- switch threading model to pthread since that it is the default process model in stunnel;
- fix stunnel.pem path in pkg/MESSAGE;
- add patches to make it build with libressl;
- fix some hardcoding paths in tools/stunnel.conf-sample.in.
Tweaks and Feedback:
jca@ yasuoka@ jasper@ brad@ and Markus Lude, thanks !
tested by yasuoka@ and Markus Lude on @sparc64(markus's tests against 3.18 version, but no many changes to 3.19, assuming that should work too...)...
full changelog at:
https://www.stunnel.org/sdf_ChangeLog.html
Security bugfixes
OpenSSL DLLs updated to version 1.0.1j.
https://www.openssl.org/news/secadv_20141015.txt
The insecure SSLv2 protocol is now disabled by default. It can be
enabled with "options = -NO_SSLv2".
The insecure SSLv3 protocol is now disabled by default. It can be
enabled with "options = -NO_SSLv3".
Default sslVersion changed to "all" (also in FIPS mode) to
autonegotiate the highest supported TLS version.
New features
Added missing SSL options to match OpenSSL 1.0.1j.
New "-options" commandline option to display the list of supported
SSL options.
Bugfixes
Fixed FORK threading build regression bug.
OK gsoares@ (maintainer) OK schwarze@
postgresql where a forked child process doesn't correctly reset RNG state.
See CVE-2014-0016, http://www.openwall.com/lists/oss-security/2014/03/05/1
ok gsoares@
Note from upstream release notes:
"stunnel 5.00 disables some features previously enabled by default.
Users should review whether the new defaults are appropriate for their
particular deployments."
These changes include: FIPS mode, pid file generation and
libwrap disabled by default, and the default cipher list has
been updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2".
functionality. The bug allows a revoked certificate to successfully
authenticate. Any installations with OCSP enabled should be upgraded ASAP.
Other users are not affected.
- new user interface (config file)
- single daemon can listen on multiple ports
- delayed DNS lookup added
- configurable timeouts
- chroot support
- private key file for a certificate can be kept in a separate file
* Format string bug fixed in protocol.c
smtp, pop3 and nntp in client mode were affected.
(stunnel clients could be attacked by malicious servers)
* Certificate chain can be supplied with -p option or in stunnel.pem.
* Problem with -r and -l options used together fixed.
* memmove() instead of memcpy() is used to move data in buffers.
* More detailed information about negotiated ciphers is printed.
* New ./configure options: "--enable-no-rsa" and "--enable-dh".
