Compare commits
12 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
3f780093b7 | ||
|
a4672526d7 | ||
|
814d9ca18b | ||
|
10de5e9e32 | ||
|
98b4ec0cd9 | ||
|
8e9bdf3481 | ||
|
18f12ad1bc | ||
|
83fe2cf45c | ||
|
595593c0e7 | ||
|
4e8986c5ef | ||
|
b8998ae382 | ||
|
8e474e5321 |
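--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -0,0 +1,84 @@
+This is the Stunnel 4.x package for Debian.
+
+* Upgrading from stunnel to stunnel4
+
+Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
+different command line syntax and configuration. You will need to
+update your scripts.
+
+The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
+syntax and calls stunnel4 with appropriate options. It appears to
+support every stunnel3 option *except* -S (which controls the defaults
+used for certificate sources).
+
+* Basic configuration
+
+After installation, you should :
+
+- edit /etc/stunnel/stunnel.conf
+
+- edit /etc/default/stunnel and set ENABLE=1, if you want your
+configured tunnels to start automatically on boot.
+
+- generate a certificate for use with stunnel if you want to use server mode
+
+Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
+configuration. It is very simple and only includes a couple of configuration
+options. This script is located in
+/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
+
+It requires libgnome2-perl and libgtk2-perl.
+
+* How to create SSL keys for stunnel
+
+The certificates default directory is /etc/ssl/certs, so cd into that dir
+and issue the command:
+
+openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
+
+Fill in the info requested.
+
+Change 'stunnel.pem' to the name of the certificate you need to
+create. stunnel.pem will be used by default by stunnel, but you want
+to create different certificates for different services you run with
+stunnel. Make sure only root can read the file (or only the user that
+needs to read it, if stunnel is run as that user):
+
+chmod 600 stunnel.pem
+
+Now you need to append the DH parameters to the certificate.
+
+First you need to generate some amount of random data:
+
+dd if=/dev/urandom of=temp_file count=2
+
+Use /dev/random if you want a more secure source of data, but make
+sure you have enough entropy on you system (the output file should be
+at least 512 bytes long).
+
+And now make openssl generate the DH parameters and append them to the
+certificate file:
+
+openssl dhparam -rand temp_file 512 >> stunnel.pem
+
+You also want to link the certificate to its hash name so that openssl
+can find it also by that means:
+
+ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
+
+Read the manual page for openssl for more info on the various options.
+
+* FIPS
+
+Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
+using it requires stunnel to be compiled statically against OpenSSL and all
+supporting libraries. Thus, this option is disabled in the Debian package.
+
+See the OpenSSL FIPS User Guide at
+https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
+and the OpenSSL notes about FIPS 140-2 at
+https://www.openssl.org/docs/fips/fipsnotes.html
+
+- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
+
+-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z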
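--- a/debian/StunnelConf-0.1.pl
+++ b/debian/StunnelConf-0.1.pl
@@ -0,0 +1,477 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2004 Sergio Rua <srua@debian.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+#
+# On Debian GNU/Linux systems, the complete text of the GNU General
+# Public License can be found in `/usr/share/common-licenses/GPL'.
+
+use strict;
+use Gtk2;
+use Gnome2;
+use Gtk2::SimpleList;
+
+use constant TRUE => 1;
+use constant FALSE => 0;
+# Please configure if necessary!
+my $cfgfile = "/etc/stunnel/stunnel.conf";
+my $backup_cfg = 1;
+my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g;
+
+# global variables
+my $ekey;
+my $ecert;
+my $verify;
+my $app;
+my $elog;
+my $clientmode;
+my $debuglevel;
+my $capath;
+my $list;
+
+
+sub mydie
+{
+my ($msg)=@_;
+
+print "$msg\n";
+Gtk2->main_quit;
+exit (-1);
+}
+
+
+sub sel_file
+{
+my ($title,$entry,$isfile)=@_;
+
+my $fsel=Gtk2::FileSelection->new($title);
+$fsel->ok_button->signal_connect("clicked",sub {
+print "OK: ". $fsel->get_filename."\n";
+$entry->set_text($fsel->get_filename);
+$fsel->destroy;
+});
+$fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; });
+
+$fsel->show;
+}
+
+sub add_connection
+{
+my $win = new Gtk2::Window("toplevel");
+$win->set_position("center");
+
+my $vbox = new Gtk2::VBox( 0, 2 );
+$win->add($vbox);
+$vbox->show;
+my $druid = new Gnome2::Druid;
+$druid->signal_connect("cancel", sub { $win->destroy; } );
+$vbox->pack_start($druid,0,0,0);
+my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START");
+$druid_start->set_title("Connections setup");
+$druid_start->set_text("Please follow this configuration wizard to ".
+"configure your connections\n");
+# $druid_start->set_watermark($logo);
+$druid_start->show;
+$druid->append_page($druid_start);
+
+# Second Step: accepting connections
+my $druid_name = new Gnome2::DruidPageStandard();
+$druid_name->set_title("Connection name");
+my $dvbox=new Gtk2::VBox(2,2);
+my $dtable=new Gtk2::Table(2,2,FALSE);
+$dvbox->pack_start($dtable,FALSE,FALSE,0);
+
+my $label=new Gtk2::Label("Enter this connection name");
+$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
+my $ename=new Gtk2::Entry();
+$dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0);
+$druid_name->append_item("",$dvbox,"");
+$druid_name->show_all;
+# add page to the druid
+$druid->append_page($druid_name);
+
+
+# Second Step: accepting connections
+my $druid_accept = new Gnome2::DruidPageStandard();
+$druid_accept->set_title("Accepting connections");
+my $dvbox=new Gtk2::VBox(2,2);
+my $dtable=new Gtk2::Table(2,2,FALSE);
+$dvbox->pack_start($dtable,FALSE,FALSE,0);
+
+my $accept_error=new Gtk2::Label("");
+$dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0);
+my $label=new Gtk2::Label("IP or hostname");
+$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
+my $eip=new Gtk2::Entry();
+$dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0);
+
+my $label=new Gtk2::Label("Port number");
+$dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0);
+my $eport=new Gtk2::Entry();
+$dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0);
+
+$druid_accept->append_item("",$dvbox,"");
+$druid_accept->show_all;
+# add page to the druid
+$druid->append_page($druid_accept);
+
+# Third Step: connecting to...
+my $druid_connect = new Gnome2::DruidPageStandard();
+$druid_connect->set_title("Connection To...");
+my $dvbox=new Gtk2::VBox(2,2);
+my $dtable=new Gtk2::Table(2,2,FALSE);
+$dvbox->pack_start($dtable,FALSE,FALSE,0);
+
+my $label=new Gtk2::Label("IP or hostname");
+$dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0);
+my $etoip=new Gtk2::Entry();
+$dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0);
+
+my $label=new Gtk2::Label("Port number");
+$dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0);
+my $etoport=new Gtk2::Entry();
+$dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0);
+
+$druid_connect->append_item("",$dvbox,"");
+$druid_connect->show_all;
+# add page to the druid
+$druid->append_page($druid_connect);
+
+
+# Finishing and adding connection
+my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH");
+$druid_finish->set_title("Configuration Finished.");
+$druid_finish->set_text("The configuration has been finished. Click to either save or cancel");
+# $druid_finish->set_logo($logo2);
+$druid_finish->signal_connect("finish", sub {
+my $acip=$eip->get_text();
+my $acport=$eport->get_text();
+my $coip=$etoip->get_text();
+my $coport=$etoport->get_text();
+
+my $dslist = $list->{data};
+push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ];
+
+
+$win->destroy;
+});
+$druid_finish->show;
+$druid->append_page($druid_finish);
+$druid->show;
+$win->show;
+}
+
+sub load_config_file
+{
+my $con=$list->{data};
+my $name="";
+my $accept="";
+my $connect="";
+
+if (! -s $cfgfile) {
+print "Config file not found. Starting from scratch!\n";
+return (0);
+}
+
+open F, "<$cfgfile" or die "$cfgfile: $!\n";
+
+while (<F>) {
+$_=~s/\n//g;
+if ($_=~/^cert.*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+$ecert->set_text($value);
+} elsif ($_=~/^key.*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+$ekey->set_text($value);
+} elsif ($_=~/^verify.*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+if ($value==1) {
+$verify->entry->set_text("verify peer certificate if present");
+} elsif ($value==2) {
+$verify->entry->set_text("verify peer certificate");
+} elsif ($value==3) {
+$verify->entry->set_text("verify peer with locally installed certificate");
+} else {
+$verify->entry->set_text("no verify");
+}
+} elsif ($_=~/^client.*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+$clientmode->entry->set_text($value);
+} elsif ($_=~/^(capath|CApath).*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+$capath->set_text($value);
+} elsif ($_=~/^debug.*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+$debuglevel->entry->set_text($value);
+} elsif ($_=~/^output.*=.*/) {
+(undef,my $value) = split "=",$_;
+$value=~s/(\ |\t)//g;
+$elog->set_text($value);
+} elsif ($_=~/^\[.*/) {
+$_=~s/\[//g;
+$_=~s/\]//g;
+$name=$_;
+} elsif ($_=~/^accept.*=.*/) {
+(undef,$accept) = split "=",$_;
+$accept=~s/(\ |\t)//g;
+} elsif ($_=~/^connect.*=.*/) {
+(undef,$connect) = split "=",$_;
+$connect=~s/(\ |\t)//g;
+}
+
+# load connection
+if (($accept) && ($name) && ($connect)) {
+push @$con, [ $name, $accept, $connect ];
+$name=$connect=$accept="";
+}
+}
+close F;
+
+}
+
+sub save_config_file
+{
+if ($backup_cfg) {
+chdir ($base_cfg_dir);
+rename($cfgfile,$cfgfile.".$$") or
+print "Error at \n$cfgfile: $!\nNo backup made!\n";
+}
+open O, ">$cfgfile" or
+mydie "Cannot open config file: $!\n";
+
+print "Saving $cfgfile\n\n\n";
+print O "# Configuration file created by \"stunnelconf\" by ".
+"Sergio Rua <srua\@debian.org>\n\n";
+if ($ekey->get_text()) {
+print O "key = ".$ekey->get_text()."\n";
+}
+if ($ecert->get_text()) {
+print O "cert = ".$ecert->get_text()."\n";
+}
+print O "verify = ".$verify->entry->get_text()."\n";
+print O "output = ".$elog->get_text()."\n";
+print O "client = ".$clientmode->entry->get_text()."\n";
+print O "debug = ".$debuglevel->entry->get_text()."\n";
+print O "CApath = ".$capath->get_text()."\n";
+print O "\n\n"; # just some spaces
+
+my @rowref = @{$list->{data}};
+my $i=0;
+
+for $i (0 .. $#rowref) {
+print O "[".$rowref[$i][0] . "]\n";
+# if no hostname, ugly ":" to be removed
+$rowref[$i][1]=~s/^://g;
+$rowref[$i][2]=~s/^://g;
+print O "accept = ".$rowref[$i][1] . "\n";
+print O "connect = ".$rowref[$i][2] . "\n";
+print O "\n"; # just some spaces
+}
+
+close O;
+Gtk2->main_quit;
+return 0;
+}
+
+
+sub create_main_win
+{
+$app = Gnome2::App->new ("stunnel-conf");
+$app->set_default_size(470,410);
+$app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } );
+$app->set_title("Stunnel Configuration");
+
+my $vbox=Gtk2::VBox->new(FALSE,0);
+my $frame=Gtk2::Frame->new("Common options");
+$vbox->pack_start($frame,TRUE, TRUE, 0);
+
+my $table=Gtk2::Table->new(6, 2, FALSE);
+$frame->add($table);
+
+my $label0=Gtk2::Label->new("Private Key");
+$table->attach($label0,0,1,0,1,["fill"],["fill"],0,0);
+my $label1=Gtk2::Label->new("Certificate");
+$table->attach($label1,0,1,1,2,["fill"],["fill"],0,0);
+my $label2=Gtk2::Label->new("Verify level");
+$table->attach($label2,0,1,2,3,["fill"],["fill"],0,0);
+my $label3=Gtk2::Label->new("Log output");
+$table->attach($label3,0,1,3,4,["fill"],["fill"],0,0);
+my $label4=Gtk2::Label->new("Client mode");
+$table->attach($label4,0,1,4,5,["fill"],["fill"],0,0);
+my $label5=Gtk2::Label->new("Debug level");
+$table->attach($label5,0,1,5,6,["fill"],["fill"],0,0);
+my $label6=Gtk2::Label->new("Certificates path");
+$table->attach($label6,0,1,6,7,["fill"],["fill"],0,0);
+
+# Private Key
+my $hbox0=Gtk2::HBox->new(FALSE,0);
+$table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0);
+
+$ekey=Gtk2::Entry->new();
+$hbox0->pack_start($ekey,TRUE,TRUE,0);
+
+my $bkey=Gtk2::Button->new_from_stock("gtk-open");
+$bkey->signal_connect("clicked",sub {
+sel_file("Select private key",$ekey);
+});
+$hbox0->pack_start($bkey,FALSE,FALSE,0);
+
+# Certificate
+my $hbox1=Gtk2::HBox->new(FALSE,0);
+$table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0);
+
+$ecert=Gtk2::Entry->new();
+$hbox1->pack_start($ecert,TRUE,TRUE,0);
+
+my $bcert=Gtk2::Button->new_from_stock("gtk-open");
+$bcert->signal_connect("clicked",sub {
+sel_file("Select certificate",$ecert);
+});
+$hbox1->pack_start($bcert,FALSE,FALSE,0);
+
+# Auth level - verify
+$verify = Gtk2::Combo->new();
+$verify->entry->set_text("no verify");
+$verify->set_popdown_strings(("no verify",
+"verify peer certificate if present",
+"verify peer certificate",
+"verify peer with locally installed certificate"));
+$table->attach($verify,1,2,2,3,["fill"],["fill"],0,0);
+
+# Log output
+my $hbox2=Gtk2::HBox->new(FALSE,0);
+$table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0);
+
+$elog=Gtk2::Entry->new();
+$hbox2->pack_start($elog,TRUE,TRUE,0);
+
+my $blog=Gtk2::Button->new_from_stock("gtk-open");
+$blog->signal_connect("clicked",sub {
+sel_file("Select log file",$elog);
+});
+$hbox2->pack_start($blog,FALSE,FALSE,0);
+
+# Client mode
+$clientmode = Gtk2::Combo->new();
+$clientmode->entry->set_text("no verify");
+$clientmode->set_popdown_strings(("yes","no"));
+$table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0);
+
+# Debug level
+$debuglevel = Gtk2::Combo->new();
+$debuglevel->entry->set_text("no verify");
+$debuglevel->set_popdown_strings(("0","1","5","7"));
+$table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0);
+
+# CA path
+my $hbox3=Gtk2::HBox->new(FALSE,0);
+$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0);
+
+$capath=Gtk2::Entry->new();
+$hbox3->pack_start($capath,TRUE,TRUE,0);
+
+# my $bcapath=Gtk2::Button->new_from_stock("gtk-open");
+# $bcapath->signal_connect("clicked",sub {
+# sel_file("Select Certificates Path",$capath);
+# });
+# $hbox3->pack_start($bcapath,FALSE,FALSE,0);
+
+# connections section
+my $frame2=Gtk2::Frame->new("Connections");
+$vbox->pack_start($frame2,TRUE, TRUE, 0);
+
+my $hbox4=Gtk2::HBox->new(FALSE,0);
+$list=Gtk2::SimpleList->new (
+'Name' => 'text',
+'Accept' => 'text',
+'Connect' => 'text',
+);
+# $list->get_selection->set_mode ('multiple');
+my $scwin = Gtk2::ScrolledWindow->new;
+$scwin->set_policy (qw/automatic automatic/);
+$scwin->add($list);
+
+$hbox4->pack_start($scwin,TRUE,TRUE,0);
+
+# list buttons
+my $vbbox=Gtk2::VButtonBox->new();
+$vbbox->set_layout('spread');
+my $badd = Gtk2::Button->new_from_stock('gtk-add');
+$badd->signal_connect( 'clicked' => sub { add_connection; } );
+$vbbox->add($badd);
+
+
+# my $bedit = Gtk2::Button->new_from_stock('gtk-properties');
+# $bedit->signal_connect( 'clicked' => sub {
+# print "Edit\n";
+# } );
+# $vbbox->add($bedit);
+
+
+my $brem = Gtk2::Button->new_from_stock('gtk-remove');
+$brem->signal_connect( 'clicked' => sub {
+my @sel = $list->get_selected_indices;
+print @sel;
+foreach my $i (@sel) {
+delete $list->{data}[$i];
+}
+} );
+$vbbox->add($brem);
+
+$hbox4->pack_start($vbbox,FALSE,FALSE,0);
+
+# main buttons!!!
+my $bbox=Gtk2::HButtonBox->new();
+$bbox->set_layout('spread');
+
+my $bok = Gtk2::Button->new_from_stock('gtk-ok');
+$bok->signal_connect( 'clicked' => sub { save_config_file; } );
+$bbox->add($bok);
+
+my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
+$bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
+$bbox->add($bcancel);
+
+$vbox->pack_start($bbox,FALSE,FALSE,0);
+$frame2->add($hbox4);
+
+
+# App contents and show them
+$app->set_contents($vbox);
+$app->show_all;
+}
+
+#
+# MAIN MAIN MAIN
+#
+
+
+#
+Gnome2::Program->init ("stunnelconf", "0.1");
+$app=create_main_win;
+load_config_file;
+
+Gtk2->main;
+
+exit 0;
+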
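Review bot: `save_config_file` writes the combo label straight into the file (`print O "verify = ".$verify->entry->get_text()."\n";`), so a saved config holds `verify = verify peer certificate` or `verify = no verify`, while `load_config_file` in the same script only recognises the numeric levels 1 to 3. A file written by this tool therefore does not round-trip, and the certificate-verification level the operator picked is not stored as the number stunnel's `verify` option takes. Mapping the label back to its level before printing, and leaving the line out for "no verify", would fix that. The Client mode and Debug level combos in `create_main_win` are also initialised with the text "no verify", which may reach `client =` and `debug =` when those entries are left untouched. The same function truncates the config with two-argument `open O, ">$cfgfile"` even when the preceding `rename` backup failed and was only printed.

```perl
# … unchanged: backup rename, open O, key and cert lines …
my %level_for = (
    "verify peer certificate if present"             => 1,
    "verify peer certificate"                        => 2,
    "verify peer with locally installed certificate" => 3,
);
my $level = $level_for{ $verify->entry->get_text() };
print O "verify = $level\n" if defined $level;
# … unchanged: output, client, debug, CApath lines and the connection loop …
```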
1324
debian/changelog
vendored
Normal file
1324
debian/changelog
vendored
Normal file
File diff suppressed because it is too large
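--- a/debian/clean
+++ b/debian/clean
@@ -0,0 +1,6 @@
+build-stamp
+debian/stunnel4.init
+doc/stunnel.8
+doc/stunnel.html
+doc/stunnel4.8
+doc/stunnel4.pl.8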
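--- a/debian/compat
+++ b/debian/compat
@@ -0,0 +1 @@
+10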
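--- a/debian/control
+++ b/debian/control
@@ -0,0 +1,45 @@
+Source: stunnel4
+Section: net
+Priority: optional
+Build-Depends:
+debhelper (>= 10),
+autoconf-archive,
+libssl-dev,
+libsystemd-dev [linux-any],
+libwrap0-dev,
+netcat-traditional,
+openssl,
+net-tools,
+procps
+Maintainer: Peter Pentchev <roam@ringlet.net>
+Uploaders: Laszlo Boszormenyi (GCS) <gcs@debian.org>
+Standards-Version: 4.1.1
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/stunnel.git
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/stunnel.git
+Homepage: https://www.stunnel.org/
+Rules-Requires-Root: no
+
+Package: stunnel4
+Architecture: any
+Provides: stunnel
+Depends:
+${shlibs:Depends},
+${misc:Depends},
+${perl:Depends},
+lsb-base,
+netbase,
+openssl
+Pre-Depends: adduser
+Suggests: logcheck-database
+Description: Universal SSL tunnel for network daemons
+The stunnel program is designed to work as SSL encryption
+wrapper between remote client and local (inetd-startable) or
+remote server. The concept is that having non-SSL aware daemons
+running on your system you can easily setup them to
+communicate with clients over secure SSL channel.
+.
+stunnel can be used to add SSL functionality to commonly
+used inetd daemons like POP-2, POP-3 and IMAP servers
+without any changes in the programs' code.
+.
+This package contains a wrapper script for compatibility with stunnel 3.x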
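--- a/debian/copyright
+++ b/debian/copyright
@@ -0,0 +1,59 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: stunnel
+Upstream-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>
+Source: https://www.stunnel.org/downloads.html
+License: GPL-2+-openssl
+
+Files: *
+Copyright:
+(C) 1998-2017 Michal Trojnara <Michal.Trojnara@stunnel.org>
+(c) 2014 Mark Theunissen
+License: GPL-2+-openssl
+
+Files: src/stunnel3.in
+Copyright: (C) 2004-2012 Michal Trojnara <Michal.Trojnara@stunnel.org>
+License: GPL-2+
+
+Files: debian/*
+Copyright:
+(C) 1998-2001 Paolo Molaro <lupus@debian.org>
+(C) 2003-2007 Julien Lemoine <speedblue@debian.org>
+(C) 2007-2012 Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+(C) 2013 Salvatore Bonaccorso <carnil@debian.org>
+(C) 2014-2017 Peter Pentchev <roam@ringlet.net>
+License: GPL-2+-openssl
+
+License: GPL-2+-openssl
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+.
+On Debian systems, the complete text of the GNU General Public License
+can be found in file "/usr/share/common-licenses/GPL-2".
+.
+Linking stunnel statically or dynamically with other modules is making
+a combined work based on stunnel. Thus, the terms and conditions of the
+GNU General Public License cover the whole combination.
+.
+In addition, as a special exception, the copyright holder of stunnel gives you
+permission to combine stunnel with free software programs or libraries that
+are released under the GNU LGPL and with code included in the standard release
+of OpenSSL under the OpenSSL License (or modified versions of such code, with
+unchanged license). You may copy and distribute such a system following the
+terms of the GNU GPL for stunnel and the licenses of the other code concerned.
+.
+Note that people who make modified versions of stunnel are not obligated to
+grant this special exception for their modified versions; it is their choice
+whether to do so. The GNU General Public License gives permission to release
+a modified version without this exception; this exception also makes it
+possible to release a modified version which carries forward this exception.
+
+License: GPL-2+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+.
+On Debian systems, the complete text of the GNU General Public License
+can be found in file "/usr/share/common-licenses/GPL-2".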
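--- a/debian/dirs
+++ b/debian/dirs
@@ -0,0 +1 @@
+etc/stunnel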
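--- a/debian/doc-base
+++ b/debian/doc-base
@@ -0,0 +1,10 @@
+Document: stunnel4
+Title: Stunnel documentation
+Author: Michal Trojnara
+Abstract: This manual documents stunnel, a SSL-enhanced client and
+server wrapper.
+Section: System/Security
+
+Format: HTML
+Index: /usr/share/doc/stunnel4/stunnel.html
+Files: /usr/share/doc/stunnel4/stunnel*.html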
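--- a/debian/docs
+++ b/debian/docs
@@ -0,0 +1,4 @@
+BUGS
+NEWS
+README
+TODO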
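--- a/debian/patches/01-fix-paths.patch
+++ b/debian/patches/01-fix-paths.patch
@@ -0,0 +1,38 @@
+Description: Update the installation directories.
+Change @prefix@/... to @localstatedir@ or @sysconfdir@ as appropriate
+to comply with the FHS
+Forwarded: not-needed
+Author: Paolo Molaro <lupus@debian.org>
+Author: Julien Lemoine <speedblue@debian.org>
+Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+Last-Update: 2016-07-06
+
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -64,7 +64,7 @@
+accept = 127.0.0.1:110
+connect = pop.gmail.com:995
+verifyChain = yes
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+checkHost = pop.gmail.com
+OCSPaia = yes
+
+@@ -73,7 +73,7 @@
+accept = 127.0.0.1:143
+connect = imap.gmail.com:993
+verifyChain = yes
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+checkHost = imap.gmail.com
+OCSPaia = yes
+
+@@ -82,7 +82,7 @@
+accept = 127.0.0.1:25
+connect = smtp.gmail.com:465
+verifyChain = yes
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir/ssl/certs
+checkHost = smtp.gmail.com
+OCSPaia = yes
+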
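Review bot: The three replacement lines read `CApath = @sysconfdir/ssl/certs`, with no closing `@` after `sysconfdir`, in the hunks at -64, -73 and -82 of tools/stunnel.conf-sample.in. The description of this patch and the other patches in the series spell the placeholder `@sysconfdir@` (for example `@sysconfdir@/default/stunnel4`), so this token will presumably not be substituted when the sample is generated. The three example services also set `verifyChain = yes`, so a literal `@sysconfdir/ssl/certs` would point certificate verification at a CA directory that does not exist. The line should be `CApath = @sysconfdir@/ssl/certs` in all three places.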
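--- a/debian/patches/02-rename-binary.patch
+++ b/debian/patches/02-rename-binary.patch
@@ -0,0 +1,103 @@
+Description: Change references to the binary from stunnel to stunnel4
+Forwarded: not-needed
+Author: Julien Lemoine <speedblue@debian.org>
+Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+Last-Update: 2017-09-23
+
+--- a/src/stunnel3.in
++++ b/src/stunnel3.in
+@@ -22,7 +22,7 @@
+use Getopt::Std;
+
+# Configuration - path to stunnel (version >=4.05)
+-$stunnel_bin='@bindir@/stunnel';
++$stunnel_bin='@bindir@/stunnel4';
+
+# stunnel3 script body begins here
+($read_fd, $write_fd)=POSIX::pipe();
+--- a/tools/stunnel.init.in
++++ b/tools/stunnel.init.in
+@@ -1,6 +1,6 @@
+#! /bin/sh -e
+### BEGIN INIT INFO
+-# Provides: stunnel
++# Provides: stunnel4
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $syslog
+@@ -21,8 +21,8 @@
+
+. /lib/lsb/init-functions
+
+-DEFAULTPIDFILE="/var/run/stunnel.pid"
+-DAEMON=@bindir@/stunnel
++DEFAULTPIDFILE="/var/run/stunnel4.pid"
++DAEMON=@bindir@/stunnel4
+NAME=stunnel
+DESC="TLS tunnels"
+OPTIONS=""
+@@ -49,9 +49,9 @@
+startdaemons() {
+local res file args pidfile warn status
+
+- if ! [ -d /var/run/stunnel ]; then
+- rm -rf /var/run/stunnel
+- install -d -o stunnel -g stunnel /var/run/stunnel
++ if ! [ -d /var/run/stunnel4 ]; then
++ rm -rf /var/run/stunnel4
++ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
+fi
+if [ -n "$RLIMITS" ]; then
+ulimit $RLIMITS
+@@ -141,9 +141,9 @@
+OPTIONS="-- $OPTIONS"
+fi
+
+-[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel
++[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4
+if [ "$ENABLED" = "0" ] ; then
+- echo "$DESC disabled, see @sysconfdir@/default/stunnel"
++ echo "$DESC disabled, see @sysconfdir@/default/stunnel4"
+exit 0
+fi
+
+--- a/tools/script.sh
++++ b/tools/script.sh
+@@ -2,7 +2,7 @@
+
+REMOTE_HOST="www.mirt.net:443"
+echo "client script connecting $REMOTE_HOST"
+-/usr/local/bin/stunnel -fd 10 \
++/usr/bin/stunnel4 -fd 10 \
+11<&0 <<EOT 10<&0 0<&11 11<&-
+client=yes
+connect=$REMOTE_HOST
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -15,11 +15,11 @@
+
+.pod.in.8.in:
+pod2man -u -n stunnel -s 8 -r $(VERSION) \
+- -c "stunnel TLS Proxy" -d `date +%Y.%m.%d` $< $@
++ -c "stunnel4 TLS Proxy" -d `date +%Y.%m.%d` $< $@
+
+.pod.in.html.in:
+pod2html --index --backlink --header \
+- --title "stunnel TLS Proxy" --infile=$< --outfile=$@
++ --title "stunnel4 TLS Proxy" --infile=$< --outfile=$@
+rm -f pod2htmd.tmp pod2htmi.tmp
+
+edit = sed \
+--- a/doc/stunnel.pl.8.in
++++ b/doc/stunnel.pl.8.in
+@@ -70,8 +70,8 @@
+.rr rF
+.\" ========================================================================
+.\"
+-.IX Title "stunnel 8"
+-.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy"
++.IX Title "stunnel4 8"
++.TH stunnel 8 "2017.04.01" "5.42" "stunnel4 TLS Proxy"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l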
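--- a/debian/patches/03-runas-user.patch
+++ b/debian/patches/03-runas-user.patch
@@ -0,0 +1,19 @@
+Description: Change the default user the binary will run as to stunnel4
+Forwarded: not-needed
+Author: Julien Lemoine <speedblue@debian.org>
+Author: Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
+Last-Update: 2015-06-13
+
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -8,8 +8,8 @@
+; **************************************************************************
+
+; It is recommended to drop root privileges if stunnel is started by root
+-;setuid = nobody
+-;setgid = @DEFAULT_GROUP@
++;setuid = stunnel4
++;setgid = stunnel4
+
+; PID file is created inside the chroot jail (if enabled)
+;pid = @localstatedir@/run/stunnel.pid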
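Review bot: The new `;setuid = stunnel4` and `;setgid = stunnel4` lines keep their leading `;`, so they stay comments in the sample and nothing in this hunk changes the account stunnel runs as; the description "Change the default user the binary will run as" says more than the change does. I would add a comment above them, for example `; Uncomment both lines to drop root privileges to the stunnel4 account`, and word the description as changing the suggested values only. The context line `;pid = @localstatedir@/run/stunnel.pid` still shows the un-renamed path, while 02-rename-binary.patch and 04-restore-pidfile-default.patch use `stunnel4.pid` and `/var/run/stunnel4`, so the sample's pid example could be brought in line here as well.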
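--- a/debian/patches/04-restore-pidfile-default.patch
+++ b/debian/patches/04-restore-pidfile-default.patch
@@ -0,0 +1,44 @@
+Description: Temporarily restore the pid file creation by default.
+The init script will not be able to monitor the automatically-started
+instances of stunnel if there is no pid file. For the present for the
+upgrade from 4.53 the "create the pid file by default" behavior is
+restored and the init script warns about configuration files that have
+no "pid" setting. The intention is that in a future version the init
+script will refuse to start stunnel for these configurations.
+Forwarded: not-needed
+Author: Peter Pentchev <roam@ringlet.net>
+Bug-Debian: https://bugs.debian.org/744851
+Last-Update: 2017-07-03
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -44,6 +44,7 @@
+stunnel_CPPFLAGS += -I$(SSLDIR)/include
+stunnel_CPPFLAGS += -DLIBDIR='"$(pkglibdir)"'
+stunnel_CPPFLAGS += -DCONFDIR='"$(sysconfdir)/stunnel"'
++stunnel_CPPFLAGS += -DPIDFILE='"$(localstatedir)/run/stunnel4.pid"'
+
+# TLS library
+stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto
+--- a/src/options.c
++++ b/src/options.c
+@@ -917,7 +917,7 @@
+#ifndef USE_WIN32
+switch(cmd) {
+case CMD_BEGIN:
+- new_global_options.pidfile=NULL; /* do not create a pid file */
++ new_global_options.pidfile=PIDFILE;
+break;
+case CMD_EXEC:
+if(strcasecmp(opt, "pid"))
+@@ -932,9 +932,10 @@
+case CMD_FREE:
+break;
+case CMD_DEFAULT:
++ s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE);
+break;
+case CMD_HELP:
+- s_log(LOG_NOTICE, "%-22s = pid file", "pid");
++ s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid");
+break;
+}
+#endif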
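Review bot: The default assigned at `CMD_BEGIN` in src/options.c is the single fixed path `PIDFILE`, so every configuration file without a `pid` line resolves to the same `$(localstatedir)/run/stunnel4.pid`. With more than one such instance they would contend for one file and the init script could track at most one of them. The patch description mentions the init-script warning, but nothing at the assignment explains it; I would add `/* Debian: one shared default, only safe for a single instance; set "pid" in each configuration file */` above it. The new `CMD_HELP` text says an empty value disables the pid file, but the `CMD_EXEC` branch that would have to honour that continues outside the hunk and should be checked.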
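--- a/debian/patches/05-author-tests.patch
+++ b/debian/patches/05-author-tests.patch
@@ -0,0 +1,16 @@
+Description: Only build the Win32 executables if requested.
+Author: Peter Pentchev <roam@ringlet.net>
+Forwarded: not yet
+Last-Update: 2015-11-11
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -8,7 +8,7 @@
+AC_CONFIG_SRCDIR([src/stunnel.c])
+AM_INIT_AUTOMAKE
+
+-AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"])
++AM_CONDITIONAL([AUTHOR_TESTS], [test -n "$AUTHOR_TESTS"])
+AC_CANONICAL_HOST
+AC_SUBST([host])
+AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description])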
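--- a/debian/patches/07-path-max.patch
+++ b/debian/patches/07-path-max.patch
@@ -0,0 +1,71 @@
+Description: Allocate the config filename dynamically.
+Avoid the use of PATH_MAX which may not be defined.
+Forwarded: not-yet
+Author: Peter Pentchev <roam@ringlet.net>
+Last-Update: 2017-07-03
+
+--- a/src/common.h
++++ b/src/common.h
+@@ -94,7 +94,6 @@
+typedef int ssize_t;
+#endif /* _WIN64 */
+#endif /* !__MINGW32__ */
+-#define PATH_MAX MAX_PATH
+#define USE_IPv6
+#define _CRT_SECURE_NO_DEPRECATE
+#define _CRT_NONSTDC_NO_DEPRECATE
+--- a/src/options.c
++++ b/src/options.c
+@@ -211,7 +211,7 @@
+NOEXPORT char **argalloc(char *);
+#endif
+
+-char configuration_file[PATH_MAX];
++char *configuration_file;
+
+GLOBAL_OPTIONS global_options;
+SERVICE_OPTIONS service_options;
+@@ -289,17 +289,27 @@
+}
+
+#ifdef HAVE_REALPATH
++ char *nconf;
+if(type==CONF_FILE) {
+- if(!realpath(name, configuration_file)) {
++ nconf = realpath(name, NULL);
++ if(nconf == NULL) {
+s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name);
+ioerror("realpath");
+return 1;
+}
+- return options_parse(type);
+- }
++ free(configuration_file);
++ } else
+#endif
+- strncpy(configuration_file, name, PATH_MAX-1);
+- configuration_file[PATH_MAX-1]='\0';
++ {
++ size_t sz = strlen(name) + 1;
++ nconf = realloc(configuration_file, sz);
++ if(nconf == NULL) {
++ s_log(LOG_ERR, "Could not allocate memory");
++ return 1;
++ }
++ snprintf(nconf, sz, "%s", name);
++ }
++ configuration_file = nconf;
+return options_parse(type);
+}
+
+--- a/src/prototypes.h
++++ b/src/prototypes.h
+@@ -430,7 +430,7 @@
+
+/**************************************** prototypes for options.c */
+
+-extern char configuration_file[PATH_MAX];
++extern char *configuration_file;
+extern unsigned number_of_sections;
+
+int options_cmdline(char *, char *);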
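Review bot: `char *nconf;` is declared inside the `#ifdef HAVE_REALPATH` block of the third src/options.c hunk, yet the copy branch and the final `configuration_file = nconf;` use it unconditionally, so a build without `HAVE_REALPATH` would not compile; the declaration belongs above the `#ifdef`. In the copy branch `realloc(configuration_file, sz)` runs before `snprintf(nconf, sz, "%s", name)`, so if a caller ever passes `configuration_file` itself as `name` the source may already have been moved or freed; copying into a fresh buffer and freeing the old one afterwards avoids that. Whether any caller does so cannot be seen here, because the function starts outside the hunk. `realpath(name, NULL)` also depends on the allocate-on-NULL behaviour from POSIX.1-2008, which deserves a one-line comment.

```c
    char *nconf; /* outside the #ifdef: both branches assign it */
#ifdef HAVE_REALPATH
    /* ... unchanged: realpath() branch, which frees the old configuration_file ... */
#endif
    {
        size_t sz = strlen(name) + 1;
        nconf = malloc(sz); /* fresh buffer: name may alias configuration_file */
        if(nconf == NULL) {
            s_log(LOG_ERR, "Could not allocate memory");
            return 1;
        }
        memcpy(nconf, name, sz);
        free(configuration_file); /* only after the copy is complete */
    }
    /* ... unchanged: configuration_file = nconf; return options_parse(type); ... */
```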
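--- a/debian/patches/09-try-restart.patch
+++ b/debian/patches/09-try-restart.patch
@@ -0,0 +1,76 @@
+Description: Implement try-restart in the SysV init script.
+Forwarded: not-yet
+Author: Peter Pentchev <roam@ringlet.net>
+Last-Update: 2017-07-03
+
+--- a/tools/stunnel.init.in
++++ b/tools/stunnel.init.in
+@@ -137,6 +137,47 @@
+exit "$res"
+}
+
++restartrunningdaemons()
++{
++ local res file pidfile status args
++
++ res=0
++ for file in $FILES; do
++ echo -n " $file: "
++ pidfile=`get_pidfile "$file"`
++ if [ ! -e "$pidfile" ]; then
++ echo -n 'no pid file'
++ else
++ status=0
++ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?"
++ if [ "$status" = 0 ]; then
++ echo -n 'stopping'
++ killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?"
++ if [ "$status" -eq 0 ]; then
++ echo -n ' starting'
++ args="$file $OPTIONS"
++ start_daemon -p "$pidfile" "$DAEMON" $args || status="$?"
++ if [ "$status" -eq 0 ]; then
++ echo -n ' started'
++ else
++ echo ' failed'
++ res=1
++ fi
++ else
++ echo -n ' failed'
++ res=1
++ fi
++ elif [ "$status" = 4 ]; then
++ echo "cannot access the pid file $pidfile"
++ else
++ echo -n 'stopped'
++ fi
++ fi
++ done
++ echo ''
++ exit "$res"
++}
++
+if [ "x$OPTIONS" != "x" ]; then
+OPTIONS="-- $OPTIONS"
+fi
+@@ -194,6 +235,11 @@
+killdaemons && startdaemons
+res=$?
+;;
++ try-restart)
++ echo -n "Restarting $DESC if running:"
++ restartrunningdaemons
++ res=$?
++ ;;
+status)
+echo -n "$DESC status:"
+querydaemons
+@@ -201,7 +247,7 @@
+;;
+*)
+N=@sysconfdir@/init.d/$NAME
+- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
++ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} [<stunnel instance>]" >&2
+res=1
+;;
+esac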
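Review bot: `restartrunningdaemons` passes `"$sig"` to `killproc`, but `sig` is neither in the function's `local` list nor assigned anywhere in it, so it expands to whatever the surrounding script holds, most likely an empty string. Either name the signal or drop the argument, `killproc -p "$pidfile" "$DAEMON"`. The function ends in `exit "$res"`, so the `res=$?` that follows the call in the `try-restart)` branch is never reached. The ' failed' message after `start_daemon` uses `echo` where its sibling messages use `echo -n`, which breaks the one-line status output.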
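--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+01-fix-paths.patch
+02-rename-binary.patch
+03-runas-user.patch
+04-restore-pidfile-default.patch
+05-author-tests.patch
+07-path-max.patch
+09-try-restart.patch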
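--- a/debian/postinst
+++ b/debian/postinst
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+set -e
+
+USER="stunnel4"
+CHOWN="/bin/chown"
+#USERDEL="/usr/sbin/userdel"
+ADDUSER="/usr/sbin/adduser"
+ID="/usr/bin/id"
+GROUPMOD="/usr/sbin/groupmod"
+#GROUPDEL="/usr/sbin/groupdel"
+
+###
+# 1. get current stunnel uid and gid if user exists.
+set -e
+if $ID $USER > /dev/null 2>&1; then
+IUID=`$ID --user $USER`
+IGID=`$ID --group $USER`
+else
+IUID="NONE"
+IGID="NONE"
+fi
+
+###
+# 2. Ensure that no standard account or group will remain before adding the
+# new user
+#if [ "$IUID" != "NONE" ]; then # remove existing user
+# $USERDEL $USER
+#fi
+
+#if $GROUPMOD $USER > /dev/null 2>&1; then
+# $GROUPDEL $USER;
+#fi
+
+if [ "$IUID" = "NONE" ]; then
+$ADDUSER --system --disabled-password --disabled-login \
+--home /var/run/stunnel4 \
+--no-create-home --group $USER
+fi
+
+# /var/run/stunnel4 is not a directory, create it...
+if ! test -d /var/run/stunnel4; then
+rm -rf /var/run/stunnel4;
+mkdir /var/run/stunnel4
+fi
+$CHOWN $USER:$USER /var/run/stunnel4 || true
+
+# /var/log/stunnel4 is not a directory, create it...
+if ! test -d /var/log/stunnel4; then
+rm -rf /var/log/stunnel4;
+mkdir /var/log/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/log/stunnel4
+
+# /var/lib/stunnel4 is not a directory, create it...
+if ! test -d /var/lib/stunnel4; then
+rm -rf /var/lib/stunnel4;
+mkdir /var/lib/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/lib/stunnel4
+
+if ! test -f /var/log/stunnel4/stunnel.log; then
+touch /var/log/stunnel4/stunnel.log
+$CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
+fi
+
+#DEBHELPER#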
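Review bot: The `$CHOWN -R $USER:$USER` calls on /var/log/stunnel4 and /var/lib/stunnel4, and the `touch` followed by `$CHOWN -R` on stunnel.log, run as root inside directories that the unprivileged stunnel4 account already owns after the first install. Root then acts on whatever that account has placed there, links included, so a compromised service account could gain ownership of files outside these directories at the next upgrade. Set ownership on the directories only, `$CHOWN $USER:$USER /var/log/stunnel4` and `$CHOWN $USER:$USER /var/lib/stunnel4`, and either leave stunnel.log for the daemon to create or use `$CHOWN -h $USER:$USER /var/log/stunnel4/stunnel.log`. The `rm -rf` in front of each `mkdir` also removes any non-directory at that path silently, and `set -e` is given twice.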
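--- a/debian/postrm
+++ b/debian/postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+if [ x$1 = "xpurge" ]; then
+echo You may want to delete the generated stunnel.pem file
+echo in /etc/ssl/certs.
+
+# Remove chroot dir if present. It may contain logfiles
+rm -rf /var/lib/stunnel4 || true
+
+# Log files must be removed on purge (Policy 10.8)
+rm -f /var/log/stunnel4/stunnel.log* || true
+rmdir /var/log/stunnel4 || true
+fi
+
+#DEBHELPER#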
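Review bot: `[ x$1 = "xpurge" ]` leaves `$1` unquoted, so an argument containing whitespace or a glob character is split or expanded before the comparison; write `[ "x$1" = "xpurge" ]`. The purge message points at stunnel.pem in /etc/ssl/certs without saying why it matters. The stunnel3 manual page added in this same change describes that file as holding an unencrypted private key, so the message should say so, for example `echo "stunnel.pem in /etc/ssl/certs may hold an unencrypted private key; delete it if unused."`.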
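--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,79 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# debian/rules file for the Debian GNU/Linux stunnel package
+# Copyright 2003 by Julien LEMOINE <speedblue@debian.org>
+# Copyright 2014 by Peter Pentchev <roam@ringlet.net>
+
+ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
+DEB_NODOC=0
+else
+DEB_NODOC=1
+endif
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND=-Wall
+
+multiarch_path= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+override_dh_auto_configure:
+dh_auto_configure -- \
+--enable-ipv6 --with-threads=pthread
+
+override_dh_auto_install:
+dh_auto_install -- -C src
+ifeq ($(DEB_NODOC),0)
+dh_auto_install -- -C doc
+endif
+
+# .la file is useless
+rm $(CURDIR)/debian/stunnel4/usr/lib/$(multiarch_path)/stunnel/libstunnel.la
+
+# Rename binary
+mv $(CURDIR)/debian/stunnel4/usr/bin/stunnel \
+$(CURDIR)/debian/stunnel4/usr/bin/stunnel4
+
+# Copy sample init script into place for dh_installinit
+cp $(CURDIR)/tools/stunnel.init $(CURDIR)/debian/stunnel4.init
+
+ifeq ($(DEB_NODOC),0)
+ln doc/stunnel.8 doc/stunnel4.8
+ln doc/stunnel.pl.8 doc/stunnel4.pl.8
+
+# Manpages will be installed by dh_installman
+rm -rf $(CURDIR)/debian/stunnel4/usr/share/man
+
+# Move docs into proper dir
+mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel \
+$(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
+
+# Basic docs for the user on how to create an initial configuration
+install -p -m 0644 $(CURDIR)/debian/stunnel4.conf.README \
+$(CURDIR)/debian/stunnel4/etc/stunnel/README
+endif
+
+ifeq ($(DEB_NODOC),1)
+override_dh_installdocs:
+mkdir -p $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
+install -c -o root -g root -m 644 $(CURDIR)/debian/copyright $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/
+
+override_dh_installman:
+
+override_dh_link:
+dh_link
+rm $(CURDIR)/debian/stunnel4/usr/share/man/man8/stunnel.8.gz
+rmdir $(CURDIR)/debian/stunnel4/usr/share/man/man8
+rmdir $(CURDIR)/debian/stunnel4/usr/share/man
+endif
+
+override_dh_installppp:
+dh_installppp --name=0stunnel4
+
+override_dh_compress:
+dh_compress --exclude=StunnelConf-0.1.pl
+
+%:
+dh $@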
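Review bot: In `override_dh_auto_install` the lines `ln doc/stunnel.8 doc/stunnel4.8` and `ln doc/stunnel.pl.8 doc/stunnel4.pl.8` create files in the source tree and fail if they already exist. A second build in the same tree would therefore stop here unless a clean step not shown in this file removes them. `ln -f doc/stunnel.8 doc/stunnel4.8` (and the same for the .pl.8 link) makes the target repeatable. The copy to debian/stunnel4.init is likewise left in the source tree, so a comment noting which generated files the clean step is expected to remove would help the next maintainer.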
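--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)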
510
debian/stunnel3.8
vendored
Normal file
510
debian/stunnel3.8
vendored
Normal file
@ -0,0 +1,510 @@
|
||||
.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
|
||||
.\"
|
||||
.\" Standard preamble:
|
||||
.\" ========================================================================
|
||||
.de Sh \" Subsection heading
|
||||
.br
|
||||
.if t .Sp
|
||||
.ne 5
|
||||
.PP
|
||||
\fB\\$1\fR
|
||||
.PP
|
||||
..
|
||||
.de Sp \" Vertical space (when we can't use .PP)
|
||||
.if t .sp .5v
|
||||
.if n .sp
|
||||
..
|
||||
.de Vb \" Begin verbatim text
|
||||
.ft CW
|
||||
.nf
|
||||
.ne \\$1
|
||||
..
|
||||
.de Ve \" End verbatim text
|
||||
.ft R
|
||||
.fi
|
||||
..
|
||||
.\" Set up some character translations and predefined strings. \*(-- will
|
||||
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
||||
.\" double quote, and \*(R" will give a right double quote. | will give a
|
||||
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
|
||||
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
|
||||
.\" expand to `' in nroff, nothing in troff, for use with C<>.
|
||||
.tr \(*W-|\(bv\*(Tr
|
||||
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
||||
.ie n \{\
|
||||
. ds -- \(*W-
|
||||
. ds PI pi
|
||||
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
||||
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
||||
. ds L" ""
|
||||
. ds R" ""
|
||||
. ds C` ""
|
||||
. ds C' ""
|
||||
'br\}
|
||||
.el\{\
|
||||
. ds -- \|\(em\|
|
||||
. ds PI \(*p
|
||||
. ds L" ``
|
||||
. ds R" ''
|
||||
'br\}
|
||||
.\"
|
||||
.\" If the F register is turned on, we'll generate index entries on stderr for
|
||||
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
|
||||
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
||||
.\" output yourself in some meaningful fashion.
|
||||
.if \nF \{\
|
||||
. de IX
|
||||
. tm Index:\\$1\t\\n%\t"\\$2"
|
||||
..
|
||||
. nr % 0
|
||||
. rr F
|
||||
.\}
|
||||
.\"
|
||||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||||
.\" way too many mistakes in technical documents.
|
||||
.hy 0
|
||||
.if n .na
|
||||
.\"
|
||||
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
||||
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
||||
. \" fudge factors for nroff and troff
|
||||
.if n \{\
|
||||
. ds #H 0
|
||||
. ds #V .8m
|
||||
. ds #F .3m
|
||||
. ds #[ \f1
|
||||
. ds #] \fP
|
||||
.\}
|
||||
.if t \{\
|
||||
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
||||
. ds #V .6m
|
||||
. ds #F 0
|
||||
. ds #[ \&
|
||||
. ds #] \&
|
||||
.\}
|
||||
. \" simple accents for nroff and troff
|
||||
.if n \{\
|
||||
. ds ' \&
|
||||
. ds ` \&
|
||||
. ds ^ \&
|
||||
. ds , \&
|
||||
. ds ~ ~
|
||||
. ds /
|
||||
.\}
|
||||
.if t \{\
|
||||
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
||||
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
||||
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
||||
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
||||
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
||||
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
||||
.\}
|
||||
. \" troff and (daisy-wheel) nroff accents
|
||||
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
||||
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
||||
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
||||
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
||||
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
||||
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
||||
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
||||
.ds ae a\h'-(\w'a'u*4/10)'e
|
||||
.ds Ae A\h'-(\w'A'u*4/10)'E
|
||||
. \" corrections for vroff
|
||||
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
||||
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
||||
. \" for low resolution devices (crt and lpr)
|
||||
.if \n(.H>23 .if \n(.V>19 \
|
||||
\{\
|
||||
. ds : e
|
||||
. ds 8 ss
|
||||
. ds o a
|
||||
. ds d- d\h'-1'\(ga
|
||||
. ds D- D\h'-1'\(hy
|
||||
. ds th \o'bp'
|
||||
. ds Th \o'LP'
|
||||
. ds ae ae
|
||||
. ds Ae AE
|
||||
.\}
|
||||
.rm #[ #] #H #V #F C
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "STUNNEL 1"
|
||||
.TH STUNNEL 8 "2003-08-01" " " " "
|
||||
.SH "NAME"
|
||||
stunnel \- universal SSL tunnel
|
||||
.SH "SYNOPSIS"
|
||||
.IX Header "SYNOPSIS"
|
||||
\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user]
|
||||
[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host]
|
||||
[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ]
|
||||
.SH "DESCRIPTION"
|
||||
.IX Header "DESCRIPTION"
|
||||
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption
|
||||
wrapper between remote clients and local (\fIinetd\fR\-startable) or
|
||||
remote servers. The concept is that having non-SSL aware daemons
|
||||
running on your system you can easily set them up to communicate with
|
||||
clients over secure \s-1SSL\s0 channels.
|
||||
.PP
|
||||
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used
|
||||
\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone
|
||||
daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network
|
||||
sockets without changes to the source code.
|
||||
.PP
|
||||
This product includes cryptographic software written by Eric Young
|
||||
(eay@cryptsoft.com)
|
||||
.SH "OPTIONS"
|
||||
.IX Header "OPTIONS"
|
||||
.IP "\fB\-h\fR" 4
|
||||
.IX Item "-h"
|
||||
Print stunnel help menu
|
||||
.IP "\fB\-D\fR level" 4
|
||||
.IX Item "-D level"
|
||||
Debugging level
|
||||
.Sp
|
||||
Level is a one of the syslog level names or numbers emerg (0), alert
|
||||
(1), crit (2), err (3), warning (4), notice (5), info (6), or debug
|
||||
(7). All logs for the specified level and all levels numerically less
|
||||
than it will be shown. Use \-D debug or \-D 7 for greatest debugging
|
||||
output. The default is notice (5).
|
||||
.Sp
|
||||
The syslog facility 'daemon' will be used unless a facility name is
|
||||
supplied. (Facilities are not supported on windows.)
|
||||
.Sp
|
||||
Case is ignored for both facilities and levels.
|
||||
.IP "\fB\-O\fR a|l|r:option=value[:value]" 4
|
||||
.IX Item "-O a|l|r:option=value[:value]"
|
||||
Set an option on accept/local/remote socket
|
||||
.Sp
|
||||
The values for linger option are l_onof:l_linger. The values for time
|
||||
are tv_sec:tv_usec.
|
||||
.Sp
|
||||
\&\fBExamples:\fR
|
||||
.Sp
|
||||
\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local
|
||||
socket
|
||||
.Sp
|
||||
\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote
|
||||
sockets
|
||||
.Sp
|
||||
\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the
|
||||
receive data stream for remote sockets
|
||||
.Sp
|
||||
\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default)
|
||||
.Sp
|
||||
\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback
|
||||
interface
|
||||
.Sp
|
||||
The available options and their defaults are:
|
||||
Option Accept Local Remote OS default
|
||||
SO_DEBUG -- -- -- 0
|
||||
SO_DONTROUTE -- -- -- 0
|
||||
SO_KEEPALIVE -- -- -- 0
|
||||
SO_LINGER -- -- -- 0:0
|
||||
SO_OOBINLINE -- -- -- 0
|
||||
SO_RCVBUF -- -- -- 87380
|
||||
SO_SNDBUF -- -- -- 16384
|
||||
SO_RCVLOWAT -- -- -- 1
|
||||
SO_SNDLOWAT -- -- -- 1
|
||||
SO_RCVTIMEO -- -- -- 0:0
|
||||
SO_SNDTIMEO -- -- -- 0:0
|
||||
SO_REUSEADDR 1 -- -- 0
|
||||
SO_BINDTODEVICE -- -- -- --
|
||||
IP_TOS -- -- -- 0
|
||||
IP_TTL -- -- -- 64
|
||||
TCP_NODELAY -- -- -- 0
|
||||
.IP "\fB\-o\fR file" 4
|
||||
.IX Item "-o file"
|
||||
Append log messages to a file.
|
||||
.IP "\fB\-C\fR cipherlist" 4
|
||||
.IX Item "-C cipherlist"
|
||||
Select permitted \s-1SSL\s0 ciphers
|
||||
.Sp
|
||||
A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection.
|
||||
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
|
||||
.IP "\fB\-c\fR" 4
|
||||
.IX Item "-c"
|
||||
client mode (remote service uses \s-1SSL\s0)
|
||||
.Sp
|
||||
default: server mode
|
||||
.IP "\fB\-T\fR" 4
|
||||
.IX Item "-T"
|
||||
transparent proxy mode
|
||||
.Sp
|
||||
Re-write address to appear as if wrapped daemon is connecting from the
|
||||
\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available
|
||||
only on some operating systems (Linux only, we believe) and then only
|
||||
in server mode. Note that this option will not combine with proxy mode
|
||||
(\-r) unless the client's default route to the target machine lies
|
||||
through the host running stunnel, which cannot be localhost.
|
||||
.IP "\fB\-p\fR pemfile" 4
|
||||
.IX Item "-p pemfile"
|
||||
private key and certificate chain \s-1PEM\s0 file name
|
||||
.Sp
|
||||
A \s-1PEM\s0 is always needed in server mode (by default located in
|
||||
\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode
|
||||
will use this key and certificate chain as a client side certificate
|
||||
chain. Using client side certs is optional. The certificates must be
|
||||
in \s-1PEM\s0 format and must be sorted starting with the certificate
|
||||
to the highest level (root \s-1CA\s0).
|
||||
.IP "\fB\-v\fR level" 4
|
||||
.IX Item "-v level"
|
||||
verify peer certificate
|
||||
.RS 4
|
||||
.IP "\(bu" 8
|
||||
level 1 \- verify peer certificate if present
|
||||
.IP "\(bu" 8
|
||||
level 2 \- verify peer certificate
|
||||
.IP "\(bu" 8
|
||||
level 3 \- verify peer with locally installed certificate
|
||||
.IP "\(bu" 8
|
||||
default \- no verify
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.IP "\fB\-a\fR directory" 4
|
||||
.IX Item "-a directory"
|
||||
client certificate directory
|
||||
.Sp
|
||||
This is the directory in which stunnel will look for certificates when
|
||||
using the \fI\-v\fR options. Note that the certificates in this directory
|
||||
should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the
|
||||
cert.
|
||||
.IP "\fB\-A\fR certfile" 4
|
||||
.IX Item "-A certfile"
|
||||
Certificate Authority file
|
||||
.Sp
|
||||
This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR
|
||||
options.
|
||||
.IP "\fB\-t\fR timeout" 4
|
||||
.IX Item "-t timeout"
|
||||
session cache timeout
|
||||
.Sp
|
||||
default: 300 seconds.
|
||||
.IP "\fB\-N\fR servicename" 4
|
||||
.IX Item "-N servicename"
|
||||
Service name to use for tcpwrappers. If not specified then a
|
||||
tcpwrapper service name will be generated automatically for you. This
|
||||
will also be used when auto-generating pid filenames.
|
||||
.IP "\fB\-u\fR ident_username" 4
|
||||
.IX Item "-u ident_username"
|
||||
Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking
|
||||
.IP "\fB\-n\fR proto" 4
|
||||
.IX Item "-n proto"
|
||||
Negotiate \s-1SSL\s0 with specified protocol
|
||||
.Sp
|
||||
currently supported: smtp, pop3, nntp
|
||||
.IP "\fB\-E\fR socket" 4
|
||||
.IX Item "-E socket"
|
||||
Entropy Gathering Daemon socket to use to feed OpenSSL random number
|
||||
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
|
||||
.IP "\fB\-R\fR filename" 4
|
||||
.IX Item "-R filename"
|
||||
File containing random input. The \s-1SSL\s0 library will use data from this
|
||||
file first to seed the random number generator.
|
||||
.IP "\fB\-W\fR" 4
|
||||
.IX Item "-W"
|
||||
Do not overwrite the random seed files with new random data.
|
||||
.IP "\fB\-B\fR bytes" 4
|
||||
.IX Item "-B bytes"
|
||||
Number of bytes of data read from random seed files. With \s-1SSL\s0
|
||||
versions less than 0.9.5a, also determines how many bytes of data are
|
||||
considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions
|
||||
have a builtin function to determine when sufficient randomness is
|
||||
available.
|
||||
.IP "\fB\-I\fR host" 4
|
||||
.IX Item "-I host"
|
||||
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
|
||||
Use this option to bind a static local \s-1IP\s0 address, instead.
|
||||
.IP "\fB\-d\fR [host:]port" 4
|
||||
.IX Item "-d [host:]port"
|
||||
daemon mode
|
||||
.Sp
|
||||
Listen for connections on [host:]port. If no host specified, defaults
|
||||
to all \s-1IP\s0 addresses for the local host.
|
||||
.Sp
|
||||
default: inetd mode
|
||||
.IP "\fB\-f\fR" 4
|
||||
.IX Item "-f"
|
||||
foreground mode
|
||||
.Sp
|
||||
Stay in foreground (don't fork) and log to stderr instead of via
|
||||
syslog (unless \-o is specified).
|
||||
.Sp
|
||||
default: background in daemon mode
|
||||
.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
|
||||
.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]"
|
||||
execute local inetd-type program.
|
||||
.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
|
||||
.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]"
|
||||
open local pty and execute program.
|
||||
.IP "\fB\-s\fR username" 4
|
||||
.IX Item "-s username"
|
||||
\&\fIsetuid()\fR to username in daemon mode
|
||||
.IP "\fB\-g\fR groupname" 4
|
||||
.IX Item "-g groupname"
|
||||
\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups.
|
||||
.IP "\fB\-P\fR { file | '' }" 4
|
||||
.IX Item "-P { file | '' }"
|
||||
Pid file location
|
||||
.Sp
|
||||
If the argument is a filename, then that filename will be used for the
|
||||
pid. If the argument is empty ('', not missing), then no pid file will
|
||||
be created.
|
||||
.IP "\fB\-r\fR [host:]port" 4
|
||||
.IX Item "-r [host:]port"
|
||||
connect to remote service
|
||||
.Sp
|
||||
If no host specified, defaults to localhost.
|
||||
.SH "EXAMPLES"
|
||||
.IX Header "EXAMPLES"
|
||||
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service,
|
||||
use
|
||||
.PP
|
||||
.Vb 1
|
||||
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
|
||||
.Ve
|
||||
.PP
|
||||
In order to let your local e-mail client connect to a \s-1SSL\s0-enabled
|
||||
\fIimapd\fR service on another server, configure the e-mail client to connect to
|
||||
localhost on port 119 and use:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& stunnel \-c \-d 143 \-r servername:993
|
||||
.Ve
|
||||
.PP
|
||||
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
|
||||
use something like
|
||||
.PP
|
||||
.Vb 1
|
||||
\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local
|
||||
.Ve
|
||||
.SH "ENVIRONMENT"
|
||||
.IX Header "ENVIRONMENT"
|
||||
If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR
|
||||
options, it will set the following environment variables
|
||||
.IP "\s-1REMOTE_HOST\s0" 4
|
||||
.IX Item "REMOTE_HOST"
|
||||
The \s-1IP\s0 address of the remote end of the connection.
|
||||
.IP "\s-1SSL_CLIENT_DN\s0" 4
|
||||
.IX Item "SSL_CLIENT_DN"
|
||||
The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate,
|
||||
if a certificate was present and verified.
|
||||
.IP "\s-1SSL_CLIENT_I_DN\s0" 4
|
||||
.IX Item "SSL_CLIENT_I_DN"
|
||||
The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was
|
||||
present and verified.
|
||||
.SH "CERTIFICATES"
|
||||
.IX Header "CERTIFICATES"
|
||||
.IP "\(bu" 4
|
||||
Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to
|
||||
the peer. It also needs a private key to decrypt the incoming data.
|
||||
The easiest way to obtain a certificate and a key is to generate them
|
||||
with the free \fIopenssl\fR package. You can find more information on
|
||||
certificates generation on pages listed below.
|
||||
.Sp
|
||||
Two things are important when generating certificate-key pairs for
|
||||
\&\fBstunnel\fR. The private key cannot be encrypted, because the server
|
||||
has no way to obtain the password from the user. To produce an
|
||||
unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR
|
||||
command from the \fIopenssl\fR kit.
|
||||
.Sp
|
||||
The order of contents of the \fI.pem\fR file is also important. It should
|
||||
contain the unencrypted private key first, then a signed certificate
|
||||
(not certificate request). There should be also empty lines after
|
||||
certificate and private key. Plaintext certificate information
|
||||
appended on the top of generated certificate should be discarded. So
|
||||
the file should look like this:
|
||||
.Sp
|
||||
.Vb 8
|
||||
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [encoded key]
|
||||
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
|
||||
\& [empty line]
|
||||
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
|
||||
\& [encoded certificate]
|
||||
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
|
||||
\& [empty line]
|
||||
.Ve
|
||||
.SH "RANDOMNESS"
|
||||
.IX Header "RANDOMNESS"
|
||||
.IP "\(bu" 4
|
||||
\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
|
||||
order for \s-1SSL\s0 to use good randomness. The following sources are
|
||||
loaded in order until sufficient random data has been gathered:
|
||||
.RS 4
|
||||
.IP "\(bu" 8
|
||||
The file specified with the \fI\-R\fR flag.
|
||||
.IP "\(bu" 8
|
||||
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
|
||||
.IP "\(bu" 8
|
||||
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
|
||||
.IP "\(bu" 8
|
||||
The file specified with '\-\-with\-random' at compile time.
|
||||
.IP "\(bu" 8
|
||||
The contents of the screen if running on Windows.
|
||||
.IP "\(bu" 8
|
||||
The egd socket specified with the \fI\-E\fR flag.
|
||||
.IP "\(bu" 8
|
||||
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
|
||||
.IP "\(bu" 8
|
||||
The /dev/urandom device.
|
||||
.RE
|
||||
.RS 4
|
||||
.Sp
|
||||
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
|
||||
random data automatically when sufficient entropy has been gathered.
|
||||
With previous versions it will continue to gather from all the above
|
||||
sources since no \s-1SSL\s0 function exists to tell when enough data is
|
||||
available.
|
||||
.Sp
|
||||
Note that on Windows machines that do not have console user
|
||||
interaction (mouse movements, creating windows, etc) the screen
|
||||
contents are not variable enough to be sufficient, and you should
|
||||
provide a random file for use with the \fI\-R\fR flag.
|
||||
.Sp
|
||||
Note that the file specified with the \fI\-R\fR flag should contain random
|
||||
data \*(-- that means it should contain different information each time
|
||||
\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR
|
||||
flag is used. If you wish to update this file manually, the \fIopenssl
|
||||
rand\fR command in recent versions of OpenSSL, would be useful.
|
||||
.Sp
|
||||
One important note \*(-- if /dev/urandom is available, OpenSSL has a
|
||||
habit of seeding the \s-1PRNG\s0 with it even when checking the random state,
|
||||
so on systems with /dev/urandom you're likely to use it even though
|
||||
it's listed at the very bottom of the list above. This isn't
|
||||
stunnel's behaviour, it's OpenSSLs.
|
||||
.RE
|
||||
.SH "LIMITATIONS"
|
||||
.IX Header "LIMITATIONS"
|
||||
.IP "\(bu" 4
|
||||
\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
|
||||
the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
|
||||
There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons,
|
||||
however.
|
||||
.SH "SEE ALSO"
|
||||
.IX Header "SEE ALSO"
|
||||
.RS 4
|
||||
.IP "\fItcpd\fR\|(8)" 8
|
||||
.IX Item "tcpd"
|
||||
access control facility for internet services
|
||||
.IP "\fIinetd\fR\|(8)" 8
|
||||
.IX Item "inetd"
|
||||
internet ``super\-server''
|
||||
.IP "\fIhttps://www.stunnel.org/\fR" 8
|
||||
.IX Item "https://www.stunnel.org/"
|
||||
Stunnel homepage
|
||||
.IP "\fIhttps://www.openssl.org/\fR" 8
|
||||
.IX Item "https://www.openssl.org/"
|
||||
OpenSSL project website
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
||||
.SH "AUTHOR"
|
||||
.IX Header "AUTHOR"
|
||||
.RS 4
|
||||
.IP "Michal Trojnara" 8
|
||||
.IX Item "Michal Trojnara"
|
||||
<\fIMichal.Trojnara@stunnel.org\fR>
|
||||
.RE
|
||||
.RS 4
|
||||
.RE
|
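--- a/debian/stunnel4.0stunnel4.ppp.ip-down
+++ b/debian/stunnel4.0stunnel4.ppp.ip-down
@@ -0,0 +1,9 @@
+#!/bin/sh
+# if this script gets called, we assume that the machine has lost
+# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
+# to have a eth connection)
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$PPP_RESTART" != "0" || exit 0
+
+invoke-rc.d stunnel4 restart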
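Review bot: The guard `test "$PPP_RESTART" != "0" || exit 0` fails open: when /etc/default/stunnel4 is missing or does not set PPP_RESTART, the variable expands to an empty string, the comparison succeeds and stunnel4 is restarted on every PPP link change, although the shipped default in debian/stunnel4.default is `PPP_RESTART=0`. A value inherited from the caller's environment has the same effect. Defaulting the variable closes the gap: `test "${PPP_RESTART:-0}" != "0" || exit 0`. The identical line in debian/stunnel4.0stunnel4.ppp.ip-up needs the same change.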
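--- a/debian/stunnel4.0stunnel4.ppp.ip-up
+++ b/debian/stunnel4.0stunnel4.ppp.ip-up
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$PPP_RESTART" != "0" || exit 0
+
+
+invoke-rc.d stunnel4 restart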
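--- a/debian/stunnel4.NEWS
+++ b/debian/stunnel4.NEWS
@@ -0,0 +1,96 @@
+stunnel4 (3:5.06-1) unstable; urgency=medium
+
+There are two major changes in this version of stunnel.
+
+First, the /usr/bin/stunnel symlink has been switched from stunnel3
+to stunnel4. This should not affect any tools that invoke stunnel
+using the stunnel4 name, and it should not affect any Debian packages
+that use stunnel. However, any local tools that invoke stunnel with
+3.x-style command-line options instead of a 4.x-style configuration
+file should make sure that they use the stunnel3 executable name and
+not simply stunnel any more, or they should be converted to use
+a 4.x-style configuration file (there is no need to create an actual
+file on the filesystem, the configuration may be passed to stunnel
+on its standard input using the "-fd 0" command-line option).
+
+Second, this version DISABLES support for the SSLv2 and SSLv3 protocols!
+
+If needed, it may be re-enabled by editing the stunnel configuration
+file and adding "-NO_SSLv2" or "-NO_SSLv3" respectively to
+the "options" setting; see /etc/stunnel/README for an example.
+
+-- Peter Pentchev <roam@ringlet.net> Thu, 16 Oct 2014 13:56:35 +0300
+
+stunnel4 (3:5.01-3) unstable; urgency=medium
+
+This version temporarily brings back the creation of a default pid
+file, /var/run/stunnel4.pid, if there is no "pid" setting in
+the configuration file. The reason for this is that the init script
+cannot monitor the started stunnel processes if there is no pid file
+at all.
+
+The init script now warns about configuration files that have no
+"pid" setting and will thus use the default pid file location.
+In the future it will refuse to start with such configurations, so
+it would be best to add the "pid" setting to all the *.conf files in
+the /etc/stunnel/ directory.
+
+-- Peter Pentchev <roam@ringlet.net> Fri, 18 Apr 2014 14:37:42 +0300
+
+stunnel (3:5.01-2) unstable; urgency=medium
+
+This version DISABLES the RLE compression method, too. This means
+that stunnel currently has no compression methods available at all,
+since the underlying OpenSSL library does not have any, either.
+Tunnel configurations that explicitly set "compression" will NEED
+to be modified.
+
+-- Peter Pentchev <roam@ringlet.net> Mon, 14 Apr 2014 15:04:56 +0300
+
+stunnel (3:5.01-1) unstable; urgency=medium
+
+This version DISABLES the creation of the process ID file and
+the use of TCP wrappers for access control by default!
+
+Tunnel configurations that use PID files (e.g. for monitoring) or
+TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) will NEED to be
+modified to explicitly specify the 'pidfile' global option or
+the 'libwrap' service-level option respectively.
+
+This version also DISABLES the "zlib" and "deflate" compression
+algorithms because they are not supported in the Debian OpenSSL
+package since version 1.0.1e-5. The only supported compression
+algorithm is "rle". Tunnel configurations that explicitly set
+"compression" to something other than "rle" will NEED to be modified.
+
+-- Peter Pentchev <roam@ringlet.net> Tue, 25 Mar 2014 18:05:11 +0200
+
+stunnel (3:4.33-1) experimental; urgency=low
+
+This version introduces support for reloading the configuration file
+and for closing/reopening log files. The init script has been
+updated to provide these options, and the default logrotate
+configuration has been updated to take advantage of them.
+
+
+-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Thu, 04 Feb 2010 19:52:23 -0800
+
+stunnel (3:4.28-1) unstable; urgency=low
+
+The default behaviour of the logrotate configuration for stunnel4
+has been changed. Instead of restarting stunnel after rotating the
+log files we now use the 'copytruncate' keyword. This avoids the
+problems associated with the restart, but introduces the possibility
+of loosing small amounts of log data. Please see Debian bugs
+#535915, #535924 and #323171 for more info.
+
+-- Luis Rodrigo Gallardo Cruz <rodrigo@debian.org> Wed, 25 Nov 2009 17:12:42 -0800
+
+stunnel (2:4.140-5) unstable; urgency=low
+
+stunnel/stunnel4 binaries are located in /usr/bin instead of
+/usr/sbin in order to be FHS compliant (they can be used by normal
+user). You need to update your scripts to refer to this new location
+
+-- Julien Lemoine <speedblue@debian.org> Sun, 19 Feb 2006 17:31:24 +0100
+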
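--- a/debian/stunnel4.conf.README
+++ b/debian/stunnel4.conf.README
@@ -0,0 +1,13 @@
+Stunnel 4 configuration files.
+
+Files found under the /etc/stunnel directory that end with .conf are
+used by the stunnel4 service as configuration files, and each will be
+used to start a daemon process setting up a tunnel with the given
+configuration. Note that this directory is initially empty, as the
+settings you may want for your tunnels are completely system dependent.
+
+In order to have the tunnels start up automatically on system boot you
+must *also* set ENABLED to 1 in /etc/default/stunnel4
+
+A sample configuration file with defaults may be found at
+/usr/share/doc/stunnel4/examples/stunnel.conf-sample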
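--- a/debian/stunnel4.default
+++ b/debian/stunnel4.default
@@ -0,0 +1,18 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=0
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""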
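Review bot: The header comment names `/etc/default/stunnel`, but the ppp hooks and debian/stunnel4.conf.README in this commit read `/etc/default/stunnel4`; the first line should be `# /etc/default/stunnel4` so administrators edit the file that is actually sourced. The ppp hooks load this file with `.`, so its contents run as shell code, presumably as root. A one-line comment would make that explicit: `# Sourced as shell by the init and ppp scripts; keep this file root-owned and not group- or world-writable.`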
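--- a/debian/stunnel4.examples
+++ b/debian/stunnel4.examples
@@ -0,0 +1,6 @@
+tools/ca.html
+tools/ca.pl
+tools/importCA.html
+tools/importCA.sh
+tools/openssl.cnf
+tools/stunnel.conf-sample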
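--- a/debian/stunnel4.install
+++ b/debian/stunnel4.install
@@ -0,0 +1 @@
+debian/StunnelConf-0.1.pl usr/share/doc/stunnel4/contrib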
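--- a/debian/stunnel4.links
+++ b/debian/stunnel4.links
@@ -0,0 +1,2 @@
+/usr/bin/stunnel4 /usr/bin/stunnel
+/usr/share/man/man8/stunnel4.8.gz /usr/share/man/man8/stunnel.8.gz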
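--- a/debian/stunnel4.lintian-overrides
+++ b/debian/stunnel4.lintian-overrides
@@ -0,0 +1,5 @@
+# No character arrays anywhere in this .so
+stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so
+
+# Not a typo at all.
+stunnel4: spelling-error-in-manpage usr/share/man/man8/stunnel4.8.gz CAs Case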
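Review bot: The `hardening-no-stackprotector` override for usr/lib/stunnel/libstunnel.so silences a hardening check permanently, and its justification `# No character arrays anywhere in this .so` does not say how the claim was established or when it should be re-checked. I would extend the comment so the next maintainer can verify it, for example `# libstunnel.so has no functions with local arrays, so the compiler emits no stack-protector references; re-check on every new upstream release.` Whether the build passes the stack-protector flags at all is not visible in this section.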
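--- a/debian/stunnel4.logrotate
+++ b/debian/stunnel4.logrotate
@@ -0,0 +1,13 @@
+/var/log/stunnel4/*.log {
+daily
+missingok
+rotate 365
+compress
+delaycompress
+notifempty
+create 640 stunnel4 stunnel4
+sharedscripts
+postrotate
+/etc/init.d/stunnel4 reopen-logs > /dev/null
+endscript
+}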
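Review bot: The stanza has no `su` directive, so logrotate rotates /var/log/stunnel4 with root privileges. `create 640 stunnel4 stunnel4` suggests the directory is writable by the unprivileged stunnel4 account, although its ownership is not shown in this commit. If that is the case, root would be renaming and creating files in a directory the service user controls, and current logrotate versions refuse to rotate in such a directory unless told which user to switch to. Adding `su stunnel4 stunnel4` inside the block (adjust the group to the directory's real one) keeps rotation within the service account's own privileges.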
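--- a/debian/stunnel4.manpages
+++ b/debian/stunnel4.manpages
@@ -0,0 +1,3 @@
+doc/stunnel4.8
+doc/stunnel4.pl.8
+debian/stunnel3.8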
21
debian/tests/certs/certificate.pem
vendored
Normal file
21
debian/tests/certs/certificate.pem
vendored
Normal file
@ -0,0 +1,21 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDfDCCAmSgAwIBAgIJAPFcHvXjRYbZMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
|
||||
BAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwGA1UEBwwFU29maWExEDAOBgNVBAoM
|
||||
B1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzA2MTIyMzAzMjdaFw0y
|
||||
NzA2MTAyMzAzMjdaMFMxCzAJBgNVBAYTAkJHMQ4wDAYDVQQIDAVTb2ZpYTEOMAwG
|
||||
A1UEBwwFU29maWExEDAOBgNVBAoMB1JpbmdsZXQxEjAQBgNVBAMMCWxvY2FsaG9z
|
||||
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp0QYS6IZ1To2h68NcZ
|
||||
zmnAQfzodFcD7Lhp2CcDOBXRrKfPq1NUqUXMGvcHcPbmT84W2OGGfh11MKvksuof
|
||||
4+juU4+1uujPJoOmREi7WjVzEVWUftvFUqeTigFz96EMsVui4UbTUxX6ACIsXXwg
|
||||
v1b/rpyVZJvTucKsyP5ml5OXaPFe5mXUQtdaJsjpV4ikq4O9vcYdMt0Y8IVbxpCO
|
||||
5CryW3KUHzBUS7uqO2nbLXZBOkJHCgxDawAlTeDRW/uJOl7nnSUgo0HiojG4qhY6
|
||||
spYmQ9ijtj1vX5H2tsf97rZCbU5JMFqX8XcJgTWKTYHlxkBYbB6QkPyhiOXDo/M/
|
||||
oJ8CAwEAAaNTMFEwHQYDVR0OBBYEFPwfXq4qd8stmvstPC3QdFL716XRMB8GA1Ud
|
||||
IwQYMBaAFPwfXq4qd8stmvstPC3QdFL716XRMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
|
||||
KoZIhvcNAQELBQADggEBADkuMAUB2Uyx23oN9ZxZsAWOdJoSUIWs4qxc5eQ/qjj7
|
||||
64zm62ZaVc8F6AyMYxHZvOKxvN/Pg19dSZelvTpgSqXLbirstRgsBCIXO2q6UYo2
|
||||
BUpZovZ4DOll+sAbmrZJRDiVO1XeCqqjr0v0I7NfJ5r31K1tfaZxGovUdC+M3xJ6
|
||||
yRrFWfF+EdlvVRFQt97mZXtcTDFWk7+CT6fgfLnCxTuMcSNtzM60FCBS5wz0MPSA
|
||||
BGje1qXUMzwN2T0aDyxWNRdvFGMHC8Z23EOa3roK+NybS2PVAu7MpxDTBZdHSGtG
|
||||
5wqY6fq5kww8OI9AlPNYVtqXrFrF6Lj5m/jhUHcAIUU=
|
||||
-----END CERTIFICATE-----
|
28
debian/tests/certs/key.pem
vendored
Normal file
28
debian/tests/certs/key.pem
vendored
Normal file
@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKdEGEuiGdU6No
|
||||
evDXGc5pwEH86HRXA+y4adgnAzgV0aynz6tTVKlFzBr3B3D25k/OFtjhhn4ddTCr
|
||||
5LLqH+Po7lOPtbrozyaDpkRIu1o1cxFVlH7bxVKnk4oBc/ehDLFbouFG01MV+gAi
|
||||
LF18IL9W/66clWSb07nCrMj+ZpeTl2jxXuZl1ELXWibI6VeIpKuDvb3GHTLdGPCF
|
||||
W8aQjuQq8ltylB8wVEu7qjtp2y12QTpCRwoMQ2sAJU3g0Vv7iTpe550lIKNB4qIx
|
||||
uKoWOrKWJkPYo7Y9b1+R9rbH/e62Qm1OSTBal/F3CYE1ik2B5cZAWGwekJD8oYjl
|
||||
w6PzP6CfAgMBAAECggEAf+TrUuamv5WLoEAyDyCdVg7/YL6UaDfxfhpXU2XkM1xu
|
||||
vuAg8haEjLRAwJdx1HdwKNgkEGx/FSroIV7ra53Tw11zalC6j8H1KauKbYv1k9hq
|
||||
Ne8GKN3Btl0tDHfvEk1LaYE+4Rg036g8F1qBgB3L4jDJZN+3W/1n10SCALxcuv4G
|
||||
XMJOcrhW3KBlEJpIBhz+ROPeiZX8VwB2iK7jg0Bebh7XuNFCFOiFqq6UfFRNeGBi
|
||||
Ca9rZdUP0YmxNPEXzGu1TEv1edX0Nf3jRKERQrZ3Sg6ogPcqQSQ1VP052Hc0Tqpl
|
||||
akrRrVMfbbQQIMc9JrxJmXb7/OHeS1R50Ci5x7weoQKBgQDwYSGSypJl6lWpgrm6
|
||||
5HuIem0AK9gmOAyiR0UdjMwVybeHhcldK8ABFcsdUt7v84+kCKkRhEX//QWjowMF
|
||||
0OJ2i7Y1VbdyNd7exPW5zmYAiBX+oR3JKMekjPRCUamg5P2fSrVqDHvz7WU7hoQb
|
||||
0jcIu8kwtPjw5uz13OWWbmEjTwKBgQDXnDZ0nQoXUO8VkNYaWQzukIcKdB71v2DZ
|
||||
KiaJvPFjTGPUwwd/kEcU7/wMet4UKff4XjOaX+f2tFZm+vrYs6RfqnLlRFlkhKJZ
|
||||
HColltm8KV6w+LnwkPUuY4HnDJepU6eBC2wtGPU1n1YXCwgDL+MTIpLFuveQ9w/N
|
||||
wTRP3USZsQKBgDy9Tm55IWT/QYYDskq3UT+7L6/LZGLD5u1adOxyl18qCWYFOEyC
|
||||
sZGUoC5YslyPfsxEI/R5J/b3SGWA21Ks5Yxu4Su47RG+6wH/YtgAf2XC/UvKCmy6
|
||||
EThTJaVcXTB6rFuD1TNm1Cte4SWZZ+hfxeg/CydzkzPMJjQ6DQll+sWhAoGBAKJj
|
||||
tV//JyqIeonznE4b4/GKSStGaksM6RSm+n+jHut7DXWhrnQVZnQOi/eaUsk9Etat
|
||||
nJAYy8yz5p+JSIUOSC8FYaPr5qgefWhAHj5Rb4yYXAlOTD0z8HYP3Db49QFDUFWR
|
||||
FNiig4zvhRe150L/PjebQpBKUUuNyQlfCtdb/98BAoGARMZNl+0FEzw714ataoWk
|
||||
1IPoe7oIzaoYTqPcpQT0AGOdfYRS3ffJFe2Foa0K7MVyxNA/OjyheYVtD2IgmoTv
|
||||
WkRr6xM4nphza595yB5q+psKwOdQvP5XsyiJOXDixzn+yFIqrdQlmBNZHT1z/jwr
|
||||
oBRWtTVO2aX5pBUjvBu3eQ0=
|
||||
-----END PRIVATE KEY-----
|
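Review bot: This file puts an unencrypted private key into the repository with nothing that marks it as test-only material. It pairs with debian/tests/certs/certificate.pem and is read by debian/tests/runtime, so it looks like a fixture, but anyone with the source has the key and it must never protect a real service. I would add a short debian/tests/certs/README saying that both files are public test data for the autopkgtest only, and confirm that debian/tests/ stays out of the binary package (debian/stunnel4.install and debian/stunnel4.examples in this commit do not list it). Generating a throwaway key pair inside the test at run time would avoid shipping key material at all.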
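--- a/debian/tests/control
+++ b/debian/tests/control
@@ -0,0 +1,6 @@
+Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime
+Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl
+Restrictions: allow-stderr
+
+Test-Command: debian/tests/upstream
+Depends: @, netcat-traditional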
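--- a/debian/tests/runtime
+++ b/debian/tests/runtime
@@ -0,0 +1,647 @@
+#!/usr/bin/perl
+
+use v5.14;
+use strict;
+use warnings;
+
+use AnyEvent;
+use AnyEvent::Handle;
+use AnyEvent::Socket qw(tcp_connect tcp_server);
+use AnyEvent::Util qw(portable_socketpair);
+use Fcntl qw(F_GETFD F_SETFD FD_CLOEXEC);
+use IO::Handle;
+use Path::Tiny 0.097;
+use POSIX qw(WNOHANG);
+use Socket;
+
+# AnyEvent's TLS support seems to require this...
+use threads;
+
+my %children;
+my $child_reaper_w;
+
+my $greeting = 'Well hello there!';
+
+sub reap_leftover_children();
+sub child_reaper();
+
+sub register_child_reaper()
+{
+$child_reaper_w = AnyEvent->signal(
+signal => 'CHLD',
+cb => \&child_reaper,
+);
+$SIG{__DIE__} = sub {
+my ($msg) = @_;
+warn "__DIE__ handler invoked: ".($msg =~ s/[\r\n]*$//sr)."\n";
+reap_leftover_children;
+};
+}
+
+sub unregister_child_reaper()
+{
+undef $child_reaper_w;
+}
+
+sub child_reaper()
+{
+while (1) {
+my $pid = waitpid -1, WNOHANG;
+my $status = $?;
+
+if (!defined $pid) {
+die "Could not waitpid() in a SIGCHLD handler: $!\n";
+} elsif ($pid == 0 || $pid == -1) {
+last;
+} else {
+$children{$pid}{cv} //= AnyEvent->condvar;
+$children{$pid}{cv}->send($status);
+}
+}
+}
+
+sub register_child($ $)
+{
+my ($pid, $desc) = @_;
+
+# Weird, but we want it to be at least reasonably atomic-like
+$children{$pid}{cv} //= AnyEvent->condvar;
+
+my $ch = $children{$pid};
+$ch->{pid} = $pid;
+$ch->{desc} = $desc;
+}
+
+sub dump_children()
+{
+join '', map {
+my $ch = $children{$_};
+
+"\t$ch->{pid}\t".
+($ch->{cv}->ready
+? $ch->{cv}->recv
+: '(none)'
+).
+"\t$ch->{desc}\n"
+} sort { $a <=> $b } keys %children
+}
+
+sub wait_for_child($)
+{
+my ($pid) = @_;
+
+if (!defined $children{$pid}) {
+die "Internal error: wait_for_child() invoked for ".
+"unregistered pid $pid\n".dump_children;
+}
+my $status = $children{$pid}{cv}->recv;
+delete $children{$pid};
+return $status;
+}
+
+sub reap_leftover_children()
+{
+say 'Oof, let us see if there are any children left';
+if (!%children) {
+say 'Everyone has been accounted for; great!';
+return;
+}
+
+for my $pid (keys %children) {
+my $ch = $children{$pid};
+if ($ch->{cv}->ready) {
+my $status = wait_for_child $pid;
+say "Hm, child $pid seems to have finished already, status $status";
+}
+}
+if (!%children) {
+say 'Everyone has actually been accounted for; great!';
+return;
+}
+
+for my $pid (keys %children) {
+say "Pffth, sending a SIGKILL to $pid";
+kill 'KILL', $pid;
+}
+for my $pid (keys %children) {
+my $ch = $children{$pid};
+if ($ch->{cv}->ready) {
+wait_for_child $pid;
+say "OK, $pid done";
+}
+}
+# Bah, figure out some way to let the loop run even if we're within the loop...
+if (%children) {
+say 'Some children remaining, laying low for a second...';
+sleep 1;
+for my $pid (keys %children) {
+say "- waiting for $pid ($children{$pid}{desc})";
+wait_for_child $pid;
+say "- OK, $pid done";
+}
+}
+if (%children) {
+say 'Something really weird happened, why are there still children around?';
+say dump_children;
+}
+}
+
+sub close_on_exec($ $)
+{
+my ($fh, $close) = @_;
+
+my $flags = fcntl $fh, F_GETFD, 0 or
+die "Could not obtain a file descriptor's flags: $!\n";
+my $nflags = $close
+? ($flags | FD_CLOEXEC)
+: ($flags & ~FD_CLOEXEC);
+fcntl $fh, F_SETFD, $nflags or
+die "Could not set a file descriptor's flags: $!\n";
+}
+
+sub anyevent_socketpair($)
+{
+my ($name) = @_;
+my ($fh1, $fh2) = portable_socketpair;
+if (!defined $fh1) {
+die "Could not create the $name socketpair: $!\n";
+}
+$fh1->autoflush(1);
+$fh2->autoflush(1);
+return (AnyEvent::Handle->new(fh => $fh1), AnyEvent::Handle->new(fh => $fh2));
+}
+
+sub find_listening_port($ $ $ $ $)
+{
+my ($address, $port_start, $step, $count, $cb) = @_;
+
+my $res;
+my $port = $port_start;
+for (1..$count) {
+eval {
+$res = tcp_server $address, $port, $cb;
+};
+last if $res;
+say "Could not listen on $address:$port: $@";
+$port += $step;
+}
+if (!defined $res) {
+die "Could not find a listening port on $address\n";
+}
+return ($port, $res);
+}
+
+my %conns;
+
+sub register_client_connection($)
+{
+my ($fh) = @_;
+
+my $sockaddr = getsockname $fh;
+if (!defined $sockaddr) {
+die "Could not obtain the local address of the just-connected socket: $!\n";
+}
+my ($port, $addr_num) = sockaddr_in $sockaddr;
+if (!defined $port || !defined $addr_num) {
+die "Could not decode the address and port from a sockaddr_in structure: $!\n";
+}
+my $addr = inet_ntoa $addr_num;
+if (!defined $addr) {
+die "Could not decode a numeric address: $!\n";
+}
+
+my $id = "$addr:$port";
+$conns{$id}{cv} //= AnyEvent->condvar;
+$conns{$id}{fh} //= $fh;
+return $id;
+}
+
+sub await_client_connection($ $; $)
+{
+my ($lis_main, $cv, $skip_register) = @_;
+
+my $die = sub {
+warn "@_";
+$cv->send(undef);
+};
+
+$lis_main->rtimeout(10);
+$lis_main->on_rtimeout(sub { $die->("The listener's accept message timed out\n") });
+$lis_main->push_read(line => sub {
+my ($handle, $line) = @_;
+
+if ($line !~ m{^ accept \s+ (?<id> \S+ ) $}x) {
+return $die->("The accept server did not send an 'accept' message: $line\n");
+}
+my ($id) = $+{id};
+$conns{$id}{cv} //= AnyEvent->condvar unless $skip_register;
+
+$lis_main->rtimeout(10);
+$lis_main->on_rtimeout(sub { $die->("The listener's close message timed out\n") });
+$lis_main->push_read(line => sub {
+my ($handle, $line) = @_;
+
+if ($line !~ m{^ close \s+ (?<id> \S+ ) $}x) {
+return $die->("The accept server did not send an 'close' message: $line\n");
+}
+my ($cid) = $+{id};
+if ($cid ne $id) {
+return $die->("The accept server's 'close' message had id '$cid' instead of the accepted one '$id'\n");
+}
+$lis_main->rtimeout(0);
+$cv->send($id);
+});
+});
+}
+
+sub adopt_client_connection($ $)
+{
+my ($id, $opts) = @_;
+
+my $w;
+my $do_close = sub {
+my ($err) = @_;
+$w->push_shutdown;
+$w->destroy;
+undef $w;
+undef $conns{$id}{handle};
+#close $conns{$id}{fh};
+if (defined $err) {
+warn "$err\n";
+$conns{$id}{cv}->send(undef);
+} else {
+$conns{$id}{cv}->send(1);
+}
+};
+$w = AnyEvent::Handle->new(
+fh => $conns{$id}{fh},
+
+%{$opts}, # TLS or something?
+
+on_error => sub {
+my ($handle, $fatal, $message) = @_;
+
+if (!$fatal) {
+warn "A non-fatal error occurred reading from the $id connection: $message\n";
+} else {
+$do_close->("A fatal error occurred reading from the $id connection: $message");
+}
+},
+
+rtimeout => 10,
+on_rtimeout => sub {
+$do_close->("Reading from the $id connection timed out");
+},
+);
+
+$w->push_read(line => sub {
+my ($handle, $line) = @_;
+$w->rtimeout(0);
+if ($line ne $greeting) {
+$do_close->("The $id connection sent us a line that was not the greeting: expected '$greeting', got '$line'");
+} else {
+$do_close->(undef);
+}
+});
+
+$conns{$id}{handle} = $w;
+}
+
+sub client_connect($ $ $)
+{
+my ($address, $port, $cv) = @_;
+
+return tcp_connect $address, $port, sub {
+my ($fh) = @_;
+if (!defined $fh) {
+die "Could not connect to the cleartext listening socket on $address:$port: $!\n";
+}
+my $id = register_client_connection $fh;
+say "Connected to $address:$port, local $id";
+$cv->send($id);
+
+adopt_client_connection($id, {});
+};
+}
+
+MAIN:
+{
+my $stunnel = $ENV{TEST_STUNNEL} // 'stunnel4';
+my $test_done = AnyEvent->condvar;
+
+my ($certsdir, $certfile, $keyfile);
+for my $name (qw(certs debian/tests/certs)) {
+my $dir = path($name);
+if (-d $dir) {
+$certfile = $dir->child('certificate.pem');
+$keyfile = $dir->child('key.pem');
+if (-f $certfile && -f $keyfile) {
+$certsdir = path($dir);
+last;
+}
+}
+}
+die "Could not locate the test certificates directory\n" unless defined $certsdir;
+say "Found the certificate at $certfile and the private key at $keyfile";
+
+my $tempdir = Path::Tiny->tempdir;
+say "Using the $tempdir temporary directory";
+
+register_child_reaper;
+
+{
+say 'About to get the stunnel version information';
+pipe my $s_in, my $s_out or die "Could not create an fd pair: $!\n";
+close_on_exec $s_in, 0;
+close_on_exec $s_out, 0;
+
+my $pid = fork;
+if (!defined $pid) {
+die "Could not fork for stunnel: $!\n";
+} elsif ($pid == 0) {
+open STDERR, '>&', $s_out or
+die "Could not reopen stderr in the child process: $!\n";
+close STDIN or
+die "Could not close stdin in the child process: $!\n";
+close STDOUT or
+die "Could not close stdout in the child process: $!\n";
+close $s_in or
+die "Could not close the reader fd in the child process: $!\n";
+
+exec $stunnel, '-version';
+die "Could not execute '$stunnel': $!\n";
+}
+register_child $pid, "$stunnel -version";
+close $s_out or
+die "Could not close the writer fd in the parent process: $!\n";
+
+my ($got_version, $before_version) = (undef, '');
+my $eof = AnyEvent->condvar;
+my $f_out = AnyEvent->io(
+fh => $s_in,
+poll => 'r',
+cb => sub {
+my $line = <$s_in>;
+
+if (!defined $line) {
+$eof->send($got_version);
+} elsif (!$got_version) {
+if ($line =~ m{^
+stunnel \s+
+(?<version> \d+ \. \S+)
+\s+ on \s+
+}x) {
+$got_version = $+{version};
+} else {
+$before_version .= $line;
+}
+}
+});
+$eof->recv;
+
+if ($before_version ne '') {
+warn "stunnel produced output before the version number:\n$before_version\n";
+}
+if (!defined $got_version) {
+die "Could not get the stunnel version number\n";
+}
+say "Got stunnel version $got_version";
+
+my $status = wait_for_child $pid;
+if ($status != 0) {
+die "stunnel -version did not exit successfully, status $status\n";
+}
+}
+
+my ($lis_listener, $lis_main) = anyevent_socketpair 'listener';
+my $listen_address = '127.0.0.1';
+my %listen_clear_conns;
+my ($listen_clear_port, $listen_clear) = find_listening_port $listen_address, 6502, 200, 100, sub {
+my ($fh, $host, $port) = @_;
+my $id = "$host:$port";
+
+say "Accepted a connection from $id";
+$lis_listener->push_write("accept $id\n");
+my $w;
+my $do_close = sub {
+$w->destroy;
+delete $listen_clear_conns{$id};
+};
+$w = AnyEvent::Handle->new(
+fh => $fh,
+
+on_error => sub {
+my ($handle, $fatal, $message) = @_;
+
+warn "A ".($fatal ? 'fatal' : 'non-fatal').
+"error occurred writing to the $id connection: $message\n";
+$do_close->();
+},
+
+timeout => 10,
+on_timeout => sub {
+my ($handle) = @_;
+
+warn "Writing to the $id connection timed out\n";
+$do_close->();
+},
+
+on_read => sub {
+my ($handle) = @_;
+
+warn "The $id connection sent data to the server?!\n";
+$do_close->();
+},
+
+on_eof => sub {
+my ($handle) = @_;
+
+say "Got an eof from $id, all seems well";
+$do_close->();
+$lis_listener->push_write("close $id\n");
+},
+);
+$w->push_write("$greeting\n");
+$w->push_shutdown;
+$listen_clear_conns{$id} = $w;
+};
+say "Listening for cleartext connections on $listen_address:$listen_clear_port";
+
+{
+my $listener_test_id_cv = AnyEvent->condvar;
+my $check_listen_clear = client_connect $listen_address, $listen_clear_port, $listener_test_id_cv;
+my $id = $listener_test_id_cv->recv;
+if (!defined $id) {
+die "Could not connect to the cleartext server\n";
+}
+say "Got a local connection id $id";
+my $listener_test_done = AnyEvent->condvar;
+await_client_connection $lis_main, $listener_test_done;
+say 'Waiting for the server to acknowledge a completed client connection';
+my $sid = $listener_test_done->recv;
+if (!defined $sid) {
+die "The listener did not acknowledge the connection\n";
+} elsif ($sid ne $id) {
+die "The listener did not acknowledge the same connection: expected '$id', got '$sid'\n";
+}
+say 'Waiting for the client connection itself to report completion';
+my $res = $conns{$id}{cv}->recv;
+if (!defined $res) {
+die "The client connection did not complete the chat with the cleartext server\n";
+}
+say 'Looks like we are done with the test cleartext connection!';
+}
+
+my $st_server_port;
+{
+my $dummy;
+($st_server_port, $dummy) = find_listening_port $listen_address, 8086, 200, 100, sub {
+my ($fh) = @_;
+say "Eh, we really didn't expect a connection here, did we now...";
+$fh->close;
+};
+say "Got listening port $st_server_port for the stunnel server";
+undef $dummy;
+say 'Let us hope this was enough to get stunnel to listen there...';
+}
+
+my ($st_pid, $st_logfile);
+{
+my $st_config = $tempdir->child('stunnel.conf');
+$st_logfile = $tempdir->child('stunnel.log');
+my $st_pidfile = $tempdir->child('stunnel.pid');
+$st_config->spew_utf8(<<"EOCONF") or die "Could not create the $st_config stunnel config file: $!\n";
+pid = $st_pidfile
+foreground = yes
+output = $st_logfile
+
+cert = $certfile
+key = $keyfile
+
+[test]
+accept = $listen_address:$st_server_port
+connect = $listen_address:$listen_clear_port
+EOCONF
+say "Created the stunnel config file $st_config:\n======\n".$st_config->slurp_utf8.'======';
+
+$st_pid = fork;
+if (!defined $st_pid) {
+die "Could not fork for the stunnel server: $!\n";
+} elsif ($st_pid == 0) {
+my @cmd = ($stunnel, $st_config);
+exec { $cmd[0] } @cmd;
+die "Could not execute '@cmd': $!\n";
+}
+say "Started the stunnel server, pid $st_pid";
+register_child $st_pid, "stunnel server ($listen_address:$st_server_port)";
+}
+
+{
+for my $iter (1..10) {
+say "Trying a connection through stunnel, iteration $iter";
+
+my $st_conn_cv = AnyEvent->condvar;
+my $st_conn;
+{
+my $st_conn_attempts = 10;
+my $st_conn_timer;
+$st_conn_timer = AnyEvent->timer(after => 0.1, interval => 1, cb => sub {
+say "Trying to connect to the stunnel server at $listen_address:$st_server_port";
+$st_conn = tcp_connect $listen_address, $st_server_port, sub {
+my ($fh) = @_;
+if (!defined $fh) {
+# FIXME: Eh, well, reschedule, right?
+say "Could not connect to $listen_address:$st_server_port: $!";
+if ($children{$st_pid}{cv}->ready) {
+say 'Err, the stunnel process seems to have terminated';
+undef $st_conn_timer;
+$st_conn_cv->send(undef);
+return;
+}
+$st_conn_attempts--;
+if ($st_conn_attempts == 0) {
+say 'Time after time...';
+undef $st_conn_timer;
+$st_conn_cv->send(undef);
+return;
+}
+say 'Will retry in a little while';
+return;
+}
+say '...connected!';
+$st_conn_timer = undef;
+$st_conn_cv->send($fh);
+};
+});
+}
+
+my $st_conn_fh = $st_conn_cv->recv;
+if (!defined $st_conn_fh) {
+my $log_text = (-f $st_logfile)
+? "$st_logfile contents:\n".$st_logfile->slurp_utf8
+: "(no log information)";
+$log_text .= "\n" unless $log_text =~ /\n\Z/ms;
+die "Could not connect to the stunnel service:\n$log_text";
+}
+my $id = register_client_connection $st_conn_fh;
+say "Registered a client connection as $id";
+adopt_client_connection $id, { tls => 'connect', };
+say 'Waiting for the cleartext listener to receive this connection';
+my $stunnel_test_done = AnyEvent->condvar;
+await_client_connection $lis_main, $stunnel_test_done, 1;
+my $sid = $stunnel_test_done->recv;
+if (!defined $sid) {
+die "The listener did not acknowledge the connection\n";
+} elsif ($sid eq $id) {
+die "The listener reported the same connection ID '$id'?!\n";
+}
+say "The server reported a completed connection: $sid";
+my $res = $conns{$id}{cv}->recv;
+if (!defined $res) {
+die "The connection to stunnel did not report a successful chat\n";
+}
+say "The stunnel connection seems to have gone through for iteration $iter";
+}
+}
+
+{
+say "Trying to stop stunnel at pid $st_pid";
+kill 'TERM', $st_pid or
+die "Could not send a terminate signal to the stunnel at pid $st_pid: $!\n";
+my $status = wait_for_child $st_pid;
+if ($status != 0) {
+die "The stunnel process terminated with exit status $status\n";
+} else {
+say 'The stunnel process terminated successfully';
+}
+}
+
+{
+say 'Checking for leftover children';
+
+if (%children) {
+# Our 'die' handler will kill and reap them.
+die "Child processes left over:\n".
+dump_children;
+} else {
+say 'No child processes left over';
+}
+
+unregister_child_reaper;
+};
+
+{
+say 'Making sure the AnyEvent loop is still sane';
+
+if ($test_done->ready) {
+die "The AnyEvent loop raised the flag prematurely\n";
+}
+
+$test_done->send(42);
+my $res = $test_done->recv;
+if ($res != 42) {
+die "The AnyEvent loop does not seem to be quite alive and sane, got a result of '$res' instead of 42\n";
+}
+say 'Fine!';
+};
+}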
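Review bot: The TLS leg of the test never authenticates stunnel: `adopt_client_connection $id, { tls => 'connect', };` starts a client handshake with AnyEvent's default TLS context, which does not verify the peer certificate. The test would therefore also pass if stunnel served a certificate other than the configured one, or if another TLS listener took the probed port, which is released with `undef $dummy` before stunnel binds it. The self-signed test certificate is already in `$certfile`, so the call can pin it: `adopt_client_connection $id, { tls => 'connect', tls_ctx => { verify => 1, ca_file => "$certfile" } };`. Separately, the `$SIG{__DIE__}` handler set in register_child_reaper also runs for exceptions caught by the `eval` in find_listening_port, so a busy port would trigger reap_leftover_children and SIGKILL any registered child. A first line `die @_ if $^S;` in the handler limits it to uncaught errors.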
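--- a/debian/tests/upstream
+++ b/debian/tests/upstream
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+ln -s /usr/bin/stunnel4 src/stunnel
+
+cd tests
+if ! ./make_test; then
+printf '\n\n=== Some tests failed; here are all the logs...\n\n' 1>&2
+for fname in logs/*.log; do
+printf -- '\n\n=== %s\n\n' "$fname" 1>&2
+cat -- "$fname" 1>&2
+done
+false
+fi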
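Review bot: The `ln -s /usr/bin/stunnel4 src/stunnel` line is unguarded, so under `set -e` the script aborts before `./make_test` runs if `src/stunnel` already exists (for example in a tree that was built first), and nothing checks that the link target is present. I would write `ln -sf /usr/bin/stunnel4 src/stunnel` and precede it with `test -x /usr/bin/stunnel4`, so a failure points at the missing package rather than at the test suite. The link presumably exists so that the upstream tests exercise the installed binary; a comment such as `# Run the upstream suite against the packaged stunnel4, not a build-tree binary` would record that.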
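--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -0,0 +1,5 @@
+Name: stunnel
+Bug-Submit: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
+Contact: https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
+FAQ: https://www.stunnel.org/faq.html
+Security-Contact: Michal Trojnara <Michal.Trojnara@stunnel.org>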
111
debian/upstream/signing-key.asc
vendored
Normal file
111
debian/upstream/signing-key.asc
vendored
Normal file
@ -0,0 +1,111 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1
|
||||
|
||||
mQINBFTU6YwBEAC6PP7E4J6cRZQsJlFE+o3zdQYo7Mg2sVxDR6K9Cha52wn7P0t0
|
||||
hHUd0CSmWyfjmYUy3/7jYjgKe4oiGzeSCVK8b3TiX3ylHi/nW3mixwpDPwFmr5Cf
|
||||
ce55Ro3TdIeslRGigK8Hl+/l4n9c9z/AiTvcdAEQ34BJhERce4/KFx+/omiaxe7S
|
||||
fzzU/+52zy+v4FfnclgRQrzrD8sxNag6CQOaQ8lTMczNkBkDlhQTOPYkfNf76PUY
|
||||
kbWpcH7n9N50nddjEaLf7DPjOETc4OH/g5a99FSEJL7jyEgn+C8RX7RpbbAxCNlX
|
||||
1231NZoresLmxSulB6fRWLmhJ8pES3sRxE1IfwUfPpUZuTPzwXEFJY6StY5OCVy8
|
||||
rNFpkYlEePuVn74XkGbvv7dkkisq4Hp59zfIUaNVRod0Xk2rM8Rx8d5IK801Ywsn
|
||||
RyzCE02zt3N2O4IdXI1qQ1gMJNyaE/k2Qk8buh8BsKJzZca34WGocHOxz2O5s7FN
|
||||
Q1pLNpLmuHZIdyvYqcsenLz5EV8X2LztRmJ3Se4ag/XyXPYwS6lXX1YUGVxZpk0E
|
||||
sQDRdJvYCsGcUy253w+W7Nm/BtjKi6/PJmjEEU7ieHppR9Yp+LI3lyzNBeZAIVqk
|
||||
4Hco05l4GUKtEDFfOQ58sULDqJWmpH4T72DHeCpfRB0guaPa5TYY7B0umQARAQAB
|
||||
tC5NaWNoYcWCIFRyb2puYXJhIDxNaWNoYWwuVHJvam5hcmFAc3R1bm5lbC5vcmc+
|
||||
iQI4BBMBAgAiBQJU1Q1lAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCx
|
||||
BIky3Tqqo71TEACWO31ZIOrknCsgmE90Q0yBPYD8CA8aM9OLO9qVYRR+SKQ6VAFn
|
||||
/qWCoG/z3aMOUJJFDMmBDTSiGZ43jReQVc1PvoNUKFXkD13vrDNGg+IMr+jefjy/
|
||||
RkFC5rdIAOzl6nMRFH5D/KDtvuXUGfjaN9NorCyv5acOa6GinTFANHYW79DSvt0d
|
||||
aTG0RFimVTKtAh8oxxBGGUvZ/60SJT5I3pwKKX5t6t+LaUgUz/55p5j36dyhZTmk
|
||||
X6jVyczkfjBwy9i2jD8kZ1w+EQOPGy1hHCHaaN5ku3Bh4hiZrlh8ncpipOMeOJ5Y
|
||||
71Cze/JROyu3jkR/59LuPJLbUkwNPZXuMM+D4EY19NWKqWFgcsjaF5juS36xgblQ
|
||||
odAOXBZcnzH14bxlRElWNLhMib+piIL0BaK2cpplwJ+bzQRkyWzqrl5xu/AeE/fQ
|
||||
BdeRxL1jg4e9Ozei4Pkz0acoxIg2mdR6b36UpOWKvBQYZ8m4TbsWBRrDjcxKeul7
|
||||
ObsodFoGTteRxqN9glhNd+n5bJAesGzUN86e3NmCoxCUQMaKlrMEVUMwaaSOVWYN
|
||||
CfwXSe42dK2ZrV4psIYIwfktTkF60N3KeBbTs7/HhS/R229+lQCL90bcKRiv2Szc
|
||||
vqR6v78xnbnANm0SX/b6M7xNBf8lWXwS9TlR9AzA4XC7FqNLYTMGV56TmLQrTWlj
|
||||
aGHFgiBUcm9qbmFyYSA8TWljaGFsLlRyb2puYXJhQG1pcnQubmV0PokCOAQTAQIA
|
||||
IgUCVNTpjAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQsQSJMt06qqOP
|
||||
9Q/+MNv7sHcx1y4xH4iysPmjL+ABTonZeUIW/j1Mlgve8jxta7ApuDm0WIgMQd/p
|
||||
WgjG88g/2hSs1DRmuo67pP+v3l+HgmhQaqQe9XoaQHyygfrDwGEKAjA5++6hg88X
|
||||
F5GNuchUoY2wHCLByuxdaaT9wDSUGHzj+VlQYcaVqry/u8+wRhuxr89avh7nebj2
|
||||
Dw1qkIuR6+wuaYAU19mazzmdnDLh/3rYHT7vVJt751JHyx4fnJtKI7eDWxpSGfhc
|
||||
K63SWtHToJKg4jbdIZMORVVvOetpRbPvF8qoR32LZSfF/rPJtNhWgcsLUCpZn6Ey
|
||||
G6jigx8mhY2WupRNHutSES+qKNffCMi7fbpQfl4wJqzlNxJJK1zGu2ox255l+fXJ
|
||||
eQJh7fvvcNieuQApKhOL+mOz1fyRnUhx/GjGncOmCgZldTLEF8DeHuuluXgFlDXJ
|
||||
cX6poh7vyt3uJ14SCyiV1cLnXmCoxXRmQNlb4zTGoAvfOw/DFH3EzQ44dK/Z1HOI
|
||||
fJeYILxe+JP2E8TNXUvr/wck12yQ8kaqFzHSQBcV+0S49+pIpoK475LVrOs6S9Jj
|
||||
hMt4WVfX4PY+IE8wGnZyJw1gvPXdk1P98lHR/Fv0WG/kWiemrDXPM1tjnIas6EGm
|
||||
zxT/iywGF4tdsVHviETVgRGpKHgEtB/hwsCeGUTAmHDbXQS0L01pY2hhxYIgVHJv
|
||||
am5hcmEgPE1pY2hhbC5Ucm9qbmFyYUBtb2JpLWNvbS5uZXQ+iQI4BBMBAgAiBQJU
|
||||
1Q03AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCxBIky3TqqoyVkEACt
|
||||
MHa7x5PQ0ZNJ8TrvVd/VrT5USuHwwFwnnsYUNzSc95gSwSEaPC3xwgs9cX3VRmOw
|
||||
b3IiCQQ7R0EamH/ydmZnlesbCsnamLl6dEmzS284lnnMd5X0wep2qq3SlS1z+5wW
|
||||
4ZnoodX98E7RyecjMYPLH+uAqGqg3nHG8eOpoSDMvIOJtOIvDc9Y6tbNsBbeKbOC
|
||||
yB7A08TMzVqayQvXzm6QShHTicra69oqIzhmu2zII3ZWVwkfEGweuN0vdocoXiqr
|
||||
entcyF3KLUX/LooDzdCAxuoJdovg41E69rXEWF//IP5XBT0LUDTzqwmBe7nOfoJF
|
||||
2RAHn3ySogdL6WNSGaH5B5NK1jGflj/Hr/HBHIYYx820P4aEXSyxbLQW1F0HWlAA
|
||||
Q9+EmjJssbv7cIq2DV2Ls3AOeY0GAWhTdvUVdVpOG+TuWRUi61XwjWPfvrJDH8ME
|
||||
oLRb2MhNRffle8hSdF8TP4CO1TCxtSFs0NXT1I/HazvacHzvbXspFDJvbYJsy+pR
|
||||
vOsf2QCcY5xb633duU60+IHJ9GMOV/ZqQR744wAxu+e/ZHpa2+mpI9VpTMuBTMFC
|
||||
OQKbiLacsDJtFqsenZAyhcTU4DPFa0bkMO67Gwl0skuk2x8/0R3EgJ9JvNlsEz6v
|
||||
BaHpWhEddU1m6FMKKZkfo0xnyFr/WPT6zti9iKTnIbkCDQRU1OvDARAA8gIC641d
|
||||
K6ap9W1K3EkqRn0z6zizdVGr/jvf8xFXeUq+auxixZ0tEY6NM5CBSya5BCK9IGVW
|
||||
mJNbazyWUa4llA6EvmUxcTeGE7ppQA4Kl1bzvUq5upo+8+0VuqvLC/bVz0DUnFSW
|
||||
JYHAZrPZ+yO0yMq8vaGTo5kwKixQ4Ni+N+1EiALKZex1g6UW9d0HAcYEa/lTWhz3
|
||||
J0V1yyY4Vov30gtoo67KkSC/SswZzIR00CQGrz3twlGuB73Sm1YfqDqbY8dQLJey
|
||||
U0ovIeU95VI5cQF6D1H8YdaMWQm6MtVAfIX5WMoH+eq4Ank9hilReGANkIWNSqM2
|
||||
1Drdu3crbGIYiZPEadKfGxwquwvRDTEgD4gjqMvEdxA2W6s4WR36SwMkeOtESj21
|
||||
MiR2YDcbIzIbUh9p0P8DZGvQcVh45jCgdOcL5th9R076npXHn8FIe2IfAZnX1Onp
|
||||
sKn/YqJ0wNFhGYWxV/yZA10NbFKFXhD1FGqrOz6lSqmqDz00tXofF432ae+7PzTP
|
||||
9n4cij4k0SYG1l/LThnOYL3SNUCG3rCASeWoXmhxCYRGi0Xw3IJrcpVNmNQD+SLL
|
||||
TjVB94AlDjSlx1q0V+9ymhGHi51wsBSajMwDexaSI/WM1y9lROwl7eeAD41fPArz
|
||||
TleAqT89akWLevTBLWvj59mku9vZAW26/1UAEQEAAYkCHwQYAQIACQUCVNTrwwIb
|
||||
DAAKCRCxBIky3Tqqo2NCEACHJ7e0l8NhS4slfzej1AAXOwL1wDexn6thpgexAyqZ
|
||||
LIaibqhIybhSo1LOL1NY/55ytscbOQL7NliRAXVN6F9lcer+qzxL5JgxzUU6drya
|
||||
pNZYs06u3wfr8ZtSbvIAON/w89tm9tHxoNUIYZZUZROFBW6fn8RkhboQs0hJFxWf
|
||||
WghOxhS0TXJ8/MZ4YcfDy+Ew6LIAym3A1XY+++2VMEHqKcyhU95W5sqAsfO5MkRW
|
||||
a0E9JTS2dWTteNTWPonywJGX/mSVVMZgOZF6o32Vb9LTnB676YQaPiMlu2qg+vRk
|
||||
RM/zyGjvPx7hilf68CWxZcIHslfp5gJV6RvtlK+muEvIkSmNYyi8hQp1Y5C6uWb9
|
||||
JWt/9ISJ+Xz+n+5nAHEUzW/LeEDyhjVlS9vOoAAy18r47mQybzJ2q2zOHo9zl3fK
|
||||
OJ2S4SFBKGHuIhPOxG2CruhxN9U5+RwTDqKECeuCZROMYQLzlmIP2vM/NuFVhQm8
|
||||
iNhbTvEenh4mWD4IuOHJkqvzKKzAXllosuUK4B0kblh4GaOVmEjaXGw8789rOlQz
|
||||
D5566SgKPDNUtom5/eIcy6/UYBoFd7lLltIVSSCA1VUMU4MWJgjwa9gk6MxoNe8d
|
||||
cJ197oQMfhZNjJ80S5C+a2al4wrR2vL/3hXhy2M2kG73RLSzxEiVoJsG+hbzNtfI
|
||||
a7kCDQRU1O5ZARAA1pGrQ1V3YMXF3DzwvA/uWb912pwqUvMAAKvYCDiELIOP07c3
|
||||
2+z04N/bOXjiZ2Jb8AuICj4v92tXAygtf18zxwoU8AOXiuScP3wy1ZprBw8k71dN
|
||||
y0XmEXbiX7tkLoe0OzWlCaNTajSXTELT+nYHTOkBsrC4T+y7AwYueQJYUaRkJR/5
|
||||
Tc68UnRSO295pgJd7EoWWAky3bdH+TKN0MsagCJwa+RrXFGtIKjU0XAKsddTxQKx
|
||||
2SUGF0QVdNZ/14Duo73btoXtHgB0oxewnsiJp5XKWYm57RSNLv1LKr26iSUtUM1C
|
||||
AIZALuGMAyQXVEo7OmzuZmN0yRYM7FSnpG4rIDnDxYhDTaa+xWb738V8uLQDZAVn
|
||||
AuBEhq1RQEDrRM/XLbibvVBzpd+JI9WneNEp0ehq5sEC6FbKYz0HqVk2SH1Dpb0t
|
||||
grtxz3c7rPs7vRdmFMxTuYctSzuqNHpKX+C6rgyAW2sxEKD0ys8OYEa3hvrQFSAz
|
||||
nM/j3X8dge1DriHIQd/Dt4+LMdPcsQk3vty7pYxZIDRa9hl7ngaesQSZ/7PV/cj7
|
||||
U7qieTr1ulO1Gc5GcyS2Hu4P9109HX1tBEQvGHpbqe9Lc2d0VKgHVjG9vDLrE1h/
|
||||
qXKbmn0LF1YR4djaM+sYCfYOO+WzZKUACPdMq3Lid/3oQ71p6eNgu6lQcgEAEQEA
|
||||
AYkEPgQYAQIACQUCVNTuWQIbAgIpCRCxBIky3Tqqo8FdIAQZAQIABgUCVNTuWQAK
|
||||
CRAu/H/w1BbgFNx6EACR7CKB3Mv2lNaRRraVRwjNrumyODqsnX/oe3lad04iCBb9
|
||||
JxGyNyTGF0s6teoaocXxIeZ50bF7GuYcnepMGpniMCkE2ymlM6ruFNNTUYC02Fsr
|
||||
owKQboC7S5DN2l7lb4nlgyDX7nOlOMmhTc3D/QsduMyS9H5kjFFKtzLYOwREV/RH
|
||||
I/wQUyTyze8qs/BxpT3/HsSJuGZybLSd/fmeM43xghcdfDgKTaGkFkhhW7UWgtOh
|
||||
QtYxr0VD4HEw4C+nMyksqKAIFMBjJAqtsuWeSgavVrbU8KrzlcJFHSrovZ7Pi0mK
|
||||
MYHGomPstZcZxwr15t3BhDvogMSRscU1mLUigLEGiWxPVxtQlmHTZfMns4Cy04S7
|
||||
jK4Gix0PN4Xi/9rOcLFCb5zddcLVrqiuT+dt/O/TPKUKHTvLL1gF4Dlypbu8TQWt
|
||||
O7xDSPy7wSdPWUN5GBjsxbZfVlWpvvVMmGUuygIl0LkrJLKGxk36AnNpEPqsQ9e9
|
||||
Rsgu5dP9lGPz3igxE3p+UlhWo5eqJqZwAfEFb+0PQzKSQ6zIFQAf50eSI/pWf+Xp
|
||||
9XOT47d4y8aWzHA7T/ja9tbyd+eg71ZOqOFtVP8zFWvmPnoosxrBR7qK/RBY5/PX
|
||||
KhfG10yEYXSjTap4dmsy430l8Mcuqo55iixgT5vxZfTeyFjTjHmjuHD1rTTfpXk4
|
||||
D/9GI9cIfrWczhrbWN8BoP66ImMXpVhZzDt6S5u9dHSNJdqivDzCkktb/psXILvv
|
||||
u3qLmb1nJbsNzN9GJm6LoduzCJ4SqaodjhMkNi/Tc95dx0n2cCP2Rh/jvzo7zrqQ
|
||||
O09c8at/pFEiF8LgUlc5QaB/GNhXBqJog2yOzUPGKq0OMy/wttW42TCe7V+J8fnn
|
||||
16xfGhnVwmiWRQaqdCiFDY2IiOHhnRwfJVANrddfuU/AJ8vY8XXzrxI7YZL43V53
|
||||
0Wich1VB00XLFU8aj08FsjdFvR77AAxFU+Cd6sH6yq6jsRXppQ0BOO15aR+wopEv
|
||||
tKwDdRu3TaweC1XMLLQ4XuN9Ql0bMH0d626uMG2zUfZGO1jNTOS4sUhEqJsImbsL
|
||||
/hgNDKYvfo0wSHPWmQo9njw7aG8Mey77I3fL1ELj/Tfa86njPpJ/tmFMLV9ntWAC
|
||||
cW/c3tojdcP278rTw/4zk+Sr2Zv+3bP1yjJd0z4B3gYYz2BUYTU7dyiA41Kgk4Zf
|
||||
V1n2NUAxQJYzvEIAZcMEWA3rOTb+AjcBVXX89Gk0BEykVmA9G808tbmI+4DUd2c/
|
||||
+d1xeufb43TGOiwKqwY+Os9iey3FbsnoYuzKPsd5LByJFEudbMB152h95u/NysaM
|
||||
0AjC+yPtlpSLUIaDUW75VAlQKPWj1Ag5uVpc2ScMEjevQQ==
|
||||
=muMw
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
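--- a/debian/watch
+++ b/debian/watch
@@ -0,0 +1,8 @@
+version=4
+
+# Latest version is directly at /stunnel
+opts=pgpsigurlmangle=s/$/.asc/ \
+https://www.stunnel.org/downloads.html downloads/stunnel-([\d.]+)@ARCHIVE_EXT@ debian
+
+opts=pgpsigurlmangle=s/$/.asc/,pasv \
+ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-([\d.]+)@ARCHIVE_EXT@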
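Review bot: The second entry fetches over plain `ftp://`, so the only thing authenticating that tarball is the `pgpsigurlmangle` signature check against `debian/upstream/signing-key.asc`. That dependency deserves a comment above the entry, e.g. `# Plain FTP mirror: authenticity rests on the OpenPGP signature check, keep pgpsigurlmangle`. The existing comment `# Latest version is directly at /stunnel` does not seem to match either URL below it (`downloads.html` and `archive/5.x`) and may be stale. Recording the fingerprint of the key added in `signing-key.asc` in the commit message would let a reviewer compare it with the one upstream publishes.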