Merge tag 'stunnel-5.71' into stunnel-5.71-cpro

stunnel-5.71

COPYING.md

@@ -1,7 +1,7 @@
 # stunnel license (see COPYRIGHT.md for detailed GPL conditions)
 
 
-_Copyright (C) 1998-2022 Michal Trojnara_
+_Copyright (C) 1998-2023 Michal Trojnara_
 
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software

Makefile.am

@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# by Michal Trojnara 1998-2022
+# by Michal Trojnara 1998-2023
 
 AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
 
@@ -16,12 +16,12 @@ doc_DATA = README.md TODO.md COPYING.md AUTHORS.md NEWS.md
 doc_DATA += PORTS.md BUGS.md COPYRIGHT.md CREDITS.md
 doc_DATA += INSTALL.W32.md INSTALL.WCE.md INSTALL.FIPS.md
 
-EXTRA_DIST = .travis.yml $(doc_DATA)
+EXTRA_DIST = .travis.yml makedh.sh $(doc_DATA)
 
 distcleancheck_listfiles = find . -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
 
 distclean-local:
-	rm -rf autom4te.cache
+	rm -rf autom4te.cache version.txt
 
 sign:
 	cp -f $(distdir).tar.gz $(distdir)-win64-installer.exe $(distdir)-android.zip ../dist

Makefile.in

@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.16.4 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2021 Free Software Foundation, Inc.
@@ -14,7 +14,7 @@
 
 @SET_MAKE@
 
-# by Michal Trojnara 1998-2022
+# by Michal Trojnara 1998-2023
 
 VPATH = @srcdir@
 am__is_gnu_make = { \
@@ -299,9 +299,6 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
 PTHREAD_CC = @PTHREAD_CC@
 PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
 PTHREAD_CXX = @PTHREAD_CXX@
@@ -369,14 +366,13 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-with_bashcompdir = @with_bashcompdir@
 AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
 ACLOCAL_AMFLAGS = -I m4
 SUBDIRS = src doc tools tests
 doc_DATA = README.md TODO.md COPYING.md AUTHORS.md NEWS.md PORTS.md \
 	BUGS.md COPYRIGHT.md CREDITS.md INSTALL.W32.md INSTALL.WCE.md \
 	INSTALL.FIPS.md
-EXTRA_DIST = .travis.yml $(doc_DATA)
+EXTRA_DIST = .travis.yml makedh.sh $(doc_DATA)
 distcleancheck_listfiles = find . -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';'
 all: all-recursive
 
@@ -883,7 +879,7 @@ libtool: $(LIBTOOL_DEPS)
 	$(SHELL) ./config.status libtool
 
 distclean-local:
-	rm -rf autom4te.cache
+	rm -rf autom4te.cache version.txt
 
 sign:
 	cp -f $(distdir).tar.gz $(distdir)-win64-installer.exe $(distdir)-android.zip ../dist

NEWS.md

@@ -1,13 +1,94 @@
 # stunnel change log
 
 
-### Version 5.65, 2022.07.11, urgency: HIGH
+### Version 5.71, 2023.09.19, urgency: MEDIUM
+* Security bugfixes
+  - OpenSSL DLLs updated to version 3.1.3.
+* Bugfixes
+  - Fixed the console output of tstunnel.exe.
+* Features sponsored by SAE IT-systems
+  - OCSP stapling is requested and verified in the client mode.
+  - Using "verifyChain" automatically enables OCSP
+    stapling in the client mode.
+  - OCSP stapling is always available in the server mode.
+  - An inconclusive OCSP verification breaks TLS negotiation.
+    This can be disabled with "OCSPrequire = no".
+  - Added the "TIMEOUTocsp" option to control the maximum
+    time allowed for connecting an OCSP responder.
+* Features
+  - Added support for Red Hat OpenSSL 3.x patches.
+
+### Version 5.70, 2023.07.12, urgency: HIGH
+* Security bugfixes
+  - OpenSSL DLLs updated to version 3.0.9.
+  - OpenSSL FIPS Provider updated to version 3.0.8.
+* Bugfixes
+  - Fixed TLS socket EOF handling with OpenSSL 3.x.
+    This bug caused major interoperability issues between
+    stunnel built with OpenSSL 3.x and Microsoft's
+    Schannel Security Support Provider (SSP).
+  - Fixed reading certificate chains from PKCS#12 files.
+* Features
+  - Added configurable delay for the "retry" option.
+
+### Version 5.69, 2023.03.04, urgency: MEDIUM
+* New features
+  - Improved logging performance with the "output" option.
+  - Improved file read performance on the WIN32 platform.
+  - DH and kDHEPSK ciphersuites removed from FIPS defaults.
+  - Set the LimitNOFILE ulimit in stunnel.service to allow
+    for up to 10,000 concurrent clients.
+* Bugfixes
+  - Fixed the "CApath" option on the WIN32 platform by
+    applying https://github.com/openssl/openssl/pull/20312.
+  - Fixed stunnel.spec used for building rpm packages.
+  - Fixed tests on some OSes and architectures by merging
+    Debian 07-tests-errmsg.patch (thx to Peter Pentchev).
+
+### Version 5.68, 2023.02.07, urgency: HIGH
+* Security bugfixes
+  - OpenSSL DLLs updated to version 3.0.8.
+* New features
+  - Added the new 'CAengine' service-level option
+    to load a trusted CA certificate from an engine.
+  - Added requesting client certificates in server
+    mode with 'CApath' besides 'CAfile'.
+  - Improved file read performance.
+  - Improved logging performance.
+* Bugfixes
+  - Fixed EWOULDBLOCK errors in protocol negotiation.
+  - Fixed handling TLS errors in protocol negotiation.
+  - Prevented following fatal TLS alerts with TCP resets.
+  - Improved OpenSSL initialization on WIN32.
+  - Improved testing suite stability.
+
+### Version 5.67, 2022.11.01, urgency: HIGH
+* Security bugfixes
+  - OpenSSL DLLs updated to version 3.0.7.
+* New features
+  - Provided a logging callback to custom engines.
+* Bugfixes
+  - Fixed "make cert" with OpenSSL older than 3.0.
+  - Fixed the code and the documentation to use conscious
+    language for SNI servers (thx to Clemens Lang).
+
+### Version 5.66, 2022.09.11, urgency: MEDIUM
+* New features
+  - OpenSSL 3.0 FIPS Provider support for Windows.
+* Bugfixes
+  - Fixed building on machines without pkg-config.
+  - Added the missing "environ" declaration for
+    BSD-based operating systems.
+  - Fixed the passphrase dialog with OpenSSL 3.0.
+
+### Version 5.65, 2022.07.17, urgency: HIGH
 * Security bugfixes
   - OpenSSL DLLs updated to version 3.0.5.
 * Bugfixes
   - Fixed handling globally enabled FIPS.
-  - Fixed the default openssl.cnf path in stunnel.exe.
-  - Fixed a number of MSVC warnings.
+  - Fixed openssl.cnf processing in WIN32 GUI.
+  - Fixed a number of compiler warnings.
+  - Fixed tests on older versions of OpenSSL.
 
 ### Version 5.64, 2022.05.06, urgency: MEDIUM
 * Security bugfixes
@@ -255,7 +336,7 @@
   - Clarified port binding error logs.
   - Various "make test" improvements.
 * Bugfixes
-  - Fixed a crash on switching to SNI slave sections.
+  - Fixed a crash on switching to SNI secondary sections.
 
 ### Version 5.46, 2018.05.28, urgency: MEDIUM
 * New features
@@ -376,8 +457,8 @@
 ### Version 5.37, 2016.11.06, urgency: MEDIUM
 * Bugfixes
   - OpenSSL DLLs updated to version 1.0.2j (stops crashes).
-  - The default SNI target (not handled by any slave service)
-    is handled by the master service rather than rejected.
+  - The default SNI target (not handled by any secondary service)
+    is handled by the primary service rather than rejected.
   - Removed thread synchronization in the FORK threading model.
 
 ### Version 5.36, 2016.09.22, urgency: HIGH

TODO.md

@@ -1,6 +1,11 @@
 # stunnel TODO
 
 
+### Updated defaults planned for stunnel 6.xx
+More secure defaults planned for the next major version.
+
+* OCSPaia = yes
+
 ### High priority features
 These features will likely be supported some day.
 A sponsor could allocate my time to get them faster.
@@ -17,13 +22,13 @@ A sponsor could allocate my time to get them faster.
 * MSI installer for Windows.
 * Add 'leastconn' failover strategy to order defined 'connect' targets
   by the number of active connections.
-* Optional line-buffering of the log file.
+* MariaDB (formerly MySQL) protocol negotiation:
+  [MariaDB Handshake Protocol](https://mariadb.com/kb/en/connection/)
 
 ### Low priority features
 These features will unlikely ever be supported.
 
 * Database and/or directory interface for retrieving PSK secrets.
-* Support static FIPS-enabled builds.
 * Service-level logging destination.
 * Logging to NT EventLog on Windows.
 * Internationalization of logged messages (i18n).