Compare commits

...

12 Commits

Author SHA1 Message Date
Mario Fetka
3f780093b7 Bump 2019-08-02 16:02:55 +02:00
Peter Pentchev
a4672526d7 Imported Debian patch 3:5.44-1 2018-03-29 12:42:36 +02:00
Mario Fetka
814d9ca18b Bump 2017-11-15 15:06:40 +01:00
Peter Pentchev
10de5e9e32 Imported Debian patch 3:5.42-1 2017-11-15 15:03:25 +01:00
Mario Fetka
98b4ec0cd9 Bump 2017-11-15 15:03:17 +01:00
Mario Fetka
8e9bdf3481 Bump 2017-03-28 10:47:03 +02:00
Mario Fetka
18f12ad1bc Bump 2017-03-28 10:42:58 +02:00
Mario Fetka
83fe2cf45c Bump 2017-03-28 10:30:49 +02:00
Mario Fetka
595593c0e7 Bump 2017-03-28 10:29:18 +02:00
Mario Fetka
4e8986c5ef Bump 2017-03-28 10:20:27 +02:00
Mario Fetka
b8998ae382 Merge tag 'upstream/4.57'
Upstream version 4.57
2017-03-28 10:18:04 +02:00
Salvatore Bonaccorso
8e474e5321 Imported Debian patch 3:4.53-1.1 2017-03-28 09:58:14 +02:00
42 changed files with 4073 additions and 0 deletions

84
debian/README.Debian vendored Normal file
View File

@ -0,0 +1,84 @@
This is the Stunnel 4.x package for Debian.
* Upgrading from stunnel to stunnel4
Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
different command line syntax and configuration. You will need to
update your scripts.
The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).
* Basic configuration
After installation, you should :
- edit /etc/stunnel/stunnel.conf
- edit /etc/default/stunnel and set ENABLE=1, if you want your
configured tunnels to start automatically on boot.
- generate a certificate for use with stunnel if you want to use server mode
Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
configuration. It is very simple and only includes a couple of configuration
options. This script is located in
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
It requires libgnome2-perl and libgtk2-perl.
* How to create SSL keys for stunnel
The certificates default directory is /etc/ssl/certs, so cd into that dir
and issue the command:
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
Fill in the info requested.
Change 'stunnel.pem' to the name of the certificate you need to
create. stunnel.pem will be used by default by stunnel, but you want
to create different certificates for different services you run with
stunnel. Make sure only root can read the file (or only the user that
needs to read it, if stunnel is run as that user):
chmod 600 stunnel.pem
Now you need to append the DH parameters to the certificate.
First you need to generate some amount of random data:
dd if=/dev/urandom of=temp_file count=2
Use /dev/random if you want a more secure source of data, but make
sure you have enough entropy on you system (the output file should be
at least 512 bytes long).
And now make openssl generate the DH parameters and append them to the
certificate file:
openssl dhparam -rand temp_file 512 >> stunnel.pem
You also want to link the certificate to its hash name so that openssl
can find it also by that means:
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
Read the manual page for openssl for more info on the various options.
* FIPS
Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
using it requires stunnel to be compiled statically against OpenSSL and all
supporting libraries. Thus, this option is disabled in the Debian package.
See the OpenSSL FIPS User Guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
and the OpenSSL notes about FIPS 140-2 at
https://www.openssl.org/docs/fips/fipsnotes.html
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z

477
debian/StunnelConf-0.1.pl vendored Normal file
View File

@ -0,0 +1,477 @@
#!/usr/bin/perl
# Copyright (C) 2004 Sergio Rua <srua@debian.org>
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
#
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL'.
use strict;
use Gtk2;
use Gnome2;
use Gtk2::SimpleList;
use constant TRUE => 1;
use constant FALSE => 0;
# Please configure if necessary!
my $cfgfile = "/etc/stunnel/stunnel.conf";
my $backup_cfg = 1;
my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g;
# global variables
my $ekey;
my $ecert;
my $verify;
my $app;
my $elog;
my $clientmode;
my $debuglevel;
my $capath;
my $list;
sub mydie
{
my ($msg)=@_;
print "$msg\n";
Gtk2->main_quit;
exit (-1);
}
sub sel_file
{
my ($title,$entry,$isfile)=@_;
my $fsel=Gtk2::FileSelection->new($title);
$fsel->ok_button->signal_connect("clicked",sub {
print "OK: ". $fsel->get_filename."\n";
$entry->set_text($fsel->get_filename);
$fsel->destroy;
});
$fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; });
$fsel->show;
}
sub add_connection
{
my $win = new Gtk2::Window("toplevel");
$win->set_position("center");
my $vbox = new Gtk2::VBox( 0, 2 );
$win->add($vbox);
$vbox->show;
my $druid = new Gnome2::Druid;
$druid->signal_connect("cancel", sub { $win->destroy; } );
$vbox->pack_start($druid,0,0,0);
my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START");
$druid_start->set_title("Connections setup");
$druid_start->set_text("Please follow this configuration wizard to ".
"configure your connections\n");
# $druid_start->set_watermark($logo);
$druid_start->show;
$druid->append_page($druid_start);
# Second Step: accepting connections
my $druid_name = new Gnome2::DruidPageStandard();
$druid_name->set_title("Connection name");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("Enter this connection name");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $ename=new Gtk2::Entry();
$dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0);
$druid_name->append_item("",$dvbox,"");
$druid_name->show_all;
# add page to the druid
$druid->append_page($druid_name);
# Second Step: accepting connections
my $druid_accept = new Gnome2::DruidPageStandard();
$druid_accept->set_title("Accepting connections");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $accept_error=new Gtk2::Label("");
$dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $eip=new Gtk2::Entry();
$dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0);
my $eport=new Gtk2::Entry();
$dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0);
$druid_accept->append_item("",$dvbox,"");
$druid_accept->show_all;
# add page to the druid
$druid->append_page($druid_accept);
# Third Step: connecting to...
my $druid_connect = new Gnome2::DruidPageStandard();
$druid_connect->set_title("Connection To...");
my $dvbox=new Gtk2::VBox(2,2);
my $dtable=new Gtk2::Table(2,2,FALSE);
$dvbox->pack_start($dtable,FALSE,FALSE,0);
my $label=new Gtk2::Label("IP or hostname");
$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
my $etoip=new Gtk2::Entry();
$dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0);
my $label=new Gtk2::Label("Port number");
$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
my $etoport=new Gtk2::Entry();
$dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0);
$druid_connect->append_item("",$dvbox,"");
$druid_connect->show_all;
# add page to the druid
$druid->append_page($druid_connect);
# Finishing and adding connection
my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH");
$druid_finish->set_title("Configuration Finished.");
$druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
# $druid_finish->set_logo($logo2);
$druid_finish->signal_connect("finish", sub {
my $acip=$eip->get_text();
my $acport=$eport->get_text();
my $coip=$etoip->get_text();
my $coport=$etoport->get_text();
my $dslist = $list->{data};
push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ];
$win->destroy;
});
$druid_finish->show;
$druid->append_page($druid_finish);
$druid->show;
$win->show;
}
sub load_config_file
{
my $con=$list->{data};
my $name="";
my $accept="";
my $connect="";
if (! -s $cfgfile) {
print "Config file not found. Starting from scratch!\n";
return (0);
}
open F, "<$cfgfile" or die "$cfgfile: $!\n";
while (<F>) {
$_=~s/\n//g;
if ($_=~/^cert.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ecert->set_text($value);
} elsif ($_=~/^key.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$ekey->set_text($value);
} elsif ($_=~/^verify.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
if ($value==1) {
$verify->entry->set_text("verify peer certificate if present");
} elsif ($value==2) {
$verify->entry->set_text("verify peer certificate");
} elsif ($value==3) {
$verify->entry->set_text("verify peer with locally installed certificate");
} else {
$verify->entry->set_text("no verify");
}
} elsif ($_=~/^client.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$clientmode->entry->set_text($value);
} elsif ($_=~/^(capath|CApath).*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$capath->set_text($value);
} elsif ($_=~/^debug.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$debuglevel->entry->set_text($value);
} elsif ($_=~/^output.*=.*/) {
(undef,my $value) = split "=",$_;
$value=~s/(\ |\t)//g;
$elog->set_text($value);
} elsif ($_=~/^\[.*/) {
$_=~s/\[//g;
$_=~s/\]//g;
$name=$_;
} elsif ($_=~/^accept.*=.*/) {
(undef,$accept) = split "=",$_;
$accept=~s/(\ |\t)//g;
} elsif ($_=~/^connect.*=.*/) {
(undef,$connect) = split "=",$_;
$connect=~s/(\ |\t)//g;
}
# load connection
if (($accept) && ($name) && ($connect)) {
push @$con, [ $name, $accept, $connect ];
$name=$connect=$accept="";
}
}
close F;
}
sub save_config_file
{
if ($backup_cfg) {
chdir ($base_cfg_dir);
rename($cfgfile,$cfgfile.".$$") or
print "Error at \n$cfgfile: $!\nNo backup made!\n";
}
open O, ">$cfgfile" or
mydie "Cannot open config file: $!\n";
print "Saving $cfgfile\n\n\n";
print O "# Configuration file created by \"stunnelconf\" by ".
"Sergio Rua <srua\@debian.org>\n\n";
if ($ekey->get_text()) {
print O "key = ".$ekey->get_text()."\n";
}
if ($ecert->get_text()) {
print O "cert = ".$ecert->get_text()."\n";
}
print O "verify = ".$verify->entry->get_text()."\n";
print O "output = ".$elog->get_text()."\n";
print O "client = ".$clientmode->entry->get_text()."\n";
print O "debug = ".$debuglevel->entry->get_text()."\n";
print O "CApath = ".$capath->get_text()."\n";
print O "\n\n"; # just some spaces
my @rowref = @{$list->{data}};
my $i=0;
for $i (0 .. $#rowref) {
print O "[".$rowref[$i][0] . "]\n";
# if no hostname, ugly ":" to be removed
$rowref[$i][1]=~s/^://g;
$rowref[$i][2]=~s/^://g;
print O "accept = ".$rowref[$i][1] . "\n";
print O "connect = ".$rowref[$i][2] . "\n";
print O "\n"; # just some spaces
}
close O;
Gtk2->main_quit;
return 0;
}
sub create_main_win
{
$app = Gnome2::App->new ("stunnel-conf");
$app->set_default_size(470,410);
$app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } );
$app->set_title("Stunnel Configuration");
my $vbox=Gtk2::VBox->new(FALSE,0);
my $frame=Gtk2::Frame->new("Common options");
$vbox->pack_start($frame,TRUE, TRUE, 0);
my $table=Gtk2::Table->new(6, 2, FALSE);
$frame->add($table);
my $label0=Gtk2::Label->new("Private Key");
$table->attach($label0,0,1,0,1,["fill"],["fill"],0,0);
my $label1=Gtk2::Label->new("Certificate");
$table->attach($label1,0,1,1,2,["fill"],["fill"],0,0);
my $label2=Gtk2::Label->new("Verify level");
$table->attach($label2,0,1,2,3,["fill"],["fill"],0,0);
my $label3=Gtk2::Label->new("Log output");
$table->attach($label3,0,1,3,4,["fill"],["fill"],0,0);
my $label4=Gtk2::Label->new("Client mode");
$table->attach($label4,0,1,4,5,["fill"],["fill"],0,0);
my $label5=Gtk2::Label->new("Debug level");
$table->attach($label5,0,1,5,6,["fill"],["fill"],0,0);
my $label6=Gtk2::Label->new("Certificates path");
$table->attach($label6,0,1,6,7,["fill"],["fill"],0,0);
# Private Key
my $hbox0=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0);
$ekey=Gtk2::Entry->new();
$hbox0->pack_start($ekey,TRUE,TRUE,0);
my $bkey=Gtk2::Button->new_from_stock("gtk-open");
$bkey->signal_connect("clicked",sub {
sel_file("Select private key",$ekey);
});
$hbox0->pack_start($bkey,FALSE,FALSE,0);
# Certificate
my $hbox1=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0);
$ecert=Gtk2::Entry->new();
$hbox1->pack_start($ecert,TRUE,TRUE,0);
my $bcert=Gtk2::Button->new_from_stock("gtk-open");
$bcert->signal_connect("clicked",sub {
sel_file("Select certificate",$ecert);
});
$hbox1->pack_start($bcert,FALSE,FALSE,0);
# Auth level - verify
$verify = Gtk2::Combo->new();
$verify->entry->set_text("no verify");
$verify->set_popdown_strings(("no verify",
"verify peer certificate if present",
"verify peer certificate",
"verify peer with locally installed certificate"));
$table->attach($verify,1,2,2,3,["fill"],["fill"],0,0);
# Log output
my $hbox2=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0);
$elog=Gtk2::Entry->new();
$hbox2->pack_start($elog,TRUE,TRUE,0);
my $blog=Gtk2::Button->new_from_stock("gtk-open");
$blog->signal_connect("clicked",sub {
sel_file("Select log file",$elog);
});
$hbox2->pack_start($blog,FALSE,FALSE,0);
# Client mode
$clientmode = Gtk2::Combo->new();
$clientmode->entry->set_text("no verify");
$clientmode->set_popdown_strings(("yes","no"));
$table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0);
# Debug level
$debuglevel = Gtk2::Combo->new();
$debuglevel->entry->set_text("no verify");
$debuglevel->set_popdown_strings(("0","1","5","7"));
$table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0);
# CA path
my $hbox3=Gtk2::HBox->new(FALSE,0);
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0);
$capath=Gtk2::Entry->new();
$hbox3->pack_start($capath,TRUE,TRUE,0);
# my $bcapath=Gtk2::Button->new_from_stock("gtk-open");
# $bcapath->signal_connect("clicked",sub {
# sel_file("Select Certificates Path",$capath);
# });
# $hbox3->pack_start($bcapath,FALSE,FALSE,0);
# connections section
my $frame2=Gtk2::Frame->new("Connections");
$vbox->pack_start($frame2,TRUE, TRUE, 0);
my $hbox4=Gtk2::HBox->new(FALSE,0);
$list=Gtk2::SimpleList->new (
'Name' => 'text',
'Accept' => 'text',
'Connect' => 'text',
);
# $list->get_selection->set_mode ('multiple');
my $scwin = Gtk2::ScrolledWindow->new;
$scwin->set_policy (qw/automatic automatic/);
$scwin->add($list);
$hbox4->pack_start($scwin,TRUE,TRUE,0);
# list buttons
my $vbbox=Gtk2::VButtonBox->new();
$vbbox->set_layout('spread');
my $badd = Gtk2::Button->new_from_stock('gtk-add');
$badd->signal_connect( 'clicked' => sub { add_connection; } );
$vbbox->add($badd);
# my $bedit = Gtk2::Button->new_from_stock('gtk-properties');
# $bedit->signal_connect( 'clicked' => sub {
# print "Edit\n";
# } );
# $vbbox->add($bedit);
my $brem = Gtk2::Button->new_from_stock('gtk-remove');
$brem->signal_connect( 'clicked' => sub {
my @sel = $list->get_selected_indices;
print @sel;
foreach my $i (@sel) {
delete $list->{data}[$i];
}
} );
$vbbox->add($brem);
$hbox4->pack_start($vbbox,FALSE,FALSE,0);
# main buttons!!!
my $bbox=Gtk2::HButtonBox->new();
$bbox->set_layout('spread');
my $bok = Gtk2::Button->new_from_stock('gtk-ok');
$bok->signal_connect( 'clicked' => sub { save_config_file; } );
$bbox->add($bok);
my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
$bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
$bbox->add($bcancel);
$vbox->pack_start($bbox,FALSE,FALSE,0);
$frame2->add($hbox4);
# App contents and show them
$app->set_contents($vbox);
$app->show_all;
}
#
# MAIN MAIN MAIN
#
#
Gnome2::Program->init ("stunnelconf", "0.1");
$app=create_main_win;
load_config_file;
Gtk2->main;
exit 0;

1324
debian/changelog vendored Normal file

File diff suppressed because it is too large Load Diff

6
debian/clean vendored Normal file
View File

@ -0,0 +1,6 @@
build-stamp
debian/stunnel4.init
doc/stunnel.8
doc/stunnel.html
doc/stunnel4.8
doc/stunnel4.pl.8

1
debian/compat vendored Normal file
View File

@ -0,0 +1 @@
10

45
debian/control vendored Normal file
View File

@ -0,0 +1,45 @@
Source: stunnel4
Section: net
Priority: optional
Build-Depends:
debhelper (>= 10),
autoconf-archive,
libssl-dev,
libsystemd-dev [linux-any],
libwrap0-dev,
netcat-traditional,
openssl,
net-tools,
procps
Maintainer: Peter Pentchev <roam@ringlet.net>
Uploaders: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Standards-Version: 4.1.1
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/stunnel.git
Vcs-Git: https://anonscm.debian.org/git/collab-maint/stunnel.git
Homepage: https://www.stunnel.org/
Rules-Requires-Root: no
Package: stunnel4
Architecture: any
Provides: stunnel
Depends:
${shlibs:Depends},
${misc:Depends},
${perl:Depends},
lsb-base,
netbase,
openssl
Pre-Depends: adduser
Suggests: logcheck-database
Description: Universal SSL tunnel for network daemons
The stunnel program is designed to work as SSL encryption
wrapper between remote client and local (inetd-startable) or
remote server. The concept is that having non-SSL aware daemons
running on your system you can easily setup them to
communicate with clients over secure SSL channel.
.
stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers
without any changes in the programs' code.
.
This package contains a wrapper script for compatibility with stunnel 3.x

59
debian/copyright vendored Normal file
View File

@ -0,0 +1,59 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: stunnel
Upstream-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
Source: https://www.stunnel.org/downloads.html
License: GPL-2+-openssl
Files: *
Copyright:
(C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
(c) 2014 Mark Theunissen
License: GPL-2+-openssl
Files: src/stunnel3.in
Copyright: (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
License: GPL-2+
Files: debian/*
Copyright:
(C) 1998-2001 Paolo Molaro <lupus@debian.org>
(C) 2003-2007 Julien Lemoine <speedblue@debian.org>
(C) 2007-2012 Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
(C) 2013 Salvatore Bonaccorso <carnil@debian.org>
(C) 2014-2017 Peter Pentchev <roam@ringlet.net>
License: GPL-2+-openssl
License: GPL-2+-openssl
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".
.
Linking stunnel statically or dynamically with other modules is making
a combined work based on stunnel. Thus, the terms and conditions of the
GNU General Public License cover the whole combination.
.
In addition, as a special exception, the copyright holder of stunnel gives you
permission to combine stunnel with free software programs or libraries that
are released under the GNU LGPL and with code included in the standard release
of OpenSSL under the OpenSSL License (or modified versions of such code, with
unchanged license). You may copy and distribute such a system following the
terms of the GNU GPL for stunnel and the licenses of the other code concerned.
.
Note that people who make modified versions of stunnel are not obligated to
grant this special exception for their modified versions; it is their choice
whether to do so. The GNU General Public License gives permission to release
a modified version without this exception; this exception also makes it
possible to release a modified version which carries forward this exception.
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
On Debian systems, the complete text of the GNU General Public License
can be found in file "/usr/share/common-licenses/GPL-2".

1
debian/dirs vendored Normal file
View File

@ -0,0 +1 @@
etc/stunnel

10
debian/doc-base vendored Normal file
View File

@ -0,0 +1,10 @@
Document: stunnel4
Title: Stunnel documentation
Author: Michal Trojnara
Abstract: This manual documents stunnel, a SSL-enhanced client and
server wrapper.
Section: System/Security
Format: HTML
Index: /usr/share/doc/stunnel4/stunnel.html
Files: /usr/share/doc/stunnel4/stunnel*.html

4
debian/docs vendored Normal file
View File

@ -0,0 +1,4 @@
BUGS
NEWS
README
TODO

38
debian/patches/01-fix-paths.patch vendored Normal file
View File

@ -0,0 +1,38 @@
Description: Update the installation directories.
Change @prefix@/... to @localstatedir@ or @sysconfdir@ as appropriate
to comply with the FHS
Forwarded: not-needed
Author: Paolo Molaro <lupus@debian.org>
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2016-07-06
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -64,7 +64,7 @@
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes
@@ -73,7 +73,7 @@
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
@@ -82,7 +82,7 @@
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
-CApath = /etc/ssl/certs
+CApath = @sysconfdir/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes

103
debian/patches/02-rename-binary.patch vendored Normal file
View File

@ -0,0 +1,103 @@
Description: Change references to the binary from stunnel to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2017-09-23
--- a/src/stunnel3.in
+++ b/src/stunnel3.in
@@ -22,7 +22,7 @@
use Getopt::Std;
# Configuration - path to stunnel (version >=4.05)
-$stunnel_bin='@bindir@/stunnel';
+$stunnel_bin='@bindir@/stunnel4';
# stunnel3 script body begins here
($read_fd, $write_fd)=POSIX::pipe();
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -1,6 +1,6 @@
#! /bin/sh -e
### BEGIN INIT INFO
-# Provides: stunnel
+# Provides: stunnel4
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $syslog
@@ -21,8 +21,8 @@
. /lib/lsb/init-functions
-DEFAULTPIDFILE="/var/run/stunnel.pid"
-DAEMON=@bindir@/stunnel
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=@bindir@/stunnel4
NAME=stunnel
DESC="TLS tunnels"
OPTIONS=""
@@ -49,9 +49,9 @@
startdaemons() {
local res file args pidfile warn status
- if ! [ -d /var/run/stunnel ]; then
- rm -rf /var/run/stunnel
- install -d -o stunnel -g stunnel /var/run/stunnel
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
fi
if [ -n "$RLIMITS" ]; then
ulimit $RLIMITS
@@ -141,9 +141,9 @@
OPTIONS="-- $OPTIONS"
fi
-[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
+[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4
if [ "$ENABLED" = "0" ] ; then
- echo "$DESC disabled, see @sysconfdir@/default/stunnel"
+ echo "$DESC disabled, see @sysconfdir@/default/stunnel4"
exit 0
fi
--- a/tools/script.sh
+++ b/tools/script.sh
@@ -2,7 +2,7 @@
REMOTE_HOST="www.mirt.net:443"
echo "client script connecting $REMOTE_HOST"
-/usr/local/bin/stunnel -fd 10 \
+/usr/bin/stunnel4 -fd 10 \
11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -15,11 +15,11 @@
.pod.in.8.in:
pod2man -u -n stunnel -s 8 -r $(VERSION) \
- -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
+ -c "stunnel4 TLS Proxy" -d `date +%Y.%m.%d` $< $@
.pod.in.html.in:
pod2html --index --backlink --header \
- --title "stunnel TLS Proxy" --infile=$< --outfile=$@
+ --title "stunnel4 TLS Proxy" --infile=$< --outfile=$@
rm -f pod2htmd.tmp pod2htmi.tmp
edit = sed \
--- a/doc/stunnel.pl.8.in
+++ b/doc/stunnel.pl.8.in
@@ -70,8 +70,8 @@
.rr rF
.\" ========================================================================
.\"
-.IX Title "stunnel 8"
-.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy"
+.IX Title "stunnel4 8"
+.TH stunnel 8 "2017.04.01" "5.42" "stunnel4 TLS Proxy"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l

19
debian/patches/03-runas-user.patch vendored Normal file
View File

@ -0,0 +1,19 @@
Description: Change the default user the binary will run as to stunnel4
Forwarded: not-needed
Author: Julien Lemoine <speedblue@debian.org>
Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
Last-Update: 2015-06-13
--- a/tools/stunnel.conf-sample.in
+++ b/tools/stunnel.conf-sample.in
@@ -8,8 +8,8 @@
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+;setuid = stunnel4
+;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid

View File

@ -0,0 +1,44 @@
Description: Temporarily restore the pid file creation by default.
The init script will not be able to monitor the automatically-started
instances of stunnel if there is no pid file. For the present for the
upgrade from 4.53 the "create the pid file by default" behavior is
restored and the init script warns about configuration files that have
no "pid" setting. The intention is that in a future version the init
script will refuse to start stunnel for these configurations.
Forwarded: not-needed
Author: Peter Pentchev <roam@ringlet.net>
Bug-Debian: https://bugs.debian.org/744851
Last-Update: 2017-07-03
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,6 +44,7 @@
stunnel_CPPFLAGS += -I$(SSLDIR)/include
stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
+stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
# TLS library
stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
--- a/src/options.c
+++ b/src/options.c
@@ -917,7 +917,7 @@
#ifndef USE_WIN32
switch(cmd) {
case CMD_BEGIN:
- new_global_options.pidfile=NULL; /* do not create a pid file */
+ new_global_options.pidfile=PIDFILE;
break;
case CMD_EXEC:
if(strcasecmp(opt, "pid"))
@@ -932,9 +932,10 @@
case CMD_FREE:
break;
case CMD_DEFAULT:
+ s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE);
break;
case CMD_HELP:
- s_log(LOG_NOTICE, "%-22s = pid file", "pid");
+ s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid");
break;
}
#endif

16
debian/patches/05-author-tests.patch vendored Normal file
View File

@ -0,0 +1,16 @@
Description: Only build the Win32 executables if requested.
Author: Peter Pentchev <roam@ringlet.net>
Forwarded: not yet
Last-Update: 2015-11-11
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@
AC_CONFIG_SRCDIR([src/stunnel.c])
AM_INIT_AUTOMAKE
-AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
+AM_CONDITIONAL([AUTHOR_TESTS], [test -n "$AUTHOR_TESTS"])
AC_CANONICAL_HOST
AC_SUBST([host])
AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])

71
debian/patches/07-path-max.patch vendored Normal file
View File

@ -0,0 +1,71 @@
Description: Allocate the config filename dynamically.
Avoid the use of PATH_MAX which may not be defined.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/src/common.h
+++ b/src/common.h
@@ -94,7 +94,6 @@
typedef int ssize_t;
#endif /* _WIN64 */
#endif /* !__MINGW32__ */
-#define PATH_MAX MAX_PATH
#define USE_IPv6
#define _CRT_SECURE_NO_DEPRECATE
#define _CRT_NONSTDC_NO_DEPRECATE
--- a/src/options.c
+++ b/src/options.c
@@ -211,7 +211,7 @@
NOEXPORT char **argalloc(char *);
#endif
-char configuration_file[PATH_MAX];
+char *configuration_file;
GLOBAL_OPTIONS global_options;
SERVICE_OPTIONS service_options;
@@ -289,17 +289,27 @@
}
#ifdef HAVE_REALPATH
+ char *nconf;
if(type==CONF_FILE) {
- if(!realpath(name, configuration_file)) {
+ nconf = realpath(name, NULL);
+ if(nconf == NULL) {
s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name);
ioerror("realpath");
return 1;
}
- return options_parse(type);
- }
+ free(configuration_file);
+ } else
#endif
- strncpy(configuration_file, name, PATH_MAX-1);
- configuration_file[PATH_MAX-1]='\0';
+ {
+ size_t sz = strlen(name) + 1;
+ nconf = realloc(configuration_file, sz);
+ if(nconf == NULL) {
+ s_log(LOG_ERR, "Could not allocate memory");
+ return 1;
+ }
+ snprintf(nconf, sz, "%s", name);
+ }
+ configuration_file = nconf;
return options_parse(type);
}
--- a/src/prototypes.h
+++ b/src/prototypes.h
@@ -430,7 +430,7 @@
/**************************************** prototypes for options.c */
-extern char configuration_file[PATH_MAX];
+extern char *configuration_file;
extern unsigned number_of_sections;
int options_cmdline(char *, char *);

76
debian/patches/09-try-restart.patch vendored Normal file
View File

@ -0,0 +1,76 @@
Description: Implement try-restart in the SysV init script.
Forwarded: not-yet
Author: Peter Pentchev <roam@ringlet.net>
Last-Update: 2017-07-03
--- a/tools/stunnel.init.in
+++ b/tools/stunnel.init.in
@@ -137,6 +137,47 @@
exit "$res"
}
+restartrunningdaemons()
+{
+ local res file pidfile status args
+
+ res=0
+ for file in $FILES; do
+ echo -n " $file: "
+ pidfile=`get_pidfile "$file"`
+ if [ ! -e "$pidfile" ]; then
+ echo -n 'no pid file'
+ else
+ status=0
+ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
+ if [ "$status" = 0 ]; then
+ echo -n 'stopping'
+ killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' starting'
+ args="$file $OPTIONS"
+ start_daemon -p "$pidfile" "$DAEMON" $args || status="$?"
+ if [ "$status" -eq 0 ]; then
+ echo -n ' started'
+ else
+ echo ' failed'
+ res=1
+ fi
+ else
+ echo -n ' failed'
+ res=1
+ fi
+ elif [ "$status" = 4 ]; then
+ echo "cannot access the pid file $pidfile"
+ else
+ echo -n 'stopped'
+ fi
+ fi
+ done
+ echo ''
+ exit "$res"
+}
+
if [ "x$OPTIONS" != "x" ]; then
OPTIONS="-- $OPTIONS"
fi
@@ -194,6 +235,11 @@
killdaemons && startdaemons
res=$?
;;
+ try-restart)
+ echo -n "Restarting $DESC if running:"
+ restartrunningdaemons
+ res=$?
+ ;;
status)
echo -n "$DESC status:"
querydaemons
@@ -201,7 +247,7 @@
;;
*)
N=@sysconfdir@/init.d/$NAME
- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} [<stunnel instance>]" >&2
res=1
;;
esac

7
debian/patches/series vendored Normal file
View File

@ -0,0 +1,7 @@
01-fix-paths.patch
02-rename-binary.patch
03-runas-user.patch
04-restore-pidfile-default.patch
05-author-tests.patch
07-path-max.patch
09-try-restart.patch

67
debian/postinst vendored Normal file
View File

@ -0,0 +1,67 @@
#!/bin/sh
set -e
USER="stunnel4"
CHOWN="/bin/chown"
#USERDEL="/usr/sbin/userdel"
ADDUSER="/usr/sbin/adduser"
ID="/usr/bin/id"
GROUPMOD="/usr/sbin/groupmod"
#GROUPDEL="/usr/sbin/groupdel"
###
# 1. get current stunnel uid and gid if user exists.
set -e
if $ID $USER > /dev/null 2>&1; then
IUID=`$ID --user $USER`
IGID=`$ID --group $USER`
else
IUID="NONE"
IGID="NONE"
fi
###
# 2. Ensure that no standard account or group will remain before adding the
# new user
#if [ "$IUID" != "NONE" ]; then # remove existing user
# $USERDEL $USER
#fi
#if $GROUPMOD $USER > /dev/null 2>&1; then
# $GROUPDEL $USER;
#fi
if [ "$IUID" = "NONE" ]; then
$ADDUSER --system --disabled-password --disabled-login \
--home /var/run/stunnel4 \
--no-create-home --group $USER
fi
# /var/run/stunnel4 is not a directory, create it...
if ! test -d /var/run/stunnel4; then
rm -rf /var/run/stunnel4;
mkdir /var/run/stunnel4
fi
$CHOWN $USER:$USER /var/run/stunnel4 || true
# /var/log/stunnel4 is not a directory, create it...
if ! test -d /var/log/stunnel4; then
rm -rf /var/log/stunnel4;
mkdir /var/log/stunnel4
fi
$CHOWN -R $USER:$USER /var/log/stunnel4
# /var/lib/stunnel4 is not a directory, create it...
if ! test -d /var/lib/stunnel4; then
rm -rf /var/lib/stunnel4;
mkdir /var/lib/stunnel4
fi
$CHOWN -R $USER:$USER /var/lib/stunnel4
if ! test -f /var/log/stunnel4/stunnel.log; then
touch /var/log/stunnel4/stunnel.log
$CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
fi
#DEBHELPER#

17
debian/postrm vendored Normal file
View File

@ -0,0 +1,17 @@
#!/bin/sh
set -e
if [ x$1 = "xpurge" ]; then
echo You may want to delete the generated stunnel.pem file
echo in /etc/ssl/certs.
# Remove chroot dir if present. It may contain logfiles
rm -rf /var/lib/stunnel4 || true
# Log files must be removed on purge (Policy 10.8)
rm -f /var/log/stunnel4/stunnel.log* || true
rmdir /var/log/stunnel4 || true
fi
#DEBHELPER#

79
debian/rules vendored Executable file
View File

@ -0,0 +1,79 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
# debian/rules file for the Debian GNU/Linux stunnel package
# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
# Copyright 2014 by Peter Pentchev <roam@ringlet.net>
ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
DEB_NODOC=0
else
DEB_NODOC=1
endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_CFLAGS_MAINT_APPEND=-Wall
multiarch_path= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
override_dh_auto_configure:
dh_auto_configure -- \
--enable-ipv6 --with-threads=pthread
override_dh_auto_install:
dh_auto_install -- -C src
ifeq ($(DEB_NODOC),0)
dh_auto_install -- -C doc
endif
# .la file is useless
rm $(CURDIR)/debian/stunnel4/usr/lib/$(multiarch_path)/stunnel/libstunnel.la
# Rename binary
mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
$(CURDIR)/debian/stunnel4/usr/bin/stunnel4
# Copy sample init script into place for dh_installinit
cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
ifeq ($(DEB_NODOC),0)
ln doc/stunnel.8 doc/stunnel4.8
ln doc/stunnel.pl.8 doc/stunnel4.pl.8
# Manpages will be installed by dh_installman
rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
# Move docs into proper dir
mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
# Basic docs for the user on how to create an initial configuration
install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
$(CURDIR)/debian/stunnel4/etc/stunnel/README
endif
ifeq ($(DEB_NODOC),1)
override_dh_installdocs:
mkdir -p $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
install -c -o root -g root -m 644 $(CURDIR)/debian/copyright $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/
override_dh_installman:
override_dh_link:
dh_link
rm $(CURDIR)/debian/stunnel4/usr/share/man/man8/stunnel.8.gz
rmdir $(CURDIR)/debian/stunnel4/usr/share/man/man8
rmdir $(CURDIR)/debian/stunnel4/usr/share/man
endif
override_dh_installppp:
dh_installppp --name=0stunnel4
override_dh_compress:
dh_compress --exclude=StunnelConf-0.1.pl
%:
dh $@

1
debian/source/format vendored Normal file
View File

@ -0,0 +1 @@
3.0 (quilt)

510
debian/stunnel3.8 vendored Normal file
View File

@ -0,0 +1,510 @@
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.\"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "STUNNEL 1"
.TH STUNNEL 8 "2003-08-01" " " " "
.SH "NAME"
stunnel \- universal SSL tunnel
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user]
[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host]
[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption
wrapper between remote clients and local (\fIinetd\fR\-startable) or
remote servers. The concept is that having non-SSL aware daemons
running on your system you can easily set them up to communicate with
clients over secure \s-1SSL\s0 channels.
.PP
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used
\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone
daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network
sockets without changes to the source code.
.PP
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-h\fR" 4
.IX Item "-h"
Print stunnel help menu
.IP "\fB\-D\fR level" 4
.IX Item "-D level"
Debugging level
.Sp
Level is a one of the syslog level names or numbers emerg (0), alert
(1), crit (2), err (3), warning (4), notice (5), info (6), or debug
(7). All logs for the specified level and all levels numerically less
than it will be shown. Use \-D debug or \-D 7 for greatest debugging
output. The default is notice (5).
.Sp
The syslog facility 'daemon' will be used unless a facility name is
supplied. (Facilities are not supported on windows.)
.Sp
Case is ignored for both facilities and levels.
.IP "\fB\-O\fR a|l|r:option=value[:value]" 4
.IX Item "-O a|l|r:option=value[:value]"
Set an option on accept/local/remote socket
.Sp
The values for linger option are l_onof:l_linger. The values for time
are tv_sec:tv_usec.
.Sp
\&\fBExamples:\fR
.Sp
\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local
socket
.Sp
\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote
sockets
.Sp
\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the
receive data stream for remote sockets
.Sp
\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default)
.Sp
\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback
interface
.Sp
The available options and their defaults are:
Option Accept Local Remote OS default
SO_DEBUG -- -- -- 0
SO_DONTROUTE -- -- -- 0
SO_KEEPALIVE -- -- -- 0
SO_LINGER -- -- -- 0:0
SO_OOBINLINE -- -- -- 0
SO_RCVBUF -- -- -- 87380
SO_SNDBUF -- -- -- 16384
SO_RCVLOWAT -- -- -- 1
SO_SNDLOWAT -- -- -- 1
SO_RCVTIMEO -- -- -- 0:0
SO_SNDTIMEO -- -- -- 0:0
SO_REUSEADDR 1 -- -- 0
SO_BINDTODEVICE -- -- -- --
IP_TOS -- -- -- 0
IP_TTL -- -- -- 64
TCP_NODELAY -- -- -- 0
.IP "\fB\-o\fR file" 4
.IX Item "-o file"
Append log messages to a file.
.IP "\fB\-C\fR cipherlist" 4
.IX Item "-C cipherlist"
Select permitted \s-1SSL\s0 ciphers
.Sp
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
.IP "\fB\-c\fR" 4
.IX Item "-c"
client mode (remote service uses \s-1SSL\s0)
.Sp
default: server mode
.IP "\fB\-T\fR" 4
.IX Item "-T"
transparent proxy mode
.Sp
Re-write address to appear as if wrapped daemon is connecting from the
\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available
only on some operating systems (Linux only, we believe) and then only
in server mode. Note that this option will not combine with proxy mode
(\-r) unless the client's default route to the target machine lies
through the host running stunnel, which cannot be localhost.
.IP "\fB\-p\fR pemfile" 4
.IX Item "-p pemfile"
private key and certificate chain \s-1PEM\s0 file name
.Sp
A \s-1PEM\s0 is always needed in server mode (by default located in
\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode
will use this key and certificate chain as a client side certificate
chain. Using client side certs is optional. The certificates must be
in \s-1PEM\s0 format and must be sorted starting with the certificate
to the highest level (root \s-1CA\s0).
.IP "\fB\-v\fR level" 4
.IX Item "-v level"
verify peer certificate
.RS 4
.IP "\(bu" 8
level 1 \- verify peer certificate if present
.IP "\(bu" 8
level 2 \- verify peer certificate
.IP "\(bu" 8
level 3 \- verify peer with locally installed certificate
.IP "\(bu" 8
default \- no verify
.RE
.RS 4
.RE
.IP "\fB\-a\fR directory" 4
.IX Item "-a directory"
client certificate directory
.Sp
This is the directory in which stunnel will look for certificates when
using the \fI\-v\fR options. Note that the certificates in this directory
should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the
cert.
.IP "\fB\-A\fR certfile" 4
.IX Item "-A certfile"
Certificate Authority file
.Sp
This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR
options.
.IP "\fB\-t\fR timeout" 4
.IX Item "-t timeout"
session cache timeout
.Sp
default: 300 seconds.
.IP "\fB\-N\fR servicename" 4
.IX Item "-N servicename"
Service name to use for tcpwrappers. If not specified then a
tcpwrapper service name will be generated automatically for you. This
will also be used when auto-generating pid filenames.
.IP "\fB\-u\fR ident_username" 4
.IX Item "-u ident_username"
Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
.IP "\fB\-n\fR proto" 4
.IX Item "-n proto"
Negotiate \s-1SSL\s0 with specified protocol
.Sp
currently supported: smtp, pop3, nntp
.IP "\fB\-E\fR socket" 4
.IX Item "-E socket"
Entropy Gathering Daemon socket to use to feed OpenSSL random number
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
.IP "\fB\-R\fR filename" 4
.IX Item "-R filename"
File containing random input. The \s-1SSL\s0 library will use data from this
file first to seed the random number generator.
.IP "\fB\-W\fR" 4
.IX Item "-W"
Do not overwrite the random seed files with new random data.
.IP "\fB\-B\fR bytes" 4
.IX Item "-B bytes"
Number of bytes of data read from random seed files. With \s-1SSL\s0
versions less than 0.9.5a, also determines how many bytes of data are
considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions
have a builtin function to determine when sufficient randomness is
available.
.IP "\fB\-I\fR host" 4
.IX Item "-I host"
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
Use this option to bind a static local \s-1IP\s0 address, instead.
.IP "\fB\-d\fR [host:]port" 4
.IX Item "-d [host:]port"
daemon mode
.Sp
Listen for connections on [host:]port. If no host specified, defaults
to all \s-1IP\s0 addresses for the local host.
.Sp
default: inetd mode
.IP "\fB\-f\fR" 4
.IX Item "-f"
foreground mode
.Sp
Stay in foreground (don't fork) and log to stderr instead of via
syslog (unless \-o is specified).
.Sp
default: background in daemon mode
.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]"
execute local inetd-type program.
.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]"
open local pty and execute program.
.IP "\fB\-s\fR username" 4
.IX Item "-s username"
\&\fIsetuid()\fR to username in daemon mode
.IP "\fB\-g\fR groupname" 4
.IX Item "-g groupname"
\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups.
.IP "\fB\-P\fR { file | '' }" 4
.IX Item "-P { file | '' }"
Pid file location
.Sp
If the argument is a filename, then that filename will be used for the
pid. If the argument is empty ('', not missing), then no pid file will
be created.
.IP "\fB\-r\fR [host:]port" 4
.IX Item "-r [host:]port"
connect to remote service
.Sp
If no host specified, defaults to localhost.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service,
use
.PP
.Vb 1
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
.Ve
.PP
In order to let your local e-mail client connect to a \s-1SSL\s0-enabled
\fIimapd\fR service on another server, configure the e-mail client to connect to
localhost on port 119 and use:
.PP
.Vb 1
\& stunnel \-c \-d 143 \-r servername:993
.Ve
.PP
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
use something like
.PP
.Vb 1
\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR
options, it will set the following environment variables
.IP "\s-1REMOTE_HOST\s0" 4
.IX Item "REMOTE_HOST"
The \s-1IP\s0 address of the remote end of the connection.
.IP "\s-1SSL_CLIENT_DN\s0" 4
.IX Item "SSL_CLIENT_DN"
The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate,
if a certificate was present and verified.
.IP "\s-1SSL_CLIENT_I_DN\s0" 4
.IX Item "SSL_CLIENT_I_DN"
The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was
present and verified.
.SH "CERTIFICATES"
.IX Header "CERTIFICATES"
.IP "\(bu" 4
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to
the peer. It also needs a private key to decrypt the incoming data.
The easiest way to obtain a certificate and a key is to generate them
with the free \fIopenssl\fR package. You can find more information on
certificates generation on pages listed below.
.Sp
Two things are important when generating certificate-key pairs for
\&\fBstunnel\fR. The private key cannot be encrypted, because the server
has no way to obtain the password from the user. To produce an
unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR
command from the \fIopenssl\fR kit.
.Sp
The order of contents of the \fI.pem\fR file is also important. It should
contain the unencrypted private key first, then a signed certificate
(not certificate request). There should be also empty lines after
certificate and private key. Plaintext certificate information
appended on the top of generated certificate should be discarded. So
the file should look like this:
.Sp
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.SH "RANDOMNESS"
.IX Header "RANDOMNESS"
.IP "\(bu" 4
\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
order for \s-1SSL\s0 to use good randomness. The following sources are
loaded in order until sufficient random data has been gathered:
.RS 4
.IP "\(bu" 8
The file specified with the \fI\-R\fR flag.
.IP "\(bu" 8
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
.IP "\(bu" 8
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
.IP "\(bu" 8
The file specified with '\-\-with\-random' at compile time.
.IP "\(bu" 8
The contents of the screen if running on Windows.
.IP "\(bu" 8
The egd socket specified with the \fI\-E\fR flag.
.IP "\(bu" 8
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
.IP "\(bu" 8
The /dev/urandom device.
.RE
.RS 4
.Sp
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
random data automatically when sufficient entropy has been gathered.
With previous versions it will continue to gather from all the above
sources since no \s-1SSL\s0 function exists to tell when enough data is
available.
.Sp
Note that on Windows machines that do not have console user
interaction (mouse movements, creating windows, etc) the screen
contents are not variable enough to be sufficient, and you should
provide a random file for use with the \fI\-R\fR flag.
.Sp
Note that the file specified with the \fI\-R\fR flag should contain random
data \*(-- that means it should contain different information each time
\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR
flag is used. If you wish to update this file manually, the \fIopenssl
rand\fR command in recent versions of OpenSSL, would be useful.
.Sp
One important note \*(-- if /dev/urandom is available, OpenSSL has a
habit of seeding the \s-1PRNG\s0 with it even when checking the random state,
so on systems with /dev/urandom you're likely to use it even though
it's listed at the very bottom of the list above. This isn't
stunnel's behaviour, it's OpenSSLs.
.RE
.SH "LIMITATIONS"
.IX Header "LIMITATIONS"
.IP "\(bu" 4
\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons,
however.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.RS 4
.IP "\fItcpd\fR\|(8)" 8
.IX Item "tcpd"
access control facility for internet services
.IP "\fIinetd\fR\|(8)" 8
.IX Item "inetd"
internet ``super\-server''
.IP "\fIhttps://www.stunnel.org/\fR" 8
.IX Item "https://www.stunnel.org/"
Stunnel homepage
.IP "\fIhttps://www.openssl.org/\fR" 8
.IX Item "https://www.openssl.org/"
OpenSSL project website
.RE
.RS 4
.RE
.SH "AUTHOR"
.IX Header "AUTHOR"
.RS 4
.IP "Michal Trojnara" 8
.IX Item "Michal Trojnara"
<\fIMichal.Trojnara@stunnel.org\fR>
.RE
.RS 4
.RE

9
debian/stunnel4.0stunnel4.ppp.ip-down vendored Normal file
View File

@ -0,0 +1,9 @@
#!/bin/sh
# if this script gets called, we assume that the machine has lost
# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
# to have a eth connection)
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart

7
debian/stunnel4.0stunnel4.ppp.ip-up vendored Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
test -f /etc/default/stunnel4 && . /etc/default/stunnel4
test "$PPP_RESTART" != "0" || exit 0
invoke-rc.d stunnel4 restart

96
debian/stunnel4.NEWS vendored Normal file
View File

@ -0,0 +1,96 @@
stunnel4 (3:5.06-1) unstable; urgency=medium
There are two major changes in this version of stunnel.
First, the /usr/bin/stunnel symlink has been switched from stunnel3
to stunnel4. This should not affect any tools that invoke stunnel
using the stunnel4 name, and it should not affect any Debian packages
that use stunnel. However, any local tools that invoke stunnel with
3.x-style command-line options instead of a 4.x-style configuration
file should make sure that they use the stunnel3 executable name and
not simply stunnel any more, or they should be converted to use
a 4.x-style configuration file (there is no need to create an actual
file on the filesystem, the configuration may be passed to stunnel
on its standard input using the "-fd 0" command-line option).
Second, this version DISABLES support for the SSLv2 and SSLv3 protocols!
If needed, it may be re-enabled by editing the stunnel configuration
file and adding "-NO_SSLv2" or "-NO_SSLv3" respectively to
the "options" setting; see /etc/stunnel/README for an example.
-- Peter Pentchev <roam@ringlet.net> Thu, 16 Oct 2014 13:56:35 +0300
stunnel4 (3:5.01-3) unstable; urgency=medium
This version temporarily brings back the creation of a default pid
file, /var/run/stunnel4.pid, if there is no "pid" setting in
the configuration file. The reason for this is that the init script
cannot monitor the started stunnel processes if there is no pid file
at all.
The init script now warns about configuration files that have no
"pid" setting and will thus use the default pid file location.
In the future it will refuse to start with such configurations, so
it would be best to add the "pid" setting to all the *.conf files in
the /etc/stunnel/ directory.
-- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
stunnel (3:5.01-2) unstable; urgency=medium
This version DISABLES the RLE compression method, too. This means
that stunnel currently has no compression methods available at all,
since the underlying OpenSSL library does not have any, either.
Tunnel configurations that explicitly set "compression" will NEED
to be modified.
-- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:04:56 +0300
stunnel (3:5.01-1) unstable; urgency=medium
This version DISABLES the creation of the process ID file and
the use of TCP wrappers for access control by default!
Tunnel configurations that use PID files (e.g. for monitoring) or
TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) will NEED to be
modified to explicitly specify the 'pidfile' global option or
the 'libwrap' service-level option respectively.
This version also DISABLES the "zlib" and "deflate" compression
algorithms because they are not supported in the Debian OpenSSL
package since version 1.0.1e-5. The only supported compression
algorithm is "rle". Tunnel configurations that explicitly set
"compression" to something other than "rle" will NEED to be modified.
-- Peter Pentchev <roam@ringlet.net> Tue, 25 Mar 2014 18:05:11 +0200
stunnel (3:4.33-1) experimental; urgency=low
This version introduces support for reloading the configuration file
and for closing/reopening log files. The init script has been
updated to provide these options, and the default logrotate
configuration has been updated to take advantage of them.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 04 Feb 2010 19:52:23 -0800
stunnel (3:4.28-1) unstable; urgency=low
The default behaviour of the logrotate configuration for stunnel4
has been changed. Instead of restarting stunnel after rotating the
log files we now use the 'copytruncate' keyword. This avoids the
problems associated with the restart, but introduces the possibility
of loosing small amounts of log data. Please see Debian bugs
#535915, #535924 and #323171 for more info.
-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 25 Nov 2009 17:12:42 -0800
stunnel (2:4.140-5) unstable; urgency=low
stunnel/stunnel4 binaries are located in /usr/bin instead of
/usr/sbin in order to be FHS compliant (they can be used by normal
user). You need to update your scripts to refer to this new location
-- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:31:24 +0100

13
debian/stunnel4.conf.README vendored Normal file
View File

@ -0,0 +1,13 @@
Stunnel 4 configuration files.
Files found under the /etc/stunnel directory that end with .conf are
used by the stunnel4 service as configuration files, and each will be
used to start a daemon process setting up a tunnel with the given
configuration. Note that this directory is initially empty, as the
settings you may want for your tunnels are completely system dependent.
In order to have the tunnels start up automatically on system boot you
must *also* set ENABLED to 1 in /etc/default/stunnel4
A sample configuration file with defaults may be found at
/usr/share/doc/stunnel4/examples/stunnel.conf-sample

18
debian/stunnel4.default vendored Normal file
View File

@ -0,0 +1,18 @@
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=0
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""

6
debian/stunnel4.examples vendored Normal file
View File

@ -0,0 +1,6 @@
tools/ca.html
tools/ca.pl
tools/importCA.html
tools/importCA.sh
tools/openssl.cnf
tools/stunnel.conf-sample

1
debian/stunnel4.install vendored Normal file
View File

@ -0,0 +1 @@
debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib

2
debian/stunnel4.links vendored Normal file
View File

@ -0,0 +1,2 @@
/usr/bin/stunnel4 /usr/bin/stunnel
/usr/share/man/man8/stunnel4.8.gz /usr/share/man/man8/stunnel.8.gz

5
debian/stunnel4.lintian-overrides vendored Normal file
View File

@ -0,0 +1,5 @@
# No character arrays anywhere in this .so
stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
# Not a typo at all.
stunnel4: spelling-error-in-manpage usr/share/man/man8/stunnel4.8.gz CAs Case

13
debian/stunnel4.logrotate vendored Normal file
View File

@ -0,0 +1,13 @@
/var/log/stunnel4/*.log {
daily
missingok
rotate 365
compress
delaycompress
notifempty
create 640 stunnel4 stunnel4
sharedscripts
postrotate
/etc/init.d/stunnel4 reopen-logs > /dev/null
endscript
}

3
debian/stunnel4.manpages vendored Normal file
View File

@ -0,0 +1,3 @@
doc/stunnel4.8
doc/stunnel4.pl.8
debian/stunnel3.8

21
debian/tests/certs/certificate.pem vendored Normal file
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIJAPFcHvXjRYbZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
BAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwGA1UEBwwFU29maWExEDAOBgNVBAoM
B1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzA2MTIyMzAzMjdaFw0y
NzA2MTAyMzAzMjdaMFMxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
A1UEBwwFU29maWExEDAOBgNVBAoMB1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9z
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp0QYS6IZ1To2h68NcZ
zmnAQfzodFcD7Lhp2CcDOBXRrKfPq1NUqUXMGvcHcPbmT84W2OGGfh11MKvksuof
4+juU4+1uujPJoOmREi7WjVzEVWUftvFUqeTigFz96EMsVui4UbTUxX6ACIsXXwg
v1b/rpyVZJvTucKsyP5ml5OXaPFe5mXUQtdaJsjpV4ikq4O9vcYdMt0Y8IVbxpCO
5CryW3KUHzBUS7uqO2nbLXZBOkJHCgxDawAlTeDRW/uJOl7nnSUgo0HiojG4qhY6
spYmQ9ijtj1vX5H2tsf97rZCbU5JMFqX8XcJgTWKTYHlxkBYbB6QkPyhiOXDo/M/
oJ8CAwEAAaNTMFEwHQYDVR0OBBYEFPwfXq4qd8stmvstPC3QdFL716XRMB8GA1Ud
IwQYMBaAFPwfXq4qd8stmvstPC3QdFL716XRMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
KoZIhvcNAQELBQADggEBADkuMAUB2Uyx23oN9ZxZsAWOdJoSUIWs4qxc5eQ/qjj7
64zm62ZaVc8F6AyMYxHZvOKxvN/Pg19dSZelvTpgSqXLbirstRgsBCIXO2q6UYo2
BUpZovZ4DOll+sAbmrZJRDiVO1XeCqqjr0v0I7NfJ5r31K1tfaZxGovUdC+M3xJ6
yRrFWfF+EdlvVRFQt97mZXtcTDFWk7+CT6fgfLnCxTuMcSNtzM60FCBS5wz0MPSA
BGje1qXUMzwN2T0aDyxWNRdvFGMHC8Z23EOa3roK+NybS2PVAu7MpxDTBZdHSGtG
5wqY6fq5kww8OI9AlPNYVtqXrFrF6Lj5m/jhUHcAIUU=
-----END CERTIFICATE-----

28
debian/tests/certs/key.pem vendored Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKdEGEuiGdU6No
evDXGc5pwEH86HRXA+y4adgnAzgV0aynz6tTVKlFzBr3B3D25k/OFtjhhn4ddTCr
5LLqH+Po7lOPtbrozyaDpkRIu1o1cxFVlH7bxVKnk4oBc/ehDLFbouFG01MV+gAi
LF18IL9W/66clWSb07nCrMj+ZpeTl2jxXuZl1ELXWibI6VeIpKuDvb3GHTLdGPCF
W8aQjuQq8ltylB8wVEu7qjtp2y12QTpCRwoMQ2sAJU3g0Vv7iTpe550lIKNB4qIx
uKoWOrKWJkPYo7Y9b1+R9rbH/e62Qm1OSTBal/F3CYE1ik2B5cZAWGwekJD8oYjl
w6PzP6CfAgMBAAECggEAf+TrUuamv5WLoEAyDyCdVg7/YL6UaDfxfhpXU2XkM1xu
vuAg8haEjLRAwJdx1HdwKNgkEGx/FSroIV7ra53Tw11zalC6j8H1KauKbYv1k9hq
Ne8GKN3Btl0tDHfvEk1LaYE+4Rg036g8F1qBgB3L4jDJZN+3W/1n10SCALxcuv4G
XMJOcrhW3KBlEJpIBhz+ROPeiZX8VwB2iK7jg0Bebh7XuNFCFOiFqq6UfFRNeGBi
Ca9rZdUP0YmxNPEXzGu1TEv1edX0Nf3jRKERQrZ3Sg6ogPcqQSQ1VP052Hc0Tqpl
akrRrVMfbbQQIMc9JrxJmXb7/OHeS1R50Ci5x7weoQKBgQDwYSGSypJl6lWpgrm6
5HuIem0AK9gmOAyiR0UdjMwVybeHhcldK8ABFcsdUt7v84+kCKkRhEX//QWjowMF
0OJ2i7Y1VbdyNd7exPW5zmYAiBX+oR3JKMekjPRCUamg5P2fSrVqDHvz7WU7hoQb
0jcIu8kwtPjw5uz13OWWbmEjTwKBgQDXnDZ0nQoXUO8VkNYaWQzukIcKdB71v2DZ
KiaJvPFjTGPUwwd/kEcU7/wMet4UKff4XjOaX+f2tFZm+vrYs6RfqnLlRFlkhKJZ
HColltm8KV6w+LnwkPUuY4HnDJepU6eBC2wtGPU1n1YXCwgDL+MTIpLFuveQ9w/N
wTRP3USZsQKBgDy9Tm55IWT/QYYDskq3UT+7L6/LZGLD5u1adOxyl18qCWYFOEyC
sZGUoC5YslyPfsxEI/R5J/b3SGWA21Ks5Yxu4Su47RG+6wH/YtgAf2XC/UvKCmy6
EThTJaVcXTB6rFuD1TNm1Cte4SWZZ+hfxeg/CydzkzPMJjQ6DQll+sWhAoGBAKJj
tV//JyqIeonznE4b4/GKSStGaksM6RSm+n+jHut7DXWhrnQVZnQOi/eaUsk9Etat
nJAYy8yz5p+JSIUOSC8FYaPr5qgefWhAHj5Rb4yYXAlOTD0z8HYP3Db49QFDUFWR
FNiig4zvhRe150L/PjebQpBKUUuNyQlfCtdb/98BAoGARMZNl+0FEzw714ataoWk
1IPoe7oIzaoYTqPcpQT0AGOdfYRS3ffJFe2Foa0K7MVyxNA/OjyheYVtD2IgmoTv
WkRr6xM4nphza595yB5q+psKwOdQvP5XsyiJOXDixzn+yFIqrdQlmBNZHT1z/jwr
oBRWtTVO2aX5pBUjvBu3eQ0=
-----END PRIVATE KEY-----

6
debian/tests/control vendored Normal file
View File

@ -0,0 +1,6 @@
Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime
Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl
Restrictions: allow-stderr
Test-Command: debian/tests/upstream
Depends: @, netcat-traditional

647
debian/tests/runtime vendored Executable file
View File

@ -0,0 +1,647 @@
#!/usr/bin/perl
use v5.14;
use strict;
use warnings;
use AnyEvent;
use AnyEvent::Handle;
use AnyEvent::Socket qw(tcp_connect tcp_server);
use AnyEvent::Util qw(portable_socketpair);
use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
use IO::Handle;
use Path::Tiny 0.097;
use POSIX qw(WNOHANG);
use Socket;
# AnyEvent's TLS support seems to require this...
use threads;
my %children;
my $child_reaper_w;
my $greeting = 'Well hello there!';
sub reap_leftover_children();
sub child_reaper();
sub register_child_reaper()
{
$child_reaper_w = AnyEvent->signal(
signal => 'CHLD',
cb => \&child_reaper,
);
$SIG{__DIE__} = sub {
my ($msg) = @_;
warn "__DIE__ handler invoked: ".($msg =~ s/[\r\n]*$//sr)."\n";
reap_leftover_children;
};
}
sub unregister_child_reaper()
{
undef $child_reaper_w;
}
sub child_reaper()
{
while (1) {
my $pid = waitpid -1, WNOHANG;
my $status = $?;
if (!defined $pid) {
die "Could not waitpid() in a SIGCHLD handler: $!\n";
} elsif ($pid == 0 || $pid == -1) {
last;
} else {
$children{$pid}{cv} //= AnyEvent->condvar;
$children{$pid}{cv}->send($status);
}
}
}
sub register_child($ $)
{
my ($pid, $desc) = @_;
# Weird, but we want it to be at least reasonably atomic-like
$children{$pid}{cv} //= AnyEvent->condvar;
my $ch = $children{$pid};
$ch->{pid} = $pid;
$ch->{desc} = $desc;
}
sub dump_children()
{
join '', map {
my $ch = $children{$_};
"\t$ch->{pid}\t".
($ch->{cv}->ready
? $ch->{cv}->recv
: '(none)'
).
"\t$ch->{desc}\n"
} sort { $a <=> $b } keys %children
}
sub wait_for_child($)
{
my ($pid) = @_;
if (!defined $children{$pid}) {
die "Internal error: wait_for_child() invoked for ".
"unregistered pid $pid\n".dump_children;
}
my $status = $children{$pid}{cv}->recv;
delete $children{$pid};
return $status;
}
sub reap_leftover_children()
{
say 'Oof, let us see if there are any children left';
if (!%children) {
say 'Everyone has been accounted for; great!';
return;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
my $status = wait_for_child $pid;
say "Hm, child $pid seems to have finished already, status $status";
}
}
if (!%children) {
say 'Everyone has actually been accounted for; great!';
return;
}
for my $pid (keys %children) {
say "Pffth, sending a SIGKILL to $pid";
kill 'KILL', $pid;
}
for my $pid (keys %children) {
my $ch = $children{$pid};
if ($ch->{cv}->ready) {
wait_for_child $pid;
say "OK, $pid done";
}
}
# Bah, figure out some way to let the loop run even if we're within the loop...
if (%children) {
say 'Some children remaining, laying low for a second...';
sleep 1;
for my $pid (keys %children) {
say "- waiting for $pid ($children{$pid}{desc})";
wait_for_child $pid;
say "- OK, $pid done";
}
}
if (%children) {
say 'Something really weird happened, why are there still children around?';
say dump_children;
}
}
sub close_on_exec($ $)
{
my ($fh, $close) = @_;
my $flags = fcntl $fh, F_GETFD, 0 or
die "Could not obtain a file descriptor's flags: $!\n";
my $nflags = $close
? ($flags | FD_CLOEXEC)
: ($flags & ~FD_CLOEXEC);
fcntl $fh, F_SETFD, $nflags or
die "Could not set a file descriptor's flags: $!\n";
}
sub anyevent_socketpair($)
{
my ($name) = @_;
my ($fh1, $fh2) = portable_socketpair;
if (!defined $fh1) {
die "Could not create the $name socketpair: $!\n";
}
$fh1->autoflush(1);
$fh2->autoflush(1);
return (AnyEvent::Handle->new(fh => $fh1), AnyEvent::Handle->new(fh => $fh2));
}
sub find_listening_port($ $ $ $ $)
{
my ($address, $port_start, $step, $count, $cb) = @_;
my $res;
my $port = $port_start;
for (1..$count) {
eval {
$res = tcp_server $address, $port, $cb;
};
last if $res;
say "Could not listen on $address:$port: $@";
$port += $step;
}
if (!defined $res) {
die "Could not find a listening port on $address\n";
}
return ($port, $res);
}
my %conns;
sub register_client_connection($)
{
my ($fh) = @_;
my $sockaddr = getsockname $fh;
if (!defined $sockaddr) {
die "Could not obtain the local address of the just-connected socket: $!\n";
}
my ($port, $addr_num) = sockaddr_in $sockaddr;
if (!defined $port || !defined $addr_num) {
die "Could not decode the address and port from a sockaddr_in structure: $!\n";
}
my $addr = inet_ntoa $addr_num;
if (!defined $addr) {
die "Could not decode a numeric address: $!\n";
}
my $id = "$addr:$port";
$conns{$id}{cv} //= AnyEvent->condvar;
$conns{$id}{fh} //= $fh;
return $id;
}
sub await_client_connection($ $; $)
{
my ($lis_main, $cv, $skip_register) = @_;
my $die = sub {
warn "@_";
$cv->send(undef);
};
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's accept message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ accept \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'accept' message: $line\n");
}
my ($id) = $+{id};
$conns{$id}{cv} //= AnyEvent->condvar unless $skip_register;
$lis_main->rtimeout(10);
$lis_main->on_rtimeout(sub { $die->("The listener's close message timed out\n") });
$lis_main->push_read(line => sub {
my ($handle, $line) = @_;
if ($line !~ m{^ close \s+ (?<id> \S+ ) $}x) {
return $die->("The accept server did not send an 'close' message: $line\n");
}
my ($cid) = $+{id};
if ($cid ne $id) {
return $die->("The accept server's 'close' message had id '$cid' instead of the accepted one '$id'\n");
}
$lis_main->rtimeout(0);
$cv->send($id);
});
});
}
sub adopt_client_connection($ $)
{
my ($id, $opts) = @_;
my $w;
my $do_close = sub {
my ($err) = @_;
$w->push_shutdown;
$w->destroy;
undef $w;
undef $conns{$id}{handle};
#close $conns{$id}{fh};
if (defined $err) {
warn "$err\n";
$conns{$id}{cv}->send(undef);
} else {
$conns{$id}{cv}->send(1);
}
};
$w = AnyEvent::Handle->new(
fh => $conns{$id}{fh},
%{$opts}, # TLS or something?
on_error => sub {
my ($handle, $fatal, $message) = @_;
if (!$fatal) {
warn "A non-fatal error occurred reading from the $id connection: $message\n";
} else {
$do_close->("A fatal error occurred reading from the $id connection: $message");
}
},
rtimeout => 10,
on_rtimeout => sub {
$do_close->("Reading from the $id connection timed out");
},
);
$w->push_read(line => sub {
my ($handle, $line) = @_;
$w->rtimeout(0);
if ($line ne $greeting) {
$do_close->("The $id connection sent us a line that was not the greeting: expected '$greeting', got '$line'");
} else {
$do_close->(undef);
}
});
$conns{$id}{handle} = $w;
}
sub client_connect($ $ $)
{
my ($address, $port, $cv) = @_;
return tcp_connect $address, $port, sub {
my ($fh) = @_;
if (!defined $fh) {
die "Could not connect to the cleartext listening socket on $address:$port: $!\n";
}
my $id = register_client_connection $fh;
say "Connected to $address:$port, local $id";
$cv->send($id);
adopt_client_connection($id, {});
};
}
MAIN:
{
my $stunnel = $ENV{TEST_STUNNEL} // 'stunnel4';
my $test_done = AnyEvent->condvar;
my ($certsdir, $certfile, $keyfile);
for my $name (qw(certs debian/tests/certs)) {
my $dir = path($name);
if (-d $dir) {
$certfile = $dir->child('certificate.pem');
$keyfile = $dir->child('key.pem');
if (-f $certfile && -f $keyfile) {
$certsdir = path($dir);
last;
}
}
}
die "Could not locate the test certificates directory\n" unless defined $certsdir;
say "Found the certificate at $certfile and the private key at $keyfile";
my $tempdir = Path::Tiny->tempdir;
say "Using the $tempdir temporary directory";
register_child_reaper;
{
say 'About to get the stunnel version information';
pipe my $s_in, my $s_out or die "Could not create an fd pair: $!\n";
close_on_exec $s_in, 0;
close_on_exec $s_out, 0;
my $pid = fork;
if (!defined $pid) {
die "Could not fork for stunnel: $!\n";
} elsif ($pid == 0) {
open STDERR, '>&', $s_out or
die "Could not reopen stderr in the child process: $!\n";
close STDIN or
die "Could not close stdin in the child process: $!\n";
close STDOUT or
die "Could not close stdout in the child process: $!\n";
close $s_in or
die "Could not close the reader fd in the child process: $!\n";
exec $stunnel, '-version';
die "Could not execute '$stunnel': $!\n";
}
register_child $pid, "$stunnel -version";
close $s_out or
die "Could not close the writer fd in the parent process: $!\n";
my ($got_version, $before_version) = (undef, '');
my $eof = AnyEvent->condvar;
my $f_out = AnyEvent->io(
fh => $s_in,
poll => 'r',
cb => sub {
my $line = <$s_in>;
if (!defined $line) {
$eof->send($got_version);
} elsif (!$got_version) {
if ($line =~ m{^
stunnel \s+
(?<version> \d+ \. \S+)
\s+ on \s+
}x) {
$got_version = $+{version};
} else {
$before_version .= $line;
}
}
});
$eof->recv;
if ($before_version ne '') {
warn "stunnel produced output before the version number:\n$before_version\n";
}
if (!defined $got_version) {
die "Could not get the stunnel version number\n";
}
say "Got stunnel version $got_version";
my $status = wait_for_child $pid;
if ($status != 0) {
die "stunnel -version did not exit successfully, status $status\n";
}
}
my ($lis_listener, $lis_main) = anyevent_socketpair 'listener';
my $listen_address = '127.0.0.1';
my %listen_clear_conns;
my ($listen_clear_port, $listen_clear) = find_listening_port $listen_address, 6502, 200, 100, sub {
my ($fh, $host, $port) = @_;
my $id = "$host:$port";
say "Accepted a connection from $id";
$lis_listener->push_write("accept $id\n");
my $w;
my $do_close = sub {
$w->destroy;
delete $listen_clear_conns{$id};
};
$w = AnyEvent::Handle->new(
fh => $fh,
on_error => sub {
my ($handle, $fatal, $message) = @_;
warn "A ".($fatal ? 'fatal' : 'non-fatal').
"error occurred writing to the $id connection: $message\n";
$do_close->();
},
timeout => 10,
on_timeout => sub {
my ($handle) = @_;
warn "Writing to the $id connection timed out\n";
$do_close->();
},
on_read => sub {
my ($handle) = @_;
warn "The $id connection sent data to the server?!\n";
$do_close->();
},
on_eof => sub {
my ($handle) = @_;
say "Got an eof from $id, all seems well";
$do_close->();
$lis_listener->push_write("close $id\n");
},
);
$w->push_write("$greeting\n");
$w->push_shutdown;
$listen_clear_conns{$id} = $w;
};
say "Listening for cleartext connections on $listen_address:$listen_clear_port";
{
my $listener_test_id_cv = AnyEvent->condvar;
my $check_listen_clear = client_connect $listen_address, $listen_clear_port, $listener_test_id_cv;
my $id = $listener_test_id_cv->recv;
if (!defined $id) {
die "Could not connect to the cleartext server\n";
}
say "Got a local connection id $id";
my $listener_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $listener_test_done;
say 'Waiting for the server to acknowledge a completed client connection';
my $sid = $listener_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid ne $id) {
die "The listener did not acknowledge the same connection: expected '$id', got '$sid'\n";
}
say 'Waiting for the client connection itself to report completion';
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The client connection did not complete the chat with the cleartext server\n";
}
say 'Looks like we are done with the test cleartext connection!';
}
my $st_server_port;
{
my $dummy;
($st_server_port, $dummy) = find_listening_port $listen_address, 8086, 200, 100, sub {
my ($fh) = @_;
say "Eh, we really didn't expect a connection here, did we now...";
$fh->close;
};
say "Got listening port $st_server_port for the stunnel server";
undef $dummy;
say 'Let us hope this was enough to get stunnel to listen there...';
}
my ($st_pid, $st_logfile);
{
my $st_config = $tempdir->child('stunnel.conf');
$st_logfile = $tempdir->child('stunnel.log');
my $st_pidfile = $tempdir->child('stunnel.pid');
$st_config->spew_utf8(<<"EOCONF") or die "Could not create the $st_config stunnel config file: $!\n";
pid = $st_pidfile
foreground = yes
output = $st_logfile
cert = $certfile
key = $keyfile
[test]
accept = $listen_address:$st_server_port
connect = $listen_address:$listen_clear_port
EOCONF
say "Created the stunnel config file $st_config:\n======\n".$st_config->slurp_utf8.'======';
$st_pid = fork;
if (!defined $st_pid) {
die "Could not fork for the stunnel server: $!\n";
} elsif ($st_pid == 0) {
my @cmd = ($stunnel, $st_config);
exec { $cmd[0] } @cmd;
die "Could not execute '@cmd': $!\n";
}
say "Started the stunnel server, pid $st_pid";
register_child $st_pid, "stunnel server ($listen_address:$st_server_port)";
}
{
for my $iter (1..10) {
say "Trying a connection through stunnel, iteration $iter";
my $st_conn_cv = AnyEvent->condvar;
my $st_conn;
{
my $st_conn_attempts = 10;
my $st_conn_timer;
$st_conn_timer = AnyEvent->timer(after => 0.1, interval => 1, cb => sub {
say "Trying to connect to the stunnel server at $listen_address:$st_server_port";
$st_conn = tcp_connect $listen_address, $st_server_port, sub {
my ($fh) = @_;
if (!defined $fh) {
# FIXME: Eh, well, reschedule, right?
say "Could not connect to $listen_address:$st_server_port: $!";
if ($children{$st_pid}{cv}->ready) {
say 'Err, the stunnel process seems to have terminated';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
$st_conn_attempts--;
if ($st_conn_attempts == 0) {
say 'Time after time...';
undef $st_conn_timer;
$st_conn_cv->send(undef);
return;
}
say 'Will retry in a little while';
return;
}
say '...connected!';
$st_conn_timer = undef;
$st_conn_cv->send($fh);
};
});
}
my $st_conn_fh = $st_conn_cv->recv;
if (!defined $st_conn_fh) {
my $log_text = (-f $st_logfile)
? "$st_logfile contents:\n".$st_logfile->slurp_utf8
: "(no log information)";
$log_text .= "\n" unless $log_text =~ /\n\Z/ms;
die "Could not connect to the stunnel service:\n$log_text";
}
my $id = register_client_connection $st_conn_fh;
say "Registered a client connection as $id";
adopt_client_connection $id, { tls => 'connect', };
say 'Waiting for the cleartext listener to receive this connection';
my $stunnel_test_done = AnyEvent->condvar;
await_client_connection $lis_main, $stunnel_test_done, 1;
my $sid = $stunnel_test_done->recv;
if (!defined $sid) {
die "The listener did not acknowledge the connection\n";
} elsif ($sid eq $id) {
die "The listener reported the same connection ID '$id'?!\n";
}
say "The server reported a completed connection: $sid";
my $res = $conns{$id}{cv}->recv;
if (!defined $res) {
die "The connection to stunnel did not report a successful chat\n";
}
say "The stunnel connection seems to have gone through for iteration $iter";
}
}
{
say "Trying to stop stunnel at pid $st_pid";
kill 'TERM', $st_pid or
die "Could not send a terminate signal to the stunnel at pid $st_pid: $!\n";
my $status = wait_for_child $st_pid;
if ($status != 0) {
die "The stunnel process terminated with exit status $status\n";
} else {
say 'The stunnel process terminated successfully';
}
}
{
say 'Checking for leftover children';
if (%children) {
# Our 'die' handler will kill and reap them.
die "Child processes left over:\n".
dump_children;
} else {
say 'No child processes left over';
}
unregister_child_reaper;
};
{
say 'Making sure the AnyEvent loop is still sane';
if ($test_done->ready) {
die "The AnyEvent loop raised the flag prematurely\n";
}
$test_done->send(42);
my $res = $test_done->recv;
if ($res != 42) {
die "The AnyEvent loop does not seem to be quite alive and sane, got a result of '$res' instead of 42\n";
}
say 'Fine!';
};
}

15
debian/tests/upstream vendored Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
set -e
ln -s /usr/bin/stunnel4 src/stunnel
cd tests
if ! ./make_test; then
printf '\n\n=== Some tests failed; here are all the logs...\n\n' 1>&2
for fname in logs/*.log; do
printf -- '\n\n=== %s\n\n' "$fname" 1>&2
cat -- "$fname" 1>&2
done
false
fi

5
debian/upstream/metadata vendored Normal file
View File

@ -0,0 +1,5 @@
Name: stunnel
Bug-Submit: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Contact: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
FAQ: https://www.stunnel.org/faq.html
Security-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>

111
debian/upstream/signing-key.asc vendored Normal file
View File

@ -0,0 +1,111 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
iQI4BBMBAgAiBQJU1Q1lAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCx
BIky3Tqqo71TEACWO31ZIOrknCsgmE90Q0yBPYD8CA8aM9OLO9qVYRR+SKQ6VAFn
/qWCoG/z3aMOUJJFDMmBDTSiGZ43jReQVc1PvoNUKFXkD13vrDNGg+IMr+jefjy/
RkFC5rdIAOzl6nMRFH5D/KDtvuXUGfjaN9NorCyv5acOa6GinTFANHYW79DSvt0d
aTG0RFimVTKtAh8oxxBGGUvZ/60SJT5I3pwKKX5t6t+LaUgUz/55p5j36dyhZTmk
X6jVyczkfjBwy9i2jD8kZ1w+EQOPGy1hHCHaaN5ku3Bh4hiZrlh8ncpipOMeOJ5Y
71Cze/JROyu3jkR/59LuPJLbUkwNPZXuMM+D4EY19NWKqWFgcsjaF5juS36xgblQ
odAOXBZcnzH14bxlRElWNLhMib+piIL0BaK2cpplwJ+bzQRkyWzqrl5xu/AeE/fQ
BdeRxL1jg4e9Ozei4Pkz0acoxIg2mdR6b36UpOWKvBQYZ8m4TbsWBRrDjcxKeul7
ObsodFoGTteRxqN9glhNd+n5bJAesGzUN86e3NmCoxCUQMaKlrMEVUMwaaSOVWYN
CfwXSe42dK2ZrV4psIYIwfktTkF60N3KeBbTs7/HhS/R229+lQCL90bcKRiv2Szc
vqR6v78xnbnANm0SX/b6M7xNBf8lWXwS9TlR9AzA4XC7FqNLYTMGV56TmLQrTWlj
aGHFgiBUcm9qbmFyYSA8TWljaGFsLlRyb2puYXJhQG1pcnQubmV0PokCOAQTAQIA
IgUCVNTpjAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQsQSJMt06qqOP
9Q/+MNv7sHcx1y4xH4iysPmjL+ABTonZeUIW/j1Mlgve8jxta7ApuDm0WIgMQd/p
WgjG88g/2hSs1DRmuo67pP+v3l+HgmhQaqQe9XoaQHyygfrDwGEKAjA5++6hg88X
F5GNuchUoY2wHCLByuxdaaT9wDSUGHzj+VlQYcaVqry/u8+wRhuxr89avh7nebj2
Dw1qkIuR6+wuaYAU19mazzmdnDLh/3rYHT7vVJt751JHyx4fnJtKI7eDWxpSGfhc
K63SWtHToJKg4jbdIZMORVVvOetpRbPvF8qoR32LZSfF/rPJtNhWgcsLUCpZn6Ey
G6jigx8mhY2WupRNHutSES+qKNffCMi7fbpQfl4wJqzlNxJJK1zGu2ox255l+fXJ
eQJh7fvvcNieuQApKhOL+mOz1fyRnUhx/GjGncOmCgZldTLEF8DeHuuluXgFlDXJ
cX6poh7vyt3uJ14SCyiV1cLnXmCoxXRmQNlb4zTGoAvfOw/DFH3EzQ44dK/Z1HOI
fJeYILxe+JP2E8TNXUvr/wck12yQ8kaqFzHSQBcV+0S49+pIpoK475LVrOs6S9Jj
hMt4WVfX4PY+IE8wGnZyJw1gvPXdk1P98lHR/Fv0WG/kWiemrDXPM1tjnIas6EGm
zxT/iywGF4tdsVHviETVgRGpKHgEtB/hwsCeGUTAmHDbXQS0L01pY2hhxYIgVHJv
am5hcmEgPE1pY2hhbC5Ucm9qbmFyYUBtb2JpLWNvbS5uZXQ+iQI4BBMBAgAiBQJU
1Q03AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCxBIky3TqqoyVkEACt
MHa7x5PQ0ZNJ8TrvVd/VrT5USuHwwFwnnsYUNzSc95gSwSEaPC3xwgs9cX3VRmOw
b3IiCQQ7R0EamH/ydmZnlesbCsnamLl6dEmzS284lnnMd5X0wep2qq3SlS1z+5wW
4ZnoodX98E7RyecjMYPLH+uAqGqg3nHG8eOpoSDMvIOJtOIvDc9Y6tbNsBbeKbOC
yB7A08TMzVqayQvXzm6QShHTicra69oqIzhmu2zII3ZWVwkfEGweuN0vdocoXiqr
entcyF3KLUX/LooDzdCAxuoJdovg41E69rXEWF//IP5XBT0LUDTzqwmBe7nOfoJF
2RAHn3ySogdL6WNSGaH5B5NK1jGflj/Hr/HBHIYYx820P4aEXSyxbLQW1F0HWlAA
Q9+EmjJssbv7cIq2DV2Ls3AOeY0GAWhTdvUVdVpOG+TuWRUi61XwjWPfvrJDH8ME
oLRb2MhNRffle8hSdF8TP4CO1TCxtSFs0NXT1I/HazvacHzvbXspFDJvbYJsy+pR
vOsf2QCcY5xb633duU60+IHJ9GMOV/ZqQR744wAxu+e/ZHpa2+mpI9VpTMuBTMFC
OQKbiLacsDJtFqsenZAyhcTU4DPFa0bkMO67Gwl0skuk2x8/0R3EgJ9JvNlsEz6v
BaHpWhEddU1m6FMKKZkfo0xnyFr/WPT6zti9iKTnIbkCDQRU1OvDARAA8gIC641d
K6ap9W1K3EkqRn0z6zizdVGr/jvf8xFXeUq+auxixZ0tEY6NM5CBSya5BCK9IGVW
mJNbazyWUa4llA6EvmUxcTeGE7ppQA4Kl1bzvUq5upo+8+0VuqvLC/bVz0DUnFSW
JYHAZrPZ+yO0yMq8vaGTo5kwKixQ4Ni+N+1EiALKZex1g6UW9d0HAcYEa/lTWhz3
J0V1yyY4Vov30gtoo67KkSC/SswZzIR00CQGrz3twlGuB73Sm1YfqDqbY8dQLJey
U0ovIeU95VI5cQF6D1H8YdaMWQm6MtVAfIX5WMoH+eq4Ank9hilReGANkIWNSqM2
1Drdu3crbGIYiZPEadKfGxwquwvRDTEgD4gjqMvEdxA2W6s4WR36SwMkeOtESj21
MiR2YDcbIzIbUh9p0P8DZGvQcVh45jCgdOcL5th9R076npXHn8FIe2IfAZnX1Onp
sKn/YqJ0wNFhGYWxV/yZA10NbFKFXhD1FGqrOz6lSqmqDz00tXofF432ae+7PzTP
9n4cij4k0SYG1l/LThnOYL3SNUCG3rCASeWoXmhxCYRGi0Xw3IJrcpVNmNQD+SLL
TjVB94AlDjSlx1q0V+9ymhGHi51wsBSajMwDexaSI/WM1y9lROwl7eeAD41fPArz
TleAqT89akWLevTBLWvj59mku9vZAW26/1UAEQEAAYkCHwQYAQIACQUCVNTrwwIb
DAAKCRCxBIky3Tqqo2NCEACHJ7e0l8NhS4slfzej1AAXOwL1wDexn6thpgexAyqZ
LIaibqhIybhSo1LOL1NY/55ytscbOQL7NliRAXVN6F9lcer+qzxL5JgxzUU6drya
pNZYs06u3wfr8ZtSbvIAON/w89tm9tHxoNUIYZZUZROFBW6fn8RkhboQs0hJFxWf
WghOxhS0TXJ8/MZ4YcfDy+Ew6LIAym3A1XY+++2VMEHqKcyhU95W5sqAsfO5MkRW
a0E9JTS2dWTteNTWPonywJGX/mSVVMZgOZF6o32Vb9LTnB676YQaPiMlu2qg+vRk
RM/zyGjvPx7hilf68CWxZcIHslfp5gJV6RvtlK+muEvIkSmNYyi8hQp1Y5C6uWb9
JWt/9ISJ+Xz+n+5nAHEUzW/LeEDyhjVlS9vOoAAy18r47mQybzJ2q2zOHo9zl3fK
OJ2S4SFBKGHuIhPOxG2CruhxN9U5+RwTDqKECeuCZROMYQLzlmIP2vM/NuFVhQm8
iNhbTvEenh4mWD4IuOHJkqvzKKzAXllosuUK4B0kblh4GaOVmEjaXGw8789rOlQz
D5566SgKPDNUtom5/eIcy6/UYBoFd7lLltIVSSCA1VUMU4MWJgjwa9gk6MxoNe8d
cJ197oQMfhZNjJ80S5C+a2al4wrR2vL/3hXhy2M2kG73RLSzxEiVoJsG+hbzNtfI
a7kCDQRU1O5ZARAA1pGrQ1V3YMXF3DzwvA/uWb912pwqUvMAAKvYCDiELIOP07c3
2+z04N/bOXjiZ2Jb8AuICj4v92tXAygtf18zxwoU8AOXiuScP3wy1ZprBw8k71dN
y0XmEXbiX7tkLoe0OzWlCaNTajSXTELT+nYHTOkBsrC4T+y7AwYueQJYUaRkJR/5
Tc68UnRSO295pgJd7EoWWAky3bdH+TKN0MsagCJwa+RrXFGtIKjU0XAKsddTxQKx
2SUGF0QVdNZ/14Duo73btoXtHgB0oxewnsiJp5XKWYm57RSNLv1LKr26iSUtUM1C
AIZALuGMAyQXVEo7OmzuZmN0yRYM7FSnpG4rIDnDxYhDTaa+xWb738V8uLQDZAVn
AuBEhq1RQEDrRM/XLbibvVBzpd+JI9WneNEp0ehq5sEC6FbKYz0HqVk2SH1Dpb0t
grtxz3c7rPs7vRdmFMxTuYctSzuqNHpKX+C6rgyAW2sxEKD0ys8OYEa3hvrQFSAz
nM/j3X8dge1DriHIQd/Dt4+LMdPcsQk3vty7pYxZIDRa9hl7ngaesQSZ/7PV/cj7
U7qieTr1ulO1Gc5GcyS2Hu4P9109HX1tBEQvGHpbqe9Lc2d0VKgHVjG9vDLrE1h/
qXKbmn0LF1YR4djaM+sYCfYOO+WzZKUACPdMq3Lid/3oQ71p6eNgu6lQcgEAEQEA
AYkEPgQYAQIACQUCVNTuWQIbAgIpCRCxBIky3Tqqo8FdIAQZAQIABgUCVNTuWQAK
CRAu/H/w1BbgFNx6EACR7CKB3Mv2lNaRRraVRwjNrumyODqsnX/oe3lad04iCBb9
JxGyNyTGF0s6teoaocXxIeZ50bF7GuYcnepMGpniMCkE2ymlM6ruFNNTUYC02Fsr
owKQboC7S5DN2l7lb4nlgyDX7nOlOMmhTc3D/QsduMyS9H5kjFFKtzLYOwREV/RH
I/wQUyTyze8qs/BxpT3/HsSJuGZybLSd/fmeM43xghcdfDgKTaGkFkhhW7UWgtOh
QtYxr0VD4HEw4C+nMyksqKAIFMBjJAqtsuWeSgavVrbU8KrzlcJFHSrovZ7Pi0mK
MYHGomPstZcZxwr15t3BhDvogMSRscU1mLUigLEGiWxPVxtQlmHTZfMns4Cy04S7
jK4Gix0PN4Xi/9rOcLFCb5zddcLVrqiuT+dt/O/TPKUKHTvLL1gF4Dlypbu8TQWt
O7xDSPy7wSdPWUN5GBjsxbZfVlWpvvVMmGUuygIl0LkrJLKGxk36AnNpEPqsQ9e9
Rsgu5dP9lGPz3igxE3p+UlhWo5eqJqZwAfEFb+0PQzKSQ6zIFQAf50eSI/pWf+Xp
9XOT47d4y8aWzHA7T/ja9tbyd+eg71ZOqOFtVP8zFWvmPnoosxrBR7qK/RBY5/PX
KhfG10yEYXSjTap4dmsy430l8Mcuqo55iixgT5vxZfTeyFjTjHmjuHD1rTTfpXk4
D/9GI9cIfrWczhrbWN8BoP66ImMXpVhZzDt6S5u9dHSNJdqivDzCkktb/psXILvv
u3qLmb1nJbsNzN9GJm6LoduzCJ4SqaodjhMkNi/Tc95dx0n2cCP2Rh/jvzo7zrqQ
O09c8at/pFEiF8LgUlc5QaB/GNhXBqJog2yOzUPGKq0OMy/wttW42TCe7V+J8fnn
16xfGhnVwmiWRQaqdCiFDY2IiOHhnRwfJVANrddfuU/AJ8vY8XXzrxI7YZL43V53
0Wich1VB00XLFU8aj08FsjdFvR77AAxFU+Cd6sH6yq6jsRXppQ0BOO15aR+wopEv
tKwDdRu3TaweC1XMLLQ4XuN9Ql0bMH0d626uMG2zUfZGO1jNTOS4sUhEqJsImbsL
/hgNDKYvfo0wSHPWmQo9njw7aG8Mey77I3fL1ELj/Tfa86njPpJ/tmFMLV9ntWAC
cW/c3tojdcP278rTw/4zk+Sr2Zv+3bP1yjJd0z4B3gYYz2BUYTU7dyiA41Kgk4Zf
V1n2NUAxQJYzvEIAZcMEWA3rOTb+AjcBVXX89Gk0BEykVmA9G808tbmI+4DUd2c/
+d1xeufb43TGOiwKqwY+Os9iey3FbsnoYuzKPsd5LByJFEudbMB152h95u/NysaM
0AjC+yPtlpSLUIaDUW75VAlQKPWj1Ag5uVpc2ScMEjevQQ==
=muMw
-----END PGP PUBLIC KEY BLOCK-----

8
debian/watch vendored Normal file
View File

@ -0,0 +1,8 @@
version=4
# Latest version is directly at /stunnel
opts=pgpsigurlmangle=s/$/.asc/ \
https://www.stunnel.org/downloads.html downloads/stunnel-([\d.]+)@ARCHIVE_EXT@ debian
opts=pgpsigurlmangle=s/$/.asc/,pasv \
ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-([\d.]+)@ARCHIVE_EXT@