stunnel: openEuler init

2019-12-03 11:05:46 +08:00 · 2019-12-03 11:05:46 +08:00 · 0d5fdb2e5f
commit 0d5fdb2e5f
12 changed files with 269 additions and 0 deletions
--- a/9
+++ b/9
@ -0,0 +1,9 @@
+To generate a key and self signed certificate, execute the following commands:
+
+cd /etc/pki/tls/certs
+make stunnel.pem
+
+Note that by default, the file containing the key and certificate has its
+permissions set to 0600, which means that any service using it needs to be
+started as root in order to read it.  Such a service should be configured
+to switch UIDs using stunnel's "-s" flag.
--- a/pop3-redirect.xinetd
+++ b/pop3-redirect.xinetd
@ -0,0 +1,17 @@
+# default: off
+# description: The POP3 redirector allows client software which does not have \
+#	       native support for SSL to connect to the local machine's POP3 \
+#	       port and have the connection forwarded over the network using \
+#	       SSL.  You will need to modify stunnel-pop3s-client.conf to \
+#	       specify the server to connect to in order for this to be useful.
+service pop3
+{
+	disable	= yes
+	socket_type		= stream
+	wait			= no
+	user			= root
+	server			= /usr/sbin/stunnel
+	server_args		= /etc/stunnel/stunnel-pop3s-client.conf
+	log_on_success		+= USERID
+	log_on_failure		+= USERID
+}
--- a/sfinger.xinetd
+++ b/sfinger.xinetd
@ -0,0 +1,11 @@
+# Not that anyone in their right mind would tunnel the finger protocol over
+# SSL, but here's how to do it using xinetd....
+service sfinger
+{
+	disable	= yes
+	socket_type	= stream
+	wait		= no
+	user		= root
+	server		= /usr/sbin/stunnel
+	server_args	= /etc/stunnel/stunnel-sfinger.conf
+}
--- a/stunnel-5.40-authpriv.patch
+++ b/stunnel-5.40-authpriv.patch
@ -0,0 +1,56 @@
+diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in
+index a00cc78..85a0123 100644
+--- a/doc/stunnel.8.in
+++ b/doc/stunnel.8.in
+@@ -204,7 +204,7 @@ info (6), or debug (7).  All logs for the specified level and
+ all levels numerically less than it will be shown.  Use \fIdebug = debug\fR or
+ \&\fIdebug = 7\fR for greatest debugging output.  The default is notice (5).
+ .Sp
+-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
+ (Facilities are not supported on Win32.)
+ .Sp
+ Case is ignored for both facilities and levels.
+diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in
+index b7a0663..6bb01cd 100644
+--- a/doc/stunnel.html.in
+++ b/doc/stunnel.html.in
+@@ -244,7 +244,7 @@
+ 
+ <p>Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use <i>debug = debug</i> or <i>debug = 7</i> for greatest debugging output. The default is notice (5).</p>
+ 
+-<p>The syslog facility &#39;daemon&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+<p>The syslog facility &#39;authpriv&#39; will be used unless a facility name is supplied. (Facilities are not supported on Win32.)</p>
+ 
+ <p>Case is ignored for both facilities and levels.</p>
+ 
+diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
+index 42d3a33..3806b5a 100644
+--- a/doc/stunnel.pod.in
+++ b/doc/stunnel.pod.in
+@@ -192,7 +192,7 @@ info (6), or debug (7).  All logs for the specified level and
+ all levels numerically less than it will be shown.  Use I<debug = debug> or
+ I<debug = 7> for greatest debugging output.  The default is notice (5).
+ 
+-The syslog facility 'daemon' will be used unless a facility name is supplied.
+The syslog facility 'authpriv' will be used unless a facility name is supplied.
+ (Facilities are not supported on Win32.)
+ 
+ Case is ignored for both facilities and levels.
+diff --git a/src/options.c b/src/options.c
+index 5881486..345d274 100644
+--- a/src/options.c
+++ b/src/options.c
+@@ -1554,8 +1554,12 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section,
+     case CMD_BEGIN:
+         section->log_level=LOG_NOTICE;
+ #if !defined (USE_WIN32) && !defined (__vms)
+#if defined(LOG_AUTHPRIV)
+        new_global_options.log_facility=LOG_AUTHPRIV;
+#else
+         new_global_options.log_facility=LOG_DAEMON;
+ #endif
+#endif
+         break;
+     case CMD_EXEC:
+         if(strcasecmp(opt, "debug"))
--- a/stunnel-5.40-systemd-service.patch
+++ b/stunnel-5.40-systemd-service.patch
@ -0,0 +1,17 @@
+diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
+index 53ad3e7..620a0e7 100644
+--- a/tools/stunnel.service.in
+++ b/tools/stunnel.service.in
+@@ -1,10 +1,11 @@
+ [Unit]
+ Description=TLS tunnel for network daemons
+-After=syslog.target
+After=syslog.target network.target
+ 
+ [Service]
+ ExecStart=@bindir@/stunnel
+ Type=forking
+PrivateTmp=true
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/stunnel-5.46-system-ciphers.patch
+++ b/stunnel-5.46-system-ciphers.patch
@ -0,0 +1,12 @@
+diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c
+--- stunnel-5.46/src/options.c.system-ciphers	2018-05-29 08:58:03.601089886 +0200
+++ stunnel-5.46/src/options.c	2018-05-29 08:59:00.880244728 +0200
+@@ -252,7 +252,7 @@ static char *option_not_found=
+     "Specified option name is not valid here";
+ 
+ static char *stunnel_cipher_list=
+-    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK";
+    "PROFILE=SYSTEM";
+ 
+ /**************************************** parse commandline parameters */
+ 
--- a/stunnel-5.48.tar.gz
+++ b/stunnel-5.48.tar.gz
--- a/stunnel-5.48.tar.gz.asc
+++ b/stunnel-5.48.tar.gz.asc
@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAls6m2RfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BTksRAAiWO5DWBpHrnDKy1jon+4lG/OPHe92nWxc6yH2HVeB064tXYeXYjRnnR4
+mItaO4wCJICd94+5EUO6DUfut4+7SIAWNPUnZd5OgFkgmGd0YEF6tEfM9z6BhMc3
+T8ZwKCP/hhU5oxqQyDO/esk2+Opps5ddsQLx84iUsylFwq8gK8BkVZrx2yLBX/fz
+wGpP1YnxLdx+rQQx/BkHd52nQAR3gqrGcZtMgchhTBsfZ4jgnr4Xr4XgXJPfe0Di
+xGCD7/sy+N8sNu4S6RER4qNV6PLBcZ6Bjp+VqMpODdoXlD0EQXundgbrg8Nuq8HR
+TTbL1pItHo0vy5QetFILJqlrdLw3sIG5Wy1+k87X485DKhJuvZqU0nKixYmaujB9
+as1YNccDb2FwF7Rzq4hF1J0IwYUsyfgbd58k1VdmtPp5TSUyd1lp+tpX0tEJePk6
+g1X3NecNVbw8p66gPiUadlTYkkUQdqDHnGxD9EKG7BwRE8lPR5CTJD1w8xEOzLMw
+tVKSBgcHeIA7Sn9mJtOFOJ7Y+aUccMIliprgk34P3+4bFFBxLQaRQycfLVIyRy4t
+3QRk+vsMxfuAVainN/yVU7hCtiL09ZHm3g8AnDZFKmtZzYcBbb24RWhONt0bz9j1
+fnYKvguL78ptBpsmPmXjwBY+qxmJx4LAWFxE7TUgqsaASJYWSH4=
+=KMsG
+-----END PGP SIGNATURE-----
--- a/stunnel-pop3s-client.conf
+++ b/stunnel-pop3s-client.conf
@ -0,0 +1,8 @@
+# Sample configuration for stunnel, tunnelling cleartext connections on the
+# default port (without an "accept" setting, stunnel uses stdio) over an
+# encrypted channel to pop3s-server.example.com:pop3s.  See stunnel(8) for
+# more information.
+client = yes
+connect = pop3s-server.example.com:pop3s
+CAfile = /usr/share/ssl/certs/ca-bundle.crt
+verify = 2
--- a/stunnel-sfinger.conf
+++ b/stunnel-sfinger.conf
@ -0,0 +1,8 @@
+# Sample configuration for stunnel, forwarding data from encrypted connections
+# on the default port (without an "accept" setting, stunnel uses stdio) over
+# an unencrypted set of pipes which are used for stdio by in.fingerd.  See
+# stunnel(8) for more information.
+exec = /usr/sbin/in.fingerd
+execargs = in.fingerd
+key = /etc/stunnel/stunnel.pem
+cert = /etc/stunnel/stunnel.pem
--- a/stunnel.spec
+++ b/stunnel.spec
@ -0,0 +1,102 @@
+Name:           stunnel
+Version:        5.48
+Release:        2
+Summary:        Secure traffic running between a TCP client and server
+License:        GPLv2
+URL:            http://www.stunnel.org/
+Source0:        https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
+Source1:        https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
+Source2:        Certificate-Creation
+Source3:        sfinger.xinetd
+Source4:        stunnel-sfinger.conf
+Source5:        pop3-redirect.xinetd
+Source6:        stunnel-pop3s-client.conf
+Source7:        stunnel@.service
+Patch0001:      stunnel-5.40-authpriv.patch
+Patch0002:      stunnel-5.40-systemd-service.patch
+Patch0003:      stunnel-5.46-system-ciphers.patch
+
+BuildRequires:  openssl-devel pkgconfig util-linux autoconf automake libtool
+BuildRequires:  perl-podlators perl nmap-ncat lsof procps-ng systemd
+%{?systemd_requires}
+
+%description
+The stunnel program is designed to work as SSL encryption
+wrapper between remote clients and local (inetd-startable)
+or remote servers. The concept is that having non-SSL
+aware daemons running on your system you can easily set
+them up to communicate with clients over secure SSL chan-
+nels.
+
+stunnel can be used to add SSL functionality to commonly
+used inetd daemons like POP-2, POP-3, and IMAP servers, to
+standalone daemons like NNTP, SMTP and HTTP, and in tun-
+neling PPP over network sockets without changes to the
+source code.
+
+%package        help
+Summary:        This package contains help documents
+Requires:       %{name} = %{version}-%{release}
+
+%description    help
+Files for help with stunnel.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+change_date=`date +%Y.%m.%d`
+sed -i "s/2018\.07\.02/${change_date}/g" `grep "2018\.07\.02" -lr ./`
+sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/}' configure
+sed -i '/client = yes/a \\  ciphers = PSK' tests/recipes/014_PSK_secrets
+
+%build
+CFLAGS="$RPM_OPT_FLAGS -fPIC `pkg-config --cflags openssl`"; export CFLAGS
+LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
+%configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} --disable-libwrap \
+        CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
+make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
+
+%install
+%make_install
+for lang in pl ; do
+        install -d %{buildroot}/%{_mandir}/${lang}/man8
+        mv %{buildroot}/%{_mandir}/man8/*.${lang}.8* %{buildroot}/%{_mandir}/${lang}/man8/
+        rename ".${lang}" "" %{buildroot}/%{_mandir}/${lang}/man8/*
+done
+install -d srpm-docs
+cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
+install -D %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
+install -D %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
+
+%post
+/sbin/ldconfig
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc COPY*
+%{_bindir}/stunnel
+%exclude %{_bindir}/stunnel3
+%{_libdir}/stunnel
+%exclude %{_libdir}/stunnel/libstunnel.la
+%dir %{_sysconfdir}/%{name}
+%exclude %{_sysconfdir}/stunnel/*
+%{_unitdir}/%{name}*.service
+
+%files help
+%{_mandir}/man8/stunnel.8*
+%doc tools/stunnel.conf-sample
+%doc srpm-docs/*
+%lang(en) %doc doc/en/*
+%lang(pl) %doc doc/pl/*
+%lang(pl) %{_mandir}/pl/man8/stunnel.8*
+%exclude %{_datadir}/doc/stunnel
+
+%changelog
+* Mon Nov 25 2019 gulining<gulining1@huawei.com> - 5.48-2
+- Pakcage init
--- a/stunnel@.service
+++ b/stunnel@.service
@ -0,0 +1,11 @@
+[Unit]
+Description=TLS tunnel for %I
+After=syslog.target network.target
+
+[Service]
+ExecStart=/usr/bin/stunnel /etc/stunnel/%i.conf
+Type=forking
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target