or provided functions that are now available in libcrypto.
ok gsoares, sthen (for a more aggressive earlier version)
I'll revisit the other bits at p2k18.
- switch threading model to pthread since it is the default process model in stunnel;
- fix stunnel.pem path in pkg/MESSAGE;
- add patches to make it build with libressl;
- fix some hardcoded paths in tools/stunnel.conf-sample.in.
Tweaks and Feedback:
jca@ yasuoka@ jasper@ brad@ and Markus Lude, thanks!
tested by yasuoka@ and Markus Lude on sparc64 (Markus's tests were against the 3.18 version, but not many changes to 3.19, so assuming that should work too...)
full changelog at:
https://www.stunnel.org/sdf_ChangeLog.html
Security bugfixes
OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
The insecure SSLv2 protocol is now disabled by default. It can be
enabled with "options = -NO_SSLv2".
The insecure SSLv3 protocol is now disabled by default. It can be
enabled with "options = -NO_SSLv3".
Default sslVersion changed to "all" (also in FIPS mode) to
autonegotiate the highest supported TLS version.
New features
Added missing SSL options to match OpenSSL 1.0.1j.
New "-options" commandline option to display the list of supported
SSL options.
Bugfixes
Fixed FORK threading build regression bug.
OK gsoares@ (maintainer) OK schwarze@
postgresql where a forked child process doesn't correctly reset RNG state.
See CVE-2014-0016, http://www.openwall.com/lists/oss-security/2014/03/05/1
ok gsoares@
Note from upstream release notes:
"stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments."
These changes include: FIPS mode, pid file generation and
libwrap disabled by default, and the default cipher list has
been updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2".
- new user interface (config file)
- single daemon can listen on multiple ports
- delayed DNS lookup added
- configurable timeouts
- chroot support
- private key file for a certificate can be kept in a separate file
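The protocol and cipher defaults from the 5.0x release notes above, together with the chroot and separate-key-file features listed for 4.00, can be written down explicitly so that a deployment review sees them rather than relying on what the installed version happens to default to. The configuration below is an added example, not part of the OpenBSD ports log or of upstream stunnel's own sample file; the chroot path, the _stunnel user, the certificate and key paths, and the service ports are placeholders. The commented-out "-NO_SSLv3" line is the weak setting the notes warn about: in stunnel 5.x the leading "-" removes the OpenSSL option and so re-enables the protocol.

```ini
; Added example: hypothetical stunnel 5.x configuration stating the
; release-note defaults explicitly. Paths, user and ports are placeholders.

; --- global section ---
chroot = /var/stunnel/                  ; chroot support (4.00 feature); placeholder path
setuid = _stunnel                       ; placeholder unprivileged user
setgid = _stunnel
pid = /stunnel.pid                      ; 5.00 writes no pid file unless one is set;
                                        ; the path is relative to the chroot

; Protocol selection: 5.0x disables SSLv2 and SSLv3 and negotiates the
; highest supported TLS version. Keep that explicit.
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
; Weak setting (do not use): a leading "-" re-enables the protocol.
; options = -NO_SSLv3

; Default cipher list from the 5.00 release notes, written out so a
; later default change cannot silently weaken it.
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2

; --- one service per section; a single daemon may serve several ---
[https]
accept  = 443                           ; placeholder listening port
connect = 127.0.0.1:8080                ; placeholder backend
cert = /etc/ssl/stunnel.pem             ; placeholder certificate path
key  = /etc/ssl/private/stunnel.key     ; private key kept separately (4.00 feature)
```

Because `options` lines accumulate rather than replace one another, a later `options = -NO_SSLv3` anywhere in the global section would undo the line above it, so a review of an existing file should look for any `-NO_` prefix, not just for the absence of `NO_SSLv3`.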
Version 3.9, 2000.12.13:
* Updated temporary key generation:
- stunnel is now honoring requested key-lengths correctly,
- temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.