debian/0000755000000000000000000000000012241166026007166 5ustar debian/lintian.overrides0000644000000000000000000000015712135311447012554 0ustar # No character arrays anywhere in this .so stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so debian/stunnel3.80000644000000000000000000004264712135311447011050 0ustar .\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 .\" .\" Standard preamble: .\" ======================================================================== .de Sh \" Subsection heading .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' .\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .\" .\" For nroff, turn off justification. 
Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .hy 0 .if n .na .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . 
ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "STUNNEL 1" .TH STUNNEL 8 "2003-08-01" " " " " .SH "NAME" stunnel \- universal SSL tunnel .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user] [\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host] [\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBstunnel\fR program is designed to work as an \fI\s-1SSL\s0\fR encryption wrapper between remote clients and local (\fIinetd\fR\-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure \s-1SSL\s0 channels. .PP \&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used \&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network sockets without changes to the source code. .PP This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) .SH "OPTIONS" .IX Header "OPTIONS" .IP "\fB\-h\fR" 4 .IX Item "-h" Print stunnel help menu .IP "\fB\-D\fR level" 4 .IX Item "-D level" Debugging level .Sp Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use \-D debug or \-D 7 for greatest debugging output. The default is notice (5). 
.Sp The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Windows.) .Sp Case is ignored for both facilities and levels. .IP "\fB\-O\fR a|l|r:option=value[:value]" 4 .IX Item "-O a|l|r:option=value[:value]" Set an option on accept/local/remote socket .Sp The values for the linger option are l_onoff:l_linger. The values for time are tv_sec:tv_usec. .Sp \&\fBExamples:\fR .Sp \&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local socket .Sp \&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote sockets .Sp \&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the receive data stream for remote sockets .Sp \&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default) .Sp \&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback interface .Sp The available options and their defaults are: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 87380 SO_SNDBUF -- -- -- 16384 SO_RCVLOWAT -- -- -- 1 SO_SNDLOWAT -- -- -- 1 SO_RCVTIMEO -- -- -- 0:0 SO_SNDTIMEO -- -- -- 0:0 SO_REUSEADDR 1 -- -- 0 SO_BINDTODEVICE -- -- -- -- IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0 .IP "\fB\-o\fR file" 4 .IX Item "-o file" Append log messages to a file. .IP "\fB\-C\fR cipherlist" 4 .IX Item "-C cipherlist" Select permitted \s-1SSL\s0 ciphers .Sp A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection. For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 .IP "\fB\-c\fR" 4 .IX Item "-c" client mode (remote service uses \s-1SSL\s0) .Sp default: server mode .IP "\fB\-T\fR" 4 .IX Item "-T" transparent proxy mode .Sp Re-write address to appear as if wrapped daemon is connecting from the \&\s-1SSL\s0 client machine instead of the machine running stunnel. 
Available only on some operating systems (Linux only, we believe) and then only in server mode. Note that this option will not combine with proxy mode (\-r) unless the client's default route to the target machine lies through the host running stunnel, which cannot be localhost. .IP "\fB\-p\fR pemfile" 4 .IX Item "-p pemfile" private key and certificate chain \s-1PEM\s0 file name .Sp A \s-1PEM\s0 file is always needed in server mode (by default located in \fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode will use this key and certificate chain as a client side certificate chain. Using client side certs is optional. The certificates must be in \s-1PEM\s0 format and must be sorted starting with the certificate to the highest level (root \s-1CA\s0). .IP "\fB\-v\fR level" 4 .IX Item "-v level" verify peer certificate .RS 4 .IP "\(bu" 8 level 1 \- verify the peer certificate only if one is presented .IP "\(bu" 8 level 2 \- require and verify the peer certificate .IP "\(bu" 8 level 3 \- verify the peer against a locally installed certificate .IP "\(bu" 8 default \- no verification (the peer certificate is not checked) .RE .RS 4 .RE .IP "\fB\-a\fR directory" 4 .IX Item "-a directory" client certificate directory .Sp This is the directory in which stunnel will look for certificates when using the \fI\-v\fR options. Note that the certificates in this directory should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the cert. .IP "\fB\-A\fR certfile" 4 .IX Item "-A certfile" Certificate Authority file .Sp This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR options. .IP "\fB\-t\fR timeout" 4 .IX Item "-t timeout" session cache timeout .Sp default: 300 seconds. .IP "\fB\-N\fR servicename" 4 .IX Item "-N servicename" Service name to use for tcpwrappers. If not specified then a tcpwrapper service name will be generated automatically for you. This will also be used when auto-generating pid filenames. 
.IP "\fB\-u\fR ident_username" 4 .IX Item "-u ident_username" Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking .IP "\fB\-n\fR proto" 4 .IX Item "-n proto" Negotiate \s-1SSL\s0 with specified protocol .Sp currently supported: smtp, pop3, nntp .IP "\fB\-E\fR socket" 4 .IX Item "-E socket" Entropy Gathering Daemon socket to use to feed OpenSSL random number generator. (Available only if compiled with OpenSSL 0.9.5a or higher) .IP "\fB\-R\fR filename" 4 .IX Item "-R filename" File containing random input. The \s-1SSL\s0 library will use data from this file first to seed the random number generator. .IP "\fB\-W\fR" 4 .IX Item "-W" Do not overwrite the random seed files with new random data. .IP "\fB\-B\fR bytes" 4 .IX Item "-B bytes" Number of bytes of data read from random seed files. With \s-1SSL\s0 versions less than 0.9.5a, also determines how many bytes of data are considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions have a builtin function to determine when sufficient randomness is available. .IP "\fB\-I\fR host" 4 .IX Item "-I host" \&\s-1IP\s0 of the outgoing interface is used as source for remote connections. Use this option to bind a static local \s-1IP\s0 address, instead. .IP "\fB\-d\fR [host:]port" 4 .IX Item "-d [host:]port" daemon mode .Sp Listen for connections on [host:]port. If no host specified, defaults to all \s-1IP\s0 addresses for the local host. .Sp default: inetd mode .IP "\fB\-f\fR" 4 .IX Item "-f" foreground mode .Sp Stay in foreground (don't fork) and log to stderr instead of via syslog (unless \-o is specified). .Sp default: background in daemon mode .IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 .IX Item "-l program [-- programname [arg1 arg2 arg3...] ]" execute local inetd-type program. .IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 .IX Item "-L program [-- programname [arg1 arg2 arg3...] ]" open local pty and execute program. 
.IP "\fB\-s\fR username" 4 .IX Item "-s username" \&\fIsetuid()\fR to username in daemon mode .IP "\fB\-g\fR groupname" 4 .IX Item "-g groupname" \&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups. .IP "\fB\-P\fR { file | '' }" 4 .IX Item "-P { file | '' }" Pid file location .Sp If the argument is a filename, then that filename will be used for the pid. If the argument is empty ('', not missing), then no pid file will be created. .IP "\fB\-r\fR [host:]port" 4 .IX Item "-r [host:]port" connect to remote service .Sp If no host specified, defaults to localhost. .SH "EXAMPLES" .IX Header "EXAMPLES" In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, use .PP .Vb 1 \& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd .Ve .PP If you want to provide tunneling to your \fIpppd\fR daemon on port 2020, use something like .PP .Vb 1 \& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local .Ve .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR options, it will set the following environment variables .IP "\s-1REMOTE_HOST\s0" 4 .IX Item "REMOTE_HOST" The \s-1IP\s0 address of the remote end of the connection. .IP "\s-1SSL_CLIENT_DN\s0" 4 .IX Item "SSL_CLIENT_DN" The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate, if a certificate was present and verified. .IP "\s-1SSL_CLIENT_I_DN\s0" 4 .IX Item "SSL_CLIENT_I_DN" The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was present and verified. .SH "CERTIFICATES" .IX Header "CERTIFICATES" .IP "\(bu" 4 Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to generate them with the free \fIopenssl\fR package. You can find more information on certificates generation on pages listed below. 
.Sp Two things are important when generating certificate-key pairs for \&\fBstunnel\fR. The private key cannot be encrypted, because the server has no way to obtain the password from the user. To produce an unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR command from the \fIopenssl\fR kit. Because the key is stored unencrypted, the file's permissions should restrict it to the user stunnel runs as. .Sp The order of contents of the \fI.pem\fR file is also important. It should contain the unencrypted private key first, then a signed certificate (not a certificate request). There should also be empty lines after the certificate and the private key. Plaintext certificate information appended at the top of the generated certificate should be discarded. So the file should look like this: .Sp .Vb 8 \& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- \& [encoded key] \& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- \& [empty line] \& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- \& [encoded certificate] \& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- \& [empty line] .Ve .SH "RANDOMNESS" .IX Header "RANDOMNESS" .IP "\(bu" 4 \&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in order for \s-1SSL\s0 to use good randomness. The following sources are loaded in order until sufficient random data has been gathered: .RS 4 .IP "\(bu" 8 The file specified with the \fI\-R\fR flag. .IP "\(bu" 8 The file specified by the \s-1RANDFILE\s0 environment variable, if set. .IP "\(bu" 8 The file .rnd in your home directory, if \s-1RANDFILE\s0 not set. .IP "\(bu" 8 The file specified with '\-\-with\-random' at compile time. .IP "\(bu" 8 The contents of the screen if running on Windows. .IP "\(bu" 8 The egd socket specified with the \fI\-E\fR flag. .IP "\(bu" 8 The egd socket specified with '\-\-with\-egd\-sock' at compile time. .IP "\(bu" 8 The /dev/urandom device. .RE .RS 4 .Sp With recent (>=OpenSSL 0.9.5a) versions of \s-1SSL\s0 it will stop loading random data automatically when sufficient entropy has been gathered. 
With previous versions it will continue to gather from all the above sources since no \s-1SSL\s0 function exists to tell when enough data is available. .Sp Note that on Windows machines that do not have console user interaction (mouse movements, creating windows, etc) the screen contents are not variable enough to be sufficient, and you should provide a random file for use with the \fI\-R\fR flag. .Sp Note that the file specified with the \fI\-R\fR flag should contain random data \*(-- that means it should contain different information each time \&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR flag is used. If you wish to update this file manually, the \fIopenssl rand\fR command in recent versions of OpenSSL would be useful. .Sp One important note \*(-- if /dev/urandom is available, OpenSSL has a habit of seeding the \s-1PRNG\s0 with it even when checking the random state, so on systems with /dev/urandom you're likely to use it even though it's listed at the very bottom of the list above. This isn't stunnel's behaviour, it's OpenSSL's. .RE .SH "LIMITATIONS" .IX Header "LIMITATIONS" .IP "\(bu" 4 \&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers. \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons are available, however. 
.SH "SEE ALSO" .IX Header "SEE ALSO" .RS 4 .IP "\fItcpd\fR\|(8)" 8 .IX Item "tcpd" access control facility for internet services .IP "\fIinetd\fR\|(8)" 8 .IX Item "inetd" internet ``super\-server'' .IP "\fIhttp://stunnel.mirt.net/\fR" 8 .IX Item "http://stunnel.mirt.net/" Stunnel homepage .IP "\fIhttp://www.stunnel.org/\fR" 8 .IX Item "http://www.stunnel.org/" Stunnel Frequently Asked Questions .IP "\fIhttp://www.openssl.org/\fR" 8 .IX Item "http://www.openssl.org/" OpenSSL project website .RE .RS 4 .RE .SH "AUTHOR" .IX Header "AUTHOR" .RS 4 .IP "Michal Trojnara" 8 .IX Item "Michal Trojnara" <\fIMichal.Trojnara@mirt.net\fR> .RE .RS 4 .RE debian/stunnel4.links0000644000000000000000000000014612135311447012006 0ustar /usr/bin/stunnel3 /usr/bin/stunnel /usr/share/man/man8/stunnel3.8.gz /usr/share/man/man8/stunnel.8.gz debian/stunnel4.manpages0000644000000000000000000000010512135311447012454 0ustar doc/stunnel4.8 doc/stunnel4.fr.8 doc/stunnel4.pl.8 debian/stunnel3.8 debian/copyright0000644000000000000000000000431412135311447011124 0ustar This package was downloaded from http://www.stunnel.org/download/source.html and debianized by Paolo Molaro . Copyright (C) 1998-2012 Michal Trojnara src/pty.c is based on Public Domain code by Tatu Ylonen src/vc.mak contains modifications by David Gillingham src/mingw.mak contains modifications by Brian Hatch French documentation translation by Bernard Choppy StunnelConf-0.1.pl is copyright (C) 2004 Sergio Rua The Debian packaging itself is Copyright (C) 1998-2001 Paolo Molaro Copyright (C) 2003-2007 Julien Lemoine Copyright (C) 2007-2012 Rodrigo Gallardo * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. * * In addition, as a special exception, Michal Trojnara gives * permission to link the code of this program with the OpenSSL * library (or with modified versions of OpenSSL that use the same * license as OpenSSL), and distribute linked combinations including * the two. You must obey the GNU General Public License in all * respects for all of the code used other than OpenSSL. If you modify * this file, you may extend this exception to your version of the * file, but you are not obligated to do so. If you do not wish to * do so, delete this exception statement from your version. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL file. debian/source/0000755000000000000000000000000012135311447010467 5ustar debian/source/format0000644000000000000000000000001412135311447011675 0ustar 3.0 (quilt) debian/stunnel4.logrotate0000644000000000000000000000045212135311447012666 0ustar /var/log/stunnel4/*.log { daily missingok rotate 356 compress delaycompress notifempty create 640 stunnel4 stunnel4 sharedscripts postrotate /etc/init.d/stunnel4 reopen-logs > /dev/null endscript } debian/changelog0000644000000000000000000010560712241166026011051 0ustar stunnel4 (3:4.53-1.1ubuntu1) trusty; urgency=low * Use dh_autotools-dev to update config.{sub,guess} for new ports. -- Adam Conrad Thu, 14 Nov 2013 15:28:10 +0000 stunnel4 (3:4.53-1.1) unstable; urgency=high * Non-maintainer upload. * Add CVE-2013-1762.patch patch. 
CVE-2013-1762: Fix buffer overflow in NTLM authentication of the CONNECT protocol negotiation. (Closes: #702267) -- Salvatore Bonaccorso Mon, 22 Apr 2013 19:47:34 +0200 stunnel4 (3:4.53-1) unstable; urgency=low * New upstream version 4.53. - Added client-mode "sni" option to directly control the value of TLS Server Name Indication (RFC 3546) extension (Closes: #668041). - Added support for IP_FREEBIND socket option with a patched Linux kernel. - Glibc-specific dynamic allocation tuning was applied to help unused memory deallocation. - Non-blocking OCSP implementation. - Various other bugfixes, see upstream changelog for details. * Enabled hardening compile flags. There were NO compile time warning messages or errors triggered because of this. * Updated to Standards-Version 3.9.3. No changes required. - Migrating to /run from /var/run will be a hard problem, because we expect user written config files to refer to the directory. We'll punt on making this change for now. * Updated copyright years to 2012. * Added Description: LSB header to init script. -- Luis Rodrigo Gallardo Cruz Sun, 03 Jun 2012 11:34:36 -0700 stunnel4 (3:4.52-1) unstable; urgency=low * New upstream version 4.52. * Do not enable chroot in sample config file. It is misleading to users, it suggests it can be used with no further changes. Closes: #652812 * Remove log files on purge. Closes: #657135 -- Luis Rodrigo Gallardo Cruz Sun, 12 Feb 2012 12:06:37 -0800 stunnel4 (3:4.51~b5-1) experimental; urgency=low * New upstream version - Fixed exec+connect sections (Closes: #653882). - New "compression = deflate" global option to enable RFC 2246 compression. For compatibility with previous versions "compression = zlib" and "compression = rle" also enable the deflate (RFC 2246) compression. - Separate default ciphers and sslVersion for "fips = yes" and "fips = no". -- Luis Rodrigo Gallardo Cruz Wed, 04 Jan 2012 11:24:58 -0800 stunnel4 (3:4.50-1) unstable; urgency=low * New Upstream Releases. 
Highlights: + 4.46: - Added Unix socket support (e.g. "connect = /var/run/stunnel/socket"). - Added "verify = 4" mode to ignore CA chain and only verify peer certificate. - Removed the limit of 16 IP addresses for a single 'connect' option. - Removed the limit of 256 stunnel.conf sections in PTHREAD threading model. + 4.45: - "protocol = proxy" support to send original client IP address to haproxy http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt This requires accept-proxy bind option of haproxy 1.5-dev3 or later. - Libwrap helper processes are no longer started if libwrap is disabled in all sections of the configuration file. - Fixed -l option handling in stunnel3 script (thx to Kai Gülzau). - Script to build default stunnel.pem was fixed (thx to Sebastian Kayser). + 4.44: - Heap buffer overflow protection with canaries. - Stack buffer overflow protection with -fstack-protector. - Fixed garbled error messages on errors with setuid/setgid options. + 4.43: - Major optimization of the logging subsystem. Benchmarks indicate up to 15% stunnel performance improvement. * Remove config.guess and config.sub in clean target, otherwise build fails because of changes in source outside of a patch. Found and fixed by Peter Eisentraut (Closes: #647176). * Updated watchfile to new upstream's directory structure for archived releases. -- Luis Rodrigo Gallardo Cruz Thu, 29 Dec 2011 06:39:09 -0800 stunnel4 (3:4.42-1) unstable; urgency=low * New Upstream Release. - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may possibly be leveraged to perform DoS or remote code execution attacks. (Closes: #638758) - New verify level 0 to request and ignore peer certificate. -- Luis Rodrigo Gallardo Cruz Sat, 27 Aug 2011 08:34:43 -0700 stunnel4 (3:4.40-1) unstable; urgency=low * New Upstream Release: - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters are not provided in stunnel.pem. 
- Default "ciphers" value updated to prefer ECDH: "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH". - Default ECDH curve updated to "prime256v1". - Removed support for temporary RSA keys (used in obsolete export ciphers). -- Luis Rodrigo Gallardo Cruz Sun, 24 Jul 2011 11:06:57 -0700 stunnel4 (3:4.39-1) unstable; urgency=low * New Upstream Releases. Highlights: + 4.38: - Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option "nsi". - "socket" option also accepts "yes" and "no" for flags. - Nagle's algorithm is now disabled by default for improved interactivity. - Bugfix: Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected. + 4.37: - Client-side SNI implemented (RFC 3546 section 3.1). - Default "ciphers" changed from the OpenSSL default to a more secure and faster "RC4-MD5:HIGH:!aNULL:!SSLv2". A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2". - Recommended "options = NO_SSLv2" added to the sample stunnel.conf file. - Default client method upgraded from SSLv3 to TLSv1. To connect servers without TLS support use "sslVersion = SSLv3" option. - Bugfix: Non-blocking socket handling in local mode fixed (Closes: #626856). + 4.36: - Dynamic memory management for strings manipulation: no more static STRLEN limit, lower stack footprint. (Closes: #594876). - Strict public key comparison added for "verify = 3" certificate checking mode (thx to Philipp Hartwig). For more details see upstream ChangeLog. * Removed /usr/lib/stunnel/libstunnel.la file. * Support restarting selected stunnel instances. Thanks Peter Palfrader. (Closes: #627765). -- Luis Rodrigo Gallardo Cruz Thu, 21 Jul 2011 15:46:25 -0700 stunnel4 (3:4.35-2) unstable; urgency=low * Fix variable substitution in init script (Closes: #623221). Thanks Tomas Kapralek for report and diagnosis. 
-- Luis Rodrigo Gallardo Cruz Mon, 18 Apr 2011 20:46:01 -0700 stunnel4 (3:4.35-1) unstable; urgency=low * New Upstream Releases (Closes: #621987). * Upstream incorporated our init script, so this package no longer carries its own copy of it. * Bump Standards-Version to 3.9.2. No changes needed. * Remove /etc/stunnel/stunnel4.conf file as it is useless, except as a sample. A README file for /etc/stunnel was provided (Closes: #549384). * Minor cleanup of debian/rules, no longer runs configure twice. -- Luis Rodrigo Gallardo Cruz Sun, 17 Apr 2011 22:04:53 -0700 stunnel4 (3:4.33-1) experimental; urgency=low * New Upstream Releases - 4.31 + A SIGHUP to the server will cause it to reload the configuration file. + A SIGUSR1 to the server causes it to reopen its log files. - 4.32 + New service-level "libwrap" option for run-time control whether /etc/hosts.allow and /etc/hosts.deny are used for access control. Disabling libwrap significantly increases performance of stunnel. - 4.33 + Fixes to inetd mode For more details please see upstream's ChangeLog. * Init script now provides reload and reopen-log options (Closes: #323171). * The logrotate config file now takes advantage of reopen-log option. * Update config.{build,sub} on build. Closes: #535719. * Add missing ${misc:Depends} entry to debian/control. * Update copyright years. * Update to Standards-Version: 3.9.1 - stunnel4 no longer Conflicts: stunnel, but merely Breaks: stunnel. * Update packaging to source format 3.0 (quilt). -- Luis Rodrigo Gallardo Cruz Fri, 27 Aug 2010 16:58:44 -0700 stunnel4 (3:4.29-1) unstable; urgency=low * New upstream version (Closes: #559270). - sessiond, a high performance SSL session cache was built for stunnel. A new service-level "sessiond" option was added. sessiond is available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ . stunnel clusters will be a lot faster, now! - Transparent proxy support on Linux kernels >=2.6.28. See the manual for details. 
The old transproxy.txt file is no longer provided. - New socket options to control TCP keepalive on Linux: TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL. - SSL options updated for the recent version of OpenSSL library. - Bugfixes + Missing "fips" option was added to the manual. + A serious bug in asynchronous shutdown code fixed. + Data alignment updated in libwrap.c. + Polish manual encoding fixed. Debian's patch for this removed. + Notes on compression implementation in OpenSSL added to the manual. * Use correct owner:group for logs after rotation. (Closes: #529481). Thanks Brian 'morlenxus' Miculcy * Use copytruncate in logrotate file, instead of restarting the daemon (Closes: #535915). Thanks Andrew Buckeridge * Bump Standards-Version to 3.8.3. No changes required. * Do not specify path to true in postinst script. -- Luis Rodrigo Gallardo Cruz Tue, 08 Dec 2009 19:34:21 -0800 stunnel4 (3:4.27-1) unstable; urgency=low * New upstream release. - Remove debian/patches/security-check_certificate, now included upstream. Fixes: CVE-2008-2420 - Libwrap helper processes fixed to close standard input/output/error file descriptors. (Closes: #482379) * Rebase quilt patches to not require -p0. (Closes: #484966) * Fix sample configuration file to use ssl cert from /etc/ssl/certs (Closes: #460953). * Warn if automatic startup is disabled in /etc/default/stunnel4 (Closes: #475599). * Use invoke-rc.d in ppp start/stop scripts. * Standards-Version: 3.8.1. - Add README.source documenting use of quilt. * Bump to debhelper 7 - Remove unused old option from dh_mkshlibs call * Declare the polish pod's encoding and use unicode when converting it to a manpage. * Dummy upgrade package is priority: extra -- Luis Rodrigo Gallardo Cruz Fri, 24 Apr 2009 19:56:05 -0700 stunnel4 (3:4.22-2) unstable; urgency=low * Check if a daemon is already running before trying to start it with the same configuration file. Thanks Peter Palfrader for the report (Closes: #506091). 
-- Luis Rodrigo Gallardo Cruz Tue, 18 Nov 2008 13:52:42 +0100 stunnel4 (3:4.22-1.1) unstable; urgency=high * Non-maintainer upload by the security team * Fix security bug in the OCSP functionality that allowed revoked certificates to authenticate (Closes: #482644) Fixes: CVE-2008-2420 -- Steffen Joeris Tue, 27 May 2008 18:28:56 +0200 stunnel4 (3:4.22-1) unstable; urgency=low * New upstream release. - Build system now uses standard automake dirs. - Reworked logging system avoids outputting before log file is configured (Closes: #460019). - Simultaneous logging to a file and the syslog is now possible. - A new service level option to control stack size: stack = - Bugfixes in libwrap support code. * debian/patches/setuid.patch: Removed, it's included upstream. * debian/patches/fix-paths: Reworked to use automake's standard dirs. * Rebase the rest of the patches. * Update standards-version to 3.7.3. No changes needed. * Fix build-dependencies on -1 revisions of libssl-dev, openssl and quilt. * Register documentation in the System/Security section. -- Luis Rodrigo Gallardo Cruz Tue, 01 Apr 2008 11:07:56 -0600 stunnel4 (3:4.21-1) unstable; urgency=low * New upstream release. - Binaries moved from /usr/sbin to /usr/bin. Thus, Debian no longer diverges in that from upstream. - libstunnel.so migrated inside /usr/lib/stunnel. - Preliminary FIPS 140-2 support, but this package does not include it, as it requires static compilation. - Miscellaneous bugfixing. * debian/patches/no_zlib_link: - Rebased. Only line numbering changed. * debian/patches/libstunnel_is_private_lib: - Removed. Included upstream. * debian/patches/fix-paths: - Remove hunks related to moving binaries to /usr/bin. Refresh line numbers in the rest. * debian/patches/rename-binary: - Rebased. Minor changes due to changed dates in the manpage and the use of @prefix@ in src/stunnel3.in. 
* debian/patches/setuid.patch: - Patch from upstream to allow using setuid/setgid with /etc/passwd and /etc/group not within chrooted directory. * debian/README.Debian: - Add explanation about not turning FIPS mode on. - Reword warning about binaries changing place. * debian/rules, debian/stunnel4.manpages: - No longer need to move the binaries. - Upstream location for manpages changed. We still install them by hand, anyways. - Ship fr and pl manpages. - Do not pass --host to configure if not cross compiling. - Reorder target dependencies. This should avoid problems when doing paralell builds. * debian/control: - Remove XS- prefix from Vcs-* fields. - Add Homepage: field. - Correct minor typo in dummy package's description. - Version build dependency on quilt, since we require /usr/share/quilt/quilt.make (Closes: #447751). - Change my maintainer address. -- Luis Rodrigo Gallardo Cruz Wed, 05 Dec 2007 08:09:44 -0600 stunnel4 (3:4.20-5) unstable; urgency=low * debian/stunnel3.8: - Remove references to unsupported -S and -V options in manpage, and include an explicit list of tunable parameters for -O and their default values (Closes: #440718). - Rewrite -P argument description. It must be a file to be created, or empty (Closes: #398012). -- Luis Rodrigo Gallardo Cruz Thu, 27 Sep 2007 11:54:53 -0500 stunnel4 (3:4.20-4) unstable; urgency=low * Add missing names and dates of copyright attributions to debian/copyright. Update licencing blurb to mention the new FSF's postal address. * Restructure README.Debian into sections. * Remove /usr/share/lintian/overrides and /usr/sbin from debian/dirs. Explicitely create the first if needed to install an override file, and explicitely remove the later after moving the binaries, in debian/rules. * Move StunnelConf-0.1.pl into /usr/share/doc/stunnel4/contrib. Remove it from debian/docs and explicitely install it in dh_install call. * Patch configure (debian/patches/no_zlib_link) to avoid linking to zlib. 
This library is a dependency of openssl, but not of ours. * Rewrite changelog entries from previous version, adding mention of modified files. * Use make -C dir instead of cd dir; make constructs in debian/rules. -- Luis Rodrigo Gallardo Cruz Mon, 27 Aug 2007 18:11:40 -0500 stunnel4 (3:4.20-3) unstable; urgency=low * New Maintainer (Closes: #416955). * Manage patches to upstream source with quilt. - fix-paths changes references to /usr/sbin. We install binaries in /usr/bin. It also removes bogus @PREFIX@ uses from several paths. - rename-binary changes the name of the executable to stunnel4. - runas-user sets the default config to run as the stunnel4 user and group. - connect-proxy-dunbar *unapplied* patch from upstream's site. (It does not apply to 4.07 onwards) - openssl0.9.8-initialization *unapplied* patch. Originaly meant to close #334180, was disabled by previous maintainer without explanation. * Add stunnel dummy upgrade package. - debian/control: Add package stanza. - debian/rules: Modify to build the arch-indep package. - debian/stunnel.NEWS: Add upgrade notice for stunnel 3 users. * Shorten dh_* invocations in debian/rules. - new files: stunnel4.examples, stunnel4.links, stunnel4.manpages. * Ship upstream Changelog (Closes: #419842). - Add ChangeLog to dh_installchangelogs call in debian/rules. * Do not compress StunnelConf-0.1.pl (Closes: #432304). - Add exclude entry to dh_compress call in debian/rules. * Add watch file. * Suggests: logcheck-database (Closes: #382099). * Move libstunnel.so into /usr/lib/stunnel, as it is a private DSO. - Remove lintian overrides. - Added debian/patches/libstunnel_is_private_lib - Remove ldconfig calls from post{inst,rm} - Remove /usr/lib/libstunnel.so.4 link * Use debhelper compat mode 5. - Bump debhelper build-depends to >= 5. No other changes. * Remove /var/lib/stunnel4 when purged, if empty (in debian/postinst). * Remove manual call to invoke-rc.d from postinst. debhelper inserts it automatically. 
-- Luis Rodrigo Gallardo Cruz Mon, 20 Aug 2007 23:18:31 -0500 stunnel4 (3:4.20-2) unstable; urgency=low * Orphan package -- Julien Lemoine Sat, 31 Mar 2007 20:07:55 +0200 stunnel4 (3:4.20-1) unstable; urgency=low * New upstream release -- Julien Lemoine Sat, 27 Jan 2007 21:43:19 +0100 stunnel4 (3:4.18-2) unstable; urgency=low * Updated chroot default path in configuration file * Added LSB section in init script -- Julien Lemoine Tue, 7 Nov 2006 20:22:04 +0100 stunnel4 (3:4.18-1) unstable; urgency=low * New upstream release -- Julien Lemoine Wed, 27 Sep 2006 20:33:07 +0200 stunnel4 (3:4.17-2) unstable; urgency=low * Check if pids are valid before trying to use kill (Closes: #388379) -- Julien Lemoine Wed, 20 Sep 2006 22:04:41 +0200 stunnel4 (3:4.17-1) unstable; urgency=low * New upstream release -- Julien Lemoine Mon, 11 Sep 2006 22:48:09 +0200 stunnel4 (3:4.16-1) unstable; urgency=low * New upstream release -- Julien Lemoine Fri, 1 Sep 2006 22:11:10 +0200 stunnel4 (2:4.150-7) unstable; urgency=low * Fixed a bug when pid is not given in configuration file : init.d script was looking for /var/run/stunnel4/stunnel4.pid but stunnel was creating /var/run/stunnel4.pid (Closes: #384275) * Added check during start to encourage users to fill the pid= section of configuration file when start failed (for example if you use two configuration files without pid= option) -- Julien Lemoine Thu, 24 Aug 2006 17:19:57 +0200 stunnel4 (2:4.150-6) unstable; urgency=low * Updated to debian policy 3.7.2 * Fixed lintian warnings -- Julien Lemoine Tue, 22 Aug 2006 14:03:19 +0200 stunnel4 (2:4.150-5) unstable; urgency=low * Fixed typo in postinst : /var/lib/stunnel4/stunnel.log instead of /var/log/stunnel4/stunnel.org (Closes: #381127) -- Julien Lemoine Wed, 2 Aug 2006 21:19:49 +0200 stunnel4 (2:4.150-4) unstable; urgency=low * Create /var/lib/stunnel4 if it does not exist in postinst (Closes: #377074) -- Julien Lemoine Sun, 16 Jul 2006 16:12:05 +0200 stunnel4 (2:4.150-3) unstable; 
urgency=low * Fixed another problem with stunnel3 compatibility script (call to /usr/sbin/stunnel4 instead of /usr/bin/stunnel4) and added a check in debian/rules (Closes: #340113) -- Julien Lemoine Mon, 1 May 2006 17:58:39 +0200 stunnel4 (2:4.150-2) unstable; urgency=low * Fixed stunnel3 compatibility script problem (infinite loop) Thanks to "Martin Schwenke" for bug report. * Added a check in debian/rules to ensure that stunnel3 compatibility script does not contain an infinite loop -- Julien Lemoine Mon, 27 Mar 2006 09:26:06 +0200 stunnel4 (2:4.150-1) unstable; urgency=low * New upstream release -- Julien Lemoine Sun, 12 Mar 2006 21:30:08 +0100 stunnel4 (2:4.140-6) unstable; urgency=low * Added check/creation of /var/run/stunnel4 directory in init.d script instead of postinst in order to be FHS compliant when /var/run is cleared at startup (note that /var/run/stunnel4 cleanup does not allow having a chroot in /var/run/stunnel4) Thanks to Jim Helm : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343882;msg=25 -- Julien Lemoine Sun, 5 Mar 2006 18:18:58 +0100 stunnel4 (2:4.140-5) unstable; urgency=low * Move stunnel and stunnel-dsa from /usr/sbin to /usr/bin in order to be compliant with FHS standard. The stunnel program is interesting for "normal" users as well as administrators.
-- Julien Lemoine Sun, 19 Feb 2006 17:47:55 +0100 stunnel4 (2:4.140-4) unstable; urgency=low * Fixed problem with default directory (/etc/stunnel for configuration directory and /var/run/stunnel4.pid for pid file) (Closes: #343882) -- Julien Lemoine Thu, 22 Dec 2005 16:32:20 +0100 stunnel4 (2:4.140-3) unstable; urgency=low * Default configuration file is now filled with values for usage in a chroot environment (if you do not want chroot or want to use vserver, you need to edit it) (Closes: #342507) -- Julien Lemoine Sat, 17 Dec 2005 10:00:40 +0100 stunnel4 (2:4.140-2) unstable; urgency=low * Fixed stunnel3 compatibility script (wrong binary : stunnel instead of stunnel4) (Closes: #340113) -- Julien Lemoine Mon, 21 Nov 2005 07:57:02 +0100 stunnel4 (2:4.140-1) unstable; urgency=low * New upstream release -- Julien Lemoine Wed, 2 Nov 2005 22:01:52 +0100 stunnel4 (2:4.120-1) unstable; urgency=low * New upstream release * Applied patch from Kurt Roeckx to fix initialization problem with openssl 0.9.8 (Closes: #334180) -- Julien Lemoine Wed, 26 Oct 2005 17:53:55 +0200 stunnel4 (2:4.110-2) unstable; urgency=low * Rebuild with openssl 0.9.8 -- Julien Lemoine Mon, 10 Oct 2005 19:41:33 +0200 stunnel4 (2:4.110-1) unstable; urgency=low * New upstream release * Updated to Standards-Version 3.6.2 -- Julien Lemoine Sun, 24 Jul 2005 11:21:14 +0200 stunnel4 (2:4.090-1) unstable; urgency=low * New upstream release * include better stunnel3 compatibility script from upstream, options like -cd can now be used instead of -c -d ...
(closes: #305259) * Added depends on perl-modules to allow use of stunnel3 compatibility script -- Julien Lemoine Wed, 20 Apr 2005 21:07:50 +0200 stunnel4 (2:4.070-5) unstable; urgency=low * Renamed stunnel3 compatibility script (/usr/sbin/stunnel) to be compatible with stunnel package * Added conflict with stunnel package (compatible, does not break user configuration) since stunnel 4.x is more actively maintained than stunnel 3.x -- Julien Lemoine Tue, 29 Mar 2005 22:16:43 +0200 stunnel4 (2:4.070-4) unstable; urgency=low * Add an option (PPP_RESTART) in /etc/default/stunnel4 to enable/disable restart scripts (closes: #298352) -- Julien Lemoine Mon, 7 Mar 2005 22:47:27 +0100 stunnel4 (2:4.070-3) unstable; urgency=low * Do not remove user and group if they already exist in postinst script (Closes: #290374) -- Julien Lemoine Mon, 17 Jan 2005 23:33:56 +0100 stunnel4 (2:4.070-2) unstable; urgency=low * Fixed directory problem : - confdir was /usr/etc/stunnel instead of /etc/stunnel (Closes: #289832) - zlib compression was unable to start since /etc/stunnel/stunnel.conf was not read (Closes: #289872) -- Julien Lemoine Tue, 11 Jan 2005 19:56:59 +0100 stunnel4 (2:4.070-1) unstable; urgency=low * New upstream release : Add IPV6 support * Disable proxy-connect patch (does not apply on 4.07 sources) -- Julien Lemoine Thu, 6 Jan 2005 07:23:48 +0100 stunnel4 (2:4.050-4) unstable; urgency=low * Restart the connection instead of stopping it when ppp is down. It is possible to use stunnel for eth interfaces.
(Closes: 271006) -- Julien Lemoine Sun, 26 Sep 2004 18:12:36 +0200 stunnel4 (2:4.050-3) unstable; urgency=low * Added proxy-connect patch (Closes: #267533) * Create directory /var/log/stunnel in postinst (Closes: #267093) * Create user and group stunnel4 (Closes: #266339) * Uncomment some lines in default configuration file : o Use /var/log/stunnel4/stunnel.log as default log file o Use stunnel4 user and group as default o Use /var/run/stunnel4/stunnel.pid as default pid file -- Julien Lemoine Wed, 1 Sep 2004 22:19:28 +0200 stunnel4 (2:4.050-2) unstable; urgency=low * Fixed stopping problem in init.d script (Closes: #265449) Thanks to Wilfried Goesgens * Added stunnel4 in logrotate (Closes: #265437) Thanks to Wilfried Goesgens -- Julien Lemoine Fri, 13 Aug 2004 21:42:23 +0200 stunnel4 (2:4.050-1) unstable; urgency=low * By default, store pidfile in /var/run/stunnel4/stunnel.pid with /var/run/stunnel4 owned by nobody:nogroup * Oops, stunnel4 was a debian native package -- Julien Lemoine Mon, 7 Jun 2004 21:23:37 +0200 stunnel4 (2:4.05-1) unstable; urgency=low * New upstream release -- Julien Lemoine Wed, 7 Apr 2004 22:08:42 +0200 stunnel4 (2:4.04.0-10) unstable; urgency=low * Shut down stunnel4 in postinst (Closes: #234498) -- Julien Lemoine Tue, 24 Feb 2004 21:50:03 +0100 stunnel4 (2:4.04.0-9) unstable; urgency=low * Added configuration script from "Sergio Rua" -- Julien Lemoine Sun, 22 Feb 2004 23:26:38 +0100 stunnel4 (2:4.04.0-8) unstable; urgency=low * Added ppp ip-up and ip-down scripts (Closes: #227678) -- Julien Lemoine Sun, 22 Feb 2004 22:52:31 +0100 stunnel4 (2:4.04.0-7) unstable; urgency=low * Fix problem in init.d script (was not sh compatible) (Closes: #214818, #214823) -- Julien Lemoine Fri, 10 Oct 2003 00:47:57 +0200 stunnel4 (2:4.04.0-6) unstable; urgency=low * Rewrite of /etc/init.d/stunnel4 : o does not use kill -9, thus giving a chance to stunnel4 to clean up puts common code in functions o avoids calling ps twice o uses fgrep o does not print the
conf file name if no processes exist for it o corrects the `stoped' typo Thanks to Francesco Potorti` (Closes: #214562) -- Julien Lemoine Tue, 7 Oct 2003 16:37:12 +0200 stunnel4 (2:4.04.0-5) unstable; urgency=low * /etc/init.d/stunnel4 can load more than one configuration file. It loads /etc/stunnel/*.conf. You can have a configuration file for server mode and one for client mode. (Closes: #211870) -- Julien Lemoine Thu, 25 Sep 2003 18:05:01 +0200 stunnel4 (2:4.04.0-4) unstable; urgency=low * Put stunnel.html in /usr/share/doc/stunnel4/ instead of /usr/share/doc/stunnel * Updated to Standards-Version 3.6.1 -- Julien Lemoine Thu, 4 Sep 2003 13:39:51 +0200 stunnel4 (2:4.04.0-3) unstable; urgency=low * Fixed wrong path search for stunnel.conf (Closes: Bug#202931) -- Julien Lemoine Sat, 26 Jul 2003 11:00:46 +0200 stunnel4 (2:4.04.0-2) unstable; urgency=low * Fixed stunnel.conf problems, file must be commented by default. (Closes: #202693) -- Julien Lemoine Fri, 25 Jul 2003 11:38:47 +0200 stunnel4 (2:4.04.0-1) unstable; urgency=low * Oops, stunnel4 is not a native package -> reupload it with a diff.gz * Does not install stunnel.so since it is not used * Updated clean rules to have a clean diff * Updated to Standards-Version 3.6.0 -- Julien Lemoine Sat, 19 Jul 2003 20:12:51 +0200 stunnel4 (2:4.04-2) unstable; urgency=low * Fixed compilation errors (removed binary in clean rule) * removed libstunnel.so since it is not used -- Julien Lemoine Sun, 13 Jul 2003 02:45:05 +0200 stunnel4 (2:4.04-1) unstable; urgency=low * Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x are in stunnel package to keep backward compatibility. -- Julien Lemoine Fri, 4 Jul 2003 18:24:21 +0200 stunnel (4.04-5) unstable; urgency=low * The "I need to sleep more to avoid making typos" release. 
* Fixed typos in default/init file (ENABLED instead of ENABLE) (Closes: #197958) * Commented all stunnel.conf file, client=no is the default value (Closes: #197961) -- Julien Lemoine Thu, 19 Jun 2003 00:40:28 +0200 stunnel (4.04-4) unstable; urgency=low * Added /etc/default/stunnel with a variable ENABLE. ENABLE=0 by default since stunnel segv on some computer when all lines are commented (Closes: #197663, #197615) -- Julien Lemoine Mon, 16 Jun 2003 22:04:17 +0200 stunnel (4.04-3) unstable; urgency=low * comment ldap sample (Closes: #197566) -- Julien Lemoine Mon, 9 Jun 2003 15:03:41 +0200 stunnel (4.04-2) unstable; urgency=low * Fixed typo in init.d script (Closes: #197499) * Added a commented example in stunnel.conf from Craig Sanders -- Julien Lemoine Sun, 15 Jun 2003 18:06:07 +0200 stunnel (4.04-1) unstable; urgency=low * New upstream release (Closes: #177532, Closes: 188137) * New maintainer * Stunnel has no more -L option (Closes: #120265) * Stunnel has no more -l option (Closes: #175844) * Shutdown(1) problem was fixed (Closes: #111125) * Problem with large data resolved (tested with a 5Mo file) (Closes: #112287) * Licence is now GPL version 2 with agreement to link with openssl (Closes: #147665) * stunnel can execute command (Closes: #147537) * added a lintian overwrite for libstunnel.so since it is compiled with -avoid-version * Fixed problem with path (/etc/ instead of $(prefix)/etc, ...) * Include default configuration file in /etc * Upgraded to debian policy 3.5.10 * Added init.d file -- Julien Lemoine Sat, 24 May 2003 02:30:20 +0200 stunnel (3.22-1) unstable; urgency=high * New upstream release (closes: bug#126627). * Typo fix in postinst (closes: bug#120199, bug#121904) -- Paolo Molaro Sun, 30 Dec 2001 10:31:46 +0100 stunnel (3.21.c-1) unstable; urgency=low * New upstream release (Closes: bug#111139, bug#102834, bug#61427). 
* Avoid generating automatically the initial stunnel.pem, openssl cannot be reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info on how to generate the certificate is now included in README.Debian. * There is support for (re)setting OOB data handling in the new upstream version (Closes: bug#107503). * Include the sample /etc/iniy.d/stunnel file as an example in the package (Closes: bug#114669). -- Paolo Molaro Sat, 17 Nov 2001 12:31:04 +0100 stunnel (3.14-1) unstable; urgency=low * New upstream release * Actually compile it against the new libssl (Closes: #86916). -- Paolo Molaro Fri, 23 Feb 2001 18:57:18 +0100 stunnel (3.13-1) unstable; urgency=low * New upstream release. * Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500). * Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576). -- Paolo Molaro Sun, 18 Feb 2001 21:30:50 +0100 stunnel (3.10-1) unstable; urgency=high * New upstream release. -- Paolo Molaro Wed, 20 Dec 2000 15:14:08 +0100 stunnel (3.10-0potato1) stable; urgency=high * New upstream release. -- Paolo Molaro Wed, 20 Dec 2000 13:07:35 +0100 stunnel (3.9-0potato1) stable; urgency=high * New upstream release: security fix (Closes: #80079, #76576). * Use correct dir for pid (Closes: #77227). -- Paolo Molaro Wed, 20 Dec 2000 11:24:18 +0100 stunnel (3.8-1) unstable; urgency=low * New upstream version (Closes: #75117, #67010). * Read 1k of random data in a temp file (Closes: #69808). * Added a note in postrm about the stunnel.pem file that is left in /etc/ssl/certs: it is safer if the user deals with it since it may have been create by him and not stunnel (Closes: #57648). -- Paolo Molaro Wed, 5 Jul 2000 16:43:07 +0000 stunnel (3.4a-6) unstable; urgency=low * Depends on openssl 0.9.4 (closes: bug#53947). -- Paolo Molaro Tue, 4 Jan 2000 12:37:24 +0100 stunnel (3.4a-5) unstable; urgency=medium * Include upstream download info in copyright (closes: bug#53301). 
* Include example from Steve Haslam to make stunnel run from a init script (closes: bug#53300). -- Paolo Molaro Thu, 23 Dec 1999 16:49:38 +0100 stunnel (3.4a-4) unstable; urgency=medium * Depends on openssl instead of Suggests (Closes: bug#49238). -- Paolo Molaro Sat, 13 Nov 1999 12:44:35 +0100 stunnel (3.4a-3) unstable; urgency=high * Fixes security problem with the certificate. -- Paolo Molaro Thu, 4 Nov 1999 17:33:52 +0100 stunnel (3.4a-2) unstable; urgency=low * Suggest openssl instead of ssleay. (Closes: bug#47712) -- Paolo Molaro Wed, 27 Oct 1999 18:24:27 +0200 stunnel (3.4a-1) unstable; urgency=low * New upstream release. * Put cert in /etc/ssl/certs (closes:#41099). I think this is neither an openssl nor stunnel bug, but a dpkg one (other similar bugs are already filed against dpkg). -- Paolo Molaro Thu, 22 Jul 1999 16:50:32 +0200 stunnel (3.3-1) unstable; urgency=low * New upstream release. -- Paolo Molaro Fri, 18 Jun 1999 16:43:05 +0200 stunnel (3.2-2) unstable; urgency=low * Fixed stupid coding error. -- Paolo Molaro Sat, 29 May 1999 13:01:17 +0200 stunnel (3.2-1) unstable; urgency=low * Recompilation with new ssl lib. * New upstream release. -- Paolo Molaro Mon, 24 May 1999 12:09:58 +0200 stunnel (2.1-2) unstable; urgency=low * Added libwrap support (/etc/hosts.{allow,deny}). * Recompilation with newer libc6. * Better stunnel-config script. -- Paolo Molaro Fri, 11 Dec 1998 11:57:52 +0100 stunnel (2.1-1) unstable; urgency=low * Initial release. 
-- Paolo Molaro Mon, 30 Nov 1998 11:41:29 +0100 debian/compat0000644000000000000000000000000212135311447010365 0ustar 7 debian/rules0000755000000000000000000000577712241165761010273 0ustar #!/usr/bin/make -f # -*- makefile -*- # debian/rules file for the Debian/GNU Linux stunnel package # Copyright 2003 by Julien LEMOINE DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) SYSTEM = --build $(DEB_HOST_GNU_TYPE) else SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) endif export DEB_BUILD_MAINT_OPTIONS = hardening=+all export DEB_CFLAGS_MAINT_APPEND=-Wall build: build-arch build-indep build-arch: build-stamp build-indep: build-stamp build-stamp: dh_testdir dh_autotools-dev_updateconfig ./configure --prefix=/usr $(SYSTEM) \ $(shell dpkg-buildflags --export=configure) \ --localstatedir=/var --sysconfdir=/etc \ --enable-ipv6 --with-threads=pthread $(MAKE) -C src $(MAKE) -C doc touch build-stamp clean: dh_testdir dh_testroot dh_clean build-stamp debian/stunnel4.init doc/stunnel4.8 doc/stunnel4.fr.8 doc/stunnel4.pl.8 [ ! 
-f Makefile ] || $(MAKE) distclean dh_autotools-dev_restoreconfig install: build-stamp dh_testdir dh_testroot dh_prep dh_installdirs $(MAKE) -C src install prefix=$(CURDIR)/debian/stunnel4/usr $(MAKE) -C doc install prefix=$(CURDIR)/debian/stunnel4/usr # .la file is useless rm $(CURDIR)/debian/stunnel4/usr/lib/stunnel/libstunnel.la ln doc/stunnel.8 doc/stunnel4.8 ln doc/stunnel.fr.8 doc/stunnel4.fr.8 ln doc/stunnel.pl.8 doc/stunnel4.pl.8 # Manpages will be installed by dh_installman rm -rf $(CURDIR)/debian/stunnel4/usr/share/man # Rename binary mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \ $(CURDIR)/debian/stunnel4/usr/bin/stunnel4 # Move docs into propper dir mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \ $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4 # Copy sample init script into place for dh_installinit cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init # Basic docs for the user on how to create an initial configuration install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \ $(CURDIR)/debian/stunnel4/etc/stunnel/README [ ! 
-s debian/lintian.overrides ] || \ install -p -m 0644 -D $(CURDIR)/debian/lintian.overrides \ $(CURDIR)/debian/stunnel4/usr/share/lintian/overrides/stunnel4 binary-indep: # There are no binary independent packages binary-arch: install dh_testdir dh_testroot dh_installdocs -a dh_installexamples -a dh_installman -a dh_installchangelogs -a ChangeLog dh_installinit -a --restart-after-upgrade -- defaults dh_installppp -a --name=0stunnel4 dh_installlogrotate -a dh_install -a debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib dh_link -a dh_strip -a dh_compress -a --exclude=StunnelConf-0.1.pl dh_fixperms -a dh_makeshlibs -a dh_installdeb -a dh_shlibdeps -a dh_gencontrol -a dh_md5sums -a dh_builddeb -a binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install debian/doc-base0000644000000000000000000000043412135311447010570 0ustar Document: stunnel4 Title: Stunnel documentation Author: Michal Trojnara Abstract: This manual documents stunnel, a SSL-enhanced client and server wrapper. 
Section: System/Security Format: HTML Index: /usr/share/doc/stunnel4/stunnel.html Files: /usr/share/doc/stunnel4/stunnel*.html debian/stunnel4.default0000644000000000000000000000036312135311447012313 0ustar # /etc/default/stunnel # Julien LEMOINE # September 2003 # Change to one to enable stunnel automatic startup ENABLED=0 FILES="/etc/stunnel/*.conf" OPTIONS="" # Change to one to enable ppp restart scripts PPP_RESTART=0 debian/dirs0000644000000000000000000000004312135311447010050 0ustar usr/bin etc/stunnel usr/share/doc/ debian/control0000644000000000000000000000243612241166034010575 0ustar Source: stunnel4 Section: net Priority: optional Build-Depends: debhelper (>=7), libssl-dev (>= 0.9.8), openssl (>= 0.9.8), libwrap0-dev, sdf, autotools-dev Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Luis Rodrigo Gallardo Cruz Standards-Version: 3.9.3 Vcs-Browser: http://git.debian.org/?p=collab-maint/stunnel.git Vcs-Git: git://git.debian.org/git/collab-maint/stunnel.git Homepage: http://www.stunnel.org/ Package: stunnel4 Architecture: any Breaks: stunnel (<< 3:4.20-3) Provides: stunnel Replaces: stunnel Depends: ${shlibs:Depends}, ${misc:Depends}, openssl, netbase, perl-modules Pre-Depends: adduser Suggests: logcheck-database Description: Universal SSL tunnel for network daemons The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware daemons running on your system you can easily setup them to communicate with clients over secure SSL channel. . stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code. . 
This package contains a wrapper script for compatibility with stunnel 3.x debian/postinst0000644000000000000000000000275712135311447011010 0ustar #!/bin/sh set -e USER="stunnel4" CHOWN="/bin/chown" #USERDEL="/usr/sbin/userdel" ADDUSER="/usr/sbin/adduser" ID="/usr/bin/id" GROUPMOD="/usr/sbin/groupmod" #GROUPDEL="/usr/sbin/groupdel" ### # 1. get current stunnel uid and gid if user exists. set -e if $ID $USER > /dev/null 2>&1; then IUID=`$ID --user $USER` IGID=`$ID --group $USER` else IUID="NONE" IGID="NONE" fi ### # 2. Ensure that no standard account or group will remain before adding the # new user #if [ "$IUID" != "NONE" ]; then # remove existing user # $USERDEL $USER #fi #if $GROUPMOD $USER > /dev/null 2>&1; then # $GROUPDEL $USER; #fi if [ "$IUID" = "NONE" ]; then $ADDUSER --system --disabled-password --disabled-login \ --home /var/run/stunnel4 \ --no-create-home --group $USER fi # /var/run/stunnel4 is not a directory, create it... if ! test -d /var/run/stunnel4; then rm -rf /var/run/stunnel4; mkdir /var/run/stunnel4 fi $CHOWN $USER:$USER /var/run/stunnel4 || true # /var/log/stunnel4 is not a directory, create it... if ! test -d /var/log/stunnel4; then rm -rf /var/log/stunnel4; mkdir /var/log/stunnel4 fi $CHOWN -R $USER:$USER /var/log/stunnel4 # /var/lib/stunnel4 is not a directory, create it... if ! test -d /var/lib/stunnel4; then rm -rf /var/lib/stunnel4; mkdir /var/lib/stunnel4 fi $CHOWN -R $USER:$USER /var/lib/stunnel4 if ! test -f /var/log/stunnel4/stunnel.log; then touch /var/log/stunnel4/stunnel.log $CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log fi #DEBHELPER# debian/stunnel4.examples0000644000000000000000000000015412135311447012503 0ustar tools/ca.html tools/ca.pl tools/importCA.html tools/importCA.sh tools/stunnel.cnf tools/stunnel.conf-sample debian/README.source0000644000000000000000000000350712135311447011353 0ustar This package uses quilt to manage all modifications to the upstream source. 
Changes are stored in the source package as diffs in debian/patches and applied during the build. To configure quilt to use debian/patches instead of patches, you want either to export QUILT_PATCHES=debian/patches in your environment or use this snippet in your ~/.quiltrc: for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then export QUILT_PATCHES=debian/patches fi done To get the fully patched source after unpacking the source package, cd to the root level of the source package and run: quilt push -a The last patch listed in debian/patches/series will become the current patch. To add a new set of changes, first run quilt push -a, and then run: quilt new where is a descriptive name for the patch, used as the filename in debian/patches. Then, for every file that will be modified by this patch, run: quilt add before editing those files. You must tell quilt with quilt add what files will be part of the patch before making changes or quilt will not work properly. After editing the files, run: quilt refresh to save the results as a patch. Alternately, if you already have an external patch and you just want to add it to the build system, run quilt push -a and then: quilt import -P /path/to/patch quilt push -a (add -p 0 to quilt import if needed). as above is the filename to use in debian/patches. The last quilt push -a will apply the patch to make sure it works properly. To remove an existing patch from the list of patches that will be applied, run: quilt delete You may need to run quilt pop -a to unapply patches first before running this command. debian/postrm0000644000000000000000000000062712135311447010443 0ustar #!/bin/sh set -e if [ x$1 = "xpurge" ]; then echo You may want to delete the generated stunnel.pem file echo in /etc/ssl/certs. # Remove chroot dir if present. 
It may contain logfiles rm -rf /var/lib/stunnel4 || true # Log files must be removed on purge (Policy 10.8) rm -f /var/log/stunnel4/stunnel.log* || true rmdir /var/log/stunnel4 || true fi #DEBHELPER# debian/stunnel4.0stunnel4.ppp.ip-up0000644000000000000000000000021012135311447014341 0ustar #!/bin/sh test -f /etc/default/stunnel4 && . /etc/default/stunnel4 test "$PPP_RESTART" != "0" || exit 0 invoke-rc.d stunnel4 restart debian/watch0000644000000000000000000000037512135311447010225 0ustar version=3 # Latest version is directly at /stunnel ftp://ftp.stunnel.org/stunnel/stunnel-(4).([\d]+)+\.tar\.gz debian # Any previous versions are at /stunnel/obsolete/4.x ftp://ftp.stunnel.org/stunnel/archive/4.x/stunnel-(4).([\d]+)+\.tar\.gz debian debian/stunnel4.conf.README0000644000000000000000000000114712135311447012551 0ustar Stunnel 4 configuration files. Files found under the /etc/stunnel directory that end with .conf are used by the stunnel4 service as configuration files, and each will be used to start a daemon process setting up a tunnel with the given configuration. Note that this directory is initially empty, as the settings you may want for your tunnels are completely system dependent. In order to have the tunnels start up automatically on system boot you must *also* set ENABLED to 1 in /etc/default/stunnel4 A sample configuration file with defaults may be found at /usr/share/doc/stunnel4/examples/stunnel.conf-sample debian/README.Debian0000644000000000000000000000635212135311447011236 0ustar This is the Stunnel 4.x package for Debian. * Upgrading from stunnel to stunnel4 Stunnel 3 has been deprecated from Debian. The new stunnel4 has a different command line syntax and configuration. You will need to update your scripts. The wrapper script /usr/bin/stunnel3 understands stunnel3 command line syntax and calls stunnel4 with appropriate options. It appears to support every stunnel3 option *except* -S (which controls the defaults used for certificate sources). 
To simplify migration, /usr/bin/stunnel is a symlink to the wrapper script. A future version will make the link point to stunnel4. * Changes from previous versions Upstream versions 4.20 and earlier used to ship binaries in /usr/sbin by default. If you are upgrading from a hand-compiled version or from an ancient Debian package you will need to update your scripts to refer to /usr/bin. This change was made in order to be FHS compliant (stunnel can be used by normal users, and not only by admins). * Basic configuration After installation, you should : - edit /etc/stunnel/stunnel.conf - edit /etc/default/stunnel4 and set ENABLED=1, if you want your configured tunnels to start automatically on boot. - generate a certificate for use with stunnel if you want to use server mode Sergio Rua made a perl front-end for the stunnel configuration. It is very simple and only includes a couple of configuration options. This script is located in /usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl It requires libgnome2-perl and libgtk2-perl. * How to create SSL keys for stunnel The certificates default directory is /etc/ssl/certs, so cd into that dir and issue the command: openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem Fill in the info requested. Change 'stunnel.pem' to the name of the certificate you need to create. stunnel.pem will be used by default by stunnel, but you may want to create different certificates for different services you run with stunnel. Make sure only root can read the file (or only the user that needs to read it, if stunnel is run as that user): chmod 600 stunnel.pem Now you need to append the DH parameters to the certificate. First you need to generate some amount of random data: dd if=/dev/urandom of=temp_file count=2 Use /dev/random if you want a more secure source of data, but make sure you have enough entropy on your system (the output file should be at least 512 bytes long).
And now make openssl generate the DH parameters and append them to the certificate file: openssl dhparam -rand temp_file 512 >> stunnel.pem (512-bit DH parameters are far too weak by current standards; use a larger size such as 2048 for anything exposed to a network.) You also want to link the certificate to its hash name so that openssl can also find it by that means: ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0 Read the manual page for openssl for more info on the various options. * FIPS stunnel 4.21 includes support for OpenSSL's FIPS mode. However, using it requires stunnel to be compiled statically against OpenSSL and all supporting libraries. Thus, this option is disabled in the Debian package. See the OpenSSL FIPS FAQ at http://oss-institute.org/fips-faq.html - Julien LEMOINE , Sun, 19 Feb 2006 17:31:24 +0100 -- Luis Rodrigo Gallardo Cruz , Sat, 30 Oct 2007 14:50:54 z debian/docs0000644000000000000000000000002612135311447010040 0ustar BUGS NEWS README TODO debian/stunnel4.NEWS0000644000000000000000000000231712135311447011444 0ustar stunnel (3:4.33-1) experimental; urgency=low This version introduces support for reloading the configuration file and for closing/reopening log files. The init script has been updated to provide these options, and the default logrotate configuration has been updated to take advantage of them. -- Luis Rodrigo Gallardo Cruz Thu, 04 Feb 2010 19:52:23 -0800 stunnel (3:4.28-1) unstable; urgency=low The default behaviour of the logrotate configuration for stunnel4 has been changed. Instead of restarting stunnel after rotating the log files we now use the 'copytruncate' keyword. This avoids the problems associated with the restart, but introduces the possibility of losing small amounts of log data. Please see Debian bugs #535915, #535924 and #323171 for more info. -- Luis Rodrigo Gallardo Cruz Wed, 25 Nov 2009 17:12:42 -0800 stunnel (2:4.140-5) unstable; urgency=low stunnel/stunnel4 binaries are located in /usr/bin instead of /usr/sbin in order to be FHS compliant (they can be used by normal users). 
You need to update your scripts to refer to this new location -- Julien Lemoine Sun, 19 Feb 2006 17:31:24 +0100 debian/patches/0000755000000000000000000000000012135311447010616 5ustar debian/patches/CVE-2013-1762.patch0000644000000000000000000000416312135311447013240 0ustar Description: Fix CVE-2013-1762 buffer overflow in NTLM authentication of the CONNECT protocol negotiation Origin: vendor Bug-Debian: http://bugs.debian.org/702267 Forwarded: no Author: Salvatore Bonaccorso Last-Update: 2013-04-22 --- a/src/protocol.c +++ b/src/protocol.c @@ -566,7 +566,7 @@ #define s_min(a, b) ((a)>(b)?(b):(a)) static void ntlm(CLI *c) { - char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt; + char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr; long content_length=0; /* no HTTP content */ /* send Proxy-Authorization (phase 1) */ @@ -582,8 +582,8 @@ line=fd_getline(c, c->remote_fd.fd); /* receive Proxy-Authenticate (phase 2) */ - if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */ - s_log(LOG_ERR, "NTLM authorization request rejected"); + if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) { + s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected"); do { /* read all headers */ line=fd_getline(c, c->remote_fd.fd); } while(*line); @@ -594,8 +594,13 @@ line=fd_getline(c, c->remote_fd.fd); if(isprefix(line, "Proxy-Authenticate: NTLM ")) ntlm2_txt=str_dup(line+25); - else if(isprefix(line, "Content-Length: ")) - content_length=atol(line+16); + else if(isprefix(line, "Content-Length: ")) { + content_length=strtol(line+16, &tmpstr, 10); + if(tmpstr==line+16 || *tmpstr || content_length<0) { + s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length"); + longjmp(c->err, 1); + } + } } while(*line); if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */ s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found"); 
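Review bot: The new Content-Length validation in the `@@ -594,8 +594,13 @@` hunk does not detect strtol() overflow: on a value that does not fit a long, strtol returns LONG_MAX with errno set to ERANGE, tmpstr still points past the digits, and `content_length<0` is false, so the value passes and the drain loop in the following `@@ -603,7 +608,7 @@` hunk keeps calling read_blocking() until the proxy closes the connection. Set `errno=0;` before the strtol call and extend the condition to `if(tmpstr==line+16 || *tmpstr || errno==ERANGE || content_length<0) {`. This also presumes fd_getline() strips the trailing CR/LF; if it does not, the `*tmpstr` test rejects every well-formed header, which is worth confirming. ntlm()'s body starts and ends outside these hunks.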
@@ -603,7 +608,7 @@ } /* read and ignore HTTP content (if any) */ - while(content_length) { + while(content_length>0) { read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ)); content_length-=s_min(content_length, BUFSIZ); } debian/patches/logrotate_warning_in_sample_conf0000644000000000000000000000174012135311447017324 0ustar Disable chroot setting from default sample config. Using this requires more tought from te user, including the logrotate configuration, and so it is misleading to have it on as default. This does not affect any current instalation, as this is only shipped as a sample for users. Index: stunnel4/tools/stunnel.conf-sample.in =================================================================== --- stunnel4.orig/tools/stunnel.conf-sample.in +++ stunnel4/tools/stunnel.conf-sample.in @@ -9,10 +9,11 @@ ; A copy of some devices and system files is needed within the chroot jail ; Chroot conflicts with configuration file reload and many other features -chroot = @localstatedir@/lib/stunnel4/ +; Remember also to update the logrotate configuration. +;chroot = @localstatedir@/lib/stunnel4/ ; Chroot jail can be escaped if setuid option is not used -setuid = stunnel4 -setgid = stunnel4 +;setuid = stunnel4 +;setgid = stunnel4 ; PID is created inside the chroot jail pid = /stunnel4.pid debian/patches/fix-paths0000644000000000000000000000435412135311447012452 0ustar ## Do several path fixups, removing unneeded @prefix@s and changing ## binaries install location from sbin to bin, to comply with the FHS Index: stunnel4/tools/stunnel.conf-sample.in =================================================================== --- stunnel4.orig/tools/stunnel.conf-sample.in +++ stunnel4/tools/stunnel.conf-sample.in 
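Review bot: The logrotate_warning_in_sample_conf hunk comments out `setuid = stunnel4` and `setgid = stunnel4` together with `chroot`, although the patch description only argues for disabling chroot, and the sample's own line just above ("Chroot jail can be escaped if setuid option is not used") is the only rationale given for the two. Dropping the user switch is not required to drop chroot, and a sample copied as-is now keeps the daemon running as whichever user started it, which for the init script is root. Keep `setuid = stunnel4` and `setgid = stunnel4` active (the runas-user patch earlier in the series sets exactly these), or state in the patch description why they must go as well.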
@@ -9,7 +9,7 @@ ; A copy of some devices and system files is needed within the chroot jail ; Chroot conflicts with configuration file reload and many other features -chroot = @prefix@/var/lib/stunnel/ +chroot = @localstatedir@/lib/stunnel/ ; Chroot jail can be escaped if setuid option is not used setuid = nobody setgid = @DEFAULT_GROUP@ @@ -19,15 +19,15 @@ ; Debugging stuff (may useful for troubleshooting) ;debug = 7 -;output = stunnel.log +;output = @localstatedir@/log/stunnel/stunnel.log ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode -cert = @prefix@/etc/stunnel/mail.pem -;key = @prefix@/etc/stunnel/mail.pem +cert = @sysconfdir@/stunnel/mail.pem +;key = @sysconfdir@/stunnel/mail.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! @@ -36,12 +36,12 @@ ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile -;CAfile = @prefix@/etc/stunnel/certs.pem +;CAfile = @sysconfdir@/stunnel/certs.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively CRLfile can be used -;CRLfile = @prefix@/etc/stunnel/crls.pem +;CRLfile = @sysconfdir@/stunnel/crls.pem ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 Index: stunnel4/tools/script.sh =================================================================== --- stunnel4.orig/tools/script.sh +++ stunnel4/tools/script.sh 
@@ -2,7 +2,7 @@ REMOTE_HOST="www.mirt.net:443" echo "client script connecting $REMOTE_HOST" -/usr/local/bin/stunnel -fd 10 \ +/usr/bin/stunnel -fd 10 \ 11<&0 < Bug-Debian: http://bugs.debian.org/627765 Index: stunnel4/tools/stunnel.init.in =================================================================== --- stunnel4.orig/tools/stunnel.init.in +++ stunnel4/tools/stunnel.init.in @@ -14,7 +14,6 @@ DAEMON=@prefix@/bin/stunnel4 NAME=stunnel DESC="SSL tunnels" -FILES="/etc/stunnel/*.conf" OPTIONS="" ENABLED=0 @@ -76,6 +75,22 @@ exit 0 fi +# If the user want to manage a single tunnel, the conf file's name +# is in $2. Otherwise, respect /etc/default/stunnel4 setting. If no +# setting there, use /etc/stunnel/*.conf +if [ -n "${2:-}" ]; then + if [ -e "/etc/stunnel/$2.conf" ]; then + FILES="/etc/stunnel/$2.conf" + else + echo >&2 "/etc/stunnel/$2.conf does not exist." + exit 1 + fi +else + if [ -z "$FILES" ]; then + FILES="/etc/stunnel/*.conf" + fi +fi + test -x $DAEMON || exit 0 set -e @@ -110,7 +125,7 @@ ;; *) N=/etc/init.d/$NAME - echo "Usage: $N {start|stop|reload|reopen-logs|restart}" >&2 + echo "Usage: $N {start|stop|reload|reopen-logs|restart} []" >&2 exit 1 ;; esac debian/patches/rename-binary0000644000000000000000000001275412135311447013303 0ustar # Change references to the binary from stunnel to stunnel4 Index: stunnel4/src/stunnel3.in =================================================================== --- stunnel4.orig/src/stunnel3.in +++ stunnel4/src/stunnel3.in @@ -22,7 +22,7 @@ use Getopt::Std; # Configuration - path to stunnel (version >=4.05) -$stunnel_bin='@prefix@/bin/stunnel'; +$stunnel_bin='@prefix@/bin/stunnel4'; # stunnel3 script body begins here ($read_fd, $write_fd)=POSIX::pipe(); Index: stunnel4/doc/stunnel.8 =================================================================== --- stunnel4.orig/doc/stunnel.8 +++ stunnel4/doc/stunnel.8 
@@ -61,8 +61,8 @@ .\} .\" ======================================================================== .\" -.IX Title "STUNNEL 8" -.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel" +.IX Title "STUNNEL4 8" +.TH STUNNEL 8 "2012.01.14" "4.53" "stunnel4" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Index: stunnel4/tools/stunnel.conf-sample.in =================================================================== --- stunnel4.orig/tools/stunnel.conf-sample.in +++ stunnel4/tools/stunnel.conf-sample.in @@ -9,17 +9,17 @@ ; A copy of some devices and system files is needed within the chroot jail ; Chroot conflicts with configuration file reload and many other features -chroot = @localstatedir@/lib/stunnel/ +chroot = @localstatedir@/lib/stunnel4/ ; Chroot jail can be escaped if setuid option is not used setuid = nobody setgid = @DEFAULT_GROUP@ ; PID is created inside the chroot jail -pid = /stunnel.pid +pid = /stunnel4.pid ; Debugging stuff (may useful for troubleshooting) ;debug = 7 -;output = @localstatedir@/log/stunnel/stunnel.log +;output = @localstatedir@/log/stunnel4/stunnel.log ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * Index: stunnel4/src/Makefile.am =================================================================== --- stunnel4.orig/src/Makefile.am +++ stunnel4/src/Makefile.am 
@@ -25,7 +25,7 @@ stunnel_CPPFLAGS += -I$(SSLDIR)/include stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"' stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"' -stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"' +stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"' # SSL library stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto Index: stunnel4/src/Makefile.in =================================================================== --- stunnel4.orig/src/Makefile.in +++ stunnel4/src/Makefile.in @@ -273,7 +273,7 @@ # Additional preprocesor definitions stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \ -DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' \ - -DPIDFILE='"$(localstatedir)/run/stunnel/stunnel.pid"' + -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"' # Win32 executable EXTRA_DIST = nogui.c make.bat makece.bat makew32.bat mingw.mak evc.mak \ Index: stunnel4/doc/stunnel.pl.8 =================================================================== --- stunnel4.orig/doc/stunnel.pl.8 +++ stunnel4/doc/stunnel.pl.8 @@ -61,8 +61,8 @@ .\} .\" ======================================================================== .\" -.IX Title "STUNNEL.PL 8" -.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel" +.IX Title "STUNNEL4.PL 8" +.TH STUNNEL.PL 8 "2012.01.14" "4.53" "stunnel4" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Index: stunnel4/doc/stunnel.fr.8 =================================================================== --- stunnel4.orig/doc/stunnel.fr.8 +++ stunnel4/doc/stunnel.fr.8 
@@ -61,8 +61,8 @@ .\} .\" ======================================================================== .\" -.IX Title "STUNNEL.FR 8" -.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel" +.IX Title "STUNNEL4.FR 8" +.TH STUNNEL.FR 8 "2012.01.12" "4.53" "stunnel4" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l Index: stunnel4/tools/stunnel.init.in =================================================================== --- stunnel4.orig/tools/stunnel.init.in +++ stunnel4/tools/stunnel.init.in @@ -1,6 +1,6 @@ #! /bin/sh -e ### BEGIN INIT INFO -# Provides: stunnel +# Provides: stunnel4 # Required-Start: $local_fs $remote_fs # Required-Stop: $local_fs $remote_fs # Should-Start: $syslog @@ -10,8 +10,8 @@ # Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons) ### END INIT INFO -DEFAULTPIDFILE="/var/run/stunnel.pid" -DAEMON=@prefix@/bin/stunnel +DEFAULTPIDFILE="/var/run/stunnel4.pid" +DAEMON=@prefix@/bin/stunnel4 NAME=stunnel DESC="SSL tunnels" FILES="/etc/stunnel/*.conf" @@ -33,9 +33,9 @@ } startdaemons() { - if ! [ -d /var/run/stunnel ]; then - rm -rf /var/run/stunnel - install -d -o stunnel -g stunnel /var/run/stunnel + if ! [ -d /var/run/stunnel4 ]; then + rm -rf /var/run/stunnel4 + install -d -o stunnel4 -g stunnel4 /var/run/stunnel4 fi for file in $FILES; do if test -f $file; then 
@@ -70,9 +70,9 @@ OPTIONS="-- $OPTIONS" fi -test -f /etc/default/stunnel && . /etc/default/stunnel +test -f /etc/default/stunnel4 && . /etc/default/stunnel4 if [ "$ENABLED" = "0" ] ; then - echo "$DESC disabled, see /etc/default/stunnel" + echo "$DESC disabled, see /etc/default/stunnel4" exit 0 fi debian/patches/runas-user0000644000000000000000000000113012135311447012640 0ustar # Change the default user the binary will run as to stunnel4 Index: stunnel4/tools/stunnel.conf-sample.in =================================================================== --- stunnel4.orig/tools/stunnel.conf-sample.in +++ stunnel4/tools/stunnel.conf-sample.in 
@@ -11,8 +11,8 @@ ; Chroot conflicts with configuration file reload and many other features chroot = @localstatedir@/lib/stunnel4/ ; Chroot jail can be escaped if setuid option is not used -setuid = nobody -setgid = @DEFAULT_GROUP@ +setuid = stunnel4 +setgid = stunnel4 ; PID is created inside the chroot jail pid = /stunnel4.pid debian/patches/series0000644000000000000000000000021112135311447012025 0ustar fix-paths rename-binary runas-user selective_tunnel_restart logrotate_warning_in_sample_conf init_script_description CVE-2013-1762.patch debian/stunnel4.0stunnel4.ppp.ip-down0000644000000000000000000000045512135311447014677 0ustar #!/bin/sh # if this script gets called, we assume that the machine has lost # IPv4 connectivity -> restart stunnel (do not stop it, it is possible # to have a eth connection) test -f /etc/default/stunnel4 && . /etc/default/stunnel4 test "$PPP_RESTART" != "0" || exit 0 invoke-rc.d stunnel4 restart debian/StunnelConf-0.1.pl0000644000000000000000000003211712135311447012262 0ustar #!/usr/bin/perl # Copyright (C) 2004 Sergio Rua # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA # 02111-1307, USA. # # On Debian GNU/Linux systems, the complete text of the GNU General # Public License can be found in `/usr/share/common-licenses/GPL'. 
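use strict;
use warnings;
use Gtk2;
use Gnome2;
use Gtk2::SimpleList;

use constant TRUE  => 1;
use constant FALSE => 0;

# Please configure if necessary!
my $cfgfile    = "/etc/stunnel/stunnel.conf";
my $backup_cfg = 1;

# stunnel's numeric "verify" levels and the labels shown in the combo box.
# The configuration file must always receive the number: stunnel does not
# understand the label text.  Level 0 is "no verify" and is written by
# omitting the option (see _verify_level).
my %VERIFY_LABEL_FOR = (
    0 => "no verify",
    1 => "verify peer certificate if present",
    2 => "verify peer certificate",
    3 => "verify peer with locally installed certificate",
);
my %VERIFY_LEVEL_FOR = reverse %VERIFY_LABEL_FOR;

# global variables: widgets shared by the window, the loader and the saver
my $ekey;        # Gtk2::Entry      - private key path
my $ecert;       # Gtk2::Entry      - certificate path
my $verify;      # Gtk2::Combo      - verify level label (see %VERIFY_LABEL_FOR)
my $app;         # Gnome2::App      - main window
my $elog;        # Gtk2::Entry      - log output path
my $clientmode;  # Gtk2::Combo      - "yes" / "no"
my $debuglevel;  # Gtk2::Combo      - numeric debug level
my $capath;      # Gtk2::Entry      - CApath
my $list;        # Gtk2::SimpleList - rows of [name, accept, connect]

# Print a message, stop the GTK main loop and exit with failure.
sub mydie {
    my ($msg) = @_;
    print "$msg\n";
    Gtk2->main_quit;
    exit(-1);
}

# Strip leading and trailing whitespace from a configuration value
# (undef becomes "").
sub _trim {
    my ($s) = @_;
    return "" unless defined $s;
    $s =~ s/^\s+//;
    $s =~ s/\s+$//;
    return $s;
}

# Map a verify combo label back to the numeric level stunnel expects.
# A bare number typed by the user is passed through; "no verify" and
# anything unrecognised yield undef, meaning "do not write a verify line".
sub _verify_level {
    my ($label) = @_;
    $label = _trim($label);
    if (exists $VERIFY_LEVEL_FOR{$label}) {
        my $level = $VERIFY_LEVEL_FOR{$label};
        return $level == 0 ? undef : $level;
    }
    return $label if $label =~ /^\d+$/;
    return undef;
}

# Open a file selector titled $title; on OK copy the chosen path into the
# Gtk2::Entry $entry.  $isfile is accepted for call compatibility but not
# used: the dialog does not distinguish files from directories.
sub sel_file {
    my ($title, $entry, $isfile) = @_;
    my $fsel = Gtk2::FileSelection->new($title);
    $fsel->ok_button->signal_connect("clicked", sub {
        my $chosen = $fsel->get_filename;
        print "OK: $chosen\n";
        $entry->set_text($chosen);
        $fsel->destroy;
    });
    $fsel->cancel_button->signal_connect("clicked", sub { $fsel->destroy; });
    $fsel->show;
    return;
}

# Attach a label (column 0) and a new Gtk2::Entry (column 1) to row $row
# of $table; return the entry.
sub _labelled_entry {
    my ($table, $row, $text) = @_;
    my $label = Gtk2::Label->new($text);
    $table->attach($label, 0, 1, $row, $row + 1, ["fill"], ["fill"], 0, 0);
    my $entry = Gtk2::Entry->new();
    $table->attach($entry, 1, 2, $row, $row + 1, ["fill"], ["fill"], 0, 0);
    return $entry;
}

# Build a Gnome2::DruidPageStandard titled $title that holds an empty
# Gtk2::Table; return (page, table) so the caller can fill the table.
sub _druid_page {
    my ($title) = @_;
    my $page = Gnome2::DruidPageStandard->new();
    $page->set_title($title);
    my $vbox  = Gtk2::VBox->new(2, 2);
    my $table = Gtk2::Table->new(2, 2, FALSE);
    $vbox->pack_start($table, FALSE, FALSE, 0);
    $page->append_item("", $vbox, "");
    return ($page, $table);
}

# Wizard ("druid") asking for a connection name, the accept host/port and
# the connect host/port; on finish it appends a [name, accept, connect]
# row to $list.  Nothing reaches the disk until save_config_file runs.
sub add_connection {
    my $win = Gtk2::Window->new("toplevel");
    $win->set_position("center");
    my $vbox = Gtk2::VBox->new(0, 2);
    $win->add($vbox);
    $vbox->show;

    my $druid = Gnome2::Druid->new;
    $druid->signal_connect("cancel", sub { $win->destroy; });
    $vbox->pack_start($druid, 0, 0, 0);

    my $druid_start = Gnome2::DruidPageEdge->new("GNOME_EDGE_START");
    $druid_start->set_title("Connections setup");
    $druid_start->set_text("Please follow this configuration wizard to "
                         . "configure your connections\n");
    $druid_start->show;
    $druid->append_page($druid_start);

    # Step 1: connection name (becomes the [section] header in the file)
    my ($druid_name, $ntable) = _druid_page("Connection name");
    my $ename = _labelled_entry($ntable, 0, "Enter this connection name");
    $druid_name->show_all;
    $druid->append_page($druid_name);

    # Step 2: accepting connections
    my ($druid_accept, $atable) = _druid_page("Accepting connections");
    my $accept_error = Gtk2::Label->new("");
    $atable->attach($accept_error, 0, 1, 0, 1, ["fill"], ["fill"], 0, 0);
    my $eip   = _labelled_entry($atable, 1, "IP or hostname");
    my $eport = _labelled_entry($atable, 2, "Port number");
    $druid_accept->show_all;
    $druid->append_page($druid_accept);

    # Step 3: connecting to...
    my ($druid_connect, $ctable) = _druid_page("Connection To...");
    my $etoip   = _labelled_entry($ctable, 0, "IP or hostname");
    my $etoport = _labelled_entry($ctable, 1, "Port number");
    $druid_connect->show_all;
    $druid->append_page($druid_connect);

    # Finishing and adding connection
    my $druid_finish = Gnome2::DruidPageEdge->new("GNOME_EDGE_FINISH");
    $druid_finish->set_title("Configuration Finished.");
    $druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
    $druid_finish->signal_connect("finish", sub {
        my $acip   = _trim($eip->get_text());
        my $acport = _trim($eport->get_text());
        my $coip   = _trim($etoip->get_text());
        my $coport = _trim($etoport->get_text());
        # an empty host leaves a leading ":" here; the saver strips it
        push @{ $list->{data} },
            [ _trim($ename->get_text()), "$acip:$acport", "$coip:$coport" ];
        $win->destroy;
    });
    $druid_finish->show;
    $druid->append_page($druid_finish);

    $druid->show;
    $win->show;
    return;
}

# Read $cfgfile into the widgets.  Global options (cert, key, verify,
# client, CApath, debug, output) fill the entries; each [section] that
# carries both accept and connect becomes a row of $list.  A missing or
# empty file is not an error: the GUI simply starts empty.
# Returns 0 when the file was absent, 1 after a successful read; dies
# when the file exists but cannot be opened.
sub load_config_file {
    my $con = $list->{data};
    my ($name, $accept, $connect) = ("", "", "");

    if (!-s $cfgfile) {
        print "Config file not found. Starting from scratch!\n";
        return 0;
    }
    open my $in, '<', $cfgfile or die "$cfgfile: $!\n";
    while (my $line = <$in>) {
        chomp $line;

        if ($line =~ /^\s*\[\s*(.*?)\s*\]/) {
            $name = $1;
            next;
        }
        # only the first "=" separates option and value, so values that
        # themselves contain "=" survive; option names are case-insensitive
        my ($opt, $value) = split /=/, $line, 2;
        next unless defined $value;
        $opt   = lc _trim($opt);
        $value = _trim($value);

        if ($opt eq "cert") {
            $ecert->set_text($value);
        } elsif ($opt eq "key") {
            $ekey->set_text($value);
        } elsif ($opt eq "verify") {
            # unknown levels fall back to "no verify", as before
            my $label = exists $VERIFY_LABEL_FOR{$value}
                      ? $VERIFY_LABEL_FOR{$value}
                      : $VERIFY_LABEL_FOR{0};
            $verify->entry->set_text($label);
        } elsif ($opt eq "client") {
            $clientmode->entry->set_text($value);
        } elsif ($opt eq "capath") {
            $capath->set_text($value);
        } elsif ($opt eq "debug") {
            $debuglevel->entry->set_text($value);
        } elsif ($opt eq "output") {
            $elog->set_text($value);
        } elsif ($opt eq "accept") {
            $accept = $value;
        } elsif ($opt eq "connect") {
            $connect = $value;
        }

        # load connection once the section has both ends
        if ($accept ne "" && $name ne "" && $connect ne "") {
            push @$con, [ $name, $accept, $connect ];
            ($name, $accept, $connect) = ("", "", "");
        }
    }
    close $in;
    return 1;
}

# Write the widgets back to $cfgfile (keeping the previous file as
# "$cfgfile.<pid>" when $backup_cfg is set), then quit the GTK main loop.
# "verify" is written as stunnel's numeric level (or omitted for "no
# verify"), never as the combo-box label.  Undefined rows in $list are
# skipped so they cannot turn into empty [] sections.
sub save_config_file {
    if ($backup_cfg) {
        rename($cfgfile, "$cfgfile.$$")
            or print "Error at \n$cfgfile: $!\nNo backup made!\n";
    }
    open my $out, '>', $cfgfile or mydie("Cannot open config file: $!\n");
    print "Saving $cfgfile\n\n\n";
    print {$out} "# Configuration file created by \"stunnelconf\" by "
               . "Sergio Rua \n\n";

    if ($ekey->get_text()) {
        print {$out} "key = " . $ekey->get_text() . "\n";
    }
    if ($ecert->get_text()) {
        print {$out} "cert = " . $ecert->get_text() . "\n";
    }
    my $level = _verify_level($verify->entry->get_text());
    if (defined $level) {
        print {$out} "verify = $level\n";
    }
    print {$out} "output = " . $elog->get_text() . "\n";
    print {$out} "client = " . $clientmode->entry->get_text() . "\n";
    print {$out} "debug = " . $debuglevel->entry->get_text() . "\n";
    print {$out} "CApath = " . $capath->get_text() . "\n";
    print {$out} "\n\n";    # just some spaces

    for my $row (@{ $list->{data} }) {
        next unless defined $row;
        my ($name, $accept, $connect) = map { _trim($_) } @$row;
        # if no hostname, ugly ":" to be removed
        $accept  =~ s/^://;
        $connect =~ s/^://;
        print {$out} "[$name]\n";
        print {$out} "accept = $accept\n";
        print {$out} "connect = $connect\n";
        print {$out} "\n";    # just some spaces
    }
    # a buffered write error only surfaces at close time
    close $out or mydie("Cannot write config file: $!\n");
    Gtk2->main_quit;
    return 0;
}

# Build the main Gnome2::App window: a "Common options" table bound to
# the global entry/combo widgets and a "Connections" list with add/remove
# buttons.  OK saves and quits, Cancel quits without saving.
# Returns the Gnome2::App, which is also stored in the global $app.
sub create_main_win {
    $app = Gnome2::App->new("stunnel-conf");
    $app->set_default_size(470, 410);
    $app->signal_connect('destroy' => sub { Gtk2->main_quit; });
    $app->set_title("Stunnel Configuration");

    my $vbox  = Gtk2::VBox->new(FALSE, 0);
    my $frame = Gtk2::Frame->new("Common options");
    $vbox->pack_start($frame, TRUE, TRUE, 0);
    # seven rows: key, cert, verify, log, client, debug, CApath
    my $table = Gtk2::Table->new(7, 2, FALSE);
    $frame->add($table);

    my @captions = (
        "Private Key", "Certificate", "Verify level", "Log output",
        "Client mode", "Debug level", "Certificates path",
    );
    for my $row (0 .. $#captions) {
        my $label = Gtk2::Label->new($captions[$row]);
        $table->attach($label, 0, 1, $row, $row + 1, ["fill"], ["fill"], 0, 0);
    }

    # Private Key
    my $hbox0 = Gtk2::HBox->new(FALSE, 0);
    $table->attach($hbox0, 1, 2, 0, 1, ["fill"], ["fill"], 0, 0);
    $ekey = Gtk2::Entry->new();
    $hbox0->pack_start($ekey, TRUE, TRUE, 0);
    my $bkey = Gtk2::Button->new_from_stock("gtk-open");
    $bkey->signal_connect("clicked", sub { sel_file("Select private key", $ekey); });
    $hbox0->pack_start($bkey, FALSE, FALSE, 0);

    # Certificate
    my $hbox1 = Gtk2::HBox->new(FALSE, 0);
    $table->attach($hbox1, 1, 2, 1, 2, ["fill"], ["fill"], 0, 0);
    $ecert = Gtk2::Entry->new();
    $hbox1->pack_start($ecert, TRUE, TRUE, 0);
    my $bcert = Gtk2::Button->new_from_stock("gtk-open");
    $bcert->signal_connect("clicked", sub { sel_file("Select certificate", $ecert); });
    $hbox1->pack_start($bcert, FALSE, FALSE, 0);

    # Auth level - verify: the combo shows labels, the file gets numbers
    $verify = Gtk2::Combo->new();
    $verify->entry->set_text($VERIFY_LABEL_FOR{0});
    $verify->set_popdown_strings(map { $VERIFY_LABEL_FOR{$_} } sort keys %VERIFY_LABEL_FOR);
    $table->attach($verify, 1, 2, 2, 3, ["fill"], ["fill"], 0, 0);

    # Log output
    my $hbox2 = Gtk2::HBox->new(FALSE, 0);
    $table->attach($hbox2, 1, 2, 3, 4, ["fill"], ["fill"], 0, 0);
    $elog = Gtk2::Entry->new();
    $hbox2->pack_start($elog, TRUE, TRUE, 0);
    my $blog = Gtk2::Button->new_from_stock("gtk-open");
    $blog->signal_connect("clicked", sub { sel_file("Select log file", $elog); });
    $hbox2->pack_start($blog, FALSE, FALSE, 0);

    # Client mode - defaults to "no" (server mode).  The previous default
    # text "no verify" was a copy/paste slip and produced an invalid
    # "client = no verify" line on save.
    $clientmode = Gtk2::Combo->new();
    $clientmode->entry->set_text("no");
    $clientmode->set_popdown_strings("yes", "no");
    $table->attach($clientmode, 1, 2, 4, 5, ["fill"], ["fill"], 0, 0);

    # Debug level - defaults to 5 (notice), stunnel's own default
    $debuglevel = Gtk2::Combo->new();
    $debuglevel->entry->set_text("5");
    $debuglevel->set_popdown_strings("0", "1", "5", "7");
    $table->attach($debuglevel, 1, 2, 5, 6, ["fill"], ["fill"], 0, 0);

    # CA path (plain entry: the file selector has no directory mode)
    my $hbox3 = Gtk2::HBox->new(FALSE, 0);
    $table->attach($hbox3, 1, 2, 6, 7, ["fill"], ["fill"], 0, 0);
    $capath = Gtk2::Entry->new();
    $hbox3->pack_start($capath, TRUE, TRUE, 0);

    # connections section
    my $frame2 = Gtk2::Frame->new("Connections");
    $vbox->pack_start($frame2, TRUE, TRUE, 0);
    my $hbox4 = Gtk2::HBox->new(FALSE, 0);
    $list = Gtk2::SimpleList->new(
        'Name'    => 'text',
        'Accept'  => 'text',
        'Connect' => 'text',
    );
    my $scwin = Gtk2::ScrolledWindow->new;
    $scwin->set_policy(qw/automatic automatic/);
    $scwin->add($list);
    $hbox4->pack_start($scwin, TRUE, TRUE, 0);

    # list buttons
    my $vbbox = Gtk2::VButtonBox->new();
    $vbbox->set_layout('spread');
    my $badd = Gtk2::Button->new_from_stock('gtk-add');
    $badd->signal_connect('clicked' => sub { add_connection(); });
    $vbbox->add($badd);
    my $brem = Gtk2::Button->new_from_stock('gtk-remove');
    $brem->signal_connect('clicked' => sub {
        # remove from the highest index down so the remaining selected
        # indices stay valid; delete() would leave undef holes
        for my $i (sort { $b <=> $a } $list->get_selected_indices) {
            splice @{ $list->{data} }, $i, 1;
        }
    });
    $vbbox->add($brem);
    $hbox4->pack_start($vbbox, FALSE, FALSE, 0);

    # main buttons!!!
    my $bbox = Gtk2::HButtonBox->new();
    $bbox->set_layout('spread');
    my $bok = Gtk2::Button->new_from_stock('gtk-ok');
    $bok->signal_connect('clicked' => sub { save_config_file(); });
    $bbox->add($bok);
    my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
    $bcancel->signal_connect('clicked' => sub { Gtk2->main_quit; });
    $bbox->add($bcancel);
    $vbox->pack_start($bbox, FALSE, FALSE, 0);
    $frame2->add($hbox4);

    # App contents and show them
    $app->set_contents($vbox);
    $app->show_all;
    return $app;
}

#
# MAIN MAIN MAIN
#
Gnome2::Program->init("stunnelconf", "0.1");
$app = create_main_win();
load_config_file();
Gtk2->main;
exit 0;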