commit 0d5fdb2e5f95d8fae1df946ed9da3f48a8ece325 Author: gu-gu-gu Date: Tue Dec 3 11:05:46 2019 +0800 stunnel: openEuler init diff --git a/Certificate-Creation b/Certificate-Creation new file mode 100644 index 0000000..16d86f9 --- /dev/null +++ b/Certificate-Creation @@ -0,0 +1,9 @@ +To generate a key and self signed certificate, execute the following commands: + +cd /etc/pki/tls/certs +make stunnel.pem + +Note that by default, the file containing the key and certificate has its +permissions set to 0600, which means that any service using it needs to be +started as root in order to read it. Such a service should be configured +to switch UIDs using stunnel's "-s" flag. diff --git a/pop3-redirect.xinetd b/pop3-redirect.xinetd new file mode 100644 index 0000000..73b95ad --- /dev/null +++ b/pop3-redirect.xinetd @@ -0,0 +1,17 @@ +# default: off +# description: The POP3 redirector allows client software which does not have \ +# native support for SSL to connect to the local machine's POP3 \ +# port and have the connection forwarded over the network using \ +# SSL. You will need to modify stunnel-pop3s-client.conf to \ +# specify the server to connect to in order for this to be useful. +service pop3 +{ + disable = yes + socket_type = stream + wait = no + user = root + server = /usr/sbin/stunnel + server_args = /etc/stunnel/stunnel-pop3s-client.conf + log_on_success += USERID + log_on_failure += USERID +} diff --git a/sfinger.xinetd b/sfinger.xinetd new file mode 100644 index 0000000..39a91f5 --- /dev/null +++ b/sfinger.xinetd @@ -0,0 +1,11 @@ +# Not that anyone in their right mind would tunnel the finger protocol over +# SSL, but here's how to do it using xinetd.... +service sfinger +{ + disable = yes + socket_type = stream + wait = no + user = root + server = /usr/sbin/stunnel + server_args = /etc/stunnel/stunnel-sfinger.conf +} diff --git a/stunnel-5.40-authpriv.patch b/stunnel-5.40-authpriv.patch new file mode 100644 index 0000000..4100df5 --- /dev/null +++ b/stunnel-5.40-authpriv.patch @@ -0,0 +1,56 @@ +diff --git a/doc/stunnel.8.in b/doc/stunnel.8.in +index a00cc78..85a0123 100644 +--- a/doc/stunnel.8.in ++++ b/doc/stunnel.8.in +@@ -204,7 +204,7 @@ info (6), or debug (7). All logs for the specified level and + all levels numerically less than it will be shown. Use \fIdebug = debug\fR or + \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). + .Sp +-The syslog facility 'daemon' will be used unless a facility name is supplied. ++The syslog facility 'authpriv' will be used unless a facility name is supplied. + (Facilities are not supported on Win32.) + .Sp + Case is ignored for both facilities and levels. +diff --git a/doc/stunnel.html.in b/doc/stunnel.html.in +index b7a0663..6bb01cd 100644 +--- a/doc/stunnel.html.in ++++ b/doc/stunnel.html.in +@@ -244,7 +244,7 @@ + +

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

+ +-

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

++

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

+ +

Case is ignored for both facilities and levels.

+ +diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in +index 42d3a33..3806b5a 100644 +--- a/doc/stunnel.pod.in ++++ b/doc/stunnel.pod.in +@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for the specified level and + all levels numerically less than it will be shown. Use I or + I for greatest debugging output. The default is notice (5). + +-The syslog facility 'daemon' will be used unless a facility name is supplied. ++The syslog facility 'authpriv' will be used unless a facility name is supplied. + (Facilities are not supported on Win32.) + + Case is ignored for both facilities and levels. +diff --git a/src/options.c b/src/options.c +index 5881486..345d274 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -1554,8 +1554,12 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, + case CMD_BEGIN: + section->log_level=LOG_NOTICE; + #if !defined (USE_WIN32) && !defined (__vms) ++#if defined(LOG_AUTHPRIV) ++ new_global_options.log_facility=LOG_AUTHPRIV; ++#else + new_global_options.log_facility=LOG_DAEMON; + #endif ++#endif + break; + case CMD_EXEC: + if(strcasecmp(opt, "debug")) diff --git a/stunnel-5.40-systemd-service.patch b/stunnel-5.40-systemd-service.patch new file mode 100644 index 0000000..10ad1bb --- /dev/null +++ b/stunnel-5.40-systemd-service.patch @@ -0,0 +1,17 @@ +diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in +index 53ad3e7..620a0e7 100644 +--- a/tools/stunnel.service.in ++++ b/tools/stunnel.service.in +@@ -1,10 +1,11 @@ + [Unit] + Description=TLS tunnel for network daemons +-After=syslog.target ++After=syslog.target network.target + + [Service] + ExecStart=@bindir@/stunnel + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target diff --git a/stunnel-5.46-system-ciphers.patch b/stunnel-5.46-system-ciphers.patch new file mode 100644 index 0000000..869c162 --- /dev/null +++ b/stunnel-5.46-system-ciphers.patch @@ -0,0 +1,12 @@ +diff -up stunnel-5.46/src/options.c.system-ciphers stunnel-5.46/src/options.c +--- stunnel-5.46/src/options.c.system-ciphers 2018-05-29 08:58:03.601089886 +0200 ++++ stunnel-5.46/src/options.c 2018-05-29 08:59:00.880244728 +0200 +@@ -252,7 +252,7 @@ static char *option_not_found= + "Specified option name is not valid here"; + + static char *stunnel_cipher_list= +- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + + /**************************************** parse commandline parameters */ + diff --git a/stunnel-5.48.tar.gz b/stunnel-5.48.tar.gz new file mode 100644 index 0000000..3ab4a12 Binary files /dev/null and b/stunnel-5.48.tar.gz differ diff --git a/stunnel-5.48.tar.gz.asc b/stunnel-5.48.tar.gz.asc new file mode 100644 index 0000000..86a5b06 --- /dev/null +++ b/stunnel-5.48.tar.gz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAls6m2RfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC +QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW +4BTksRAAiWO5DWBpHrnDKy1jon+4lG/OPHe92nWxc6yH2HVeB064tXYeXYjRnnR4 +mItaO4wCJICd94+5EUO6DUfut4+7SIAWNPUnZd5OgFkgmGd0YEF6tEfM9z6BhMc3 +T8ZwKCP/hhU5oxqQyDO/esk2+Opps5ddsQLx84iUsylFwq8gK8BkVZrx2yLBX/fz +wGpP1YnxLdx+rQQx/BkHd52nQAR3gqrGcZtMgchhTBsfZ4jgnr4Xr4XgXJPfe0Di +xGCD7/sy+N8sNu4S6RER4qNV6PLBcZ6Bjp+VqMpODdoXlD0EQXundgbrg8Nuq8HR +TTbL1pItHo0vy5QetFILJqlrdLw3sIG5Wy1+k87X485DKhJuvZqU0nKixYmaujB9 +as1YNccDb2FwF7Rzq4hF1J0IwYUsyfgbd58k1VdmtPp5TSUyd1lp+tpX0tEJePk6 +g1X3NecNVbw8p66gPiUadlTYkkUQdqDHnGxD9EKG7BwRE8lPR5CTJD1w8xEOzLMw +tVKSBgcHeIA7Sn9mJtOFOJ7Y+aUccMIliprgk34P3+4bFFBxLQaRQycfLVIyRy4t +3QRk+vsMxfuAVainN/yVU7hCtiL09ZHm3g8AnDZFKmtZzYcBbb24RWhONt0bz9j1 +fnYKvguL78ptBpsmPmXjwBY+qxmJx4LAWFxE7TUgqsaASJYWSH4= +=KMsG +-----END PGP SIGNATURE----- diff --git a/stunnel-pop3s-client.conf b/stunnel-pop3s-client.conf new file mode 100644 index 0000000..eb7fda9 --- /dev/null +++ b/stunnel-pop3s-client.conf @@ -0,0 +1,8 @@ +# Sample configuration for stunnel, tunnelling cleartext connections on the +# default port (without an "accept" setting, stunnel uses stdio) over an +# encrypted channel to pop3s-server.example.com:pop3s. See stunnel(8) for +# more information. +client = yes +connect = pop3s-server.example.com:pop3s +CAfile = /usr/share/ssl/certs/ca-bundle.crt +verify = 2 diff --git a/stunnel-sfinger.conf b/stunnel-sfinger.conf new file mode 100644 index 0000000..912888a --- /dev/null +++ b/stunnel-sfinger.conf @@ -0,0 +1,8 @@ +# Sample configuration for stunnel, forwarding data from encrypted connections +# on the default port (without an "accept" setting, stunnel uses stdio) over +# an unencrypted set of pipes which are used for stdio by in.fingerd. See +# stunnel(8) for more information. +exec = /usr/sbin/in.fingerd +execargs = in.fingerd +key = /etc/stunnel/stunnel.pem +cert = /etc/stunnel/stunnel.pem diff --git a/stunnel.spec b/stunnel.spec new file mode 100644 index 0000000..3ca62ed --- /dev/null +++ b/stunnel.spec @@ -0,0 +1,102 @@ +Name: stunnel +Version: 5.48 +Release: 2 +Summary: Secure traffic running between a TCP client and server +License: GPLv2 +URL: http://www.stunnel.org/ +Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz +Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc +Source2: Certificate-Creation +Source3: sfinger.xinetd +Source4: stunnel-sfinger.conf +Source5: pop3-redirect.xinetd +Source6: stunnel-pop3s-client.conf +Source7: stunnel@.service +Patch0001: stunnel-5.40-authpriv.patch +Patch0002: stunnel-5.40-systemd-service.patch +Patch0003: stunnel-5.46-system-ciphers.patch + +BuildRequires: openssl-devel pkgconfig util-linux autoconf automake libtool +BuildRequires: perl-podlators perl nmap-ncat lsof procps-ng systemd +%{?systemd_requires} + +%description +The stunnel program is designed to work as SSL encryption +wrapper between remote clients and local (inetd-startable) +or remote servers. The concept is that having non-SSL +aware daemons running on your system you can easily set +them up to communicate with clients over secure SSL chan- +nels. + +stunnel can be used to add SSL functionality to commonly +used inetd daemons like POP-2, POP-3, and IMAP servers, to +standalone daemons like NNTP, SMTP and HTTP, and in tun- +neling PPP over network sockets without changes to the +source code. + +%package help +Summary: This package contains help documents +Requires: %{name} = %{version}-%{release} + +%description help +Files for help with stunnel. + +%prep +%autosetup -n %{name}-%{version} -p1 +change_date=`date +%Y.%m.%d` +sed -i "s/2018\.07\.02/${change_date}/g" `grep "2018\.07\.02" -lr ./` +sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/}' configure +sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets + +%build +CFLAGS="$RPM_OPT_FLAGS -fPIC `pkg-config --cflags openssl`"; export CFLAGS +LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS +%configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} --disable-libwrap \ + CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'" +make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now" + +%install +%make_install +for lang in pl ; do + install -d %{buildroot}/%{_mandir}/${lang}/man8 + mv %{buildroot}/%{_mandir}/man8/*.${lang}.8* %{buildroot}/%{_mandir}/${lang}/man8/ + rename ".${lang}" "" %{buildroot}/%{_mandir}/${lang}/man8/* +done +install -d srpm-docs +cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs +install -D %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service +install -D %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service + +%post +/sbin/ldconfig +%systemd_post %{name}.service + +%preun +%systemd_preun %{name}.service + +%postun +/sbin/ldconfig +%systemd_postun_with_restart %{name}.service + +%files +%doc COPY* +%{_bindir}/stunnel +%exclude %{_bindir}/stunnel3 +%{_libdir}/stunnel +%exclude %{_libdir}/stunnel/libstunnel.la +%dir %{_sysconfdir}/%{name} +%exclude %{_sysconfdir}/stunnel/* +%{_unitdir}/%{name}*.service + +%files help +%{_mandir}/man8/stunnel.8* +%doc tools/stunnel.conf-sample +%doc srpm-docs/* +%lang(en) %doc doc/en/* +%lang(pl) %doc doc/pl/* +%lang(pl) %{_mandir}/pl/man8/stunnel.8* +%exclude %{_datadir}/doc/stunnel + +%changelog +* Mon Nov 25 2019 gulining - 5.48-2 +- Pakcage init diff --git a/stunnel@.service b/stunnel@.service new file mode 100644 index 0000000..d31ac9c --- /dev/null +++ b/stunnel@.service @@ -0,0 +1,11 @@ +[Unit] +Description=TLS tunnel for %I +After=syslog.target network.target + +[Service] +ExecStart=/usr/bin/stunnel /etc/stunnel/%i.conf +Type=forking +PrivateTmp=true + +[Install] +WantedBy=multi-user.target