- switch threading model to pthread since that it is the default process model in stunnel;
- fix stunnel.pem path in pkg/MESSAGE;
- add patches to make it build with libressl;
- fix some hardcoding paths in tools/stunnel.conf-sample.in.
Tweaks and Feedback:
jca@ yasuoka@ jasper@ brad@ and Markus Lude, thanks!
tested by yasuoka@ and Markus Lude on sparc64 (Markus's tests were against the 3.18 version, but not many changes to 3.19, assuming that should work too...)...
full changelog at:
https://www.stunnel.org/sdf_ChangeLog.html
Security bugfixes
- OpenSSL DLLs updated to version 1.0.1j.
  https://www.openssl.org/news/secadv_20141015.txt
- The insecure SSLv2 protocol is now disabled by default. It can be
  enabled with "options = -NO_SSLv2".
- The insecure SSLv3 protocol is now disabled by default. It can be
  enabled with "options = -NO_SSLv3".
- Default sslVersion changed to "all" (also in FIPS mode) to
  autonegotiate the highest supported TLS version.
New features
- Added missing SSL options to match OpenSSL 1.0.1j.
- New "-options" commandline option to display the list of supported
  SSL options.
Bugfixes
- Fixed FORK threading build regression bug.
OK gsoares@ (maintainer) OK schwarze@
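The release notes above describe two ways an stunnel.conf can undo the new secure defaults: "options = -NO_SSLv2" / "options = -NO_SSLv3" re-enable the insecure protocols, and sslVersion pinned to SSLv2/SSLv3 bypasses the "all" autonegotiation; the 5.00 notes further down give the default cipher list. The following audit script is an added example, not code from the OpenBSD port or from stunnel itself. It parses the INI-like stunnel.conf subset (sections, key = value lines, ';' or '#' comment lines) and flags settings that weaken the defaults. The WEAK_CIPHER_TERMS list is a heuristic I chose, and the sample configuration is constructed for the demo.

```python
"""Audit an stunnel.conf for settings that undo the stunnel 5.x secure defaults.

Added example; the parser covers only the stunnel.conf subset used here.
"""
import re

# stunnel 5.00 default cipher list, as quoted in the port's commit message.
DEFAULT_CIPHERS = "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2"

# Heuristic (my own choice): OpenSSL cipher-string terms that should never be
# positively selected. Terms prefixed with '!' or '-' remove suites and are fine.
WEAK_CIPHER_TERMS = {"ANULL", "ENULL", "NULL", "LOW", "EXPORT", "SSLV2"}


def parse_stunnel_conf(text):
    """Return {section: [(key, value), ...]}; '' is the global section.
    A key may repeat (several 'options' lines are common), so values are kept as a list."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:                             # [service] header
            current = match.group(1).strip()
            sections.setdefault(current, [])
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def weak_cipher_terms(cipher_list):
    """Return the terms of an OpenSSL cipher string that positively enable weak suites."""
    weak = []
    for term in cipher_list.split(":"):
        if term.startswith(("!", "-")):       # exclusion, not a selection
            continue
        if term.lstrip("+").upper() in WEAK_CIPHER_TERMS:
            weak.append(term)
    return weak


def audit_section(name, entries):
    """Check one section's settings against the stunnel 5.x defaults."""
    findings = []
    for key, value in entries:
        if key == "options":
            for opt in value.split():
                if opt.upper() in ("-NO_SSLV2", "-NO_SSLV3"):
                    findings.append(f"[{name}] re-enables insecure {opt[4:]} via 'options = {opt}'")
        elif key == "sslVersion" and value.upper() in ("SSLV2", "SSLV3"):
            findings.append(f"[{name}] pins sslVersion = {value}; stunnel 5.x default is 'all'")
        elif key == "ciphers":
            weak = weak_cipher_terms(value)
            if weak:
                findings.append(f"[{name}] cipher list allows {', '.join(weak)}")
    return findings


def audit(text):
    """Audit a whole stunnel.conf; returns a list of human-readable findings."""
    findings = []
    for name, entries in parse_stunnel_conf(text).items():
        findings.extend(audit_section(name or "global", entries))
    return findings


# Constructed sample: one service keeps the defaults but re-enables SSLv3,
# another pins SSLv3 and selects LOW ciphers. The cert path is a placeholder.
SAMPLE_CONF = """\
; constructed sample for the example
cert = /path/to/stunnel.pem

[https]
accept = 443
connect = 80
options = -NO_SSLv3
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2

[legacy-pop]
accept = 995
connect = 110
sslVersion = SSLv3
ciphers = ALL:LOW:!aNULL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports three findings: the SSLv3 re-enable in [https], the SSLv3 pin in [legacy-pop], and the LOW term in that section's cipher list; a config that leaves sslVersion at "all" and keeps the default cipher list produces none.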
postgresql where a forked child process doesn't correctly reset RNG state.
See CVE-2014-0016, http://www.openwall.com/lists/oss-security/2014/03/05/1
ok gsoares@
Note from upstream release notes:
"stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments."
These changes include: FIPS mode, pid file generation and
libwrap disabled by default, and the default cipher list has
been updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2".
PLIST and delete everything under the @sample'd directory instead of the
directory itself to prevent a warning from pkg_delete(1) trying to
remove a non-existing directory and to help prevent left-over files
and directories.
functionality. The bug allows a revoked certificate to successfully
authenticate. Any installations with OCSP enabled should be upgraded ASAP.
Other users are not affected.