use the service as a slave service (a name-based virtual server) for Server Name Indication TLS extension.
+# SERVICE_NAME (server_virtual) specifies the master service that accepts client connections with the accept option.
+# SERVER_NAME_PATTERN sni.mydomain.com) specifies the host name to be redirected.
+# The success is expected because the client doesn't present any sni pattern.
+
 . $(dirname $0)/../test_library
 
 start() {
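Review bot: the added comment line '# SERVER_NAME_PATTERN sni.mydomain.com) specifies the host name to be redirected.' is missing its opening parenthesis; 035_SNI writes the same sentence as 'SERVER_NAME_PATTERN (*.mydomain.com)'. Please fix it to '(sni.mydomain.com)' so the two headers read the same way.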
@@ -28,11 +34,11 @@
 EOT
 }
 
-if grep -q "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "036_no_SNI" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
-  else
+  else # older OpenSSL doesn't support sni
     exit_logs "036_no_SNI" "skipped"
     clean_logs
     exit 125
diff -Nru stunnel4-5.50/tests/recipes/037_failover_prio1 stunnel4-5.54~b3/tests/recipes/037_failover_prio1
--- stunnel4-5.50/tests/recipes/037_failover_prio1	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/037_failover_prio1	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the failover strategy  for multiple "connect" targets.
+# The priority (prio) strategy uses the order specified in the config file.
+# All connections to the [server_1] service are expected.
+
 . $(dirname $0)/../test_library
 
 start() {
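Review bot: the first added comment line, '# Checking if the failover strategy  for multiple "connect" targets.', has no verb and a doubled space, and the same sentence is copied into 038_failover_prio2 and 039_failover_rr. Something like 'Checking the failover strategy for multiple "connect" targets.' would read correctly in all three.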
@@ -7,10 +12,10 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  failover = prio
 
   [client]
   client = yes
-  failover = prio
   accept = 127.0.0.1:${http1}
   connect = 127.0.0.1:${https1}
   connect = 127.0.0.1:${https2}
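Review bot: 'failover = prio' moves out of [client] into the global section here, and nothing in the header comment added to this file says why. If the option is now only valid, or only meant to be tested, at global level, state that in the comment; otherwise this recipe no longer exercises the service-level form it covered before.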
diff -Nru stunnel4-5.50/tests/recipes/038_failover_prio2 stunnel4-5.54~b3/tests/recipes/038_failover_prio2
--- stunnel4-5.50/tests/recipes/038_failover_prio2	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/038_failover_prio2	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the failover strategy  for multiple "connect" targets.
+# The priority (prio) strategy uses the order specified in the config file.
+# All connections to the [server_2] service are expected.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/039_failover_rr stunnel4-5.54~b3/tests/recipes/039_failover_rr
--- stunnel4-5.50/tests/recipes/039_failover_rr	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/039_failover_rr	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the failover strategy  for multiple "connect" targets.
+# The round robin (rr) strategy ensures fair load distribution.
+# At least one connection with each service is expected.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -7,10 +12,10 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  failover = rr
 
   [client]
   client = yes
-  failover = rr
   accept = 127.0.0.1:${http1}
   connect = 127.0.0.1:${https1}
   connect = 127.0.0.1:${https2}
diff -Nru stunnel4-5.50/tests/recipes/040_reload stunnel4-5.54~b3/tests/recipes/040_reload
--- stunnel4-5.50/tests/recipes/040_reload	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/040_reload	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,8 @@
 #!/bin/sh
+
+# Checking if the stunnel works correctly after reloading the configuration.
+# kill -HUP PID is called in reload_stunnel().
+
 . $(dirname $0)/../test_library
 
 set_config() {
diff -Nru stunnel4-5.50/tests/recipes/041_exec_connect stunnel4-5.54~b3/tests/recipes/041_exec_connect
--- stunnel4-5.50/tests/recipes/041_exec_connect	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/041_exec_connect	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,8 @@
 #!/bin/sh
+
+# Simple execute a local inetd-type program in the client service.
+# The execArgs option contains arguments for exec including the program name.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/042_inetd stunnel4-5.54~b3/tests/recipes/042_inetd
--- stunnel4-5.50/tests/recipes/042_inetd	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/042_inetd	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,7 @@
 #!/bin/sh
+
+# inetd mode
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -8,11 +11,11 @@
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
 
-  [server]
   accept = 127.0.0.1:${https1}
   exec = ${script_path}/execute
   execArgs = execute 042_inetd
   cert = ../certs/server_cert.pem
+  [server]
 EOT
 }
 
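Review bot: the '[server]' header now sits on the last line before EOT, so it opens a section with no options while accept, exec, execArgs and cert have become global options. If that placement is what inetd mode requires, the one-line '# inetd mode' header added above should explain it; if the section is no longer needed, drop the header instead of leaving it empty.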
diff -Nru stunnel4-5.50/tests/recipes/043_session_delay stunnel4-5.54~b3/tests/recipes/043_session_delay
--- stunnel4-5.50/tests/recipes/043_session_delay	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/043_session_delay	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Checking if the delay option works properly when the session is resumed.
+# This option delays DNS lookup for the connect option.
+# Delayed resolver inflicts failover = prio.
+# Just "1" "accepted: new session negotiated" log for [server_1] service is expected.
+
 . $(dirname $0)/../test_library
 
 start() {
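Review bot: in the added header, '# Delayed resolver inflicts failover = prio.' is hard to parse; 'implies' or 'forces' is presumably what is meant. Since the next hunk also moves 'delay' and 'retry' to the global section, this comment is the place to say that the expectation of exactly one new session depends on that implied prio behaviour.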
@@ -8,13 +14,14 @@
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
 
+  delay = yes
+  retry = yes
+
   [client]
   client = yes
   exec = ${script_path}/execute_read
   execArgs = execute_read ${result_path}/temp.log
   connect = 127.0.0.1:${https1}
-  delay = yes
-  retry = yes
 
   [server_1]
   accept = 127.0.0.1:${https1}
@@ -28,7 +35,7 @@
   then
     test_log_for "043_session_delay" "session" "1" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
-  else
+  else # the resumption of the session does not work for the FORK model
     exit_logs "043_session_delay" "skipped"
     exit 125
   fi
diff -Nru stunnel4-5.50/tests/recipes/044_session_nodelay stunnel4-5.54~b3/tests/recipes/044_session_nodelay
--- stunnel4-5.50/tests/recipes/044_session_nodelay	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/044_session_nodelay	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Checking if disable delay option works properly when the session is resumed.
+# This option delays DNS lookup for the connect option.
+# Exactly "2" "accepted: new session negotiated" logs for [server_1]
+# and [server_2] services are expected, becouse failover = rr
+
 . $(dirname $0)/../test_library
 
 start() {
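Review bot: two wording problems in the added header: 'Checking if disable delay option works properly' should be something like 'Checking if disabling the delay option works properly', and 'becouse' is misspelled (it recurs in 046_resume_PSK, 047_resume_redirect and 048_resume_noredirect). The second line, 'This option delays DNS lookup for the connect option', is copied from 043 and reads oddly in a test that sets 'delay = no'.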
@@ -8,14 +14,16 @@
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
 
+  delay = no
+  failover = rr
+  retry = yes
+
   [client]
   client = yes
-  failover = rr
   exec = ${script_path}/execute_read
   execArgs = execute_read ${result_path}/temp.log
   connect = 127.0.0.1:${https1}
   connect = 127.0.0.1:${https2}
-  retry = yes
 
   [server_1]
   accept = 127.0.0.1:${https1}
@@ -35,7 +43,7 @@
   then
     test_log_for "044_session_nodelay" "session" "2" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
-  else
+  else # the resumption of the session does not work for the FORK model
     exit_logs "044_session_nodelay" "skipped"
     exit 125
   fi
diff -Nru stunnel4-5.50/tests/recipes/045_include stunnel4-5.54~b3/tests/recipes/045_include
--- stunnel4-5.50/tests/recipes/045_include	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/045_include	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,8 @@
 #!/bin/sh
+
+# Checking if stunnel works with the configuration placed in a few files.
+# All configuration file parts are located in the directory specified with include.
+
 . $(dirname $0)/../test_library
 
 set_config() {
diff -Nru stunnel4-5.50/tests/recipes/046_resume_PSK stunnel4-5.54~b3/tests/recipes/046_resume_PSK
--- stunnel4-5.50/tests/recipes/046_resume_PSK	2018-11-05 09:19:29.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/046_resume_PSK	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,10 @@
 #!/bin/sh
+
+# Checking if the PSK authentication works properly when the session is resumed.
+# PSK identities and corresponding keys are stored in files specified with PSKsecrets.
+# Just "1" "accepted: new session negotiated" log is expected for [server] service
+# becouse the client presents the valid PSK.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -8,16 +14,17 @@
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
 
+  delay = yes
+  retry = yes
+
   [client]
   client = yes
   exec = ${script_path}/execute_read
   execArgs = execute_read ${result_path}/temp.log
   connect = 127.0.0.1:${https1}
-  delay = yes
-  retry = yes
   PSKsecrets = ../certs/psk1.txt
 
-  [server_1]
+  [server]
   accept = 127.0.0.1:${https1}
   exec = ${script_path}/execute
   execArgs = execute 046_resume_PSK
@@ -25,7 +32,9 @@
 EOT
 }
 
-if grep -q "OpenSSL 1" "results.log" && ! grep -q "FORK" "results.log"
+# The PSKsecrets option is only available when compiled with OpenSSL 1.0.0 and later.
+# The resumption of the session does not work for the FORK model
+if grep -q -e "OpenSSL [1-9]" "results.log" && ! grep -q "FORK" "results.log"
   then
     test_log_for "046_resume_PSK" "session" "1" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
diff -Nru stunnel4-5.50/tests/recipes/047_resume_redirect stunnel4-5.54~b3/tests/recipes/047_resume_redirect
--- stunnel4-5.50/tests/recipes/047_resume_redirect	1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/047_resume_redirect	2019-03-26 17:16:45.000000000 +0200
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+# Checking if redirect TLS client connections works properly when the session is resumed.
+# Redirect TLS client connections on certificate-based authentication failures.
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
+# Exactly "2" "accepted: new session negotiated" logs for [server_1]
+# and [server_2] services are expected, becouse the client presents the wrong certificate.
+
+. $(dirname $0)/../test_library
+
+start() {
+  ../../src/stunnel -fd 0 <<EOT
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel.pid
+  output = ${result_path}/stunnel.log
+
+  retry = yes
+
+  [client_1]
+  client = yes
+  exec = ${script_path}/execute_read
+  execArgs = execute_read ${result_path}/temp.log
+  connect = 127.0.0.1:${https1}
+  ;cert = ../certs/client_cert.pem
+;wrong certificate
+  cert = ../certs/stunnel.pem
+
+  [client_2]
+  client = yes
+  accept = 127.0.0.1:${http2}
+  connect = 127.0.0.1:${https2}
+
+  [server_1]
+  accept = 127.0.0.1:${https1}
+  exec = ${script_path}/execute
+  execArgs = execute 047_resume_redirect_error
+  redirect = ${http2}
+  cert = ../certs/server_cert.pem
+  verifyPeer = yes
+  CAfile = ../certs/PeerCerts.pem
+
+  [server_2]
+  accept = 127.0.0.1:${https2}
+  cert = ../certs/server_cert.pem
+  exec = ${script_path}/execute
+  execArgs = execute 047_resume_redirect
+EOT
+}
+
+if ! grep -q "FORK" "results.log"
+  then
+    test_log_for "047_resume_redirect" "session" "2" "$1" "$2" "$3" 2>> "stderr.log"
+    exit $?
+  else # the resumption of the session does not work for the FORK model
+    exit_logs "047_resume_redirect" "skipped"
+    exit 125
+  fi
+exit $?
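Review bot: the final 'exit $?' is unreachable, because both branches of the preceding 'if ! grep -q "FORK"' block already leave the script ('exit $?' and 'exit 125'); 050_ticket_secrets ends at 'fi' and this file should too. Minor points in the same file: the ';wrong certificate' line is the only config line that is not indented, and the commented-out ';cert = ../certs/client_cert.pem' above it adds nothing once that comment is there.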
diff -Nru stunnel4-5.50/tests/recipes/048_resume_noredirect stunnel4-5.54~b3/tests/recipes/048_resume_noredirect
--- stunnel4-5.50/tests/recipes/048_resume_noredirect	1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/048_resume_noredirect	2019-03-26 17:16:45.000000000 +0200
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+# Checking if redirect TLS client connections works properly when the session is resumed.
+# Do not redirect TLS client connections on certificate-based authentication success.
+# [client_1] -> [server_1]
+# Just "1" "accepted: new session negotiated" log for [server_1] service
+# is expected, becouse the client presents the correct certificate.
+
+. $(dirname $0)/../test_library
+
+start() {
+  ../../src/stunnel -fd 0 <<EOT
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel.pid
+  output = ${result_path}/stunnel.log
+
+  retry = yes
+
+  [client_1]
+  client = yes
+  exec = ${script_path}/execute_read
+  execArgs = execute_read ${result_path}/temp.log
+  connect = 127.0.0.1:${https1}
+;correct certificate
+  cert = ../certs/client_cert.pem
+
+  [client_2]
+  client = yes
+  accept = 127.0.0.1:${http2}
+  connect = 127.0.0.1:${https2}
+
+  [server_1]
+  accept = 127.0.0.1:${https1}
+  exec = ${script_path}/execute
+  execArgs = execute 048_resume_noredirect
+  redirect = ${http2}
+  cert = ../certs/server_cert.pem
+  verifyPeer = yes
+  CAfile = ../certs/PeerCerts.pem
+
+  [server_2]
+  accept = 127.0.0.1:${https2}
+  cert = ../certs/server_cert.pem
+  exec = ${script_path}/execute
+  execArgs = execute 048_resume_noredirect_error
+EOT
+}
+
+if ! grep -q "FORK" "results.log"
+  then
+    test_log_for "048_resume_noredirect" "session" "1" "$1" "$2" "$3" 2>> "stderr.log"
+    exit $?
+  else # the resumption of the session does not work for the FORK model
+    exit_logs "048_resume_noredirect" "skipped"
+    exit 125
+  fi
+exit $?
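Review bot: [server_2] uses 'execArgs = execute 048_resume_noredirect_error' as its should-not-be-reached marker, but the success check in the test_library hunks searches temp.log for 'test $1.*success' with $1 = 048_resume_noredirect, and that pattern is also satisfied by the '_error' name if the helper echoes its argument into that line. The session count is then the only thing separating the redirected and non-redirected paths; a marker that does not have the test name as a prefix would make the text check meaningful on its own. The trailing 'exit $?' after 'fi' is unreachable here as well.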
diff -Nru stunnel4-5.50/tests/recipes/050_ticket_secrets stunnel4-5.54~b3/tests/recipes/050_ticket_secrets
--- stunnel4-5.50/tests/recipes/050_ticket_secrets	1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/050_ticket_secrets	2019-04-30 17:03:21.000000000 +0300
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+# Checking if the reloaded server resume the session with secret keys for
+# the session ticket processing.
+# Just "1" "accepted: new session negotiated" log for the [server] service
+# is expected for the first connection, and "0" for the second connection
+# because the server holds keys for the session ticket processing.
+# Disabling "NO_TICKET" option is required for the ticket support in OpenSSL older than 1.1.1.
+
+. $(dirname $0)/../test_library
+
+start() {
+  ../../src/stunnel -fd 9 9<<EOT
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel.pid
+  output = ${result_path}/stunnel.log
+
+  delay = yes
+  retry = yes
+
+  [client]
+  client = yes
+  exec = ${script_path}/execute_read
+  execArgs = execute_read ${result_path}/temp.log
+  connect = 127.0.0.1:${https1}
+  cert = ../certs/client_cert.pem
+EOT
+}
+
+start_server() {
+  ../../src/stunnel -fd 0 <<EOT
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel_s.pid
+  output = ${result_path}/stunnel_s.log
+  log = overwrite
+
+  options = -NO_TICKET
+  ticketKeySecret = 6c:42:72:46:57:23:3a:3d:4b:54:2d:7b:55:4b:6e:8f:32:5c:21:6a:2e:6e:47:31:57:20:2f:75:26:7b:4d:25
+  ticketMacSecret = 3f:3c:77:53:32:48:79:76:75:7a:50:33:70:65:47:27:32:79:73:7e:73:2c:21:6c:3a:6f:30:28:4c:5c:27:1f
+
+  [server]
+  accept = 127.0.0.1:${https1}
+  exec = ${script_path}/execute
+  execArgs = execute 050_ticket_secrets
+  cert = ../certs/server_cert.pem
+  verifyPeer = yes
+  CAfile = ../certs/PeerCerts.pem
+EOT
+}
+
+if grep -q -e "OpenSSL [1-9]" "results.log" && ! grep -q "FORK" "results.log"
+  then
+    test_log_for "050_ticket_secrets" "instances" "1" "$1" "$2" "$3" 2>> "stderr.log"
+    exit $?
+  else # the resumption of the session does not work for the FORK model
+    exit_logs "050_ticket_secrets" "skipped"
+    exit 125
+  fi
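Review bot: 'ticketKeySecret' and 'ticketMacSecret' in start_server() are committed as literal values with no comment; please mark them as test-only fixtures so they are not copied into a real configuration, where anyone holding them could decrypt and forge session tickets. Two smaller points: the 'else' comment mentions only the FORK model although the condition also skips on the 'OpenSSL [1-9]' check, and start() uses '-fd 9 9<<EOT' while start_server() uses '-fd 0 <<EOT' without saying why the descriptors differ.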
diff -Nru stunnel4-5.50/tests/recipes/110_failure_require_cert stunnel4-5.54~b3/tests/recipes/110_failure_require_cert
--- stunnel4-5.50/tests/recipes/110_failure_require_cert	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/110_failure_require_cert	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,8 @@
 #!/bin/sh
+
+# Checking if the requireCert option requires a client certificate.
+# The failure is expected because the client does not present the certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/111_failure_verify_peer stunnel4-5.54~b3/tests/recipes/111_failure_verify_peer
--- stunnel4-5.50/tests/recipes/111_failure_verify_peer	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/111_failure_verify_peer	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the verifyPeer option verifies the peer certificate.
+# The valid peer certificate is stored in the file specified with CAfile.
+# The failure is expected because the client presents an incorrect certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/112_failure_verify_chain stunnel4-5.54~b3/tests/recipes/112_failure_verify_chain
--- stunnel4-5.50/tests/recipes/112_failure_verify_chain	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/112_failure_verify_chain	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+# The self-signed root CA certificate is stored in the file specified with CAfile.
+# The failure is expected because the server presents an incorrect certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/113_failure_CRL_file stunnel4-5.54~b3/tests/recipes/113_failure_CRL_file
--- stunnel4-5.50/tests/recipes/113_failure_CRL_file	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/113_failure_CRL_file	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,11 @@
 #!/bin/sh
+
+# Checking if the CRL is verified.
+# The verifyChain option verifies the peer certificate starting from the root CA.
+# The self-signed root CA certificate is stored in the file specified with CAfile.
+# Certificate Revocation Lists file is stored in the file specified with CRLfile.
+# The failure is expected because the server presents the revoked certificate.
+
 . $(dirname $0)/../test_library
 
 start() {
diff -Nru stunnel4-5.50/tests/recipes/114_failure_PSK_secrets stunnel4-5.54~b3/tests/recipes/114_failure_PSK_secrets
--- stunnel4-5.50/tests/recipes/114_failure_PSK_secrets	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/114_failure_PSK_secrets	2019-03-26 17:16:45.000000000 +0200
@@ -1,4 +1,9 @@
 #!/bin/sh
+
+# Checking if the PSK authentication works properly.
+# PSK identities and corresponding keys are stored in files specified with PSKsecrets.
+# The failure is expected because the client presented an incorrect key.
+
 . $(dirname $0)/../test_library
 
 start() {
@@ -17,16 +22,15 @@
   [server]
   accept = 127.0.0.1:${https1}
   connect = 127.0.0.1:${http_nc}
-  ciphers = PSK
   PSKsecrets = ../certs/secrets.txt
 EOT
 }
 
-if grep -q "OpenSSL 1" "results.log"
+if grep -q -e "OpenSSL [1-9]" "results.log"
   then
     test_log_for "114_failure_PSK_secrets" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log"
     exit $?
-  else
+  else # older OpenSSL doesn't support PSK
     exit_logs "114_failure_PSK_secrets" "skipped" "error"
     exit 125
   fi
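Review bot: 'ciphers = PSK' is removed from [server] with no explanation in the header comment added in the first hunk of this file. If PSK suites are now selected automatically when PSKsecrets is set, say so; otherwise confirm that the expected failure still comes from the incorrect key and not from a certificate-less handshake failing for a different reason.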
diff -Nru stunnel4-5.50/tests/recipes/115_failure_wrong_config stunnel4-5.54~b3/tests/recipes/115_failure_wrong_config
--- stunnel4-5.50/tests/recipes/115_failure_wrong_config	1970-01-01 02:00:00.000000000 +0200
+++ stunnel4-5.54~b3/tests/recipes/115_failure_wrong_config	2019-03-26 17:16:45.000000000 +0200
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# Checking the wrong configuration.
+# The failure is expected because there is no connect option in the client service.
+
+. $(dirname $0)/../test_library
+
+start() {
+  ../../src/stunnel -fd 0 <<EOT
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel.pid
+  output = ${result_path}/stunnel.log
+
+  [client]
+  client = yes
+  accept = 127.0.0.1:${http1}
+  ;*** error***
+  ;connect = 127.0.0.1:${https1}
+  cert = ../certs/client_cert.pem
+
+  [server]
+  accept = 127.0.0.1:${https1}
+  connect = 127.0.0.1:${http_nc}
+  cert = ../certs/server_cert.pem
+EOT
+}
+
+test_log_for "115_failure_wrong_config" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?
+
+
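Review bot: the new file ends with two empty lines after 'exit $?'; they were carried over from 121_failure_wrong_config, which this file replaces, and can be dropped. Apart from the test name and the added header the body is identical to the removed 121 recipe, so recording this as a rename would keep the history readable.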
diff -Nru stunnel4-5.50/tests/recipes/120_failure_no_cert stunnel4-5.54~b3/tests/recipes/120_failure_no_cert
--- stunnel4-5.50/tests/recipes/120_failure_no_cert	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/120_failure_no_cert	1970-01-01 02:00:00.000000000 +0200
@@ -1,26 +0,0 @@
-#!/bin/sh
-. $(dirname $0)/../test_library
-
-start() {
-  ../../src/stunnel -fd 0 <<EOT
-  debug = debug
-  syslog = no
-  pid = ${result_path}/stunnel.pid
-  output = ${result_path}/stunnel.log
-
-  [client]
-  client = yes
-  accept = 127.0.0.1:${http1}
-  connect = 127.0.0.1:${https1}
-
-  [server]
-  accept = 127.0.0.1:${https1}
-  connect = 127.0.0.1:${http_nc}
-  cert = ../certs/server_cert.pem
-  ;*** error***
-  requireCert = yes
-EOT
-}
-
-test_log_for "120_failure_no_cert" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log"
-exit $?
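Review bot: this recipe, which set 'requireCert = yes' on the server while the client had no 'cert', is deleted without a replacement in this diff. The header added to 110_failure_require_cert describes the same scenario, so the removal looks like de-duplication, but please confirm that 110 really covers the no-client-certificate case before dropping a negative authentication test.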
diff -Nru stunnel4-5.50/tests/recipes/121_failure_wrong_config stunnel4-5.54~b3/tests/recipes/121_failure_wrong_config
--- stunnel4-5.50/tests/recipes/121_failure_wrong_config	2018-10-11 12:19:45.000000000 +0300
+++ stunnel4-5.54~b3/tests/recipes/121_failure_wrong_config	1970-01-01 02:00:00.000000000 +0200
@@ -1,28 +0,0 @@
-#!/bin/sh
-. $(dirname $0)/../test_library
-
-start() {
-  ../../src/stunnel -fd 0 <<EOT
-  debug = debug
-  syslog = no
-  pid = ${result_path}/stunnel.pid
-  output = ${result_path}/stunnel.log
-
-  [client]
-  client = yes
-  accept = 127.0.0.1:${http1}
-  ;*** error***
-  ;connect = 127.0.0.1:${https1}
-  cert = ../certs/client_cert.pem
-
-  [server]
-  accept = 127.0.0.1:${https1}
-  connect = 127.0.0.1:${http_nc}
-  cert = ../certs/server_cert.pem
-EOT
-}
-
-test_log_for "121_failure_wrong_config" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log"
-exit $?
-
-
diff -Nru stunnel4-5.50/tests/test_library stunnel4-5.54~b3/tests/test_library
--- stunnel4-5.50/tests/test_library	2018-08-09 08:43:52.000000000 +0300
+++ stunnel4-5.54~b3/tests/test_library	2019-04-30 17:03:21.000000000 +0300
@@ -226,11 +226,12 @@
 }
 
 killing_stunnel() {
+  # $1 = file name
 
   local result=0
-  if kill -TERM $(tail "stunnel.pid") 2>> "stderr_nc.log"
+  if kill -TERM $(tail "$1.pid") 2>> "stderr_nc.log"
     then
-      waiting_for "stunnel" "Removed pid file"
+      waiting_for "$1" "Removed pid file"
     else
       exit_code="failed"
       result=1
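Review bot: killing_stunnel() now depends on $1 but never checks that it was passed; a call without an argument would read '.pid' and wait on an empty log name. Every call site visible in this diff passes a name, but a guard at the top of the function (fail when $1 is empty) would turn a silent hang into an immediate error. The command substitution '$(tail "$1.pid")' is also unquoted, so an empty or multi-line pid file gives 'kill' no argument or several.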
@@ -375,7 +376,7 @@
         else # ncat (nc) failed
           result=1
         fi
-      if ! killing_stunnel
+      if ! killing_stunnel stunnel
         then
           result=1
         fi
@@ -410,7 +411,7 @@
         else # ncat (nc) failed
           result=1
         fi
-      if ! killing_stunnel
+      if ! killing_stunnel stunnel
         then
           result=1
         fi
@@ -434,7 +435,7 @@
   if no_file "error.log"
     then
       sending_ncat "$1"
-      if ! killing_stunnel
+      if ! killing_stunnel stunnel
         then
           result=1
         fi
@@ -486,7 +487,7 @@
           printf "%s\n" "*** inetd mode ***" >> "stunnel.log"
           cat "stunnel_0.log" >> "stunnel.log"
         fi
-      if ! killing_stunnel
+      if ! killing_stunnel stunnel
         then
           result=1
         fi
@@ -548,7 +549,7 @@
           rm -f "stunnel_$j.log"
           j=$((j + 1))
         done
-      if ! killing_stunnel
+      if ! killing_stunnel stunnel
         then
           result=1
         fi
@@ -605,7 +606,7 @@
           rm -f "stunnel_$j.log"
           j=$((j + 1))
         done
-      if ! killing_stunnel
+      if ! killing_stunnel stunnel
         then
           result=1
         fi
@@ -659,8 +660,11 @@
         then
           result=1
         fi
-      finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN"
-      result=$?
+      if [ $result -eq 0 ]
+        then
+          finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN"
+          result=$?
+        fi
       j=$(grep -c "accepted: new session negotiated" "stunnel.log")
       if [ $result -eq 0 ] && [ $j -ne $2 ]
         then
@@ -678,6 +682,74 @@
   return $result
 }
 
+two_instances() {
+  # $1 = test name
+  # $2 = number of new connections
+
+  local result=0
+  local i=0
+  local j=0
+  check_ports "$1"
+  start_stunnel "$1"
+  if no_file "error.log"
+    then
+      waiting_for "stunnel" "Created pid file"
+      start_server 2> "error.log"
+      if no_file "error.log"
+        then
+          waiting_for "stunnel_s" "Created pid file"
+          while [ $i -le 2 ]
+            do
+              i=$(grep -c "Retrying an exec+connect section" "stunnel.log")
+            done
+          if ! killing_stunnel stunnel_s
+            then
+              result=1
+            fi
+          cat stunnel_s.log >> "stunnel.log"
+          start_server 2>> "error.log"
+          waiting_for "stunnel_s" "Created pid file"
+          while [ $i -le 3 ]
+            do
+              i=$(grep -c "Retrying an exec+connect section" "stunnel.log")
+            done
+          if ! killing_stunnel stunnel_s
+            then
+              result=1
+            fi
+          cat stunnel_s.log >> "stunnel.log"
+          if ! killing_stunnel stunnel
+            then
+              result=1
+            fi
+          if [ $result -eq 0 ]
+            then
+              finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN"
+              result=$?
+            fi
+          j=$(grep -c "accepted: new session negotiated" "stunnel.log")
+          if [ $result -eq 0 ] && [ $j -ne $2 ]
+            then
+              exit_code="failed"
+              result=1
+            fi
+        else # server configuration failed
+          killing_stunnel stunnel
+          exit_code="configuration failed"
+          result=1
+        fi
+    else # client configuration failed
+      result=1
+    fi
+  if ! finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log"
+    then
+      result=1
+    fi
+  rm -f "stunnel_s.log"
+  exit_logs "$1" "$exit_code"
+  return $result
+}
+
 myglobal() {
   # $1 = mynetcat name: "ncat" / "nc"
   # $2 = mynetstat name: "netstat" / "ss" / "lsof"
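Review bot: both 'while [ $i -le 2 ]' and 'while [ $i -le 3 ]' in two_instances() are busy loops that re-run grep with no sleep and no upper bound, so if the client never logs 'Retrying an exec+connect section' often enough the test spins at full CPU and never finishes. Add a short sleep and a timeout that sets result=1. Also, the result of the second 'start_server 2>> "error.log"' is not checked the way the first is, and the '# client configuration failed' branch sets result=1 without setting exit_code.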
@@ -716,6 +788,7 @@
     "prio") loop_prio "$1";;
     "rr") loop_rr "$1";;
     "session") loop_session "$1" "$3";;
+    "instances") two_instances "$1" "$3";;
   esac
   result=$?
   clean_logs
diff -Nru stunnel4-5.50/TODO stunnel4-5.54~b3/TODO
--- stunnel4-5.50/TODO	2018-06-08 20:30:06.000000000 +0300
+++ stunnel4-5.54~b3/TODO	2019-04-13 16:58:50.000000000 +0300
@@ -16,9 +16,6 @@
 * An Android GUI.
 * OCSP stapling (tlsext_status).
 * Indirect CRL support (RFC 3280, section 5).
-* Provide 64-bit Windows builds (besides 32-bit builds).
-  This requires either Microsoft Visual Studio Standard Edition or Microsoft
-  Visual Studio Professional Edition in order to retain FIPS compliance.
 * MSI installer for Windows.
 * Add user-defined headers to CONNECT proxy requests.
   This can be used to impersonate other software (e.g. web browsers).
diff -Nru stunnel4-5.50/tools/Makefile.am stunnel4-5.54~b3/tools/Makefile.am
--- stunnel4-5.50/tools/Makefile.am	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tools/Makefile.am	2019-04-04 23:08:23.000000000 +0300
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh makecert.sh
 EXTRA_DIST += openssl.cnf stunnel.nsi stunnel.license stunnel.conf
diff -Nru stunnel4-5.50/tools/Makefile.in stunnel4-5.54~b3/tools/Makefile.in
--- stunnel4-5.50/tools/Makefile.in	2018-11-09 17:53:56.000000000 +0200
+++ stunnel4-5.54~b3/tools/Makefile.in	2019-04-30 17:03:37.000000000 +0300
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
diff -Nru stunnel4-5.50/tools/openssl.cnf stunnel4-5.54~b3/tools/openssl.cnf
--- stunnel4-5.50/tools/openssl.cnf	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tools/openssl.cnf	2019-04-04 23:08:23.000000000 +0300
@@ -1,5 +1,5 @@
 # OpenSSL configuration file to create a server certificate
-# by Michal Trojnara 1998-2018
+# by Michal Trojnara 1998-2019
 
 [ req ]
 # comment out the next line to protect the private key with a passphrase
diff -Nru stunnel4-5.50/tools/stunnel.conf stunnel4-5.54~b3/tools/stunnel.conf
--- stunnel4-5.50/tools/stunnel.conf	2018-12-03 00:47:18.000000000 +0200
+++ stunnel4-5.54~b3/tools/stunnel.conf	2019-04-04 23:08:23.000000000 +0300
@@ -1,4 +1,4 @@
-; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2018
+; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2019
 ; Some options used here may be inadequate for your particular configuration
 ; This sample file does *not* represent stunnel.conf defaults
 ; Please consult the manual for detailed description of available options
diff -Nru stunnel4-5.50/tools/stunnel.conf-sample.in stunnel4-5.54~b3/tools/stunnel.conf-sample.in
--- stunnel4-5.50/tools/stunnel.conf-sample.in	2018-12-03 00:47:18.000000000 +0200
+++ stunnel4-5.54~b3/tools/stunnel.conf-sample.in	2019-04-04 23:08:23.000000000 +0300
@@ -1,4 +1,4 @@
-; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2018
+; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2019
 ; Some options used here may be inadequate for your particular configuration
 ; This sample file does *not* represent stunnel.conf defaults
 ; Please consult the manual for detailed description of available options
diff -Nru stunnel4-5.50/tools/stunnel.init.in stunnel4-5.54~b3/tools/stunnel.init.in
--- stunnel4-5.50/tools/stunnel.init.in	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tools/stunnel.init.in	2019-04-30 17:03:21.000000000 +0300
@@ -56,7 +56,7 @@
     ulimit $RLIMITS
   fi
   res=0
-  for file in $FILES; do 
+  for file in $FILES; do
     if [ -f $file ]; then
       echo -n " $file: "
       args="$file $OPTIONS"
@@ -224,7 +224,7 @@
     echo -n "Reloading configuration $DESC:"
     killdaemons HUP
     res=$?
-    ;;  
+    ;;
   restart)
     echo -n "Restarting $DESC:"
     killdaemons && startdaemons
diff -Nru stunnel4-5.50/tools/stunnel.license stunnel4-5.54~b3/tools/stunnel.license
--- stunnel4-5.50/tools/stunnel.license	2018-04-06 17:25:10.000000000 +0300
+++ stunnel4-5.54~b3/tools/stunnel.license	2019-04-04 23:08:23.000000000 +0300
@@ -1,4 +1,4 @@
-Copyright (C) 1998-2018 Michal Trojnara
+Copyright (C) 1998-2019 Michal Trojnara
 
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 
diff -Nru stunnel4-5.50/tools/stunnel.nsi stunnel4-5.54~b3/tools/stunnel.nsi
--- stunnel4-5.50/tools/stunnel.nsi	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tools/stunnel.nsi	2019-04-04 23:08:23.000000000 +0300
@@ -1,4 +1,4 @@
-# NSIS stunnel installer by Michal Trojnara 1998-2018
+# NSIS stunnel installer by Michal Trojnara 1998-2019
 
 !define /ifndef VERSION testing
 !define /ifndef ARCH win32
diff -Nru stunnel4-5.50/tools/stunnel.spec stunnel4-5.54~b3/tools/stunnel.spec
--- stunnel4-5.50/tools/stunnel.spec	2018-10-09 17:37:38.000000000 +0300
+++ stunnel4-5.54~b3/tools/stunnel.spec	2019-04-13 16:58:50.000000000 +0300
@@ -1,5 +1,5 @@
 Name:           stunnel
-Version:        5.50
+Version:        5.54
 Release:        1%{?dist}
 Summary:        An TLS-encrypting socket wrapper
 Group:          Applications/Internet

Attachment: signature.asc
Description: PGP signature

