path: root/security/stunnel
Age | Commit message | Author | Files | Lines
2008-05-29 | Restore PKG_SYSCONFDIR support, lost in the last update. Bump PKGREVISION. | schmonz | 3 | -2/+18
2008-05-27 | Update to stunnel-4.24. | tnn | 7 | -35/+28
4.24: fix security problem (properly reject revoked certs)
4.23: WinNT bugfix
4.22:
- A new global option to control logging to syslog. Simultaneous logging to a file and the syslog is now possible.
- A new service level option to control stack size.
- Restored chroot() to be executed after decoding numerical userid and groupid values in drop_privileges().
- A few bugs fixed in the new libwrap support code.
- TLSv1 method used by default in FIPS mode instead of SSLv3 client and SSLv23 server methods.
4.21:
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
- Experimental fast support for non-MT-safe libwrap is provided with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin in order to meet FHS and LSB requirements.
- Added code to disallow compiling stunnel with pthreads when OpenSSL is compiled without threads support.
- Minor manual update.
- TODO file updated.
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl, additional checking for libnsl was added to the ./configure script.
- Sending a list of trusted CAs for the client to choose the right certificate restored.
- Some compatibility issues with NTLM authentication fixed.
2008-01-18 | Per the process outlined in revbump(1), perform a recursive revbump on packages that are affected by the switch from the openssl 0.9.7 branch to the 0.9.8 branch. ok jlam@ | tnn | 1 | -2/+2
2007-08-11 | Make pthreads support optional. Bump PKGREVISION. | schmonz | 2 | -14/+19
2007-01-23 | Change default pid file from /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid | smb | 3 | -5/+6
2007-01-14 | Update to 4.20. From the changelog: | schmonz | 6 | -36/+19
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
  - The new transfer() function has been well tested. I recommend upgrading any previous version with this one.
* Bugfixes
  - Fixed support for encrypted passphrases (broken in 4.19).
  - Reduced amount of debug logs.
  - A minor man page update.
Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
* Release notes
  - There are a lot of new features in this version. I recommend to test it well before upgrading your mission-critical systems.
* New features
  - New service-level option to specify OCSP server flag: OCSPflag = <flag>
  - "protocolCredentials" option changed to "protocolUsername" and "protocolPassword"
  - NTLM support to be enabled with the new service-level option: protocolAuthentication = NTLM
  - imap protocol negotiation support added.
  - Passphrase cache was added so the user does not need to reenter the same passphrase for each defined service any more.
  - New service-level option to retry connect+exec section: retry = yes|no
  - Local IP and port is logged for each established connection.
  - Win32 DLLs for OpenSSL 0.9.8d.
* Bugfixes
  - Serious problem with SSL_WANT_* retries fixed. The new code requires extensive testing!
Version 4.18, 2006.09.26, urgency: MEDIUM:
* Bugfixes
  - GPF on entering private key pass phrase on Win32 fixed.
  - Updated OpenSSL Win32 DLLs.
  - Minor configure script update.
Version 4.17, 2006.09.10, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8c.
* Bugfixes
  - Problem with detecting getaddrinfo() in ./configure fixed.
  - Compilation problem due to misplaced #endif in ssl.c fixed.
  - Duplicate 220 in smtp_server() function in protocol.c fixed.
  - Minor os2.mak update.
  - Minor update of safestring()/safename() macros.
Version 4.16, 2006.08.31, urgency: MEDIUM:
* New features sponsored by Hewlett-Packard
  - A new global option to control engine: engineCtrl = <command>[:<parameter>]
  - A new service-level option to select engine to read private key: engineNum = <engine number>
  - OCSP support: ocsp = <URL>
* New features
  - A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1
  - Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
  - OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
  - An ordinary user can install stunnel again.
  - Compilation problem with --enable-dh fixed.
  - Some minor compilation warnings fixed.
  - Service-level CRL cert store implemented.
  - GPF on protocol negotiations fixed.
  - Problem detecting addrinfo() on Tru64 fixed.
  - Default group is now detected by configure script.
  - Check for maximum number of defined services added.
  - OpenSSL_add_all_algorithms() added to SSL initialization.
  - configure script sections reordered to detect pthread library functions.
  - RFC 2487 autodetection improved. High resolution s_poll_wait() not currently supported by UCONTEXT threading.
  - More precise description of cert directory file names (thx to Muhammad Muquit).
* Other changes
  - Maximum number of services increased from 64 to 256 when poll() is used.
2006-10-16 | nb1: Put conf and pid files back where they belong after the 4.15 update. | tv | 3 | -2/+17
(PKG_SYSCONFDIR already includes "stunnel" by default, so avoid the package adding another and making $PREFIX/etc/stunnel/stunnel/stunnel.conf; the pidfile does not normally belong under $PREFIX as $PREFIX/var/run is not normally cleaned/checked by OS-supplied processes.)
2006-10-14 | Update stunnel to 4.15. | obache | 5 | -53/+50
Patch provided by Shaun Amott via PR 34436, take maintainership. And define USE_LIBTOOL, regen patch with mkpatches.
2006-06-16 | REPLACE_PERL without a runtime dependency to Perl is useless. Bumped PKGREVISION. | rillig | 1 | -2/+3
2006-04-08 | Reset MAINTAINER as I'm no longer using this package and I don't have time to handle PRs and update this any more. | martti | 1 | -2/+2
2006-02-17 | Fixed warnings found by pkglint -Wall. | martti | 1 | -2/+2
2005-12-29 | Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk automatically detects whether we want the pkginstall machinery to be used by the package Makefile. | jlam | 1 | -2/+1
2005-12-05 | Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS. | rillig | 1 | -6/+6
2005-09-28 | Replaced "# defined" with "yes" in Makefile variables like GNU_CONFIGURE, NO_BUILD, USE_LIBTOOL. | rillig | 1 | -2/+2
2005-07-04 | "inet6" shouldn't be defined in PKG_SUGGESTED_OPTIONS, it's decided in bsd.prefs.mk automatically. | salo | 1 | -2/+1
2005-07-03 | IPv6 support appeared in 4.06, but it was never enabled in pkgsrc. | tv | 2 | -2/+21
Add as an options.mk switch, on by default where available. Bump to 4.07nb2.
2005-05-02 | RCD_SCRIPTS_EXAMPLEDIR is no longer customizable. | reed | 1 | -1/+2
And always is defined as share/examples/rc.d which was the default before. These rc.d scripts are not automatically added to PLISTs now also. So add to each corresponding PLIST as required. This was discussed on tech-pkg in late January and late April. Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
2005-04-11 | Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. | tv | 1 | -2/+1
2005-02-24 | Add RMD160 digests. | agc | 1 | -1/+2
2005-01-09 | pkgsrc changes: | schmonz | 6 | -22/+47
* An "stunnel3" perl script is installed. REPLACE_PERL and add to PLIST.
* Regenerate patches to lose fuzz.
* Format DESCR.
* Bump PKGREVISION.
2005-01-03 | Updated stunnel to 4.07 | martti | 4 | -34/+12
Version 4.07, 2005.01.03, urgency: MEDIUM:
* Bugfixes
  - Problem with infinite poll() timeout negative, but not equal to -1 fixed.
  - Problem with a file descriptor ready to be read just after a non-blocking connect call fixed.
  - Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed.
  - IP address and TCP port textual representation length (IPLEN) increased to 128 bytes.
  - OpenSSL engine support is only used if engine.h header file exists.
2004-12-29 | Use VARBASE. | minskim | 1 | -2/+2
2004-12-28 | Updated stunnel to 4.06 | martti | 5 | -40/+41
Version 4.06, 2004.12.26, urgency: LOW:
* New feature sponsored by SURFnet http://www.surfnet.nl/
  - IPv6 support (to be enabled with ./configure --enable-ipv6).
* New features
  - poll() support - no more FD_SETSIZE limit!
  - Multiple connect=host:port options are allowed in a single service section. Remote hosts are connected using round-robin algorithm. This feature is not compatible with delayed resolver.
  - New 'compression' option to enable compression. To use zlib algorithm you have to enable it when building OpenSSL library.
  - New 'engine' option to select a hardware engine.
  - New 'TIMEOUTconnect' option with 10 seconds default added.
  - stunnel3 perl script to emulate version 3.x command line options.
  - French manual updated by Bernard Choppy <choppy AT free POINT fr>.
  - A watchdog to detect transfer() infinite loops added.
  - Configuration file comment character changed from '#' to ';'. '#' will still be recognized to keep compatibility.
  - MT-safe getaddrinfo() and getnameinfo() are used where available to get better performance on resolver calls.
  - Automake upgraded from 1.4-p4 to 1.7.9.
* Bugfixes
  - log() changed to s_log() to avoid conflicts on some systems.
  - Common CRIT_INET critical section introduced instead of separate CRIT_NTOA and CRIT_RESOLVER to avoid potential problems with libwrap (TCP Wrappers) library.
  - CreateThread() finally replaced with _beginthread() on Win32.
  - make install creates $(localstatedir)/stunnel. $(localstatedir)/stunnel/dev/zero is also created on Solaris.
  - Race condition with client session cache fixed.
  - Other minor bugfixes.
* Release notes
  - Default is *not* to use IPv6 '::' for accept and '::1' for connect. For example to accept pop3s on IPv6 you could use: 'accept = :::995'. I hope the new syntax is clear enough.
2004-12-28 | The default location of the pkgsrc-installed rc.d scripts is now under share/examples/rc.d. The variable name already was named RCD_SCRIPTS_EXAMPLEDIR. This is from ideas from Greg Woods and others. Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism (as requested by wiz). | reed | 1 | -2/+2
2004-10-03 | Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include. | tv | 1 | -2/+2
2004-09-22 | Mechanical changes to package PLISTs to make use of LIBTOOLIZE_PLIST. | jlam | 1 | -2/+1
All library names listed by *.la files no longer need to be listed in the PLIST, e.g., instead of:
  lib/libfoo.a
  lib/libfoo.la
  lib/libfoo.so
  lib/libfoo.so.0
  lib/libfoo.so.0.1
one simply needs:
  lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library names are listed in the installed package +CONTENTS file. Also make LIBTOOLIZE_PLIST default to "yes".
2004-06-06 | Add simple rc.d script. Bump PKGREVISION. | schmonz | 2 | -2/+21
2004-04-25 | Convert to buildlink3. | snj | 1 | -4/+4
2004-03-26 | PKGREVISION bump after openssl-security-fix-update to 0.9.6m. | wiz | 1 | -1/+2
Buildlink files: RECOMMENDED version changed to current version.
2004-02-16 | Updated stunnel to 4.05 | martti | 5 | -23/+25
* New feature sponsored by SURFnet http://www.surfnet.nl/
  - Support for CIFS aka SMB protocol SSL negotiation.
* New features
  - CRL support with new CApath and CAfile global options.
  - New 'taskbar' option on WIN32 (thx to Ken Mattsen <ken.Mattsen@roxio.com>).
  - New -fd command line parameter to read configuration from a specified file descriptor instead of a file.
  - accept is reported as error with [section] defined (in stunnel 4.04 it was silently ignored causing problems for lusers that did not read the fine manual).
  - Use fcntl() instead of ioctlsocket() to set socket nonblocking when it is supported.
  - Basic support for hardware engines with OpenSSL >= 0.9.7.
  - French manual by Bernard Choppy <choppy@imaginet.fr>.
  - Thread stack size reduced to 64KB for maximum scalability.
  - Added optional code to debug thread stack usage.
  - Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
  - TCP wrappers code moved to CRIT_NTOA critical section since it uses static inet_ntoa() result buffer.
  - SSL_ERROR_SYSCALL handling problems fixed.
  - added code to retry nonblocking SSL_shutdown() calls.
  - Use FD_SETSIZE instead of 16 file descriptors in inetd mode.
  - fdscanf groks lowercase protocol negotiation commands.
  - WIN32 taskbar GDI objects leak fixed.
  - Libwrap detection bug in ./configure script fixed.
  - grp.h header detection fixed for NetBSD and possibly other systems.
  - Some other minor updates.
2004-01-20 | put the stunnel.pid file in /var/run, not ${PREFIX}/var/run. | grant | 1 | -3/+4
bump PKGREVISION.
2003-11-12 | PKGREVISION++ after openssl update. | jschauma | 1 | -2/+2
2003-09-05 | Remove "/pub" from pathnames on "ftp.fu-berlin.de" because such a directory doesn't exist. It's apparently only mapped in the FTP server configuration. | tron | 1 | -2/+2
2003-07-29 | Install example file under the examples hierarchy and honour PKG_SYSCONFDIR. | jmmv | 5 | -21/+37
Bump PKGREVISION to 1.
2003-07-17 | s/netbsd.org/NetBSD.org/ | grant | 1 | -2/+2
2003-01-18 | Updated stunnel to 4.04 (upgrade to 4.03 provided by Juan RP in pkg/19310) | martti | 5 | -52/+61
* New features sponsored by MAXIMUS http://www.maximus.com/
  - New 'options' configuration option to setup OpenSSL library hacks with SSL_CTX_set_options().
  - 'service' option also changes the name for TCP Wrappers access control in inetd mode.
  - SSL is negotiated before connecting remote host or spawning local process whenever possible.
  - REMOTE_HOST variable is always placed in the environment of a process spawned with 'exec'.
  - Whole SSL error stack is dumped on errors.
  - Manual page updated (special thanks to Brian Hatch).
  - New user interface (config file).
  - Single daemon can listen on multiple ports, now.
  - Delayed DNS lookup added.
* Other new features
  - All the timeouts are now configurable including TIMEOUTclose that can be set to 0 for MSIE and other buggy clients that do not send close_notify.
  - Stunnel process can be chrooted in a specified directory.
  - Numerical values for setuid() and setgid() are allowed, now.
  - Confusing code for setting certificate defaults introduced in version 3.8p3 was removed to simplify stunnel setup. There are no built-in defaults for CApath and CAfile options.
  - Private key file for a certificate can be kept in a separate file. Default remains to keep it in the cert file.
  - Manual page updated.
2002-08-25 | Merge packages from the buildlink2 branch back into the main trunk that have been converted to USE_BUILDLINK2. | jlam | 1 | -3/+4
2002-06-17 | Remove USE_SSL, openssl buildlink.mk is already included. | wiz | 1 | -2/+1
2001-12-28 | Update "stunnel" package to version 3.22. Changes since version 3.21c: | tron | 4 | -122/+30
- Format string bug fixed in protocol.c smtp, pop3 and nntp in client mode were affected. (stunnel clients could be attacked by malicious servers)
- Certificate chain can be supplied with -p option or in stunnel.pem.
- Problem with -r and -l options used together fixed.
- memmove() instead of memcpy() is used to move data in buffers.
- More detailed information about negotiated ciphers is printed.
- New ./configure options: "--enable-no-rsa" and "--enable-dh".
2001-11-20 | Updated to version 3.21.3 (a.k.a 3.21c). | martti | 4 | -36/+116
Changelog for version 3.21c, 2001.11.11, urgency: LOW:
* autoconf scripts upgraded to version 2.52.
* Problem with pthread_sigmask on Darwin fixed (I hope).
* Some documentation typos corrected.
* Attempt to ignore EINTR in transfer().
* Shared library version reported on startup.
* DLLs for OpenSSL 0.9.6b.
2001-11-03 | Updated stunnel to 3.21.2. There was a file descriptor leak on failed connect() calls. | martti | 2 | -6/+6
2001-11-02 | I'll be the new maintainer for stunnel (agreed with martin) | martti | 1 | -2/+2
2001-11-01 | Update "stunnel" package to version 3.21.1 (3.21a). Changes since version 3.21: | tron | 2 | -5/+6
- Small bug in Makefile fixed.
2001-11-01 | Move pkg/ files into package's toplevel directory | zuntum | 3 | -4/+4
2001-10-31 | Changelog for version 3.21, 2001.10.31, urgency: MEDIUM: | martti | 3 | -15/+15
* Problem with errno and posix threads fixed.
* It is assumed that system has getopt() if it has getopt.h header file.
* SSL_CLIENT_DN and SSL_CLIENT_I_DN environment variables set in local mode (-l) process. This feature doesn't work if client mode (-c) or protocol negotiation (-n) is used.
* Winsock error descriptions hardcoded (English version only).
* SetConsoleCtrlHandler() used to handle CTRL+C, logoff and shutdown on Win32.
* Stunnel always requests peer certificate with -v 0.
* sysconf()/getrlimit() used to calculate number of clients allowed.
* SSL mode changed for OpenSSL >= 0.9.6.
* close-on-exec option used to avoid socket inheriting.
* Buffer size increased from 8KB to 16KB.
* fdscanf()/fdprintf() changes:
  - non-blocking socket support,
  - timeout after 1 minute of inactivity.
* auth_user() redesigned to force 1 minute timeout.
* Some source arrangement towards 4.x architecture.
* No need for "goto" any more.
* New Makefile "test" rule. It performs basic test of standalone/inetd, remote/local and server/client mode.
* pop3 server mode support added.
2001-08-27 | Use wildcard dependence on "autoconf" package. | tron | 1 | -3/+2
2001-08-19 | Update of stunnel to version 3.20, from Martti Kuparinen in PR pkg/13728. | martin | 5 | -40/+15
Changelog for version 3.20, 2001.08.15, urgency: LOW:
* setsockopt() optlen set according to the optval for Solaris.
* Minor NetBSD compatibility fixes by Martti Kuparinen.
* Minor MSVC6 compatibility fixes by Patrick Mayweg.
* SSL close_notify timeout reduced to 10 seconds of inactivity.
* Socket close instead of reset on close_notify timeout.
* Some source arrangement and minor bugfixes.
2001-08-10 | Update stunnel to version 3.19. | martin | 5 | -54/+32
Based on PR pkg/13679 by Martti Kuparinen.
Changelog for version 3.19, 2001.08.10, urgency: MEDIUM:
* Critical section added around non MT-safe TCP Wrappers code.
* Problem with "select: Interrupted system call" error fixed.
* errno replaced with get_last_socket_error() for Win32.
* Some FreeBSD/NetBSD patches to ./configure from Martti Kuparinen.
* Local mode process pid logged.
* Default FQDN (localhost) removed from stunnel.cnf
* ./configure changed to recognize POSIX threads library on OSF.
* New -O option to set socket options.
2001-07-23 | Update to version 3.16. | martin | 3 | -31/+26
Changes:
* Some transfer() bugfixes/improvements.
* STDIN/STDOUT are no longer assumed to be non-socket descriptors.
* Problem with --with-tcp-wrappers patch fixed.
* pop3 and nntp support bug fixed by Martin Germann.
* -o option to append log messages to a file added.
* Changed error message for SSL error 0.
Provided by Martti Kuparinen in PR 13537.
2001-07-20 | Use "ftp.fu-berlin.de" as first master site because it is about a thousand times faster from Germany and the USA. | tron | 1 | -2/+3