stunnel-5.57
mtrojnar committed Oct 11, 2020
1 parent 0e158f6 commit ebad9dd
Showing 79 changed files with 1,123 additions and 595 deletions.
2 changes: 1 addition & 1 deletion COPYING.md
@@ -1,7 +1,7 @@
# stunnel license (see COPYRIGHT.md for detailed GPL conditions)


_Copyright (C) 1998-2019 Michal Trojnara_
_Copyright (C) 1998-2020 Michal Trojnara_

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
12 changes: 6 additions & 6 deletions INSTALL.W32.md
@@ -17,9 +17,9 @@
3) Build and install OpenSSL.
./Configure \
--cross-compile-prefix=x86_64-w64-mingw32- \
--prefix=/opt/openssl-mingw64 mingw64 shared
sed -i 's/^\(OPENSSLDIR=\).*/\1..\/config/' Makefile
sed -i 's/^\(ENGINESDIR=\).*/\1..\/engines/' Makefile
--prefix=/opt/openssl-mingw64 mingw64 shared enable-capieng
sed -i 's/"\$(OPENSSLDIR)/"..\/config/' Makefile
sed -i 's/"\$(ENGINESDIR)/"..\/engines/' Makefile
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/
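Review bot: the new `sed` patterns (`s/"\$(OPENSSLDIR)/"..\/config/` and the `ENGINESDIR` counterpart) replace a quoted `"$(OPENSSLDIR)` string rather than the `OPENSSLDIR=` assignment the old lines matched, so they silently do nothing if the generated Makefile does not contain that exact quoted form, and OpenSSL is then built with its absolute `/opt/openssl-mingw64` paths baked in. Consider stating which OpenSSL version this recipe was verified against and adding a `grep` check after the two `sed` lines so a non-matching pattern fails the build instead of passing unnoticed. The new `enable-capieng` flag also deserves one sentence on why it is now required (it builds the Windows CAPI engine), since readers who followed the older recipe have builds without it.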
@@ -51,9 +51,9 @@
3) Build and install OpenSSL.
./Configure \
--cross-compile-prefix=i686-w64-mingw32- \
--prefix=/opt/openssl-mingw mingw shared
sed -i 's/^\(OPENSSLDIR=\).*/\1..\/config/' Makefile
sed -i 's/^\(ENGINESDIR=\).*/\1..\/engines/' Makefile
--prefix=/opt/openssl-mingw mingw shared enable-capieng
sed -i 's/"\$(OPENSSLDIR)/"..\/config/' Makefile
sed -i 's/"\$(ENGINESDIR)/"..\/engines/' Makefile
make
sudo make install
sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/
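Review bot: same point as for the mingw64 section above: these three changed lines duplicate that recipe for the 32-bit `i686-w64-mingw32-` toolchain, so the version note and the post-`sed` check suggested there apply here too. Since the two sections differ only in the prefix and target, a single shared snippet parameterised on those two values would keep them from drifting apart in future updates.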
2 changes: 1 addition & 1 deletion Makefile.am
@@ -1,5 +1,5 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 1998-2019
# by Michal Trojnara 1998-2020

ACLOCAL_AMFLAGS = -I m4

2 changes: 1 addition & 1 deletion Makefile.in
@@ -14,7 +14,7 @@

@SET_MAKE@

# by Michal Trojnara 1998-2019
# by Michal Trojnara 1998-2020

VPATH = @srcdir@
am__is_gnu_make = { \
19 changes: 19 additions & 0 deletions NEWS.md
@@ -1,6 +1,25 @@
# stunnel change log


### Version 5.57, 2020.10.11, urgency: HIGH
* Security bugfixes
- The "redirect" option was fixed to properly
handle "verifyChain = yes" (thx to Rob Hoes).
- OpenSSL DLLs updated to version 1.1.1h.
* New features
- New securityLevel configuration file option.
- FIPS support for RHEL-based distributions.
- Support for modern PostgreSQL clients (thx to Bram Geron).
- Windows tooltip texts updated to mention "stunnel".
- TLS 1.3 configuration updated for better compatibility.
* Bugfixes
- Fixed a transfer() loop bug.
- Fixed memory leaks on configuration reloading errors.
- DH/ECDH initialization restored for client sections.
- Delay startup with systemd until network is online.
- bin\libssp-0.dll removed when uninstalling.
- A number of testing framework fixes and improvements.

### Version 5.56, 2019.11.22, urgency: HIGH
* New features
- Various text files converted to Markdown format.
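Review bot: the security entry `The "redirect" option was fixed to properly handle "verifyChain = yes"` names the fix but not the observable effect of the bug, so operators reading this HIGH-urgency entry cannot tell whether a configuration combining `redirect` with `verifyChain = yes` was affected or how; one clause describing the faulty behaviour would let them judge exposure, in the same way the OpenSSL line names the version being picked up. The `New securityLevel configuration file option` line would also benefit from stating its default (the manual hunk in this commit documents it as 2), since that default determines which key sizes and cipher suites are accepted after the upgrade.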
2 changes: 1 addition & 1 deletion build-android.sh
@@ -1,6 +1,6 @@
#!/bin/sh
set -ev
VERSION=5.56
VERSION=5.57
DST=stunnel-$VERSION-android

# install Android NDK on Arch Linux:
20 changes: 10 additions & 10 deletions configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for stunnel 5.56.
# Generated by GNU Autoconf 2.69 for stunnel 5.57.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='stunnel'
PACKAGE_TARNAME='stunnel'
PACKAGE_VERSION='5.56'
PACKAGE_STRING='stunnel 5.56'
PACKAGE_VERSION='5.57'
PACKAGE_STRING='stunnel 5.57'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''

@@ -1338,7 +1338,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures stunnel 5.56 to adapt to many kinds of systems.
\`configure' configures stunnel 5.57 to adapt to many kinds of systems.

Usage: $0 [OPTION]... [VAR=VALUE]...

@@ -1409,7 +1409,7 @@ fi

if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of stunnel 5.56:";;
short | recursive ) echo "Configuration of stunnel 5.57:";;
esac
cat <<\_ACEOF

@@ -1528,7 +1528,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
stunnel configure 5.56
stunnel configure 5.57
generated by GNU Autoconf 2.69

Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2134,7 +2134,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by stunnel $as_me 5.56, which was
It was created by stunnel $as_me 5.57, which was
generated by GNU Autoconf 2.69. Invocation command line was

$ $0 $@
@@ -3003,7 +3003,7 @@ fi

# Define the identity of the package.
PACKAGE='stunnel'
VERSION='5.56'
VERSION='5.57'


cat >>confdefs.h <<_ACEOF
@@ -16902,7 +16902,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by stunnel $as_me 5.56, which was
This file was extended by stunnel $as_me 5.57, which was
generated by GNU Autoconf 2.69. Invocation command line was

CONFIG_FILES = $CONFIG_FILES
@@ -16968,7 +16968,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
stunnel config.status 5.56
stunnel config.status 5.57
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

2 changes: 1 addition & 1 deletion configure.ac
@@ -1,6 +1,6 @@
# Process this file with autoconf to produce a configure script.

AC_INIT([stunnel],[5.56])
AC_INIT([stunnel],[5.57])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
2 changes: 1 addition & 1 deletion doc/Makefile.am
@@ -1,5 +1,5 @@
## Process this file with automake to produce Makefile.in
# by Michal Trojnara 1998-2019
# by Michal Trojnara 1998-2020

EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en
EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl
2 changes: 1 addition & 1 deletion doc/Makefile.in
@@ -14,7 +14,7 @@

@SET_MAKE@

# by Michal Trojnara 1998-2019
# by Michal Trojnara 1998-2020

VPATH = @srcdir@
am__is_gnu_make = { \
37 changes: 35 additions & 2 deletions doc/stunnel.8.in
@@ -71,7 +71,7 @@
.\" ========================================================================
.\"
.IX Title "stunnel 8"
.TH stunnel 8 "2019.06.10" "5.55" "stunnel TLS Proxy"
.TH stunnel 8 "2020.05.14" "5.57" "stunnel TLS Proxy"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
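Review bot: the `.TH` line bumps the version to `5.57` but sets the manual date to `2020.05.14`, five months before this commit (Oct 11, 2020) and before the 5.57 entry in NEWS.md dated 2020.10.11. If this file is generated from the pod source, the date in the pod should be updated before regenerating so that the release date and the manual date agree; as it stands, a reader cannot tell whether the 5.57 page reflects the May or the October state of the documentation.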
@@ -439,6 +439,8 @@ configuration file. Supported commands are described on the
.Sp
Several \fIconfig\fR lines can be used to specify multiple configuration commands.
.Sp
Use \fIcurves\fR option instead of enabling \fIconfig = Curves:list_curves\fR to support elliptic curves.
.Sp
This option requires OpenSSL 1.0.2 or later.
.IP "\fBconnect\fR = [\s-1HOST:\s0]PORT" 4
.IX Item "connect = [HOST:]PORT"
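Review bot: the added sentence `Use \fIcurves\fR option instead of enabling \fIconfig = Curves:list_curves\fR to support elliptic curves.` is missing an article (`Use the \fIcurves\fR option`), and it does not say whether `config = Curves:list_curves` is merely discouraged or actually does not work in stunnel; say which, since that decides whether existing configurations using the `config` form need to be migrated. The same sentence is mirrored in the `doc/stunnel.html.in` hunk of this commit and needs the same wording fix at the source.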
@@ -473,7 +475,7 @@ This file contains multiple CRLs, used with the \fIverifyChain\fR and
.IX Item "curves = list"
\&\s-1ECDH\s0 curves separated with ':'
.Sp
Only a single curve name is allowed for OpenSSL older than 1.1.0.
Only a single curve name is allowed for OpenSSL older than 1.1.1.
.Sp
To get a list of supported curves use:
.Sp
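Review bot: raising the OpenSSL version required for multiple curve names from `1.1.0` to `1.1.1` is a behavioural statement with no matching NEWS.md entry in this commit. If it corrects an error in the old text, a short note to that effect would help; if it reflects a code change, the reason should be given, because users building against 1.1.0 will now expect a single-curve limit the previous manual did not mention, and a `curves` line with several names on such a build will fail without the manual explaining why.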
@@ -836,6 +838,37 @@ default: yes
reconnect a connect+exec section after it was disconnected
.Sp
default: no
.IP "\fBsecurityLevel\fR = \s-1LEVEL\s0" 4
.IX Item "securityLevel = LEVEL"
set the security level
.Sp
The meaning of each level is described below:
.RS 4
.IP "level 0" 4
.IX Item "level 0"
Everything is permitted.
.IP "level 1" 4
.IX Item "level 1"
The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys shorter than 1024 bits and \s-1ECC\s0 keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. \s-1SSL\s0 version 2 is prohibited. Any cipher suite using \s-1MD5\s0 for the \s-1MAC\s0 is also prohibited.
.IP "level 2" 4
.IX Item "level 2"
Security level set to 112 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys shorter than 2048 bits and \s-1ECC\s0 keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using \s-1RC4\s0 is also prohibited. \s-1SSL\s0 version 3 is also not allowed. Compression is disabled.
.IP "level 3" 4
.IX Item "level 3"
Security level set to 128 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys shorter than 3072 bits and \s-1ECC\s0 keys shorter than 256 bits are prohibited. In addition to the level 2 exclusions cipher suites not offering forward secrecy are prohibited. \s-1TLS\s0 versions below 1.1 are not permitted. Session tickets are disabled.
.IP "level 4" 4
.IX Item "level 4"
Security level set to 192 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys shorter than 7680 bits and \s-1ECC\s0 keys shorter than 384 bits are prohibited. Cipher suites using \s-1SHA1\s0 for the \s-1MAC\s0 are prohibited. \s-1TLS\s0 versions below 1.2 are not permitted.
.IP "level 5" 4
.IX Item "level 5"
Security level set to 256 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys shorter than 15360 bits and \s-1ECC\s0 keys shorter than 512 bits are prohibited.
.IP "default: 2" 4
.IX Item "default: 2"
.RE
.RS 4
.Sp
The \fIsecurityLevel\fR option is only available when compiled with \fBOpenSSL 1.1.0\fR and later.
.RE
.IP "\fBrequireCert\fR = yes | no" 4
.IX Item "requireCert = yes | no"
require a client certificate for \fIverifyChain\fR or \fIverifyPeer\fR
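Review bot: `default: 2` is emitted as its own `.IP "default: 2" 4` list item (complete with an `.IX` index entry) inside the level list, whereas every other option in this file states its default as a plain `.Sp` paragraph (`default: no` just above). The item form renders as an empty sixth "level" entry, which the HTML counterpart in this commit shows as `<dt>default: 2</dt>` followed by an empty `<dd>`; move the default out of the `.RS`/`.RE` block and write it the way the neighbouring options do. The per-level descriptions also cite `SSL` version 2/3 and `TLS` version cut-offs without saying whether `securityLevel` overrides or merely combines with the protocol-version and cipher settings documented elsewhere in this manual; one sentence on precedence would prevent operators from assuming that level 3 alone disables TLS 1.0 when another setting still enables it.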
68 changes: 62 additions & 6 deletions doc/stunnel.html.in
@@ -528,6 +528,8 @@

<p>Several <i>config</i> lines can be used to specify multiple configuration commands.</p>

<p>Use <i>curves</i> option instead of enabling <i>config = Curves:list_curves</i> to support elliptic curves.</p>

<p>This option requires OpenSSL 1.0.2 or later.</p>

</dd>
@@ -568,7 +570,7 @@

<p>ECDH curves separated with &#39;:&#39;</p>

<p>Only a single curve name is allowed for OpenSSL older than 1.1.0.</p>
<p>Only a single curve name is allowed for OpenSSL older than 1.1.1.</p>

<p>To get a list of supported curves use:</p>

@@ -999,6 +1001,60 @@

<p>default: no</p>

</dd>
<dt id="securityLevel-LEVEL"><b>securityLevel</b> = LEVEL</dt>
<dd>

<p>set the security level</p>

<p>The meaning of each level is described below:</p>

<dl>

<dt id="level-0">level 0</dt>
<dd>

<p>Everything is permitted.</p>

</dd>
<dt id="level-1">level 1</dt>
<dd>

<p>The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited.</p>

</dd>
<dt id="level-2">level 2</dt>
<dd>

<p>Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.</p>

</dd>
<dt id="level-3">level 3</dt>
<dd>

<p>Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. In addition to the level 2 exclusions cipher suites not offering forward secrecy are prohibited. TLS versions below 1.1 are not permitted. Session tickets are disabled.</p>

</dd>
<dt id="level-4">level 4</dt>
<dd>

<p>Security level set to 192 bits of security. As a result RSA, DSA and DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are not permitted.</p>

</dd>
<dt id="level-5">level 5</dt>
<dd>

<p>Security level set to 256 bits of security. As a result RSA, DSA and DH keys shorter than 15360 bits and ECC keys shorter than 512 bits are prohibited.</p>

</dd>
<dt id="default:-2">default: 2</dt>
<dd>

</dd>
</dl>

<p>The <i>securityLevel</i> option is only available when compiled with <b>OpenSSL 1.1.0</b> and later.</p>

</dd>
<dt id="requireCert-yes-no"><b>requireCert</b> = yes | no</dt>
<dd>
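Review bot: `<dt id="default:-2">default: 2</dt>` followed by an empty `<dd>` is the HTML rendering of the `default: 2` list item in the man page source, and the generated `id` contains a colon, which makes `#default:-2` awkward to use as a fragment; fix it at the source so the default renders as a paragraph like the `<p>default: no</p>` just above rather than as a sixth level entry. Separately, the new `<dt id="level-0">` through `<dt id="level-5">` entries claim the unsuffixed ids first, which is what forces the existing `verify` level list later in this file to be renumbered; ids scoped to the option (for example `securityLevel-level-2`) would avoid that collision.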
@@ -1351,31 +1407,31 @@

<dl>

<dt id="level-0">level 0</dt>
<dt id="level-01">level 0</dt>
<dd>

<p>Request and ignore the peer certificate.</p>

</dd>
<dt id="level-1">level 1</dt>
<dt id="level-11">level 1</dt>
<dd>

<p>Verify the peer certificate if present.</p>

</dd>
<dt id="level-2">level 2</dt>
<dt id="level-21">level 2</dt>
<dd>

<p>Verify the peer certificate.</p>

</dd>
<dt id="level-3">level 3</dt>
<dt id="level-31">level 3</dt>
<dd>

<p>Verify the peer against a locally installed certificate.</p>

</dd>
<dt id="level-4">level 4</dt>
<dt id="level-41">level 4</dt>
<dd>

<p>Ignore the chain and only verify the peer certificate.</p>
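Review bot: the ids of the existing `verify` level entries change from `level-0` through `level-4` to `level-01` through `level-41` solely because the new `securityLevel` list earlier in this file now takes the unsuffixed ids, so any external link to `#level-2` that used to reach the verify description now lands on the securityLevel text instead. Since these ids are generator-assigned from the item text, the durable fix is to give the two lists distinguishable item headings in the source (for example `verify level 2` versus `securityLevel 2`) so each list gets stable, unique ids and existing anchors keep pointing at the verify documentation.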
