> I think that may be an upstream bug: OpenSSL can return NULL from > RAND_get_rand_method() too. > > 351 NOEXPORT int prng_init(GLOBAL_OPTIONS *global) { > 352 int totbytes=0; > 353 char filename[256]; > 354 const RAND_METHOD *meth=RAND_get_rand_method(); > 355 > 356 /* skip PRNG initialization when no seeding methods are available */ > 357 if(meth->status==NULL || meth->add==NULL) { > 358 s_log(LOG_DEBUG, "No PRNG seeding methods"); > 359 return 0; /* success */ > 360 } > 361 > 362 if(RAND_status()) { > 363 s_log(LOG_DEBUG, "No PRNG seeding was required"); > 364 return 0; /* success */ > 365 }
Makes sense, I agree; I have addressed it upstream. > With stunnel it really feels like the dev is going out of his way to > make the software as annoying as possible to build against LibreSSL. > Which makes me definitely think we should keep building against LibreSSL! :) Updated diff inline below, including the RAND_get_rand_method() changes. Thanks for your review, gsoares
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/stunnel/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile 12 Jul 2019 20:49:37 -0000 1.93
+++ Makefile 3 Mar 2022 20:05:00 -0000
@@ -2,9 +2,8 @@
 COMMENT= SSL encryption wrapper for standard network daemons
-DISTNAME= stunnel-5.44
+DISTNAME= stunnel-5.62
 CATEGORIES= security
-REVISION= 2
 MAINTAINER= Gleydson Soares <gsoa...@openbsd.org>
@@ -13,12 +12,11 @@ PERMIT_PACKAGE= Yes
 WANTLIB += c crypto pthread ssl util
-HOMEPAGE= http://www.stunnel.org/
+HOMEPAGE= https://www.stunnel.org/
 MASTER_SITES= https://www.stunnel.org/downloads/archive/5.x/ \
- http://ftp.nluug.nl/pub/networking/stunnel/archive/5.x/ \
- http://mirror.bit.nl/stunnel/archive/5.x/ \
- ftp://ftp.stunnel.org/stunnel/archive/5.x/
+ https://ftp.nluug.nl/pub/networking/stunnel/ \
+ https://www.usenix.org.uk/mirrors/stunnel/
 SEPARATE_BUILD= Yes
 CONFIGURE_STYLE= gnu
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/stunnel/distinfo,v
retrieving revision 1.45
diff -u -p -r1.45 distinfo
--- distinfo 1 Dec 2017 00:08:44 -0000 1.45
+++ distinfo 3 Mar 2022 20:05:00 -0000
@@ -1,2 +1,2 @@
-SHA256 (stunnel-5.44.tar.gz) = mQoyXbtH132Idy3QL7vSfZGx/qPs52yf9EYeypPxIpk=
-SIZE (stunnel-5.44.tar.gz) = 699117
+SHA256 (stunnel-5.62.tar.gz) = nPW7lJAiqmbHNsEyZVTMon0GQWBaY3AnTtxJUetb0zk=
+SIZE (stunnel-5.62.tar.gz) = 862456
Index: patches/patch-Makefile_in
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-Makefile_in,v
retrieving revision 1.15
diff -u -p -r1.15 patch-Makefile_in
--- patches/patch-Makefile_in 1 Dec 2017 00:08:44 -0000 1.15
+++ patches/patch-Makefile_in 3 Mar 2022 20:05:00 -0000
@@ -1,13 +1,14 @@ -$OpenBSD: patch-Makefile_in,v 1.15 2017/12/01 00:08:44 gsoares Exp $ +$OpenBSD$ + Index: Makefile.in --- Makefile.in.orig +++ Makefile.in -@@ -364,7 +364,7 @@ top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ +@@ -371,7 +371,7 @@ top_srcdir = @top_srcdir@ + with_bashcompdir = @with_bashcompdir@ + AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions' ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src doc tools tests +SUBDIRS = src doc tests - EXTRA_DIST = PORTS BUGS COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE \ - INSTALL.FIPS build-android.sh .travis.yml - doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \ + doc_DATA = README.md TODO.md COPYING.md AUTHORS.md NEWS.md PORTS.md \ + BUGS.md COPYRIGHT.md CREDITS.md INSTALL.W32.md INSTALL.WCE.md \ + INSTALL.FIPS.md Index: patches/patch-src_client_c =================================================================== RCS file: patches/patch-src_client_c diff -N patches/patch-src_client_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_client_c 3 Mar 2022 20:05:00 -0000 
@@ -0,0 +1,30 @@ +Index: src/client.c +--- src/client.c.orig ++++ src/client.c +@@ -750,7 +750,7 @@ NOEXPORT void print_cipher(CLI *c) { /* print negotiat + NOEXPORT void transfer(CLI *c) { + int timeout; /* s_poll_wait timeout in seconds */ + int pending; /* either processed on unprocessed TLS data */ +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + int has_pending=0, prev_has_pending; + #endif + int watchdog=0; /* a counter to detect an infinite loop */ +@@ -797,7 +797,7 @@ NOEXPORT void transfer(CLI *c) { + + /****************************** wait for an event */ + pending=SSL_pending(c->ssl); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* only attempt to process SSL_has_pending() data once */ + prev_has_pending=has_pending; + has_pending=SSL_has_pending(c->ssl); +@@ -1202,7 +1202,7 @@ NOEXPORT void transfer(CLI *c) { + s_log(LOG_ERR, + "please report the problem to michal.trojn...@stunnel.org"); + stunnel_info(LOG_ERR); +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + s_log(LOG_ERR, "protocol=%s, SSL_pending=%d, SSL_has_pending=%d", + SSL_get_version(c->ssl), + SSL_pending(c->ssl), SSL_has_pending(c->ssl)); Index: patches/patch-src_common_h =================================================================== RCS file: patches/patch-src_common_h diff -N patches/patch-src_common_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_common_h 3 Mar 2022 20:05:00 -0000 
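Review bot: This new patch file opens directly with `+Index: src/client.c`, while patch-src_common_h, patch-src_options_c, patch-src_prototypes_h and patch-src_sthreads_c in the same diff open with a `$OpenBSD$` line, and patch-src_ssl_c and patch-src_tls_c are missing it as well. Whichever header form the tree currently expects, the new and rewritten patch files in this diff should agree with each other. The three `SSL_has_pending()` guards are otherwise consistent with the other files; `transfer()` itself begins and ends outside the hunk.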
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/common.h
+--- src/common.h.orig
++++ src/common.h
+@@ -454,7 +454,7 @@ extern char *sys_errlist[];
+ #define OPENSSL_NO_TLS1_2
+ #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
+
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_SSL2
+ #define OPENSSL_NO_SSL2
+ #endif /* !defined(OPENSSL_NO_SSL2) */
Index: patches/patch-src_ctx_c
===================================================================
RCS file: /cvs/ports/security/stunnel/patches/patch-src_ctx_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_ctx_c
--- patches/patch-src_ctx_c 19 Mar 2019 16:51:13 -0000 1.8
+++ patches/patch-src_ctx_c 3 Mar 2022 20:05:00 -0000
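Review bot: Excluding LibreSSL from this `#if` means stunnel no longer forces `OPENSSL_NO_SSL2` (and whatever else the block defines past the hunk's end) on LibreSSL builds; those builds then rely entirely on LibreSSL's own feature macros. That is presumably the intent, since LibreSSL ships no SSLv2 support, but the patch header gives no reason; a one-line comment above the `#if`, e.g. `/* LibreSSL defines its OPENSSL_NO_* feature macros itself */`, would record it for the next update. The guarded block continues outside the hunk.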
@@ -1,8 +1,34 @@ -$OpenBSD: patch-src_ctx_c,v 1.8 2019/03/19 16:51:13 jsing Exp $ Index: src/ctx.c --- src/ctx.c.orig +++ src/ctx.c -@@ -398,7 +398,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { +@@ -91,7 +91,7 @@ NOEXPORT void set_prompt(const char *); + NOEXPORT int ui_retry(); + + /* session tickets */ +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT int generate_session_ticket_cb(SSL *, void *); + NOEXPORT int decrypt_session_ticket_cb(SSL *, SSL_SESSION *, + const unsigned char *, size_t, SSL_TICKET_STATUS, void *); +@@ -179,7 +179,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T + } + current_section=section; /* setup current section for callbacks */ + +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* set the security level */ + if(section->security_level>=0) { + /* set the user-specified value */ +@@ -265,7 +265,7 @@ int context_init(SERVICE_OPTIONS *section) { /* init T + #endif + + /* setup session tickets */ +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CTX_set_session_ticket_cb(section->ctx, generate_session_ticket_cb, + decrypt_session_ticket_cb, NULL); + #endif /* OpenSSL 1.1.1 or later */ +@@ -539,7 +539,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { /**************************************** initialize OpenSSL CONF */ NOEXPORT int conf_init(SERVICE_OPTIONS *section) { 
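Review bot: Adding `!defined(LIBRESSL_VERSION_NUMBER)` to the guard around `if(section->security_level>=0)` means a `securityLevel` setting in stunnel.conf is silently ignored when built against LibreSSL, if options.c still accepts the option unconditionally (not visible in this diff). An operator who sets it for hardening then gets neither an error nor an effect; rejecting the option under LibreSSL in options.c, or logging above LOG_DEBUG in the `#else` branch, would make that visible. The same exclusion on `SSL_CTX_set_session_ticket_cb` drops the ticket callbacks equally silently, so a sentence in the patch header listing what LibreSSL builds lose would help later maintainers. `context_init` and the declarations block both begin and end outside the hunk.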
@@ -11,3 +37,21 @@ Index: src/ctx.c SSL_CONF_CTX *cctx; NAME_LIST *curr; char *cmd, *param; +@@ -1045,7 +1045,7 @@ NOEXPORT int ui_retry() { + + /**************************************** session tickets */ + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + + typedef struct { + void *session_authenticated; +@@ -1538,7 +1538,7 @@ NOEXPORT void info_callback(const SSL *ssl, int where, + + c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli); + if(c) { +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl); + #else + int state=SSL_get_state((SSL *)ssl); Index: patches/patch-src_options_c =================================================================== RCS file: patches/patch-src_options_c diff -N patches/patch-src_options_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_options_c 3 Mar 2022 20:05:00 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: src/options.c +--- src/options.c.orig ++++ src/options.c +@@ -38,7 +38,7 @@ + #include "common.h" + #include "prototypes.h" + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) + #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384" + #else /* OpenSSL version < 1.1.1 */ + #define DEFAULT_CURVES "prime256v1" Index: patches/patch-src_prototypes_h =================================================================== RCS file: patches/patch-src_prototypes_h diff -N patches/patch-src_prototypes_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_prototypes_h 3 Mar 2022 20:05:00 -0000 
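Review bot: In patch-src_options_c, the added `!defined(LIBRESSL_VERSION_NUMBER)` sends LibreSSL builds to the `#else` branch, so `DEFAULT_CURVES` becomes `"prime256v1"` only — a narrower default than upstream's `"X25519:P-256:X448:P-521:P-384"`, which is a behavioural change rather than just a build fix. If the motivation is that LibreSSL lacks one entry of the upstream list (X448 is the likely candidate; please confirm against the LibreSSL in base), a LibreSSL-specific branch such as `#elif defined(LIBRESSL_VERSION_NUMBER)` / `#define DEFAULT_CURVES "X25519:P-256:P-521:P-384"` keeps the modern default. A short rationale in the patch header would document it either way.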
@@ -0,0 +1,23 @@ +$OpenBSD$ + +Index: src/prototypes.h +--- src/prototypes.h.orig ++++ src/prototypes.h +@@ -736,7 +736,7 @@ int getnameinfo(const struct sockaddr *, socklen_t, + extern CLI *thread_head; + #endif + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + + #ifdef USE_OS_THREADS + +@@ -787,7 +787,7 @@ typedef enum { + + extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; + +-#if OPENSSL_VERSION_NUMBER<0x10100004L ++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) + /* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */ + CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void); + int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *); Index: patches/patch-src_ssl_c =================================================================== RCS file: patches/patch-src_ssl_c diff -N patches/patch-src_ssl_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_ssl_c 3 Mar 2022 20:05:00 -0000 
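Review bot: The `|| defined(LIBRESSL_VERSION_NUMBER)` makes stunnel declare its own `CRYPTO_THREAD_lock_new`, `CRYPTO_THREAD_read_lock` and companions for every LibreSSL release, regardless of `LIBRESSL_VERSION_NUMBER`; patch-src_sthreads_c enables the matching definitions under the same condition. If a LibreSSL release provides those functions itself, the emulation will collide at compile or link time, so a bounded form — `defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <first-LibreSSL-version-with-CRYPTO_THREAD_API>` (placeholder, to be confirmed) — would be safer than the unconditional one. A comment above the `#if` stating that LibreSSL is treated as pre-1.1.0 for locking would also make the choice explicit.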
@@ -0,0 +1,42 @@
+
+# https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-us...@stunnel.org/thread/KC4L7XXA4N74ZU2G77VJSDVIO37J76J5/
+
+Index: src/ssl.c
+--- src/ssl.c.orig
++++ src/ssl.c
+@@ -44,7 +44,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp);
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp);
+ #else
+@@ -87,7 +87,7 @@ int fips_available() { /* either FIPS provider or cont
+ }
+
+ int ssl_init(void) { /* init TLS before parsing configuration file */
+-#if OPENSSL_VERSION_NUMBER>=0x10100000L
++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ OPENSSL_INIT_SETTINGS *conf=OPENSSL_INIT_new();
+ #ifdef USE_WIN32
+ OPENSSL_INIT_set_config_filename(conf, "..\\config\\openssl.cnf");
+@@ -161,7 +161,7 @@ NOEXPORT void cb_new_auth(void *parent, void *ptr, CRY
+ #if OPENSSL_VERSION_NUMBER>=0x30000000L
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void **from_d, int idx, long argl, void *argp) {
+-#elif OPENSSL_VERSION_NUMBER>=0x10100000L
++#elif OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+ void *from_d, int idx, long argl, void *argp) {
+ #else
+@@ -354,7 +354,7 @@ NOEXPORT int prng_init(GLOBAL_OPTIONS *global) {
+ const RAND_METHOD *meth=RAND_get_rand_method();
+
+ /* skip PRNG initialization when no seeding methods are available */
+- if(meth->status==NULL || meth->add==NULL) {
++ if(meth==NULL || meth->status==NULL || meth->add==NULL) {
+ s_log(LOG_DEBUG, "No PRNG seeding methods");
+ return 0; /* success */
+ }
Index:
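Review bot: With `meth==NULL` the guard now returns 0 (success) and logs only at LOG_DEBUG, and it does so before the `RAND_status()` check that follows it in the function as quoted at the top of this mail, so a library that reports no RAND_METHOD but an unseeded PRNG is treated as seeded with no further seeding attempt. For LibreSSL, which as far as I know seeds itself from the kernel, that is harmless, but the same branch is reached by any OpenSSL build where `RAND_get_rand_method()` fails, as the quoted reply points out; checking `RAND_status()` in the NULL case before returning success, or at least logging that case above LOG_DEBUG, would keep the failure visible. A comment on the `meth==NULL` test naming LibreSSL as the expected case would help too. The rest of `prng_init` lies outside the hunk.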
patches/patch-src_sthreads_c
===================================================================
RCS file: patches/patch-src_sthreads_c
diff -N patches/patch-src_sthreads_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sthreads_c 3 Mar 2022 20:05:00 -0000
@@ -0,0 +1,33 @@
+$OpenBSD$
+
+Index: src/sthreads.c
+--- src/sthreads.c.orig
++++ src/sthreads.c
+@@ -120,7 +120,7 @@ void thread_id_init(void) {
+ /**************************************** locking */
+
+ /* we only need to initialize locking with OpenSSL older than 1.1.0 */
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_PTHREAD
+
+@@ -279,7 +279,7 @@ NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO
+
+ CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS];
+
+-#if OPENSSL_VERSION_NUMBER<0x10100004L
++#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
+
+ #ifdef USE_OS_THREADS
+
+@@ -387,7 +387,8 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret,
+
+ void locking_init(void) {
+ size_t i;
+-#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L
++#if defined(USE_OS_THREADS) && \
++ (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))
+ size_t num;
+
+ /* initialize the OpenSSL static locking */
Index: patches/patch-src_tls_c
===================================================================
RCS file: patches/patch-src_tls_c
diff -N patches/patch-src_tls_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_tls_c 3 Mar 2022 20:05:00 -0000
@@ -0,0 +1,30 @@ +Index: src/tls.c +--- src/tls.c.orig ++++ src/tls.c +@@ -41,7 +41,7 @@ + volatile int tls_initialized=0; + + NOEXPORT void tls_platform_init(); +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT void free_function(void *); + #endif + +@@ -52,7 +52,7 @@ void tls_init() { + tls_platform_init(); + tls_initialized=1; + ui_tls=tls_alloc(NULL, NULL, "ui"); +-#if OPENSSL_VERSION_NUMBER>=0x10100000L ++#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + CRYPTO_set_mem_functions(str_alloc_detached_debug, + str_realloc_detached_debug, str_free_debug); + #else +@@ -184,7 +184,7 @@ TLS_DATA *tls_get() { + + /**************************************** OpenSSL allocator hook */ + +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT void free_function(void *ptr) { + /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */ + /* unfortunately, OpenSSL provides no file:line information here */ Index: patches/patch-src_verify_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v retrieving revision 1.6 diff -u -p -r1.6 patch-src_verify_c --- patches/patch-src_verify_c 12 Sep 2017 16:15:24 -0000 1.6 +++ patches/patch-src_verify_c 3 Mar 2022 20:05:00 -0000 
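Review bot: Excluding LibreSSL from the `CRYPTO_set_mem_functions` branch in `tls_init` sends it down the pre-1.1.0 `#else` path (`CRYPTO_set_mem_ex_functions` with `free_function`); whether LibreSSL honours that call or treats it as a no-op is not visible here, and if it is a no-op stunnel's allocation tracking is silently disabled instead of failing loudly. Please confirm the return value of the `#else` call is checked (that line is outside the hunk), or state in the patch header that memory-function hooks are not expected to work under LibreSSL. `tls_init` and `free_function` both continue outside the hunk.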
@@ -2,7 +2,7 @@ $OpenBSD: patch-src_verify_c,v 1.6 2017/ Index: src/verify.c --- src/verify.c.orig +++ src/verify.c -@@ -353,7 +353,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback +@@ -351,7 +351,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback cert=X509_STORE_CTX_get_current_cert(callback_ctx); subject=X509_get_subject_name(cert); Index: patches/patch-tools_stunnel_conf-sample_in =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v retrieving revision 1.16 diff -u -p -r1.16 patch-tools_stunnel_conf-sample_in --- patches/patch-tools_stunnel_conf-sample_in 12 Sep 2017 16:15:24 -0000 1.16 +++ patches/patch-tools_stunnel_conf-sample_in 3 Mar 2022 20:05:00 -0000 @@ -1,4 +1,3 @@ -$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.16 2017/09/12 16:15:24 gsoares Exp $ Index: tools/stunnel.conf-sample.in --- tools/stunnel.conf-sample.in.orig +++ tools/stunnel.conf-sample.in @@ -15,7 +14,7 @@ Index: tools/stunnel.conf-sample.in ; PID file is created inside the chroot jail (if enabled) -;pid = @localstatedir@/run/stunnel.pid -+pid = /stunnel.pid ++;pid = /stunnel.pid ; Debugging stuff (may be useful for troubleshooting) ;foreground = yes 
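Review bot: In the patch-tools_stunnel_conf-sample_in hunk, the port patch now leaves `pid` commented out (`++;pid = /stunnel.pid`) where it previously forced `pid = /stunnel.pid`, so the pid file location presumably falls back to stunnel's built-in default, while pkg/PLIST still registers `@extra /var/stunnel/stunnel.pid` and the rc script is likely to depend on it. If the built-in default resolves to the same path inside the chroot this is fine, but a sentence in the commit message or the patch header explaining why the override is no longer needed would spare the next reader the check.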
@@ -25,18 +24,16 @@ Index: tools/stunnel.conf-sample.in ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes -@@ -46,7 +47,7 @@ - ; * Include all configuration file fragments from the specified folder * - ; ************************************************************************** +@@ -54,38 +55,38 @@ --;include = @sysconfdir@/stunnel/conf.d -+;include = ${SYSCONFDIR}/stunnel/conf.d + ; ***************************************** Example TLS client mode services - ; ************************************************************************** - ; * Service definitions (remove all services for inetd mode) * -@@ -59,32 +60,32 @@ +-; The following examples use /etc/ssl/certs, which is the common location ++; The following examples use ${SYSCONFDIR}/ssl/certs, which is the common location + ; of a hashed directory containing trusted CA certificates. This is not ; a hardcoded path of the stunnel package, as it is not related to the - ; stunnel configuration in @sysconfdir@/stunnel/. +-; stunnel configuration in @sysconfdir@/stunnel/. ++; stunnel configuration in ${SYSCONFDIR}/stunnel/. -[gmail-pop3] -client = yes @@ -54,15 +51,7 @@ Index: tools/stunnel.conf-sample.in +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = pop.gmail.com +;OCSPaia = yes - --[gmail-imap] --client = yes --accept = 127.0.0.1:143 --connect = imap.gmail.com:993 --verifyChain = yes --CApath = /etc/ssl/certs --checkHost = imap.gmail.com --OCSPaia = yes ++; +;[gmail-imap] +;client = yes +;accept = 127.0.0.1:143 @@ -71,15 +60,7 @@ Index: tools/stunnel.conf-sample.in +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = imap.gmail.com +;OCSPaia = yes - --[gmail-smtp] --client = yes --accept = 127.0.0.1:25 --connect = smtp.gmail.com:465 --verifyChain = yes --CApath = /etc/ssl/certs --checkHost = smtp.gmail.com --OCSPaia = yes ++; +;[gmail-smtp] +;client = yes +;accept = 127.0.0.1:25 
@@ -89,38 +70,48 @@ Index: tools/stunnel.conf-sample.in +;checkHost = smtp.gmail.com +;OCSPaia = yes +-[gmail-imap] +-client = yes +-accept = 127.0.0.1:143 +-connect = imap.gmail.com:993 +-verifyChain = yes +-CApath = /etc/ssl/certs +-checkHost = imap.gmail.com +-OCSPaia = yes +- +-[gmail-smtp] +-client = yes +-accept = 127.0.0.1:25 +-connect = smtp.gmail.com:465 +-verifyChain = yes +-CApath = /etc/ssl/certs +-checkHost = smtp.gmail.com +-OCSPaia = yes +- ; Encrypted HTTP proxy authenticated with a client certificate ; located in a cryptographic token -@@ -98,43 +99,43 @@ OCSPaia = yes - - ; ***************************************** Example TLS server mode services - --;[pop3s] --;accept = 995 --;connect = 110 + ;[example-pkcs11] +@@ -101,12 +102,12 @@ OCSPaia = yes + ;[pop3s] + ;accept = 995 + ;connect = 110 -;cert = @sysconfdir@/stunnel/stunnel.pem -+[pop3s] -+accept = 995 -+connect = 110 -+cert = ${SYSCONFDIR}/stunnel/stunnel.pem - --;[imaps] --;accept = 993 --;connect = 143 ++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem + + ;[imaps] + ;accept = 993 + ;connect = 143 -;cert = @sysconfdir@/stunnel/stunnel.pem -+[imaps] -+accept = 993 -+connect = 143 -+cert = ${SYSCONFDIR}/stunnel/stunnel.pem - --;[ssmtp] --;accept = 465 --;connect = 25 ++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem + + ; Either only expose this service to trusted networks, or require + ; authentication when relaying emails originated from loopback. +@@ -114,29 +115,29 @@ OCSPaia = yes + ;[ssmtp] + ;accept = 465 + ;connect = 25 -;cert = @sysconfdir@/stunnel/stunnel.pem -+[ssmtp] -+accept = 465 -+connect = 25 -+cert = ${SYSCONFDIR}/stunnel/stunnel.pem ++;cert = ${SYSCONFDIR}/stunnel/stunnel.pem ; TLS front-end to a web server ;[https] 
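Review bot: The installed configuration (pkg/PLIST: `@sample ${SYSCONFDIR}/stunnel/stunnel.conf`) no longer enables the pop3s, imaps and ssmtp services by default: the old port patch activated them (`+[pop3s]`, `+accept = 995`, `+connect = 110`, and likewise for imaps and ssmtp), whereas the new one keeps upstream's commented-out form and only rewrites the `;cert =` path. That is the safer default, since an enabled service no longer listens on 995/993/465 and relays to local ports as soon as the rc script is turned on, but it is a behaviour change for existing installs that relied on the shipped file; please mention it in the commit message and, if the tree has a place for it, in the upgrade notes.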
@@ -140,7 +131,6 @@ Index: tools/stunnel.conf-sample.in
 ;accept = 1337
 ;exec = /bin/sh
 ;execArgs = sh -i
- ;ciphers = PSK
-;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
+;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/stunnel/pkg/PLIST,v
retrieving revision 1.13
diff -u -p -r1.13 PLIST
--- pkg/PLIST 14 Oct 2015 02:05:06 -0000 1.13
+++ pkg/PLIST 3 Mar 2022 20:05:00 -0000
@@ -1,7 +1,7 @@
-@comment $OpenBSD: PLIST,v 1.13 2015/10/14 02:05:06 gsoares Exp $
 @newgroup _stunnel:528
 @newuser _stunnel:528:_stunnel:daemon:stunnel account:/var/stunnel:/sbin/nologin
 @extra /var/stunnel/stunnel.pid
+@rcscript ${RCDIR}/stunnel
 @man man/man8/stunnel.8
 @bin sbin/stunnel
 sbin/stunnel3
@@ -11,5 +11,3 @@ share/examples/stunnel/stunnel.conf-samp
 @sample ${SYSCONFDIR}/stunnel/stunnel.conf
 @owner _stunnel
 @sample /var/stunnel/
-@owner
-@rcscript ${RCDIR}/stunnel