Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package stunnel for openSUSE:Factory checked 
in at 2023-09-08 21:15:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/stunnel (Old)
 and      /work/SRC/openSUSE:Factory/.stunnel.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "stunnel"

Fri Sep  8 21:15:34 2023 rev:39 rq:1109601 version:5.70

Changes:
--------
--- /work/SRC/openSUSE:Factory/stunnel/stunnel.changes  2023-07-24 
18:26:17.890267042 +0200
+++ /work/SRC/openSUSE:Factory/.stunnel.new.1766/stunnel.changes        
2023-09-08 21:16:24.980347569 +0200
@@ -1,0 +2,17 @@
+Thu Sep  7 11:01:11 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Enable crypto-policies support: [bsc#1211301]
+  * The system's crypto-policies are the best source to determine
+    which cipher suites to accept in TLS. OpenSSL supports the
+    PROFILE=SYSTEM setting to use those policies. Change stunnel
+    to default to the system settings.
+  * Add patches:
+    - stunnel-5.69-system-ciphers.patch
+    - stunnel-5.69-default-tls-version.patch
+
+-------------------------------------------------------------------
+Thu Sep  7 10:34:18 UTC 2023 - Pedro Monreal <pmonr...@suse.com>
+
+- Enable bash completion support
+
+-------------------------------------------------------------------

New:
----
  stunnel-5.69-default-tls-version.patch
  stunnel-5.69-system-ciphers.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ stunnel.spec ++++++
--- /var/tmp/diff_new_pack.QJtl9f/_old  2023-09-08 21:16:26.476401037 +0200
+++ /var/tmp/diff_new_pack.QJtl9f/_new  2023-09-08 21:16:26.480401180 +0200
@@ -37,6 +37,11 @@
 # PATCH-FIX-UPSTREAM Fix service file, so it ensure we are starting after 
network is really up!
 Patch1:         stunnel-5.59_service_always_after_network.patch
 Patch2:         harden_stunnel.service.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# PATCH-FIX-FEDORA bsc#1211301 Add crypto-policies support
+Patch3:         stunnel-5.69-system-ciphers.patch
+Patch4:         stunnel-5.69-default-tls-version.patch
+%endif
 BuildRequires:  libopenssl-devel
 # test dependencies
 BuildRequires:  netcat
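Review bot: The `%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400` gate around Patch3/Patch4 silently encodes the assumption that the openssl shipped for those targets accepts the `PROFILE=SYSTEM` cipher string; if that ever fails to hold, the patched stunnel does not fail at build time but at service initialisation, when SSL_CTX_set_cipher_list() rejects the default list. Make the dependency explicit inside the same conditional, e.g. `Requires:       crypto-policies`, so the package graph documents what the patched defaults rely on. If `%check` runs the bundled tests (the netcat test dependency below suggests it does), a run that starts a service with the unmodified default cipher list would catch a mismatch at build time.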
@@ -77,12 +82,17 @@
 chmod -x %{_builddir}/stunnel-%{version}/tools/ca.*
 chmod -x %{_builddir}/stunnel-%{version}/tools/importCA.*
 %patch2 -p1
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%patch3 -p1
+%patch4 -p1
+%endif
 
 %build
 sed -i 's/-m 1770//g' tools/Makefile.in
 %configure \
        --disable-static \
-       --bindir=%{_sbindir}
+       --bindir=%{_sbindir} \
+       --with-bashcompdir=%{_datadir}/bash-completion/completions
 %if 0%{?sle_version} < 150000
   %define make_build %{__make} -O %{?_smp_mflags}
 %endif
@@ -161,6 +171,7 @@
 %dir %attr(755,stunnel,root) %{_localstatedir}/lib/stunnel%{_localstatedir}/run
 %{_fillupdir}/sysconfig.syslog-stunnel
 %{_unitdir}/stunnel.service
+%{_datadir}/bash-completion/completions/%{name}.bash
 
 %files doc
 %doc %{_docdir}/%{name}

++++++ stunnel-5.69-default-tls-version.patch ++++++
>From 1d3349209f339e6a68312fce076e355bc767d76c Mon Sep 17 00:00:00 2001
From: Clemens Lang <cll...@redhat.com>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 5/7] Apply patch stunnel-5.69-default-tls-version.patch

Patch-name: stunnel-5.69-default-tls-version.patch
Patch-id: 5
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
 src/ctx.c        | 34 ++++++++++++++++++++++------------
 src/options.c    | 15 +++++++++++----
 src/prototypes.h |  3 +++
 3 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/src/ctx.c b/src/ctx.c
index 6a42a6b..cba24d9 100644
--- a/src/ctx.c
+++ b/src/ctx.c
@@ -152,19 +152,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS 
context */
     section->ctx=SSL_CTX_new(section->option.client ?
         TLS_client_method() : TLS_server_method());
 #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
-    if(section->min_proto_version &&
-            !SSL_CTX_set_min_proto_version(section->ctx,
-            section->min_proto_version)) {
-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-            section->min_proto_version);
-        return 1; /* FAILED */
+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS minimum version as specified in"
+                " crypto policies. Not setting explicitly.");
+    } else {
+        if(section->min_proto_version &&
+                !SSL_CTX_set_min_proto_version(section->ctx,
+                section->min_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+                section->min_proto_version);
+            return 1; /* FAILED */
+        }
     }
-    if(section->max_proto_version &&
-            !SSL_CTX_set_max_proto_version(section->ctx,
-            section->max_proto_version)) {
-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-            section->max_proto_version);
-        return 1; /* FAILED */
+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+        s_log(LOG_INFO, "Using the default TLS maximum version as specified in"
+                " crypto policies. Not setting explicitly");
+    } else {
+        if(section->max_proto_version &&
+                !SSL_CTX_set_max_proto_version(section->ctx,
+                section->max_proto_version)) {
+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+                section->max_proto_version);
+            return 1; /* FAILED */
+        }
     }
 #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
     if(section->option.client)
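Review bot: The two USE_DEFAULT_TLS_VERSION branches change only the log line, not the negotiated range: the removed condition `if(section->min_proto_version && ...)` already skipped SSL_CTX_set_min_proto_version() for the old default of 0, so in both versions the context inherits whatever OpenSSL's configuration applies at SSL_CTX_new(). The LOG_INFO text "as specified in crypto policies" is therefore only true on a build whose openssl.cnf system_default section is fed by crypto-policies; on plain OpenSSL it is just the library default, and the message could say so, e.g. `/* leave the floor to OpenSSL's configured default (crypto-policies where the distro provides it) */`. Stylistically the new `if (` diverges from the file's `if(`, and `} else { if(...) { ... } }` can collapse to `} else if(...) {`. context_init() begins and ends outside this hunk, including the pre-1.1.0 `#else` branch, which should be checked for any use of the new -2 sentinel.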
diff --git a/src/options.c b/src/options.c
index 4d31815..2ec5934 100644
--- a/src/options.c
+++ b/src/options.c
@@ -3371,8 +3371,9 @@ NOEXPORT const char *parse_service_option(CMD cmd, 
SERVICE_OPTIONS **section_ptr
             return "Invalid protocol version";
         return NULL; /* OK */
     case CMD_INITIALIZE:
-        if(section->max_proto_version && section->min_proto_version &&
-                section->max_proto_version<section->min_proto_version)
+        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
+                && section->max_proto_version<section->min_proto_version)
             return "Invalid protocol version range";
         break;
     case CMD_PRINT_DEFAULTS:
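Review bot: The rewritten range check drops the `section->max_proto_version && section->min_proto_version` guard, so a max of 0 with an explicit min (for example `sslVersionMin = TLSv1.2`) now fails with "Invalid protocol version range" if the parser above still maps a keyword to 0 the way the removed defaults did; the original accepted that combination as "highest supported". Since valid OpenSSL version constants are positive and both 0 and -2 are sentinels, one comparison covers both: `if(section->max_proto_version>0 && section->min_proto_version>0 && section->max_proto_version<section->min_proto_version)`. Whether 0 remains reachable from a config keyword is outside this hunk and should be confirmed against the CMD_SET_VALUE parser.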
@@ -3390,7 +3391,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, 
SERVICE_OPTIONS **section_ptr
     /* sslVersionMax */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->max_proto_version=0; /* highest supported */
+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies.Do not
+                                                               override it */
         break;
     case CMD_SET_COPY:
         section->max_proto_version=new_service_options.max_proto_version;
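Review bot: CMD_PRINT_DEFAULTS and CMD_PRINT_HELP for sslVersionMax sit just below this hunk and presumably format the default value; with the default now -2 rather than 0 they should map USE_DEFAULT_TLS_VERSION to a readable word rather than printing a raw sentinel, which is not visible here and worth checking. The new comment also has a missing space (`policies.Do not`) and states the mechanism imprecisely; stunnel simply does not call SSL_CTX_set_max_proto_version(), which yields crypto-policies only where the distro's openssl.cnf is wired to them. Suggested wording: `/* USE_DEFAULT_TLS_VERSION: do not set a ceiling; inherit OpenSSL's configured default (crypto-policies on SUSE/Fedora) */`.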
@@ -3421,7 +3425,10 @@ NOEXPORT const char *parse_service_option(CMD cmd, 
SERVICE_OPTIONS **section_ptr
     /* sslVersionMin */
     switch(cmd) {
     case CMD_SET_DEFAULTS:
-        section->min_proto_version=0; /* lowest supported */
+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+                                                               OpenSSL crypto
+                                                               policies. Do not
+                                                               override it */
         break;
     case CMD_SET_COPY:
         section->min_proto_version=new_service_options.min_proto_version;
diff --git a/src/prototypes.h b/src/prototypes.h
index 0ecd719..a126c9e 100644
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -940,6 +940,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
 ICON_IMAGE load_icon_file(const char *);
 #endif
 
+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
+                                             crypto policies */
+
 #endif /* defined PROTOTYPES_H */
 
 /* end of prototypes.h */
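Review bot: The sentinel `#define USE_DEFAULT_TLS_VERSION ((int)-2)` is added at the very end of prototypes.h, among unrelated icon-loading prototypes, far from the `min_proto_version`/`max_proto_version` fields of SERVICE_OPTIONS it qualifies; placing it next to those fields (or as an enum constant alongside them) keeps the three magic values a reader must know about in one place. The comment should also record the value space it lives in, e.g. `/* min/max_proto_version: positive = explicit OpenSSL version constant, 0 = unbounded (legacy), USE_DEFAULT_TLS_VERSION = do not touch OpenSSL's configured default */`, since both 0 and -2 are now in play and the difference is exactly what the options.c range check depends on.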
-- 
2.39.2


++++++ stunnel-5.69-system-ciphers.patch ++++++
>From 6c8c4c8c85204943223b251d09ca1e93571a437a Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sprasad@localhost.localdomain>
Date: Mon, 12 Sep 2022 11:07:38 +0200
Subject: [PATCH 3/7] Use cipher configuration from crypto-policies

On Fedora, CentOS and RHEL, the system's crypto policies are the best
source to determine which cipher suites to accept in TLS. On these
platforms, OpenSSL supports the PROFILE=SYSTEM setting to use those
policies. Change stunnel to default to this setting.

Co-Authored-by: Sahana Prasad <shebb...@redhat.com>
Patch-name: stunnel-5.69-system-ciphers.patch
Patch-id: 3
From-dist-git-commit: 70b3076eb09912b3a11f371b8c523303114fffa3
---
 src/options.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/options.c b/src/options.c
index 6e4a18b..4d31815 100644
--- a/src/options.c
+++ b/src/options.c
@@ -321,9 +321,9 @@ static const char *option_not_found=
     "Specified option name is not valid here";
 
 static const char *stunnel_cipher_list=
-    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+    "PROFILE=SYSTEM";
 static const char *fips_cipher_list=
-    "FIPS:!DH:!kDHEPSK";
+    "PROFILE=SYSTEM";
 
 #ifndef OPENSSL_NO_TLS1_3
 static const char *stunnel_ciphersuites=
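Review bot: `"PROFILE=SYSTEM"` is not upstream OpenSSL cipher-string syntax; it is only understood by builds carrying the Fedora/RHEL/SUSE crypto-policies patch, and on any other build SSL_CTX_set_cipher_list() rejects it so every service fails to initialise, which makes the spec's `%if` gate a hard correctness requirement that deserves a comment on both strings, e.g. `/* requires an OpenSSL with crypto-policies support; rejected by upstream OpenSSL */`. Replacing `fips_cipher_list` wholesale also means FIPS mode no longer carries an explicit `FIPS:` selector: the approved set is now whatever the active system policy is, so a host in FIPS mode whose crypto-policy is not FIPS relies entirely on the provider (OpenSSL 3) or on nothing (1.1.1) to exclude non-approved suites. Note too that this list governs TLS 1.2 and below only; `stunnel_ciphersuites` for TLS 1.3 starts on the last line of the hunk with its value outside it, and if stunnel still applies it via SSL_CTX_set_ciphersuites() the system policy does not govern TLS 1.3 suites.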
-- 
2.39.2
