diff -Nru stunnel4-5.44/build-android.sh stunnel4-5.50/build-android.sh --- stunnel4-5.44/build-android.sh 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/build-android.sh 2018-12-01 14:03:29.000000000 +0000 @@ -1,18 +1,34 @@ #!/bin/sh set -ev -VERSION=5.44 +VERSION=5.50 DST=stunnel-$VERSION-android -# to build OpenSSL: -# ./Configure threads no-shared no-dso --cross-compile-prefix=arm-linux-androideabi- --prefix=/opt/androideabi/sysroot linux-armv4 -# make install +# install Android NDK on Arch Linux: +# aurman -S android-ndk-14b +# install Android NDK on Debian: +# sudo apt install google-android-ndk-installer + +# build OpenSSL: +# export ANDROID_NDK=/usr/lib/android-ndk +# export PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH +# ./Configure no-shared --prefix=/opt/openssl-android android-arm +# make && sudo make install + +# Debian does not deploy /etc/profile.d/android-ndk.sh +test -d "$ANDROID_NDK" || ANDROID_NDK=/usr/lib/android-ndk + +ANDROID_SYSROOT=$ANDROID_NDK/platforms/android-23/arch-arm +export CPPFLAGS="--sysroot=$ANDROID_SYSROOT" +export CFLAGS="--sysroot=$ANDROID_SYSROOT" +export PATH="$ANDROID_NDK/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH" test -f Makefile && make distclean mkdir -p bin/android cd bin/android -../../configure --with-sysroot --build=i686-pc-linux-gnu --host=arm-linux-androideabi --prefix=/data/local +../../configure --with-ssl=/opt/openssl-android --prefix=/data/local/tmp \ + --build=x86_64-pc-linux-gnu --host=arm-linux-androideabi make clean -make +make V=1 cd ../.. mkdir $DST cp bin/android/src/stunnel $DST diff -Nru stunnel4-5.44/ChangeLog stunnel4-5.50/ChangeLog --- stunnel4-5.44/ChangeLog 2017-11-26 22:03:02.000000000 +0000 +++ stunnel4-5.50/ChangeLog 2018-12-02 22:51:10.000000000 +0000 
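Review bot: The new fallback `test -d "$ANDROID_NDK" || ANDROID_NDK=/usr/lib/android-ndk` never checks that the fallback directory exists. On a host without the NDK the script still exports `--sysroot` flags and prepends a nonexistent toolchain directory to `PATH`, so `configure` either fails later with a less obvious error or resolves `arm-linux-androideabi-*` from somewhere else on `PATH`. A second guard right after the fallback would stop the build early, for example `test -d "$ANDROID_NDK" || { echo "Android NDK not found: $ANDROID_NDK" >&2; exit 1; }`. The new `--prefix=/data/local/tmp` also deserves a comment: the compiled-in default paths presumably end up under a directory that the adb shell user can write to on a device, so the resulting binary should be started with an explicit configuration file and keep key material elsewhere. The script continues past the end of this hunk.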
@@ -1,5 +1,93 @@ stunnel change log +Version 5.50, 2018.12.02, urgency: MEDIUM +* New features + - 32-bit Windows builds replaced with 64-bit builds. + - OpenSSL DLLs updated to version 1.1.1. + - Check whether "output" is not a relative file name. + - Major code cleanup in the configuration file parser. + - Added sslVersion, sslVersionMin and sslVersionMax + for OpenSSL 1.1.0 and later. +* Bugfixes + - Fixed PSK session resumption with TLS 1.3. + - Fixed a memory leak in WIN32 logging subsystem. + - Allow for zero value (ignored) TLS options. + - Partially refactored configuration file parsing + and logging subsystems for clearer code and minor + bugfixes. +* Caveats + - We removed FIPS support from our standard builds. + FIPS will still be available with bespoke builds. + +Version 5.49, 2018.09.03, urgency: MEDIUM +* New features + - Performance optimizations. + - Logging of negotiated or resumed TLS session IDs (thx + to ANSSI - National Cybersecurity Agency of France). + - Merged Debian 10-enabled.patch and 11-killproc.patch + (thx to Peter Pentchev). + - OpenSSL DLLs updated to version 1.0.2p. + - PKCS#11 engine DLL updated to version 0.4.9. +* Bugfixes + - Fixed a crash in the session persistence implementation. + - Fixed syslog identifier after configuration file reload. + - Fixed non-interactive "make check" invocations. + - Fixed reloading syslog configuration. + - stunnel.pem created with SHA-256 instead of SHA-1. + - SHA-256 "make check" certificates. + +Version 5.48, 2018.07.02, urgency: HIGH +* Security bugfixes + - Fixed requesting client certificate when specified + as a global option. +* New features + - Certificate subject checks modified to accept certificates + if at least one of the specified checks matches. + +Version 5.47, 2018.06.23, urgency: HIGH +* New features + - Fast add_lock_callback for OpenSSL < 1.1.0. + This largely improves performance on heavy load. + - Automatic detection of Homebrew OpenSSL. + - Clarified port binding error logs. 
+ - Various "make test" improvements. +* Bugfixes + - Fixed a crash on switching to SNI slave sections. + +Version 5.46, 2018.05.28, urgency: MEDIUM +* New features + - The default cipher list was updated to a safer value: + "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK". +* Bugfixes + - Default accept address restored to INADDR_ANY. + +Version 5.45, 2018.05.21, urgency: MEDIUM +* New feature sponsored by https://loadbalancer.org/ + - Implemented delayed deallocation of service sections + after configuration file reload. +* Other new features + - OpenSSL DLLs updated to version 1.0.2o. + - Deprecated the sslVersion option. + - The "socket" option is now also available in service sections. + - Implemented try-restart in the SysV init script (thx to + Peter Pentchev). + - TLS 1.3 compliant session handling for OpenSSL 1.1.1. + - Default "failover" value changed from "rr" to "prio". + - New "make check" tests. +* Bugfixes + - A service no longer refuses to start if binding fails for + some (but not all) addresses:ports. + - Fixed compression handling with OpenSSL 1.1.0 and later. + - _beginthread() replaced with safer _beginthreadex(). + - Fixed exception handling in libwrap. + - Fixed exec+connect services. + - Fixed automatic resolver delaying. + - Fixed a Gentoo cross-compilation bug (thx to Joe Harvell). + - A number of "make check" framework fixes. + - Fixed false postive memory leak logs. + - Build fixes for OpenSSL versions down to 0.9.7. + - Fixed (again) round-robin failover in the FORK threading model. + Version 5.44, 2017.11.26, urgency: MEDIUM * New features - Signed Win32 executables, libraries, and installer. diff -Nru stunnel4-5.44/configure stunnel4-5.50/configure --- stunnel4-5.44/configure 2017-11-14 14:07:50.000000000 +0000 +++ stunnel4-5.50/configure 2018-11-09 15:53:57.000000000 +0000 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for stunnel 5.44. +# Generated by GNU Autoconf 2.69 for stunnel 5.50. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='stunnel' PACKAGE_TARNAME='stunnel' -PACKAGE_VERSION='5.44' -PACKAGE_STRING='stunnel 5.44' +PACKAGE_VERSION='5.50' +PACKAGE_STRING='stunnel 5.50' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -689,8 +689,6 @@ build_vendor build_cpu build -AUTHOR_TESTS_FALSE -AUTHOR_TESTS_TRUE AM_BACKSLASH AM_DEFAULT_VERBOSITY AM_DEFAULT_V @@ -1340,7 +1338,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures stunnel 5.44 to adapt to many kinds of systems. +\`configure' configures stunnel 5.50 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1411,7 +1409,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of stunnel 5.44:";; + short | recursive ) echo "Configuration of stunnel 5.50:";; esac cat <<\_ACEOF @@ -1530,7 +1528,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -stunnel configure 5.44 +stunnel configure 5.50 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2136,7 +2134,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by stunnel $as_me 5.44, which was +It was created by stunnel $as_me 5.50, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3005,7 +3003,7 @@ # Define the identity of the package. PACKAGE='stunnel' - VERSION='5.44' + VERSION='5.50' cat >>confdefs.h <<_ACEOF 
@@ -3099,14 +3097,6 @@ fi - if test -d ".git"; then - AUTHOR_TESTS_TRUE= - AUTHOR_TESTS_FALSE='#' -else - AUTHOR_TESTS_TRUE='#' - AUTHOR_TESTS_FALSE= -fi - # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 
@@ -16256,32 +16246,39 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** TLS" >&5 $as_echo "$as_me: **************************************** TLS" >&6;} -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for compiler sysroot" >&5 -$as_echo_n "checking for compiler sysroot... " >&6; } -if test "x$GCC" = "xyes"; then - sysroot=`$CC --print-sysroot 2>/dev/null` -fi -if test -z "$sysroot" -o "x$sysroot" = "x/"; then - sysroot="" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: /" >&5 -$as_echo "/" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sysroot" >&5 -$as_echo "$sysroot" >&6; } -fi - check_ssl_dir() { : test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1" } -find_ssl_dir() { : - stunnel_prefix="$prefix" - test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix - for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do +iterate_ssl_dir() { : + # OpenSSL directory search order: + # - the user-specified prefix + # - common locations for packages built from sources + # - common locations for non-OS-default package managers + # - common locations for OS-default package managers + # - empty prefix + for main_dir in "/usr/local" "/opt" "/opt/local" "/usr/local/opt" "/opt/csw" "/usr/pkg" "/usr/lib" "/usr" ""; do for sub_dir in "/ssl" "/openssl" "/ossl" ""; do - check_ssl_dir "$sysroot$main_dir$sub_dir" && return + check_ssl_dir "$1$main_dir$sub_dir" && return 0 done done + return 1 +} + +find_ssl_dir() { : + # try Android *first* + case "$host_os" in + *androideabi*) + iterate_ssl_dir "$ANDROID_NDK/sysroot" && return + ;; + esac + + test -d "$lt_sysroot" && iterate_ssl_dir "$lt_sysroot" && return + test "$prefix" != "NONE" && iterate_ssl_dir "$prefix" && return + test -d "$ac_default_prefix" && iterate_ssl_dir "$ac_default_prefix" && return + iterate_ssl_dir "" && return + + # try Xcode *last* if test -x "/usr/bin/xcrun"; then 
sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path` check_ssl_dir "$sdk_path/usr" && return @@ -16346,12 +16343,13 @@ fi +SYSROOT="$lt_sysroot" CPPFLAGS="$valid_CPPFLAGS" LIBS="$valid_LIBS" { $as_echo "$as_me:${as_lineno-$LINENO}: **************************************** write the results" >&5 $as_echo "$as_me: **************************************** write the results" >&6;} -ac_config_files="$ac_config_files Makefile src/Makefile doc/Makefile tools/Makefile tests/Makefile" +ac_config_files="$ac_config_files Makefile src/Makefile doc/Makefile tools/Makefile tests/Makefile tests/certs/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -16478,10 +16476,6 @@ am__EXEEXT_FALSE= fi -if test -z "${AUTHOR_TESTS_TRUE}" && test -z "${AUTHOR_TESTS_FALSE}"; then - as_fn_error $? "conditional \"AUTHOR_TESTS\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? "conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -16887,7 +16881,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by stunnel $as_me 5.44, which was +This file was extended by stunnel $as_me 5.50, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16953,7 +16947,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -stunnel config.status 5.44 +stunnel config.status 5.50 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -17373,6 +17367,7 @@ "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; + "tests/certs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/certs/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff -Nru stunnel4-5.44/configure.ac stunnel4-5.50/configure.ac --- stunnel4-5.44/configure.ac 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/configure.ac 2018-11-09 15:53:43.000000000 +0000 @@ -1,6 +1,6 @@ # Process this file with autoconf to produce a configure script. -AC_INIT([stunnel],[5.44]) +AC_INIT([stunnel],[5.50]) AC_MSG_NOTICE([**************************************** initialization]) AC_CONFIG_AUX_DIR(auto) AC_CONFIG_MACRO_DIR([m4]) @@ -8,7 +8,6 @@ AC_CONFIG_SRCDIR([src/stunnel.c]) AM_INIT_AUTOMAKE -AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"]) AC_CANONICAL_HOST AC_SUBST([host]) AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description]) 
@@ -397,29 +396,39 @@ AC_MSG_NOTICE([**************************************** TLS]) -AC_MSG_CHECKING([for compiler sysroot]) -if test "x$GCC" = "xyes"; then - sysroot=`$CC --print-sysroot 2>/dev/null` -fi -if test -z "$sysroot" -o "x$sysroot" = "x/"; then - sysroot="" - AC_MSG_RESULT([/]) -else - AC_MSG_RESULT([$sysroot]) -fi - check_ssl_dir() { : test -n "$1" -a -f "$1/include/openssl/ssl.h" && SSLDIR="$1" } -find_ssl_dir() { : - stunnel_prefix="$prefix" - test "x$stunnel_prefix" = "xNONE" && stunnel_prefix=$ac_default_prefix - for main_dir in "$stunnel_prefix" "/usr/local" "/usr/lib" "/usr/pkg" "/opt/local" "/opt" "/opt/csw" "/usr" ""; do +iterate_ssl_dir() { : + # OpenSSL directory search order: + # - the user-specified prefix + # - common locations for packages built from sources + # - common locations for non-OS-default package managers + # - common locations for OS-default package managers + # - empty prefix + for main_dir in "/usr/local" "/opt" "/opt/local" "/usr/local/opt" "/opt/csw" "/usr/pkg" "/usr/lib" "/usr" ""; do for sub_dir in "/ssl" "/openssl" "/ossl" ""; do - check_ssl_dir "$sysroot$main_dir$sub_dir" && return + check_ssl_dir "$1$main_dir$sub_dir" && return 0 done done + return 1 +} + +find_ssl_dir() { : + # try Android *first* + case "$host_os" in + *androideabi*) + iterate_ssl_dir "$ANDROID_NDK/sysroot" && return + ;; + esac + + test -d "$lt_sysroot" && iterate_ssl_dir "$lt_sysroot" && return + test "$prefix" != "NONE" && iterate_ssl_dir "$prefix" && return + test -d "$ac_default_prefix" && iterate_ssl_dir "$ac_default_prefix" && return + iterate_ssl_dir "" && return + + # try Xcode *last* if test -x "/usr/bin/xcrun"; then sdk_path=`/usr/bin/xcrun --sdk macosx --show-sdk-path` check_ssl_dir "$sdk_path/usr" && return 
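Review bot: The Android branch of `find_ssl_dir` calls `iterate_ssl_dir "$ANDROID_NDK/sysroot"` without the `test -d` guard that the `$lt_sysroot` and `$ac_default_prefix` lines have, so with `ANDROID_NDK` unset it probes `/sysroot/usr/local/...` on the build host. Writing it as `test -d "$ANDROID_NDK/sysroot" && iterate_ssl_dir "$ANDROID_NDK/sysroot" && return` would keep the branch consistent with the others. The comment inside `iterate_ssl_dir` still lists "the user-specified prefix" as the first search step, but that entry was removed from the `main_dir` list and the prefix ordering is now decided in `find_ssl_dir`, so the comment belongs there. It should also say that `/usr/local` and `/opt` are tried before `/usr`, because that lets a locally built OpenSSL take precedence over the distribution package when choosing the TLS library stunnel links against, unless the builder pins the location (presumably with `--with-ssl`, as build-android.sh does). The generated `configure` hunk at `@@ -16256,32 +16246,39 @@` carries the same code, and `find_ssl_dir` continues past the end of this hunk.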
@@ -457,11 +466,12 @@ ]) fi +SYSROOT="$lt_sysroot" CPPFLAGS="$valid_CPPFLAGS" LIBS="$valid_LIBS" AC_MSG_NOTICE([**************************************** write the results]) -AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile tests/Makefile]) +AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile tests/Makefile tests/certs/Makefile]) AC_OUTPUT AC_MSG_NOTICE([**************************************** success]) diff -Nru stunnel4-5.44/COPYING stunnel4-5.50/COPYING --- stunnel4-5.44/COPYING 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/COPYING 2018-04-06 14:25:10.000000000 +0000 @@ -1,6 +1,6 @@ stunnel license (see COPYRIGHT.GPL for detailed GPL conditions) -Copyright (C) 1998-2017 Michal Trojnara +Copyright (C) 1998-2018 Michal Trojnara This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software diff -Nru stunnel4-5.44/debian/changelog stunnel4-5.50/debian/changelog --- stunnel4-5.44/debian/changelog 2018-09-25 10:28:59.000000000 +0000 +++ stunnel4-5.50/debian/changelog 2018-12-06 15:05:38.000000000 +0000 
@@ -1,27 +1,90 @@ -stunnel4 (3:5.44-1ubuntu4) cosmic; urgency=high +stunnel4 (3:5.50-1) unstable; urgency=medium - * No change rebuild against openssl 1.1.1 with TLS1.3 support. + * New upstream version: + - drop the 05-author-tests and 07-path-max patches, integrated upstream + - refresh the 02-rename-binary and 04-restore-pidfile-default patches + + -- Peter Pentchev Thu, 06 Dec 2018 17:05:38 +0200 + +stunnel4 (3:5.49-1) unstable; urgency=medium + + * Declare compliance with Debian Policy 4.2.1 with no changes. + * Use the B-D: debhelper-compat (= 11) mechanism. + * New upstream version: + - drop the 10-enabled and 11-killproc patches, integrated upstream + - refresh patch line numbers + - reenable the upstream test suite, both at build time and as + an autopkgtest, since this upstream version Closes: #906981 + + -- Peter Pentchev Mon, 10 Sep 2018 12:05:18 +0300 - -- Dimitri John Ledkov Tue, 25 Sep 2018 11:28:59 +0100 +stunnel4 (3:5.48-2) unstable; urgency=medium -stunnel4 (3:5.44-1ubuntu3) bionic; urgency=medium + * Bring up to compliance with Debian Policy 4.2.0: install + the upstream release notes as "NEWS" instead of "changelog". + * Temporarily disable the upstream test suite, both during the build + and as an autopkgtest, until #906981 is fixed. Add the requisite + Perl module build dependencies. + * Also add Unicode::UTF8 as a dependency for our test program. - * d/p/disable_expired_cert_tests.patch: disable failing tests due to - expired test certs until upstream publishes new ones. + -- Peter Pentchev Fri, 24 Aug 2018 23:47:08 +0300 - -- Marc Deslauriers Thu, 19 Apr 2018 14:02:03 -0400 +stunnel4 (3:5.48-1) unstable; urgency=high -stunnel4 (3:5.44-1ubuntu2) bionic; urgency=high + * Declare compliance with Debian Policy 4.1.5 with no changes. + * New upstream version. - * No change rebuild against openssl1.1. 
+ -- Peter Pentchev Fri, 13 Jul 2018 17:18:17 +0300 - -- Dimitri John Ledkov Mon, 05 Feb 2018 16:54:19 +0000 +stunnel4 (3:5.47-1) unstable; urgency=high -stunnel4 (3:5.44-1ubuntu1) bionic; urgency=medium + * New upstream release with a fix for a SNI mode crash, + add a build and test dependency on net-tools now needed for + the upstream test suite. - * Add missing test dependency on net-tools for ifconfig command. + -- Peter Pentchev Mon, 25 Jun 2018 11:28:17 +0300 - -- Steve Langasek Sun, 04 Feb 2018 23:20:12 -0800 +stunnel4 (3:5.46-1) unstable; urgency=medium + + * New upstream release. + + -- Peter Pentchev Tue, 29 May 2018 02:04:44 +0300 + +stunnel4 (3:5.45-1) unstable; urgency=medium + + * New upstream version: + - drop the 09-try-restart patch, integrated upstream + - drop the 12-disable-tests patch, no longer needed + - refresh patch line numbers + - update the upstream copyright years + + -- Peter Pentchev Thu, 24 May 2018 17:15:06 +0300 + +stunnel4 (3:5.44-2) unstable; urgency=medium + + * Declare compliance with Debian Policy 4.1.4 with no changes. + * Add procps to the build dependencies for the upstream test suite. + * Bump the debhelper compat level to 11 with no changes. + * Bump the year on my debian/* copyright notice. + * Change the way the service handles the lack of default configuration: + - drop the ENABLED option from /etc/defaults/stunnel4 + - let debhelper take care of not starting the service immediately + after installation (when there are no valid config files yet) + - add a NEWS blurb pointing out how to disable the service if it + is indeed meant to only be started on demand + * Let the init script actually wait for the old stunnel instances to + stop before starting the new ones or even reporting that the old + ones are dead. Closes: #782030 + * Use my Debian e-mail address. + * Point the Vcs-* URLs to salsa.debian.org. + * Temporarily drop two tests that rely on an expired certificate and + an expired CRL. 
Closes: #895954, #899130 + * Drop an empty line at the end of the Debian changelog file. + * Drop the "CAs" spelling error override, since recent versions of + Lintian do not consider it an error any more. + * Add a trivial autopkgtest running adequate on the installed package. + + -- Peter Pentchev Mon, 21 May 2018 18:23:00 +0300 stunnel4 (3:5.44-1) unstable; urgency=medium @@ -1346,4 +1409,3 @@ * Initial release. -- Paolo Molaro Mon, 30 Nov 1998 11:41:29 +0100 - diff -Nru stunnel4-5.44/debian/compat stunnel4-5.50/debian/compat --- stunnel4-5.44/debian/compat 2016-06-27 08:17:21.000000000 +0000 +++ stunnel4-5.50/debian/compat 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -10 diff -Nru stunnel4-5.44/debian/control stunnel4-5.50/debian/control --- stunnel4-5.44/debian/control 2018-02-05 07:20:12.000000000 +0000 +++ stunnel4-5.50/debian/control 2018-08-26 20:29:02.000000000 +0000 @@ -2,19 +2,24 @@ Section: net Priority: optional Build-Depends: - debhelper (>= 10), + debhelper-compat (= 11), autoconf-archive, + libanyevent-perl, + libnet-ssleay-perl, + libpath-tiny-perl, libssl-dev, libsystemd-dev [linux-any], + libunicode-utf8-perl, libwrap0-dev, netcat-traditional, - openssl -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Peter Pentchev + net-tools, + openssl, + procps +Maintainer: Peter Pentchev Uploaders: Laszlo Boszormenyi (GCS) -Standards-Version: 4.1.1 -Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/stunnel.git -Vcs-Git: https://anonscm.debian.org/git/collab-maint/stunnel.git +Standards-Version: 4.2.1 +Vcs-Browser: https://salsa.debian.org/debian/stunnel/ +Vcs-Git: https://salsa.debian.org/debian/stunnel.git Homepage: https://www.stunnel.org/ Rules-Requires-Root: no diff -Nru stunnel4-5.44/debian/copyright stunnel4-5.50/debian/copyright --- stunnel4-5.44/debian/copyright 2017-09-23 15:59:40.000000000 +0000 +++ stunnel4-5.50/debian/copyright 2018-05-23 10:39:48.000000000 +0000 
@@ -6,12 +6,12 @@ Files: * Copyright: - (C) 1998-2017 Michal Trojnara + (C) 1998-2018 Michal Trojnara (c) 2014 Mark Theunissen License: GPL-2+-openssl Files: src/stunnel3.in -Copyright: (C) 2004-2012 Michal Trojnara +Copyright: (C) 1998-2018 Michal Trojnara License: GPL-2+ Files: debian/* @@ -20,7 +20,7 @@ (C) 2003-2007 Julien Lemoine (C) 2007-2012 Luis Rodrigo Gallardo Cruz (C) 2013 Salvatore Bonaccorso - (C) 2014-2017 Peter Pentchev + (C) 2014-2018 Peter Pentchev License: GPL-2+-openssl License: GPL-2+-openssl diff -Nru stunnel4-5.44/debian/patches/02-rename-binary.patch stunnel4-5.50/debian/patches/02-rename-binary.patch --- stunnel4-5.44/debian/patches/02-rename-binary.patch 2017-09-23 12:33:22.000000000 +0000 +++ stunnel4-5.50/debian/patches/02-rename-binary.patch 2018-12-06 09:57:19.000000000 +0000 @@ -2,7 +2,7 @@ Forwarded: not-needed Author: Julien Lemoine Author: Luis Rodrigo Gallardo Cruz -Last-Update: 2017-09-23 +Last-Update: 2018-12-06 --- a/src/stunnel3.in +++ b/src/stunnel3.in @@ -36,7 +36,7 @@ NAME=stunnel DESC="TLS tunnels" OPTIONS="" -@@ -49,9 +49,9 @@ +@@ -48,9 +48,9 @@ startdaemons() { local res file args pidfile warn status @@ -49,18 +49,15 @@ fi if [ -n "$RLIMITS" ]; then ulimit $RLIMITS -@@ -141,9 +141,9 @@ +@@ -181,7 +181,7 @@ OPTIONS="-- $OPTIONS" fi -[ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel +[ -f @sysconfdir@/default/stunnel4 ] && . @sysconfdir@/default/stunnel4 - if [ "$ENABLED" = "0" ] ; then -- echo "$DESC disabled, see @sysconfdir@/default/stunnel" -+ echo "$DESC disabled, see @sysconfdir@/default/stunnel4" - exit 0 - fi + # If the user want to manage a single tunnel, the conf file's name + # is in $2. Otherwise, respect @sysconfdir@/default/stunnel4 setting. --- a/tools/script.sh +++ b/tools/script.sh @@ -2,7 +2,7 @@ @@ -90,14 +87,14 @@ edit = sed \ --- a/doc/stunnel.pl.8.in 
+++ b/doc/stunnel.pl.8.in -@@ -70,8 +70,8 @@ - .rr rF +@@ -66,8 +66,8 @@ + .\} .\" ======================================================================== .\" -.IX Title "stunnel 8" --.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy" +-.TH stunnel 8 "2018.12.02" "5.50" "stunnel TLS Proxy" +.IX Title "stunnel4 8" -+.TH stunnel 8 "2017.04.01" "5.42" "stunnel4 TLS Proxy" ++.TH stunnel 8 "2018.12.02" "5.50" "stunnel4 TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -Nru stunnel4-5.44/debian/patches/04-restore-pidfile-default.patch stunnel4-5.50/debian/patches/04-restore-pidfile-default.patch --- stunnel4-5.44/debian/patches/04-restore-pidfile-default.patch 2017-09-23 12:33:22.000000000 +0000 +++ stunnel4-5.50/debian/patches/04-restore-pidfile-default.patch 2018-12-06 10:01:32.000000000 +0000 @@ -8,7 +8,7 @@ Forwarded: not-needed Author: Peter Pentchev Bug-Debian: https://bugs.debian.org/744851 -Last-Update: 2017-07-03 +Last-Update: 2018-12-06 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -44,6 +44,7 @@ @@ -21,22 +21,22 @@ stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto --- a/src/options.c 
+++ b/src/options.c -@@ -917,7 +917,7 @@ +@@ -1025,7 +1025,7 @@ #ifndef USE_WIN32 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: - new_global_options.pidfile=NULL; /* do not create a pid file */ + new_global_options.pidfile=PIDFILE; break; - case CMD_EXEC: - if(strcasecmp(opt, "pid")) -@@ -932,9 +932,10 @@ - case CMD_FREE: + case CMD_SET_COPY: /* not used for global options */ break; - case CMD_DEFAULT: +@@ -1049,9 +1049,10 @@ + return "Pid file must include full path name"; + break; + case CMD_PRINT_DEFAULTS: + s_log(LOG_NOTICE, "%-22s = %s", "pid", PIDFILE); break; - case CMD_HELP: + case CMD_PRINT_HELP: - s_log(LOG_NOTICE, "%-22s = pid file", "pid"); + s_log(LOG_NOTICE, "%-22s = pid file (empty to disable creating)", "pid"); break; diff -Nru stunnel4-5.44/debian/patches/05-author-tests.patch stunnel4-5.50/debian/patches/05-author-tests.patch --- stunnel4-5.44/debian/patches/05-author-tests.patch 2016-09-25 09:40:15.000000000 +0000 +++ stunnel4-5.50/debian/patches/05-author-tests.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,16 +0,0 @@ -Description: Only build the Win32 executables if requested. -Author: Peter Pentchev -Forwarded: not yet -Last-Update: 2015-11-11 - ---- a/configure.ac -+++ b/configure.ac -@@ -8,7 +8,7 @@ - AC_CONFIG_SRCDIR([src/stunnel.c]) - AM_INIT_AUTOMAKE - --AM_CONDITIONAL([AUTHOR_TESTS], [test -d ".git"]) -+AM_CONDITIONAL([AUTHOR_TESTS], [test -n "$AUTHOR_TESTS"]) - AC_CANONICAL_HOST - AC_SUBST([host]) - AC_DEFINE_UNQUOTED([HOST], ["$host"], [Host description]) diff -Nru stunnel4-5.44/debian/patches/07-path-max.patch stunnel4-5.50/debian/patches/07-path-max.patch --- stunnel4-5.44/debian/patches/07-path-max.patch 2017-11-27 10:11:51.000000000 +0000 +++ stunnel4-5.50/debian/patches/07-path-max.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,71 +0,0 @@ -Description: Allocate the config filename dynamically. - Avoid the use of PATH_MAX which may not be defined. -Forwarded: not-yet -Author: Peter Pentchev -Last-Update: 2017-07-03 - ---- a/src/common.h -+++ b/src/common.h -@@ -94,7 +94,6 @@ - typedef int ssize_t; - #endif /* _WIN64 */ - #endif /* !__MINGW32__ */ --#define PATH_MAX MAX_PATH - #define USE_IPv6 - #define _CRT_SECURE_NO_DEPRECATE - #define _CRT_NONSTDC_NO_DEPRECATE ---- a/src/options.c -+++ b/src/options.c -@@ -211,7 +211,7 @@ - NOEXPORT char **argalloc(char *); - #endif - --char configuration_file[PATH_MAX]; -+char *configuration_file; - - GLOBAL_OPTIONS global_options; - SERVICE_OPTIONS service_options; -@@ -289,17 +289,27 @@ - } - - #ifdef HAVE_REALPATH -+ char *nconf; - if(type==CONF_FILE) { -- if(!realpath(name, configuration_file)) { -+ nconf = realpath(name, NULL); -+ if(nconf == NULL) { - s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name); - ioerror("realpath"); - return 1; - } -- return options_parse(type); -- } -+ free(configuration_file); -+ } else - #endif -- strncpy(configuration_file, name, PATH_MAX-1); -- configuration_file[PATH_MAX-1]='\0'; -+ { -+ size_t sz = strlen(name) + 1; -+ nconf = realloc(configuration_file, sz); -+ if(nconf == NULL) { -+ s_log(LOG_ERR, "Could not allocate memory"); -+ return 1; -+ } -+ snprintf(nconf, sz, "%s", name); -+ } -+ configuration_file = nconf; - return options_parse(type); - } - ---- a/src/prototypes.h -+++ b/src/prototypes.h -@@ -430,7 +430,7 @@ - - /**************************************** prototypes for options.c */ - --extern char configuration_file[PATH_MAX]; -+extern char *configuration_file; - extern unsigned number_of_sections; - - int options_cmdline(char *, char *); diff -Nru stunnel4-5.44/debian/patches/09-try-restart.patch stunnel4-5.50/debian/patches/09-try-restart.patch --- stunnel4-5.44/debian/patches/09-try-restart.patch 2017-09-23 12:33:22.000000000 +0000 +++ 
stunnel4-5.50/debian/patches/09-try-restart.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,76 +0,0 @@ -Description: Implement try-restart in the SysV init script. -Forwarded: not-yet -Author: Peter Pentchev -Last-Update: 2017-07-03 - ---- a/tools/stunnel.init.in -+++ b/tools/stunnel.init.in -@@ -137,6 +137,47 @@ - exit "$res" - } - -+restartrunningdaemons() -+{ -+ local res file pidfile status args -+ -+ res=0 -+ for file in $FILES; do -+ echo -n " $file: " -+ pidfile=`get_pidfile "$file"` -+ if [ ! -e "$pidfile" ]; then -+ echo -n 'no pid file' -+ else -+ status=0 -+ pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?" -+ if [ "$status" = 0 ]; then -+ echo -n 'stopping' -+ killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?" -+ if [ "$status" -eq 0 ]; then -+ echo -n ' starting' -+ args="$file $OPTIONS" -+ start_daemon -p "$pidfile" "$DAEMON" $args || status="$?" -+ if [ "$status" -eq 0 ]; then -+ echo -n ' started' -+ else -+ echo ' failed' -+ res=1 -+ fi -+ else -+ echo -n ' failed' -+ res=1 -+ fi -+ elif [ "$status" = 4 ]; then -+ echo "cannot access the pid file $pidfile" -+ else -+ echo -n 'stopped' -+ fi -+ fi -+ done -+ echo '' -+ exit "$res" -+} -+ - if [ "x$OPTIONS" != "x" ]; then - OPTIONS="-- $OPTIONS" - fi -@@ -194,6 +235,11 @@ - killdaemons && startdaemons - res=$? - ;; -+ try-restart) -+ echo -n "Restarting $DESC if running:" -+ restartrunningdaemons -+ res=$? -+ ;; - status) - echo -n "$DESC status:" - querydaemons -@@ -201,7 +247,7 @@ - ;; - *) - N=@sysconfdir@/init.d/$NAME -- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} []" >&2 -+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} []" >&2 - res=1 - ;; - esac diff -Nru stunnel4-5.44/debian/patches/disable_expired_cert_tests.patch stunnel4-5.50/debian/patches/disable_expired_cert_tests.patch --- stunnel4-5.44/debian/patches/disable_expired_cert_tests.patch 2018-04-19 18:02:03.000000000 +0000 +++ stunnel4-5.50/debian/patches/disable_expired_cert_tests.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,32 +0,0 @@ -Description: disable failing tests due to expired test certs -Author: Marc Deslauriers -Forwarded: not-needed - -Index: stunnel4-5.44/tests/recipes/012_verify_chain -=================================================================== ---- stunnel4-5.44.orig/tests/recipes/012_verify_chain 2017-11-26 16:50:09.000000000 -0500 -+++ stunnel4-5.44/tests/recipes/012_verify_chain 2018-04-19 14:01:47.038512017 -0400 -@@ -22,6 +22,9 @@ start() { - EOT - } - -+# disabled because of expired test certs -+exit 0 -+ - check_ports "012_verify_chain" - start 2> "error.log" - test_log_for "012_verify_chain" "success" "$1" 2>> "stderr.log" -Index: stunnel4-5.44/tests/recipes/013_CRL_file -=================================================================== ---- stunnel4-5.44.orig/tests/recipes/013_CRL_file 2017-11-26 16:50:09.000000000 -0500 -+++ stunnel4-5.44/tests/recipes/013_CRL_file 2018-04-19 14:01:54.754519892 -0400 -@@ -23,6 +23,9 @@ start() { - EOT - } - -+# disabled because of expired test certs -+exit 0 -+ - check_ports "013_CRL_file" - start 2> "error.log" - test_log_for "013_CRL_file" "success" "$1" 2>> "stderr.log" diff -Nru stunnel4-5.44/debian/patches/series stunnel4-5.50/debian/patches/series --- stunnel4-5.44/debian/patches/series 2018-04-19 18:01:09.000000000 +0000 +++ stunnel4-5.50/debian/patches/series 2018-12-06 14:41:27.000000000 +0000 @@ -2,7 +2,3 @@ 02-rename-binary.patch 03-runas-user.patch 04-restore-pidfile-default.patch -05-author-tests.patch -07-path-max.patch -09-try-restart.patch -disable_expired_cert_tests.patch diff -Nru stunnel4-5.44/debian/rules stunnel4-5.50/debian/rules --- stunnel4-5.44/debian/rules 2017-11-14 09:14:40.000000000 +0000 +++ stunnel4-5.50/debian/rules 2018-09-10 08:50:47.000000000 +0000 
@@ -23,6 +23,12 @@ dh_auto_configure -- \ --enable-ipv6 --with-threads=pthread +override_dh_auto_test: +ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) + env TEST_STUNNEL=$(CURDIR)/src/stunnel debian/tests/runtime + dh_auto_test +endif + override_dh_auto_install: dh_auto_install -- -C src ifeq ($(DEB_NODOC),0) @@ -69,6 +75,13 @@ rmdir $(CURDIR)/debian/stunnel4/usr/share/man endif +override_dh_installchangelogs: + dh_installchangelogs -X ChangeLog + install -m 644 ChangeLog $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4/NEWS + +override_dh_installinit: + dh_installinit --no-start + override_dh_installppp: dh_installppp --name=0stunnel4 diff -Nru stunnel4-5.44/debian/stunnel4.conf.README stunnel4-5.50/debian/stunnel4.conf.README --- stunnel4-5.44/debian/stunnel4.conf.README 2016-12-09 08:41:36.000000000 +0000 +++ stunnel4-5.50/debian/stunnel4.conf.README 2018-05-23 10:34:48.000000000 +0000 @@ -6,8 +6,5 @@ configuration. Note that this directory is initially empty, as the settings you may want for your tunnels are completely system dependent. -In order to have the tunnels start up automatically on system boot you -must *also* set ENABLED to 1 in /etc/default/stunnel4 - A sample configuration file with defaults may be found at /usr/share/doc/stunnel4/examples/stunnel.conf-sample diff -Nru stunnel4-5.44/debian/stunnel4.default stunnel4-5.50/debian/stunnel4.default --- stunnel4-5.44/debian/stunnel4.default 2015-11-12 16:30:31.000000000 +0000 +++ stunnel4-5.50/debian/stunnel4.default 2018-05-23 10:34:48.000000000 +0000 @@ -2,8 +2,6 @@ # Julien LEMOINE # September 2003 -# Change to one to enable stunnel automatic startup -ENABLED=0 FILES="/etc/stunnel/*.conf" OPTIONS="" diff -Nru stunnel4-5.44/debian/stunnel4.lintian-overrides stunnel4-5.50/debian/stunnel4.lintian-overrides --- stunnel4-5.44/debian/stunnel4.lintian-overrides 2017-09-23 12:33:22.000000000 +0000 +++ stunnel4-5.50/debian/stunnel4.lintian-overrides 2018-05-23 10:34:48.000000000 +0000 
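Review bot: In debian/rules, the new `override_dh_auto_test` recipe hands `$(CURDIR)` to the shell unquoted, so a build directory containing whitespace would split the `TEST_STUNNEL` assignment and the recipe would no longer run the intended command. Quoting it is enough: `env TEST_STUNNEL='$(CURDIR)/src/stunnel' debian/tests/runtime`. The target also carries no comment on why the runtime check runs ahead of `dh_auto_test`; a single line such as `# run the autopkgtest runtime check against the freshly built binary, then the upstream suite` would make that explicit, if that is the intent.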
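Review bot: The `override_dh_installinit` target in debian/rules switches to `dh_installinit --no-start` with no comment. The reason matters to operators: per the stunnel4.NEWS entry in this same diff, the ENABLED guard is removed from /etc/default/stunnel4 and from the init script, so this flag is what keeps a fresh install from starting with no valid configuration. It does not cover upgrades: a host that relied on `ENABLED=0` will have the tunnels matched by `FILES="/etc/stunnel/*.conf"` started at boot unless the admin runs `update-rc.d stunnel4 defaults-disabled`, which can bring up listeners that were previously started only on demand. I would add a comment above the target, e.g. `# Do not start on install: no valid config yet and ENABLED is gone (see debian/stunnel4.NEWS)`. It is also worth checking whether the maintainer scripts should carry a previous `ENABLED=0` over as a disabled service on upgrade; those scripts are not visible here.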
@@ -1,5 +1,2 @@ # No character arrays anywhere in this .so stunnel4: hardening-no-stackprotector usr/lib/stunnel/libstunnel.so - -# Not a typo at all. -stunnel4: spelling-error-in-manpage usr/share/man/man8/stunnel4.8.gz CAs Case diff -Nru stunnel4-5.44/debian/stunnel4.NEWS stunnel4-5.50/debian/stunnel4.NEWS --- stunnel4-5.44/debian/stunnel4.NEWS 2016-12-09 08:41:36.000000000 +0000 +++ stunnel4-5.50/debian/stunnel4.NEWS 2018-05-23 10:34:48.000000000 +0000 @@ -1,3 +1,19 @@ +stunnel4 (3:5.44-2) unstable; urgency=medium + + The ENABLED option has been removed from the /etc/default/stunnel4 + file and the stunnel4 init script no longer checks for it. Instead, + new installations of the stunnel4 package will not attempt to start + the service immediately after installation, because there are no + valid configuration files yet. + + For existing installations where ENABLED=0 was specified and stunnel + was e.g. only started on demand for certain tunnels, the service will + now need to be explicitly disabled by the following command: + + update-rc.d stunnel4 defaults-disabled + + -- Peter Pentchev Mon, 21 May 2018 18:23:00 +0300 + stunnel4 (3:5.06-1) unstable; urgency=medium There are two major changes in this version of stunnel. diff -Nru stunnel4-5.44/debian/tests/control stunnel4-5.50/debian/tests/control --- stunnel4-5.44/debian/tests/control 2018-02-05 07:19:59.000000000 +0000 +++ stunnel4-5.50/debian/tests/control 2018-09-10 08:50:59.000000000 +0000 
@@ -1,6 +1,9 @@ Test-Command: env TEST_STUNNEL=/usr/bin/stunnel4 debian/tests/runtime -Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl +Depends: @, perl, libanyevent-perl, libnet-ssleay-perl, libpath-tiny-perl, libunicode-utf8-perl Restrictions: allow-stderr Test-Command: debian/tests/upstream Depends: @, netcat-traditional, net-tools + +Test-Command: adequate stunnel4 +Depends: @, adequate diff -Nru stunnel4-5.44/doc/Makefile.am stunnel4-5.50/doc/Makefile.am --- stunnel4-5.44/doc/Makefile.am 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/doc/Makefile.am 2018-06-08 17:30:06.000000000 +0000 @@ -1,5 +1,5 @@ ## Process this file with automake to produce Makefile.in -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 EXTRA_DIST = stunnel.pod.in stunnel.8.in stunnel.html.in en EXTRA_DIST += stunnel.pl.pod.in stunnel.pl.8.in stunnel.pl.html.in pl @@ -24,7 +24,8 @@ edit = sed \ -e 's|@bindir[@]|$(bindir)|g' \ - -e 's|@sysconfdir[@]|$(sysconfdir)|g' + -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ + -e '\|^0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. 
@@ -54,24 +54,20 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 . \} .\} -.rr rF .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy" +.TH stunnel 8 "2018.12.02" "5.50" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -313,26 +309,6 @@ service sections, it is only useful in global options. .Sp default: stunnel -.IP "\fBsocket\fR = a|l|r:OPTION=VALUE[:VALUE]" 4 -.IX Item "socket = a|l|r:OPTION=VALUE[:VALUE]" -Set an option on the accept/local/remote socket -.Sp -The values for the linger option are l_onof:l_linger. -The values for the time are tv_sec:tv_usec. -.Sp -Examples: -.Sp -.Vb 9 -\& socket = l:SO_LINGER=1:60 -\& set one minute timeout for closing local socket -\& socket = r:SO_OOBINLINE=yes -\& place out\-of\-band data directly into the -\& receive data stream for remote sockets -\& socket = a:SO_REUSEADDR=no -\& disable address reuse (enabled by default) -\& socket = a:SO_BINDTODEVICE=lo -\& only accept connections on loopback interface -.Ve .IP "\fBsyslog\fR = yes | no (Unix only)" 4 .IX Item "syslog = yes | no (Unix only)" enable logging via syslog 
@@ -402,9 +378,9 @@ email address of the peer certificate subject .Sp Multiple \fIcheckEmail\fR options are allowed in a single service section. -Certificates are accepted if no \fIcheckEmail\fR option was specified, or the -email address of the peer certificate matches any of the email addresses -specified with \fIcheckEmail\fR. +Certificates are accepted if no subject checks were specified, or the email +address of the peer certificate matches any of the email addresses specified +with \fIcheckEmail\fR. .Sp This option requires OpenSSL 1.0.2 or later. .IP "\fBcheckHost\fR = \s-1HOST\s0" 4 @@ -412,9 +388,8 @@ host of the peer certificate subject .Sp Multiple \fIcheckHost\fR options are allowed in a single service section. -Certificates are accepted if no \fIcheckHost\fR option was specified, or the host -name of the peer certificate matches any of the hosts specified with -\&\fIcheckHost\fR. +Certificates are accepted if no subject checks were specified, or the host name +of the peer certificate matches any of the hosts specified with \fIcheckHost\fR. .Sp This option requires OpenSSL 1.0.2 or later. .IP "\fBcheckIP\fR = \s-1IP\s0" 4 @@ -422,7 +397,7 @@ \&\s-1IP\s0 address of the peer certificate subject .Sp Multiple \fIcheckIP\fR options are allowed in a single service section. -Certificates are accepted if no \fIcheckIP\fR option was specified, or the \s-1IP\s0 +Certificates are accepted if no subject checks were specified, or the \s-1IP\s0 address of the peer certificate matches any of the \s-1IP\s0 addresses specified with \&\fIcheckIP\fR. .Sp @@ -578,7 +553,7 @@ .RE .RS 4 .Sp -default: rr +default: prio .RE .IP "\fBident\fR = \s-1USERNAME\s0" 4 .IX Item "ident = USERNAME" 
@@ -587,7 +562,21 @@ .IX Item "include = DIRECTORY" include all configuration file parts located in \s-1DIRECTORY\s0 .Sp -The files are included in the ascending alphabetical order of their names. +The files are included in the ascending alphabetical order of their names. The recommended filename convention is +.Sp +for global options: +.Sp +.Vb 1 +\& 00\-global.conf +.Ve +.Sp +for local service-level options: +.Sp +.Vb 1 +\& 01\-service.conf +\& +\& 02\-service.conf +.Ve .IP "\fBkey\fR = \s-1KEY_FILE\s0" 4 .IX Item "key = KEY_FILE" private key for the certificate specified with \fIcert\fR option @@ -664,6 +653,9 @@ \& options = NO_SSLv2 \& options = NO_SSLv3 .Ve +.Sp +Use \fIsslVersionMax\fR or \fIsslVersionMin\fR option instead of disabling specific \s-1TLS\s0 protocol +versions when compiled with \fBOpenSSL 1.1.0\fR or later. .IP "\fBprotocol\fR = \s-1PROTO\s0" 4 .IX Item "protocol = PROTO" application protocol to negotiate \s-1TLS\s0 
@@ -894,21 +886,88 @@ .Sp The \fIsni\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and later. +.IP "\fBsocket\fR = a|l|r:OPTION=VALUE[:VALUE]" 4 +.IX Item "socket = a|l|r:OPTION=VALUE[:VALUE]" +Set an option on the accept/local/remote socket +.Sp +The values for the linger option are l_onof:l_linger. +The values for the time are tv_sec:tv_usec. +.Sp +Examples: +.Sp +.Vb 9 +\& socket = l:SO_LINGER=1:60 +\& set one minute timeout for closing local socket +\& socket = r:SO_OOBINLINE=yes +\& place out\-of\-band data directly into the +\& receive data stream for remote sockets +\& socket = a:SO_REUSEADDR=no +\& disable address reuse (enabled by default) +\& socket = a:SO_BINDTODEVICE=lo +\& only accept connections on loopback interface +.Ve .IP "\fBsslVersion\fR = \s-1SSL_VERSION\s0" 4 .IX Item "sslVersion = SSL_VERSION" select the \s-1TLS\s0 protocol version .Sp -Supported values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +Supported versions: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 .Sp Availability of specific protocols depends on the linked OpenSSL library. -Older versions of OpenSSL do not support TLSv1.1 and TLSv1.2. +Older versions of OpenSSL do not support TLSv1.1, TLSv1.2 and TLSv1.3. Newer versions of OpenSSL do not support SSLv2. .Sp Obsolete SSLv2 and SSLv3 are currently disabled by default. -See the \fBoptions\fR option documentation for details. +.Sp +Setting the option +.Sp +.Vb 1 +\& sslVersion = SSL_VERSION +.Ve +.Sp +is equivalent to options +.Sp +.Vb 2 +\& sslVersionMax = SSL_VERSION +\& sslVersionMin = SSL_VERSION +.Ve +.Sp +when compiled with \fBOpenSSL 1.1.0\fR and later. +.IP "\fBsslVersionMax\fR = \s-1SSL_VERSION\s0" 4 +.IX Item "sslVersionMax = SSL_VERSION" +maximum supported protocol versions +.Sp +Supported versions: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 +.Sp +\&\fIall\fR enable protocol versions up to the highest version supported by the +linked OpenSSL library. 
+.Sp +Availability of specific protocols depends on the linked OpenSSL library. +.Sp +The \fIsslVersionMax\fR option is only available when compiled with \fBOpenSSL 1.1.0\fR and later. +.Sp +default: all +.IP "\fBsslVersionMin\fR = \s-1SSL_VERSION\s0" 4 +.IX Item "sslVersionMin = SSL_VERSION" +minimum supported protocol versions +.Sp +Supported versions: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 +.Sp +\&\fIall\fR enable protocol versions down to the lowest version supported by the +linked OpenSSL library. +.Sp +Availability of specific protocols depends on the linked OpenSSL library. +.Sp +The \fIsslVersionMin\fR option is only available when compiled with \fBOpenSSL 1.1.0\fR and later. +.Sp +default: TLSv1 .IP "\fBstack\fR = \s-1BYTES \s0(except for \s-1FORK\s0 model)" 4 .IX Item "stack = BYTES (except for FORK model)" -thread stack size +\&\s-1CPU\s0 stack size of created threads +.Sp +Excessive thread stack size increases virtual memory usage. +Insufficient thread stack size may cause application crashes. +.Sp +default: 65536 bytes (sufficient for all platforms we tested) .IP "\fBTIMEOUTbusy\fR = \s-1SECONDS\s0" 4 .IX Item "TIMEOUTbusy = SECONDS" time to wait for expected data 
@@ -1298,21 +1357,17 @@ generate them with the free \fBOpenSSL\fR package. You can find more information on certificates generation on pages listed below. .PP -The order of contents of the \fI.pem\fR file is important. It should contain the -unencrypted private key first, then a signed certificate (not certificate -request). There should also be empty lines after the certificate and the private key. -Any plaintext certificate information appended on the top of generated certificate -should be discarded. So the file should look like this: +The \fI.pem\fR file should contain the unencrypted private key and +a signed certificate (not certificate request). +So the file should look like this: .PP -.Vb 8 +.Vb 6 \& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- \& [encoded key] \& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- -\& [empty line] \& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- \& [encoded certificate] \& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -\& [empty line] .Ve .SS "\s-1RANDOMNESS\s0" .IX Subsection "RANDOMNESS" @@ -1367,8 +1422,7 @@ .Ve .SH "FILES" .IX Header "FILES" -.ie n .IP "\fI\fI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 -.el .IP "\fI\f(CI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 +.IP "\fI\f(CI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 .IX Item "@sysconfdir@/stunnel/stunnel.conf" \&\fBstunnel\fR configuration file .SH "BUGS" diff -Nru stunnel4-5.44/doc/stunnel.html.in stunnel4-5.50/doc/stunnel.html.in --- stunnel4-5.44/doc/stunnel.html.in 2017-04-01 12:21:27.000000000 +0000 +++ stunnel4-5.50/doc/stunnel.html.in 2018-12-02 22:47:21.000000000 +0000 @@ -389,26 +389,6 @@

default: stunnel

-
socket = a|l|r:OPTION=VALUE[:VALUE]
-
- -

Set an option on the accept/local/remote socket

- -

The values for the linger option are l_onof:l_linger. The values for the time are tv_sec:tv_usec.

- -

Examples:

- -
    socket = l:SO_LINGER=1:60
-        set one minute timeout for closing local socket
-    socket = r:SO_OOBINLINE=yes
-        place out-of-band data directly into the
-        receive data stream for remote sockets
-    socket = a:SO_REUSEADDR=no
-        disable address reuse (enabled by default)
-    socket = a:SO_BINDTODEVICE=lo
-        only accept connections on loopback interface
- -
syslog = yes | no (Unix only)
@@ -484,7 +464,7 @@

email address of the peer certificate subject

-

Multiple checkEmail options are allowed in a single service section. Certificates are accepted if no checkEmail option was specified, or the email address of the peer certificate matches any of the email addresses specified with checkEmail.

+

Multiple checkEmail options are allowed in a single service section. Certificates are accepted if no subject checks were specified, or the email address of the peer certificate matches any of the email addresses specified with checkEmail.

This option requires OpenSSL 1.0.2 or later.

@@ -494,7 +474,7 @@

host of the peer certificate subject

-

Multiple checkHost options are allowed in a single service section. Certificates are accepted if no checkHost option was specified, or the host name of the peer certificate matches any of the hosts specified with checkHost.

+

Multiple checkHost options are allowed in a single service section. Certificates are accepted if no subject checks were specified, or the host name of the peer certificate matches any of the hosts specified with checkHost.

This option requires OpenSSL 1.0.2 or later.

@@ -504,7 +484,7 @@

IP address of the peer certificate subject

-

Multiple checkIP options are allowed in a single service section. Certificates are accepted if no checkIP option was specified, or the IP address of the peer certificate matches any of the IP addresses specified with checkIP.

+

Multiple checkIP options are allowed in a single service section. Certificates are accepted if no subject checks were specified, or the IP address of the peer certificate matches any of the IP addresses specified with checkIP.

This option requires OpenSSL 1.0.2 or later.

@@ -696,7 +676,7 @@
-

default: rr

+

default: prio

ident = USERNAME
@@ -710,7 +690,17 @@

include all configuration file parts located in DIRECTORY

-

The files are included in the ascending alphabetical order of their names.

+

The files are included in the ascending alphabetical order of their names. The recommended filename convention is

+ +

for global options:

+ +
        00-global.conf
+ +

for local service-level options:

+ +
        01-service.conf
+
+        02-service.conf
key = KEY_FILE
@@ -791,6 +781,8 @@
    options = NO_SSLv2
     options = NO_SSLv3
+

Use sslVersionMax or sslVersionMin option instead of disabling specific TLS protocol versions when compiled with OpenSSL 1.1.0 or later.

+
protocol = PROTO
@@ -1070,22 +1062,89 @@

The sni option is only available when compiled with OpenSSL 1.0.0 and later.

+
socket = a|l|r:OPTION=VALUE[:VALUE]
+
+ +

Set an option on the accept/local/remote socket

+ +

The values for the linger option are l_onof:l_linger. The values for the time are tv_sec:tv_usec.

+ +

Examples:

+ +
    socket = l:SO_LINGER=1:60
+        set one minute timeout for closing local socket
+    socket = r:SO_OOBINLINE=yes
+        place out-of-band data directly into the
+        receive data stream for remote sockets
+    socket = a:SO_REUSEADDR=no
+        disable address reuse (enabled by default)
+    socket = a:SO_BINDTODEVICE=lo
+        only accept connections on loopback interface
+ +
sslVersion = SSL_VERSION

select the TLS protocol version

-

Supported values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

+

Supported versions: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

+ +

Availability of specific protocols depends on the linked OpenSSL library. Older versions of OpenSSL do not support TLSv1.1, TLSv1.2 and TLSv1.3. Newer versions of OpenSSL do not support SSLv2.

+ +

Obsolete SSLv2 and SSLv3 are currently disabled by default.

+ +

Setting the option

+ +
    sslVersion = SSL_VERSION
-

Availability of specific protocols depends on the linked OpenSSL library. Older versions of OpenSSL do not support TLSv1.1 and TLSv1.2. Newer versions of OpenSSL do not support SSLv2.

+

is equivalent to options

-

Obsolete SSLv2 and SSLv3 are currently disabled by default. See the options option documentation for details.

+
    sslVersionMax = SSL_VERSION
+    sslVersionMin = SSL_VERSION
+ +

when compiled with OpenSSL 1.1.0 and later.

+ +
+
sslVersionMax = SSL_VERSION
+
+ +

maximum supported protocol versions

+ +

Supported versions: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

+ +

all enable protocol versions up to the highest version supported by the linked OpenSSL library.

+ +

Availability of specific protocols depends on the linked OpenSSL library.

+ +

The sslVersionMax option is only available when compiled with OpenSSL 1.1.0 and later.

+ +

default: all

+ +
+
sslVersionMin = SSL_VERSION
+
+ +

minimum supported protocol versions

+ +

Supported versions: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

+ +

all enable protocol versions down to the lowest version supported by the linked OpenSSL library.

+ +

Availability of specific protocols depends on the linked OpenSSL library.

+ +

The sslVersionMin option is only available when compiled with OpenSSL 1.1.0 and later.

+ +

default: TLSv1

stack = BYTES (except for FORK model)
-

thread stack size

+

CPU stack size of created threads

+ +

Excessive thread stack size increases virtual memory usage. Insufficient thread stack size may cause application crashes.

+ +

default: 65536 bytes (sufficient for all platforms we tested)

TIMEOUTbusy = SECONDS
@@ -1497,16 +1556,14 @@

Each TLS-enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to generate them with the free OpenSSL package. You can find more information on certificates generation on pages listed below.

-

The order of contents of the .pem file is important. It should contain the unencrypted private key first, then a signed certificate (not certificate request). There should also be empty lines after the certificate and the private key. Any plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this:

+

The .pem file should contain the unencrypted private key and a signed certificate (not certificate request). So the file should look like this:

    -----BEGIN RSA PRIVATE KEY-----
     [encoded key]
     -----END RSA PRIVATE KEY-----
-    [empty line]
     -----BEGIN CERTIFICATE-----
     [encoded certificate]
-    -----END CERTIFICATE-----
-    [empty line]
+ -----END CERTIFICATE-----

RANDOMNESS

diff -Nru stunnel4-5.44/doc/stunnel.pl.8.in stunnel4-5.50/doc/stunnel.pl.8.in --- stunnel4-5.44/doc/stunnel.pl.8.in 2017-04-01 12:21:27.000000000 +0000 +++ stunnel4-5.50/doc/stunnel.pl.8.in 2018-12-02 22:47:20.000000000 +0000 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.32) .\" .\" Standard preamble: .\" ======================================================================== @@ -46,7 +46,7 @@ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for +.\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. @@ -54,24 +54,20 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 . \} .\} -.rr rF .\" ======================================================================== .\" .IX Title "stunnel 8" -.TH stunnel 8 "2017.04.01" "5.42" "stunnel TLS Proxy" +.TH stunnel 8 "2018.12.02" "5.50" "stunnel TLS Proxy" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -318,30 +314,6 @@ globalnych. .Sp domyślnie: stunnel -.IP "\fBsocket\fR = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]" 4 -.IX Item "socket = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]" -ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe -.Sp -Dla opcji linger wartości mają postać l_onof:l_linger. -Dla opcji time wartości mają postać tv_sec:tv_usec. -.Sp -Przykłady: -.Sp -.Vb 10 -\& socket = l:SO_LINGER=1:60 -\& ustaw jednominutowe przeterminowanie -\& przy zamykaniu lokalnego gniazda -\& socket = r:SO_OOBINLINE=yes -\& umieść dane pozapasmowe (out\-of\-band) -\& bezpośrednio w strumieniu danych -\& wejściowych dla zdalnych gniazd -\& socket = a:SO_REUSEADDR=no -\& zablokuj ponowne używanie portu -\& (domyślnie włączone) -\& socket = a:SO_BINDTODEVICE=lo -\& przyjmuj połączenia wyłącznie na -\& interfejsie zwrotnym (ang. loopback) -.Ve .IP "\fBsyslog\fR = yes | no (tylko Unix)" 4 .IX Item "syslog = yes | no (tylko Unix)" włącz logowanie poprzez mechanizm syslog 
@@ -411,31 +383,31 @@ pozwala wybrać identyfikator używanego certyfikatu. .IP "\fBcheckEmail\fR = \s-1EMAIL\s0" 4 .IX Item "checkEmail = EMAIL" -adres email przedstawionego certyfikatu +adres email podmiotu przedstawionego certyfikatu .Sp Pojedyncza sekcja może zawierać wiele wystąpień opcji \fBcheckEmail\fR. -Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji \fBcheckEmail\fR, -albo adres email przedstawionego certyfikatu pasuje do jednego z adresów -email określonych przy pomocy \fBcheckEmail\fR. +Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, +albo adres email przedstawionego certyfikatu pasuje do jednego z adresów email +określonych przy pomocy \fBcheckEmail\fR. .Sp Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. .IP "\fBcheckHost\fR = \s-1NAZWA_SERWERA\s0" 4 .IX Item "checkHost = NAZWA_SERWERA" -nazwa serwera przedstawionego certyfikatu +nazwa serwera podmiotu przedstawionego certyfikatu .Sp Pojedyncza sekcja może zawierać wiele wystąpień opcji \fBcheckHost\fR. -Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji \fBcheckHost\fR, albo -nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych -przy pomocy \fBcheckHost\fR. +Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, +albo nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw +określonych przy pomocy \fBcheckHost\fR. .Sp Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. .IP "\fBcheckIP\fR = \s-1IP\s0" 4 .IX Item "checkIP = IP" -adres \s-1IP\s0 przedstawionego certyfikatu +adres \s-1IP\s0 podmiotu przedstawionego certyfikatu .Sp Pojedyncza sekcja może zawierać wiele wystąpień opcji \fBcheckIP\fR. 
Certyfikaty -są akceptowane, jeżeli sekcja nie zawiera opcji \fBcheckIP\fR, albo adres \s-1IP\s0 -przedstawionego certyfikatu pasuje do jednego z adresów \s-1IP\s0 określonych przy +są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, albo adres +\&\s-1IP\s0 przedstawionego certyfikatu pasuje do jednego z adresów \s-1IP\s0 określonych przy pomocy \fBcheckIP\fR. .Sp Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. @@ -558,7 +530,7 @@ .Sp Opóźnione rozwijanie adresu automatycznie aktywuje \fIfailover = prio\fR. .Sp -default: no +domyślnie: no .IP "\fBengineId\fR = NUMER_URZĄDZENIA" 4 .IX Item "engineId = NUMER_URZĄDZENIA" wybierz urządzenie dla usługi @@ -596,7 +568,7 @@ .RE .RS 4 .Sp -domyślnie: rr +domyślnie: prio .RE .IP "\fBident\fR = NAZWA_UŻYTKOWNIKA" 4 .IX Item "ident = NAZWA_UŻYTKOWNIKA" @@ -605,7 +577,21 @@ .IX Item "include = KATALOG" wczytaj fragmenty plików konfiguracyjnych z podanego katalogu .Sp -Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. +Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. Rekomendowana konwencja nazewnictwa plików +.Sp +dla opcji globalnych: +.Sp +.Vb 1 +\& 00\-global.conf +.Ve +.Sp +dla lokalnych opcji usług: +.Sp +.Vb 1 +\& 01\-service.conf +\& +\& 02\-service.conf +.Ve .IP "\fBkey\fR = \s-1PLIK_KLUCZA\s0" 4 .IX Item "key = PLIK_KLUCZA" klucz prywatny do certyfikatu podanego w opcji \fIcert\fR @@ -684,6 +670,9 @@ \& options = NO_SSLv2 \& options = NO_SSLv3 .Ve +.Sp +Począwszy od \fBOpenSSL 1.1.0\fR, zamiast wyłączać określone wersje protokołów \s-1TLS\s0 +użyj opcji \fIsslVersionMax\fR lub \fIsslVersionMin\fR. .IP "\fBprotocol\fR = PROTOKÓŁ" 4 .IX Item "protocol = PROTOKÓŁ" negocjuj \s-1TLS\s0 podanym protokołem aplikacyjnym 
@@ -910,21 +899,90 @@ Pusta wartość parametru \s-1NAZWA_SERWERA\s0 wyłącza wysyłanie rozszerzenia \s-1SNI.\s0 .Sp Opcja \fIsni\fR jest dostępna począwszy od \fBOpenSSL 1.0.0\fR. +.IP "\fBsocket\fR = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]" 4 +.IX Item "socket = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]" +ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe +.Sp +Dla opcji linger wartości mają postać l_onof:l_linger. +Dla opcji time wartości mają postać tv_sec:tv_usec. +.Sp +Przykłady: +.Sp +.Vb 10 +\& socket = l:SO_LINGER=1:60 +\& ustaw jednominutowe przeterminowanie +\& przy zamykaniu lokalnego gniazda +\& socket = r:SO_OOBINLINE=yes +\& umieść dane pozapasmowe (out\-of\-band) +\& bezpośrednio w strumieniu danych +\& wejściowych dla zdalnych gniazd +\& socket = a:SO_REUSEADDR=no +\& zablokuj ponowne używanie portu +\& (domyślnie włączone) +\& socket = a:SO_BINDTODEVICE=lo +\& przyjmuj połączenia wyłącznie na +\& interfejsie zwrotnym (ang. loopback) +.Ve .IP "\fBsslVersion\fR = \s-1WERSJA_SSL\s0" 4 .IX Item "sslVersion = WERSJA_SSL" wersja protokołu \s-1TLS\s0 .Sp -Wspierane opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +Wspierane wersje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 .Sp Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. -Starsze wersje OpenSSL nie wspierają TLSv1.1 i TLSv1.2. +Starsze wersje OpenSSL nie wspierają TLSv1.1, TLSv1.2, TLSv1.3. Nowsze wersje OpenSSL nie wspierają SSLv2. .Sp Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone. -Szczegółowe informacje dostępne są w opisie opcji \fBoptions\fR. 
+.Sp +Począwszy od \fBOpenSSL 1.1.0\fR, ustawienie +.Sp +.Vb 1 +\& sslVersion = WERSJA_SSL +.Ve +.Sp +jest równoważne opcjom +.Sp +.Vb 2 +\& sslVersionMax = WERSJA_SSL +\& sslVersionMin = WERSJA_SSL +.Ve +.IP "\fBsslVersionMax\fR = \s-1WERSJA_SSL\s0" 4 +.IX Item "sslVersionMax = WERSJA_SSL" +maksymalna wspierana wersja protokołu \s-1TLS\s0 +.Sp +Wspierane wersje: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 +.Sp +\&\fIall\fR włącza wszystkie wersje protokołów aż do maksymalnej wersji wspieranej +przez bibliotekę użytej wersji OpenSSL. +.Sp +Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. +.Sp +Opcja \fIsslVersionMax\fR jest dostępna począwszy od \fBOpenSSL 1.1.0\fR. +.Sp +domyślnie: all +.IP "\fBsslVersionMin\fR = \s-1WERSJA_SSL\s0" 4 +.IX Item "sslVersionMin = WERSJA_SSL" +minimalna wspierana wersja protokołu \s-1TLS\s0 +.Sp +Wspierane wersje: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 +.Sp +\&\fIall\fR włącza wszystkie wersje protokołów aż do minimalnej wersji wspieranej +przez bibliotekę użytej wersji OpenSSL. +.Sp +Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. +.Sp +Opcja \fIsslVersionMin\fR jest dostępna począwszy od \fBOpenSSL 1.1.0\fR. +.Sp +domyślnie: TLSv1 .IP "\fBstack\fR = LICZBA_BAJTÓW (z wyjątkiem modelu \s-1FORK\s0)" 4 .IX Item "stack = LICZBA_BAJTÓW (z wyjątkiem modelu FORK)" -rozmiar stosu procesora wątku +rozmiar stosu procesora tworzonych wątków +.Sp +Zbyt duży stos zwiększa zużycie pamięci wirtualnej. +Zbyt mały stos może powodować problemy ze stabilnością aplikacji. +.Sp +domyślnie: 65536 bytes (wystarczający dla testowanych platform) .IP "\fBTIMEOUTbusy\fR = \s-1LICZBA_SEKUND\s0" 4 .IX Item "TIMEOUTbusy = LICZBA_SEKUND" czas oczekiwania na spodziewane dane @@ -941,7 +999,7 @@ .IX Item "transparent = none | source | destination | both (tylko Unix)" tryb przezroczystego proxy na wspieranych platformach .Sp -Wspierane opcje: +Wspierane wartości: .RS 4 .IP "\fBnone\fR" 4 .IX Item "none" 
@@ -1320,23 +1378,17 @@ wolnego pakietu \fBOpenSSL\fR. Więcej informacji na temat generowania certyfikatów można znaleźć na umieszczonych poniżej stronach. .PP -Istotną kwestią jest kolejność zawartości pliku \fI.pem\fR. -W pierwszej kolejności powinien on zawierać klucz prywatny, -a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu). -Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie. -Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe, -to powinny one zostać usunięte. Otrzymany plik powinien mieć -następującą postać: +Plik \fI.pem\fR powinien zawierać klucz prywatny oraz podpisany certyfikat +(nie żądanie certyfikatu). +Otrzymany plik powinien mieć następującą postać: .PP -.Vb 8 +.Vb 6 \& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\- \& [zakodowany klucz] \& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- -\& [pusta linia] \& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- \& [zakodowany certyfikat] \& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -\& [pusta linia] .Ve .SS "LOSOWOŚĆ" .IX Subsection "LOSOWOŚĆ" @@ -1397,8 +1449,7 @@ .Ve .SH "PLIKI" .IX Header "PLIKI" -.ie n .IP "\fI\fI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 -.el .IP "\fI\f(CI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 +.IP "\fI\f(CI@sysconfdir\fI@/stunnel/stunnel.conf\fR" 4 .IX Item "@sysconfdir@/stunnel/stunnel.conf" plik konfiguracyjny programu .SH "BŁĘDY" diff -Nru stunnel4-5.44/doc/stunnel.pl.html.in stunnel4-5.50/doc/stunnel.pl.html.in --- stunnel4-5.44/doc/stunnel.pl.html.in 2017-04-01 12:21:28.000000000 +0000 +++ stunnel4-5.50/doc/stunnel.pl.html.in 2018-12-02 22:47:21.000000000 +0000 @@ -387,30 +387,6 @@

domyślnie: stunnel

-
socket = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]
-
- -

ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe

- -

Dla opcji linger wartości mają postać l_onof:l_linger. Dla opcji time wartości mają postać tv_sec:tv_usec.

- -

Przykłady:

- -
    socket = l:SO_LINGER=1:60
-        ustaw jednominutowe przeterminowanie
-        przy zamykaniu lokalnego gniazda
-    socket = r:SO_OOBINLINE=yes
-        umieść dane pozapasmowe (out-of-band)
-        bezpośrednio w strumieniu danych
-        wejściowych dla zdalnych gniazd
-    socket = a:SO_REUSEADDR=no
-        zablokuj ponowne używanie portu
-        (domyślnie włączone)
-    socket = a:SO_BINDTODEVICE=lo
-        przyjmuj połączenia wyłącznie na
-        interfejsie zwrotnym (ang. loopback)
- -
syslog = yes | no (tylko Unix)
@@ -484,9 +460,9 @@
checkEmail = EMAIL
-

adres email przedstawionego certyfikatu

+

adres email podmiotu przedstawionego certyfikatu

-

Pojedyncza sekcja może zawierać wiele wystąpień opcji checkEmail. Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji checkEmail, albo adres email przedstawionego certyfikatu pasuje do jednego z adresów email określonych przy pomocy checkEmail.

+

Pojedyncza sekcja może zawierać wiele wystąpień opcji checkEmail. Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, albo adres email przedstawionego certyfikatu pasuje do jednego z adresów email określonych przy pomocy checkEmail.

Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

@@ -494,9 +470,9 @@
checkHost = NAZWA_SERWERA
-

nazwa serwera przedstawionego certyfikatu

+

nazwa serwera podmiotu przedstawionego certyfikatu

-

Pojedyncza sekcja może zawierać wiele wystąpień opcji checkHost. Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji checkHost, albo nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych przy pomocy checkHost.

+

Pojedyncza sekcja może zawierać wiele wystąpień opcji checkHost. Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, albo nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych przy pomocy checkHost.

Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

@@ -504,9 +480,9 @@
checkIP = IP
-

adres IP przedstawionego certyfikatu

+

adres IP podmiotu przedstawionego certyfikatu

-

Pojedyncza sekcja może zawierać wiele wystąpień opcji checkIP. Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji checkIP, albo adres IP przedstawionego certyfikatu pasuje do jednego z adresów IP określonych przy pomocy checkIP.

+

Pojedyncza sekcja może zawierać wiele wystąpień opcji checkIP. Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, albo adres IP przedstawionego certyfikatu pasuje do jednego z adresów IP określonych przy pomocy checkIP.

Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej.

@@ -640,7 +616,7 @@

Opóźnione rozwijanie adresu automatycznie aktywuje failover = prio.

-

default: no

+

domyślnie: no

engineId = NUMER_URZĄDZENIA
@@ -696,7 +672,7 @@ -

domyślnie: rr

+

domyślnie: prio

ident = NAZWA_UŻYTKOWNIKA
@@ -710,7 +686,17 @@

wczytaj fragmenty plików konfiguracyjnych z podanego katalogu

-

Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw.

+

Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. Rekomendowana konwencja nazewnictwa plików

+ +

dla opcji globalnych:

+ +
        00-global.conf
+ +

dla lokalnych opcji usług:

+ +
        01-service.conf
+
+        02-service.conf
key = PLIK_KLUCZA
@@ -793,6 +779,8 @@
    options = NO_SSLv2
     options = NO_SSLv3
+

Począwszy od OpenSSL 1.1.0, zamiast wyłączać określone wersje protokołów TLS użyj opcji sslVersionMax lub sslVersionMin.

+
protocol = PROTOKÓŁ
@@ -1072,22 +1060,91 @@

Opcja sni jest dostępna począwszy od OpenSSL 1.0.0.

+
socket = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ]
+
+ +

ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe

+ +

Dla opcji linger wartości mają postać l_onof:l_linger. Dla opcji time wartości mają postać tv_sec:tv_usec.

+ +

Przykłady:

+ +
    socket = l:SO_LINGER=1:60
+        ustaw jednominutowe przeterminowanie
+        przy zamykaniu lokalnego gniazda
+    socket = r:SO_OOBINLINE=yes
+        umieść dane pozapasmowe (out-of-band)
+        bezpośrednio w strumieniu danych
+        wejściowych dla zdalnych gniazd
+    socket = a:SO_REUSEADDR=no
+        zablokuj ponowne używanie portu
+        (domyślnie włączone)
+    socket = a:SO_BINDTODEVICE=lo
+        przyjmuj połączenia wyłącznie na
+        interfejsie zwrotnym (ang. loopback)
+ +
sslVersion = WERSJA_SSL

wersja protokołu TLS

-

Wspierane opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

+

Wspierane wersje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

-

Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. Starsze wersje OpenSSL nie wspierają TLSv1.1 i TLSv1.2. Nowsze wersje OpenSSL nie wspierają SSLv2.

+

Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. Starsze wersje OpenSSL nie wspierają TLSv1.1, TLSv1.2, TLSv1.3. Nowsze wersje OpenSSL nie wspierają SSLv2.

-

Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone. Szczegółowe informacje dostępne są w opisie opcji options.

+

Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone.

+ +

Począwszy od OpenSSL 1.1.0, ustawienie

+ +
    sslVersion = WERSJA_SSL
+ +

jest równoważne opcjom

+ +
    sslVersionMax = WERSJA_SSL
+    sslVersionMin = WERSJA_SSL
+ +
+
sslVersionMax = WERSJA_SSL
+
+ +

maksymalna wspierana wersja protokołu TLS

+ +

Wspierane wersje: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

+ +

all włącza wszystkie wersje protokołów aż do maksymalnej wersji wspieranej przez bibliotekę użytej wersji OpenSSL.

+ +

Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL.

+ +

Opcja sslVersionMax jest dostępna począwszy od OpenSSL 1.1.0.

+ +

domyślnie: all

+ +
+
sslVersionMin = WERSJA_SSL
+
+ +

minimalna wspierana wersja protokołu TLS

+ +

Wspierane wersje: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

+ +

all włącza wszystkie wersje protokołów aż do minimalnej wersji wspieranej przez bibliotekę użytej wersji OpenSSL.

+ +

Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL.

+ +

Opcja sslVersionMin jest dostępna począwszy od OpenSSL 1.1.0.

+ +

domyślnie: TLSv1

stack = LICZBA_BAJTÓW (z wyjątkiem modelu FORK)
-

rozmiar stosu procesora wątku

+

rozmiar stosu procesora tworzonych wątków

+ +

Zbyt duży stos zwiększa zużycie pamięci wirtualnej. Zbyt mały stos może powodować problemy ze stabilnością aplikacji.

+ +

domyślnie: 65536 bytes (wystarczający dla testowanych platform)

TIMEOUTbusy = LICZBA_SEKUND
@@ -1119,7 +1176,7 @@

tryb przezroczystego proxy na wspieranych platformach

-

Wspierane opcje:

+

Wspierane wartości:

@@ -1498,16 +1555,14 @@

Protokół TLS wymaga, aby każdy serwer przedstawiał się nawiązującemu połączenie klientowi prawidłowym certyfikatem X.509. Potwierdzenie tożsamości serwera polega na wykazaniu, że posiada on odpowiadający certyfikatowi klucz prywatny. Najprostszą metodą uzyskania certyfikatu jest wygenerowanie go przy pomocy wolnego pakietu OpenSSL. Więcej informacji na temat generowania certyfikatów można znaleźć na umieszczonych poniżej stronach.

-

Istotną kwestią jest kolejność zawartości pliku .pem. W pierwszej kolejności powinien on zawierać klucz prywatny, a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu). Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie. Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe, to powinny one zostać usunięte. Otrzymany plik powinien mieć następującą postać:

+

Plik .pem powinien zawierać klucz prywatny oraz podpisany certyfikat (nie żądanie certyfikatu). Otrzymany plik powinien mieć następującą postać:

    -----BEGIN RSA PRIVATE KEY-----
     [zakodowany klucz]
     -----END RSA PRIVATE KEY-----
-    [pusta linia]
     -----BEGIN CERTIFICATE-----
     [zakodowany certyfikat]
-    -----END CERTIFICATE-----
-    [pusta linia]
+ -----END CERTIFICATE-----

LOSOWOŚĆ

diff -Nru stunnel4-5.44/doc/stunnel.pl.pod.in stunnel4-5.50/doc/stunnel.pl.pod.in --- stunnel4-5.44/doc/stunnel.pl.pod.in 2017-04-01 12:21:18.000000000 +0000 +++ stunnel4-5.50/doc/stunnel.pl.pod.in 2018-12-02 22:47:18.000000000 +0000 @@ -322,29 +322,6 @@ domyślnie: stunnel -=item B = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ] - -ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe - -Dla opcji linger wartości mają postać l_onof:l_linger. -Dla opcji time wartości mają postać tv_sec:tv_usec. - -Przykłady: - - socket = l:SO_LINGER=1:60 - ustaw jednominutowe przeterminowanie - przy zamykaniu lokalnego gniazda - socket = r:SO_OOBINLINE=yes - umieść dane pozapasmowe (out-of-band) - bezpośrednio w strumieniu danych - wejściowych dla zdalnych gniazd - socket = a:SO_REUSEADDR=no - zablokuj ponowne używanie portu - (domyślnie włączone) - socket = a:SO_BINDTODEVICE=lo - przyjmuj połączenia wyłącznie na - interfejsie zwrotnym (ang. loopback) - =item B = yes | no (tylko Unix) włącz logowanie poprzez mechanizm syslog 
@@ -424,33 +401,33 @@ =item B = EMAIL -adres email przedstawionego certyfikatu +adres email podmiotu przedstawionego certyfikatu Pojedyncza sekcja może zawierać wiele wystąpień opcji B. -Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji B, -albo adres email przedstawionego certyfikatu pasuje do jednego z adresów -email określonych przy pomocy B. +Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, +albo adres email przedstawionego certyfikatu pasuje do jednego z adresów email +określonych przy pomocy B. Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. =item B = NAZWA_SERWERA -nazwa serwera przedstawionego certyfikatu +nazwa serwera podmiotu przedstawionego certyfikatu Pojedyncza sekcja może zawierać wiele wystąpień opcji B. -Certyfikaty są akceptowane, jeżeli sekcja nie zawiera opcji B, albo -nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw określonych -przy pomocy B. +Certyfikaty są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, +albo nazwa serwera przedstawionego certyfikatu pasuje do jednego nazw +określonych przy pomocy B. Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. =item B = IP -adres IP przedstawionego certyfikatu +adres IP podmiotu przedstawionego certyfikatu Pojedyncza sekcja może zawierać wiele wystąpień opcji B. Certyfikaty -są akceptowane, jeżeli sekcja nie zawiera opcji B, albo adres IP -przedstawionego certyfikatu pasuje do jednego z adresów IP określonych przy +są akceptowane, jeżeli sekcja nie weryfikuje podmiotu certyfikatu, albo adres +IP przedstawionego certyfikatu pasuje do jednego z adresów IP określonych przy pomocy B. Opcja ta wymaga biblioteki OpenSSL w wersji 1.0.2 lub nowszej. @@ -585,7 +562,7 @@ Opóźnione rozwijanie adresu automatycznie aktywuje I. -default: no +domyślnie: no =item B = NUMER_URZĄDZENIA @@ -630,7 +607,7 @@ =back -domyślnie: rr +domyślnie: prio =item B = NAZWA_UŻYTKOWNIKA 
@@ -640,7 +617,17 @@ wczytaj fragmenty plików konfiguracyjnych z podanego katalogu -Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. +Pliki są wczytywane w rosnącej kolejności alfabetycznej ich nazw. Rekomendowana konwencja nazewnictwa plików + +dla opcji globalnych: + + 00-global.conf + +dla lokalnych opcji usług: + + 01-service.conf + + 02-service.conf =item B = PLIK_KLUCZA @@ -722,6 +709,9 @@ options = NO_SSLv2 options = NO_SSLv3 +Począwszy od B, zamiast wyłączać określone wersje protokołów TLS +użyj opcji I lub I. + =item B = PROTOKÓŁ negocjuj TLS podanym protokołem aplikacyjnym 
@@ -976,22 +966,88 @@ Opcja I jest dostępna począwszy od B. +=item B = a|l|r:OPCJA=WARTOŚĆ[:WARTOŚĆ] + +ustaw opcję na akceptującym/lokalnym/zdalnym gnieździe + +Dla opcji linger wartości mają postać l_onof:l_linger. +Dla opcji time wartości mają postać tv_sec:tv_usec. + +Przykłady: + + socket = l:SO_LINGER=1:60 + ustaw jednominutowe przeterminowanie + przy zamykaniu lokalnego gniazda + socket = r:SO_OOBINLINE=yes + umieść dane pozapasmowe (out-of-band) + bezpośrednio w strumieniu danych + wejściowych dla zdalnych gniazd + socket = a:SO_REUSEADDR=no + zablokuj ponowne używanie portu + (domyślnie włączone) + socket = a:SO_BINDTODEVICE=lo + przyjmuj połączenia wyłącznie na + interfejsie zwrotnym (ang. loopback) + =item B = WERSJA_SSL wersja protokołu TLS -Wspierane opcje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +Wspierane wersje: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. -Starsze wersje OpenSSL nie wspierają TLSv1.1 i TLSv1.2. +Starsze wersje OpenSSL nie wspierają TLSv1.1, TLSv1.2, TLSv1.3. Nowsze wersje OpenSSL nie wspierają SSLv2. Przestarzałe protokoły SSLv2 i SSLv3 są domyślnie wyłączone. -Szczegółowe informacje dostępne są w opisie opcji B. + +Począwszy od B, ustawienie + + sslVersion = WERSJA_SSL + +jest równoważne opcjom + + sslVersionMax = WERSJA_SSL + sslVersionMin = WERSJA_SSL + +=item B = WERSJA_SSL + +maksymalna wspierana wersja protokołu TLS + +Wspierane wersje: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 + +I włącza wszystkie wersje protokołów aż do maksymalnej wersji wspieranej +przez bibliotekę użytej wersji OpenSSL. + +Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. + +Opcja I jest dostępna począwszy od B. 
+ +domyślnie: all + +=item B = WERSJA_SSL + +minimalna wspierana wersja protokołu TLS + +Wspierane wersje: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 + +I włącza wszystkie wersje protokołów aż do minimalnej wersji wspieranej +przez bibliotekę użytej wersji OpenSSL. + +Dostępność konkretnych protokołów zależy od użytej wersji OpenSSL. + +Opcja I jest dostępna począwszy od B. + +domyślnie: TLSv1 =item B = LICZBA_BAJTÓW (z wyjątkiem modelu FORK) -rozmiar stosu procesora wątku +rozmiar stosu procesora tworzonych wątków + +Zbyt duży stos zwiększa zużycie pamięci wirtualnej. +Zbyt mały stos może powodować problemy ze stabilnością aplikacji. + +domyślnie: 65536 bytes (wystarczający dla testowanych platform) =item B = LICZBA_SEKUND @@ -1013,7 +1069,7 @@ tryb przezroczystego proxy na wspieranych platformach -Wspierane opcje: +Wspierane wartości: =over 4 @@ -1407,22 +1463,16 @@ wolnego pakietu B. Więcej informacji na temat generowania certyfikatów można znaleźć na umieszczonych poniżej stronach. -Istotną kwestią jest kolejność zawartości pliku I<.pem>. -W pierwszej kolejności powinien on zawierać klucz prywatny, -a dopiero za nim podpisany certyfikat (nie żądanie certyfikatu). -Po certyfikacie i kluczu prywatnym powinny znajdować się puste linie. -Jeżeli przed certyfikatem znajdują się dodatkowe informacje tekstowe, -to powinny one zostać usunięte. Otrzymany plik powinien mieć -następującą postać: +Plik I<.pem> powinien zawierać klucz prywatny oraz podpisany certyfikat +(nie żądanie certyfikatu). +Otrzymany plik powinien mieć następującą postać: -----BEGIN RSA PRIVATE KEY----- [zakodowany klucz] -----END RSA PRIVATE KEY----- - [pusta linia] -----BEGIN CERTIFICATE----- [zakodowany certyfikat] -----END CERTIFICATE----- - [pusta linia] =head2 LOSOWOŚĆ diff -Nru stunnel4-5.44/doc/stunnel.pod.in stunnel4-5.50/doc/stunnel.pod.in --- stunnel4-5.44/doc/stunnel.pod.in 2017-04-01 12:21:24.000000000 +0000 +++ stunnel4-5.50/doc/stunnel.pod.in 2018-12-02 22:47:18.000000000 +0000 
@@ -318,25 +318,6 @@ default: stunnel -=item B = a|l|r:OPTION=VALUE[:VALUE] - -Set an option on the accept/local/remote socket - -The values for the linger option are l_onof:l_linger. -The values for the time are tv_sec:tv_usec. - -Examples: - - socket = l:SO_LINGER=1:60 - set one minute timeout for closing local socket - socket = r:SO_OOBINLINE=yes - place out-of-band data directly into the - receive data stream for remote sockets - socket = a:SO_REUSEADDR=no - disable address reuse (enabled by default) - socket = a:SO_BINDTODEVICE=lo - only accept connections on loopback interface - =item B = yes | no (Unix only) enable logging via syslog @@ -417,9 +398,9 @@ email address of the peer certificate subject Multiple I options are allowed in a single service section. -Certificates are accepted if no I option was specified, or the -email address of the peer certificate matches any of the email addresses -specified with I. +Certificates are accepted if no subject checks were specified, or the email +address of the peer certificate matches any of the email addresses specified +with I. This option requires OpenSSL 1.0.2 or later. @@ -428,9 +409,8 @@ host of the peer certificate subject Multiple I options are allowed in a single service section. -Certificates are accepted if no I option was specified, or the host -name of the peer certificate matches any of the hosts specified with -I. +Certificates are accepted if no subject checks were specified, or the host name +of the peer certificate matches any of the hosts specified with I. This option requires OpenSSL 1.0.2 or later. @@ -439,7 +419,7 @@ IP address of the peer certificate subject Multiple I options are allowed in a single service section. -Certificates are accepted if no I option was specified, or the IP +Certificates are accepted if no subject checks were specified, or the IP address of the peer certificate matches any of the IP addresses specified with I. 
@@ -614,7 +594,7 @@ =back -default: rr +default: prio =item B = USERNAME @@ -624,7 +604,17 @@ include all configuration file parts located in DIRECTORY -The files are included in the ascending alphabetical order of their names. +The files are included in the ascending alphabetical order of their names. The recommended filename convention is + +for global options: + + 00-global.conf + +for local service-level options: + + 01-service.conf + + 02-service.conf =item B = KEY_FILE @@ -704,6 +694,9 @@ options = NO_SSLv2 options = NO_SSLv3 +Use I or I option instead of disabling specific TLS protocol +versions when compiled with B or later. + =item B = PROTO application protocol to negotiate TLS 
@@ -962,22 +955,86 @@ The I option is only available when compiled with B and later. +=item B = a|l|r:OPTION=VALUE[:VALUE] + +Set an option on the accept/local/remote socket + +The values for the linger option are l_onof:l_linger. +The values for the time are tv_sec:tv_usec. + +Examples: + + socket = l:SO_LINGER=1:60 + set one minute timeout for closing local socket + socket = r:SO_OOBINLINE=yes + place out-of-band data directly into the + receive data stream for remote sockets + socket = a:SO_REUSEADDR=no + disable address reuse (enabled by default) + socket = a:SO_BINDTODEVICE=lo + only accept connections on loopback interface + =item B = SSL_VERSION select the TLS protocol version -Supported values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 +Supported versions: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 Availability of specific protocols depends on the linked OpenSSL library. -Older versions of OpenSSL do not support TLSv1.1 and TLSv1.2. +Older versions of OpenSSL do not support TLSv1.1, TLSv1.2 and TLSv1.3. Newer versions of OpenSSL do not support SSLv2. Obsolete SSLv2 and SSLv3 are currently disabled by default. -See the B option documentation for details. + +Setting the option + + sslVersion = SSL_VERSION + +is equivalent to options + + sslVersionMax = SSL_VERSION + sslVersionMin = SSL_VERSION + +when compiled with B and later. + +=item B = SSL_VERSION + +maximum supported protocol versions + +Supported versions: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 + +I enable protocol versions up to the highest version supported by the +linked OpenSSL library. + +Availability of specific protocols depends on the linked OpenSSL library. + +The I option is only available when compiled with B and later. + +default: all + +=item B = SSL_VERSION + +minimum supported protocol versions + +Supported versions: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 + +I enable protocol versions down to the lowest version supported by the +linked OpenSSL library. 
+ +Availability of specific protocols depends on the linked OpenSSL library. + +The I option is only available when compiled with B and later. + +default: TLSv1 =item B = BYTES (except for FORK model) -thread stack size +CPU stack size of created threads + +Excessive thread stack size increases virtual memory usage. +Insufficient thread stack size may cause application crashes. + +default: 65536 bytes (sufficient for all platforms we tested) =item B = SECONDS @@ -1389,20 +1446,16 @@ generate them with the free B package. You can find more information on certificates generation on pages listed below. -The order of contents of the I<.pem> file is important. It should contain the -unencrypted private key first, then a signed certificate (not certificate -request). There should also be empty lines after the certificate and the private key. -Any plaintext certificate information appended on the top of generated certificate -should be discarded. So the file should look like this: +The I<.pem> file should contain the unencrypted private key and +a signed certificate (not certificate request). +So the file should look like this: -----BEGIN RSA PRIVATE KEY----- [encoded key] -----END RSA PRIVATE KEY----- - [empty line] -----BEGIN CERTIFICATE----- [encoded certificate] -----END CERTIFICATE----- - [empty line] =head2 RANDOMNESS diff -Nru stunnel4-5.44/INSTALL.W32 stunnel4-5.50/INSTALL.W32 --- stunnel4-5.44/INSTALL.W32 2017-01-16 20:10:16.000000000 +0000 +++ stunnel4-5.50/INSTALL.W32 2018-04-06 14:25:10.000000000 +0000 
@@ -14,29 +14,29 @@ mv openssl-(version) openssl-(version)-i686 cd openssl-(version)-i686/ - 3) Build OpenSSL. + 3) Build and install OpenSSL. For 32-bit Windows: ./Configure \ --cross-compile-prefix=i686-w64-mingw32- \ - --openssldir=/opt/openssl-mingw mingw shared + --prefix=/opt/openssl-mingw mingw shared make sudo make install sudo cp ms/applink.c /opt/openssl-mingw/include/openssl/ For 64-bit Windows: ./Configure \ --cross-compile-prefix=x86_64-w64-mingw32- \ - --openssldir=/opt/openssl-mingw64 mingw64 shared + --prefix=/opt/openssl-mingw64 mingw64 shared make sudo make install sudo cp ms/applink.c /opt/openssl-mingw64/include/openssl/ 4) Download and unpack stunnel-(version).tar.gz. - 5) Configure stunnel: + 5) Configure stunnel. cd stunnel-(version) ./configure - 6) Build Windows 32-bit and/or 64-bit executables: + 6) Build Windows 32-bit and/or 64-bit executables. cd src make mingw make mingw64 
@@ -44,22 +44,32 @@ Building stunnel from source with MinGW (optional): - Building on a Windows machine is possible, but not currently supported. + Building stunnel with MinGW on a Windows machine is possible, + but not currently supported. Building stunnel from source with Visual Studio (optional): - TODO + 1) Build your own or download pre-built OpenSSL library and headers. + TODO + + 2) Configure path to your OpenSSL in the src\vc.mak file. + + 3) Build stunnel in Visual Studio Command Prompt. + cd src + nmake -f vc.mak Installing stunnel: - 1) Run installer to install the precompiled binaries, or - copy the stunnel.exe or tstunnel.exe executable located in the - /stunnel-(version)/bin/mingw/ directory into the destination - directory on a Windows machine, and - copy OpenSSL DLLs: libeay32.dll, libssp-0.dll and ssleay32.dll - into the same directory, if necessary. + 1) Install stunnel. + Run installer to install the precompiled binaries. + Alternatively, copy the stunnel.exe and/or tstunnel.exe executable located in + /stunnel-(version)/bin/mingw/ or /stunnel-(version)/bin/mingw64/ directory + into the destination directory on a Windows machine. + Copy OpenSSL DLLs into the same directory if necessary. + For a MinGW build also copy libssp-0.dll. + For a Visual Studio build also install Microsoft Visual C++ Redistributable. 2) Read the manual (stunnel.html). diff -Nru stunnel4-5.44/Makefile.am stunnel4-5.50/Makefile.am --- stunnel4-5.44/Makefile.am 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/Makefile.am 2018-12-02 22:55:32.000000000 +0000 @@ -1,5 +1,5 @@ ## Process this file with automake to produce Makefile.in -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 ACLOCAL_AMFLAGS = -I m4 
@@ -22,37 +22,38 @@ distclean-local: rm -rf autom4te.cache -# rm -f $(distdir)-win32-installer.exe + rm -f $(distdir)-win64-installer.exe -#dist-hook: -# makensis -NOCD -DVERSION=${VERSION} \ -# -DSTUNNEL_DIR=$(srcdir) \ -# -DROOT_DIR=/usr/src \ -# $(srcdir)/tools/stunnel.nsi - -sign: dist - cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist - gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip" +dist-hook: + $(MAKE) -C src mingw64 + $(MAKE) -C doc stunnel.html + makensis -NOCD -DARCH=win64 -DVERSION=${VERSION} \ + -DSTUNNEL_DIR=$(srcdir) \ + -DDEST_DIR=. \ + -DOPENSSL_DIR=/opt/openssl-mingw64 \ + $(srcdir)/tools/stunnel.nsi + -$(srcdir)/sign/sign.sh $(distdir)-win64-installer.exe + +sign: + cp -f $(distdir).tar.gz $(distdir)-win64-installer.exe $(distdir)-android.zip ../dist + gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win64-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip" sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256 - sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256 + sha256sum $(distdir)-win64-installer.exe >../dist/$(distdir)-win64-installer.exe.sha256 sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256 cat ../dist/$(distdir)*.sha256 | tac cert: $(MAKE) -C tools cert +mingw: + $(MAKE) -C src mingw + +mingw64: + $(MAKE) -C src mingw64 + test: check install-data-hook: @echo "*********************************************************" @echo "* Type 'make cert' to also install a sample certificate *" @echo "*********************************************************" - -edit = sed \ - -e 
's|@bindir[@]|$(bindir)|g' \ - -e 's|@sysconfdir[@]|$(sysconfdir)|g' - -stunnel.pod: Makefile - $(edit) '$(srcdir)/$@.in' >$@ - -stunnel.pod: $(srcdir)/stunnel.pod diff -Nru stunnel4-5.44/Makefile.in stunnel4-5.50/Makefile.in --- stunnel4-5.44/Makefile.in 2017-11-14 14:07:50.000000000 +0000 +++ stunnel4-5.50/Makefile.in 2018-12-02 22:55:36.000000000 +0000 @@ -14,7 +14,7 @@ @SET_MAKE@ -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 VPATH = @srcdir@ am__is_gnu_make = { \ @@ -370,10 +370,6 @@ doc_DATA = INSTALL README TODO COPYING AUTHORS ChangeLog PORTS BUGS \ COPYRIGHT.GPL CREDITS INSTALL.W32 INSTALL.WCE INSTALL.FIPS distcleancheck_listfiles = find -type f -exec sh -c 'test -f $(srcdir)/{} || echo {}' ';' -edit = sed \ - -e 's|@bindir[@]|$(bindir)|g' \ - -e 's|@sysconfdir[@]|$(sysconfdir)|g' - all: all-recursive .SUFFIXES: @@ -604,6 +600,9 @@ || exit 1; \ fi; \ done + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ + dist-hook -test -n "$(am__skip_mode_fix)" \ || find "$(distdir)" -type d ! -perm -755 \ -exec chmod u+rwx,go+rx {} \; -o \ 
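Review bot: In the new `dist-hook` recipe of Makefile.am (hunk @@ -22,37 +22,38 @@) the signing step is written as `-$(srcdir)/sign/sign.sh $(distdir)-win64-installer.exe`, and the leading `-` makes make ignore its exit status, so a failed signing run still leaves an installer that the `sign` target later copies to ../dist, detach-signs with gpg and hashes. If the prefix is there only because sign/sign.sh is missing from some trees (an inference, the script is not visible here), an explicit guard keeps real failures fatal: `test ! -x $(srcdir)/sign/sign.sh || $(srcdir)/sign/sign.sh $(distdir)-win64-installer.exe`. The same hunk also drops the `dist` prerequisite from `sign:`, so that target now publishes whatever artifacts already sit in the tree; a comment such as `# sign: run only after a fresh 'make dist' and the Android build` would record that assumption. The generated Makefile.in hunk (@@ -871,25 +871,35 @@) carries the same rules and would pick up the fix on regeneration.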
@@ -850,19 +849,20 @@ .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ am--refresh check check-am clean clean-cscope clean-generic \ clean-libtool cscope cscopelist-am ctags ctags-am dist \ - dist-all dist-bzip2 dist-gzip dist-lzip dist-shar dist-tarZ \ - dist-xz dist-zip distcheck distclean distclean-generic \ - distclean-libtool distclean-local distclean-tags \ - distcleancheck distdir distuninstallcheck dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-data-hook install-docDATA install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - installdirs-am maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ - ps ps-am tags tags-am uninstall uninstall-am uninstall-docDATA + dist-all dist-bzip2 dist-gzip dist-hook dist-lzip dist-shar \ + dist-tarZ dist-xz dist-zip distcheck distclean \ + distclean-generic distclean-libtool distclean-local \ + distclean-tags distcleancheck distdir distuninstallcheck dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-data-hook install-docDATA \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-html install-html-am install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-docDATA .PRECIOUS: Makefile 
@@ -871,25 +871,35 @@ distclean-local: rm -rf autom4te.cache -# rm -f $(distdir)-win32-installer.exe + rm -f $(distdir)-win64-installer.exe -#dist-hook: -# makensis -NOCD -DVERSION=${VERSION} \ -# -DSTUNNEL_DIR=$(srcdir) \ -# -DROOT_DIR=/usr/src \ -# $(srcdir)/tools/stunnel.nsi - -sign: dist - cp -f $(distdir).tar.gz $(distdir)-win32-installer.exe $(distdir)-android.zip ../dist - gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win32-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip" +dist-hook: + $(MAKE) -C src mingw64 + $(MAKE) -C doc stunnel.html + makensis -NOCD -DARCH=win64 -DVERSION=${VERSION} \ + -DSTUNNEL_DIR=$(srcdir) \ + -DDEST_DIR=. \ + -DOPENSSL_DIR=/opt/openssl-mingw64 \ + $(srcdir)/tools/stunnel.nsi + -$(srcdir)/sign/sign.sh $(distdir)-win64-installer.exe + +sign: + cp -f $(distdir).tar.gz $(distdir)-win64-installer.exe $(distdir)-android.zip ../dist + gpg-agent --daemon /bin/sh -c "cd ../dist; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir).tar.gz; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-win64-installer.exe; gpg --yes --armor --detach-sign --force-v3-sigs $(distdir)-android.zip" sha256sum $(distdir).tar.gz >../dist/$(distdir).tar.gz.sha256 - sha256sum $(distdir)-win32-installer.exe >../dist/$(distdir)-win32-installer.exe.sha256 + sha256sum $(distdir)-win64-installer.exe >../dist/$(distdir)-win64-installer.exe.sha256 sha256sum $(distdir)-android.zip >../dist/$(distdir)-android.zip.sha256 cat ../dist/$(distdir)*.sha256 | tac cert: $(MAKE) -C tools cert +mingw: + $(MAKE) -C src mingw + +mingw64: + $(MAKE) -C src mingw64 + test: check install-data-hook: 
@@ -897,11 +907,6 @@ @echo "* Type 'make cert' to also install a sample certificate *" @echo "*********************************************************" -stunnel.pod: Makefile - $(edit) '$(srcdir)/$@.in' >$@ - -stunnel.pod: $(srcdir)/stunnel.pod - # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -Nru stunnel4-5.44/src/client.c stunnel4-5.50/src/client.c --- stunnel4-5.44/src/client.c 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/src/client.c 2018-11-05 07:19:29.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -49,18 +49,18 @@ #endif NOEXPORT void client_try(CLI *); +NOEXPORT void exec_connect_loop(CLI *); +NOEXPORT void exec_connect_once(CLI *); NOEXPORT void client_run(CLI *); NOEXPORT void local_start(CLI *); NOEXPORT void remote_start(CLI *); NOEXPORT void ssl_start(CLI *); -NOEXPORT void session_cache_save(CLI *); NOEXPORT void session_cache_retrieve(CLI *); -NOEXPORT void new_chain(CLI *); +NOEXPORT void print_cipher(CLI *); NOEXPORT void transfer(CLI *); NOEXPORT int parse_socket_error(CLI *, const char *); -NOEXPORT void print_cipher(CLI *); -NOEXPORT void auth_user(CLI *, char *); +NOEXPORT void auth_user(CLI *); NOEXPORT SOCKET connect_local(CLI *); #if !defined(USE_WIN32) && !defined(__vms) NOEXPORT char **env_alloc(CLI *); 
@@ -85,78 +85,156 @@ c->local_rfd.fd=rfd; c->local_wfd.fd=wfd; c->seq=seq++; - c->opt->seq++; + c->rr=c->opt->rr++; return c; } -void *client_thread(void *arg) { +#if defined(USE_WIN32) || defined(USE_OS2) +unsigned __stdcall +#else +void * +#endif +client_thread(void *arg) { CLI *c=arg; +#ifdef DEBUG_STACK_SIZE + size_t stack_size=c->opt->stack_size; +#endif + /* initialize */ c->tls=NULL; /* do not reuse */ tls_alloc(c, NULL, NULL); #ifdef DEBUG_STACK_SIZE - stack_info(1); /* initialize */ + stack_info(stack_size, 1); /* initialize */ #endif + + /* execute */ client_main(c); + + /* cleanup */ #ifdef DEBUG_STACK_SIZE - stack_info(0); /* display computed value */ + stack_info(stack_size, 0); /* display computed value */ #endif str_stats(); /* client thread allocation tracking */ tls_cleanup(); /* s_log() is not allowed after tls_cleanup() */ -#if defined(USE_WIN32) && !defined(_WIN32_WCE) - _endthread(); + + /* terminate */ +#if defined(USE_WIN32) || defined(USE_OS2) +#if !defined(_WIN32_WCE) + _endthreadex(0); #endif + return 0; +#else #ifdef USE_UCONTEXT s_poll_wait(NULL, 0, 0); /* wait on poll() */ #endif return NULL; +#endif } +#ifdef DEBUG_STACK_SIZE +void ignore_value(void *ptr) { + (void)ptr; /* squash the unused parameter warning */ +} +#endif + void client_main(CLI *c) { s_log(LOG_DEBUG, "Service [%s] started", c->opt->servname); if(c->opt->exec_name && c->opt->connect_addr.names) { - /* exec+connect options specified together - * -> spawn a local program instead of stdio */ - for(;;) { - SERVICE_OPTIONS *opt=c->opt; - memset(c, 0, sizeof(CLI)); /* connect_local needs clean c */ - c->opt=opt; - if(!setjmp(c->err)) - c->local_rfd.fd=c->local_wfd.fd=connect_local(c); - else - break; - client_run(c); - if(!c->opt->option.retry) - break; - sleep(1); /* FIXME: not a good idea in ucontext threading */ - s_poll_free(c->fds); - c->fds=NULL; + if(c->opt->option.retry) + exec_connect_loop(c); + else + exec_connect_once(c); + } else { + client_run(c); + } +#ifndef 
USE_FORK + service_free(c->opt); +#endif + str_free(c); +} + +#ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) +#pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ +#pragma GCC diagnostic ignored "-Wformat" +#pragma GCC diagnostic ignored "-Wformat-extra-args" +#endif /* __GNUC__ */ +NOEXPORT void exec_connect_loop(CLI *c) { + unsigned long long seq=0; + char *fresh_id=c->tls->id; + unsigned retry; + + do { + /* make sure c->tls->id is valid in str_printf() */ + char *id=str_printf("%s_%llu", fresh_id, seq++); + str_detach(id); + c->tls->id=id; + + exec_connect_once(c); + /* retry is asynchronously changed in the main thread, + * so we make sure to use the same value for both checks */ + retry=c->opt->option.retry; + if(retry) { + s_log(LOG_INFO, "Retrying an exec+connect section"); + /* c and id are detached, so it is safe to call str_stats() */ str_stats(); /* client thread allocation tracking */ - /* c allocation is detached, so it is safe to call str_stats() */ - if(service_options.next) /* no tls_cleanup() in inetd mode */ - tls_cleanup(); + sleep(1); /* FIXME: not a good idea in ucontext threading */ + c->rr++; } - } else + + /* make sure c->tls->id is valid in str_free() */ + c->tls->id=fresh_id; + str_free(id); + } while(retry); /* retry is disabled on config reload */ +} +#ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) +#pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ +#endif /* __GNUC__ */ + +/* exec+connect options specified together + * -> spawn a local program instead of stdio */ +NOEXPORT void exec_connect_once(CLI *fresh_c) { + jmp_buf exception_buffer, *exception_backup; + /* connect_local() needs an unmodified copy of c each time */ + CLI *c=str_alloc(sizeof(CLI)); + memcpy(c, fresh_c, sizeof(CLI)); + + exception_backup=c->exception_pointer; + c->exception_pointer=&exception_buffer; + if(!setjmp(exception_buffer)) { + c->local_rfd.fd=c->local_wfd.fd=connect_local(c); client_run(c); + 
} + c->exception_pointer=exception_backup; + str_free(c); } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ #pragma GCC diagnostic ignored "-Wformat" #pragma GCC diagnostic ignored "-Wformat-extra-args" #endif /* __GNUC__ */ NOEXPORT void client_run(CLI *c) { + jmp_buf exception_buffer, *exception_backup; int err, rst; #ifndef USE_FORK - long num_clients_copy; + int num; #endif #ifndef USE_FORK - stunnel_write_lock(&stunnel_locks[LOCK_CLIENTS]); - ui_clients(++num_clients); - stunnel_write_unlock(&stunnel_locks[LOCK_CLIENTS]); +#ifdef USE_OS_THREADS + CRYPTO_atomic_add(&num_clients, 1, &num, stunnel_locks[LOCK_CLIENTS]); +#else + num=++num_clients; +#endif + ui_clients(num); #endif /* initialize the client context */ @@ -177,9 +255,14 @@ addrlist_clear(&c->connect_addr, 0); /* try to process the request */ - err=setjmp(c->err); - if(!err) + exception_backup=c->exception_pointer; + c->exception_pointer=&exception_buffer; + err=setjmp(exception_buffer); + if(!err) { client_try(c); + } + c->exception_pointer=exception_backup; + rst=err==1 && c->opt->option.reset; s_log(LOG_NOTICE, "Connection %s: %llu byte(s) sent to TLS, %llu byte(s) sent to socket", 
@@ -242,15 +325,16 @@ /* display child return code if it managed to arrive on time */ /* otherwise it will be retrieved by the init process and ignored */ if(c->opt->exec_name) /* 'exec' specified */ - child_status(); /* null SIGCHLD handler was used */ + pid_status_hang("Child process"); /* null SIGCHLD handler was used */ s_log(LOG_DEBUG, "Service [%s] finished", c->opt->servname); #else - stunnel_write_lock(&stunnel_locks[LOCK_CLIENTS]); - ui_clients(--num_clients); - num_clients_copy=num_clients; /* to move s_log() away from CRIT_CLIENTS */ - stunnel_write_unlock(&stunnel_locks[LOCK_CLIENTS]); - s_log(LOG_DEBUG, "Service [%s] finished (%ld left)", - c->opt->servname, num_clients_copy); +#ifdef USE_OS_THREADS + CRYPTO_atomic_add(&num_clients, -1, &num, stunnel_locks[LOCK_CLIENTS]); +#else + num=--num_clients; +#endif + ui_clients(num); + s_log(LOG_DEBUG, "Service [%s] finished (%ld left)", c->opt->servname, num); #endif /* free the client context */ @@ -258,10 +342,12 @@ /* a client does not have its own local copy of c->connect_addr.session and c->connect_addr.fd */ s_poll_free(c->fds); - c->fds=NULL; + str_free(c->accepted_address); } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ NOEXPORT void client_try(CLI *c) { @@ -283,7 +369,6 @@ NOEXPORT void local_start(CLI *c) { SOCKADDR_UNION addr; socklen_t addr_len; - char *accepted_address; /* check if local_rfd is a socket and get peer address */ addr_len=sizeof(SOCKADDR_UNION); @@ -291,12 +376,12 @@ if(c->local_rfd.is_socket) { memcpy(&c->peer_addr.sa, &addr.sa, (size_t)addr_len); c->peer_addr_len=addr_len; - if(set_socket_options(c->local_rfd.fd, 1)) + if(socket_options_set(c->opt, c->local_rfd.fd, 1)) s_log(LOG_WARNING, "Failed to set local socket options"); } else { if(get_last_socket_error()!=S_ENOTSOCK) { sockerror("getpeerbyname (local_rfd)"); - longjmp(c->err, 1); + throw_exception(c, 1); } } 
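Review bot: The new `s_log(LOG_DEBUG, "Service [%s] finished (%ld left)", c->opt->servname, num);` in the first hunk on this line formats `num` with `%ld`, but the earlier hunk (@@ -85,78 +85,156) replaces `long num_clients_copy;` with `int num;`. Assuming s_log forwards its arguments to a printf-style formatter, passing an int for a `%ld` conversion is undefined behaviour and can log a garbage client count on LP64 targets. The `#pragma GCC diagnostic ignored "-Wformat"` that wraps client_run also keeps the compiler from reporting it. Match the conversion to the type, `s_log(LOG_DEBUG, "Service [%s] finished (%d left)", c->opt->servname, num);`, or cast the argument to `long`. client_run starts outside this hunk.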
@@ -311,12 +396,12 @@ memcpy(&c->peer_addr.sa, &addr.sa, (size_t)addr_len); c->peer_addr_len=addr_len; } - if(set_socket_options(c->local_wfd.fd, 1)) + if(socket_options_set(c->opt, c->local_wfd.fd, 1)) s_log(LOG_WARNING, "Failed to set local socket options"); } else { if(get_last_socket_error()!=S_ENOTSOCK) { sockerror("getpeerbyname (local_wfd)"); - longjmp(c->err, 1); + throw_exception(c, 1); } } } @@ -326,7 +411,7 @@ #ifndef USE_WIN32 if(c->opt->option.transparent_src) { s_log(LOG_ERR, "Transparent source needs a socket"); - longjmp(c->err, 1); + throw_exception(c, 1); } #endif s_log(LOG_NOTICE, "Service [%s] accepted connection", c->opt->servname); @@ -334,14 +419,13 @@ } /* authenticate based on retrieved IP address of the client */ - accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len); + c->accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len); #ifdef USE_LIBWRAP - libwrap_auth(c, accepted_address); + libwrap_auth(c); #endif /* USE_LIBWRAP */ - auth_user(c, accepted_address); + auth_user(c); s_log(LOG_NOTICE, "Service [%s] accepted connection from %s", - c->opt->servname, accepted_address); - str_free(accepted_address); + c->opt->servname, c->accepted_address); } NOEXPORT void remote_start(CLI *c) { @@ -368,7 +452,7 @@ #endif { c->remote_fd.is_socket=1; - if(set_socket_options(c->remote_fd.fd, 2)) + if(socket_options_set(c->opt, c->remote_fd.fd, 2)) s_log(LOG_WARNING, "Failed to set remote socket options"); } s_log(LOG_DEBUG, "Remote descriptor (FD=%ld) initialized", 
@@ -382,21 +466,26 @@ c->ssl=SSL_new(c->opt->ctx); if(!c->ssl) { sslerror("SSL_new"); - longjmp(c->err, 1); + throw_exception(c, 1); } /* for callbacks */ if(!SSL_set_ex_data(c->ssl, index_ssl_cli, c)) { sslerror("SSL_set_ex_data"); - longjmp(c->err, 1); + throw_exception(c, 1); } if(c->opt->option.client) { #ifndef OPENSSL_NO_TLSEXT + /* c->opt->sni should always be initialized at this point, + * either explicitly with "sni" + * or implicitly with "protocolHost" or "connect" */ if(c->opt->sni && *c->opt->sni) { s_log(LOG_INFO, "SNI: sending servername: %s", c->opt->sni); if(!SSL_set_tlsext_host_name(c->ssl, c->opt->sni)) { sslerror("SSL_set_tlsext_host_name"); - longjmp(c->err, 1); + throw_exception(c, 1); } + } else { /* c->opt->sni was set to an empty value */ + s_log(LOG_INFO, "SNI: extension disabled"); } #endif session_cache_retrieve(c); @@ -428,7 +517,7 @@ * alternative solution is to disable internal session caching * * NOTE: this critical section also covers callbacks (e.g. OCSP) */ if(unsafe_openssl) - stunnel_write_lock(&stunnel_locks[LOCK_SSL]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_SSL]); if(c->opt->option.client) i=SSL_connect(c->ssl); @@ -436,7 +525,7 @@ i=SSL_accept(c->ssl); if(unsafe_openssl) - stunnel_write_unlock(&stunnel_locks[LOCK_SSL]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SSL]); err=SSL_get_error(c->ssl, i); if(err==SSL_ERROR_NONE) @@ -449,16 +538,17 @@ switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) { case -1: sockerror("ssl_start: s_poll_wait"); - longjmp(c->err, 1); + throw_exception(c, 1); case 0: s_log(LOG_INFO, "ssl_start: s_poll_wait:" " TIMEOUTbusy exceeded: sending reset"); - longjmp(c->err, 1); + s_poll_dump(c->fds, LOG_DEBUG); + throw_exception(c, 1); case 1: break; /* OK */ default: s_log(LOG_ERR, "ssl_start: s_poll_wait: unknown result"); - longjmp(c->err, 1); + throw_exception(c, 1); } continue; /* ok -> retry */ } 
@@ -476,94 +566,59 @@ sslerror("SSL_connect"); else sslerror("SSL_accept"); - longjmp(c->err, 1); + throw_exception(c, 1); } - s_log(LOG_INFO, "TLS %s: %s", - c->opt->option.client ? "connected" : "accepted", - SSL_session_reused(c->ssl) ? - "previous session reused" : "new session negotiated"); - if(!SSL_session_reused(c->ssl)) { /* a new session was negotiated */ - new_chain(c); - if(c->opt->option.client) - session_cache_save(c); - print_cipher(c); - } -} - -/* cache client sessions */ -NOEXPORT void session_cache_save(CLI *c) { - SSL_SESSION *old1, *old2; - - stunnel_write_lock(&stunnel_locks[LOCK_SESSION]); - /* per-destination client cache */ - /* "parent->" part is added for future use (not currently needed) */ - old1=c->connect_addr.parent->session[c->idx]; - c->connect_addr.parent->session[c->idx]=SSL_get1_session(c->ssl); - /* per-section client cache (for delayed resolver) */ - old2=c->opt->session; - c->opt->session=SSL_get1_session(c->ssl); - stunnel_write_unlock(&stunnel_locks[LOCK_SESSION]); - if(old1) - SSL_SESSION_free(old1); - if(old2) - SSL_SESSION_free(old2); + print_cipher(c); + if(SSL_session_reused(c->ssl)) + print_session_id(SSL_get_session(c->ssl)); } NOEXPORT void session_cache_retrieve(CLI *c) { - stunnel_read_lock(&stunnel_locks[LOCK_SESSION]); - /* try per-destination cache first */ - /* "parent->" part is added for future use (not currently needed) */ - if(c->connect_addr.parent->session[c->idx]) - SSL_set_session(c->ssl, c->connect_addr.parent->session[c->idx]); - else if(c->opt->session) - SSL_set_session(c->ssl, c->opt->session); - stunnel_read_unlock(&stunnel_locks[LOCK_SESSION]); -} + SSL_SESSION *sess; -NOEXPORT void new_chain(CLI *c) { - BIO *bio; - int i, len; - X509 *peer_cert; - STACK_OF(X509) *sk; - char *chain; - - if(c->opt->chain) /* already cached */ - return; /* this race condition is safe to ignore */ - bio=BIO_new(BIO_s_mem()); - if(!bio) - return; - sk=SSL_get_peer_cert_chain(c->ssl); - for(i=0; sk && 
iopt->option.client) { - peer_cert=SSL_get_peer_certificate(c->ssl); - if(peer_cert) { - PEM_write_bio_X509(bio, peer_cert); - X509_free(peer_cert); + CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_SESSION]); + if(c->opt->option.delayed_lookup) { + sess=c->opt->session; + } else { /* per-destination client cache */ + if(c->opt->connect_session) { + sess=c->opt->connect_session[c->idx]; + } else { + s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized client session cache"); + sess=NULL; } } - len=BIO_pending(bio); - if(len<=0) { - s_log(LOG_INFO, "No peer certificate received"); - BIO_free(bio); - return; - } - /* prevent automatic deallocation of the cached value */ - chain=str_alloc_detached((size_t)len+1); - len=BIO_read(bio, chain, len); - if(len<0) { - s_log(LOG_ERR, "BIO_read failed"); - BIO_free(bio); - str_free(chain); + if(sess) + SSL_set_session(c->ssl, sess); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SESSION]); +} + +NOEXPORT void print_cipher(CLI *c) { /* print negotiated cipher */ + SSL_CIPHER *cipher; +#ifndef OPENSSL_NO_COMP + const COMP_METHOD *compression, *expansion; +#endif + + if(c->opt->log_levelopt->chain=chain; /* this race condition is safe to ignore */ - ui_new_chain(c->opt->section_number); - s_log(LOG_DEBUG, "Peer certificate was cached (%d bytes)", len); + + s_log(LOG_INFO, "TLS %s: %s", + c->opt->option.client ? "connected" : "accepted", + SSL_session_reused(c->ssl) && !c->flag.psk ? + "previous session reused" : "new session negotiated"); + + cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl); + s_log(LOG_INFO, "%s ciphersuite: %s (%d-bit encryption)", + SSL_get_version(c->ssl), SSL_CIPHER_get_name(cipher), + SSL_CIPHER_get_bits(cipher, NULL)); + +#ifndef OPENSSL_NO_COMP + compression=SSL_get_current_compression(c->ssl); + expansion=SSL_get_current_expansion(c->ssl); + s_log(compression||expansion ? LOG_INFO : LOG_DEBUG, + "Compression: %s, expansion: %s", + compression ? SSL_COMP_get_name(compression) : "null", + expansion ? 
SSL_COMP_get_name(expansion) : "null"); +#endif } /****************************** transfer data */ @@ -621,17 +676,19 @@ switch(err) { case -1: sockerror("transfer: s_poll_wait"); - longjmp(c->err, 1); + throw_exception(c, 1); case 0: /* timeout */ if((sock_open_rd && !(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)) || c->ssl_ptr || c->sock_ptr) { s_log(LOG_INFO, "transfer: s_poll_wait:" " TIMEOUTidle exceeded: sending reset"); - longjmp(c->err, 1); + s_poll_dump(c->fds, LOG_DEBUG); + throw_exception(c, 1); } else { /* already closing connection */ s_log(LOG_ERR, "transfer: s_poll_wait:" " TIMEOUTclose exceeded: closing"); + s_poll_dump(c->fds, LOG_DEBUG); return; /* OK */ } } @@ -691,7 +748,7 @@ s_log(LOG_ERR, "Socket closed (HUP) with %ld unsent byte(s)", (long)c->ssl_ptr); - longjmp(c->err, 1); /* reset the sockets */ + throw_exception(c, 1); /* reset the sockets */ } s_log(LOG_INFO, "Socket closed (HUP)"); sock_open_rd=sock_open_wr=0; @@ -701,7 +758,7 @@ s_log(LOG_ERR, "TLS socket closed (HUP) with %ld unsent byte(s)", (long)c->sock_ptr); - longjmp(c->err, 1); /* reset the sockets */ + throw_exception(c, 1); /* reset the sockets */ } s_log(LOG_INFO, "TLS socket closed (HUP)"); SSL_set_shutdown(c->ssl, @@ -711,7 +768,7 @@ if(c->reneg_state==RENEG_DETECTED && !c->opt->option.renegotiation) { s_log(LOG_ERR, "Aborting due to renegotiation request"); - longjmp(c->err, 1); + throw_exception(c, 1); } /****************************** send TLS close_notify alert */ @@ -748,10 +805,10 @@ break; case SSL_ERROR_SSL: /* TLS error */ sslerror("SSL_shutdown"); - longjmp(c->err, 1); + throw_exception(c, 1); default: s_log(LOG_ERR, "SSL_shutdown/SSL_get_error returned %d", err); - longjmp(c->err, 1); + throw_exception(c, 1); } } 
@@ -843,7 +900,7 @@ s_log(LOG_ERR, "TLS socket closed (SSL_write) with %ld unsent byte(s)", (long)c->sock_ptr); - longjmp(c->err, 1); /* reset the sockets */ + throw_exception(c, 1); /* reset the sockets */ } s_log(LOG_INFO, "TLS socket closed (SSL_write)"); SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); @@ -855,10 +912,10 @@ break; case SSL_ERROR_SSL: sslerror("SSL_write"); - longjmp(c->err, 1); + throw_exception(c, 1); default: s_log(LOG_ERR, "SSL_write/SSL_get_error returned %d", err); - longjmp(c->err, 1); + throw_exception(c, 1); } } @@ -902,7 +959,7 @@ s_log(LOG_ERR, "TLS socket closed (SSL_read) with %ld unsent byte(s)", (long)c->sock_ptr); - longjmp(c->err, 1); /* reset the sockets */ + throw_exception(c, 1); /* reset the sockets */ } s_log(LOG_INFO, "TLS socket closed (SSL_read)"); SSL_set_shutdown(c->ssl, @@ -916,10 +973,10 @@ break; case SSL_ERROR_SSL: sslerror("SSL_read"); - longjmp(c->err, 1); + throw_exception(c, 1); default: s_log(LOG_ERR, "SSL_read/SSL_get_error returned %d", err); - longjmp(c->err, 1); + throw_exception(c, 1); } } @@ -936,7 +993,7 @@ s_log(LOG_ERR, "Write socket closed (write hangup) with %ld unsent byte(s)", (long)c->ssl_ptr); - longjmp(c->err, 1); /* reset the sockets */ + throw_exception(c, 1); /* reset the sockets */ } s_log(LOG_INFO, "Write socket closed (write hangup)"); sock_open_wr=0; @@ -957,7 +1014,7 @@ s_log(LOG_ERR, "TLS socket closed (write hangup) with %ld unsent byte(s)", (long)c->sock_ptr); - longjmp(c->err, 1); /* reset the sockets */ + throw_exception(c, 1); /* reset the sockets */ } s_log(LOG_INFO, "TLS socket closed (write hangup)"); SSL_set_shutdown(c->ssl, @@ -1022,7 +1079,7 @@ s_log(LOG_ERR, "socket input buffer: %ld byte(s), " "TLS input buffer: %ld byte(s)", (long)c->sock_ptr, (long)c->ssl_ptr); - longjmp(c->err, 1); + throw_exception(c, 1); } } while(sock_open_wr || !(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) || 
@@ -1030,10 +1087,12 @@ } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ #if __GNUC__ >= 7 #pragma GCC diagnostic ignored "-Wimplicit-fallthrough" -#endif +#endif /* __GNUC__>=7 */ #endif /* __GNUC__ */ /* returns 0 on close and 1 on non-critical errors */ @@ -1071,39 +1130,18 @@ #endif default: sockerror(text); - longjmp(c->err, 1); + throw_exception(c, 1); return -1; /* some C compilers require a return value */ } } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ -NOEXPORT void print_cipher(CLI *c) { /* print negotiated cipher */ - SSL_CIPHER *cipher; -#ifndef OPENSSL_NO_COMP - const COMP_METHOD *compression, *expansion; -#endif - - if(c->opt->log_levelssl); - s_log(LOG_INFO, "Negotiated %s ciphersuite %s (%d-bit encryption)", - SSL_get_version(c->ssl), SSL_CIPHER_get_name(cipher), - SSL_CIPHER_get_bits(cipher, NULL)); - -#ifndef OPENSSL_NO_COMP - compression=SSL_get_current_compression(c->ssl); - expansion=SSL_get_current_expansion(c->ssl); - s_log(compression||expansion ? LOG_INFO : LOG_DEBUG, - "Compression: %s, expansion: %s", - compression ? SSL_COMP_get_name(compression) : "null", - expansion ? SSL_COMP_get_name(expansion) : "null"); -#endif -} - -NOEXPORT void auth_user(CLI *c, char *accepted_address) { +NOEXPORT void auth_user(CLI *c) { #ifndef _WIN32_WCE struct servent *s_ent; /* structure for getservbyname */ #endif @@ -1122,7 +1160,7 @@ c->fd=s_socket(c->peer_addr.sa.sa_family, SOCK_STREAM, 0, 1, "socket (auth_user)"); if(c->fd==INVALID_SOCKET) - longjmp(c->err, 1); + throw_exception(c, 1); memcpy(&ident, &c->peer_addr, (size_t)c->peer_addr_len); #ifndef _WIN32_WCE s_ent=getservbyname("auth", "tcp"); 
@@ -1135,7 +1173,7 @@ ident.in.sin_port=htons(113); } if(s_connect(c, &ident, addr_len(&ident))) - longjmp(c->err, 1); + throw_exception(c, 1); s_log(LOG_DEBUG, "IDENT server connected"); remote_port=ntohs(c->peer_addr.in.sin_port); local_port=(unsigned)(c->opt->local_addr.addr ? @@ -1148,35 +1186,35 @@ if(!type) { s_log(LOG_ERR, "Malformed IDENT response"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } *type++='\0'; system=strchr(type, ':'); if(!system) { s_log(LOG_ERR, "Malformed IDENT response"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } *system++='\0'; if(strcmp(type, " USERID ")) { s_log(LOG_ERR, "Incorrect INETD response type"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } user=strchr(system, ':'); if(!user) { s_log(LOG_ERR, "Malformed IDENT response"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } *user++='\0'; while(*user==' ') /* skip leading spaces */ ++user; if(strcmp(user, c->opt->username)) { s_log(LOG_WARNING, "Connection from %s REFUSED by IDENT (user \"%s\")", - accepted_address, user); + c->accepted_address, user); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } s_log(LOG_INFO, "IDENT authentication passed"); str_free(line); @@ -1186,7 +1224,7 @@ NOEXPORT int connect_local(CLI *c) { /* spawn local process */ s_log(LOG_ERR, "Local mode is not supported on this platform"); - longjmp(c->err, 1); + throw_exception(c, 1); return -1; /* some C compilers require a return value */ } @@ -1199,7 +1237,7 @@ LPTSTR name, args; if(make_sockets(fd)) - longjmp(c->err, 1); + throw_exception(c, 1); memset(&si, 0, sizeof si); si.cb=sizeof si; si.dwFlags=STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; 
@@ -1234,11 +1272,11 @@ char tty[64]; if(pty_allocate(fd, fd+1, tty)) - longjmp(c->err, 1); + throw_exception(c, 1); s_log(LOG_DEBUG, "TTY=%s allocated", tty); } else if(make_sockets(fd)) - longjmp(c->err, 1); + throw_exception(c, 1); set_nonblock(fd[1], 0); /* switch back to the blocking mode */ env=env_alloc(c); @@ -1250,7 +1288,7 @@ closesocket(fd[1]); env_free(env); ioerror("fork"); - longjmp(c->err, 1); + throw_exception(c, 1); case 0: /* child */ /* the child is not allowed to play with thread-local storage */ /* see http://linux.die.net/man/3/pthread_atfork for details */ @@ -1258,7 +1296,7 @@ /* dup2() does not copy FD_CLOEXEC flag */ dup2(fd[1], 0); dup2(fd[1], 1); - if(!global_options.option.log_stderr) + if(!c->opt->option.log_stderr) dup2(fd[1], 2); closesocket(fd[1]); /* not really needed due to FD_CLOEXEC */ #ifdef HAVE_PTHREAD_SIGMASK @@ -1356,7 +1394,7 @@ switch(c->connect_addr.num) { case 0: s_log(LOG_ERR, "No remote host resolved"); - longjmp(c->err, 1); + throw_exception(c, 1); case 1: idx_start=0; break; @@ -1384,7 +1422,7 @@ } } s_log(LOG_ERR, "No more addresses to connect"); - longjmp(c->err, 1); + throw_exception(c, 1); return INVALID_SOCKET; /* some C compilers require a return value */ } 
@@ -1402,12 +1440,16 @@ s_log(LOG_INFO, "persistence: %s cached", addr_txt); str_free(addr_txt); - stunnel_write_lock(&stunnel_locks[LOCK_ADDR]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_ADDR]); old_addr=SSL_SESSION_get_ex_data(sess, index_session_connect_address); - /* we can safely ignore the SSL_SESSION_set_ex_data() failure */ - SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr); - stunnel_write_unlock(&stunnel_locks[LOCK_ADDR]); - str_free(old_addr); /* NULL pointers are ignored */ + if(SSL_SESSION_set_ex_data(sess, index_session_connect_address, new_addr)) { + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); + str_free(old_addr); /* NULL pointers are ignored */ + } else { /* failed to store new_addr -> remove it */ + sslerror("SSL_SESSION_set_ex_data"); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); + str_free(new_addr); /* NULL pointers are ignored */ + } } NOEXPORT unsigned idx_cache_retrieve(CLI *c) { @@ -1417,13 +1459,13 @@ char *addr_txt; if(c->ssl && SSL_session_reused(c->ssl)) { - stunnel_read_lock(&stunnel_locks[LOCK_ADDR]); + CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_ADDR]); ptr=SSL_SESSION_get_ex_data(SSL_get_session(c->ssl), index_session_connect_address); if(ptr) { len=addr_len(ptr); memcpy(&addr, ptr, (size_t)len); - stunnel_read_unlock(&stunnel_locks[LOCK_ADDR]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); /* address was copied, ptr itself is no longer valid */ for(i=0; iconnect_addr.num; ++i) { if(addr_len(&c->connect_addr.addr[i])==len && 
@@ -1439,13 +1481,13 @@ s_log(LOG_INFO, "persistence: %s not available", addr_txt); str_free(addr_txt); } else { - stunnel_read_unlock(&stunnel_locks[LOCK_ADDR]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_ADDR]); s_log(LOG_NOTICE, "persistence: No cached address found"); } } if(c->opt->failover==FAILOVER_RR) { - i=(c->connect_addr.start+c->opt->seq)%c->connect_addr.num; + i=(c->connect_addr.start+c->rr)%c->connect_addr.num; s_log(LOG_INFO, "failover: round-robin, starting at entry #%d", i); } else { i=0; @@ -1473,7 +1515,7 @@ c->connect_addr.num=1; c->connect_addr.addr=str_alloc(sizeof(SOCKADDR_UNION)); if(original_dst(c->local_rfd.fd, c->connect_addr.addr)) - longjmp(c->err, 1); + throw_exception(c, 1); return; } @@ -1552,7 +1594,7 @@ /* FIXME: move this check to options.c */ s_log(LOG_ERR, "Transparent proxy in remote mode is not supported" " on this platform"); - longjmp(c->err, 1); + throw_exception(c, 1); #endif } #endif /* !defined(USE_WIN32) */ @@ -1616,4 +1658,10 @@ log_error(LOG_DEBUG, get_last_socket_error(), txt); } +void throw_exception(CLI *c, int v) { + if(!c || !c->exception_pointer) + fatal("No exception handler"); + longjmp(*c->exception_pointer, v); +} + /* end of client.c */ diff -Nru stunnel4-5.44/src/common.h stunnel4-5.50/src/common.h --- stunnel4-5.44/src/common.h 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/common.h 2018-11-06 17:42:50.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -52,8 +52,10 @@ #define BUFFSIZE 18432 /* how many bytes of random input to read from files for PRNG */ -/* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */ -#define RANDOM_BYTES 64 +/* security margin is huge to compensate for flawed entropy */ +#define RANDOM_BYTES 1024 + +/**************************************** debugging */ /* for FormatGuard */ /* #define __NO_FORMATGUARD_ */ @@ -67,6 +69,12 @@ #define NOEXPORT static #endif +#ifdef __GNUC__ +#define NORETURN __attribute__((noreturn)) +#else +#define NORETURN +#endif /* __GNUC__ */ + /**************************************** platform */ #ifdef _WIN32 @@ -94,7 +102,6 @@ typedef int ssize_t; #endif /* _WIN64 */ #endif /* !__MINGW32__ */ -#define PATH_MAX MAX_PATH #define USE_IPv6 #define _CRT_SECURE_NO_DEPRECATE #define _CRT_NONSTDC_NO_DEPRECATE @@ -355,16 +362,6 @@ #define INADDR_LOOPBACK (u32)0x7F000001 #endif -#if defined(HAVE_WAITPID) -/* for SYSV systems */ -#define wait_for_pid(a, b, c) waitpid((a), (b), (c)) -#define HAVE_WAIT_FOR_PID 1 -#elif defined(HAVE_WAIT4) -/* for BSD systems */ -#define wait_for_pid(a, b, c) wait4((a), (b), (c), NULL) -#define HAVE_WAIT_FOR_PID 1 -#endif - /* SunOS 4 */ #if defined(sun) && !defined(__svr4__) && !defined(__SVR4) #define atexit(a) on_exit((a), NULL) @@ -460,6 +457,7 @@ #define USE_FIPS #endif +#include #include #include #include diff -Nru stunnel4-5.44/src/cron.c stunnel4-5.50/src/cron.c --- stunnel4-5.44/src/cron.c 2017-08-17 09:18:53.000000000 +0000 +++ stunnel4-5.50/src/cron.c 2018-11-05 07:19:29.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -42,9 +42,9 @@ NOEXPORT void *cron_thread(void *arg); #endif #ifdef USE_WIN32 -NOEXPORT void cron_thread(void *arg); +NOEXPORT unsigned __stdcall cron_thread(void *arg); #endif -#if defined(USE_PTHREAD) || defined(USE_WIN32) +#ifdef USE_OS_THREADS NOEXPORT void cron_worker(void); NOEXPORT void cron_dh_param(void); #endif @@ -92,21 +92,28 @@ #elif defined(USE_WIN32) int cron_init() { - if((long)_beginthread(cron_thread, 0, NULL)==-1) - ioerror("_beginthread"); + HANDLE handle; + + handle=(HANDLE)_beginthreadex(NULL, 0, cron_thread, NULL, 0, NULL); + if(!handle) { + ioerror("_beginthreadex"); + return 1; + } + CloseHandle(handle); return 0; } -NOEXPORT void cron_thread(void *arg) { +NOEXPORT unsigned __stdcall cron_thread(void *arg) { (void)arg; /* squash the unused parameter warning */ tls_alloc(NULL, NULL, "cron"); if(!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_LOWEST)) ioerror("SetThreadPriority"); cron_worker(); - _endthread(); /* it should never be executed */ + _endthreadex(0); /* it should never be executed */ + return 0; } -#else /* !defined(USE_PTHREAD) && !defined(USE_WIN32) */ +#else /* USE_OS_THREADS */ int cron_init() { /* not implemented for now */ @@ -118,7 +125,7 @@ /* run the cron job every 24 hours */ #define CRON_PERIOD (24*60*60) -#if defined(USE_PTHREAD) || defined(USE_WIN32) +#ifdef USE_OS_THREADS NOEXPORT void cron_worker(void) { time_t now, then; @@ -158,7 +165,7 @@ SERVICE_OPTIONS *opt; DH *dh; - if(!dh_needed) + if(!dh_temp_params || !service_options.next) return; s_log(LOG_NOTICE, "Updating DH parameters"); 
@@ -183,19 +190,21 @@ #endif /* update global dh_params for future configuration reloads */ - stunnel_write_lock(&stunnel_locks[LOCK_DH]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_DH]); DH_free(dh_params); dh_params=dh; - stunnel_write_unlock(&stunnel_locks[LOCK_DH]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_DH]); /* set for all sections that require it */ + CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_SECTIONS]); for(opt=service_options.next; opt; opt=opt->next) - if(opt->option.dh_needed) + if(opt->option.dh_temp_params) SSL_CTX_set_tmp_dh(opt->ctx, dh); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SECTIONS]); s_log(LOG_NOTICE, "DH parameters updated"); } #endif /* OPENSSL_NO_DH */ -#endif /* USE_PTHREAD || USE_WIN32 */ +#endif /* USE_OS_THREADS */ /* end of cron.c */ diff -Nru stunnel4-5.44/src/ctx.c stunnel4-5.50/src/ctx.c --- stunnel4-5.44/src/ctx.c 2017-08-17 09:18:53.000000000 +0000 +++ stunnel4-5.50/src/ctx.c 2018-11-05 07:19:29.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -46,7 +46,7 @@ #ifndef OPENSSL_NO_DH DH *dh_params=NULL; -int dh_needed=0; +int dh_temp_params=0; #endif /* OPENSSL_NO_DH */ /**************************************** prototypes */ @@ -54,7 +54,7 @@ /* SNI */ #ifndef OPENSSL_NO_TLSEXT NOEXPORT int servername_cb(SSL *, int *, void *); -NOEXPORT int matches_wildcard(char *, char *); +NOEXPORT int matches_wildcard(const char *, const char *); #endif /* DH/ECDH */ @@ -92,6 +92,8 @@ /* session callbacks */ NOEXPORT int sess_new_cb(SSL *, SSL_SESSION *); +NOEXPORT void new_chain(CLI *); +NOEXPORT void session_cache_save(CLI *, SSL_SESSION *); NOEXPORT SSL_SESSION *sess_get_cb(SSL *, #if OPENSSL_VERSION_NUMBER>=0x10100000L const 
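Review bot: In cron_dh_param the loop that now runs under `LOCK_SECTIONS` calls `SSL_CTX_set_tmp_dh(opt->ctx, dh);` without checking the result. "DH parameters updated" is therefore logged even when a section did not take the fresh parameters and keeps serving the old ones. Report the failure per section, for example `if(!SSL_CTX_set_tmp_dh(opt->ctx, dh)) sslerror("SSL_CTX_set_tmp_dh");`, so an operator can see which service is still on stale DH parameters. The function begins outside this hunk.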
@@ -124,10 +126,29 @@ int context_init(SERVICE_OPTIONS *section) { /* init TLS context */ /* create TLS context */ +#if OPENSSL_VERSION_NUMBER>=0x10100000L + if(section->option.client) + section->ctx=SSL_CTX_new(TLS_client_method()); + else /* server mode */ + section->ctx=SSL_CTX_new(TLS_server_method()); + if(!SSL_CTX_set_min_proto_version(section->ctx, + section->min_proto_version)) { + s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", + section->min_proto_version); + return 1; /* FAILED */ + } + if(!SSL_CTX_set_max_proto_version(section->ctx, + section->max_proto_version)) { + s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", + section->max_proto_version); + return 1; /* FAILED */ + } +#else /* OPENSSL_VERSION_NUMBER<0x10100000L */ if(section->option.client) section->ctx=SSL_CTX_new(section->client_method); else /* server mode */ section->ctx=SSL_CTX_new(section->server_method); +#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ if(!section->ctx) { sslerror("SSL_CTX_new"); return 1; /* FAILED */ 
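Review bot: In the OpenSSL 1.1.0+ branch of context_init, `section->ctx` is passed to SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() before the `if(!section->ctx)` check that follows the `#endif`, so a failed SSL_CTX_new() reaches those calls with a NULL context. Depending on how the library treats NULL there, the result is either a crash or a misleading "Failed to set the minimum protocol version" log instead of the SSL_CTX_new error. Move the existing check up so it runs directly after SSL_CTX_new() in both branches: `if(!section->ctx) { sslerror("SSL_CTX_new"); return 1; }`. context_init continues past the end of the hunk.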
@@ -148,19 +169,29 @@ } } - /* options */ + /* TLS options: configure the stunnel defaults first */ + SSL_CTX_set_options(section->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); +#ifdef SSL_OP_NO_COMPRESSION + /* we implemented a better way to disable compression if needed */ + SSL_CTX_clear_options(section->ctx, SSL_OP_NO_COMPRESSION); +#endif /* SSL_OP_NO_COMPRESSION */ + + /* TLS options: configure the user-specified values */ SSL_CTX_set_options(section->ctx, (SSL_OPTIONS_TYPE)(section->ssl_options_set)); #if OPENSSL_VERSION_NUMBER>=0x009080dfL SSL_CTX_clear_options(section->ctx, (SSL_OPTIONS_TYPE)(section->ssl_options_clear)); +#endif /* OpenSSL 0.9.8m or later */ + + /* TLS options: log the configured values */ +#if OPENSSL_VERSION_NUMBER>=0x009080dfL s_log(LOG_DEBUG, "TLS options: 0x%08lX (+0x%08lX, -0x%08lX)", SSL_CTX_get_options(section->ctx), section->ssl_options_set, section->ssl_options_clear); #else /* OpenSSL older than 0.9.8m */ s_log(LOG_DEBUG, "TLS options: 0x%08lX (+0x%08lX)", - SSL_CTX_get_options(section->ctx), - section->ssl_options_set); + SSL_CTX_get_options(section->ctx), section->ssl_options_set); #endif /* OpenSSL 0.9.8m or later */ /* initialize OpenSSL CONF options */ @@ -190,6 +221,8 @@ return 1; /* FAILED */ } } + SSL_CTX_set_session_cache_mode(section->ctx, + SSL_SESS_CACHE_BOTH | SSL_SESS_CACHE_NO_INTERNAL_STORE); SSL_CTX_sess_set_cache_size(section->ctx, section->session_size); SSL_CTX_set_timeout(section->ctx, section->session_timeout); SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb); @@ -210,7 +243,6 @@ /* initialize the DH/ECDH key agreement in the server mode */ if(!section->option.client) { #ifndef OPENSSL_NO_TLSEXT - SSL_CTX_set_tlsext_servername_arg(section->ctx, section); SSL_CTX_set_tlsext_servername_callback(section->ctx, servername_cb); #endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_DH 
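Review bot: The comment on `SSL_CTX_clear_options(section->ctx, SSL_OP_NO_COMPRESSION)` says compression is disabled "a better way" but does not name where, so a reader of context_init cannot confirm from here that TLS compression stays off by default once this option bit is cleared. Name the mechanism in the comment, for example `/* compression is disabled in <where compression is actually disabled>, not through this option bit */` with the placeholder filled in. It would also help to state that the user-specified set/clear masks are applied after the defaults, so a configuration can still clear `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3`. The enclosing function starts and ends outside the hunk.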
@@ -229,17 +261,16 @@ #ifndef OPENSSL_NO_TLSEXT NOEXPORT int servername_cb(SSL *ssl, int *ad, void *arg) { - SERVICE_OPTIONS *section=(SERVICE_OPTIONS *)arg; const char *servername=SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); + CLI *c=SSL_get_ex_data(ssl, index_ssl_cli); SERVERNAME_LIST *list; - CLI *c; -#ifdef USE_LIBWRAP - char *accepted_address; -#endif /* USE_LIBWRAP */ /* leave the alert type at SSL_AD_UNRECOGNIZED_NAME */ (void)ad; /* squash the unused parameter warning */ - if(!section->servername_list_head) { + (void)arg; /* squash the unused parameter warning */ + + /* handle trivial cases first */ + if(!c->opt->servername_list_head) { s_log(LOG_DEBUG, "SNI: no virtual services defined"); return SSL_TLSEXT_ERR_OK; } 
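Review bot: servername_cb now takes the section from `c->opt`, but `c` comes from `SSL_get_ex_data(ssl, index_ssl_cli)` and is dereferenced at `if(!c->opt->servername_list_head)` without a NULL check, whereas the info callback later in ctx.c tests `if(c)` after the same lookup. If the ex_data slot can be unset when this callback fires (not visible here), that is a NULL dereference during a handshake. A guard before the first use would cover it and fail closed: `if(!c) return SSL_TLSEXT_ERR_ALERT_FATAL;`. The function continues in the next hunk.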
@@ -247,26 +278,31 @@ s_log(LOG_NOTICE, "SNI: no servername received"); return SSL_TLSEXT_ERR_NOACK; } + + /* find a matching section */ s_log(LOG_INFO, "SNI: requested servername: %s", servername); + for(list=c->opt->servername_list_head; list; list=list->next) + if(matches_wildcard(servername, list->servername)) + break; + if(!list) { + s_log(LOG_ERR, "SNI: no pattern matched servername: %s", servername); + return SSL_TLSEXT_ERR_OK; + } + s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername); - for(list=section->servername_list_head; list; list=list->next) - if(matches_wildcard((char *)servername, list->servername)) { - s_log(LOG_DEBUG, "SNI: matched pattern: %s", list->servername); - c=SSL_get_ex_data(ssl, index_ssl_cli); - c->opt=list->opt; - SSL_set_SSL_CTX(ssl, c->opt->ctx); - SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx), - SSL_CTX_get_verify_callback(c->opt->ctx)); - s_log(LOG_NOTICE, "SNI: switched to service [%s]", - c->opt->servname); + /* switch to the new section */ +#ifndef USE_FORK + service_up_ref(list->opt); + service_free(c->opt); +#endif + c->opt=list->opt; + SSL_set_SSL_CTX(ssl, c->opt->ctx); + SSL_set_verify(ssl, SSL_CTX_get_verify_mode(c->opt->ctx), + SSL_CTX_get_verify_callback(c->opt->ctx)); + s_log(LOG_NOTICE, "SNI: switched to service [%s]", c->opt->servname); #ifdef USE_LIBWRAP - accepted_address=s_ntop(&c->peer_addr, c->peer_addr_len); - libwrap_auth(c, accepted_address); /* retry on a service switch */ - str_free(accepted_address); + libwrap_auth(c); /* retry on a service switch */ #endif /* USE_LIBWRAP */ - return SSL_TLSEXT_ERR_OK; - } - s_log(LOG_ERR, "SNI: no pattern matched servername: %s", servername); return SSL_TLSEXT_ERR_OK; } /* TLSEXT callback return codes: 
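Review bot: The new `if(!list)` branch logs at LOG_ERR and then returns SSL_TLSEXT_ERR_OK without changing `c->opt`, so a client whose servername matches no pattern continues the handshake on the section it connected to. The error-level log next to an OK return is easy to misread as a rejection. A comment would make the policy explicit, e.g. `/* no match: keep the current section, do not abort the handshake */`. The `#ifndef USE_FORK` guard around service_up_ref()/service_free() also deserves a one-line reason. servername_cb starts in the previous hunk.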
@@ -275,18 +311,17 @@ * - SSL_TLSEXT_ERR_ALERT_FATAL * - SSL_TLSEXT_ERR_NOACK */ -NOEXPORT int matches_wildcard(char *servername, char *pattern) { - ssize_t diff; - +NOEXPORT int matches_wildcard(const char *servername, const char *pattern) { if(!servername || !pattern) return 0; if(*pattern=='*') { /* wildcard comparison */ - diff=(ssize_t)strlen(servername)-(ssize_t)strlen(++pattern); + ssize_t diff=(ssize_t)strlen(servername)-((ssize_t)strlen(pattern)-1); if(diff<0) /* pattern longer than servername */ return 0; - servername+=diff; + return !strcasecmp(servername+diff, pattern+1); + } else { /* string comparison */ + return !strcasecmp(servername, pattern); } - return !strcasecmp(servername, pattern); } #endif /* OPENSSL_NO_TLSEXT */ @@ -307,8 +342,9 @@ char description[128]; STACK_OF(SSL_CIPHER) *ciphers; + section->option.dh_temp_params=0; /* disable by default */ + /* check if DH is actually enabled for this section */ - section->option.dh_needed=0; ciphers=SSL_CTX_get_ciphers(section->ctx); if(!ciphers) return 1; /* ERROR (unlikely) */ @@ -319,12 +355,15 @@ description, sizeof description); /* s_log(LOG_INFO, "Ciphersuite: %s", description); */ if(strstr(description, " Kx=DH")) { - section->option.dh_needed=1; /* update this context */ + s_log(LOG_INFO, "DH initialization needed for %s", + SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciphers, i))); break; } } - if(!section->option.dh_needed) /* no DH ciphers found */ + if(i==n) { /* no DH ciphers found */ + s_log(LOG_INFO, "DH initialization not needed"); return 0; /* OK */ + } s_log(LOG_DEBUG, "DH initialization"); #ifndef OPENSSL_NO_ENGINE 
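Review bot: matches_wildcard has no comment describing what a leading `*` matches. The code does a case-insensitive suffix comparison of everything after the `*`, so the wildcard is not limited to a single DNS label, and a pattern with no dot after the `*` also matches names that merely end in the same characters. Since this decides which section, and with it which certificate and verify settings, an SNI client is switched to, document it above the function, e.g. `/* a leading '*' matches any prefix, dots included: "*.example.com" also matches "a.b.example.com" */`.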
@@ -337,11 +376,11 @@ DH_free(dh); return 0; /* OK */ } - stunnel_read_lock(&stunnel_locks[LOCK_DH]); + CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_DH]); SSL_CTX_set_tmp_dh(section->ctx, dh_params); - stunnel_read_unlock(&stunnel_locks[LOCK_DH]); - dh_needed=1; /* generate temporary DH parameters in cron */ - section->option.dh_needed=1; /* update this context */ + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_DH]); + dh_temp_params=1; /* generate temporary DH parameters in cron */ + section->option.dh_temp_params=1; /* update this section in cron */ s_log(LOG_INFO, "Using dynamic DH parameters"); return 0; /* OK */ } @@ -561,33 +600,21 @@ unsigned char *psk, unsigned max_psk_len) { CLI *c; PSK_KEYS *found; - size_t len; c=SSL_get_ex_data(ssl, index_ssl_cli); found=psk_find(&c->opt->psk_sorted, identity); - if(found) { - len=found->key_len; - } else { - s_log(LOG_ERR, "No key found for PSK identity \"%s\"", identity); - len=0; - } - if(len>max_psk_len) { - s_log(LOG_ERR, "PSK too long (%lu>%d bytes)", - (long unsigned)len, max_psk_len); - len=0; + if(!found) { + s_log(LOG_INFO, "PSK identity not found (session resumption?)"); + return 0; } - if(len) { - memcpy(psk, found->key_val, len); - s_log(LOG_NOTICE, "Key configured for PSK identity \"%s\"", identity); - } else { /* block identity probes if possible */ - if(max_psk_len>=32 && RAND_bytes(psk, 32)>0) { - len=32; /* 256 random bits */ - s_log(LOG_ERR, "Configured random PSK"); - } else { - s_log(LOG_ERR, "Rejecting with unknown_psk_identity alert"); - } + if(found->key_len>max_psk_len) { + s_log(LOG_ERR, "PSK too long (%u>%u)", found->key_len, max_psk_len); + return 0; } - return (unsigned)len; + memcpy(psk, found->key_val, found->key_len); + s_log(LOG_NOTICE, "Key configured for PSK identity \"%s\"", identity); + c->flag.psk=1; + return found->key_len; } NOEXPORT int psk_compar(const void *a, const void *b) { 
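Review bot: In psk_server_cb the `if(!found)` path now returns 0 straight away, while the removed code substituted a random 32-byte key under the comment "block identity probes if possible"; with the early return a peer can again tell configured identities from unknown ones by how the handshake fails. If this is the intended trade-off for TLS 1.3 session resumption, as the new log text suggests, record it in a comment at the return, e.g. `/* unknown identity: reject; identity probing is no longer masked */`. Separately, `"PSK too long (%u>%u)"` prints `found->key_len` with `%u`, where the old code cast the length to `long unsigned`. The field's type is not visible here, so confirm it is `unsigned` or keep a cast. The function signature starts outside the hunk.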
@@ -608,7 +635,7 @@ ++table->num; s_log(LOG_INFO, "PSK identities: %lu retrieved", (long unsigned)table->num); - table->val=str_alloc(table->num*sizeof(PSK_KEYS *)); + table->val=str_alloc_detached(table->num*sizeof(PSK_KEYS *)); for(curr=head, i=0; inum; ++i) { table->val[i]=curr; curr=curr->next; 
@@ -901,11 +928,116 @@ s_log(LOG_DEBUG, "New session callback"); c=SSL_get_ex_data(ssl, index_ssl_cli); + + new_chain(c); /* new session -> we may have a new peer certificate chain */ + + if(c->opt->option.client) + session_cache_save(c, sess); + else /* SSL_SESS_CACHE_NO_INTERNAL_STORE prevented automatic caching */ + SSL_CTX_add_session(SSL_get_SSL_CTX(ssl), sess); if(c->opt->option.sessiond) cache_new(ssl, sess); + + print_session_id(sess); + return 0; /* the OpenSSL's manual is really bad -> use the source here */ } +#if OPENSSL_VERSION_NUMBER<0x0090800fL +NOEXPORT const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, + unsigned int *len) { + if(len) + *len=s->session_id_length; + return (const unsigned char *)s->session_id; +} +#endif + +void print_session_id(SSL_SESSION *sess) { + const unsigned char *session_id; + unsigned int session_id_length; + char session_id_txt[2*SSL_MAX_SSL_SESSION_ID_LENGTH+1]; + + session_id=SSL_SESSION_get_id(sess, &session_id_length); + bin2hexstring(session_id, session_id_length, + session_id_txt, sizeof session_id_txt); + s_log(LOG_INFO, "Session id: %s", session_id_txt); +} + +NOEXPORT void new_chain(CLI *c) { + BIO *bio; + int i, len; + X509 *peer_cert; + STACK_OF(X509) *sk; + char *chain; + + if(c->opt->chain) /* already cached */ + return; /* this race condition is safe to ignore */ + bio=BIO_new(BIO_s_mem()); + if(!bio) + return; + sk=SSL_get_peer_cert_chain(c->ssl); + for(i=0; sk && iopt->option.client) { + peer_cert=SSL_get_peer_certificate(c->ssl); + if(peer_cert) { + PEM_write_bio_X509(bio, peer_cert); + X509_free(peer_cert); + } + } + len=BIO_pending(bio); + if(len<=0) { + s_log(LOG_INFO, "No peer certificate received"); + BIO_free(bio); + return; + } + /* prevent automatic deallocation of the cached value */ + chain=str_alloc_detached((size_t)len+1); + len=BIO_read(bio, chain, len); + if(len<0) { + s_log(LOG_ERR, "BIO_read failed"); + BIO_free(bio); + str_free(chain); + return; + } + chain[len]='\0'; + 
BIO_free(bio); + c->opt->chain=chain; /* this race condition is safe to ignore */ + ui_new_chain(c->opt->section_number); + s_log(LOG_DEBUG, "Peer certificate was cached (%d bytes)", len); +} + +/* cache client sessions */ +NOEXPORT void session_cache_save(CLI *c, SSL_SESSION *sess) { + SSL_SESSION *old; + +#if OPENSSL_VERSION_NUMBER>=0x10100000L + SSL_SESSION_up_ref(sess); +#else + sess=SSL_get1_session(c->ssl); +#endif + + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_SESSION]); + if(c->opt->option.delayed_lookup) { + old=c->opt->session; + c->opt->session=sess; + } else { /* per-destination client cache */ + if(c->opt->connect_session) { + old=c->opt->connect_session[c->idx]; + c->opt->connect_session[c->idx]=sess; + } else { + s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized client session cache"); + old=NULL; + } + } + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SESSION]); + + if(old) + SSL_SESSION_free(old); +} + NOEXPORT SSL_SESSION *sess_get_cb(SSL *ssl, #if OPENSSL_VERSION_NUMBER>=0x10100000L const @@ -948,12 +1080,7 @@ val_tmp=val=str_alloc((size_t)val_len); i2d_SSL_SESSION(sess, &val_tmp); -#if OPENSSL_VERSION_NUMBER>=0x0090800fL session_id=SSL_SESSION_get_id(sess, &session_id_length); -#else - session_id=(const unsigned char *)sess->session_id; - session_id_length=sess->session_id_length; -#endif cache_transfer(SSL_get_SSL_CTX(ssl), CACHE_CMD_NEW, SSL_SESSION_get_timeout(sess), session_id, session_id_length, val, (size_t)val_len, NULL, NULL); @@ -972,9 +1099,9 @@ return NULL; val_tmp=val; sess=d2i_SSL_SESSION(NULL, -#if OPENSSL_VERSION_NUMBER>=0x0090800fL +#if OPENSSL_VERSION_NUMBER>=0x0090707fL (const unsigned char **) -#endif /* OpenSSL version >= 0.8.0 */ +#endif /* OpenSSL version >= 0.9.7g */ &val_tmp, (long)val_len); str_free(val); return sess; 
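Review bot: In session_cache_save the reference taken by `SSL_SESSION_up_ref(sess)` (or `SSL_get1_session()`) is never released on the "INTERNAL ERROR: Uninitialized client session cache" path: `old=NULL` is set, `sess` is stored nowhere, and only `old` is freed after the unlock. Setting `old=sess; /* drop the reference taken above */` in that branch lets the existing `SSL_SESSION_free(old)` release it. In new_chain the two "this race condition is safe to ignore" comments would be clearer if they named the worst case. From the code it looks like one detached chain buffer being overwritten and leaked, which should be confirmed.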
@@ -984,12 +1111,7 @@ const unsigned char *session_id; unsigned int session_id_length; -#if OPENSSL_VERSION_NUMBER>=0x0090800fL session_id=SSL_SESSION_get_id(sess, &session_id_length); -#else - session_id=(const unsigned char *)sess->session_id; - session_id_length=sess->session_id_length; -#endif cache_transfer(ctx, CACHE_CMD_REMOVE, 0, session_id, session_id_length, NULL, 0, NULL, NULL); } @@ -1008,9 +1130,7 @@ const u_char *val, const size_t val_len, unsigned char **ret, size_t *ret_len) { char session_id_txt[2*SSL_MAX_SSL_SESSION_ID_LENGTH+1]; - const char hex[16]="0123456789ABCDEF"; const char *type_description[]={"new", "get", "remove"}; - unsigned i; SOCKET s; ssize_t len; struct timeval t; @@ -1021,11 +1141,7 @@ *ret=NULL; /* log the request information */ - for(i=0; i>4]; - session_id_txt[2*i+1]=hex[key[i]&0x0f]; - } - session_id_txt[2*i]='\0'; + bin2hexstring(key, key_len, session_id_txt, sizeof session_id_txt); s_log(LOG_INFO, "cache_transfer: request=%s, timeout=%ld, id=%s, length=%lu", type_description[type], timeout, session_id_txt, (long unsigned)val_len); @@ -1131,7 +1247,11 @@ c=SSL_get_ex_data((SSL *)ssl, index_ssl_cli); if(c) { +#if OPENSSL_VERSION_NUMBER>=0x10100000L + OSSL_HANDSHAKE_STATE state=SSL_get_state(ssl); +#else int state=SSL_get_state((SSL *)ssl); +#endif #if 0 s_log(LOG_DEBUG, "state = %x", state); 
@@ -1143,13 +1263,13 @@ #else if(state==SSL3_ST_CR_CERT_REQ_A) #endif - print_client_CA_list(SSL_get_client_CA_list(ssl)); + print_client_CA_list(SSL_get_client_CA_list((SSL *)ssl)); #ifndef SSL3_ST_CR_SRVR_DONE_A if(state==TLS_ST_CR_SRVR_DONE) #else if(state==SSL3_ST_CR_SRVR_DONE_A) #endif - if(!SSL_get_client_CA_list(ssl)) + if(!SSL_get_client_CA_list((SSL *)ssl)) s_log(LOG_INFO, "Client certificate not requested"); /* prevent renegotiation DoS attack */ diff -Nru stunnel4-5.44/src/dhparam.c stunnel4-5.50/src/dhparam.c --- stunnel4-5.44/src/dhparam.c 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/src/dhparam.c 2018-10-09 14:37:38.000000000 +0000 
@@ -8,32 +8,32 @@ DH *get_dh2048() { static unsigned char dhp_2048[] = { - 0xEF, 0xED, 0x5C, 0xA2, 0x8E, 0x37, 0xD8, 0xF4, 0xD1, 0xE9, - 0x85, 0x06, 0x79, 0x0E, 0xC0, 0xBC, 0xD2, 0xF3, 0xBC, 0x26, - 0xAE, 0x63, 0xB9, 0x06, 0xDF, 0x16, 0xDB, 0xE5, 0x76, 0x76, - 0xD5, 0xBC, 0x4F, 0xC1, 0x55, 0x28, 0xC9, 0x7A, 0xC8, 0xD6, - 0x1E, 0xB0, 0x5D, 0x85, 0x12, 0x39, 0x62, 0x06, 0x9D, 0x99, - 0x4D, 0xCF, 0x79, 0x27, 0x94, 0xB6, 0xE1, 0xC2, 0x92, 0x06, - 0xA3, 0xCF, 0x10, 0x25, 0xC4, 0x3D, 0x01, 0xD2, 0x34, 0x0C, - 0x1F, 0xB2, 0xA3, 0x0D, 0xA8, 0xDC, 0xB6, 0x5F, 0xDB, 0x8C, - 0xF6, 0x73, 0xC2, 0x07, 0x70, 0x4D, 0x01, 0x85, 0xE8, 0x49, - 0xBC, 0xC1, 0x80, 0x6C, 0x77, 0x71, 0xFF, 0x5D, 0x25, 0x2F, - 0x64, 0x5F, 0x0D, 0x33, 0xB3, 0x43, 0x24, 0xC0, 0xFC, 0xB3, - 0x94, 0xEA, 0xF2, 0xB7, 0x24, 0x08, 0x12, 0x74, 0x9D, 0xEA, - 0x20, 0x31, 0xD7, 0x0C, 0x0A, 0x84, 0x37, 0xCF, 0x34, 0x56, - 0x85, 0xFB, 0xF4, 0x7C, 0xF4, 0x4E, 0x67, 0x0E, 0x63, 0xB2, - 0x49, 0xAF, 0xA6, 0x43, 0xD3, 0x6E, 0x60, 0xA9, 0x96, 0xD6, - 0xE8, 0x63, 0x7E, 0x23, 0x39, 0x91, 0xE1, 0xF6, 0xC3, 0x8B, - 0x60, 0x92, 0x73, 0xB9, 0x5A, 0x69, 0xDF, 0x8A, 0xD4, 0x0E, - 0x1C, 0x95, 0x82, 0x59, 0xE4, 0x3B, 0xA8, 0xAC, 0x46, 0x47, - 0xE2, 0xFE, 0x98, 0xD7, 0xC2, 0xD4, 0xC6, 0x0A, 0xC5, 0x23, - 0x98, 0xCA, 0x0C, 0x5A, 0x82, 0xE1, 0x17, 0xC8, 0xA4, 0x5C, - 0x43, 0x2A, 0xE5, 0x5B, 0x20, 0x7C, 0x36, 0x90, 0x71, 0xB6, - 0x02, 0x55, 0xF5, 0x26, 0x13, 0xCF, 0xB3, 0x4C, 0xB7, 0x89, - 0x57, 0xC8, 0x27, 0x28, 0x72, 0x04, 0xF1, 0x78, 0x4B, 0xFF, - 0xB3, 0x78, 0x60, 0x79, 0xEF, 0xDD, 0xDE, 0x34, 0x88, 0xE2, - 0x00, 0x13, 0xED, 0x4B, 0x9F, 0xE7, 0x71, 0xBA, 0x68, 0xF6, - 0xD2, 0x9E, 0xF3, 0x3B, 0x2D, 0x2B + 0x96, 0xB4, 0xED, 0x78, 0xAF, 0xD4, 0xDD, 0xBF, 0x55, 0xDB, + 0xAD, 0x85, 0xA0, 0x5C, 0x22, 0xC3, 0x8C, 0x14, 0x79, 0xE5, + 0x0A, 0xB1, 0x48, 0xAC, 0x22, 0x77, 0xDA, 0x86, 0x57, 0xCF, + 0x3C, 0xEC, 0x12, 0xD2, 0x28, 0x41, 0x7A, 0xCD, 0xD0, 0x55, + 0x1B, 0x80, 0xEB, 0x9E, 0x60, 0xFA, 0x36, 0x7B, 0xB0, 0x33, + 0x2A, 0xD3, 0x32, 0xD3, 
0x19, 0xB6, 0x51, 0x26, 0x4C, 0x6F, + 0x62, 0xE5, 0x90, 0x32, 0x75, 0xEB, 0x85, 0x6E, 0x4E, 0x0A, + 0xC5, 0x1E, 0x16, 0x73, 0x00, 0xB0, 0xB3, 0x46, 0xCA, 0x9D, + 0xD9, 0xD2, 0x72, 0x43, 0xBB, 0xDB, 0xED, 0x82, 0xDF, 0xD7, + 0x6E, 0x61, 0x65, 0x62, 0x73, 0x27, 0x0E, 0xD6, 0x92, 0x4E, + 0x7F, 0x11, 0x7A, 0xDE, 0x8E, 0x3A, 0xB6, 0x5C, 0x67, 0x73, + 0xD0, 0x5D, 0xC6, 0xC8, 0x86, 0x01, 0xAA, 0x93, 0x19, 0x7E, + 0x59, 0xDE, 0xEB, 0x51, 0x83, 0x10, 0x76, 0x46, 0x50, 0x60, + 0xEE, 0xBD, 0x6F, 0xB3, 0x6F, 0x6A, 0x0D, 0x9C, 0x4E, 0x4D, + 0xB8, 0x51, 0x89, 0x8D, 0x4C, 0x15, 0xCD, 0x91, 0x01, 0x13, + 0x3C, 0x79, 0x57, 0x0A, 0x17, 0x33, 0x68, 0x85, 0x71, 0xA3, + 0xF9, 0x7C, 0x22, 0x91, 0x7E, 0x75, 0xB1, 0x7B, 0x60, 0x33, + 0x84, 0xFB, 0xB2, 0x42, 0x4D, 0x51, 0x6F, 0x2C, 0x41, 0xD6, + 0xC4, 0x5E, 0x3A, 0xFF, 0x49, 0x93, 0x8A, 0xEE, 0xCC, 0x2A, + 0xCB, 0x0F, 0x1C, 0x17, 0x85, 0x57, 0x2F, 0x65, 0xC3, 0x54, + 0x1F, 0xE0, 0x98, 0x1C, 0x2F, 0x3D, 0x67, 0xA1, 0x53, 0x67, + 0xD7, 0xFC, 0xAC, 0x31, 0x68, 0xBF, 0x43, 0x71, 0xA7, 0xBF, + 0xE5, 0x1F, 0x9D, 0xD9, 0x72, 0x74, 0xD6, 0x92, 0x1D, 0x36, + 0x1B, 0xBC, 0x49, 0x09, 0x84, 0x06, 0xC8, 0x4B, 0xD9, 0xB7, + 0x17, 0xF3, 0x2F, 0x82, 0x9F, 0x3F, 0x50, 0x51, 0x34, 0x25, + 0x84, 0x1A, 0xC5, 0x75, 0x1C, 0x93 }; static unsigned char dhg_2048[] = { 0x02 @@ -43,8 +43,8 @@ if (dh == NULL) return NULL; - dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); - dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); + dhp_bn = BN_bin2bn(dhp_2048, sizeof(dhp_2048), NULL); + dhg_bn = BN_bin2bn(dhg_2048, sizeof(dhg_2048), NULL); if (dhp_bn == NULL || dhg_bn == NULL || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { DH_free(dh); diff -Nru stunnel4-5.44/src/env.c stunnel4-5.50/src/env.c --- stunnel4-5.44/src/env.c 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/env.c 2018-04-06 14:25:10.000000000 +0000 
@@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff -Nru stunnel4-5.44/src/evc.mak stunnel4-5.50/src/evc.mak --- stunnel4-5.44/src/evc.mak 2015-05-23 16:55:47.000000000 +0000 +++ stunnel4-5.50/src/evc.mak 2018-04-06 14:25:10.000000000 +0000 @@ -1,4 +1,4 @@ -# wce.mak for stunnel.exe by Michal Trojnara 2006-2012 +# wce.mak for stunnel.exe by Michal Trojnara 1998-2018 # with help of Pierre Delaage # pdelaage 20140610 : added UNICODE optional FLAG, always ACTIVE on WCE because of poor ANSI support # pdelaage 20140610 : added _WIN32_WCE flag for RC compilation, to preprocess out "HELP" unsupported menu flag on WCE diff -Nru stunnel4-5.44/src/fd.c stunnel4-5.50/src/fd.c --- stunnel4-5.44/src/fd.c 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/fd.c 2018-07-02 21:30:10.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -89,8 +89,8 @@ max_fds=16; if(max_fds) { - max_clients=(long)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2); - s_log(LOG_DEBUG, "Clients allowed=%ld", max_clients); + max_clients=(int)(max_fds>=256 ? max_fds*125/256 : (max_fds-6)/2); + s_log(LOG_DEBUG, "Clients allowed=%d", max_clients); } else { max_clients=0; s_log(LOG_DEBUG, "No limit detected for the number of clients"); 
@@ -197,8 +197,8 @@ } #ifndef USE_FORK if(max_fds && fd>=max_fds) { - s_log(LOG_ERR, "%s: FD=%d out of range (max %d)", - msg, (int)fd, (int)max_fds); + s_log(LOG_ERR, "%s: FD=%ld out of range (max %d)", + msg, (long)fd, (int)max_fds); closesocket(fd); return INVALID_SOCKET; } @@ -218,8 +218,8 @@ #endif /* USE_NEW_LINUX_API */ #ifdef DEBUG_FD_ALLOC - s_log(LOG_DEBUG, "%s: FD=%d allocated (%sblocking mode)", - msg, fd, nonblock?"non-":""); + s_log(LOG_DEBUG, "%s: FD=%ld allocated (%sblocking mode)", + msg, (long)fd, nonblock?"non-":""); #endif /* DEBUG_FD_ALLOC */ return fd; diff -Nru stunnel4-5.44/src/file.c stunnel4-5.50/src/file.c --- stunnel4-5.44/src/file.c 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/file.c 2018-04-06 14:25:10.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff -Nru stunnel4-5.44/src/libwrap.c stunnel4-5.50/src/libwrap.c --- stunnel4-5.44/src/libwrap.c 2017-08-17 09:18:53.000000000 +0000 +++ stunnel4-5.50/src/libwrap.c 2018-07-02 21:30:10.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -47,7 +47,7 @@ #define USE_LIBWRAP_POOL #endif /* USE_PTHREAD && !__CYGWIN__ */ -NOEXPORT int check(char *, int); +NOEXPORT uint8_t check(char *, int); int allow_severity=LOG_NOTICE, deny_severity=LOG_WARNING; @@ -68,7 +68,8 @@ int libwrap_init() { #ifdef USE_LIBWRAP_POOL unsigned i, j; - int rfd, result; + int rfd; + uint8_t result; char servname[SERVNAME_LEN]; static int initialized=0; SERVICE_OPTIONS *opt; 
@@ -104,7 +105,7 @@ if(read_fd(ipc_socket[2*i+1], servname, SERVNAME_LEN, &rfd)<=0) _exit(0); result=check(servname, rfd); - write(ipc_socket[2*i+1], (uint8_t *)&result, sizeof result); + write(ipc_socket[2*i+1], &result, sizeof result); if(rfd>=0) close(rfd); } @@ -120,9 +121,10 @@ #pragma GCC diagnostic pop #endif /* __GNUC__ */ -void libwrap_auth(CLI *c, char *accepted_address) { - int result=0; /* deny by default */ +void libwrap_auth(CLI *c) { + uint8_t result=0; /* deny by default */ #ifdef USE_LIBWRAP_POOL + jmp_buf exception_buffer, *exception_backup; static volatile unsigned num_busy=0, roundrobin=0; unsigned my_process; int retval; @@ -146,14 +148,12 @@ if(retval) { errno=retval; ioerror("pthread_mutex_lock"); - longjmp(c->err, 1); } while(num_busy==num_processes) { /* all child processes are busy */ retval=pthread_cond_wait(&cond, &mutex); if(retval) { errno=retval; ioerror("pthread_cond_wait"); - longjmp(c->err, 1); } } while(busy[roundrobin]) /* find a free child process */ @@ -165,21 +165,23 @@ if(retval) { errno=retval; ioerror("pthread_mutex_unlock"); - longjmp(c->err, 1); } s_log(LOG_DEBUG, "Acquired libwrap process #%d", my_process); - write_fd(ipc_socket[2*my_process], c->opt->servname, - strlen(c->opt->servname)+1, c->local_rfd.fd); - s_read(c, ipc_socket[2*my_process], - (uint8_t *)&result, sizeof result); + exception_backup=c->exception_pointer; + c->exception_pointer=&exception_buffer; + if(!setjmp(exception_buffer)) { + write_fd(ipc_socket[2*my_process], c->opt->servname, + strlen(c->opt->servname)+1, c->local_rfd.fd); + s_read(c, ipc_socket[2*my_process], &result, sizeof result); + } + c->exception_pointer=exception_backup; s_log(LOG_DEBUG, "Releasing libwrap process #%d", my_process); retval=pthread_mutex_lock(&mutex); if(retval) { errno=retval; ioerror("pthread_mutex_lock"); - longjmp(c->err, 1); } busy[my_process]=0; /* mark the child process as free */ --num_busy; /* the child process has been released */ 
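Review bot: With the `longjmp(c->err, 1)` lines removed in the hunk at @@ -146,14 +148,12 @@, a failure of pthread_mutex_lock(), pthread_cond_wait() or pthread_mutex_unlock() in libwrap_auth is only logged through ioerror() and execution continues, so `busy[]`, `num_busy` and `roundrobin` can be modified without the mutex held. The same pattern recurs in the next two hunks (@@ -165,21 +165,23 @@ and @@ -187,39 +189,37 @@). `result` still defaults to 0, so the access decision fails closed, but the pool bookkeeping can be corrupted. If bailing out is still wanted, `throw_exception(c, 1);` (used at the end of this function) would replace the removed calls; if continuing is deliberate, a comment at the first site should say why. The function body spans several hunks.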
@@ -187,39 +189,37 @@ if(retval) { errno=retval; ioerror("pthread_cond_signal"); - longjmp(c->err, 1); } retval=pthread_mutex_unlock(&mutex); if(retval) { errno=retval; ioerror("pthread_mutex_unlock"); - longjmp(c->err, 1); } s_log(LOG_DEBUG, "Released libwrap process #%d", my_process); } else #endif /* USE_LIBWRAP_POOL */ { /* use original, synchronous libwrap calls */ - stunnel_write_lock(&stunnel_locks[LOCK_LIBWRAP]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LIBWRAP]); result=check(c->opt->servname, c->local_rfd.fd); - stunnel_write_unlock(&stunnel_locks[LOCK_LIBWRAP]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LIBWRAP]); } if(!result) { s_log(LOG_WARNING, "Service [%s] REFUSED by libwrap from %s", - c->opt->servname, accepted_address); + c->opt->servname, c->accepted_address); s_log(LOG_DEBUG, "See hosts_access(5) manual for details"); - longjmp(c->err, 1); + throw_exception(c, 1); } s_log(LOG_DEBUG, "Service [%s] permitted by libwrap from %s", - c->opt->servname, accepted_address); + c->opt->servname, c->accepted_address); } -NOEXPORT int check(char *name, int fd) { +NOEXPORT uint8_t check(char *name, int fd) { struct request_info request; request_init(&request, RQ_DAEMON, name, RQ_FILE, fd, 0); fromhost(&request); - return hosts_access(&request); + return hosts_access(&request)!=0; } #ifdef USE_LIBWRAP_POOL diff -Nru stunnel4-5.44/src/log.c stunnel4-5.50/src/log.c --- stunnel4-5.44/src/log.c 2017-08-23 05:05:15.000000000 +0000 +++ stunnel4-5.50/src/log.c 2018-10-09 14:37:38.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -55,19 +55,25 @@ static int syslog_opened=0; -void syslog_open(void) { - syslog_close(); - if(global_options.option.log_syslog) +NOEXPORT void syslog_open(void) { + if(global_options.option.log_syslog) { + static char *servname=NULL; + char *servname_old; + + /* openlog(3) requires a persistent copy of the "ident" parameter */ + servname_old=servname; + servname=str_dup(service_options.servname); #ifdef __ultrix__ - openlog(service_options.servname, 0); + openlog(servname, 0); #else - openlog(service_options.servname, - LOG_CONS|LOG_NDELAY, global_options.log_facility); + openlog(servname, LOG_CONS|LOG_NDELAY, global_options.log_facility); #endif /* __ultrix__ */ + str_free(servname_old); + } syslog_opened=1; } -void syslog_close(void) { +NOEXPORT void syslog_close(void) { if(syslog_opened) { if(global_options.option.log_syslog) closelog(); @@ -77,7 +83,7 @@ #endif /* !defined(USE_WIN32) && !defined(__vms) */ -int log_open(void) { +NOEXPORT int outfile_open(void) { if(global_options.output_file) { /* 'output' option specified */ outfile=file_open(global_options.output_file, global_options.log_file_mode); 
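Review bot: In syslog_open the ident kept in the static `servname` is allocated with `str_dup()`, while new_chain in ctx.c uses `str_alloc_detached()` with the comment "prevent automatic deallocation of the cached value" for memory that must persist. If str_dup() memory is subject to that automatic deallocation, the pointer handed to openlog() can dangle once the allocating context goes away, which is the problem the new comment about a persistent "ident" copy is meant to solve. Consider detaching the copy, e.g. `str_detach(servname);` right after the str_dup() call (str_detach is already used in log_queue), or state in the comment why the allocation is persistent.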
@@ -100,19 +106,36 @@ return 1; } } - log_flush(LOG_MODE_CONFIGURED); return 0; } -void log_close(void) { - /* prevent changing the mode while logging */ - stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]); - log_mode=LOG_MODE_BUFFER; +NOEXPORT void outfile_close(void) { if(outfile) { file_close(outfile); outfile=NULL; } - stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]); +} + +int log_open(int sink) { +#if !defined(USE_WIN32) && !defined(__vms) + if(sink&SINK_SYSLOG) + syslog_open(); +#endif + if(sink&SINK_OUTFILE && outfile_open()) + return 1; + return 0; +} + +void log_close(int sink) { + /* prevent changing the mode while logging */ + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_MODE]); +#if !defined(USE_WIN32) && !defined(__vms) + if(sink&SINK_SYSLOG) + syslog_close(); +#endif + if(sink&SINK_OUTFILE) + outfile_close(); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LOG_MODE]); } void s_log(int level, const char *format, ...) { @@ -162,12 +185,12 @@ safestring(text); /* either log or queue for logging */ - stunnel_read_lock(&stunnel_locks[LOCK_LOG_MODE]); + CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_LOG_MODE]); if(log_mode==LOG_MODE_BUFFER) log_queue(tls_data->opt, level, stamp, id, text); else log_raw(tls_data->opt, level, stamp, id, text); - stunnel_read_unlock(&stunnel_locks[LOCK_LOG_MODE]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LOG_MODE]); } set_last_error(libc_error); 
@@ -191,32 +214,39 @@ str_detach(tmp->text); /* append the new element to the list */ - stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_BUFFER]); if(tail) tail->next=tmp; else head=tmp; tail=tmp; - stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]); + if(stunnel_locks[LOCK_LOG_BUFFER]) + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LOG_BUFFER]); } void log_flush(LOG_MODE new_mode) { - stunnel_write_lock(&stunnel_locks[LOCK_LOG_MODE]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_MODE]); + /* prevent changing LOG_MODE_CONFIGURED to LOG_MODE_ERROR * once stderr file descriptor is closed */ - if(log_mode!=LOG_MODE_CONFIGURED) + if(log_mode!=LOG_MODE_CONFIGURED || new_mode!=LOG_MODE_ERROR) log_mode=new_mode; - /* log_raw() will use the new value of log_mode */ - stunnel_write_lock(&stunnel_locks[LOCK_LOG_BUFFER]); - while(head) { - struct LIST *tmp=head; - head=head->next; - log_raw(tmp->opt, tmp->level, tmp->stamp, tmp->id, tmp->text); - str_free(tmp); - } - head=tail=NULL; - stunnel_write_unlock(&stunnel_locks[LOCK_LOG_BUFFER]); - stunnel_write_unlock(&stunnel_locks[LOCK_LOG_MODE]); + + /* emit the buffered logs (unless we just started buffering) */ + if(new_mode!=LOG_MODE_BUFFER) { + /* log_raw() will use the new value of log_mode */ + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_BUFFER]); + while(head) { + struct LIST *tmp=head; + head=head->next; + log_raw(tmp->opt, tmp->level, tmp->stamp, tmp->id, tmp->text); + str_free(tmp); + } + head=tail=NULL; + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LOG_BUFFER]); + } + + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LOG_MODE]); } NOEXPORT void log_raw(SERVICE_OPTIONS *opt, @@ -263,7 +293,7 @@ level<=opt->log_level #else (level<=opt->log_level && - global_options.option.log_stderr) + opt->option.log_stderr) #endif ) ui_new_log(line); 
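Review bot: In log_queue the unlock is guarded by `if(stunnel_locks[LOCK_LOG_BUFFER])` but the matching `CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_BUFFER])` a few lines above is unconditional. If the lock can be NULL here, presumably when messages are queued before the locks are created, the lock call needs the same guard or a comment that the wrapper accepts NULL. If it cannot be NULL, the guard on the unlock is dead code. Either way the pair should be symmetric, e.g. `if(stunnel_locks[LOCK_LOG_BUFFER]) CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LOG_BUFFER]);`. log_queue starts outside the hunk.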
@@ -272,7 +302,9 @@ } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ #pragma GCC diagnostic ignored "-Wformat" #pragma GCC diagnostic ignored "-Wformat-extra-args" #endif /* __GNUC__ */ @@ -314,14 +346,18 @@ return str_dup("error"); } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ /* critical problem handling */ /* str.c functions are not safe to use here */ #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || defined(__clang__) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wunused-result" +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ void fatal_debug(char *txt, const char *file, int line) { char msg[80]; @@ -372,7 +408,9 @@ abort(); } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ void ioerror(const char *txt) { /* input/output error */ @@ -507,4 +545,17 @@ *c='.'; } +/* provide hex string corresponding to the input string + * will be NULL terminated */ +void bin2hexstring(const unsigned char *in_data, size_t in_size, char *out_data, size_t out_size) { + const char hex[16]="0123456789ABCDEF"; + size_t i; + + for(i=0; i>4]; + out_data[2*i+1]=hex[in_data[i]&0x0f]; + } + out_data[2*i]='\0'; +} + /* end of log.c */ diff -Nru stunnel4-5.44/src/Makefile.am stunnel4-5.50/src/Makefile.am --- stunnel4-5.44/src/Makefile.am 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/src/Makefile.am 2018-10-09 14:37:38.000000000 +0000 @@ -1,5 +1,5 @@ ## Process this file with automake to produce Makefile.in -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 ############################################################################### # File lists # 
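Review bot: The guard added before fatal_debug (hunk @@ -314,14 +346,18 @@) includes `|| defined(__clang__)` for `#pragma GCC diagnostic push`, but the guard around the matching `#pragma GCC diagnostic pop` in the hunk at @@ -372,7 +408,9 @@ does not. A clang build that reports a GCC version below 4.6 therefore pushes without popping and leaves -Wunused-result ignored for the rest of log.c. Use the same condition on both sides: `#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || defined(__clang__)`. In the earlier pair around the -Wformat pragmas the two `ignored` lines sit outside the version guard, so on older GCC they stay in effect to the end of the file; a comment noting that this is accepted would help.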
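Review bot: The comment above bin2hexstring does not state the buffer contract, and the callers in ctx.c rely on it: they pass `char session_id_txt[2*SSL_MAX_SSL_SESSION_ID_LENGTH+1]` together with a length taken from the session or the cache key. The final `out_data[2*i]='\0'` is only in bounds if the loop stops while `2*i < out_size`. The loop condition is not legible in this rendering of the hunk, so confirm that it bounds `i` by both `in_size` and `out_size` and that `out_size==0` is handled. Suggested comment, to be adjusted to the actual behaviour: `/* writes at most out_size bytes including the terminating NUL; the input is truncated if out_data is too small */`.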
@@ -38,7 +38,7 @@ CLEANFILES = stunnel3 # Red Hat "by design" bug #82369 -stunnel_CPPFLAGS = -I/usr/kerberos/include +stunnel_CPPFLAGS = -I$(SYSROOT)/usr/kerberos/include # Additional preprocesor definitions stunnel_CPPFLAGS += -I$(SSLDIR)/include @@ -64,15 +64,12 @@ # Win32 executables # ############################################################################### -if AUTHOR_TESTS -# Just check if the programs can be built, don't perform any actual tests -#check-local: mingw mingw64 -endif - mingw: - $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw + $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_arch=win32 win32_targetcpu=i686 win32_mingw=mingw + mingw64: - $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64 + $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_arch=win64 win32_targetcpu=x86_64 win32_mingw=mingw64 + .PHONY: mingw mingw64 clean-local: diff -Nru stunnel4-5.44/src/Makefile.in stunnel4-5.50/src/Makefile.in --- stunnel4-5.44/src/Makefile.in 2017-11-14 14:07:50.000000000 +0000 +++ stunnel4-5.50/src/Makefile.in 2018-11-09 15:53:56.000000000 +0000 @@ -14,7 +14,7 @@ @SET_MAKE@ -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 ############################################################################### # File lists # @@ -381,8 +381,9 @@ # Red Hat "by design" bug #82369 # Additional preprocesor definitions -stunnel_CPPFLAGS = -I/usr/kerberos/include -I$(SSLDIR)/include \ - -DLIBDIR='"$(pkglibdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' +stunnel_CPPFLAGS = -I$(SYSROOT)/usr/kerberos/include \ + -I$(SSLDIR)/include -DLIBDIR='"$(pkglibdir)"' \ + -DCONFDIR='"$(sysconfdir)/stunnel"' # TLS library stunnel_LDFLAGS = -L$(SSLDIR)/lib64 -L$(SSLDIR)/lib -lssl -lcrypto 
@@ -1140,13 +1141,12 @@ # Win32 executables # ############################################################################### -# Just check if the programs can be built, don't perform any actual tests -#check-local: mingw mingw64 - mingw: - $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=i686 win32_mingw=mingw + $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_arch=win32 win32_targetcpu=i686 win32_mingw=mingw + mingw64: - $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_targetcpu=x86_64 win32_mingw=mingw64 + $(MAKE) -f $(srcdir)/mingw.mk srcdir=$(srcdir) win32_arch=win64 win32_targetcpu=x86_64 win32_mingw=mingw64 + .PHONY: mingw mingw64 clean-local: diff -Nru stunnel4-5.44/src/mingw.mak stunnel4-5.50/src/mingw.mak --- stunnel4-5.44/src/mingw.mak 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/mingw.mak 2018-04-06 14:25:10.000000000 +0000 @@ -1,4 +1,4 @@ -# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2017 +# Simple Makefile.w32 for stunnel.exe by Michal Trojnara 1998-2018 # # Modified by Brian Hatch (bri@stunnel.org) # 20101030 pdelaage: diff -Nru stunnel4-5.44/src/mingw.mk stunnel4-5.50/src/mingw.mk --- stunnel4-5.44/src/mingw.mk 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/mingw.mk 2018-11-28 21:03:38.000000000 +0000 
@@ -1,29 +1,35 @@ ## mingw/mingw64 Makefile -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 # 32-bit Windows +#win32_arch=win32 #win32_targetcpu=i686 #win32_mingw=mingw # 64-bit Windows +#win32_arch=win64 #win32_targetcpu=x86_64 #win32_mingw=mingw64 -bindir = ../bin/$(win32_mingw) -objdir = ../obj/$(win32_mingw) +bindir = ../bin/$(win32_arch) +objdir = ../obj/$(win32_arch) win32_ssl_dir = /opt/openssl-$(win32_mingw) win32_cppflags = -I$(win32_ssl_dir)/include -win32_cflags = -mthreads -fstack-protector -O2 +win32_cflags = -mthreads -O2 +#win32_cflags += -fstack-protector win32_cflags += -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion -Wno-long-long win32_cflags += -D_FORTIFY_SOURCE=2 -DUNICODE -D_UNICODE -win32_ldflags = -mthreads -fstack-protector -s +win32_ldflags = -s -mthreads +#win32_ldflags += -fstack-protector +# -fstack-protector is broken (at least in x86_64-w64-mingw32-gcc 8.2.0) win32_common_libs = -lws2_32 -lkernel32 win32_ssl_libs = -L$(win32_ssl_dir)/lib -lcrypto -lssl win32_gui_libs = $(win32_common_libs) -lgdi32 -lpsapi $(win32_ssl_libs) win32_cli_libs = $(win32_common_libs) $(win32_ssl_libs) +common_headers = common.h prototypes.h version.h win32_common = tls str file client log options protocol network resolver win32_common += ssl ctx verify sthreads fd dhparam cron stunnel win32_gui = ui_win_gui resources 
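Review bot: Commenting out `-fstack-protector` in `win32_cflags` and `win32_ldflags` drops stack canaries from every Windows build, while the explanatory comment names only x86_64-w64-mingw32-gcc 8.2.0. The remaining hardening in these flags is `-D_FORTIFY_SOURCE=2`, so the Windows binaries lose a compile-time mitigation against stack overflows. Keep the flag overridable rather than removed, e.g. `win32_ssp ?=` with `win32_cflags += $(win32_ssp)` and `win32_ldflags += $(win32_ssp)`, so toolchains where it works can enable it. The comment should also say what "broken" means (link failure or runtime fault) so the flag can be restored once the compiler is fixed.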
@@ -43,12 +49,20 @@ $(bindir)/stunnel.exe: $(win32_common_objs) $(win32_gui_objs) $(win32_cc) -mwindows $(win32_ldflags) -o $(bindir)/stunnel.exe $(win32_common_objs) $(win32_gui_objs) $(win32_gui_libs) + -$(srcdir)/../sign/sign.sh $(bindir)/stunnel.exe $(bindir)/tstunnel.exe: $(win32_common_objs) $(win32_cli_objs) $(win32_cc) $(win32_ldflags) -o $(bindir)/tstunnel.exe $(win32_common_objs) $(win32_cli_objs) $(win32_cli_libs) + -$(srcdir)/../sign/sign.sh $(bindir)/tstunnel.exe -$(objdir)/%.o: $(srcdir)/%.c $(common_headers) +$(objdir)/%.o: $(srcdir)/%.c $(win32_cc) -c $(win32_cppflags) $(win32_cflags) -o $@ $< -$(objdir)/resources.o: $(srcdir)/resources.rc $(srcdir)/resources.h $(srcdir)/version.h +$(objdir)/%.o: $(common_headers) + +$(win32_gui_objs): $(srcdir)/resources.h + +$(objdir)/resources.o: $(srcdir)/resources.rc $(win32_windres) --include-dir $(srcdir) $< $@ + +$(objdir)/resources.o: $(srcdir)/version.h diff -Nru stunnel4-5.44/src/network.c stunnel4-5.50/src/network.c --- stunnel4-5.44/src/network.c 2017-01-19 08:51:32.000000000 +0000 +++ stunnel4-5.50/src/network.c 2018-06-08 17:30:06.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -222,8 +222,8 @@ for(i=0; ifds->nfds; i++) { context->fds->ufds[i].revents=ufds[nfds].revents; #ifdef DEBUG_UCONTEXT - s_log(LOG_DEBUG, "CONTEXT %ld, FD=%d,%s%s ->%s%s%s%s%s", - context->id, ufds[nfds].fd, + s_log(LOG_DEBUG, "CONTEXT %ld, FD=%ld,%s%s ->%s%s%s%s%s", + context->id, (long)ufds[nfds].fd, (ufds[nfds].events & POLLIN) ? " IN" : "", (ufds[nfds].events & POLLOUT) ? " OUT" : "", (ufds[nfds].revents & POLLIN) ? " IN" : "", 
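Review bot: Both link rules run `-$(srcdir)/../sign/sign.sh ...` with a leading `-`, so make ignores a failing or missing signing script and still treats the target as built. A release build can therefore produce an unsigned `stunnel.exe` or `tstunnel.exe` with a zero exit status and nothing to alert the packager. If best-effort signing is intended for developer builds, make that explicit and let release builds fail: drop the `-` and run the step only when a variable such as `win32_sign` is set. The content of sign.sh is not visible in this hunk, so its own error handling cannot be checked here.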
@@ -483,14 +483,15 @@ /**************************************** fd management */ -int set_socket_options(SOCKET s, int type) { +int socket_options_set(SERVICE_OPTIONS *service, SOCKET s, int type) { SOCK_OPT *ptr; - extern SOCK_OPT *sock_opts; static char *type_str[3]={"accept", "local", "remote"}; socklen_t opt_size; int retval=0; /* no error found */ - for(ptr=sock_opts; ptr->opt_str; ptr++) { + s_log(LOG_DEBUG, "Setting %s socket options (FD=%ld)", + type_str[type], (long)s); + for(ptr=service->sock_opts; ptr->opt_str; ptr++) { if(!ptr->opt_val[type]) continue; /* default */ switch(ptr->opt_type) { @@ -605,21 +606,21 @@ switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) { case -1: sockerror("s_write: s_poll_wait"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ case 0: s_log(LOG_INFO, "s_write: s_poll_wait:" " TIMEOUTbusy exceeded: sending reset"); - longjmp(c->err, 1); /* timeout */ + throw_exception(c, 1); /* timeout */ case 1: break; /* OK */ default: s_log(LOG_ERR, "s_write: s_poll_wait: unknown result"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ } num=writesocket(fd, (void *)ptr, len); if(num==-1) { /* error */ sockerror("writesocket (s_write)"); - longjmp(c->err, 1); + throw_exception(c, 1); } ptr+=(size_t)num; len-=(size_t)num; 
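Review bot: Every `longjmp(c->err, 1)` replaced in hunk -605 ended a `case` that has no `break`, so the switch is correct only if `throw_exception()` never returns. Its definition is outside this diff section; if it can return, `case -1` falls through into the timeout branch, and in the `s_read`/`s_ssl_read` hunks that follow a `num` of -1 would reach `ptr=(uint8_t *)ptr+num; len-=(size_t)num;`. Declare `throw_exception()` noreturn in its prototype (for GCC and clang `__attribute__((noreturn))`) so the compiler enforces the assumption. The same applies to the replacements in the `fd_getline`, `s_ssl_write`, `ssl_getstring`, `ssl_getline` and `ssl_putline` hunks. The enclosing functions start and end outside these hunks.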
@@ -636,25 +637,25 @@ switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) { case -1: sockerror("s_read: s_poll_wait"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ case 0: s_log(LOG_INFO, "s_read: s_poll_wait:" " TIMEOUTbusy exceeded: sending reset"); - longjmp(c->err, 1); /* timeout */ + throw_exception(c, 1); /* timeout */ case 1: break; /* OK */ default: s_log(LOG_ERR, "s_read: s_poll_wait: unknown result"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ } num=readsocket(fd, ptr, len); switch(num) { case -1: /* error */ sockerror("readsocket (s_read)"); - longjmp(c->err, 1); + throw_exception(c, 1); case 0: /* EOF */ s_log(LOG_ERR, "Unexpected socket close (s_read)"); - longjmp(c->err, 1); + throw_exception(c, 1); } ptr=(uint8_t *)ptr+num; len-=(size_t)num; @@ -682,7 +683,7 @@ if(ptr>65536) { /* >64KB --> DoS protection */ s_log(LOG_ERR, "fd_getline: Line too long"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } if(allocatederr, 1); + throw_exception(c, 1); } fd_putline(c, fd, line); str_free(line); @@ -728,21 +729,21 @@ switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) { case -1: sockerror("s_write: s_poll_wait"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ case 0: s_log(LOG_INFO, "s_write: s_poll_wait:" " TIMEOUTbusy exceeded: sending reset"); - longjmp(c->err, 1); /* timeout */ + throw_exception(c, 1); /* timeout */ case 1: break; /* OK */ default: s_log(LOG_ERR, "s_write: s_poll_wait: unknown result"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ } num=SSL_write(c->ssl, (void *)ptr, len); if(num==-1) { /* error */ sockerror("SSL_write (s_ssl_write)"); - longjmp(c->err, 1); + throw_exception(c, 1); } ptr+=num; len-=num; 
@@ -760,26 +761,26 @@ switch(s_poll_wait(c->fds, c->opt->timeout_busy, 0)) { case -1: sockerror("s_read: s_poll_wait"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ case 0: s_log(LOG_INFO, "s_read: s_poll_wait:" " TIMEOUTbusy exceeded: sending reset"); - longjmp(c->err, 1); /* timeout */ + throw_exception(c, 1); /* timeout */ case 1: break; /* OK */ default: s_log(LOG_ERR, "s_read: s_poll_wait: unknown result"); - longjmp(c->err, 1); /* error */ + throw_exception(c, 1); /* error */ } } num=SSL_read(c->ssl, ptr, len); switch(num) { case -1: /* error */ sockerror("SSL_read (s_ssl_read)"); - longjmp(c->err, 1); + throw_exception(c, 1); case 0: /* EOF */ s_log(LOG_ERR, "Unexpected socket close (s_ssl_read)"); - longjmp(c->err, 1); + throw_exception(c, 1); } ptr=(uint8_t *)ptr+num; len-=num; @@ -795,7 +796,7 @@ if(ptr>65536) { /* >64KB --> DoS protection */ s_log(LOG_ERR, "ssl_getstring: Line too long"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } if(allocated65536) { /* >64KB --> DoS protection */ s_log(LOG_ERR, "ssl_getline: Line too long"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } if(allocatedINT_MAX) { /* paranoia */ s_log(LOG_ERR, "ssl_putline: Line too long"); str_free(tmpline); - longjmp(c->err, 1); + throw_exception(c, 1); } s_ssl_write(c, tmpline, (int)len); str_free(tmpline); diff -Nru stunnel4-5.44/src/options.c stunnel4-5.50/src/options.c --- stunnel4-5.44/src/options.c 2017-11-15 07:06:12.000000000 +0000 +++ stunnel4-5.50/src/options.c 2018-11-05 14:37:18.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -44,17 +44,20 @@ #define CONFLINELEN (16*1024) +#define INVALID_SSL_OPTION ((long unsigned)-1) + typedef enum { - CMD_BEGIN, /* initialize defaults */ - CMD_EXEC, /* process command */ - CMD_END, /* end of section */ - CMD_FREE, /* TODO: deallocate memory */ - CMD_DEFAULT, /* print default value */ - CMD_HELP /* print help */ + CMD_SET_DEFAULTS, /* set default values */ + CMD_SET_COPY, /* duplicate from new_service_options */ + CMD_FREE, /* deallocate memory */ + CMD_SET_VALUE, /* set a user-specified value */ + CMD_INITIALIZE, /* initialize the global options or a section */ + CMD_PRINT_DEFAULTS, /* print default values */ + CMD_PRINT_HELP /* print help */ } CMD; NOEXPORT int options_file(char *, CONF_TYPE, SERVICE_OPTIONS **); -NOEXPORT int options_include(char *, SERVICE_OPTIONS **); +NOEXPORT int init_section(int, SERVICE_OPTIONS **); #ifdef USE_WIN32 struct dirent { char d_name[MAX_PATH]; @@ -65,16 +68,25 @@ int alphasort(const struct dirent **, const struct dirent **); #endif NOEXPORT char *parse_global_option(CMD, char *, char *); -NOEXPORT char *parse_service_option(CMD, SERVICE_OPTIONS *, char *, char *); +NOEXPORT char *parse_service_option(CMD, SERVICE_OPTIONS **, char *, char *); #ifndef OPENSSL_NO_TLSEXT NOEXPORT char *sni_init(SERVICE_OPTIONS *); +NOEXPORT void sni_free(SERVICE_OPTIONS *); #endif /* !defined(OPENSSL_NO_TLSEXT) */ +#if OPENSSL_VERSION_NUMBER>=0x10100000L +NOEXPORT int str_to_proto_version(const char *); +#else /* OPENSSL_VERSION_NUMBER<0x10100000L */ +NOEXPORT char *tls_methods_set(SERVICE_OPTIONS *, const char *); +NOEXPORT char *tls_methods_check(SERVICE_OPTIONS *); +#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ + NOEXPORT char *parse_debug_level(char *, SERVICE_OPTIONS *); #ifndef OPENSSL_NO_PSK NOEXPORT PSK_KEYS *psk_read(char *); +NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *); NOEXPORT void psk_free(PSK_KEYS *); #endif /* !defined(OPENSSL_NO_PSK) */ 
@@ -146,9 +158,20 @@ {"NO_TLSv1", SSL_OP_NO_TLSv1}, #ifdef SSL_OP_NO_TLSv1_1 {"NO_TLSv1.1", SSL_OP_NO_TLSv1_1}, +#else /* ignore if unsupported by OpenSSL */ + {"NO_TLSv1.1", 0}, #endif #ifdef SSL_OP_NO_TLSv1_2 {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2}, +#else /* ignore if unsupported by OpenSSL */ + {"NO_TLSv1.2", 0}, +#endif +#ifdef SSL_OP_NO_TLSv1_3 + {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3}, + {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3}, /* keep compatibility with our typo */ +#else /* ignore if unsupported by OpenSSL */ + {"NO_TLSv1.3", 0}, + {"NO_TLSv1_3", 0}, /* keep compatibility with our typo */ #endif {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1}, {"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2}, @@ -175,8 +198,17 @@ #ifdef SSL_OP_NO_ENCRYPT_THEN_MAC {"NO_ENCRYPT_THEN_MAC", SSL_OP_NO_ENCRYPT_THEN_MAC}, #endif -#ifdef SSL_OP_NO_TLSv1_3 - {"NO_TLSv1_3", SSL_OP_NO_TLSv1_3}, +#ifdef SSL_OP_ALLOW_NO_DHE_KEX + {"ALLOW_NO_DHE_KEX", SSL_OP_ALLOW_NO_DHE_KEX}, +#endif +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT + {"ENABLE_MIDDLEBOX_COMPAT", SSL_OP_ENABLE_MIDDLEBOX_COMPAT}, +#endif +#ifdef SSL_OP_NO_RENEGOTIATION + {"NO_RENEGOTIATION", SSL_OP_NO_RENEGOTIATION}, +#endif +#ifdef SSL_OP_PRIORITIZE_CHACHA + {"PRIORITIZE_CHACHA", SSL_OP_PRIORITIZE_CHACHA}, #endif {NULL, 0} }; @@ -184,10 +216,13 @@ NOEXPORT long unsigned parse_ssl_option(char *); NOEXPORT void print_ssl_options(void); -NOEXPORT void init_socket_options(void); -NOEXPORT int print_socket_options(void); -NOEXPORT char *print_option(int, OPT_UNION *); -NOEXPORT int parse_socket_option(char *); +NOEXPORT SOCK_OPT *socket_options_init(void); +NOEXPORT void socket_option_set_int(SOCK_OPT *, char *, int, int); +NOEXPORT SOCK_OPT *socket_options_dup(SOCK_OPT *); +NOEXPORT void socket_options_free(SOCK_OPT *); +NOEXPORT int socket_options_print(void); +NOEXPORT char *socket_option_text(VAL_TYPE, OPT_UNION *); +NOEXPORT int socket_option_parse(SOCK_OPT *, char *); #ifndef OPENSSL_NO_OCSP NOEXPORT unsigned long parse_ocsp_flag(char *); 
@@ -204,14 +239,20 @@ NOEXPORT ENGINE *engine_get_by_num(const int); #endif /* !defined(OPENSSL_NO_ENGINE) */ +NOEXPORT char *include_config(char *, SERVICE_OPTIONS **); + NOEXPORT void print_syntax(void); NOEXPORT void name_list_append(NAME_LIST **, char *); +NOEXPORT void name_list_dup(NAME_LIST **, NAME_LIST *); +NOEXPORT void name_list_free(NAME_LIST *); #ifndef USE_WIN32 -NOEXPORT char **argalloc(char *); +NOEXPORT char **arg_alloc(char *); +NOEXPORT char **arg_dup(char **); +NOEXPORT void arg_free(char **arg); #endif -char configuration_file[PATH_MAX]; +char *configuration_file=NULL; GLOBAL_OPTIONS global_options; SERVICE_OPTIONS service_options; @@ -224,7 +265,7 @@ "Specified option name is not valid here"; static char *stunnel_cipher_list= - "HIGH:!DH:!aNULL:!SSLv2"; + "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; /**************************************** parse commandline parameters */ @@ -254,17 +295,17 @@ "stunnel.conf"; type=CONF_FILE; } else if(!strcasecmp(arg1, "-help")) { - parse_global_option(CMD_HELP, NULL, NULL); - parse_service_option(CMD_HELP, NULL, NULL, NULL); + parse_global_option(CMD_PRINT_HELP, NULL, NULL); + parse_service_option(CMD_PRINT_HELP, NULL, NULL, NULL); log_flush(LOG_MODE_INFO); return 2; } else if(!strcasecmp(arg1, "-version")) { - parse_global_option(CMD_DEFAULT, NULL, NULL); - parse_service_option(CMD_DEFAULT, NULL, NULL, NULL); + parse_global_option(CMD_PRINT_DEFAULTS, NULL, NULL); + parse_service_option(CMD_PRINT_DEFAULTS, NULL, NULL, NULL); log_flush(LOG_MODE_INFO); return 2; } else if(!strcasecmp(arg1, "-sockets")) { - print_socket_options(); + socket_options_print(); log_flush(LOG_MODE_INFO); return 2; } else if(!strcasecmp(arg1, "-options")) { 
@@ -288,18 +329,24 @@ type=CONF_FILE; } -#ifdef HAVE_REALPATH if(type==CONF_FILE) { - if(!realpath(name, configuration_file)) { +#ifdef HAVE_REALPATH + char *real_path=realpath(name, NULL); + if(!real_path) { s_log(LOG_ERR, "Invalid configuration file name \"%s\"", name); ioerror("realpath"); return 1; } - return options_parse(type); - } + configuration_file=str_dup(real_path); + free(real_path); +#else + configuration_file=str_dup(name); +#endif +#ifndef USE_WIN32 + } else if(type==CONF_FD) { + configuration_file=str_dup(name); #endif - strncpy(configuration_file, name, PATH_MAX-1); - configuration_file[PATH_MAX-1]='\0'; + } return options_parse(type); } @@ -307,40 +354,20 @@ int options_parse(CONF_TYPE type) { SERVICE_OPTIONS *section; - char *errstr; options_defaults(); section=&new_service_options; if(options_file(configuration_file, type, §ion)) return 1; - - if(new_service_options.next) { /* daemon mode: initialize sections */ - for(section=new_service_options.next; section; section=section->next) { - s_log(LOG_INFO, "Initializing service [%s]", section->servname); - errstr=parse_service_option(CMD_END, section, NULL, NULL); - if(errstr) - break; - } - } else { /* inetd mode: need to initialize global options */ - errstr=parse_global_option(CMD_END, NULL, NULL); - if(errstr) { - s_log(LOG_ERR, "Global options: %s", errstr); - return 1; - } - s_log(LOG_INFO, "Initializing inetd mode configuration"); - section=&new_service_options; - errstr=parse_service_option(CMD_END, section, NULL, NULL); - } - if(errstr) { - s_log(LOG_ERR, "Service [%s]: %s", section->servname, errstr); + if(init_section(1, §ion)) return 1; - } s_log(LOG_NOTICE, "Configuration successful"); return 0; } -NOEXPORT int options_file(char *path, CONF_TYPE type, SERVICE_OPTIONS **section) { +NOEXPORT int options_file(char *path, CONF_TYPE type, + SERVICE_OPTIONS **section_ptr) { DISK_FILE *df; char line_text[CONFLINELEN], *errstr; char config_line[CONFLINELEN], *config_opt, *config_arg; 
@@ -394,26 +421,26 @@ continue; if(config_opt[0]=='[' && config_opt[strlen(config_opt)-1]==']') { /* new section */ - SERVICE_OPTIONS *new_section; + if(init_section(0, section_ptr)) { + file_close(df); + return 1; + } - if(!new_service_options.next) { /* initialize global options */ - errstr=parse_global_option(CMD_END, NULL, NULL); - if(errstr) { - s_log(LOG_ERR, "%s:%d: \"%s\": %s", - path, line_number, line_text, errstr); - file_close(df); - return 1; - } + /* append a new SERVICE_OPTIONS structure to the list */ + { + SERVICE_OPTIONS *new_section; + new_section=str_alloc_detached(sizeof(SERVICE_OPTIONS)); + new_section->next=NULL; + (*section_ptr)->next=new_section; + *section_ptr=new_section; } + + /* initialize the newly allocated section */ ++config_opt; config_opt[strlen(config_opt)-1]='\0'; - new_section=str_alloc(sizeof(SERVICE_OPTIONS)); - memcpy(new_section, &new_service_options, sizeof(SERVICE_OPTIONS)); - new_section->servname=str_dup(config_opt); - new_section->session=NULL; - new_section->next=NULL; - (*section)->next=new_section; - *section=new_section; + (*section_ptr)->servname=str_dup_detached(config_opt); + (*section_ptr)->session=NULL; + parse_service_option(CMD_SET_COPY, section_ptr, NULL, NULL); continue; } 
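Review bot: The new section comes from `str_alloc_detached()` and only `next`, `servname` and `session` are assigned before `parse_service_option(CMD_SET_COPY, section_ptr, NULL, NULL)`, whose return value is discarded. The removed code copied the whole template with `memcpy`, so every field had a defined value; now any field that CMD_SET_COPY does not handle keeps whatever the allocator returned, and a failed copy goes unreported. Assign the result to `errstr` and reuse the error path this function already has (`s_log(LOG_ERR, ...)`, `file_close(df); return 1;`). Whether `str_alloc_detached()` zero-fills is not visible here; if the code relies on that, a one-line comment at the allocation should say so.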
@@ -430,22 +457,12 @@ while(isspace((unsigned char)*config_arg)) ++config_arg; /* remove initial whitespaces */ - if(!strcasecmp(config_opt, "include")) { - if(options_include(config_arg, section)) { - s_log(LOG_ERR, "%s:%d: Failed to include directory \"%s\"", - path, line_number, config_arg); - file_close(df); - return 1; - } - continue; - } - errstr=option_not_found; /* try global options first (e.g. for 'debug') */ if(!new_service_options.next) - errstr=parse_global_option(CMD_EXEC, config_opt, config_arg); + errstr=parse_global_option(CMD_SET_VALUE, config_opt, config_arg); if(errstr==option_not_found) - errstr=parse_service_option(CMD_EXEC, *section, config_opt, config_arg); + errstr=parse_service_option(CMD_SET_VALUE, section_ptr, config_opt, config_arg); if(errstr) { s_log(LOG_ERR, "%s:%d: \"%s\": %s", path, line_number, line_text, errstr); 
@@ -457,36 +474,40 @@ return 0; } -NOEXPORT int options_include(char *directory, SERVICE_OPTIONS **section) { - struct dirent **namelist; - int i, num, err=0; +NOEXPORT int init_section(int eof, SERVICE_OPTIONS **section_ptr) { + char *errstr; - num=scandir(directory, &namelist, NULL, alphasort); - if(num<0) { - ioerror("scandir"); - return 1; +#ifndef USE_WIN32 + (*section_ptr)->option.log_stderr=new_global_options.option.log_stderr; +#endif /* USE_WIN32 */ + + if(*section_ptr==&new_service_options) { + /* end of global options or inetd mode -> initialize globals */ + errstr=parse_global_option(CMD_INITIALIZE, NULL, NULL); + if(errstr) { + s_log(LOG_ERR, "Global options: %s", errstr); + return 1; + } } - for(i=0; id_name); - stat(name, &sb); - if(S_ISREG(sb.st_mode)) - err=options_file(name, CONF_FILE, section); + + if(*section_ptr!=&new_service_options || eof) { + /* end service section or inetd mode -> initialize service */ + if(*section_ptr==&new_service_options) + s_log(LOG_INFO, "Initializing inetd mode configuration"); + else + s_log(LOG_INFO, "Initializing service [%s]", + (*section_ptr)->servname); + errstr=parse_service_option(CMD_INITIALIZE, section_ptr, NULL, NULL); + if(errstr) { + if(*section_ptr==&new_service_options) + s_log(LOG_ERR, "Inetd mode: %s", errstr); else - s_log(LOG_DEBUG, "\"%s\" is not a file", name); - str_free(name); + s_log(LOG_ERR, "Service [%s]: %s", + (*section_ptr)->servname, errstr); + return 1; } - free(namelist[i]); } - free(namelist); - return err; + return 0; } #ifdef USE_WIN32 
@@ -541,31 +562,69 @@ #endif void options_defaults() { + SERVICE_OPTIONS *service; + /* initialize globals *before* opening the config file */ - memset(&new_global_options, 0, sizeof(GLOBAL_OPTIONS)); /* reset global options */ - memset(&new_service_options, 0, sizeof(SERVICE_OPTIONS)); /* reset local options */ + memset(&new_global_options, 0, sizeof(GLOBAL_OPTIONS)); + memset(&new_service_options, 0, sizeof(SERVICE_OPTIONS)); new_service_options.next=NULL; - parse_global_option(CMD_BEGIN, NULL, NULL); - parse_service_option(CMD_BEGIN, &new_service_options, NULL, NULL); + + parse_global_option(CMD_SET_DEFAULTS, NULL, NULL); + service=&new_service_options; + parse_service_option(CMD_SET_DEFAULTS, &service, NULL, NULL); } void options_apply() { /* apply default/validated configuration */ unsigned num=0; SERVICE_OPTIONS *section; - for(section=new_service_options.next; section; section=section->next) - section->section_number=num++; - /* FIXME: this operation may be unsafe, as client() threads use it */ + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_SECTIONS]); + memcpy(&global_options, &new_global_options, sizeof(GLOBAL_OPTIONS)); + /* service_options are used for inetd mode and to enumerate services */ + for(section=new_service_options.next; section; section=section->next) + section->section_number=num++; memcpy(&service_options, &new_service_options, sizeof(SERVICE_OPTIONS)); number_of_sections=num; + + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SECTIONS]); +} + +void options_free() { + parse_global_option(CMD_FREE, NULL, NULL); +} + +void service_up_ref(SERVICE_OPTIONS *section) { +#ifdef USE_OS_THREADS + int ref; + + CRYPTO_atomic_add(§ion->ref, 1, &ref, stunnel_locks[LOCK_REF]); +#else + ++(section->ref); +#endif +} + +void service_free(SERVICE_OPTIONS *section) { + int ref; + +#ifdef USE_OS_THREADS + CRYPTO_atomic_add(§ion->ref, -1, &ref, stunnel_locks[LOCK_REF]); +#else + ref=--(section->ref); +#endif + if(ref<0) + fatal("Negative section reference counter"); + 
if(ref==0) + parse_service_option(CMD_FREE, §ion, NULL, NULL); } /**************************************** global options */ NOEXPORT char *parse_global_option(CMD cmd, char *opt, char *arg) { - if(cmd==CMD_DEFAULT || cmd==CMD_HELP) { + void *tmp; + + if(cmd==CMD_PRINT_DEFAULTS || cmd==CMD_PRINT_HELP) { s_log(LOG_NOTICE, " "); s_log(LOG_NOTICE, "Global options:"); } @@ -573,21 +632,26 @@ /* chroot */ #ifdef HAVE_CHROOT switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.chroot_dir=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + tmp=global_options.chroot_dir; + global_options.chroot_dir=NULL; + str_free(tmp); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "chroot")) break; new_global_options.chroot_dir=str_dup(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = directory to chroot stunnel process", "chroot"); break; } 
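Review bot: In `service_free()` the local `ref` is assigned only through `CRYPTO_atomic_add()` when `USE_OS_THREADS` is defined, and that call's return value is ignored. If the call fails, `if(ref<0)` and `if(ref==0)` read an uninitialized value, which can release a section that is still in use or never release it. Test the result, e.g. `if(!CRYPTO_atomic_add(&section->ref, -1, &ref, stunnel_locks[LOCK_REF])) fatal("CRYPTO_atomic_add failed");`, and handle the call in `service_up_ref()` the same way.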
@@ -596,26 +660,32 @@ /* compression */ #ifndef OPENSSL_NO_COMP switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.compression=COMP_NONE; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "compression")) break; - if(OpenSSL_version_num()>=0x00908051L && !strcasecmp(arg, "deflate")) + /* only allow compression with OpenSSL 0.9.8 or later + * with OpenSSL #1468 zlib memory leak fixed */ + if(OpenSSL_version_num()<0x00908051L) /* 0.9.8e-beta1 */ + return "Compression unsupported due to a memory leak"; + if(!strcasecmp(arg, "deflate")) new_global_options.compression=COMP_DEFLATE; else if(!strcasecmp(arg, "zlib")) new_global_options.compression=COMP_ZLIB; else return "Specified compression type is not available"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = compression type", "compression"); break; @@ -624,28 +694,33 @@ /* EGD */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: #ifdef EGD_SOCKET new_global_options.egd_sock=EGD_SOCKET; #else new_global_options.egd_sock=NULL; #endif break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + tmp=global_options.egd_sock; + global_options.egd_sock=NULL; + str_free(tmp); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "EGD")) break; new_global_options.egd_sock=str_dup(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: #ifdef EGD_SOCKET s_log(LOG_NOTICE, "%-22s = %s", "EGD", EGD_SOCKET); #endif break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = path to Entropy Gathering Daemon socket", "EGD"); break; } 
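Review bot: In the EGD switch (hunk -624) `CMD_FREE` passes `global_options.egd_sock` to `str_free()`, but when `EGD_SOCKET` is defined `CMD_SET_DEFAULTS` stores the macro's string literal in `new_global_options.egd_sock`. If the configuration never sets `EGD`, that literal is the pointer that ends up being freed once the options have been applied. Allocate the default the same way `CMD_SET_VALUE` does, `new_global_options.egd_sock=str_dup(EGD_SOCKET);`, so the field always holds a pointer that `str_free()` may release. The switch belongs to `parse_global_option()`, which starts and ends outside this hunk.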
@@ -654,24 +729,27 @@ /* engine */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: engine_reset_list(); break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + /* FIXME: investigate if we can free it */ + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "engine")) break; if(!strcasecmp(arg, "auto")) return engine_auto(); else return engine_open(arg); - case CMD_END: + case CMD_INITIALIZE: engine_init(); break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = auto|engine_id", "engine"); break; @@ -679,9 +757,13 @@ /* engineCtrl */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "engineCtrl")) break; { @@ -690,13 +772,11 @@ *tmp_str++='\0'; return engine_ctrl(arg, tmp_str); } - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = cmd[:arg]", "engineCtrl"); break; @@ -704,19 +784,21 @@ /* engineDefault */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + break; + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: break; - case CMD_EXEC: + case CMD_SET_VALUE: if(strcasecmp(opt, "engineDefault")) break; return engine_default(arg); - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = TASK_LIST", "engineDefault"); break; 
@@ -726,12 +808,16 @@ /* fips */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: #ifdef USE_FIPS new_global_options.option.fips=0; #endif /* USE_FIPS */ break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "fips")) break; #ifdef USE_FIPS @@ -746,13 +832,11 @@ return "FIPS support is not available"; #endif /* USE_FIPS */ return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: #ifdef USE_FIPS s_log(LOG_NOTICE, "%-22s = yes|no FIPS 140-2 mode", "fips"); @@ -763,11 +847,15 @@ /* foreground */ #ifndef USE_WIN32 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.option.foreground=0; new_global_options.option.log_stderr=0; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "foreground")) break; if(!strcasecmp(arg, "yes")) { @@ -782,13 +870,11 @@ } else return "The argument needs to be either 'yes', 'quiet' or 'no'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|quiet|no foreground mode (don't fork, log to stderr)", "foreground"); break; 
@@ -799,66 +885,75 @@ /* iconActive */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.icon[ICON_ACTIVE]=load_icon_default(ICON_ACTIVE); break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + /* FIXME: investigate if we can free it */ + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "iconActive")) break; if(!(new_global_options.icon[ICON_ACTIVE]=load_icon_file(arg))) return "Failed to load the specified icon"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = icon when connections are established", "iconActive"); break; } /* iconError */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.icon[ICON_ERROR]=load_icon_default(ICON_ERROR); break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + /* FIXME: investigate if we can free it */ + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "iconError")) break; if(!(new_global_options.icon[ICON_ERROR]=load_icon_file(arg))) return "Failed to load the specified icon"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = icon for invalid configuration file", "iconError"); break; } /* iconIdle */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.icon[ICON_IDLE]=load_icon_default(ICON_IDLE); break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + /* FIXME: investigate if we can free it */ + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "iconIdle")) break; if(!(new_global_options.icon[ICON_IDLE]=load_icon_file(arg))) return "Failed to load the specified icon"; return NULL; /* OK 
*/ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = icon when no connections were established", "iconIdle"); break; } @@ -867,10 +962,14 @@ /* log */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.log_file_mode=FILE_MODE_APPEND; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "log")) break; if(!strcasecmp(arg, "append")) @@ -880,13 +979,11 @@ else return "The argument needs to be either 'append' or 'overwrite'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = append|overwrite log file", "log"); break; @@ -894,21 +991,32 @@ /* output */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.output_file=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + tmp=global_options.output_file; + global_options.output_file=NULL; + str_free(tmp); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "output")) break; new_global_options.output_file=str_dup(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: +#ifndef USE_WIN32 + if(!new_global_options.option.foreground /* daemonize() used */ && + new_global_options.output_file /* log file enabled */ && + new_global_options.output_file[0]!='/' /* relative path */) + return "Log file must include full path name"; +#endif break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = file to append log messages", "output"); break; } 
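Review bot: In the `output` block, `CMD_SET_VALUE` still assigns `new_global_options.output_file=str_dup(arg);` without releasing the previous value, so a configuration that repeats `output` appears to orphan the earlier string. The service-level options changed later in this same diff release the old value first; the matching line here would be `str_free(new_global_options.output_file);` ahead of the assignment. The `RNDfile` hunk (`@@ -954,48 +1075,59 @@`) has the same shape and is more exposed, because `CMD_SET_DEFAULTS` now allocates `str_dup(RANDOM_FILE)`, which any explicit `RNDfile` line then overwrites. Whether non-detached `str_dup` allocations are reclaimed elsewhere is not visible from these hunks, so confirm that before changing it.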
@@ -916,10 +1024,17 @@ /* pid */ #ifndef USE_WIN32 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.pidfile=NULL; /* do not create a pid file */ break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + tmp=global_options.pidfile; + global_options.pidfile=NULL; + str_free(tmp); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "pid")) break; if(arg[0]) /* is argument not empty? */ @@ -927,13 +1042,15 @@ else new_global_options.pidfile=NULL; /* empty -> do not create a pid file */ return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: + if(!new_global_options.option.foreground /* daemonize() used */ && + new_global_options.pidfile /* pid file enabled */ && + new_global_options.pidfile[0]!='/' /* relative path */) + return "Pid file must include full path name"; break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = pid file", "pid"); break; } @@ -941,10 +1058,14 @@ /* RNDbytes */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.random_bytes=RANDOM_BYTES; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "RNDbytes")) break; { 
@@ -954,48 +1075,59 @@ return "Illegal number of bytes to read from random seed files"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %d", "RNDbytes", RANDOM_BYTES); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = bytes to read from random seed files", "RNDbytes"); break; } /* RNDfile */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: +#ifdef RANDOM_FILE + new_global_options.rand_file=str_dup(RANDOM_FILE); +#else new_global_options.rand_file=NULL; +#endif break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + tmp=global_options.rand_file; + global_options.rand_file=NULL; + str_free(tmp); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "RNDfile")) break; new_global_options.rand_file=str_dup(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: #ifdef RANDOM_FILE s_log(LOG_NOTICE, "%-22s = %s", "RNDfile", RANDOM_FILE); #endif break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = path to file with random seed data", "RNDfile"); break; } /* RNDoverwrite */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.option.rand_write=1; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "RNDoverwrite")) break; if(!strcasecmp(arg, "yes")) 
@@ -1005,72 +1137,28 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = yes", "RNDoverwrite"); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no overwrite seed datafiles with new random data", "RNDoverwrite"); break; } + /* syslog */ #ifndef USE_WIN32 - /* service */ - switch(cmd) { - case CMD_BEGIN: - new_service_options.servname=str_dup("stunnel"); - break; - case CMD_EXEC: - if(strcasecmp(opt, "service")) - break; - new_service_options.servname=str_dup(arg); - return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: - break; - case CMD_DEFAULT: - break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = service name", "service"); - break; - } -#endif - - /* socket */ switch(cmd) { - case CMD_BEGIN: - init_socket_options(); + case CMD_SET_DEFAULTS: + new_global_options.option.log_syslog=1; break; - case CMD_EXEC: - if(strcasecmp(opt, "socket")) - break; - if(parse_socket_option(arg)) - return "Illegal socket option"; - return NULL; /* OK */ - case CMD_END: + case CMD_SET_COPY: /* not used for global options */ break; case CMD_FREE: break; - case CMD_DEFAULT: - break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = a|l|r:option=value[:value]", "socket"); - s_log(LOG_NOTICE, "%25sset an option on accept/local/remote socket", ""); - break; - } - - /* syslog */ -#ifndef USE_WIN32 - switch(cmd) { - case CMD_BEGIN: - new_global_options.option.log_syslog=1; - break; - case CMD_EXEC: + case CMD_SET_VALUE: if(strcasecmp(opt, "syslog")) break; if(!strcasecmp(arg, "yes")) 
@@ -1080,13 +1168,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no send logging messages to syslog", "syslog"); break; @@ -1096,10 +1182,14 @@ /* taskbar */ #ifdef USE_WIN32 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: new_global_options.option.taskbar=1; break; - case CMD_EXEC: + case CMD_SET_COPY: /* not used for global options */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "taskbar")) break; if(!strcasecmp(arg, "yes")) 
@@ -1109,68 +1199,101 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = yes", "taskbar"); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no enable the taskbar icon", "taskbar"); break; } #endif - if(cmd==CMD_EXEC) + /* final checks */ + switch(cmd) { + case CMD_SET_DEFAULTS: + break; + case CMD_SET_COPY: + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: return option_not_found; - - if(cmd==CMD_END) { + case CMD_INITIALIZE: /* FIPS needs to be initialized as early as possible */ if(ssl_configure(&new_global_options)) /* configure global TLS settings */ return "Failed to initialize TLS"; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + break; } return NULL; /* OK */ } /**************************************** service-level options */ -NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, +NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS **section_ptr, char *opt, char *arg) { + SERVICE_OPTIONS *section; int endpoints=0; #ifndef USE_WIN32 struct group *gr; struct passwd *pw; #endif - if(cmd==CMD_DEFAULT || cmd==CMD_HELP) { + section=section_ptr ? 
*section_ptr : NULL; + + if(cmd==CMD_SET_DEFAULTS || cmd==CMD_SET_COPY) { + section->ref=1; + } else if(cmd==CMD_FREE) { + if(section==&service_options || section==&new_service_options) + s_log(LOG_DEBUG, "Deallocating section defaults"); + else + s_log(LOG_DEBUG, "Deallocating section [%s]", section->servname); + } else if(cmd==CMD_PRINT_DEFAULTS || cmd==CMD_PRINT_HELP) { s_log(LOG_NOTICE, " "); s_log(LOG_NOTICE, "Service-level options:"); } /* accept */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + addrlist_clear(§ion->local_addr, 1); + section->local_fd=NULL; + break; + case CMD_SET_COPY: addrlist_clear(§ion->local_addr, 1); + section->local_fd=NULL; + name_list_dup(§ion->local_addr.names, + new_service_options.local_addr.names); break; - case CMD_EXEC: + case CMD_FREE: + name_list_free(section->local_addr.names); + str_free(section->local_addr.addr); + str_free(section->local_fd); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "accept")) break; section->option.accept=1; name_list_append(§ion->local_addr.names, arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->local_addr.names) { + unsigned i; if(!addrlist_resolve(§ion->local_addr)) return "Cannot resolve accept target"; + section->local_fd=str_alloc_detached(section->local_addr.num*sizeof(SOCKET)); + for(i=0; ilocal_addr.num; ++i) + section->local_fd[i]=INVALID_SOCKET; ++endpoints; } break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = [host:]port accept connections on specified host:port", "accept"); break; 
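Review bot: `parse_service_option()` now computes `section=section_ptr ? *section_ptr : NULL;` and then dereferences it unconditionally (`section->ref=1;` for `CMD_SET_DEFAULTS`/`CMD_SET_COPY`, `section->servname` for `CMD_FREE`), so a NULL `section_ptr` is only safe for the two print commands. That contract is not stated in the hunk; a comment on the assignment such as `/* section_ptr may be NULL only for CMD_PRINT_DEFAULTS and CMD_PRINT_HELP */`, or an early error return for the other commands, would make it explicit. Separately, in the new "final checks" switch, `case CMD_INITIALIZE:` runs into `case CMD_PRINT_DEFAULTS:` without a `break;`; this is harmless today but should get an explicit `break;` after the `ssl_configure()` check. The body of `parse_service_option()` continues outside this hunk.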
@@ -1178,31 +1301,36 @@ /* CApath */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: #if 0 section->ca_dir=(char *)X509_get_default_cert_dir(); #endif section->ca_dir=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->ca_dir=str_dup_detached(new_service_options.ca_dir); + break; + case CMD_FREE: + str_free(section->ca_dir); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "CApath")) break; + str_free(section->ca_dir); if(arg[0]) /* not empty */ - section->ca_dir=str_dup(arg); + section->ca_dir=str_dup_detached(arg); else section->ca_dir=NULL; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: #if 0 s_log(LOG_NOTICE, "%-22s = %s", "CApath", section->ca_dir ? section->ca_dir : "(none)"); #endif break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = CA certificate directory for 'verify' option", "CApath"); break; @@ -1210,31 +1338,36 @@ /* CAfile */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: #if 0 section->ca_file=(char *)X509_get_default_certfile(); #endif section->ca_file=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->ca_file=str_dup_detached(new_service_options.ca_file); + break; + case CMD_FREE: + str_free(section->ca_file); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "CAfile")) break; + str_free(section->ca_file); if(arg[0]) /* not empty */ - section->ca_file=str_dup(arg); + section->ca_file=str_dup_detached(arg); else section->ca_file=NULL; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: #if 0 s_log(LOG_NOTICE, "%-22s = %s", "CAfile", section->ca_file ? section->ca_file : "(none)"); #endif break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = CA certificate file for 'verify' option", "CAfile"); break; 
@@ -1242,15 +1375,22 @@ /* cert */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->cert=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->cert=str_dup_detached(new_service_options.cert); + break; + case CMD_FREE: + str_free(section->cert); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "cert")) break; - section->cert=str_dup(arg); + str_free(section->cert); + section->cert=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: #ifndef OPENSSL_NO_PSK if(section->psk_keys) break; @@ -1262,11 +1402,9 @@ if(!section->option.client && !section->cert) return "TLS server needs a certificate"; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; /* no default certificate */ - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = certificate chain", "cert"); break; } @@ -1275,23 +1413,28 @@ /* checkEmail */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->check_email=NULL; break; - case CMD_EXEC: - if(strcasecmp(opt, "checkEmail")) + case CMD_SET_COPY: + name_list_dup(§ion->check_email, + new_service_options.check_email); + break; + case CMD_FREE: + name_list_free(section->check_email); + break; + case CMD_SET_VALUE: + if(strcasecmp(opt, "checkEmail")) break; name_list_append(§ion->check_email, arg); return NULL; /* OK */ - case CMD_END: - if(section->check_email && !section->option.verify_chain && !section->option.verify_peer) + case CMD_INITIALIZE: + if(section->check_email && !section->option.verify_chain && !section->option.verify_peer) return "Either \"verifyChain\" or \"verifyPeer\" has to be enabled"; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = peer certificate email address", "checkEmail"); break; 
@@ -1299,23 +1442,28 @@ /* checkHost */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->check_host=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + name_list_dup(§ion->check_host, + new_service_options.check_host); + break; + case CMD_FREE: + name_list_free(section->check_host); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "checkHost")) break; name_list_append(§ion->check_host, arg); return NULL; /* OK */ - case CMD_END: - if(section->check_host && !section->option.verify_chain && !section->option.verify_peer) + case CMD_INITIALIZE: + if(section->check_host && !section->option.verify_chain && !section->option.verify_peer) return "Either \"verifyChain\" or \"verifyPeer\" has to be enabled"; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = peer certificate host name pattern", "checkHost"); break; @@ -1323,21 +1471,28 @@ /* checkIP */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->check_ip=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + name_list_dup(§ion->check_ip, + new_service_options.check_ip); + break; + case CMD_FREE: + name_list_free(section->check_ip); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "checkIP")) break; name_list_append(§ion->check_ip, arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: + if(section->check_ip && !section->option.verify_chain && !section->option.verify_peer) + return "Either \"verifyChain\" or \"verifyPeer\" has to be enabled"; break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = peer certificate IP address", "checkIP"); break; 
@@ -1347,29 +1502,34 @@ /* ciphers */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->cipher_list=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->cipher_list=str_dup_detached(new_service_options.cipher_list); + break; + case CMD_FREE: + str_free(section->cipher_list); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "ciphers")) break; - section->cipher_list=str_dup(arg); + str_free(section->cipher_list); + section->cipher_list=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(!section->cipher_list) { /* this is only executed for global options, * because section->cipher_list is no longer NULL */ #ifdef USE_FIPS if(new_global_options.option.fips) - section->cipher_list="FIPS"; + section->cipher_list=str_dup_detached("FIPS"); else #endif /* USE_FIPS */ - section->cipher_list=stunnel_cipher_list; + section->cipher_list=str_dup_detached(stunnel_cipher_list); } break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: #ifdef USE_FIPS s_log(LOG_NOTICE, "%-22s = %s %s", "ciphers", "FIPS", "(with \"fips = yes\")"); @@ -1379,17 +1539,22 @@ s_log(LOG_NOTICE, "%-22s = %s", "ciphers", stunnel_cipher_list); #endif /* USE_FIPS */ break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = list of permitted TLS ciphers", "ciphers"); break; } /* client */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.client=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.client=new_service_options.option.client; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "client")) break; if(!strcasecmp(arg, "yes")) 
@@ -1399,13 +1564,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no client mode (remote service uses TLS)", "client"); break; @@ -1415,21 +1578,25 @@ /* config */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->config=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + name_list_dup(§ion->config, new_service_options.config); + break; + case CMD_FREE: + name_list_free(section->config); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "config")) break; name_list_append(§ion->config, arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = command[:parameter] to execute", "config"); break; 
@@ -1439,33 +1606,45 @@ /* connect */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + addrlist_clear(§ion->connect_addr, 0); + section->connect_session=NULL; + break; + case CMD_SET_COPY: addrlist_clear(§ion->connect_addr, 0); + section->connect_session=NULL; + name_list_dup(§ion->connect_addr.names, + new_service_options.connect_addr.names); break; - case CMD_EXEC: + case CMD_FREE: + name_list_free(section->connect_addr.names); + str_free(section->connect_addr.addr); + str_free(section->connect_session); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "connect")) break; name_list_append(§ion->connect_addr.names, arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->connect_addr.names) { if(!section->option.delayed_lookup && !addrlist_resolve(§ion->connect_addr)) { s_log(LOG_INFO, "Cannot resolve connect target - delaying DNS lookup"); + section->connect_addr.num=0; section->redirect_addr.num=0; - str_free(section->redirect_addr.names); - section->redirect_addr.names=NULL; section->option.delayed_lookup=1; } + if(section->option.client) + section->connect_session= + str_alloc_detached(section->connect_addr.num*sizeof(SSL_SESSION *)); ++endpoints; } break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = [host:]port to connect", "connect"); break; 
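Review bot: In the `connect` `CMD_INITIALIZE` branch, `connect_session` is sized from `section->connect_addr.num`, which the failed-resolve path has just set to 0 before enabling `delayed_lookup`. A client section with delayed DNS lookup therefore gets a zero-length session array, so any later code that indexes `connect_session` by resolved address has to check `delayed_lookup` first; that code is outside this hunk and should be confirmed. The array is also not explicitly initialised here, unlike `local_fd` in the `accept` block, so it relies on `str_alloc_detached()` returning zeroed memory. A short comment next to the allocation stating both assumptions would help.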
@@ -1473,48 +1652,58 @@ /* CRLpath */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->crl_dir=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->crl_dir=str_dup_detached(new_service_options.crl_dir); + break; + case CMD_FREE: + str_free(section->crl_dir); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "CRLpath")) break; + str_free(section->crl_dir); if(arg[0]) /* not empty */ - section->crl_dir=str_dup(arg); + section->crl_dir=str_dup_detached(arg); else section->crl_dir=NULL; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = CRL directory", "CRLpath"); break; } /* CRLfile */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->crl_file=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->crl_file=str_dup_detached(new_service_options.crl_file); + break; + case CMD_FREE: + str_free(section->crl_file); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "CRLfile")) break; + str_free(section->crl_file); if(arg[0]) /* not empty */ - section->crl_file=str_dup(arg); + section->crl_file=str_dup_detached(arg); else section->crl_file=NULL; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = CRL file", "CRLfile"); break; } 
@@ -1524,24 +1713,27 @@ /* curve */ #define DEFAULT_CURVE NID_X9_62_prime256v1 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->curve=DEFAULT_CURVE; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->curve=new_service_options.curve; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "curve")) break; section->curve=OBJ_txt2nid(arg); if(section->curve==NID_undef) return "Curve name not supported"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %s", "curve", OBJ_nid2ln(DEFAULT_CURVE)); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = ECDH curve name", "curve"); break; } @@ -1550,28 +1742,31 @@ /* debug */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->log_level=LOG_NOTICE; #if !defined (USE_WIN32) && !defined (__vms) new_global_options.log_facility=LOG_DAEMON; #endif break; - case CMD_EXEC: + case CMD_SET_COPY: + section->log_level=new_service_options.log_level; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "debug")) break; return parse_debug_level(arg, section); - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: #if !defined (USE_WIN32) && !defined (__vms) s_log(LOG_NOTICE, "%-22s = %s", "debug", "daemon.notice"); #else s_log(LOG_NOTICE, "%-22s = %s", "debug", "notice"); #endif break; - case CMD_HELP: + case CMD_PRINT_HELP: #if !defined (USE_WIN32) && !defined (__vms) s_log(LOG_NOTICE, "%-22s = [facility].level (e.g. daemon.info)", "debug"); #else 
@@ -1582,10 +1777,15 @@ /* delay */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.delayed_lookup=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.delayed_lookup=new_service_options.option.delayed_lookup; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "delay")) break; if(!strcasecmp(arg, "yes")) @@ -1595,13 +1795,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no delay DNS lookup for 'connect' option", "delay"); @@ -1612,22 +1810,25 @@ /* engineId */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + break; + case CMD_SET_COPY: + section->engine=new_service_options.engine; + break; + case CMD_FREE: break; - case CMD_EXEC: + case CMD_SET_VALUE: if(strcasecmp(opt, "engineId")) break; section->engine=engine_get_by_id(arg); if(!section->engine) return "Engine ID not found"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = ID of engine to read the key from", "engineId"); break; @@ -1635,9 +1836,14 @@ /* engineNum */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + break; + case CMD_SET_COPY: + section->engine=new_service_options.engine; break; - case CMD_EXEC: + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "engineNum")) break; { 
@@ -1650,13 +1856,11 @@ if(!section->engine) return "Illegal engine number"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = number of engine to read the key from", "engineNum"); break; @@ -1666,32 +1870,37 @@ /* exec */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->exec_name=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->exec_name=str_dup_detached(new_service_options.exec_name); + break; + case CMD_FREE: + str_free(section->exec_name); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "exec")) break; - section->exec_name=str_dup(arg); + str_free(section->exec_name); + section->exec_name=str_dup_detached(arg); #ifdef USE_WIN32 - section->exec_args=str_dup(arg); + section->exec_args=str_dup_detached(arg); #else if(!section->exec_args) { - section->exec_args=str_alloc(2*sizeof(char *)); - section->exec_args[0]=section->exec_name; - section->exec_args[1]=NULL; /* to show that it's null-terminated */ + section->exec_args=str_alloc_detached(2*sizeof(char *)); + section->exec_args[0]=str_dup_detached(section->exec_name); + section->exec_args[1]=NULL; /* null-terminate */ } #endif return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->exec_name) ++endpoints; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = file execute local inetd-type program", "exec"); break; 
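Review bot: Under `USE_WIN32`, the `exec` handler assigns `section->exec_args=str_dup_detached(arg);` without releasing the previous value, while `exec_name` just above it and `exec_args` in the `execArgs` hunk are both freed before reassignment. With detached allocations this looks like a leak whenever `exec` follows `execArgs` or is repeated in a section. It also replaces arguments set earlier, unlike the non-Windows branch, which only fills `exec_args` when it is still NULL. Adding `str_free(section->exec_args);` before the assignment fixes the leak; whether the overwrite is intended deserves a comment.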
@@ -1699,25 +1908,39 @@ /* execArgs */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->exec_args=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: +#ifdef USE_WIN32 + section->exec_args=str_dup_detached(new_service_options.exec_args); +#else + section->exec_args=arg_dup(new_service_options.exec_args); +#endif + break; + case CMD_FREE: +#ifdef USE_WIN32 + str_free(section->exec_args); +#else + arg_free(section->exec_args); +#endif + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "execArgs")) break; #ifdef USE_WIN32 - section->exec_args=str_dup(arg); + str_free(section->exec_args); + section->exec_args=str_dup_detached(arg); #else - section->exec_args=argalloc(arg); + arg_free(section->exec_args); + section->exec_args=arg_alloc(arg); #endif return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = arguments for 'exec' (including $0)", "execArgs"); break; @@ -1725,11 +1948,17 @@ /* failover */ switch(cmd) { - case CMD_BEGIN: - section->failover=FAILOVER_RR; - section->seq=0; + case CMD_SET_DEFAULTS: + section->failover=FAILOVER_PRIO; + section->rr=0; + break; + case CMD_SET_COPY: + section->failover=new_service_options.failover; + section->rr=new_service_options.rr; + break; + case CMD_FREE: break; - case CMD_EXEC: + case CMD_SET_VALUE: if(strcasecmp(opt, "failover")) break; if(!strcasecmp(arg, "rr")) @@ -1739,15 +1968,13 @@ else return "The argument needs to be either 'rr' or 'prio'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->option.delayed_lookup) section->failover=FAILOVER_PRIO; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = rr|prio failover strategy", "failover"); break; 
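Review bot: The `failover` default changes from `FAILOVER_RR` to `FAILOVER_PRIO` in `CMD_SET_DEFAULTS`, but `CMD_PRINT_DEFAULTS` for this option still prints nothing, so the new default does not show up in the defaults listing. Printing it, e.g. `s_log(LOG_NOTICE, "%-22s = %s", "failover", "prio");`, would match how `RNDbytes` and `curve` report theirs and make the change discoverable for deployments that relied on round-robin.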
@@ -1755,54 +1982,92 @@ /* ident */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->username=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->username=str_dup_detached(new_service_options.username); + break; + case CMD_FREE: + str_free(section->username); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "ident")) break; - section->username=str_dup(arg); + str_free(section->username); + section->username=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = username for IDENT (RFC 1413) checking", "ident"); + break; + } + + /* include */ + switch(cmd) { + case CMD_SET_DEFAULTS: + break; + case CMD_SET_COPY: break; case CMD_FREE: break; - case CMD_DEFAULT: + case CMD_SET_VALUE: + if(strcasecmp(opt, "include")) + break; + return include_config(arg, section_ptr); + case CMD_INITIALIZE: break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = username for IDENT (RFC 1413) checking", "ident"); + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = directory with configuration file snippets", + "include"); break; } /* key */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->key=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->key=str_dup_detached(new_service_options.key); + break; + case CMD_FREE: + str_free(section->key); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "key")) break; - section->key=str_dup(arg); + str_free(section->key); + section->key=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->cert && !section->key) - section->key=str_dup(section->cert); - break; - case CMD_FREE: + section->key=str_dup_detached(section->cert); break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = certificate private key", "key"); break; } + /* 
libwrap */ #ifdef USE_LIBWRAP switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.libwrap=0; /* disable libwrap by default */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.libwrap=new_service_options.option.libwrap; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "libwrap")) break; if(!strcasecmp(arg, "yes")) @@ -1812,13 +2077,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no use /etc/hosts.allow and /etc/hosts.deny", "libwrap"); break; @@ -1827,23 +2090,28 @@ /* local */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.local=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.local=new_service_options.option.local; + memcpy(§ion->source_addr, &new_service_options.source_addr, + sizeof(SOCKADDR_UNION)); + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "local")) break; if(!hostport2addr(§ion->source_addr, arg, "0", 1)) return "Failed to resolve local address"; section->option.local=1; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = IP address to be used as source for remote" " connections", "local"); break; @@ -1851,10 +2119,15 @@ /* logId */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->log_id=LOG_ID_SEQUENTIAL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->log_id=new_service_options.log_id; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "logId")) break; if(!strcasecmp(arg, "sequential")) 
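Review bot: The new `include` option passes `arg` straight to `include_config(arg, section_ptr)` with no comment on what is trusted, and the helper's body is outside this hunk. Per the help text the argument is a directory of configuration snippets, so every file in it can presumably set options such as `exec`, `setuid` or `key` with the same authority as the main file. A comment above the case should say so, for example `/* snippets are parsed like the main configuration file: the directory must be writable only by the administrator */`. It is also worth confirming that `include_config` handles an `include` line inside an included file without recursing.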
@@ -1868,14 +2141,12 @@ else return "Invalid connection identifier type"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %s", "logId", "sequential"); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = connection identifier type", "logId"); break; @@ -1885,31 +2156,41 @@ /* OCSP */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->ocsp_url=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->ocsp_url=str_dup_detached(new_service_options.ocsp_url); + break; + case CMD_FREE: + str_free(section->ocsp_url); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "ocsp")) break; - section->ocsp_url=str_dup(arg); + str_free(section->ocsp_url); + section->ocsp_url=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = OCSP responder URL", "ocsp"); + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = OCSP responder URL", "OCSP"); break; } /* OCSPaia */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.aia=0; /* disable AIA by default */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.aia=new_service_options.option.aia; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "OCSPaia")) break; if(!strcasecmp(arg, "yes")) @@ -1919,13 +2200,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no check the AIA responders from certificates", "OCSPaia"); 
@@ -1934,10 +2213,15 @@ /* OCSPflag */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->ocsp_flags=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->ocsp_flags=new_service_options.ocsp_flags; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "OCSPflag")) break; { @@ -1947,23 +2231,26 @@ section->ocsp_flags|=tmp_ulong; } return NULL; - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = OCSP responder flags", "OCSPflag"); break; } /* OCSPnonce */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.nonce=0; /* disable OCSP nonce by default */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.nonce=new_service_options.option.nonce; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "OCSPnonce")) break; if(!strcasecmp(arg, "yes")) @@ -1973,13 +2260,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no send and verify the OCSP nonce extension", "OCSPnonce"); 
@@ -1990,19 +2275,27 @@ /* options */ switch(cmd) { - case CMD_BEGIN: - section->ssl_options_set|=SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3; + case CMD_SET_DEFAULTS: + section->ssl_options_set=0; #if OPENSSL_VERSION_NUMBER>=0x009080dfL section->ssl_options_clear=0; #endif /* OpenSSL 0.9.8m or later */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->ssl_options_set=new_service_options.ssl_options_set; +#if OPENSSL_VERSION_NUMBER>=0x009080dfL + section->ssl_options_clear=new_service_options.ssl_options_clear; +#endif /* OpenSSL 0.9.8m or later */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "options")) break; #if OPENSSL_VERSION_NUMBER>=0x009080dfL if(*arg=='-') { long unsigned tmp=parse_ssl_option(arg+1); - if(!tmp) + if(tmp==INVALID_SSL_OPTION) return "Illegal TLS option"; section->ssl_options_clear|=tmp; return NULL; /* OK */ 
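Review bot: `CMD_SET_DEFAULTS` now sets `section->ssl_options_set=0;` where the old code OR-ed in `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3`, yet `CMD_PRINT_DEFAULTS` in the next hunk still logs `options = NO_SSLv2` and `options = NO_SSLv3`. For OpenSSL 1.1.0 and later the floor seems to move to `section->min_proto_version=TLS1_VERSION;` in the `sslVersionMin` hunk. For older libraries the default is delegated to `tls_methods_set(section, NULL)`, which is not visible here, so the diff cannot confirm that SSLv2 and SSLv3 stay disabled by default on those builds. Either keep the flags for the old branch, `#if OPENSSL_VERSION_NUMBER<0x10100000L` / `section->ssl_options_set=SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;` / `#endif`, or drop the two stale `s_log` lines so the printed defaults match what is applied.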
@@ -2010,35 +2303,40 @@ #endif /* OpenSSL 0.9.8m or later */ { long unsigned tmp=parse_ssl_option(arg); - if(!tmp) + if(tmp==INVALID_SSL_OPTION) return "Illegal TLS option"; section->ssl_options_set|=tmp; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %s", "options", "NO_SSLv2"); s_log(LOG_NOTICE, "%-22s = %s", "options", "NO_SSLv3"); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = TLS option to set/reset", "options"); break; } /* protocol */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->protocol=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->protocol=str_dup_detached(new_service_options.protocol); + break; + case CMD_FREE: + str_free(section->protocol); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "protocol")) break; - section->protocol=str_dup(arg); + str_free(section->protocol); + section->protocol=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: /* PROTOCOL_CHECK also initializes: section->option.connect_before_ssl section->option.protocol_endpoint */ @@ -2055,11 +2353,9 @@ section->ssl_options_set|=SSL_OP_NO_TICKET; #endif break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = protocol to negotiate before TLS initialization", "protocol"); s_log(LOG_NOTICE, "%25scurrently supported: cifs, connect, imap,", ""); 
@@ -2069,21 +2365,27 @@ /* protocolAuthentication */ switch(cmd) { - case CMD_BEGIN: - section->protocol_authentication="basic"; + case CMD_SET_DEFAULTS: + section->protocol_authentication=str_dup_detached("basic"); break; - case CMD_EXEC: + case CMD_SET_COPY: + section->protocol_authentication= + str_dup_detached(new_service_options.protocol_authentication); + break; + case CMD_FREE: + str_free(section->protocol_authentication); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "protocolAuthentication")) break; - section->protocol_authentication=str_dup(arg); + str_free(section->protocol_authentication); + section->protocol_authentication=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = authentication type for protocol negotiations", "protocolAuthentication"); break; @@ -2091,21 +2393,27 @@ /* protocolDomain */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->protocol_domain=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->protocol_domain= + str_dup_detached(new_service_options.protocol_domain); + break; + case CMD_FREE: + str_free(section->protocol_domain); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "protocolDomain")) break; - section->protocol_domain=str_dup(arg); + str_free(section->protocol_domain); + section->protocol_domain=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = domain for protocol negotiations", "protocolDomain"); break; 
@@ -2113,21 +2421,27 @@ /* protocolHost */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->protocol_host=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->protocol_host= + str_dup_detached(new_service_options.protocol_host); + break; + case CMD_FREE: + str_free(section->protocol_host); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "protocolHost")) break; - section->protocol_host=str_dup(arg); + str_free(section->protocol_host); + section->protocol_host=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = host:port for protocol negotiations", "protocolHost"); break; @@ -2135,21 +2449,27 @@ /* protocolPassword */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->protocol_password=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->protocol_password= + str_dup_detached(new_service_options.protocol_password); + break; + case CMD_FREE: + str_free(section->protocol_password); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "protocolPassword")) break; - section->protocol_password=str_dup(arg); + str_free(section->protocol_password); + section->protocol_password=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = password for protocol negotiations", "protocolPassword"); break; 
@@ -2157,21 +2477,27 @@ /* protocolUsername */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->protocol_username=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->protocol_username= + str_dup_detached(new_service_options.protocol_username); + break; + case CMD_FREE: + str_free(section->protocol_username); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "protocolUsername")) break; - section->protocol_username=str_dup(arg); + str_free(section->protocol_username); + section->protocol_username=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = username for protocol negotiations", "protocolUsername"); break; @@ -2181,18 +2507,27 @@ /* PSKidentity */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->psk_identity=NULL; section->psk_selected=NULL; section->psk_sorted.val=NULL; section->psk_sorted.num=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->psk_identity= + str_dup_detached(new_service_options.psk_identity); + break; + case CMD_FREE: + str_free(section->psk_identity); + str_free(section->psk_sorted.val); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "PSKidentity")) break; - section->psk_identity=str_dup(arg); + str_free(section->psk_identity); + section->psk_identity=str_dup_detached(arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(!section->psk_keys) /* PSK not configured */ break; psk_sort(§ion->psk_sorted, section->psk_keys); @@ -2211,11 +2546,9 @@ "PSK identity is ignored in the server mode"); } break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = identity for PSK authentication", "PSKidentity"); break; 
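Review bot: `CMD_SET_COPY` for `PSKidentity` duplicates only `psk_identity` and leaves `psk_selected`, `psk_sorted.val` and `psk_sorted.num` untouched, while the new `CMD_FREE` case calls `str_free(section->psk_sorted.val)`. That is only safe if the section structure is zero-filled before `CMD_SET_COPY` runs, which this hunk does not show. Setting `section->psk_selected=NULL; section->psk_sorted.val=NULL; section->psk_sorted.num=0;` in `CMD_SET_COPY` removes the dependency. The same pattern appears in the `service` hunk, where `servname` is skipped in `CMD_SET_COPY` and later passed to `str_free` in `CMD_SET_VALUE`. It also appears in the `sni` hunk, where `CMD_SET_DEFAULTS` never sets `section->sni` although `CMD_SET_VALUE` and `CMD_FREE` free it.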
@@ -2223,24 +2556,27 @@ /* PSKsecrets */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->psk_keys=NULL; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->psk_keys=psk_dup(new_service_options.psk_keys); + break; + case CMD_FREE: + psk_free(section->psk_keys); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "PSKsecrets")) break; section->psk_keys=psk_read(arg); if(!section->psk_keys) return "Failed to read PSK secrets"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - psk_free(section->psk_keys); + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = secrets for PSK authentication", "PSKsecrets"); break; @@ -2251,10 +2587,15 @@ /* pty */ #ifndef USE_WIN32 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.pty=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.pty=new_service_options.option.pty; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "pty")) break; if(!strcasecmp(arg, "yes")) @@ -2264,13 +2605,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no allocate pseudo terminal for 'exec' option", "pty"); break; @@ -2279,10 +2618,19 @@ /* redirect */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + addrlist_clear(§ion->redirect_addr, 0); + break; + case CMD_SET_COPY: addrlist_clear(§ion->redirect_addr, 0); + name_list_dup(§ion->redirect_addr.names, + new_service_options.redirect_addr.names); break; - case CMD_EXEC: + case CMD_FREE: + name_list_free(section->redirect_addr.names); + str_free(section->redirect_addr.addr); + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "redirect")) break; #ifdef SSL_OP_NO_TICKET 
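Review bot: In the `PSKsecrets` hunk, `CMD_SET_VALUE` still does `section->psk_keys=psk_read(arg);` without releasing the list that `CMD_SET_COPY` now creates with `psk_dup(new_service_options.psk_keys)`. A service that overrides a global `PSKsecrets` drops the only pointer to the inherited list, so that key material is never freed, and the same happens when the option is given twice. Every string option in this commit frees before reassigning. Calling `psk_free(section->psk_keys);` ahead of `psk_read` would match that, and `CMD_FREE` already calls `psk_free` on a possibly-NULL pointer. Whether `psk_free` scrubs the keys before releasing them is not visible in this hunk and is worth checking.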
@@ -2292,26 +2640,23 @@ #endif name_list_append(§ion->redirect_addr.names, arg); return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->redirect_addr.names) { if(!section->option.delayed_lookup && !addrlist_resolve(§ion->redirect_addr)) { s_log(LOG_INFO, "Cannot resolve redirect target - delaying DNS lookup"); section->connect_addr.num=0; - str_free(section->connect_addr.names); - section->connect_addr.names=NULL; + section->redirect_addr.num=0; section->option.delayed_lookup=1; } if(!section->option.verify_chain && !section->option.verify_peer) return "Either \"verifyChain\" or \"verifyPeer\" has to be enabled for \"redirect\" to work"; } break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = [host:]port to redirect on authentication failures", "redirect"); @@ -2320,10 +2665,15 @@ /* renegotiation */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.renegotiation=1; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.renegotiation=new_service_options.option.renegotiation; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "renegotiation")) break; if(!strcasecmp(arg, "yes")) @@ -2333,13 +2683,11 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no support renegotiation", "renegotiation"); break; 
@@ -2347,10 +2695,15 @@ /* requireCert */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.require_cert=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.require_cert=new_service_options.option.require_cert; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "requireCert")) break; if(!strcasecmp(arg, "yes")) { @@ -2362,13 +2715,11 @@ return "The argument needs to be either 'yes' or 'no'"; } return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no require client certificate", "requireCert"); break; @@ -2376,10 +2727,15 @@ /* reset */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.reset=1; /* enabled by default */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.reset=new_service_options.option.reset; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "reset")) break; if(!strcasecmp(arg, "yes")) @@ -2389,24 +2745,27 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no send TCP RST on error", - "retry"); + "reset"); break; } /* retry */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.retry=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.retry=new_service_options.option.retry; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "retry")) break; if(!strcasecmp(arg, "yes")) 
@@ -2416,25 +2775,56 @@ else return "The argument needs to be either 'yes' or 'no'"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no retry connect+exec section", "retry"); break; } #ifndef USE_WIN32 + /* service */ + switch(cmd) { + case CMD_SET_DEFAULTS: + section->servname=str_dup_detached("stunnel"); + break; + case CMD_SET_COPY: + /* servname is *not* copied from the global section */ + break; + case CMD_FREE: + /* deallocation is performed at the end CMD_FREE */ + break; + case CMD_SET_VALUE: + if(strcasecmp(opt, "service")) + break; + str_free(section->servname); + section->servname=str_dup_detached(arg); + return NULL; /* OK */ + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = service name", "service"); + break; + } +#endif + +#ifndef USE_WIN32 /* setgid */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->gid=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->gid=new_service_options.gid; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "setgid")) break; gr=getgrnam(arg); @@ -2449,13 +2839,11 @@ return "Illegal GID"; } return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: + case CMD_PRINT_DEFAULTS: break; - case CMD_DEFAULT: - break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = groupname for setgid()", "setgid"); break; } @@ -2464,10 +2852,15 @@ #ifndef USE_WIN32 /* setuid */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->uid=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->uid=new_service_options.uid; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "setuid")) break; pw=getpwnam(arg); 
@@ -2482,13 +2875,11 @@ return "Illegal UID"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = username for setuid()", "setuid"); break; } @@ -2496,10 +2887,15 @@ /* sessionCacheSize */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->session_size=1000L; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->session_size=new_service_options.session_size; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "sessionCacheSize")) break; { @@ -2509,24 +2905,27 @@ return "Illegal session cache size"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %ld", "sessionCacheSize", 1000L); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = session cache size", "sessionCacheSize"); break; } /* sessionCacheTimeout */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->session_timeout=300L; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->session_timeout=new_service_options.session_timeout; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "sessionCacheTimeout") && strcasecmp(opt, "session")) break; { 
@@ -2536,186 +2935,268 @@ return "Illegal session cache timeout"; } return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: + s_log(LOG_NOTICE, "%-22s = %ld seconds", "sessionCacheTimeout", 300L); + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = session cache timeout (in seconds)", + "sessionCacheTimeout"); + break; + } + + /* sessiond */ + switch(cmd) { + case CMD_SET_DEFAULTS: + section->option.sessiond=0; + memset(§ion->sessiond_addr, 0, sizeof(SOCKADDR_UNION)); + section->sessiond_addr.in.sin_family=AF_INET; + break; + case CMD_SET_COPY: + section->option.sessiond=new_service_options.option.sessiond; + memcpy(§ion->sessiond_addr, &new_service_options.sessiond_addr, + sizeof(SOCKADDR_UNION)); break; case CMD_FREE: break; - case CMD_DEFAULT: - s_log(LOG_NOTICE, "%-22s = %ld seconds", "sessionCacheTimeout", 300L); + case CMD_SET_VALUE: + if(strcasecmp(opt, "sessiond")) + break; + section->option.sessiond=1; +#ifdef SSL_OP_NO_TICKET + /* disable RFC4507 support introduced in OpenSSL 0.9.8f */ + /* this prevents session callbacks from being executed */ + section->ssl_options_set|=SSL_OP_NO_TICKET; +#endif + if(!name2addr(§ion->sessiond_addr, arg, 0)) + return "Failed to resolve sessiond server address"; + return NULL; /* OK */ + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = [host:]port use sessiond at host:port", + "sessiond"); + break; + } + +#ifndef OPENSSL_NO_TLSEXT + /* sni */ + switch(cmd) { + case CMD_SET_DEFAULTS: + section->servername_list_head=NULL; + section->servername_list_tail=NULL; + break; + case CMD_SET_COPY: + section->sni= + str_dup_detached(new_service_options.sni); + break; + case CMD_FREE: + str_free(section->sni); + sni_free(section); + break; + case CMD_SET_VALUE: + if(strcasecmp(opt, "sni")) + break; + str_free(section->sni); + section->sni=str_dup_detached(arg); + return NULL; /* OK */ + case CMD_INITIALIZE: + { + char 
*tmp_str=sni_init(section); + if(tmp_str) + return tmp_str; + } + if(!section->option.client && section->sni) + ++endpoints; + break; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = master_service:host_name for an SNI virtual service", + "sni"); + break; + } +#endif /* !defined(OPENSSL_NO_TLSEXT) */ + + /* socket */ + switch(cmd) { + case CMD_SET_DEFAULTS: + section->sock_opts=socket_options_init(); + break; + case CMD_SET_COPY: + section->sock_opts=socket_options_dup(new_service_options.sock_opts); + break; + case CMD_FREE: + socket_options_free(section->sock_opts); + break; + case CMD_SET_VALUE: + if(strcasecmp(opt, "socket")) + break; + if(socket_option_parse(section->sock_opts, arg)) + return "Illegal socket option"; + return NULL; /* OK */ + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = a|l|r:option=value[:value]", "socket"); + s_log(LOG_NOTICE, "%25sset an option on accept/local/remote socket", ""); + break; + } + +#if OPENSSL_VERSION_NUMBER>=0x10100000L + + /* sslVersion */ + switch(cmd) { + case CMD_SET_DEFAULTS: + /* handled in sslVersionMax and sslVersionMin */ + break; + case CMD_SET_COPY: + /* handled in sslVersionMax and sslVersionMin */ + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: + if(strcasecmp(opt, "sslVersion")) + break; + section->max_proto_version= + section->min_proto_version=str_to_proto_version(arg); + if(section->max_proto_version==-1) + return "Invalid protocol version"; + return NULL; /* OK */ + case CMD_INITIALIZE: + if(section->max_proto_version && section->min_proto_version && + section->max_proto_versionmin_proto_version) + return "Invalid protocol version range"; + break; + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = session cache timeout (in seconds)", - "sessionCacheTimeout"); + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = all" + "|SSLv3|TLSv1|TLSv1.1|TLSv1.2" +#ifdef 
TLS1_3_VERSION + "|TLSv1.3" +#endif + " TLS version", "sslVersion"); break; } - /* sessiond */ + /* sslVersionMax */ switch(cmd) { - case CMD_BEGIN: - section->option.sessiond=0; - memset(§ion->sessiond_addr, 0, sizeof(SOCKADDR_UNION)); - section->sessiond_addr.in.sin_family=AF_INET; + case CMD_SET_DEFAULTS: + section->max_proto_version=0; /* highest supported */ break; - case CMD_EXEC: - if(strcasecmp(opt, "sessiond")) - break; - section->option.sessiond=1; -#ifdef SSL_OP_NO_TICKET - /* disable RFC4507 support introduced in OpenSSL 0.9.8f */ - /* this prevents session callbacks from being executed */ - section->ssl_options_set|=SSL_OP_NO_TICKET; -#endif - if(!name2addr(§ion->sessiond_addr, arg, 0)) - return "Failed to resolve sessiond server address"; - return NULL; /* OK */ - case CMD_END: + case CMD_SET_COPY: + section->max_proto_version=new_service_options.max_proto_version; break; case CMD_FREE: break; - case CMD_DEFAULT: + case CMD_SET_VALUE: + if(strcasecmp(opt, "sslVersionMax")) + break; + section->max_proto_version=str_to_proto_version(arg); + if(section->max_proto_version==-1) + return "Invalid protocol version"; + return NULL; /* OK */ + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = [host:]port use sessiond at host:port", - "sessiond"); + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = all" + "|SSLv3|TLSv1|TLSv1.1|TLSv1.2" +#ifdef TLS1_3_VERSION + "|TLSv1.3" +#endif + " TLS version", "sslVersionMax"); break; } -#ifndef OPENSSL_NO_TLSEXT - /* sni */ + /* sslVersionMin */ switch(cmd) { - case CMD_BEGIN: - section->servername_list_head=NULL; - section->servername_list_tail=NULL; - section->option.sni=0; + case CMD_SET_DEFAULTS: + section->min_proto_version=TLS1_VERSION; break; - case CMD_EXEC: - if(strcasecmp(opt, "sni")) - break; - section->sni=str_dup(arg); - return NULL; /* OK */ - case CMD_END: - { - char *tmp_str=sni_init(section); - if(tmp_str) - return tmp_str; - } - 
if(section->option.sni) - ++endpoints; + case CMD_SET_COPY: + section->min_proto_version=new_service_options.min_proto_version; break; case CMD_FREE: break; - case CMD_DEFAULT: + case CMD_SET_VALUE: + if(strcasecmp(opt, "sslVersionMin")) + break; + section->min_proto_version=str_to_proto_version(arg); + if(section->min_proto_version==-1) + return "Invalid protocol version"; + return NULL; /* OK */ + case CMD_INITIALIZE: + break; + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: - s_log(LOG_NOTICE, "%-22s = master_service:host_name for an SNI virtual service", - "sni"); + case CMD_PRINT_HELP: + s_log(LOG_NOTICE, "%-22s = all" + "|SSLv3|TLSv1|TLSv1.1|TLSv1.2" +#ifdef TLS1_3_VERSION + "|TLSv1.3" +#endif + " TLS version", "sslVersionMin"); break; } -#endif /* !defined(OPENSSL_NO_TLSEXT) */ + +#else /* OPENSSL_VERSION_NUMBER<0x10100000L */ /* sslVersion */ switch(cmd) { - case CMD_BEGIN: -#if OPENSSL_VERSION_NUMBER>=0x10100000L - section->client_method=(SSL_METHOD *)TLS_client_method(); - section->server_method=(SSL_METHOD *)TLS_server_method(); -#else - section->client_method=(SSL_METHOD *)SSLv23_client_method(); - section->server_method=(SSL_METHOD *)SSLv23_server_method(); -#endif + case CMD_SET_DEFAULTS: + tls_methods_set(section, NULL); + break; + case CMD_SET_COPY: + section->client_method=new_service_options.client_method; + section->server_method=new_service_options.server_method; + break; + case CMD_FREE: break; - case CMD_EXEC: + case CMD_SET_VALUE: if(strcasecmp(opt, "sslVersion")) break; - if(!strcasecmp(arg, "all")) { -#if OPENSSL_VERSION_NUMBER>=0x10100000L - section->client_method=(SSL_METHOD *)TLS_client_method(); - section->server_method=(SSL_METHOD *)TLS_server_method(); -#else - section->client_method=(SSL_METHOD *)SSLv23_client_method(); - section->server_method=(SSL_METHOD *)SSLv23_server_method(); -#endif -#if OPENSSL_API_COMPAT<0x10100000L - } else if(!strcasecmp(arg, "SSLv2")) { -#ifndef OPENSSL_NO_SSL2 - section->client_method=(SSL_METHOD 
*)SSLv2_client_method(); - section->server_method=(SSL_METHOD *)SSLv2_server_method(); -#else /* defined(OPENSSL_NO_SSL2) */ - return "SSLv2 not supported"; -#endif /* !defined(OPENSSL_NO_SSL2) */ - } else if(!strcasecmp(arg, "SSLv3")) { -#ifndef OPENSSL_NO_SSL3 - section->client_method=(SSL_METHOD *)SSLv3_client_method(); - section->server_method=(SSL_METHOD *)SSLv3_server_method(); -#else /* defined(OPENSSL_NO_SSL3) */ - return "SSLv3 not supported"; -#endif /* !defined(OPENSSL_NO_SSL3) */ - } else if(!strcasecmp(arg, "TLSv1")) { -#ifndef OPENSSL_NO_TLS1 - section->client_method=(SSL_METHOD *)TLSv1_client_method(); - section->server_method=(SSL_METHOD *)TLSv1_server_method(); -#else /* defined(OPENSSL_NO_TLS1) */ - return "TLSv1 not supported"; -#endif /* !defined(OPENSSL_NO_TLS1) */ - } else if(!strcasecmp(arg, "TLSv1.1")) { -#ifndef OPENSSL_NO_TLS1_1 - section->client_method=(SSL_METHOD *)TLSv1_1_client_method(); - section->server_method=(SSL_METHOD *)TLSv1_1_server_method(); -#else /* defined(OPENSSL_NO_TLS1_1) */ - return "TLSv1.1 not supported"; -#endif /* !defined(OPENSSL_NO_TLS1_1) */ - } else if(!strcasecmp(arg, "TLSv1.2")) { -#ifndef OPENSSL_NO_TLS1_2 - section->client_method=(SSL_METHOD *)TLSv1_2_client_method(); - section->server_method=(SSL_METHOD *)TLSv1_2_server_method(); -#else /* defined(OPENSSL_NO_TLS1_2) */ - return "TLSv1.2 not supported"; -#endif /* !defined(OPENSSL_NO_TLS1_2) */ -#endif /* OPENSSL_API_COMPAT<0x10100000L */ - } else - return "Incorrect version of TLS protocol"; - return NULL; /* OK */ - case CMD_END: -#ifdef USE_FIPS - if(new_global_options.option.fips) { -#ifndef OPENSSL_NO_SSL2 - if(section->option.client ? - section->client_method==(SSL_METHOD *)SSLv2_client_method() : - section->server_method==(SSL_METHOD *)SSLv2_server_method()) - return "\"sslVersion = SSLv2\" not supported in FIPS mode"; -#endif /* !defined(OPENSSL_NO_SSL2) */ -#ifndef OPENSSL_NO_SSL3 - if(section->option.client ? 
- section->client_method==(SSL_METHOD *)SSLv3_client_method() : - section->server_method==(SSL_METHOD *)SSLv3_server_method()) - return "\"sslVersion = SSLv3\" not supported in FIPS mode"; -#endif /* !defined(OPENSSL_NO_SSL3) */ + return tls_methods_set(section, arg); + case CMD_INITIALIZE: + { + char *tmp_str=tls_methods_check(section); + if(tmp_str) + return tmp_str; } -#endif /* USE_FIPS */ - break; - case CMD_FREE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = all" -#if OPENSSL_VERSION_NUMBER<0x10100000L "|SSLv2|SSLv3|TLSv1" #if OPENSSL_VERSION_NUMBER>=0x10001000L "|TLSv1.1|TLSv1.2" #endif /* OPENSSL_VERSION_NUMBER>=0x10001000L */ -#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ " TLS method", "sslVersion"); break; } +#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ + #ifndef USE_FORK /* stack */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->stack_size=DEFAULT_STACK_SIZE; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->stack_size=new_service_options.stack_size; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "stack")) break; { @@ -2725,14 +3206,12 @@ return "Illegal thread stack size"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %d bytes", "stack", DEFAULT_STACK_SIZE); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = thread stack size (in bytes)", "stack"); break; } @@ -2740,10 +3219,15 @@ /* TIMEOUTbusy */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->timeout_busy=300; /* 5 minutes */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->timeout_busy=new_service_options.timeout_busy; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "TIMEOUTbusy")) break; { 
@@ -2753,24 +3237,27 @@ return "Illegal busy timeout"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTbusy", 300); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = seconds to wait for expected data", "TIMEOUTbusy"); break; } /* TIMEOUTclose */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->timeout_close=60; /* 1 minute */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->timeout_close=new_service_options.timeout_close; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "TIMEOUTclose")) break; { @@ -2780,14 +3267,12 @@ return "Illegal close timeout"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTclose", 60); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = seconds to wait for close_notify", "TIMEOUTclose"); break; @@ -2795,10 +3280,15 @@ /* TIMEOUTconnect */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->timeout_connect=10; /* 10 seconds */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->timeout_connect=new_service_options.timeout_connect; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "TIMEOUTconnect")) break; { 
@@ -2808,24 +3298,27 @@ return "Illegal connect timeout"; } return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTconnect", 10); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = seconds to connect remote host", "TIMEOUTconnect"); break; } /* TIMEOUTidle */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->timeout_idle=43200; /* 12 hours */ break; - case CMD_EXEC: + case CMD_SET_COPY: + section->timeout_idle=new_service_options.timeout_idle; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "TIMEOUTidle")) break; { @@ -2835,14 +3328,12 @@ return "Illegal idle timeout"; return NULL; /* OK */ } - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = %d seconds", "TIMEOUTidle", 43200); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = seconds to keep an idle connection", "TIMEOUTidle"); break; } @@ -2850,11 +3341,17 @@ /* transparent */ #ifndef USE_WIN32 switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.transparent_src=0; section->option.transparent_dst=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.transparent_src=new_service_options.option.transparent_src; + section->option.transparent_dst=new_service_options.option.transparent_dst; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "transparent")) break; if(!strcasecmp(arg, "none") || !strcasecmp(arg, "no")) { 
@@ -2872,15 +3369,13 @@ } else return "Selected transparent proxy mode is not available"; return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if(section->option.transparent_dst) ++endpoints; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = none|source|destination|both transparent proxy mode", "transparent"); @@ -2890,10 +3385,15 @@ /* verify */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.request_cert=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.request_cert=new_service_options.option.request_cert; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "verify")) break; { @@ -2907,17 +3407,15 @@ section->option.verify_peer=(tmp_int>=3); } return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: if((section->option.verify_chain || section->option.verify_peer) && !section->ca_file && !section->ca_dir) return "Either \"CAfile\" or \"CApath\" has to be configured"; break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: s_log(LOG_NOTICE, "%-22s = none", "verify"); break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = level of peer certificate verification", "verify"); s_log(LOG_NOTICE, @@ -2935,10 +3433,15 @@ /* verifyChain */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.verify_chain=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.verify_chain=new_service_options.option.verify_chain; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "verifyChain")) break; if(!strcasecmp(arg, "yes")) { 
@@ -2951,13 +3454,11 @@ return "The argument needs to be either 'yes' or 'no'"; } return NULL; /* OK */ - case CMD_END: + case CMD_INITIALIZE: break; - case CMD_FREE: - break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no verify certificate chain", "verifyChain"); break; @@ -2965,10 +3466,15 @@ /* verifyPeer */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: section->option.verify_peer=0; break; - case CMD_EXEC: + case CMD_SET_COPY: + section->option.verify_peer=new_service_options.option.verify_peer; + break; + case CMD_FREE: + break; + case CMD_SET_VALUE: if(strcasecmp(opt, "verifyPeer")) break; if(!strcasecmp(arg, "yes")) { @@ -2981,13 +3487,11 @@ return "The argument needs to be either 'yes' or 'no'"; } return NULL; /* OK */ - case CMD_END: - break; - case CMD_FREE: + case CMD_INITIALIZE: break; - case CMD_DEFAULT: + case CMD_PRINT_DEFAULTS: break; - case CMD_HELP: + case CMD_PRINT_HELP: s_log(LOG_NOTICE, "%-22s = yes|no verify peer certificate", "verifyPeer"); break; 
@@ -2995,27 +3499,42 @@ /* final checks */ switch(cmd) { - case CMD_BEGIN: + case CMD_SET_DEFAULTS: + break; + case CMD_SET_COPY: break; - case CMD_EXEC: + case CMD_FREE: + str_free(section->chain); + if(section->session) + SSL_SESSION_free(section->session); + if(section->ctx) + SSL_CTX_free(section->ctx); + str_free(section->servname); + if(section==&service_options) + memset(section, 0, sizeof(SERVICE_OPTIONS)); + else + str_free(section); + break; + case CMD_SET_VALUE: return option_not_found; - case CMD_END: - if(new_service_options.next) { /* daemon mode checks */ + case CMD_INITIALIZE: + if(section!=&new_service_options) { /* daemon mode checks */ if(endpoints!=2) return "Each service must define two endpoints"; } else { /* inetd mode checks */ if(section->option.accept) return "'accept' option is only allowed in a [section]"; - /* no need to check for section->option.sni in inetd mode, + /* no need to check for section->sni in inetd mode, as it requires valid sections to be set */ if(endpoints!=1) return "Inetd mode must define one endpoint"; } if(context_init(section)) /* initialize TLS context */ return "Failed to initialize TLS context"; - case CMD_FREE: - case CMD_DEFAULT: - case CMD_HELP: + break; + case CMD_PRINT_DEFAULTS: + break; + case CMD_PRINT_HELP: break; } @@ -3025,6 +3544,7 @@ /**************************************** validate and initialize configuration */ #ifndef OPENSSL_NO_TLSEXT + NOEXPORT char *sni_init(SERVICE_OPTIONS *section) { char *tmp_str; SERVICE_OPTIONS *tmpsrv; 
@@ -3043,19 +3563,21 @@ if(tmpsrv->option.client) return "SNI master service is a TLS client"; if(tmpsrv->servername_list_tail) { - tmpsrv->servername_list_tail->next=str_alloc(sizeof(SERVERNAME_LIST)); + tmpsrv->servername_list_tail->next=str_alloc_detached(sizeof(SERVERNAME_LIST)); tmpsrv->servername_list_tail=tmpsrv->servername_list_tail->next; } else { /* first virtual service */ tmpsrv->servername_list_head= tmpsrv->servername_list_tail= - str_alloc(sizeof(SERVERNAME_LIST)); + str_alloc_detached(sizeof(SERVERNAME_LIST)); tmpsrv->ssl_options_set|= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; } - tmpsrv->servername_list_tail->servername=str_dup(tmp_str); + /* a slave section reference is needed to prevent a race condition + while switching to a section after configuration file reload */ + service_up_ref(section); + tmpsrv->servername_list_tail->servername=str_dup_detached(tmp_str); tmpsrv->servername_list_tail->opt=section; tmpsrv->servername_list_tail->next=NULL; - section->option.sni=1; /* always negotiate a new session on renegotiation, as the TLS * context settings (including access control) may be different */ section->ssl_options_set|= 
@@ -3066,23 +3588,142 @@ if(section->option.client && !section->sni) { /* setup host_name for SNI, prefer SNI and protocolHost if specified */ if(section->protocol_host) /* 'protocolHost' option */ - section->sni=str_dup(section->protocol_host); + section->sni=str_dup_detached(section->protocol_host); else if(section->connect_addr.names) /* 'connect' option */ - section->sni=str_dup(section->connect_addr.names->name); /* first hostname */ + section->sni=str_dup_detached(section->connect_addr.names->name); /* first hostname */ if(section->sni) { /* either 'protocolHost' or 'connect' specified */ tmp_str=strrchr(section->sni, ':'); if(tmp_str) { /* 'host:port' -> drop ':port' */ *tmp_str='\0'; } else { /* 'port' -> default to 'localhost' */ str_free(section->sni); - section->sni=str_dup("localhost"); + section->sni=str_dup_detached("localhost"); } } } return NULL; } + +NOEXPORT void sni_free(SERVICE_OPTIONS *section) { + SERVERNAME_LIST *curr=section->servername_list_head; + while(curr) { + SERVERNAME_LIST *next=curr->next; + str_free(curr->servername); + service_free(curr->opt); /* free the slave section */ + str_free(curr); + curr=next; + } + section->servername_list_head=NULL; + section->servername_list_tail=NULL; +} + #endif /* !defined(OPENSSL_NO_TLSEXT) */ +/**************************************** modern TLS version handling */ + +#if OPENSSL_VERSION_NUMBER>=0x10100000L + +NOEXPORT int str_to_proto_version(const char *name) { + if(!strcasecmp(name, "all")) + return 0; + if(!strcasecmp(name, "SSLv3")) + return SSL3_VERSION; + if(!strcasecmp(name, "TLSv1")) + return TLS1_VERSION; + if(!strcasecmp(name, "TLSv1.1")) + return TLS1_1_VERSION; + if(!strcasecmp(name, "TLSv1.2")) + return TLS1_2_VERSION; +#ifdef TLS1_3_VERSION + if(!strcasecmp(name, "TLSv1.3")) + return TLS1_3_VERSION; +#endif + return -1; +} + +/**************************************** deprecated TLS version handling */ + +#else /* OPENSSL_VERSION_NUMBER<0x10100000L */ + +#ifdef __GNUC__ +#pragma GCC 
diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +#endif /* __GNUC__ */ + +NOEXPORT char *tls_methods_set(SERVICE_OPTIONS *section, const char *arg) { + if(!arg) { /* defaults */ + section->client_method=(SSL_METHOD *)SSLv23_client_method(); + section->server_method=(SSL_METHOD *)SSLv23_server_method(); + } else if(!strcasecmp(arg, "all")) { + section->client_method=(SSL_METHOD *)SSLv23_client_method(); + section->server_method=(SSL_METHOD *)SSLv23_server_method(); + } else if(!strcasecmp(arg, "SSLv2")) { +#ifndef OPENSSL_NO_SSL2 + section->client_method=(SSL_METHOD *)SSLv2_client_method(); + section->server_method=(SSL_METHOD *)SSLv2_server_method(); +#else /* OPENSSL_NO_SSL2 */ + return "SSLv2 not supported"; +#endif /* !OPENSSL_NO_SSL2 */ + } else if(!strcasecmp(arg, "SSLv3")) { +#ifndef OPENSSL_NO_SSL3 + section->client_method=(SSL_METHOD *)SSLv3_client_method(); + section->server_method=(SSL_METHOD *)SSLv3_server_method(); +#else /* OPENSSL_NO_SSL3 */ + return "SSLv3 not supported"; +#endif /* !OPENSSL_NO_SSL3 */ + } else if(!strcasecmp(arg, "TLSv1")) { +#ifndef OPENSSL_NO_TLS1 + section->client_method=(SSL_METHOD *)TLSv1_client_method(); + section->server_method=(SSL_METHOD *)TLSv1_server_method(); +#else /* OPENSSL_NO_TLS1 */ + return "TLSv1 not supported"; +#endif /* !OPENSSL_NO_TLS1 */ + } else if(!strcasecmp(arg, "TLSv1.1")) { +#ifndef OPENSSL_NO_TLS1_1 + section->client_method=(SSL_METHOD *)TLSv1_1_client_method(); + section->server_method=(SSL_METHOD *)TLSv1_1_server_method(); +#else /* OPENSSL_NO_TLS1_1 */ + return "TLSv1.1 not supported"; +#endif /* !OPENSSL_NO_TLS1_1 */ + } else if(!strcasecmp(arg, "TLSv1.2")) { +#ifndef OPENSSL_NO_TLS1_2 + section->client_method=(SSL_METHOD *)TLSv1_2_client_method(); + section->server_method=(SSL_METHOD *)TLSv1_2_server_method(); +#else /* OPENSSL_NO_TLS1_2 */ + return "TLSv1.2 not supported"; +#endif /* !OPENSSL_NO_TLS1_2 */ + } else + return "Incorrect version of TLS protocol"; + return 
NULL; /* OK */ +} + +NOEXPORT char *tls_methods_check(SERVICE_OPTIONS *section) { + (void)section; /* squash the unused parameter warning */ +#ifdef USE_FIPS + if(new_global_options.option.fips) { +#ifndef OPENSSL_NO_SSL2 + if(section->option.client ? + section->client_method==(SSL_METHOD *)SSLv2_client_method() : + section->server_method==(SSL_METHOD *)SSLv2_server_method()) + return "\"sslVersion = SSLv2\" not supported in FIPS mode"; +#endif /* !OPENSSL_NO_SSL2 */ +#ifndef OPENSSL_NO_SSL3 + if(section->option.client ? + section->client_method==(SSL_METHOD *)SSLv3_client_method() : + section->server_method==(SSL_METHOD *)SSLv3_server_method()) + return "\"sslVersion = SSLv3\" not supported in FIPS mode"; +#endif /* !OPENSSL_NO_SSL3 */ + } +#endif /* USE_FIPS */ + return NULL; +} + +#ifdef __GNUC__ +#pragma GCC diagnostic pop +#endif /* __GNUC__ */ + +#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ + /**************************************** facility/debug level */ typedef struct { @@ -3091,8 +3732,6 @@ } facilitylevel; NOEXPORT char *parse_debug_level(char *arg, SERVICE_OPTIONS *section) { - char *arg_copy; - char *string; facilitylevel *fl; /* facilities only make sense on unix */ 
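Review bot: `str_to_proto_version()` has three kinds of result and none is documented: 0 for "all", a protocol constant for a known name, and -1 for anything else. "TLSv1.3" also yields -1 when the headers lack `TLS1_3_VERSION`. I would add a header comment such as `/* returns 0 for "all" (no version bound), -1 for an unknown or unsupported name */`. The callers are outside this hunk, so please confirm that each of them rejects -1 before the value reaches the OpenSSL version-bound setters.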
@@ -3127,36 +3766,33 @@ {NULL, -1} }; - arg_copy=str_dup(arg); - string=arg_copy; - /* facilities only make sense on Unix */ #if !defined (USE_WIN32) && !defined (__vms) - if(section==&new_service_options && strchr(string, '.')) { + if(section==&new_service_options && strchr(arg, '.')) { /* a facility was specified in the global options */ new_global_options.log_facility=-1; - string=strtok(arg_copy, "."); /* break it up */ + arg=strtok(arg, "."); /* break it up */ for(fl=facilities; fl->name; ++fl) { - if(!strcasecmp(fl->name, string)) { + if(!strcasecmp(fl->name, arg)) { new_global_options.log_facility=fl->value; break; } } if(new_global_options.log_facility==-1) return "Illegal syslog facility"; - string=strtok(NULL, "."); /* set to the remainder */ + arg=strtok(NULL, "."); /* set to the remainder */ } #endif /* USE_WIN32, __vms */ /* time to check the syslog level */ - if(string && strlen(string)==1 && *string>='0' && *string<='7') { - section->log_level=*string-'0'; + if(arg && strlen(arg)==1 && *arg>='0' && *arg<='7') { + section->log_level=*arg-'0'; return NULL; /* OK */ } section->log_level=8; /* illegal level */ for(fl=levels; fl->name; ++fl) { - if(!strcasecmp(fl->name, string)) { + if(!strcasecmp(fl->name, arg)) { section->log_level=fl->value; break; } @@ -3174,7 +3810,7 @@ for(option=(SSL_OPTION *)ssl_opts; option->name; ++option) if(!strcasecmp(option->name, arg)) return option->value; - return 0; /* FAILED */ + return INVALID_SSL_OPTION; /* FAILED */ } NOEXPORT void print_ssl_options(void) { @@ -3193,7 +3829,7 @@ NOEXPORT PSK_KEYS *psk_read(char *key_file) { DISK_FILE *df; char line[CONFLINELEN], *key_val; - size_t key_len; + unsigned key_len; PSK_KEYS *head=NULL, *tail=NULL, *curr; int line_number=0; 
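Review bot: In `parse_debug_level()`, an argument with a facility but nothing after the dot (for example `daemon.`) makes `arg=strtok(NULL, ".")` return NULL. The single-digit test is guarded with `arg &&`, but the loop over `levels` then calls `strcasecmp(fl->name, arg)` with a NULL pointer. I would add a guard right after the facility block, e.g. `if(!arg) return "Illegal debug argument";` (wording of the message to match whatever the function returns at its end, which lies outside this hunk). Also note that dropping `arg_copy` means `strtok()` now writes into the caller's buffer, which deserves a one-line comment on the function.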
@@ -3218,7 +3854,7 @@ return NULL; } *key_val++='\0'; - key_len=strlen(key_val); + key_len=(unsigned)strlen(key_val); if(strlen(line)+1>PSK_MAX_IDENTITY_LEN) { /* with the trailing '\0' */ s_log(LOG_ERR, "PSKsecrets line %d: Identity longer than %d characters", @@ -3244,9 +3880,9 @@ psk_free(head); return NULL; } - curr=str_alloc(sizeof(PSK_KEYS)); - curr->identity=str_dup(line); - curr->key_val=(unsigned char *)str_dup(key_val); + curr=str_alloc_detached(sizeof(PSK_KEYS)); + curr->identity=str_dup_detached(line); + curr->key_val=(unsigned char *)str_dup_detached(key_val); curr->key_len=key_len; curr->next=NULL; if(head) @@ -3259,11 +3895,27 @@ return head; } -NOEXPORT void psk_free(PSK_KEYS *head) { - PSK_KEYS *next; +NOEXPORT PSK_KEYS *psk_dup(PSK_KEYS *src) { + PSK_KEYS *head=NULL, *tail=NULL, *curr; + + while(src) { + curr=str_alloc_detached(sizeof(PSK_KEYS)); + curr->identity=str_dup_detached(src->identity); + curr->key_val=(unsigned char *)str_dup_detached((char *)src->key_val); + curr->key_len=src->key_len; + curr->next=NULL; + if(head) + tail->next=curr; + else + head=curr; + tail=curr; + } + return head; +} +NOEXPORT void psk_free(PSK_KEYS *head) { while(head) { - next=head->next; + PSK_KEYS *next=head->next; str_free(head->identity); str_free(head->key_val); str_free(head); 
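Review bot: The new `psk_dup()` never advances `src` inside `while(src) { ... }`. For any non-empty key list it therefore keeps allocating copies of the first entry and does not terminate. The loop header should step through the list, e.g. `for(; src; src=src->next) {`. As a secondary point, `psk_free()` releases `key_val` with `str_free()` without clearing it first; whether `str_free()` wipes the buffer is not visible here, so that is worth confirming for key material.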
@@ -3275,104 +3927,146 @@ /**************************************** socket options */ -static int on=1; -#define DEF_ON ((void *)&on) +#define VAL_TAB {NULL, NULL, NULL} -SOCK_OPT *sock_opts=NULL, sock_opts_def[]= { - {"SO_DEBUG", SOL_SOCKET, SO_DEBUG, TYPE_FLAG, {NULL, NULL, NULL}}, - {"SO_DONTROUTE", SOL_SOCKET, SO_DONTROUTE, TYPE_FLAG, {NULL, NULL, NULL}}, - {"SO_KEEPALIVE", SOL_SOCKET, SO_KEEPALIVE, TYPE_FLAG, {NULL, NULL, NULL}}, - {"SO_LINGER", SOL_SOCKET, SO_LINGER, TYPE_LINGER, {NULL, NULL, NULL}}, - {"SO_OOBINLINE", SOL_SOCKET, SO_OOBINLINE, TYPE_FLAG, {NULL, NULL, NULL}}, - {"SO_RCVBUF", SOL_SOCKET, SO_RCVBUF, TYPE_INT, {NULL, NULL, NULL}}, - {"SO_SNDBUF", SOL_SOCKET, SO_SNDBUF, TYPE_INT, {NULL, NULL, NULL}}, +SOCK_OPT sock_opts_def[]={ + {"SO_DEBUG", SOL_SOCKET, SO_DEBUG, TYPE_FLAG, VAL_TAB}, + {"SO_DONTROUTE", SOL_SOCKET, SO_DONTROUTE, TYPE_FLAG, VAL_TAB}, + {"SO_KEEPALIVE", SOL_SOCKET, SO_KEEPALIVE, TYPE_FLAG, VAL_TAB}, + {"SO_LINGER", SOL_SOCKET, SO_LINGER, TYPE_LINGER, VAL_TAB}, + {"SO_OOBINLINE", SOL_SOCKET, SO_OOBINLINE, TYPE_FLAG, VAL_TAB}, + {"SO_RCVBUF", SOL_SOCKET, SO_RCVBUF, TYPE_INT, VAL_TAB}, + {"SO_SNDBUF", SOL_SOCKET, SO_SNDBUF, TYPE_INT, VAL_TAB}, #ifdef SO_RCVLOWAT - {"SO_RCVLOWAT", SOL_SOCKET, SO_RCVLOWAT, TYPE_INT, {NULL, NULL, NULL}}, + {"SO_RCVLOWAT", SOL_SOCKET, SO_RCVLOWAT, TYPE_INT, VAL_TAB}, #endif #ifdef SO_SNDLOWAT - {"SO_SNDLOWAT", SOL_SOCKET, SO_SNDLOWAT, TYPE_INT, {NULL, NULL, NULL}}, + {"SO_SNDLOWAT", SOL_SOCKET, SO_SNDLOWAT, TYPE_INT, VAL_TAB}, #endif #ifdef SO_RCVTIMEO - {"SO_RCVTIMEO", SOL_SOCKET, SO_RCVTIMEO, TYPE_TIMEVAL, {NULL, NULL, NULL}}, + {"SO_RCVTIMEO", SOL_SOCKET, SO_RCVTIMEO, TYPE_TIMEVAL, VAL_TAB}, #endif #ifdef SO_SNDTIMEO - {"SO_SNDTIMEO", SOL_SOCKET, SO_SNDTIMEO, TYPE_TIMEVAL, {NULL, NULL, NULL}}, + {"SO_SNDTIMEO", SOL_SOCKET, SO_SNDTIMEO, TYPE_TIMEVAL, VAL_TAB}, #endif #ifdef USE_WIN32 - {"SO_EXCLUSIVEADDRUSE", SOL_SOCKET, SO_EXCLUSIVEADDRUSE, TYPE_FLAG, {DEF_ON, NULL, NULL}}, - {"SO_REUSEADDR", 
SOL_SOCKET, SO_REUSEADDR, TYPE_FLAG, {NULL, NULL, NULL}}, -#else - {"SO_REUSEADDR", SOL_SOCKET, SO_REUSEADDR, TYPE_FLAG, {DEF_ON, NULL, NULL}}, + {"SO_EXCLUSIVEADDRUSE", SOL_SOCKET, SO_EXCLUSIVEADDRUSE, TYPE_FLAG, VAL_TAB}, #endif + {"SO_REUSEADDR", SOL_SOCKET, SO_REUSEADDR, TYPE_FLAG, VAL_TAB}, #ifdef SO_BINDTODEVICE - {"SO_BINDTODEVICE", SOL_SOCKET, SO_BINDTODEVICE, TYPE_STRING, {NULL, NULL, NULL}}, + {"SO_BINDTODEVICE", SOL_SOCKET, SO_BINDTODEVICE, TYPE_STRING, VAL_TAB}, #endif #ifdef SOL_TCP #ifdef TCP_KEEPCNT - {"TCP_KEEPCNT", SOL_TCP, TCP_KEEPCNT, TYPE_INT, {NULL, NULL, NULL}}, + {"TCP_KEEPCNT", SOL_TCP, TCP_KEEPCNT, TYPE_INT, VAL_TAB}, #endif #ifdef TCP_KEEPIDLE - {"TCP_KEEPIDLE", SOL_TCP, TCP_KEEPIDLE, TYPE_INT, {NULL, NULL, NULL}}, + {"TCP_KEEPIDLE", SOL_TCP, TCP_KEEPIDLE, TYPE_INT, VAL_TAB}, #endif #ifdef TCP_KEEPINTVL - {"TCP_KEEPINTVL", SOL_TCP, TCP_KEEPINTVL, TYPE_INT, {NULL, NULL, NULL}}, + {"TCP_KEEPINTVL", SOL_TCP, TCP_KEEPINTVL, TYPE_INT, VAL_TAB}, #endif #endif /* SOL_TCP */ #ifdef IP_TOS - {"IP_TOS", IPPROTO_IP, IP_TOS, TYPE_INT, {NULL, NULL, NULL}}, + {"IP_TOS", IPPROTO_IP, IP_TOS, TYPE_INT, VAL_TAB}, #endif #ifdef IP_TTL - {"IP_TTL", IPPROTO_IP, IP_TTL, TYPE_INT, {NULL, NULL, NULL}}, + {"IP_TTL", IPPROTO_IP, IP_TTL, TYPE_INT, VAL_TAB}, #endif #ifdef IP_MAXSEG - {"TCP_MAXSEG", IPPROTO_TCP, TCP_MAXSEG, TYPE_INT, {NULL, NULL, NULL}}, + {"TCP_MAXSEG", IPPROTO_TCP, TCP_MAXSEG, TYPE_INT, VAL_TAB}, #endif - {"TCP_NODELAY", IPPROTO_TCP, TCP_NODELAY, TYPE_FLAG, {NULL, DEF_ON, DEF_ON}}, + {"TCP_NODELAY", IPPROTO_TCP, TCP_NODELAY, TYPE_FLAG, VAL_TAB}, #ifdef IP_FREEBIND - {"IP_FREEBIND", IPPROTO_IP, IP_FREEBIND, TYPE_FLAG, {NULL, NULL, NULL}}, + {"IP_FREEBIND", IPPROTO_IP, IP_FREEBIND, TYPE_FLAG, VAL_TAB}, #endif #ifdef IP_BINDANY - {"IP_BINDANY", IPPROTO_IP, IP_BINDANY, TYPE_FLAG, {NULL, NULL, NULL}}, + {"IP_BINDANY", IPPROTO_IP, IP_BINDANY, TYPE_FLAG, VAL_TAB}, #endif #ifdef IPV6_BINDANY - {"IPV6_BINDANY", IPPROTO_IPV6, IPV6_BINDANY, TYPE_FLAG, {NULL, 
NULL, NULL}}, + {"IPV6_BINDANY", IPPROTO_IPV6, IPV6_BINDANY, TYPE_FLAG, VAL_TAB}, #endif #ifdef IPV6_V6ONLY - {"IPV6_V6ONLY", IPPROTO_IPV6, IPV6_V6ONLY, TYPE_FLAG, {NULL, NULL, NULL}}, + {"IPV6_V6ONLY", IPPROTO_IPV6, IPV6_V6ONLY, TYPE_FLAG, VAL_TAB}, #endif - {NULL, 0, 0, TYPE_NONE, {NULL, NULL, NULL}} + {NULL, 0, 0, TYPE_NONE, VAL_TAB} }; -NOEXPORT void init_socket_options(void) { +NOEXPORT SOCK_OPT *socket_options_init(void) { #ifdef USE_WIN32 DWORD version; int major, minor; - SOCK_OPT *ptr; +#endif + SOCK_OPT *opt=str_alloc_detached(sizeof sock_opts_def); + memcpy(opt, sock_opts_def, sizeof sock_opts_def); + +#ifdef USE_WIN32 version=GetVersion(); major=LOBYTE(LOWORD(version)); minor=HIBYTE(LOWORD(version)); s_log(LOG_DEBUG, "Running on Windows %d.%d", major, minor); - for(ptr=sock_opts_def; ptr->opt_str; ++ptr) - if(ptr->opt_level==SOL_SOCKET && ptr->opt_name==SO_EXCLUSIVEADDRUSE) - ptr->opt_val[0]=major>5 ? DEF_ON : NULL; /* Vista or later */ + if(major>5) /* Vista or later */ + socket_option_set_int(opt, "SO_EXCLUSIVEADDRUSE", 0, 1); /* accepting socket */ +#else + socket_option_set_int(opt, "SO_REUSEADDR", 0, 1); /* accepting socket */ #endif + socket_option_set_int(opt, "TCP_NODELAY", 1, 1); /* local socket */ + socket_option_set_int(opt, "TCP_NODELAY", 2, 1); /* remote socket */ + return opt; +} + +NOEXPORT void socket_option_set_int(SOCK_OPT *opt, char *name, int type, int value) { + for(; opt->opt_str; ++opt) { + if(!strcmp(name, opt->opt_str)) { + opt->opt_val[type]=str_alloc_detached(sizeof(OPT_UNION)); + opt->opt_val[type]->i_val=value; + } + } +} + +NOEXPORT SOCK_OPT *socket_options_dup(SOCK_OPT *src) { + SOCK_OPT *dst=str_alloc_detached(sizeof sock_opts_def); + SOCK_OPT *ptr; + + memcpy(dst, sock_opts_def, sizeof sock_opts_def); + for(ptr=dst; src->opt_str; ++src, ++ptr) { + int type; + for(type=0; type<3; ++type) { + if(src->opt_val[type]) { + ptr->opt_val[type]=str_alloc_detached(sizeof(OPT_UNION)); + memcpy(ptr->opt_val[type], + 
src->opt_val[type], sizeof(OPT_UNION)); + } + } + } + return dst; +} - if(!sock_opts) - sock_opts=str_alloc_detached(sizeof sock_opts_def); - memcpy(sock_opts, sock_opts_def, sizeof sock_opts_def); +NOEXPORT void socket_options_free(SOCK_OPT *opt) { + SOCK_OPT *ptr; + if(!opt) { + s_log(LOG_ERR, "INTERNAL ERROR: Socket options not initialized"); + return; + } + for(ptr=opt; ptr->opt_str; ++ptr) { + int type; + for(type=0; type<3; ++type) + str_free(ptr->opt_val[type]); + } + str_free(opt); } -NOEXPORT int print_socket_options(void) { +NOEXPORT int socket_options_print(void) { + SOCK_OPT *opt, *ptr; SOCKET fd; socklen_t optlen; - SOCK_OPT *ptr; OPT_UNION val; char *ta, *tl, *tr, *td; fd=socket(AF_INET, SOCK_STREAM, 0); - init_socket_options(); + opt=socket_options_init(); s_log(LOG_NOTICE, " "); s_log(LOG_NOTICE, "Socket option defaults:"); @@ -3380,7 +4074,7 @@ " Option Name | Accept | Local | Remote |OS default"); s_log(LOG_NOTICE, " --------------------+----------+----------+----------+----------"); - for(ptr=sock_opts; ptr->opt_str; ++ptr) { + for(ptr=opt; ptr->opt_str; ++ptr) { /* get OS default value */ optlen=sizeof val; if(getsockopt(fd, ptr->opt_level, 
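Review bot: The `TCP_MAXSEG` entry of `sock_opts_def[]` is still guarded by `#ifdef IP_MAXSEG` while the entry itself uses `TCP_MAXSEG`. To my knowledge the usual socket headers define no `IP_MAXSEG`, so the option is probably compiled out on every platform; the guard should read `#ifdef TCP_MAXSEG`. Separately, `socket_option_set_int()` does nothing when `name` matches no table entry, so a typo in one of the default names would drop that default without any diagnostic. A `LOG_ERR` for the not-found case, like the one in `socket_options_free()`, would make that visible.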
@@ -3397,21 +4091,22 @@ return 1; /* FAILED */ } } else - td=print_option(ptr->opt_type, &val); + td=socket_option_text(ptr->opt_type, &val); /* get stunnel default values */ - ta=print_option(ptr->opt_type, ptr->opt_val[0]); - tl=print_option(ptr->opt_type, ptr->opt_val[1]); - tr=print_option(ptr->opt_type, ptr->opt_val[2]); + ta=socket_option_text(ptr->opt_type, ptr->opt_val[0]); + tl=socket_option_text(ptr->opt_type, ptr->opt_val[1]); + tr=socket_option_text(ptr->opt_type, ptr->opt_val[2]); /* print collected data and fee the memory */ s_log(LOG_NOTICE, " %-20s|%10s|%10s|%10s|%10s", ptr->opt_str, ta, tl, tr, td); str_free(ta); str_free(tl); str_free(tr); str_free(td); } + socket_options_free(opt); closesocket(fd); return 0; /* OK */ } -NOEXPORT char *print_option(int type, OPT_UNION *val) { +NOEXPORT char *socket_option_text(VAL_TYPE type, OPT_UNION *val) { if(!val) return str_dup(" -- "); switch(type) { @@ -3427,14 +4122,16 @@ (int)val->timeval_val.tv_sec, (int)val->timeval_val.tv_usec); case TYPE_STRING: return str_printf("%s", val->c_val); + case TYPE_NONE: + return str_dup(" none "); /* internal error? */ } return str_dup(" Ooops? "); /* internal error? */ } -NOEXPORT int parse_socket_option(char *arg) { +NOEXPORT int socket_option_parse(SOCK_OPT *opt, char *arg) { int socket_type; /* 0-accept, 1-local, 2-remote */ char *opt_val_str, *opt_val2_str, *tmp_str; - SOCK_OPT *ptr; + OPT_UNION opt_val; if(arg[1]!=':') return 1; /* FAILED */ 
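Review bot: The early `return 1; /* FAILED */` at the top of this hunk now leaves `socket_options_print()` without releasing `opt`. An earlier hunk allocates it with `socket_options_init()`, and `socket_options_free(opt);` is added only on the success path. I would add `socket_options_free(opt);` before that `return 1;`. The lines leading to the early return are outside this hunk, so please check that no other exit path has the same gap.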
@@ -3453,72 +4150,72 @@ if(!opt_val_str) /* no '='? */ return 1; /* FAILED */ *opt_val_str++='\0'; - ptr=sock_opts; - for(;;) { - if(!ptr->opt_str) - return 1; /* FAILED */ - if(!strcmp(arg, ptr->opt_str)) - break; /* option name found */ - ++ptr; - } - ptr->opt_val[socket_type]=str_alloc(sizeof(OPT_UNION)); - switch(ptr->opt_type) { + + for(; opt->opt_str && strcmp(arg, opt->opt_str); ++opt) + ; + if(!opt->opt_str) + return 1; /* FAILED */ + + switch(opt->opt_type) { case TYPE_FLAG: if(!strcasecmp(opt_val_str, "yes") || !strcmp(opt_val_str, "1")) { - ptr->opt_val[socket_type]->i_val=1; - return 0; /* OK */ + opt_val.i_val=1; + break; /* OK */ } if(!strcasecmp(opt_val_str, "no") || !strcmp(opt_val_str, "0")) { - ptr->opt_val[socket_type]->i_val=0; - return 0; /* OK */ + opt_val.i_val=0; + break; /* OK */ } return 1; /* FAILED */ case TYPE_INT: - ptr->opt_val[socket_type]->i_val=(int)strtol(opt_val_str, &tmp_str, 10); + opt_val.i_val=(int)strtol(opt_val_str, &tmp_str, 10); if(tmp_str==arg || *tmp_str) /* not a number */ return 1; /* FAILED */ - return 0; /* OK */ + break; /* OK */ case TYPE_LINGER: opt_val2_str=strchr(opt_val_str, ':'); if(opt_val2_str) { *opt_val2_str++='\0'; - ptr->opt_val[socket_type]->linger_val.l_linger= + opt_val.linger_val.l_linger= (u_short)strtol(opt_val2_str, &tmp_str, 10); if(tmp_str==arg || *tmp_str) /* not a number */ return 1; /* FAILED */ } else { - ptr->opt_val[socket_type]->linger_val.l_linger=0; + opt_val.linger_val.l_linger=0; } - ptr->opt_val[socket_type]->linger_val.l_onoff= + opt_val.linger_val.l_onoff= (u_short)strtol(opt_val_str, &tmp_str, 10); if(tmp_str==arg || *tmp_str) /* not a number */ return 1; /* FAILED */ - return 0; /* OK */ + break; /* OK */ case TYPE_TIMEVAL: opt_val2_str=strchr(opt_val_str, ':'); if(opt_val2_str) { *opt_val2_str++='\0'; - ptr->opt_val[socket_type]->timeval_val.tv_usec= + opt_val.timeval_val.tv_usec= (int)strtol(opt_val2_str, &tmp_str, 10); if(tmp_str==arg || *tmp_str) /* not a number */ return 1; 
/* FAILED */ } else { - ptr->opt_val[socket_type]->timeval_val.tv_usec=0; + opt_val.timeval_val.tv_usec=0; } - ptr->opt_val[socket_type]->timeval_val.tv_sec= + opt_val.timeval_val.tv_sec= (int)strtol(opt_val_str, &tmp_str, 10); if(tmp_str==arg || *tmp_str) /* not a number */ return 1; /* FAILED */ - return 0; /* OK */ + break; /* OK */ case TYPE_STRING: if(strlen(opt_val_str)+1>sizeof(OPT_UNION)) return 1; /* FAILED */ - strcpy(ptr->opt_val[socket_type]->c_val, opt_val_str); - return 0; /* OK */ + strcpy(opt_val.c_val, opt_val_str); + break; /* OK */ default: - ; /* ANSI C compiler needs it */ + return 1; /* FAILED */ } - return 1; /* FAILED */ + str_free(opt->opt_val[socket_type]); + opt->opt_val[socket_type]=str_alloc_detached(sizeof(OPT_UNION)); + memcpy(opt->opt_val[socket_type], &opt_val, sizeof(OPT_UNION)); + return 0; } /**************************************** OCSP */ @@ -3688,6 +4385,41 @@ #endif /* !defined(OPENSSL_NO_ENGINE) */ +/**************************************** include config directory */ + +NOEXPORT char *include_config(char *directory, SERVICE_OPTIONS **section_ptr) { + struct dirent **namelist; + int i, num, err=0; + + num=scandir(directory, &namelist, NULL, alphasort); + if(num<0) { + ioerror("scandir"); + return "Failed to include directory"; + } + for(i=0; id_name); + if(!stat(name, &sb) && S_ISREG(sb.st_mode)) + err=options_file(name, CONF_FILE, section_ptr); + else + s_log(LOG_DEBUG, "\"%s\" is not a file", name); + str_free(name); + } + free(namelist[i]); + } + free(namelist); + if(err) + return "Failed to include a file"; + return NULL; +} + /**************************************** fatal error */ NOEXPORT void print_syntax(void) { 
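Review bot: The numeric branches of `socket_option_parse()` still test `tmp_str==arg` after `strtol()`, but the string being converted is `opt_val_str` or `opt_val2_str`, so that comparison can never be true. An empty value therefore passes the check and is stored as 0. The tests should compare against the converted string, e.g. `if(tmp_str==opt_val_str || *tmp_str)` and `if(tmp_str==opt_val2_str || *tmp_str)` for the second field. The `(int)` and `(u_short)` casts also truncate out-of-range input silently, so a range check before the cast would be worth adding. The function begins in the previous hunk.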
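Review bot: `include_config()` calls `scandir()` with a NULL filter and, as far as the visible lines show, only checks `S_ISREG` before passing each entry to `options_file()`. That means dotfiles, editor backups and symlinks to regular files in the directory are all parsed as configuration. I would either pass a filter that skips hidden and backup names or state the contract above the function, e.g. `/* every regular file in the directory is parsed, in alphasort order; the directory must be writable by the administrator only */`.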
@@ -3731,31 +4463,76 @@ NOEXPORT void name_list_append(NAME_LIST **ptr, char *name) { while(*ptr) /* find the null pointer */ ptr=&(*ptr)->next; - *ptr=str_alloc(sizeof(NAME_LIST)); - (*ptr)->name=str_dup(name); + *ptr=str_alloc_detached(sizeof(NAME_LIST)); + (*ptr)->name=str_dup_detached(name); (*ptr)->next=NULL; } +NOEXPORT void name_list_dup(NAME_LIST **dst, NAME_LIST *src) { + for(; src; src=src->next) + name_list_append(dst, src->name); +} + +NOEXPORT void name_list_free(NAME_LIST *ptr) { + while(ptr) { + NAME_LIST *next=ptr->next; + str_free(ptr->name); + str_free(ptr); + ptr=next; + } +} + #ifndef USE_WIN32 -NOEXPORT char **argalloc(char *str) { /* allocate 'exec' argumets */ +/* allocate 'exec' arguments */ +/* TODO: support quotes */ +NOEXPORT char **arg_alloc(char *str) { size_t max_arg, i; - char *ptr, **retval; + char **tmp, **retval; max_arg=strlen(str)/2+1; - ptr=str_dup(str); - retval=str_alloc((max_arg+1)*sizeof(char *)); + tmp=str_alloc((max_arg+1)*sizeof(char *)); + i=0; - while(*ptr && i + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -161,12 +161,12 @@ s_ssl_read(c, &resp, sizeof resp); if(resp.ver!=5) { s_log(LOG_ERR, "Invalid SOCKS5 message version 0x%02x", resp.ver); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } /* TODO: add USERNAME/PASSWORD authentication */ if(resp.method!=0x00) { s_log(LOG_ERR, "No supported SOCKS5 authentication method received"); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } } @@ -175,7 +175,7 @@ SOCKS5_UNION socks; if(original_dst(c->local_rfd.fd, &addr)) - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ memset(&socks, 0, sizeof socks); socks.req.ver=5; /* SOCKS5 */ socks.req.cmd=0x01; /* CONNECT */ 
@@ -198,7 +198,7 @@ #endif default: s_log(LOG_ERR, "Unsupported address type 0x%02x", addr.sa.sa_family); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } s_ssl_read(c, &socks, sizeof socks.resp); @@ -208,7 +208,7 @@ s_ssl_read(c, &socks.v4.addr, 4+2); if(socks.resp.ver!=5) { s_log(LOG_ERR, "Invalid SOCKS5 message version 0x%02x", socks.req.ver); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } switch(socks.resp.rep) { case 0x00: @@ -251,7 +251,7 @@ s_log(LOG_ERR, "SOCKS5 request failed: Unknown error 0x%02x", socks.resp.rep); } - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } NOEXPORT char *socks_server(CLI *c, SERVICE_OPTIONS *opt, const PHASE phase) { @@ -274,7 +274,7 @@ break; default: s_log(LOG_ERR, "Unsupported SOCKS version 0x%02x", version); - longjmp(c->err, 1); + throw_exception(c, 1); } break; case PROTOCOL_LATE: @@ -359,7 +359,7 @@ } s_ssl_write(c, &socks, sizeof socks); if(close_connection) - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } NOEXPORT void socks5_server_method(CLI *c) { @@ -383,7 +383,7 @@ s_ssl_write(c, &response, sizeof response); if(response.method) { /* request failed */ s_log(LOG_ERR, "No supported SOCKS5 authentication method received"); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } } @@ -509,7 +509,7 @@ s_ssl_write(c, &socks, sizeof socks.v4); } if(close_connection) /* request failed */ - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } /* validate the allocated address */ 
@@ -574,25 +574,25 @@ addrlen=sizeof addr; if(getpeername(c->local_rfd.fd, &addr.sa, &addrlen)) { sockerror("getpeername"); - longjmp(c->err, 1); + throw_exception(c, 1); } err=getnameinfo(&addr.sa, addr_len(&addr), src_host, IP_LEN, src_port, PORT_LEN, NI_NUMERICHOST|NI_NUMERICSERV); if(err) { s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err)); - longjmp(c->err, 1); + throw_exception(c, 1); } addrlen=sizeof addr; if(getsockname(c->local_rfd.fd, &addr.sa, &addrlen)) { sockerror("getsockname"); - longjmp(c->err, 1); + throw_exception(c, 1); } err=getnameinfo(&addr.sa, addr_len(&addr), dst_host, IP_LEN, dst_port, PORT_LEN, NI_NUMERICHOST|NI_NUMERICSERV); if(err) { s_log(LOG_ERR, "getnameinfo: %s", s_gai_strerror(err)); - longjmp(c->err, 1); + throw_exception(c, 1); } switch(addr.sa.sa_family) { @@ -625,15 +625,15 @@ s_read(c, c->remote_fd.fd, buffer, 5); if(buffer[0]!=0x83) { /* NB_SSN_NEGRESP */ s_log(LOG_ERR, "Negative response expected"); - longjmp(c->err, 1); + throw_exception(c, 1); } if(buffer[2]!=0 || buffer[3]!=1) { /* length != 1 */ s_log(LOG_ERR, "Unexpected NetBIOS response size"); - longjmp(c->err, 1); + throw_exception(c, 1); } if(buffer[4]!=0x8e) { /* use TLS */ s_log(LOG_ERR, "Remote server does not require TLS"); - longjmp(c->err, 1); + throw_exception(c, 1); } return NULL; } @@ -651,13 +651,13 @@ len=(uint16_t)(((uint16_t)(buffer[2])<<8)|buffer[3]); if(len>sizeof buffer-4) { s_log(LOG_ERR, "Received block too long"); - longjmp(c->err, 1); + throw_exception(c, 1); } s_read(c, c->local_rfd.fd, buffer+4, len); if(buffer[0]!=0x81) { /* NB_SSN_REQUEST */ s_log(LOG_ERR, "Client did not send session setup"); s_write(c, c->local_wfd.fd, response_access_denied, 5); - longjmp(c->err, 1); + throw_exception(c, 1); } s_write(c, c->local_wfd.fd, response_use_ssl, 5); return NULL; 
@@ -679,7 +679,7 @@ /* S - accepted, N - rejected, non-TLS preferred */ if(buffer[0]!='S') { s_log(LOG_ERR, "PostgreSQL server rejected TLS"); - longjmp(c->err, 1); + throw_exception(c, 1); } return NULL; } @@ -695,7 +695,7 @@ if(safe_memcmp(buffer, ssl_request, sizeof ssl_request)) { s_log(LOG_ERR, "PostgreSQL client did not request TLS, rejecting"); /* no way to send error on startup, so just drop the client */ - longjmp(c->err, 1); + throw_exception(c, 1); } s_write(c, c->local_wfd.fd, ssl_ok, sizeof ssl_ok); return NULL; @@ -743,7 +743,7 @@ if(!is_prefix(line, "250 ")) { /* error */ s_log(LOG_ERR, "Remote server is not RFC 1425 compliant"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_putline(c, c->remote_fd.fd, "STARTTLS"); @@ -754,7 +754,7 @@ if(!is_prefix(line, "220 ")) { /* error */ s_log(LOG_ERR, "Remote server is not RFC 2487 compliant"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); } @@ -769,7 +769,7 @@ if(!encoded) { s_log(LOG_ERR, "Base64 encoder failed"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); line=str_printf("AUTH PLAIN %s", encoded); @@ -781,7 +781,7 @@ if(!is_prefix(line, "235 ")) { /* not 'Authentication successful' */ s_log(LOG_ERR, "PLAIN Authentication Failed"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); } @@ -794,14 +794,14 @@ if(!is_prefix(line, "334 ")) { /* not the username challenge */ s_log(LOG_ERR, "Remote server does not support LOGIN authentication"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); encoded=base64(1, user, (int)strlen(user)); if(!encoded) { s_log(LOG_ERR, "Base64 encoder failed"); - longjmp(c->err, 1); + throw_exception(c, 1); } ssl_putline(c, encoded); str_free(encoded); 
@@ -809,14 +809,14 @@ if(!is_prefix(line, "334 ")) { /* not the password challenge */ s_log(LOG_ERR, "LOGIN authentication failed"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); encoded=base64(1, pass, (int)strlen(pass)); if(!encoded) { s_log(LOG_ERR, "Base64 encoder failed"); - longjmp(c->err, 1); + throw_exception(c, 1); } ssl_putline(c, encoded); str_free(encoded); @@ -824,7 +824,7 @@ if(!is_prefix(line, "235 ")) { /* not 'Authentication successful' */ s_log(LOG_ERR, "LOGIN authentication failed"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); } @@ -849,7 +849,7 @@ return NULL; /* return if RFC 2487 is not used */ default: /* -1 */ sockerror("RFC2487 (s_poll_wait)"); - longjmp(c->err, 1); + throw_exception(c, 1); } /* process server's greeting */ @@ -857,7 +857,7 @@ if(!(is_prefix(line, "220 ") || is_prefix(line, "220-"))) { s_log(LOG_ERR, "Unknown server welcome"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } domain=str_dup(line+4); /* skip "220" and the separator */ line[4]='\0'; /* only leave "220" and the separator */ @@ -882,7 +882,7 @@ s_log(LOG_ERR, "Unknown client EHLO"); str_free(line); str_free(domain); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); fd_printf(c, c->local_wfd.fd, "250-%s", domain); @@ -894,7 +894,7 @@ if(!is_prefix(line, "STARTTLS")) { s_log(LOG_ERR, "STARTTLS expected"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_putline(c, c->local_wfd.fd, "220 Go ahead"); str_free(line); @@ -914,7 +914,7 @@ if(!is_prefix(line, "+OK ")) { s_log(LOG_ERR, "Unknown server welcome"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_putline(c, c->local_wfd.fd, line); fd_putline(c, c->remote_fd.fd, "STLS"); @@ -923,7 +923,7 @@ if(!is_prefix(line, "+OK ")) { s_log(LOG_ERR, "Server does not support TLS"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); return NULL; 
@@ -950,7 +950,7 @@ if(!is_prefix(line, "STLS")) { s_log(LOG_ERR, "Client does not want TLS"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); fd_putline(c, c->local_wfd.fd, "+OK Stunnel starts TLS negotiation"); @@ -969,7 +969,7 @@ if(!is_prefix(line, "* OK")) { s_log(LOG_ERR, "Unknown server welcome"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_putline(c, c->local_wfd.fd, line); fd_putline(c, c->remote_fd.fd, "stunnel STARTTLS"); @@ -980,7 +980,7 @@ "* BYE stunnel: Server does not support TLS"); s_log(LOG_ERR, "Server does not support TLS"); str_free(line); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ } str_free(line); return NULL; @@ -1004,7 +1004,7 @@ return NULL; /* return if RFC 2595 is not used */ default: /* -1 */ sockerror("RFC2595 (s_poll_wait)"); - longjmp(c->err, 1); + throw_exception(c, 1); } /* process server welcome and send it to client */ @@ -1012,7 +1012,7 @@ if(!is_prefix(line, "* OK")) { s_log(LOG_ERR, "Unknown server welcome"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } capa=strstr(line, "CAPABILITY"); if(!capa) @@ -1083,7 +1083,7 @@ line=fd_getline(c, c->remote_fd.fd); } str_free(line); - longjmp(c->err, 2); /* don't reset */ + throw_exception(c, 2); /* don't reset */ return NULL; /* some C compilers require a return value */ } @@ -1099,7 +1099,7 @@ if(!is_prefix(line, "200 ") && !is_prefix(line, "201 ")) { s_log(LOG_ERR, "Unknown server welcome"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_putline(c, c->local_wfd.fd, line); fd_putline(c, c->remote_fd.fd, "STARTTLS"); @@ -1108,7 +1108,7 @@ if(!is_prefix(line, "382 ")) { s_log(LOG_ERR, "Server does not support TLS"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(line); return NULL; 
@@ -1128,7 +1128,7 @@ fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION); fd_putline(c, c->local_wfd.fd, ""); str_free(request); - longjmp(c->err, 1); + throw_exception(c, 1); } proto=strchr(request+8, ' '); if(!proto || !is_prefix(proto, " HTTP/")) { @@ -1136,7 +1136,7 @@ fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION); fd_putline(c, c->local_wfd.fd, ""); str_free(request); - longjmp(c->err, 1); + throw_exception(c, 1); } *proto='\0'; @@ -1152,7 +1152,7 @@ fd_putline(c, c->local_wfd.fd, "Server: stunnel/" STUNNEL_VERSION); fd_putline(c, c->local_wfd.fd, ""); str_free(request); - longjmp(c->err, 1); + throw_exception(c, 1); } str_free(request); fd_putline(c, c->local_wfd.fd, "HTTP/1.0 200 OK"); @@ -1168,7 +1168,7 @@ return NULL; if(!opt->protocol_host) { s_log(LOG_ERR, "protocolHost not specified"); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_printf(c, c->remote_fd.fd, "CONNECT %s HTTP/1.1", opt->protocol_host); @@ -1179,7 +1179,7 @@ ntlm(c, opt); #else s_log(LOG_ERR, "NTLM authentication is not available"); - longjmp(c->err, 1); + throw_exception(c, 1); #endif } else { /* basic authentication */ line=str_printf("%s:%s", @@ -1188,7 +1188,7 @@ str_free(line); if(!encoded) { s_log(LOG_ERR, "Base64 encoder failed"); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: basic %s", encoded); @@ -1205,7 +1205,7 @@ line=fd_getline(c, c->remote_fd.fd); } while(*line); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } s_log(LOG_INFO, "CONNECT request accepted"); do { @@ -1235,7 +1235,7 @@ ntlm1_txt=ntlm1(); if(!ntlm1_txt) { s_log(LOG_ERR, "Proxy-Authenticate: Failed to build NTLM request"); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s", ntlm1_txt); str_free(ntlm1_txt); 
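Review bot: The error replies in the hunks at -1128, -1136 and -1152 each send `"Server: stunnel/" STUNNEL_VERSION` to a peer whose request has just been rejected, which hands the exact build version to anyone who sends a malformed request. That makes it easy to match a deployment against published advisories, and nothing in the reply needs it. Since these lines are already being touched, consider sending a fixed product token instead: `fd_putline(c, c->local_wfd.fd, "Server: stunnel");`. The enclosing function starts outside these hunks.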
@@ -1250,7 +1250,7 @@ line=fd_getline(c, c->remote_fd.fd); } while(*line); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } ntlm2_txt=NULL; do { /* read all headers */ @@ -1266,14 +1266,14 @@ if(tmpstr==line+16 || *tmpstr || content_length<0) { s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } } } while(*line); if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */ s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found"); str_free(line); - longjmp(c->err, 1); + throw_exception(c, 1); } /* read and ignore HTTP content (if any) */ @@ -1291,7 +1291,7 @@ str_free(ntlm2_txt); if(!ntlm3_txt) { s_log(LOG_ERR, "Proxy-Authenticate: Failed to build NTLM response"); - longjmp(c->err, 1); + throw_exception(c, 1); } fd_printf(c, c->remote_fd.fd, "Proxy-Authorization: NTLM %s", ntlm3_txt); str_free(ntlm3_txt); @@ -1372,8 +1372,8 @@ crypt_DES(phase3+ntlm_off+16, decoded+24, md4_hash+14); str_free(decoded); - strncpy((char *)phase3+domain_off, domain, domain_len); - strncpy((char *)phase3+user_off, user, user_len); + memcpy((char *)phase3+domain_off, domain, domain_len); + memcpy((char *)phase3+user_off, user, user_len); return base64(1, (char *)phase3, (int)end_off); /* encode */ } diff -Nru stunnel4-5.44/src/prototypes.h stunnel4-5.50/src/prototypes.h --- stunnel4-5.44/src/prototypes.h 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/src/prototypes.h 2018-11-05 07:19:29.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
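Review bot: In the hunk at -1372, the two `memcpy` calls write exactly `domain_len` and `user_len` bytes into `phase3`, so they are only safe if `domain_off+domain_len` and `user_off+user_len` were bounded against the size of `phase3` earlier in the function, which the hunk does not show. `strncpy` used the same length bound, so this is not a regression, but the invariant should be stated where the copy happens: `/* lengths were bounded against phase3 above; fields are not NUL-terminated */`. The function body starts outside the hunk, so confirm that the bound exists before adding the comment.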
@@ -43,6 +43,7 @@ /**************************************** forward declarations */ typedef struct tls_data_struct TLS_DATA; +typedef struct sock_opt_struct SOCK_OPT; /**************************************** data structures */ @@ -98,8 +99,6 @@ typedef struct sockaddr_list { /* list of addresses */ struct sockaddr_list *parent; /* used by copies to locate their parent */ SOCKADDR_UNION *addr; /* array of resolved addresses */ - SOCKET *fd; /* array of accepting file descriptors */ - SSL_SESSION **session; /* array of cached client sessions */ unsigned start; /* initial address for round-robin failover */ unsigned num; /* how many addresses are used */ int passive; /* listening socket */ @@ -167,7 +166,7 @@ typedef struct psk_keys_struct { char *identity; unsigned char *key_val; - size_t key_len; + unsigned key_len; struct psk_keys_struct *next; } PSK_KEYS; typedef struct psk_table_struct { @@ -180,12 +179,14 @@ struct service_options_struct *next; /* next node in the services list */ SSL_CTX *ctx; /* TLS context */ char *servname; /* service name for logging & permission checking */ + int ref; /* reference counter for delayed deallocation */ /* service-specific data for stunnel.c */ #ifndef USE_WIN32 uid_t uid; gid_t gid; #endif + int bound_ports; /* number of ports bound to this service */ /* service-specific data for log.c */ int log_level; /* debug level for logging */ @@ -196,6 +197,9 @@ size_t stack_size; /* stack size for this thread */ #endif + /* some global data for network.c */ + SOCK_OPT *sock_opts; + /* service-specific data for verify.c */ char *ca_dir; /* directory for hashed certs */ char *ca_file; /* file containing bunches of certs */ 
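Review bot: In the hunk at -167, `key_len` in `PSK_KEYS` narrows from `size_t` to `unsigned`, so whatever computes the key length (presumably the PSK file parser, which is not visible here) now truncates silently where `size_t` is wider. PSK keys are short in practice, but the assignment site should reject oversized input rather than rely on that. The field also deserves a comment giving its unit, for example `unsigned key_len; /* key length in bytes, range-checked when the key is parsed */`.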
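Review bot: In the hunk at -180, the new `ref` field is documented only as a "reference counter for delayed deallocation", without saying how concurrent updates are serialized. The same patch adds `LOCK_REF` to `LOCK_TYPE` and declares `service_up_ref()` and `service_free()`, so presumably those are the only intended writers. Saying so at the field guards against a direct `opt->ref++` from another thread, which could lead to a premature free. Suggested comment: `int ref; /* reference counter; change only via service_up_ref()/service_free() */`. The struct continues outside this hunk.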
@@ -219,7 +223,11 @@ #if OPENSSL_VERSION_NUMBER>=0x009080dfL long unsigned ssl_options_clear; #endif /* OpenSSL 0.9.8m or later */ +#if OPENSSL_VERSION_NUMBER>=0x10100000L + int min_proto_version, max_proto_version; +#else /* OPENSSL_VERSION_NUMBER<0x10100000L */ SSL_METHOD *client_method, *server_method; +#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ SOCKADDR_UNION sessiond_addr; #ifndef OPENSSL_NO_TLSEXT char *sni; @@ -238,7 +246,6 @@ #endif /* !defined(OPENSSL_NO_ENGINE) */ /* service-specific data for client.c */ - SSL_SESSION *session; /* recently used session */ char *exec_name; /* program name for local mode */ #ifdef USE_WIN32 char *exec_args; /* program arguments for local mode */ @@ -247,12 +254,15 @@ #endif SOCKADDR_UNION source_addr; SOCKADDR_LIST local_addr, connect_addr, redirect_addr; + SOCKET *local_fd; /* array of accepting file descriptors */ + SSL_SESSION **connect_session; /* per-destination client session cache */ + SSL_SESSION *session; /* previous client session for delayed resolver */ int timeout_busy; /* maximum waiting for data time */ int timeout_close; /* maximum close_notify time */ int timeout_connect; /* maximum connect() time */ int timeout_idle; /* maximum idle connection time */ enum {FAILOVER_RR, FAILOVER_PRIO} failover; /* failover strategy */ - unsigned seq; /* sequential number for round-robin failover */ + unsigned rr; /* per-service sequential number for round-robin failover */ char *username; /* service-specific data for protocol.c */ @@ -285,9 +295,6 @@ unsigned local:1; /* outgoing interface specified */ unsigned retry:1; /* loop remote+program */ unsigned sessiond:1; -#ifndef OPENSSL_NO_TLSEXT - unsigned sni:1; /* endpoint: sni */ -#endif /* !defined(OPENSSL_NO_TLSEXT) */ #ifndef USE_WIN32 unsigned pty:1; unsigned transparent_src:1; 
@@ -302,8 +309,11 @@ unsigned nonce:1; /* send and verify OCSP nonce */ #endif /* !defined(OPENSSL_NO_OCSP) */ #ifndef OPENSSL_NO_DH - unsigned dh_needed:1; + unsigned dh_temp_params:1; #endif /* OPENSSL_NO_DH */ +#ifndef USE_WIN32 + unsigned log_stderr:1; /* a copy of the global switch */ +#endif /* USE_WIN32 */ } option; } SERVICE_OPTIONS; @@ -329,13 +339,13 @@ struct timeval timeval_val; } OPT_UNION; -typedef struct { +struct sock_opt_struct { char *opt_str; int opt_level; int opt_name; VAL_TYPE opt_type; OPT_UNION *opt_val[3]; -} SOCK_OPT; +}; typedef enum { CONF_RELOAD, CONF_FILE, CONF_FD 
@@ -380,39 +390,44 @@ } RENEG_STATE; typedef struct { - jmp_buf err; /* 64-bit platforms require jmp_buf to be 16-byte aligned */ - SSL *ssl; /* TLS connection */ + jmp_buf *exception_pointer; + + SSL *ssl; /* TLS connection */ SERVICE_OPTIONS *opt; TLS_DATA *tls; - SOCKADDR_UNION peer_addr; /* peer address */ + SOCKADDR_UNION peer_addr; /* peer address */ socklen_t peer_addr_len; - SOCKADDR_UNION *bind_addr; /* address to bind() the socket */ - SOCKADDR_LIST connect_addr; /* either copied or resolved dynamically */ - unsigned idx; /* actually connected address in connect_addr */ - FD local_rfd, local_wfd; /* read and write local descriptors */ - FD remote_fd; /* remote file descriptor */ - /* IP for explicit local bind or transparent proxy */ - unsigned long pid; /* PID of the local process */ - SOCKET fd; /* temporary file descriptor */ - RENEG_STATE reneg_state; /* used to track renegotiation attempts */ - unsigned long long seq; /* sequential thread number for logging */ + char *accepted_address; /* textual representation of the peer address */ + SOCKADDR_UNION *bind_addr; /* address to bind() the socket */ + SOCKADDR_LIST connect_addr; /* either copied or resolved dynamically */ + unsigned idx; /* actually connected address in connect_addr */ + FD local_rfd, local_wfd; /* read and write local descriptors */ + FD remote_fd; /* remote file descriptor */ + unsigned long pid; /* PID of the local process */ + SOCKET fd; /* temporary file descriptor */ + RENEG_STATE reneg_state; /* used to track renegotiation attempts */ + unsigned long long seq; /* sequential thread number for logging */ + unsigned rr; /* per-client sequential number for round-robin failover */ /* data for transfer() function */ - char sock_buff[BUFFSIZE]; /* socket read buffer */ - char ssl_buff[BUFFSIZE]; /* TLS read buffer */ - size_t sock_ptr, ssl_ptr; /* index of the first unused byte */ - FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */ - FD *ssl_rfd, *ssl_wfd; /* read and 
write TLS descriptors */ - uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */ - s_poll_set *fds; /* file descriptors */ + char sock_buff[BUFFSIZE]; /* socket read buffer */ + char ssl_buff[BUFFSIZE]; /* TLS read buffer */ + size_t sock_ptr, ssl_ptr; /* index of the first unused byte */ + FD *sock_rfd, *sock_wfd; /* read and write socket descriptors */ + FD *ssl_rfd, *ssl_wfd; /* read and write TLS descriptors */ + uint64_t sock_bytes, ssl_bytes; /* bytes written to socket and TLS */ + s_poll_set *fds; /* file descriptors */ + struct { + unsigned psk:1; /* PSK identity was found */ + } flag; } CLI; /**************************************** prototypes for stunnel.c */ #ifndef USE_FORK -extern long max_clients; -extern volatile long num_clients; +extern int max_clients; +extern int num_clients; #endif void main_init(void); @@ -422,21 +437,25 @@ void daemon_loop(void); void unbind_ports(void); int bind_ports(void); -void signal_post(int); +void signal_post(uint8_t); #if !defined(USE_WIN32) && !defined(USE_OS2) -void child_status(void); /* dead libwrap or 'exec' process detected */ +void pid_status_hang(const char *); #endif void stunnel_info(int); /**************************************** prototypes for options.c */ -extern char configuration_file[PATH_MAX]; +extern char *configuration_file; extern unsigned number_of_sections; int options_cmdline(char *, char *); int options_parse(CONF_TYPE); void options_defaults(void); void options_apply(void); +void options_free(void); + +void service_up_ref(SERVICE_OPTIONS *); +void service_free(SERVICE_OPTIONS *); /**************************************** prototypes for fd.c */ 
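Review bot: In the hunk at -380, `jmp_buf *exception_pointer` replaces the embedded `jmp_buf err` without any comment, and the old alignment remark is dropped with it. A pointer to a `jmp_buf` is only usable while the frame that called `setjmp()` is still live, so the field should say who sets it and when it is cleared; a stale or NULL value reaching `throw_exception()` would be undefined behaviour. Something like `jmp_buf *exception_pointer; /* handler installed by the active setjmp() frame */` would do. If `throw_exception()` handles the NULL case, describe that too; its body is not in this hunk.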
@@ -451,12 +470,11 @@ /**************************************** prototypes for log.c */ -#if !defined(USE_WIN32) && !defined(__vms) -void syslog_open(void); -void syslog_close(void); -#endif -int log_open(void); -void log_close(void); +#define SINK_SYSLOG 1 +#define SINK_OUTFILE 2 + +int log_open(int); +void log_close(int); void log_flush(LOG_MODE); void s_log(int, const char *, ...) #ifdef __GNUC__ @@ -465,12 +483,13 @@ ; #endif char *log_id(CLI *); -void fatal_debug(char *, const char *, int); +void fatal_debug(char *, const char *, int) NORETURN; #define fatal(a) fatal_debug((a), __FILE__, __LINE__) void ioerror(const char *); void sockerror(const char *); void log_error(int, int, const char *); char *s_strerror(int); +void bin2hexstring(const unsigned char *, size_t, char *, size_t); /**************************************** prototypes for pty.c */ @@ -498,7 +517,7 @@ #ifndef OPENSSL_NO_DH extern DH *dh_params; -extern int dh_needed; +extern int dh_temp_params; #endif /* OPENSSL_NO_DH */ int context_init(SERVICE_OPTIONS *); @@ -506,6 +525,7 @@ void psk_sort(PSK_TABLE *, PSK_KEYS *); PSK_KEYS *psk_find(const PSK_TABLE *, const char *); #endif /* !defined(OPENSSL_NO_PSK) */ +void print_session_id(SSL_SESSION *); void sslerror(char *); /**************************************** prototypes for verify.c */ @@ -539,15 +559,21 @@ #define SIGNAL_TERMINATE SIGTERM #endif -int set_socket_options(SOCKET, int); +int socket_options_set(SERVICE_OPTIONS *, SOCKET, int); int make_sockets(SOCKET[2]); int original_dst(const SOCKET, SOCKADDR_UNION *); /**************************************** prototypes for client.c */ CLI *alloc_client_session(SERVICE_OPTIONS *, SOCKET, SOCKET); -void *client_thread(void *); +#if defined(USE_WIN32) || defined(USE_OS2) +unsigned __stdcall +#else +void * +#endif +client_thread(void *); void client_main(CLI *); +void throw_exception(CLI *, int) NORETURN; /**************************************** prototypes for network.c */ 
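Review bot: In the hunk at -539, the new prototype `void throw_exception(CLI *, int) NORETURN;` gives no meaning for the `int` argument, while the call sites in protocol.c pass a bare `1` or `2` and repeat the comment `don't reset` next to every `2`. Documenting the codes once at the declaration, or naming them, would keep a future call site from picking the wrong teardown behaviour on an error path. Suggested comment: `/* second argument: 1 = error, 2 = error without resetting the connection */`. The reading of `1` is inferred from the call sites and should be confirmed against client.c.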
@@ -616,7 +642,7 @@ #ifndef _WIN32_WCE typedef int (CALLBACK * GETADDRINFO) (const char *, const char *, const struct addrinfo *, struct addrinfo **); -typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo FAR *); +typedef void (CALLBACK * FREEADDRINFO) (struct addrinfo *); typedef int (CALLBACK * GETNAMEINFO) (const struct sockaddr *, socklen_t, char *, size_t, char *, size_t, int); extern GETADDRINFO s_getaddrinfo; @@ -634,6 +660,12 @@ /**************************************** prototypes for sthreads.c */ #if defined(USE_PTHREAD) || defined(USE_WIN32) +#define USE_OS_THREADS +#endif + +#if OPENSSL_VERSION_NUMBER<0x10100004L + +#ifdef USE_OS_THREADS struct CRYPTO_dynlock_value { #ifdef USE_PTHREAD @@ -643,14 +675,24 @@ CRITICAL_SECTION critical_section; #endif const char *init_file, *read_lock_file, *write_lock_file, - *read_unlock_file, *write_unlock_file, *destroy_file; - int init_line, read_lock_line, write_lock_line, - read_unlock_line, write_unlock_line, destroy_line; + *unlock_file, *destroy_file; + int init_line, read_lock_line, write_lock_line, unlock_line, destroy_line; }; +typedef struct CRYPTO_dynlock_value CRYPTO_RWLOCK; + +#else /* USE_OS_THREADS */ + +typedef void CRYPTO_RWLOCK; + +#endif /* USE_OS_THREADS */ + +#endif /* OPENSSL_VERSION_NUMBER<0x10100004L */ + typedef enum { LOCK_SESSION, LOCK_ADDR, LOCK_CLIENTS, LOCK_SSL, /* client.c */ + LOCK_REF, /* options.c */ LOCK_INET, /* resolver.c */ #ifndef USE_WIN32 LOCK_LIBWRAP, /* libwrap.c */ 
@@ -660,44 +702,29 @@ #ifndef OPENSSL_NO_DH LOCK_DH, /* ctx.c */ #endif /* OPENSSL_NO_DH */ +#ifdef USE_WIN32 + LOCK_WIN_LOG, /* ui_win_gui.c */ +#endif + LOCK_SECTIONS, /* traversing section list */ STUNNEL_LOCKS /* number of locks */ } LOCK_TYPE; -extern struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS]; -void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *, const char *, int); -void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *, const char *, int); -void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *, const char *, int); -void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int); -void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *, const char *, int); -void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *, const char *, int); - -#define stunnel_rwlock_init(x) stunnel_rwlock_init_debug((x),__FILE__,__LINE__) -#define stunnel_read_lock(x) stunnel_read_lock_debug((x),__FILE__,__LINE__) -#define stunnel_write_lock(x) stunnel_write_lock_debug((x),__FILE__,__LINE__) -#define stunnel_read_unlock(x) stunnel_read_unlock_debug((x),__FILE__,__LINE__) -#define stunnel_write_unlock(x) stunnel_write_unlock_debug((x),__FILE__,__LINE__) -#define stunnel_rwlock_destroy(x) stunnel_rwlock_destroy_debug((x),__FILE__,__LINE__) +extern CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; #if OPENSSL_VERSION_NUMBER<0x10100004L -#define CRYPTO_atomic_add(addr,amount,result,type) \ - *result = type ? 
CRYPTO_add(addr,amount,type) : (*addr+=amount) +/* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */ +CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void); +int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *); +int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *); +int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *); +void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *); +int CRYPTO_atomic_add(int *, int, int *, CRYPTO_RWLOCK *); #endif -#else /* defined(USE_PTHREAD) || defined(USE_WIN32) */ - -#define stunnel_rwlock_init(x) {} -#define stunnel_read_lock(x) {} -#define stunnel_write_lock(x) {} -#define stunnel_read_unlock(x) {} -#define stunnel_write_unlock(x) {} -#define stunnel_rwlock_destroy(x) {} - -#endif /* defined(USE_PTHREAD) || defined(USE_WIN32) */ - int sthreads_init(void); unsigned long stunnel_process_id(void); unsigned long stunnel_thread_id(void); -int create_client(SOCKET, SOCKET, CLI *, void *(*)(void *)); +int create_client(SOCKET, SOCKET, CLI *); #ifdef USE_UCONTEXT typedef struct CONTEXT_STRUCTURE { char *stack; /* CPU stack for this thread */ @@ -717,7 +744,8 @@ void _endthread(void); #endif #ifdef DEBUG_STACK_SIZE -void stack_info(int); +void stack_info(size_t, int); +void ignore_value(void *); #endif /**************************************** prototypes for file.c */ @@ -739,7 +767,7 @@ /**************************************** prototypes for libwrap.c */ int libwrap_init(); -void libwrap_auth(CLI *, char *); +void libwrap_auth(CLI *); /**************************************** prototypes for tls.c */ @@ -768,6 +796,8 @@ void str_cleanup(TLS_DATA *); char *str_dup_debug(const char *, const char *, int); #define str_dup(a) str_dup_debug((a), __FILE__, __LINE__) +char *str_dup_detached_debug(const char *, const char *, int); +#define str_dup_detached(a) str_dup_detached_debug((a), __FILE__, __LINE__) char *str_vprintf(const char *, va_list); char *str_printf(const char *, ...) #ifdef __GNUC__ 
@@ -785,15 +815,18 @@ #define str_alloc(a) str_alloc_debug((a), __FILE__, __LINE__) void *str_alloc_detached_debug(size_t, const char *, int); #define str_alloc_detached(a) str_alloc_detached_debug((a), __FILE__, __LINE__) -void *str_realloc_detached_debug(void *, size_t, const char *, int); void *str_realloc_debug(void *, size_t, const char *, int); #define str_realloc(a, b) str_realloc_debug((a), (b), __FILE__, __LINE__) +void *str_realloc_detached_debug(void *, size_t, const char *, int); +#define str_realloc_detached(a, b) str_realloc_detached_debug((a), (b), __FILE__, __LINE__) void str_detach_debug(void *, const char *, int); #define str_detach(a) str_detach_debug((a), __FILE__, __LINE__) void str_free_debug(void *, const char *, int); #define str_free(a) str_free_debug((a), __FILE__, __LINE__), (a)=NULL #define str_free_expression(a) str_free_debug((a), __FILE__, __LINE__) +void leak_table_utilization(void); + int safe_memcmp(const void *, const void *, size_t); /**************************************** prototypes for ui_*.c */ diff -Nru stunnel4-5.44/src/pty.c stunnel4-5.50/src/pty.c --- stunnel4-5.44/src/pty.c 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/pty.c 2018-04-06 14:25:10.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff -Nru stunnel4-5.44/src/resolver.c stunnel4-5.50/src/resolver.c --- stunnel4-5.44/src/resolver.c 2017-10-16 18:38:47.000000000 +0000 +++ stunnel4-5.50/src/resolver.c 2018-07-02 21:30:10.000000000 +0000 
@@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -106,6 +106,11 @@ } #if defined(USE_WIN32) && !defined(_WIN32_WCE) +#ifdef __GNUC__ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wpragmas" +#pragma GCC diagnostic ignored "-Wcast-function-type" +#endif /* __GNUC__ */ NOEXPORT int get_ipv6(LPTSTR file) { HINSTANCE handle; @@ -124,6 +129,9 @@ } return 1; /* IPv6 detected -> OK */ } +#ifdef __GNUC__ +#pragma GCC diagnostic pop +#endif /* __GNUC__ */ #endif /**************************************** stunnel resolver API */ @@ -138,8 +146,6 @@ if(retval) addrlist2addr(addr, addr_list); str_free(addr_list->addr); - str_free(addr_list->fd); - str_free(addr_list->session); str_free(addr_list); return retval; } @@ -155,8 +161,6 @@ if(num) addrlist2addr(addr, addr_list); str_free(addr_list->addr); - str_free(addr_list->fd); - str_free(addr_list->session); str_free(addr_list); return num; } @@ -194,16 +198,10 @@ s_log(LOG_ERR, "Unix socket path is too long"); return 0; /* no results */ } - addr_list->addr=str_realloc(addr_list->addr, + addr_list->addr=str_realloc_detached(addr_list->addr, (addr_list->num+1)*sizeof(SOCKADDR_UNION)); addr_list->addr[addr_list->num].un.sun_family=AF_UNIX; strcpy(addr_list->addr[addr_list->num].un.sun_path, name); - addr_list->fd=str_realloc(addr_list->fd, - (addr_list->num+1)*sizeof(SOCKET)); - addr_list->fd[addr_list->num]=INVALID_SOCKET; - addr_list->session=str_realloc(addr_list->session, - (addr_list->num+1)*sizeof(SSL_SESSION *)); - addr_list->session[addr_list->num]=NULL; ++(addr_list->num); return 1; /* ok - return the number of new addresses */ } 
@@ -228,9 +226,9 @@ unsigned hostport2addrlist(SOCKADDR_LIST *addr_list, char *host_name, char *port_name) { - struct addrinfo hints, *res=NULL, *cur; + struct addrinfo hints, *res, *cur; int err, retry=0; - unsigned num=0; + unsigned num; memset(&hints, 0, sizeof hints); #if defined(USE_IPv6) || defined(USE_WIN32) @@ -241,19 +239,20 @@ hints.ai_socktype=SOCK_STREAM; hints.ai_protocol=IPPROTO_TCP; hints.ai_flags=0; - if(addr_list->passive) { - hints.ai_family=AF_INET; /* first try IPv4 for passive requests */ + if(addr_list->passive) hints.ai_flags|=AI_PASSIVE; - } #ifdef AI_ADDRCONFIG hints.ai_flags|=AI_ADDRCONFIG; #endif for(;;) { + res=NULL; err=getaddrinfo(host_name, port_name, &hints, &res); - if(!err) + if(!err) /* success */ break; - if(res) - freeaddrinfo(res); + if(err==EAI_SERVICE) { + s_log(LOG_ERR, "Unknown TCP service \"%s\"", port_name); + return 0; /* error */ + } if(err==EAI_AGAIN && ++retry<=3) { s_log(LOG_DEBUG, "getaddrinfo: EAI_AGAIN received: retrying"); sleep(1); @@ -265,19 +264,6 @@ continue; /* retry for unconfigured network interfaces */ } #endif -#if defined(USE_IPv6) || defined(USE_WIN32) - if(hints.ai_family==AF_INET) { - hints.ai_family=AF_UNSPEC; - continue; /* retry for non-IPv4 addresses */ - } -#endif - break; - } - if(err==EAI_SERVICE) { - s_log(LOG_ERR, "Unknown TCP service \"%s\"", port_name); - return 0; /* error */ - } - if(err) { s_log(LOG_ERR, "Error resolving \"%s\": %s", host_name ? host_name : (addr_list->passive ? DEFAULT_ANY : DEFAULT_LOOPBACK), 
@@ -285,26 +271,24 @@ return 0; /* error */ } - /* copy the list of addresses */ + /* find the number of newly resolved addresses */ + num=0; for(cur=res; cur; cur=cur->ai_next) { if(cur->ai_addrlen>(int)sizeof(SOCKADDR_UNION)) { s_log(LOG_ERR, "INTERNAL ERROR: ai_addrlen value too big"); freeaddrinfo(res); return 0; /* no results */ } - addr_list->addr=str_realloc(addr_list->addr, - (addr_list->num+1)*sizeof(SOCKADDR_UNION)); - memcpy(&addr_list->addr[addr_list->num], cur->ai_addr, - (size_t)cur->ai_addrlen); - addr_list->fd=str_realloc(addr_list->fd, - (addr_list->num+1)*sizeof(SOCKET)); - addr_list->fd[addr_list->num]=INVALID_SOCKET; - addr_list->session=str_realloc(addr_list->session, - (addr_list->num+1)*sizeof(SSL_SESSION *)); - addr_list->session[addr_list->num]=NULL; - ++(addr_list->num); ++num; } + + /* append the newly resolved addresses to addr_list->addr */ + addr_list->addr=str_realloc_detached(addr_list->addr, + (addr_list->num+num)*sizeof(SOCKADDR_UNION)); + for(cur=res; cur; cur=cur->ai_next) + memcpy(&addr_list->addr[(addr_list->num)++], cur->ai_addr, + (size_t)cur->ai_addrlen); + freeaddrinfo(res); return num; /* ok - return the number of new addresses */ } @@ -320,8 +304,6 @@ NOEXPORT void addrlist_reset(SOCKADDR_LIST *addr_list) { addr_list->num=0; addr_list->addr=NULL; - addr_list->fd=NULL; - addr_list->session=NULL; addr_list->start=0; addr_list->parent=addr_list; /* allow a copy to locate its parent */ } @@ -329,13 +311,11 @@ unsigned addrlist_dup(SOCKADDR_LIST *dst, const SOCKADDR_LIST *src) { memcpy(dst, src, sizeof(SOCKADDR_LIST)); if(src->num) { /* already resolved */ - dst->addr=str_alloc(src->num*sizeof(SOCKADDR_UNION)); + dst->addr=str_alloc_detached(src->num*sizeof(SOCKADDR_UNION)); memcpy(dst->addr, src->addr, src->num*sizeof(SOCKADDR_UNION)); } else { /* delayed resolver */ addrlist_resolve(dst); } - /* a client does not have its own local copy of - src->session and src->fd */ return dst->num; } 
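Review bot: In the hunk at -329, `dst->addr` in `addrlist_dup()` is now allocated with `str_alloc_detached()`, and the comment about what a client copy does not own was removed, so nothing here says who releases the array. If detached blocks are exempt from the per-thread cleanup, as the name suggests, every caller has to free `dst->addr` explicitly or the copy leaks. A short ownership comment above the allocation would help: `/* detached: the owner of dst must str_free() dst->addr */`. The same question applies to the `str_realloc_detached()` calls in the hunks at -194 and -285.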
@@ -459,7 +439,7 @@ /* not numerical: need to call resolver library */ *res=NULL; ai=NULL; - stunnel_write_lock(&stunnel_locks[LOCK_INET]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_INET]); #ifdef HAVE_GETHOSTBYNAME2 h=gethostbyname2(node, AF_INET6); if(h) /* some IPv6 addresses found */ @@ -477,7 +457,7 @@ #ifdef HAVE_ENDHOSTENT endhostent(); #endif - stunnel_write_unlock(&stunnel_locks[LOCK_INET]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_INET]); if(retval) { /* error: free allocated memory */ freeaddrinfo(*res); *res=NULL; @@ -612,10 +592,11 @@ (void *)&((struct sockaddr_in *)sa)->sin_addr, host, hostlen); #else /* USE_IPv6 */ - stunnel_write_lock(&stunnel_locks[LOCK_INET]); /* inet_ntoa is not mt-safe */ + /* inet_ntoa is not mt-safe */ + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_INET]); strncpy(host, inet_ntoa(((struct sockaddr_in *)sa)->sin_addr), hostlen); - stunnel_write_unlock(&stunnel_locks[LOCK_INET]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_INET]); host[hostlen-1]='\0'; #endif /* USE_IPv6 */ } diff -Nru stunnel4-5.44/src/resources.h stunnel4-5.50/src/resources.h --- stunnel4-5.44/src/resources.h 2014-09-01 10:33:24.000000000 +0000 +++ stunnel4-5.50/src/resources.h 2018-10-09 14:37:38.000000000 +0000 @@ -2,9 +2,8 @@ #define WM_VALID_CONFIG (WM_APP+0) #define WM_INVALID_CONFIG (WM_APP+1) -#define WM_LOG (WM_APP+2) -#define WM_NEW_CHAIN (WM_APP+3) -#define WM_CLIENTS (WM_APP+4) +#define WM_NEW_CHAIN (WM_APP+2) +#define WM_CLIENTS (WM_APP+3) #define IDI_STUNNEL_MAIN 10 #define IDI_STUNNEL_ACTIVE 11 diff -Nru stunnel4-5.44/src/resources.rc stunnel4-5.50/src/resources.rc --- stunnel4-5.44/src/resources.rc 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/src/resources.rc 2018-04-06 14:25:10.000000000 +0000 
@@ -19,7 +19,7 @@ VALUE "FileDescription", "stunnel - TLS offloading and load-balancing proxy" VALUE "FileVersion", STUNNEL_VERSION VALUE "InternalName", "stunnel" - VALUE "LegalCopyright", " by Michal Trojnara, 1998-2017" + VALUE "LegalCopyright", " by Michal Trojnara, 1998-2018" VALUE "OriginalFilename", "stunnel.exe" VALUE "ProductName", STUNNEL_PRODUCTNAME VALUE "ProductVersion", STUNNEL_VERSION @@ -104,7 +104,7 @@ ICON IDI_STUNNEL_MAIN, -1, 6, 6, 20, 20 LTEXT "stunnel version", -1, 30, 4, 49, 8 LTEXT STUNNEL_VERSION, -1, 79, 4, 57, 8 - LTEXT " by Michal Trojnara, 1998-2017", -1, 30, 12, 106, 8 + LTEXT " by Michal Trojnara, 1998-2018", -1, 30, 12, 106, 8 LTEXT "All Rights Reserved", -1, 30, 20, 106, 8 LTEXT "Licensed under the GNU GPL version 2", -1, 4, 28, 132, 8 LTEXT "with a special exception for OpenSSL", -1, 4, 36, 132, 8 diff -Nru stunnel4-5.44/src/ssl.c stunnel4-5.50/src/ssl.c --- stunnel4-5.44/src/ssl.c 2017-10-07 14:23:08.000000000 +0000 +++ stunnel4-5.50/src/ssl.c 2018-10-09 14:37:38.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -39,13 +39,21 @@ #include "prototypes.h" /* global OpenSSL initialization: compression, engine, entropy */ -NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, +#if OPENSSL_VERSION_NUMBER>=0x10100000L +NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void *from_d, int idx, long argl, void *argp); +#else +NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, + void *from_d, int idx, long argl, void *argp); +#endif +NOEXPORT void cb_free_addr(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp); #ifndef OPENSSL_NO_COMP NOEXPORT int compression_init(GLOBAL_OPTIONS *); #endif NOEXPORT int prng_init(GLOBAL_OPTIONS *); NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const char *); +NOEXPORT void update_rand_file(const char *); int index_ssl_cli, index_ssl_ctx_opt; int index_session_authenticated, index_session_connect_address; @@ -66,7 +74,7 @@ index_session_authenticated=SSL_SESSION_get_ex_new_index(0, "session authenticated", NULL, NULL, NULL); index_session_connect_address=SSL_SESSION_get_ex_new_index(0, - "session connect address", NULL, NULL, cb_free); + "session connect address", NULL, cb_dup_addr, cb_free_addr); if(index_ssl_cli<0 || index_ssl_ctx_opt<0 || index_session_authenticated<0 || index_session_connect_address<0) { 
@@ -106,7 +114,31 @@ #endif #endif -NOEXPORT void cb_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, +#if OPENSSL_VERSION_NUMBER>=0x10100000L +NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, + void *from_d, int idx, long argl, void *argp) { +#else +NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, + void *from_d, int idx, long argl, void *argp) { +#endif + SOCKADDR_UNION *src, *dst; + socklen_t len; + + (void)to; /* squash the unused parameter warning */ + (void)from; /* squash the unused parameter warning */ + (void)idx; /* squash the unused parameter warning */ + (void)argl; /* squash the unused parameter warning */ + s_log(LOG_DEBUG, "Duplicating application specific data for %s", + (char *)argp); + src=*(void **)from_d; + len=addr_len(src); + dst=str_alloc_detached((size_t)len); + memcpy(dst, src, (size_t)len); + *(void **)from_d=dst; + return 1; +} + +NOEXPORT void cb_free_addr(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp) { (void)parent; /* squash the unused parameter warning */ (void)ad; /* squash the unused parameter warning */ @@ -140,13 +172,30 @@ #endif /* OPENSSL_NO_COMP */ if(prng_init(global)) return 1; - s_log(LOG_DEBUG, "PRNG seeded successfully"); return 0; /* SUCCESS */ } #ifndef OPENSSL_NO_COMP + +#if OPENSSL_VERSION_NUMBER<0x10100000L + +NOEXPORT int COMP_get_type(const COMP_METHOD *meth) { + return meth->type; +} + +NOEXPORT const char *SSL_COMP_get0_name(const SSL_COMP *comp) { + return comp->name; +} + +NOEXPORT int SSL_COMP_get_id(const SSL_COMP *comp) { + return comp->id; +} + +#endif /* OPENSSL_VERSION_NUMBER<0x10100000L */ + NOEXPORT int compression_init(GLOBAL_OPTIONS *global) { STACK_OF(SSL_COMP) *methods; + int num_methods, i; methods=SSL_COMP_get_compression_methods(); if(!methods) { 
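Review bot: cb_dup_addr() uses the slot value without checking it: `src=*(void **)from_d;` feeds straight into `addr_len(src)` and `memcpy`. If OpenSSL invokes the dup callback for a session whose connect-address slot was never set, `src` is NULL at that point. I believe ex_data duplication calls the callback per index regardless of the stored value, but this should be confirmed against the supported OpenSSL versions. A guard such as `if(!src) return 1; /* nothing to duplicate */` before `addr_len()` would cover that case. A short comment that `from_d` is the address of the stored pointer and is overwritten with the copy would also help the next reader.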
@@ -159,40 +208,51 @@ } } - if(global->compression==COMP_NONE || - OpenSSL_version_num()<0x00908051L /* 0.9.8e-beta1 */) { + if(global->compression==COMP_NONE) { /* delete OpenSSL defaults (empty the SSL_COMP stack) */ /* cannot use sk_SSL_COMP_pop_free, * as it also destroys the stack itself */ /* only leave the standard RFC 1951 (DEFLATE) algorithm, * if any of the private algorithms is enabled */ - /* only allow DEFLATE with OpenSSL 0.9.8 or later - * with OpenSSL #1468 zlib memory leak fixed */ while(sk_SSL_COMP_num(methods)) OPENSSL_free(sk_SSL_COMP_pop(methods)); - } - - if(global->compression==COMP_NONE) { s_log(LOG_DEBUG, "Compression disabled"); return 0; /* success */ } + if(!sk_SSL_COMP_num(methods)) { + s_log(LOG_ERR, "No compression method is available"); + return 1; + } + /* also insert the obsolete ZLIB algorithm */ if(global->compression==COMP_ZLIB) { /* 224 - within the private range (193 to 255) */ COMP_METHOD *meth=COMP_zlib(); -#if OPENSSL_VERSION_NUMBER>=0x10100000L if(!meth || COMP_get_type(meth)==NID_undef) { -#else - if(!meth || meth->type==NID_undef) { -#endif s_log(LOG_ERR, "ZLIB compression is not supported"); return 1; } - SSL_COMP_add_compression_method(0xe0, meth); + if(SSL_COMP_add_compression_method(0xe0, meth)) { + sslerror("SSL_COMP_add_compression_method"); + return 1; + } + } + + num_methods=sk_SSL_COMP_num(methods); + s_log(LOG_INFO, "Compression enabled: %d method%s", + num_methods, num_methods==1 ? 
"" : "s"); + for(i=0; iegd_sock) { int bytes=RAND_egd(global->egd_sock); - if(bytes==-1) { - s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock); - bytes=0; - } else { - totbytes+=bytes; + if(bytes>=0) { s_log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s", bytes, global->egd_sock); return 0; /* OpenSSL always gets what it needs or fails, so no need to check if seeded sufficiently */ } + s_log(LOG_WARNING, "EGD Socket %s failed", global->egd_sock); } #endif - /* try the good-old default /dev/urandom, if available */ + +#ifndef RANDOM_FILE + /* try the good-old default /dev/urandom, if no RANDOM_FILE is defined */ totbytes+=add_rand_file(global, "/dev/urandom"); if(RAND_status()) return 0; /* success */ +#endif + #endif /* USE_WIN32 */ /* random file specified during configure */ 
@@ -262,28 +326,39 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *global, const char *filename) { int readbytes; - int writebytes; struct stat sb; if(stat(filename, &sb)) return 0; /* could not stat() file --> return 0 bytes */ - if((readbytes=RAND_load_file(filename, global->random_bytes))) - s_log(LOG_DEBUG, "Snagged %d random bytes from %s", - readbytes, filename); - else + + readbytes=RAND_load_file(filename, global->random_bytes); + if(readbytes<0) { + sslerror("RAND_load_file"); s_log(LOG_INFO, "Cannot retrieve any random data from %s", filename); - /* write new random data for future seeding if it's a regular file */ - if(global->option.rand_write && S_ISREG(sb.st_mode)) { - writebytes=RAND_write_file(filename); - if(writebytes==-1) - s_log(LOG_WARNING, "Failed to write strong random data to %s - " - "may be a permissions or seeding problem", filename); - else - s_log(LOG_DEBUG, "Wrote %d new random bytes to %s", - writebytes, filename); + return 0; } + s_log(LOG_DEBUG, "Snagged %d random bytes from %s", readbytes, filename); + + /* write new random data for future seeding if it's a regular file */ + if(global->option.rand_write && S_ISREG(sb.st_mode)) + update_rand_file(filename); + return readbytes; } +NOEXPORT void update_rand_file(const char *filename) { + int writebytes; + + writebytes=RAND_write_file(filename); + if(writebytes<0) { + sslerror("RAND_write_file"); + s_log(LOG_WARNING, "Failed to write strong random data to %s - " + "may be a permissions or seeding problem", filename); + return; + } + s_log(LOG_DEBUG, "Wrote %d new random bytes to %s", + writebytes, filename); +} + /* end of ssl.c */ diff -Nru stunnel4-5.44/src/sthreads.c stunnel4-5.50/src/sthreads.c --- stunnel4-5.44/src/sthreads.c 2017-08-17 09:18:53.000000000 +0000 +++ stunnel4-5.50/src/sthreads.c 2018-11-06 13:25:39.000000000 +0000 
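Review bot: add_rand_file() now treats a zero return from RAND_load_file() as success, because only `readbytes<0` takes the error path. An empty seed file therefore logs "Snagged 0 random bytes" at debug level, where the removed code logged "Cannot retrieve any random data" at info level. With rand_write set on a regular file, it is then rewritten by update_rand_file(). If refreshing an empty seed file is intended, a comment saying so would help; otherwise keep the operator-visible message for the zero case, e.g. `if(!readbytes) s_log(LOG_INFO, "Cannot retrieve any random data from %s", filename);`.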
@@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -114,44 +114,40 @@ /**************************************** locking */ +/* we only need to initialize locking with OpenSSL older than 1.1.0 */ +#if OPENSSL_VERSION_NUMBER<0x10100004L + #ifdef USE_PTHREAD -void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_lock_init_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { pthread_rwlock_init(&lock->rwlock, NULL); lock->init_file=file; lock->init_line=line; } -void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_read_lock_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { pthread_rwlock_rdlock(&lock->rwlock); lock->read_lock_file=file; lock->read_lock_line=line; } -void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_write_lock_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { pthread_rwlock_wrlock(&lock->rwlock); lock->write_lock_file=file; lock->write_lock_line=line; } -void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock, - const char *file, int line) { - pthread_rwlock_unlock(&lock->rwlock); - lock->read_unlock_file=file; - lock->read_unlock_line=line; -} - -void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_unlock_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { pthread_rwlock_unlock(&lock->rwlock); - lock->write_unlock_file=file; - lock->write_unlock_line=line; + lock->unlock_file=file; + lock->unlock_line=line; } -void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_lock_destroy_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { pthread_rwlock_destroy(&lock->rwlock); lock->destroy_file=file; 
@@ -167,42 +163,35 @@ * but it is unsupported on Windows XP (and earlier versions of Windows): * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */ -void stunnel_rwlock_init_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_lock_init_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { InitializeCriticalSection(&lock->critical_section); lock->init_file=file; lock->init_line=line; } -void stunnel_read_lock_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_read_lock_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { EnterCriticalSection(&lock->critical_section); lock->read_lock_file=file; lock->read_lock_line=line; } -void stunnel_write_lock_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_write_lock_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { EnterCriticalSection(&lock->critical_section); lock->write_lock_file=file; lock->write_lock_line=line; } -void stunnel_read_unlock_debug(struct CRYPTO_dynlock_value *lock, - const char *file, int line) { - LeaveCriticalSection(&lock->critical_section); - lock->read_unlock_file=file; - lock->read_unlock_line=line; -} - -void stunnel_write_unlock_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_unlock_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { LeaveCriticalSection(&lock->critical_section); - lock->write_unlock_file=file; - lock->write_unlock_line=line; + lock->unlock_file=file; + lock->unlock_line=line; } -void stunnel_rwlock_destroy_debug(struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_lock_destroy_debug(struct CRYPTO_dynlock_value *lock, const char *file, int line) { DeleteCriticalSection(&lock->critical_section); lock->destroy_file=file; 
@@ -212,81 +201,162 @@ #endif /* USE_WIN32 */ -#if defined(USE_PTHREAD) || defined(USE_WIN32) +NOEXPORT int s_atomic_add(int *val, int amount, CRYPTO_RWLOCK *lock) { + int ret; -struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS]; - -#if OPENSSL_VERSION_NUMBER<0x10100004L -#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid() + (void)lock; /* squash the unused parameter warning */ +#if !defined(USE_OS_THREADS) + /* no synchronization is needed */ + return *val+=amount; +#elif defined(__GNUC__) && defined(__ATOMIC_ACQ_REL) + if(__atomic_is_lock_free(sizeof *val, val)) + return __atomic_add_fetch(val, amount, __ATOMIC_ACQ_REL); +#elif defined(_MSC_VER) + return InterlockedExchangeAdd(val, amount)+amount; #endif + CRYPTO_THREAD_write_lock(lock); + ret=(*val+=amount); + CRYPTO_THREAD_unlock(lock); + return ret; +} + +#endif /* OPENSSL_VERSION_NUMBER<0x10100004L */ + +CRYPTO_RWLOCK *stunnel_locks[STUNNEL_LOCKS]; #if OPENSSL_VERSION_NUMBER<0x10100004L +#ifdef USE_OS_THREADS + static struct CRYPTO_dynlock_value *lock_cs; -NOEXPORT struct CRYPTO_dynlock_value *dyn_create_function(const char *file, +NOEXPORT struct CRYPTO_dynlock_value *s_dynlock_create_cb(const char *file, int line) { struct CRYPTO_dynlock_value *lock; lock=str_alloc_detached(sizeof(struct CRYPTO_dynlock_value)); - stunnel_rwlock_init_debug(lock, file, line); + s_lock_init_debug(lock, file, line); return lock; } -NOEXPORT void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *lock, +NOEXPORT void s_dynlock_lock_cb(int mode, struct CRYPTO_dynlock_value *lock, const char *file, int line) { if(mode&CRYPTO_LOCK) { /* either CRYPTO_READ or CRYPTO_WRITE (but not both) are needed */ if(!(mode&CRYPTO_READ)==!(mode&CRYPTO_WRITE)) fatal("Invalid locking mode"); if(mode&CRYPTO_WRITE) - stunnel_write_lock_debug(lock, file, line); + s_write_lock_debug(lock, file, line); else - stunnel_read_lock_debug(lock, file, line); + s_read_lock_debug(lock, file, line); } else - stunnel_write_unlock_debug(lock, 
file, line); + s_unlock_debug(lock, file, line); +} + +NOEXPORT void s_dynlock_destroy_cb(struct CRYPTO_dynlock_value *lock, + const char *file, int line) { + s_lock_destroy_debug(lock, file, line); + str_free(lock); +} + +NOEXPORT void s_locking_cb(int mode, int type, const char *file, int line) { + s_dynlock_lock_cb(mode, lock_cs+type, file, line); } -NOEXPORT void dyn_destroy_function(struct CRYPTO_dynlock_value *lock, +NOEXPORT int s_add_lock_cb(int *num, int amount, int type, const char *file, int line) { - stunnel_rwlock_destroy_debug(lock, file, line); + (void)file; /* squash the unused parameter warning */ + (void)line; /* squash the unused parameter warning */ + return s_atomic_add(num, amount, lock_cs+type); +} + +CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void) { + struct CRYPTO_dynlock_value *lock; + + lock=str_alloc_detached(sizeof(CRYPTO_RWLOCK)); + s_lock_init_debug(lock, __FILE__, __LINE__); + return lock; +} + +int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock) { + s_read_lock_debug(lock, __FILE__, __LINE__); + return 1; +} + +int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock) { + s_write_lock_debug(lock, __FILE__, __LINE__); + return 1; +} + +int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock) { + s_unlock_debug(lock, __FILE__, __LINE__); + return 1; +} + +void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock) { + s_lock_destroy_debug(lock, __FILE__, __LINE__); str_free(lock); } -NOEXPORT void locking_callback(int mode, int type, const char *file, int line) { - dyn_lock_function(mode, lock_cs+type, file, line); +#else /* USE_OS_THREADS */ + +CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void) { + return NULL; +} + +int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock) { + (void)lock; /* squash the unused parameter warning */ + return 1; +} + +int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock) { + (void)lock; /* squash the unused parameter warning */ + return 1; +} + +int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock) { + (void)lock; /* squash the unused parameter warning */ + return 
1; +} + +void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock) { + (void)lock; /* squash the unused parameter warning */ +} + +#endif /* USE_OS_THREADS */ + +int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) { + *ret=s_atomic_add(val, amount, lock); + return 1; } #endif /* OPENSSL_VERSION_NUMBER<0x10100004L */ void locking_init(void) { size_t i; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if defined(USE_OS_THREADS) && OPENSSL_VERSION_NUMBER<0x10100004L size_t num; -#endif - /* initialize stunnel critical sections */ - for(i=0; icontext.uc_stack.ss_size=arg->opt->stack_size; context->context.uc_stack.ss_flags=0; - makecontext(&context->context, (void(*)(void))cli, ARGC, arg); + makecontext(&context->context, (void(*)(void))client_thread, ARGC, arg); s_log(LOG_DEBUG, "New context created"); return 0; } @@ -397,6 +468,7 @@ int sthreads_init(void) { thread_id_init(); + locking_init(); return 0; } @@ -405,7 +477,7 @@ signal(SIGCHLD, null_handler); } -int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { +int create_client(SOCKET ls, SOCKET s, CLI *arg) { switch(fork()) { case -1: /* error */ str_free(arg); @@ -416,7 +488,7 @@ if(ls>=0) closesocket(ls); signal(SIGCHLD, null_handler); - cli(arg); + client_thread(arg); _exit(0); default: /* parent */ str_free(arg); @@ -436,7 +508,7 @@ return 0; } -int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { +int create_client(SOCKET ls, SOCKET s, CLI *arg) { pthread_t thread; pthread_attr_t pth_attr; int error; @@ -458,7 +530,7 @@ pthread_attr_init(&pth_attr); pthread_attr_setdetachstate(&pth_attr, PTHREAD_CREATE_DETACHED); pthread_attr_setstacksize(&pth_attr, arg->opt->stack_size); - error=pthread_create(&thread, &pth_attr, cli, arg); + error=pthread_create(&thread, &pth_attr, client_thread, arg); pthread_attr_destroy(&pth_attr); #if defined(HAVE_PTHREAD_SIGMASK) && !defined(__APPLE__) pthread_sigmask(SIG_SETMASK, &old_set, NULL); /* unblock signals */ 
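Review bot: The pre-1.1.0 shims CRYPTO_THREAD_lock_new(), CRYPTO_THREAD_read_lock(), CRYPTO_THREAD_write_lock() and CRYPTO_THREAD_unlock() pass their own `__FILE__, __LINE__` to the s_*_debug helpers. The `read_lock_file`, `write_lock_file` and `unlock_file` fields will therefore always name sthreads.c rather than the code that took the lock. The lock shims also return 1 unconditionally, and the helpers drop the results of the pthread_rwlock_* calls, so a failed lock operation is indistinguishable from success. A comment on the shims, e.g. `/* file/line identify this shim, not the caller */`, would keep the debug fields from being misread. The tail of this hunk falls in a stretch of the page where text is missing, so locking_init() itself is not reviewed here.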
@@ -479,23 +551,31 @@ #ifdef USE_WIN32 +#if !defined(_MT) +#error _beginthreadex requires a multithreaded C run-time library +#endif + int sthreads_init(void) { thread_id_init(); locking_init(); return 0; } -int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { +int create_client(SOCKET ls, SOCKET s, CLI *arg) { + HANDLE thread; + (void)ls; /* this parameter is only used with USE_FORK */ s_log(LOG_DEBUG, "Creating a new thread"); - if((long)_beginthread((void(*)(void *))cli, - (unsigned)arg->opt->stack_size, arg)==-1) { - ioerror("_beginthread"); + thread=(HANDLE)_beginthreadex(NULL, (unsigned)arg->opt->stack_size, + client_thread, arg, STACK_SIZE_PARAM_IS_A_RESERVATION, NULL); + if(!thread) { + ioerror("_beginthreadex"); str_free(arg); if(s!=INVALID_SOCKET) closesocket(s); return -1; } + CloseHandle(thread); s_log(LOG_DEBUG, "New thread created"); return 0; } @@ -520,10 +600,10 @@ return (unsigned long)ppib->pib_ulpid; } -int create_client(SOCKET ls, SOCKET s, CLI *arg, void *(*cli)(void *)) { +int create_client(SOCKET ls, SOCKET s, CLI *arg) { (void)ls; /* this parameter is only used with USE_FORK */ s_log(LOG_DEBUG, "Creating a new thread"); - if((long)_beginthread((void(*)(void *))cli, NULL, arg->opt->stack_size, arg)==-1L) { + if((long)_beginthread(client_thread, NULL, arg->opt->stack_size, arg)==-1L) { ioerror("_beginthread"); str_free(arg); if(s>=0) 
@@ -538,69 +618,109 @@ #ifdef _WIN32_WCE -long _beginthread(void (*start_address)(void *), - int stack_size, void *arglist) { - DWORD thread_id; - HANDLE handle; - - handle=CreateThread(NULL, stack_size, +uintptr_t _beginthreadex(void *security, unsigned stack_size, + unsigned ( __stdcall *start_address)(void *), + void *arglist, unsigned initflag, unsigned *thrdaddr) { + return CreateThread(NULL, stack_size, (LPTHREAD_START_ROUTINE)start_address, arglist, - STACK_SIZE_PARAM_IS_A_RESERVATION, &thread_id); - if(!handle) - return -1L; - CloseHandle(handle); - return 0; + (DWORD)initflag, (LPDWORD)thrdaddr); } -void _endthread(void) { - ExitThread(0); +void _endthreadex(unsigned retval) { + ExitThread(retval); } #endif /* _WIN32_WCE */ #ifdef DEBUG_STACK_SIZE -#define STACK_RESERVE (STACK_SIZE/8) -#define VERIFY_AREA ((STACK_SIZE-STACK_RESERVE)/sizeof(uint32_t)) -#define TEST_VALUE 0xdeadbeef +#define STACK_RESERVE 16384 /* some heuristic to determine the usage of client stack size */ -void stack_info(int init) { /* 1-initialize, 0-display */ - uint32_t table[VERIFY_AREA]; - int i, num; - static int min_num=VERIFY_AREA; +NOEXPORT size_t stack_num(size_t stack_size, int init) { +#ifdef _WIN64 + typedef unsigned long long TL; +#else + typedef unsigned long TL; +#endif + size_t verify_area, verify_num, i; + TL test_value, *table; + + if(stack_size=16) + return stack_size-i*sizeof(TL); /* the stack grows up */ - for(i=0; inum) /* use the higher value */ - num=i; - if(num<64) { - s_log(LOG_NOTICE, "STACK_RESERVE is too high"); - return; - } - if(num=16) + return stack_size-(i*sizeof(TL)+STACK_RESERVE); + return 0; /* not enough samples for meaningful results */ } } +#ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) +#pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ +#pragma GCC diagnostic ignored "-Wformat" +#endif /* __GNUC__ */ +void stack_info(size_t stack_size, int init) { /* 1-initialize, 0-display */ + static size_t max_num=0; + size_t 
num; + +#ifdef USE_WIN32 + SYSTEM_INFO si; + GetSystemInfo(&si); + stack_size&=~((size_t)si.dwPageSize-1); +#elif defined(_SC_PAGESIZE) + stack_size&=~((size_t)sysconf(_SC_PAGESIZE)-1); +#elif defined(_SC_PAGE_SIZE) + stack_size&=~((size_t)sysconf(_SC_PAGE_SIZE)-1); +#else + stack_size&=~(4096-1); /* just a guess */ +#endif + num=stack_num(stack_size, init); + if(init) + return; + if(!num) { + s_log(LOG_NOTICE, "STACK_RESERVE is too high"); + return; + } + if(num>max_num) + max_num=num; + s_log(LOG_NOTICE, +#ifdef USE_WIN32 + "stack_info: size=%Iu, current=%Iu (%Iu%%), maximum=%Iu (%Iu%%)", +#else + "stack_info: size=%zu, current=%zu (%zu%%), maximum=%zu (%zu%%)", +#endif + stack_size, + num, num*100/stack_size, + max_num, max_num*100/stack_size); +} +#ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) +#pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ +#endif /* __GNUC__ */ + #endif /* DEBUG_STACK_SIZE */ /* end of sthreads.c */ diff -Nru stunnel4-5.44/src/str.c stunnel4-5.50/src/str.c --- stunnel4-5.44/src/str.c 2017-08-17 09:18:53.000000000 +0000 +++ stunnel4-5.50/src/str.c 2018-08-09 05:43:52.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -38,6 +38,9 @@ #include "common.h" #include "prototypes.h" +/* Uncomment to see allocation sources in core dumps */ +/* #define DEBUG_PADDING 64 */ + /* reportedly, malloc does not always return 16-byte aligned addresses * for 64-bit targets as specified by * https://msdn.microsoft.com/en-us/library/6ewkz86d.aspx */ 
@@ -66,6 +69,9 @@ size_t size; const char *alloc_file, *free_file; int alloc_line, free_line; +#ifdef DEBUG_PADDING + char debug[DEBUG_PADDING]; +#endif uint64_t valid_canary, magic; #ifdef __GNUC__ } __attribute__((aligned(16))); @@ -116,11 +122,23 @@ char *str_dup_debug(const char *str, const char *file, int line) { char *retval; + if(!str) + return NULL; retval=str_alloc_debug(strlen(str)+1, file, line); strcpy(retval, str); return retval; } +char *str_dup_detached_debug(const char *str, const char *file, int line) { + char *retval; + + if(!str) + return NULL; + retval=str_alloc_detached_debug(strlen(str)+1, file, line); + strcpy(retval, str); + return retval; +} + char *str_printf(const char *format, ...) { char *txt; va_list arglist; @@ -132,7 +150,9 @@ } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ #pragma GCC diagnostic ignored "-Wformat-nonliteral" #endif /* __GNUC__ */ char *str_vprintf(const char *format, va_list start_ap) { @@ -155,7 +175,9 @@ } } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ #ifdef USE_WIN32 @@ -246,7 +268,7 @@ tls_data=tls_get(); if(!tls_data) { tls_data=tls_alloc(NULL, NULL, "alloc"); - s_log(LOG_ERR, "INTERNAL ERROR: Uninitialized TLS at %s, line %d", + s_log(LOG_CRIT, "INTERNAL ERROR: Uninitialized TLS at %s, line %d", file, line); } @@ -281,6 +303,10 @@ alloc_list->alloc_line=line; alloc_list->free_file="none"; alloc_list->free_line=0; +#ifdef DEBUG_PADDING + snprintf(alloc_list->debug+1, DEBUG_PADDING-1, "ALLOC_%lu@%s:%d", + (unsigned long)size, file, line); +#endif alloc_list->valid_canary=canary_initialized; /* before memcpy */ memcpy((uint8_t *)(alloc_list+1)+size, canary, sizeof canary); alloc_list->magic=MAGIC_ALLOCATED; 
@@ -332,6 +358,10 @@ alloc_list->alloc_line=line; alloc_list->free_file="none"; alloc_list->free_line=0; +#ifdef DEBUG_PADDING + snprintf(alloc_list->debug+1, DEBUG_PADDING-1, "ALLOC_%lu@%s:%d", + (unsigned long)size, file, line); +#endif alloc_list->valid_canary=canary_initialized; /* before memcpy */ memcpy((uint8_t *)ptr+size, canary, sizeof canary); str_leak_debug(alloc_list, 1); @@ -372,8 +402,8 @@ alloc_list=(ALLOC_LIST *)ptr-1; if(alloc_list->magic==MAGIC_DEALLOCATED) { /* double free */ /* this may (unlikely) log garbage instead of file names */ - s_log(LOG_CRIT, - "Double free attempt: ptr=%p alloc=%s:%d free#1=%s:%d free#2=%s:%d", + s_log(LOG_CRIT, "INTERNAL ERROR: Double free attempt: " + "ptr=%p alloc=%s:%d free#1=%s:%d free#2=%s:%d", ptr, alloc_list->alloc_file, alloc_list->alloc_line, alloc_list->free_file, alloc_list->free_line, 
@@ -410,12 +440,15 @@ NOEXPORT void str_leak_debug(const ALLOC_LIST *alloc_list, int change) { static size_t entries=0; LEAK_ENTRY *entry; - int new_entry, allocations; + int new_entry; + int allocations; -#if defined(USE_PTHREAD) || defined(USE_WIN32) - if(!&stunnel_locks[STUNNEL_LOCKS-1]) /* threads not initialized */ + if(service_options.log_levelalloc_file!=alloc_list->alloc_file; if(new_entry) { /* the file:line pair was encountered for the first time */ - stunnel_write_lock(&stunnel_locks[LOCK_LEAK_HASH]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_HASH]); entry=leak_search(alloc_list); /* the list may have changed */ if(entry->alloc_line==0) { if(entries>LEAK_TABLE_SIZE-100) { /* this should never happen */ - stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_HASH]); return; } entries++; entry->alloc_line=alloc_list->alloc_line; entry->alloc_file=alloc_list->alloc_file; } - stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_HASH]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_HASH]); } -#ifdef PRECISE_LEAK_ALLOCATON_COUNTERS - /* this is *really* slow in OpenSSL < 1.1.0 */ + /* for performance we try to avoid calling CRYPTO_atomic_add() here */ +#ifdef USE_OS_THREADS +#if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL) + if(__atomic_is_lock_free(sizeof entry->num, &entry->num)) + allocations=__atomic_add_fetch(&entry->num, change, __ATOMIC_ACQ_REL); + else + CRYPTO_atomic_add(&entry->num, change, &allocations, + stunnel_locks[LOCK_LEAK_HASH]); +#elif defined(_MSC_VER) + allocations=InterlockedExchangeAdd(&entry->num, change)+change; +#else /* atomic add not directly supported by the compiler */ CRYPTO_atomic_add(&entry->num, change, &allocations, - &stunnel_locks[LOCK_LEAK_HASH]); -#else - allocations=(entry->num+=change); /* we just need an estimate... 
*/ + stunnel_locks[LOCK_LEAK_HASH]); #endif +#else /* USE_OS_THREADS */ + allocations=(entry->num+=change); +#endif /* USE_OS_THREADS */ if(allocations<=leak_threshold()) /* leak not detected */ return; @@ -457,7 +500,7 @@ } /* we *may* need to allocate a new leak_results entry */ /* locking is slow, so we try to avoid it if possible */ - stunnel_write_lock(&stunnel_locks[LOCK_LEAK_RESULTS]); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_LEAK_RESULTS]); if(entry->max==0) { /* the table may have changed */ leak_results[leak_result_num]=entry; entry->max=allocations; @@ -465,12 +508,14 @@ } else { /* gracefully handle the race condition */ entry->max=allocations; } - stunnel_write_unlock(&stunnel_locks[LOCK_LEAK_RESULTS]); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_LEAK_RESULTS]); } /* O(1) hash table lookup */ NOEXPORT LEAK_ENTRY *leak_search(const ALLOC_LIST *alloc_list) { - int i=alloc_list->alloc_line%LEAK_TABLE_SIZE; + /* a trivial hash based on source file name *address* and line number */ + unsigned i=((unsigned)(uintptr_t)alloc_list->alloc_file+ + (unsigned)alloc_list->alloc_line)%LEAK_TABLE_SIZE; while(!(leak_hash_table[i].alloc_line==0 || (leak_hash_table[i].alloc_line==alloc_list->alloc_line && @@ -479,6 +524,22 @@ return leak_hash_table+i; } +void leak_table_utilization() { + int i, utilization=0; + + for(i=0; i compare full words */ + pl1=(TL *)s1; + pl2=(TL *)s2; + while(n>=sizeof(TL)) { + n-=sizeof(TL); + r|=(*pl1++)^(*pl2++); + } + ps1=(TS *)pl1; + ps2=(TS *)pl2; + } while(n--) - r|=(*p1++)^(*p2++); - return r; + r|=(*ps1++)^(*ps2++); + return r!=0; } /* end of str.c */ diff -Nru stunnel4-5.44/src/stunnel3.in stunnel4-5.50/src/stunnel3.in --- stunnel4-5.44/src/stunnel3.in 2016-05-03 18:35:03.000000000 +0000 +++ stunnel4-5.50/src/stunnel3.in 2018-04-06 14:25:10.000000000 +0000 
@@ -1,7 +1,7 @@ #!/usr/bin/perl # # stunnel3 Perl wrapper to use stunnel 3.x syntax in stunnel >=4.05 -# Copyright (C) 2004-2012 Michal Trojnara +# Copyright (C) 1998-2018 Michal Trojnara # Version: 2.03 # Date: 2011.10.22 # diff -Nru stunnel4-5.44/src/stunnel.c stunnel4-5.50/src/stunnel.c --- stunnel4-5.44/src/stunnel.c 2017-10-07 14:23:08.000000000 +0000 +++ stunnel4-5.50/src/stunnel.c 2018-10-23 11:24:33.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -42,14 +42,18 @@ #ifdef USE_WIN32 #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic push +#endif /* __GNUC__>=4.6 */ #pragma GCC diagnostic ignored "-Wpedantic" #endif /* __GNUC__ */ #include #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ #endif /* USE_WIN32 */ @@ -64,7 +68,12 @@ }; #endif +#if !defined(USE_WIN32) && !defined(USE_OS2) +NOEXPORT void pid_status_nohang(const char *); +NOEXPORT void status_info(int, int, const char *); +#endif NOEXPORT int accept_connection(SERVICE_OPTIONS *, unsigned); +NOEXPORT int exec_connect_start(void); NOEXPORT void unbind_port(SERVICE_OPTIONS *, unsigned); NOEXPORT SOCKET bind_port(SERVICE_OPTIONS *, int, unsigned); #ifdef HAVE_CHROOT @@ -72,9 +81,6 @@ #endif NOEXPORT int signal_pipe_init(void); NOEXPORT int signal_pipe_dispatch(void); -#ifdef USE_FORK -NOEXPORT void client_status(void); /* dead children detected */ -#endif NOEXPORT char *signal_name(int); /**************************************** global variables */ 
@@ -82,9 +88,9 @@ static SOCKET signal_pipe[2]={INVALID_SOCKET, INVALID_SOCKET}; #ifndef USE_FORK -long max_clients=0; +int max_clients=0; /* -1 before a valid config is loaded, then the current number of clients */ -volatile long num_clients=-1; +int num_clients=-1; #endif s_poll_set *fds; /* file descriptors of listening sockets */ int systemd_fds; /* number of file descriptors passed by systemd */ @@ -143,11 +149,9 @@ return cmdline_status; options_apply(); str_canary_init(); /* needs prng initialization from options_cmdline */ -#if !defined(USE_WIN32) && !defined(__vms) - /* syslog_open() must be called before change_root() + /* log_open(SINK_SYSLOG) must be called before change_root() * to be able to access /dev/log socket */ - syslog_open(); -#endif /* !defined(USE_WIN32) && !defined(__vms) */ + log_open(SINK_SYSLOG); if(bind_ports()) return 1; @@ -161,15 +165,16 @@ if(drop_privileges(1)) return 1; - /* log_open() must be called after drop_privileges() + /* log_open(SINK_OUTFILE) must be called after drop_privileges() * or logfile rotation won't be possible */ - /* log_open() must be called before daemonize() - * since daemonize() invalidates stderr */ - if(log_open()) + if(log_open(SINK_OUTFILE)) return 1; #ifndef USE_FORK num_clients=0; /* the first valid config */ #endif + /* log_flush(LOG_MODE_CONFIGURED) must be called before daemonize() + * since daemonize() invalidates stderr */ + log_flush(LOG_MODE_CONFIGURED); return 0; } 
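Review bot: After `volatile long num_clients` becomes `int num_clients` in the `-82,9` hunk, nothing on the declaration says how the counter is synchronised, and the `num_clients>=max_clients` test in accept_connection() (`-355,15` hunk) reads it with no lock visible there. If the updates now go through a lock or an atomic helper outside this section, the declaration should name it, for example `/* modified only under <lock name>; the read in accept_connection() is advisory */`. If they do not, the check races with client threads and the connection cap is only approximate, which should be stated just as explicitly.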
@@ -213,79 +218,65 @@ str_stats(); /* main thread allocation tracking */ #endif log_flush(LOG_MODE_ERROR); -#if !defined(USE_WIN32) && !defined(__vms) - syslog_close(); -#endif /* !defined(USE_WIN32) && !defined(__vms) */ + log_close(SINK_SYSLOG|SINK_OUTFILE); } /**************************************** Unix-specific initialization */ -#ifndef USE_WIN32 +#if !defined(USE_WIN32) && !defined(USE_OS2) -#ifdef USE_FORK -NOEXPORT void client_status(void) { /* dead children detected */ +NOEXPORT void pid_status_nohang(const char *info) { int pid, status; -#ifdef HAVE_WAIT_FOR_PID - while((pid=wait_for_pid(-1, &status, WNOHANG))>0) { -#else - if((pid=wait(&status))>0) { -#endif -#ifdef WIFSIGNALED - if(WIFSIGNALED(status)) { - char *sig_name=signal_name(WTERMSIG(status)); - s_log(LOG_DEBUG, "Process %d terminated on %s", - pid, sig_name); - str_free(sig_name); - } else { - s_log(LOG_DEBUG, "Process %d finished with code %d", - pid, WEXITSTATUS(status)); - } - } -#else - s_log(LOG_DEBUG, "Process %d finished with code %d", - pid, status); - } +#ifdef HAVE_WAITPID /* POSIX.1 */ + s_log(LOG_DEBUG, "Retrieving pid statuses with waitpid()"); + while((pid=waitpid(-1, &status, WNOHANG))>0) + status_info(pid, status, info); +#elif defined(HAVE_WAIT4) /* 4.3BSD */ + s_log(LOG_DEBUG, "Retrieving pid statuses with wait4()"); + while((pid=wait4(-1, &status, WNOHANG, NULL))>0) + status_info(pid, status, info); +#else /* no support for WNOHANG */ + pid_status_hang(info); #endif } -#endif /* defined USE_FORK */ - -#ifndef USE_OS2 -void child_status(void) { /* dead libwrap or 'exec' process detected */ +void pid_status_hang(const char *info) { int pid, status; -#ifdef HAVE_WAIT_FOR_PID - while((pid=wait_for_pid(-1, &status, WNOHANG))>0) { -#else - if((pid=wait(&status))>0) { -#endif + s_log(LOG_DEBUG, "Retrieving a pid status with wait()"); + if((pid=wait(&status))>0) + status_info(pid, status, info); +} + +NOEXPORT void status_info(int pid, int status, const char *info) { #ifdef 
WIFSIGNALED - if(WIFSIGNALED(status)) { - char *sig_name=signal_name(WTERMSIG(status)); - s_log(LOG_INFO, "Child process %d terminated on %s", - pid, sig_name); - str_free(sig_name); - } else { - s_log(LOG_INFO, "Child process %d finished with code %d", - pid, WEXITSTATUS(status)); - } + if(WIFSIGNALED(status)) { + char *sig_name=signal_name(WTERMSIG(status)); + s_log(LOG_INFO, "%s %d terminated on %s", info, pid, sig_name); + str_free(sig_name); + } else { + s_log(LOG_INFO, "%s %d finished with code %d", + info, pid, WEXITSTATUS(status)); + } #else - s_log(LOG_INFO, "Child process %d finished with status %d", - pid, status); + s_log(LOG_INFO, "%s %d finished with status %d", info, pid, status); #endif - } } -#endif /* !defined(USE_OS2) */ - -#endif /* !defined(USE_WIN32) */ +#endif /* !defined(USE_WIN32) && !defined(USE_OS2) */ /**************************************** main loop accepting connections */ void daemon_loop(void) { - if(cron_init()) /* initialize periodic events */ - fatal("Cron initialization failed"); + if(cron_init()) { /* initialize periodic events */ + s_log(LOG_CRIT, "Cron initialization failed"); + exit(1); + } + if(exec_connect_start()) { + s_log(LOG_CRIT, "Failed to start exec+connect services"); + exit(1); + } while(1) { int temporary_lack_of_resources=0; int num=s_poll_wait(fds, -1, -1); @@ -299,10 +290,13 @@ break; /* terminate daemon_loop */ for(opt=service_options.next; opt; opt=opt->next) { unsigned i; - for(i=0; ilocal_addr.num; ++i) - if(s_poll_canread(fds, opt->local_addr.fd[i])) - if(accept_connection(opt, i)) - temporary_lack_of_resources=1; + for(i=0; ilocal_addr.num; ++i) { + SOCKET fd=opt->local_fd[i]; + if(fd!=INVALID_SOCKET && + s_poll_canread(fds, fd) && + accept_connection(opt, i)) + temporary_lack_of_resources=1; + } } } else { log_error(LOG_NOTICE, get_last_socket_error(), 
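Review bot: The `fd!=INVALID_SOCKET` guard added to the accept loop makes a service with unbound listeners a normal running state. bind_ports() now fails only when `bound_ports` is zero (`-454,29` hunk), and the per-address failure in bind_port() drops from `LOG_ERR` to `LOG_NOTICE`. A service that lists several local addresses can therefore come up after a start or reload with one of them missing, and an operator filtering on errors would not see it. I would keep the bind failure at error level, `s_log(LOG_ERR, "Binding service [%s] to %s: %s (%d)", ...)`, or log a warning after the inner loop when `bound_ports` is lower than `local_addr.num`. daemon_loop() continues outside this hunk.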
@@ -315,13 +309,14 @@ sleep(1); /* to avoid log trashing */ } } + leak_table_utilization(); } /* return 1 when a short delay is needed before another try */ NOEXPORT int accept_connection(SERVICE_OPTIONS *opt, unsigned i) { SOCKADDR_UNION addr; char *from_address; - SOCKET s, fd=opt->local_addr.fd[i]; + SOCKET s, fd=opt->local_fd[i]; socklen_t addrlen; addrlen=sizeof addr; @@ -355,15 +350,21 @@ RAND_add("", 1, 0.0); /* each child needs a unique entropy pool */ #else if(max_clients && num_clients>=max_clients) { - s_log(LOG_WARNING, "Connection rejected: too many clients (>=%ld)", + s_log(LOG_WARNING, "Connection rejected: too many clients (>=%d)", max_clients); closesocket(s); return 0; } #endif - if(create_client(fd, s, alloc_client_session(opt, s, s), client_thread)) { +#ifndef USE_FORK + service_up_ref(opt); +#endif + if(create_client(fd, s, alloc_client_session(opt, s, s))) { s_log(LOG_ERR, "Connection rejected: create_client failed"); closesocket(s); +#ifndef USE_FORK + service_free(opt); +#endif return 0; } return 0; @@ -371,6 +372,30 @@ /**************************************** initialization helpers */ +NOEXPORT int exec_connect_start(void) { + SERVICE_OPTIONS *opt; + + for(opt=service_options.next; opt; opt=opt->next) { + if(opt->exec_name && opt->connect_addr.names) { + s_log(LOG_DEBUG, "Starting exec+connect service [%s]", + opt->servname); +#ifndef USE_FORK + service_up_ref(opt); +#endif + if(create_client(INVALID_SOCKET, INVALID_SOCKET, + alloc_client_session(opt, INVALID_SOCKET, INVALID_SOCKET))) { + s_log(LOG_ERR, "Failed to start exec+connect service [%s]", + opt->servname); +#ifndef USE_FORK + service_free(opt); +#endif + return 1; /* fatal error */ + } + } + } + return 0; /* OK */ +} + /* clear fds, close old ports */ void unbind_ports(void) { SERVICE_OPTIONS *opt; 
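Review bot: exec_connect_start() repeats the `service_up_ref(opt)` / `create_client()` / `service_free(opt)` sequence that the `-355,15` hunk adds to accept_connection(), and neither copy says who releases the reference once create_client() succeeds. A comment above the first `#ifndef USE_FORK` would make the ownership explicit, e.g. `/* reference is handed to the client on success and released here on failure */`, assuming that is the contract. The function also returns on the first failing service, so daemon_loop() exits without attempting the remaining exec+connect sections. If that fail-fast behaviour is intended, the `return 1; /* fatal error */` line should say so.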
@@ -378,7 +403,13 @@ s_poll_init(fds); s_poll_add(fds, signal_pipe[0], 1, 0); - for(opt=service_options.next; opt; opt=opt->next) { + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_SECTIONS]); + + opt=service_options.next; + service_options.next=NULL; + service_free(&service_options); + + while(opt) { unsigned i; s_log(LOG_DEBUG, "Unbinding service [%s]", opt->servname); for(i=0; ilocal_addr.num; ++i) @@ -388,6 +419,7 @@ /* create exec+connect services */ /* FIXME: this is just a crude workaround */ /* is it better to kill the service? */ + /* FIXME: this won't work with FORK threads */ opt->option.retry=0; } /* purge session cache of the old SSL_CTX object */ @@ -397,19 +429,28 @@ SSL_CTX_flush_sessions(opt->ctx, (long)time(NULL)+opt->session_timeout+1); s_log(LOG_DEBUG, "Service [%s] closed", opt->servname); + + { + SERVICE_OPTIONS *garbage=opt; + opt=opt->next; + garbage->next=NULL; + service_free(garbage); + } } + + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SECTIONS]); } NOEXPORT void unbind_port(SERVICE_OPTIONS *opt, unsigned i) { - SOCKET fd=opt->local_addr.fd[i]; - SOCKADDR_UNION *addr=opt->local_addr.addr+i; + SOCKET fd=opt->local_fd[i]; #ifdef HAVE_STRUCT_SOCKADDR_UN + SOCKADDR_UNION *addr=opt->local_addr.addr+i; struct stat sb; /* buffer for lstat() */ #endif if(fd==INVALID_SOCKET) return; - opt->local_addr.fd[i]=INVALID_SOCKET; + opt->local_fd[i]=INVALID_SOCKET; if(fd<(SOCKET)listen_fds_start || fd>=(SOCKET)(listen_fds_start+systemd_fds)) 
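Review bot: In the `-378,7` hunk, `service_free(&service_options)` is applied to the list head, which is addressed as an object rather than through a pointer, so a reader cannot tell whether service_free() only drops a reference and releases owned members or would also free the structure. A one-line comment would settle it, e.g. `/* drop the global section's reference; the head structure itself is not heap-allocated */`, if that matches service_free(). The write lock on `LOCK_SECTIONS` is also held across unbind_port(), `SSL_CTX_flush_sessions()` and the per-service logging for the whole list. If readers such as update_peer_menu() in ui_win_gui.c can block on it, consider detaching the list under the lock and tearing the entries down after `CRYPTO_THREAD_unlock()`. unbind_ports() starts before this hunk.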
@@ -454,29 +495,38 @@ for(opt=service_options.next; opt; opt=opt->next) { unsigned i; for(i=0; ilocal_addr.num; ++i) - opt->local_addr.fd[i]=INVALID_SOCKET; + opt->local_fd[i]=INVALID_SOCKET; } listening_section=0; for(opt=service_options.next; opt; opt=opt->next) { - unsigned i; - s_log(LOG_DEBUG, "Binding service [%s]", opt->servname); - for(i=0; ilocal_addr.num; ++i) { - SOCKET fd; - fd=bind_port(opt, listening_section, i); - if(fd==INVALID_SOCKET) + opt->bound_ports=0; + if(opt->local_addr.num) { /* ports to bind for this service */ + unsigned i; + s_log(LOG_DEBUG, "Binding service [%s]", opt->servname); + for(i=0; ilocal_addr.num; ++i) { + SOCKET fd; + fd=bind_port(opt, listening_section, i); + opt->local_fd[i]=fd; + if(fd!=INVALID_SOCKET) { + s_poll_add(fds, fd, 1, 0); + ++opt->bound_ports; + } + } + if(!opt->bound_ports) { + s_log(LOG_ERR, "Binding service [%s] failed", opt->servname); return 1; - s_poll_add(fds, fd, 1, 0); - opt->local_addr.fd[i]=fd; - } - if(opt->local_addr.num) + } ++listening_section; - /* create exec+connect services */ - if(opt->exec_name && opt->connect_addr.names) { - /* FIXME: needs to be delayed on reload with opt->option.retry set */ - create_client(INVALID_SOCKET, INVALID_SOCKET, - alloc_client_session(opt, INVALID_SOCKET, INVALID_SOCKET), - client_thread); + } else if(opt->exec_name && opt->connect_addr.names) { + s_log(LOG_DEBUG, "Skipped exec+connect service [%s]", opt->servname); +#ifndef OPENSSL_NO_TLSEXT + } else if(!opt->option.client && opt->sni) { + s_log(LOG_DEBUG, "Skipped SNI slave service [%s]", opt->servname); +#endif + } else { /* each service must define two endpoints */ + s_log(LOG_ERR, "Invalid service [%s]", opt->servname); + return 1; } } if(listening_section=systemd_fds) { if(bind(fd, &addr->sa, addr_len(addr))) { - sockerror("bind"); - s_log(LOG_ERR, "Error binding service [%s] to %s", - opt->servname, local_address); + int err=get_last_socket_error(); + s_log(LOG_NOTICE, "Binding service [%s] to %s: %s 
(%d)", + opt->servname, local_address, s_strerror(err), err); str_free(local_address); closesocket(fd); return INVALID_SOCKET; @@ -558,7 +608,7 @@ } #endif - s_log(LOG_DEBUG, "Service [%s] (FD=%ld) bound to %s", + s_log(LOG_INFO, "Service [%s] (FD=%ld) bound to %s", opt->servname, (long)fd, local_address); str_free(local_address); return fd; @@ -576,6 +626,7 @@ sockerror("chdir"); return 1; } + s_log(LOG_NOTICE, "Switched to chroot directory: %s", global_options.chroot_dir); return 0; } #endif /* HAVE_CHROOT */ 
@@ -623,96 +674,117 @@ } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || defined(__clang__) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wunused-result" +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ -void signal_post(int sig) { +void signal_post(uint8_t sig) { /* no meaningful way here to handle the result */ - writesocket(signal_pipe[1], (char *)&sig, sizeof sig); + writesocket(signal_pipe[1], (char *)&sig, 1); } #ifdef __GNUC__ +#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) #pragma GCC diagnostic pop +#endif /* __GNUC__>=4.6 */ #endif /* __GNUC__ */ +/* make a single attempt to dispatch a signal from the signal pipe */ +/* return 1 on SIGNAL_TERMINATE or a fatal error, 0 otherwise */ NOEXPORT int signal_pipe_dispatch(void) { - static int sig; - static size_t ptr=0; + uint8_t sig=0xff; ssize_t num; char *sig_name; - s_log(LOG_DEBUG, "Dispatching signals from the signal pipe"); - for(;;) { - num=readsocket(signal_pipe[0], (char *)&sig+ptr, sizeof sig-ptr); - if(num==-1 && get_last_socket_error()==S_EWOULDBLOCK) { - s_log(LOG_DEBUG, "Signal pipe is empty"); - return 0; - } - if(num==-1 || num==0) { - if(num) - sockerror("signal pipe read"); - else - s_log(LOG_ERR, "Signal pipe closed"); - s_poll_remove(fds, signal_pipe[0]); - closesocket(signal_pipe[0]); - closesocket(signal_pipe[1]); - if(signal_pipe_init()) { - s_log(LOG_ERR, - "Signal pipe reinitialization failed; terminating"); - return 1; + s_log(LOG_DEBUG, "Dispatching a signal from the signal pipe"); + num=readsocket(signal_pipe[0], (char *)&sig, 1); + if(num!=1) { + if(num) { + if(get_last_socket_error()==S_EWOULDBLOCK) { + s_log(LOG_DEBUG, "Signal pipe is empty"); + return 0; } - s_poll_add(fds, signal_pipe[0], 1, 0); - s_log(LOG_ERR, "Signal pipe reinitialized"); - return 0; - } - ptr+=(size_t)num; - if(ptr + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms 
of the GNU General Public License as published by the diff -Nru stunnel4-5.44/src/ui_unix.c stunnel4-5.50/src/ui_unix.c --- stunnel4-5.44/src/ui_unix.c 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/src/ui_unix.c 2018-10-09 14:37:38.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -38,8 +38,6 @@ #include "common.h" #include "prototypes.h" -NOEXPORT unsigned long dpid; - NOEXPORT int main_unix(int, char*[]); #if !defined(__vms) && !defined(USE_OS2) NOEXPORT int daemonize(int); @@ -110,6 +108,9 @@ signal(SIGINT, signal_handler); /* fatal */ #endif daemon_loop(); +#if !defined(__vms) && !defined(USE_OS2) + delete_pid(); +#endif /* standard Unix */ } else { /* inetd mode */ CLI *c; #if !defined(__vms) && !defined(USE_OS2) @@ -123,6 +124,7 @@ set_nonblock(1, 1); /* stdout */ c=alloc_client_session(&service_options, 0, 1); tls_alloc(c, ui_tls, NULL); + service_up_ref(&service_options); client_main(c); } return 0; @@ -133,7 +135,7 @@ int saved_errno; saved_errno=errno; - signal_post(sig); + signal_post((uint8_t)sig); signal(sig, signal_handler); errno=saved_errno; } 
@@ -181,22 +183,18 @@ s_log(LOG_DEBUG, "No pid file being created"); return 0; } - if(global_options.pidfile[0]!='/') { - /* to prevent creating pid file relative to '/' after daemonize() */ - s_log(LOG_ERR, "Pid file (%s) must be full path name", global_options.pidfile); - return 1; - } - dpid=(unsigned long)getpid(); - /* silently remove old pid file */ + /* silently remove the old pid file */ unlink(global_options.pidfile); + + /* create a new pid file */ pf=open(global_options.pidfile, O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0644); if(pf==-1) { s_log(LOG_ERR, "Cannot create pid file %s", global_options.pidfile); ioerror("create"); return 1; } - pid=str_printf("%lu\n", dpid); + pid=str_printf("%lu\n", (unsigned long)getpid()); if(write(pf, pid, strlen(pid))<(int)strlen(pid)) { s_log(LOG_ERR, "Cannot write pid file %s", global_options.pidfile); ioerror("write"); @@ -205,16 +203,18 @@ str_free(pid); close(pf); s_log(LOG_DEBUG, "Created pid file %s", global_options.pidfile); - atexit(delete_pid); return 0; } NOEXPORT void delete_pid(void) { - if((unsigned long)getpid()!=dpid) - return; /* current process is not main daemon process */ - s_log(LOG_DEBUG, "removing pid file %s", global_options.pidfile); - if(unlink(global_options.pidfile)<0) - ioerror(global_options.pidfile); /* not critical */ + if(global_options.pidfile) { + if(unlink(global_options.pidfile)<0) + ioerror(global_options.pidfile); /* not critical */ + else + s_log(LOG_DEBUG, "Removed pid file %s", global_options.pidfile); + } else { + s_log(LOG_DEBUG, "No pid file to remove"); + } } #endif /* standard Unix */ diff -Nru stunnel4-5.44/src/ui_win_cli.c stunnel4-5.50/src/ui_win_cli.c --- stunnel4-5.44/src/ui_win_cli.c 2017-02-19 22:16:00.000000000 +0000 +++ stunnel4-5.50/src/ui_win_cli.c 2018-04-06 14:25:10.000000000 +0000 
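Review bot: create_pid() no longer rejects a relative `global_options.pidfile`, and nothing in the `-181,22` hunk replaces the check, although the removed comment explained that a relative name ends up resolved against `/` after daemonize(). If the configuration parser now enforces an absolute path, say so here, for example `/* pidfile was validated as an absolute path when the options were parsed */`; if it does not, the `pidfile[0]!='/'` test needs to stay. delete_pid() in the `-205,16` hunk also loses its `getpid()!=dpid` guard and the `atexit()` registration. It is now correct only when called from the main process after daemon_loop() returns (the `-110,6` hunk), which deserves a comment on the function. create_pid() begins outside the hunk.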
@@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff -Nru stunnel4-5.44/src/ui_win_gui.c stunnel4-5.50/src/ui_win_gui.c --- stunnel4-5.44/src/ui_win_gui.c 2017-02-23 13:52:40.000000000 +0000 +++ stunnel4-5.50/src/ui_win_gui.c 2018-10-23 11:24:33.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -69,6 +69,7 @@ NOEXPORT void CALLBACK timer_proc(HWND, UINT, UINT_PTR, DWORD); NOEXPORT LRESULT CALLBACK window_proc(HWND, UINT, WPARAM, LPARAM); +NOEXPORT void save_peer_certificate(WPARAM wParam); NOEXPORT LRESULT CALLBACK about_proc(HWND, UINT, WPARAM, LPARAM); NOEXPORT LRESULT CALLBACK pass_proc(HWND, UINT, WPARAM, LPARAM); NOEXPORT int pin_cb(UI *, UI_STRING *); @@ -79,11 +80,12 @@ NOEXPORT void update_logs(void); NOEXPORT LPTSTR log_txt(void); -NOEXPORT void daemon_thread(void *); +NOEXPORT unsigned __stdcall daemon_thread(void *); NOEXPORT void valid_config(void); NOEXPORT void invalid_config(void); NOEXPORT void update_peer_menu(void); +NOEXPORT void update_peer_menu_unlocked(void); NOEXPORT void tray_update(const int); NOEXPORT void tray_delete(void); NOEXPORT void error_box(LPCTSTR); @@ -135,7 +137,7 @@ static BOOL visible=FALSE; static HANDLE main_initialized=NULL; /* global initialization performed */ static HANDLE config_ready=NULL; /* reload without a valid configuration */ -static LONG new_logs=0; +static BOOL new_logs=FALSE; static struct { char *config_file; 
@@ -331,6 +333,7 @@ /**************************************** GUI thread */ NOEXPORT int gui_loop() { + HANDLE handle; #ifdef _WIN32_WCE WNDCLASS wc; #else @@ -381,8 +384,12 @@ /* auto-reset, non-signaled events */ main_initialized=CreateEvent(NULL, FALSE, FALSE, NULL); config_ready=CreateEvent(NULL, FALSE, FALSE, NULL); - /* hwnd needs to be initialized before _beginthread() */ - _beginthread(daemon_thread, DEFAULT_STACK_SIZE, NULL); + /* hwnd needs to be initialized before _beginthreadex() */ + handle=(HANDLE)_beginthreadex(NULL, DEFAULT_STACK_SIZE, + daemon_thread, NULL, 0, NULL); + if(!handle) + fatal("Failed to create the daemon thread"); + CloseHandle(handle); WaitForSingleObject(main_initialized, INFINITE); /* logging subsystem is now available */ @@ -419,15 +426,11 @@ POINT pt; RECT rect; PAINTSTRUCT ps; - SERVICE_OPTIONS *section; - unsigned section_number; - LPTSTR txt; #if 0 switch(message) { case WM_CTLCOLORSTATIC: case WM_TIMER: - case WM_LOG: break; default: s_log(LOG_DEBUG, "Window message: 0x%x(0x%hx,0x%lx)", @@ -521,24 +524,6 @@ return 0; case WM_COMMAND: - if(wParam>=IDM_PEER_MENU && wParamnext, ++section_number) - ; - if(!section) - return 0; - if(save_text_file(section->file, section->chain)) - return 0; -#ifndef _WIN32_WCE - if(main_menu_handle) - CheckMenuItem(main_menu_handle, (UINT)wParam, MF_CHECKED); -#endif - if(tray_menu_handle) - CheckMenuItem(tray_menu_handle, (UINT)wParam, MF_CHECKED); - message_box(section->help, MB_ICONINFORMATION); - return 0; - } switch(wParam) { case IDM_ABOUT: DialogBox(ghInst, TEXT("AboutBox"), main_window_handle, 
@@ -593,6 +578,9 @@ TEXT("http://www.stunnel.org/"), NULL, NULL, SW_SHOWNORMAL); #endif break; + default: + if(wParam>=IDM_PEER_MENU && wParamnext, ++section_number) + ; + if(section && !save_text_file(section->file, section->chain)) { +#ifndef _WIN32_WCE + if(main_menu_handle) + CheckMenuItem(main_menu_handle, (UINT)wParam, MF_CHECKED); +#endif + if(tray_menu_handle) + CheckMenuItem(tray_menu_handle, (UINT)wParam, MF_CHECKED); + message_box(section->help, MB_ICONINFORMATION); + } + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SECTIONS]); +} + NOEXPORT LRESULT CALLBACK about_proc(HWND dialog_handle, UINT message, WPARAM wParam, LPARAM lParam) { (void)lParam; /* squash the unused parameter warning */ @@ -809,7 +812,9 @@ if(!GetSaveFileName(&ofn)) return; + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_WIN_LOG]); txt=log_txt(); /* need to convert the result to UTF-8 */ + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_WIN_LOG]); str=tstr2str(txt); str_free(txt); save_text_file(file_name, str); 
@@ -841,34 +846,49 @@ static size_t log_len=0; txt_len=_tcslen(txt); - curr=str_alloc(sizeof(struct LIST)+txt_len*sizeof(TCHAR)); + curr=str_alloc_detached(sizeof(struct LIST)+txt_len*sizeof(TCHAR)); curr->len=txt_len; _tcscpy(curr->txt, txt); curr->next=NULL; + + /* this critical section is performance critical */ + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_WIN_LOG]); if(tail) tail->next=curr; tail=curr; if(!head) head=tail; log_len++; - while(log_len>LOG_LINES) { + new_logs=TRUE; + if(log_len>LOG_LINES) { curr=head; head=head->next; - str_free(curr); log_len--; + } else { + curr=NULL; } - new_logs=1; + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_WIN_LOG]); + + str_free(curr); } NOEXPORT void update_logs(void) { LPTSTR txt; - if(!InterlockedExchange(&new_logs, 0)) - return; - txt=log_txt(); - SetWindowText(edit_handle, txt); - str_free(txt); - SendMessage(edit_handle, WM_VSCROLL, (WPARAM)SB_BOTTOM, (LPARAM)0); + CRYPTO_THREAD_write_lock(stunnel_locks[LOCK_WIN_LOG]); + if(new_logs) { + txt=log_txt(); + new_logs=FALSE; + } else { + txt=NULL; + } + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_WIN_LOG]); + + if(txt) { + SetWindowText(edit_handle, txt); + str_free(txt); + SendMessage(edit_handle, WM_VSCROLL, (WPARAM)SB_BOTTOM, (LPARAM)0); + } } NOEXPORT LPTSTR log_txt(void) { @@ -893,7 +913,7 @@ /**************************************** worker thread */ -NOEXPORT void daemon_thread(void *arg) { +NOEXPORT unsigned __stdcall daemon_thread(void *arg) { (void)arg; /* squash the unused parameter warning */ tls_alloc(NULL, NULL, "main"); /* new thread-local storage */ 
@@ -907,14 +927,14 @@ log_flush(LOG_MODE_ERROR); /* otherwise logs are buffered */ PostMessage(hwnd, WM_INVALID_CONFIG, 0, 0); /* display error */ WaitForSingleObject(config_ready, INFINITE); - log_close(); /* prevent main_configure() from logging in error mode */ } PostMessage(hwnd, WM_VALID_CONFIG, 0, 0); /* start the main loop */ daemon_loop(); main_cleanup(); - _endthread(); /* SIGNAL_TERMINATE received */ + _endthreadex(0); /* SIGNAL_TERMINATE received */ + return 0; } /**************************************** helper functions */ @@ -960,6 +980,12 @@ } NOEXPORT void update_peer_menu(void) { + CRYPTO_THREAD_read_lock(stunnel_locks[LOCK_SECTIONS]); + update_peer_menu_unlocked(); + CRYPTO_THREAD_unlock(stunnel_locks[LOCK_SECTIONS]); +} + +NOEXPORT void update_peer_menu_unlocked(void) { SERVICE_OPTIONS *section; #ifndef _WIN32_WCE HMENU main_peer_list=NULL; @@ -1157,9 +1183,10 @@ void ui_new_log(const char *line) { LPTSTR txt; + txt=str2tstr(line); - str_detach(txt); /* this allocation will be freed in the GUI thread */ - PostMessage(hwnd, WM_LOG, (WPARAM)txt, 0); + win_log(txt); + str_free(txt); } void ui_config_reloaded(void) { diff -Nru stunnel4-5.44/src/vc.mak stunnel4-5.50/src/vc.mak --- stunnel4-5.44/src/vc.mak 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/src/vc.mak 2018-04-06 14:25:10.000000000 +0000 @@ -1,4 +1,4 @@ -# vc.mak by Michal Trojnara 1998-2017 +# vc.mak by Michal Trojnara 1998-2018 # with help of David Gillingham # with help of Pierre Delaage diff -Nru stunnel4-5.44/src/verify.c stunnel4-5.50/src/verify.c --- stunnel4-5.44/src/verify.c 2017-05-13 09:01:07.000000000 +0000 +++ stunnel4-5.50/src/verify.c 2018-07-02 21:30:10.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -302,42 +302,35 @@ NAME_LIST *ptr; char *peername=NULL; - if(c->opt->check_host) { - for(ptr=c->opt->check_host; ptr; ptr=ptr->next) - if(X509_check_host(cert, ptr->name, 0, 0, &peername)>0) - break; - if(!ptr) { - s_log(LOG_WARNING, "CERT: No matching host name found"); - return 0; /* reject */ - } - s_log(LOG_INFO, "CERT: Host name \"%s\" matched with \"%s\"", - ptr->name, peername); - OPENSSL_free(peername); + if(!c->opt->check_host && !c->opt->check_email && !c->opt->check_ip) { + s_log(LOG_INFO, "CERT: No subject checks configured"); + return 1; /* accept */ } - if(c->opt->check_email) { - for(ptr=c->opt->check_email; ptr; ptr=ptr->next) - if(X509_check_email(cert, ptr->name, 0, 0)>0) - break; - if(!ptr) { - s_log(LOG_WARNING, "CERT: No matching email address found"); - return 0; /* reject */ + for(ptr=c->opt->check_host; ptr; ptr=ptr->next) + if(X509_check_host(cert, ptr->name, 0, 0, &peername)>0) { + s_log(LOG_INFO, "CERT: Host name \"%s\" matched with \"%s\"", + ptr->name, peername); + OPENSSL_free(peername); + return 1; /* accept */ } - s_log(LOG_INFO, "CERT: Email address \"%s\" matched", ptr->name); - } - if(c->opt->check_ip) { - for(ptr=c->opt->check_ip; ptr; ptr=ptr->next) - if(X509_check_ip_asc(cert, ptr->name, 0)>0) - break; - if(!ptr) { - s_log(LOG_WARNING, "CERT: No matching IP address found"); - return 0; /* reject */ + for(ptr=c->opt->check_email; ptr; ptr=ptr->next) + if(X509_check_email(cert, ptr->name, 0, 0)>0) { + s_log(LOG_INFO, "CERT: Email address \"%s\" matched", + ptr->name); + return 1; /* accept */ } - s_log(LOG_INFO, "CERT: IP address \"%s\" matched", ptr->name); - } - return 1; /* accept */ + for(ptr=c->opt->check_ip; ptr; ptr=ptr->next) + if(X509_check_ip_asc(cert, ptr->name, 0)>0) { + s_log(LOG_INFO, "CERT: IP address \"%s\" matched", + ptr->name); + return 1; /* accept */ + } + + s_log(LOG_WARNING, "CERT: Subject checks failed"); + return 0; /* reject */ } #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */ diff -Nru 
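Review bot: This hunk changes the subject checks from a conjunction to a disjunction. The old code rejected the certificate unless every configured list (`check_host`, `check_email`, `check_ip`) produced a match, while the new loops `return 1` on the first match in any list. A configuration that sets more than one kind of check to pin a peer more tightly is therefore accepted on whichever single check passes after the upgrade, and the only trace is the `LOG_INFO` line for that one match. The ChangeLog entry for 5.48 records the change, but the function should state it too, e.g. `/* accept if ANY configured check_host/check_email/check_ip entry matches */`. A startup notice when more than one list is non-empty would also help operators spot the change. The function's signature is outside the hunk.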
stunnel4-5.44/src/version.h stunnel4-5.50/src/version.h --- stunnel4-5.44/src/version.h 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/src/version.h 2018-10-09 14:37:38.000000000 +0000 @@ -1,6 +1,6 @@ /* * stunnel TLS offloading and load-balancing proxy - * Copyright (C) 1998-2017 Michal Trojnara + * Copyright (C) 1998-2018 Michal Trojnara * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -65,7 +65,7 @@ /* START CUSTOMIZE */ #define VERSION_MAJOR 5 -#define VERSION_MINOR 44 +#define VERSION_MINOR 50 /* END CUSTOMIZE */ /* all the following macros are ABSOLUTELY NECESSARY to have proper string diff -Nru stunnel4-5.44/tests/certs/CACertCRL.pem stunnel4-5.50/tests/certs/CACertCRL.pem --- stunnel4-5.44/tests/certs/CACertCRL.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/CACertCRL.pem 2018-10-09 14:49:40.000000000 +0000 
@@ -1,13 +1,13 @@ -----BEGIN X509 CRL----- -MIIB/jCB5wIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQMA4GA1UE -CgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0FfY2VydDEi -MCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbRcNMTcwNTI5MTQxMTAw -WhcNMjcwNjI4MTQxMTAwWjA8MDoCAQMXDTE3MDQyNjE5MDAxM1owJjAYBgNVHRgE -ERgPMjAxNzA0MjYxOTAwMDBaMAoGA1UdFQQDCgEGoA4wDDAKBgNVHRQEAwIBAjAN -BgkqhkiG9w0BAQUFAAOCAQEAKzIVMH126DHmfgLmm7jPBi4L6xs0N75zIiay8f2S -2/XjD7xU3r8vA0Qd06wEUhSe63tqEb+qForNEZwNJpKxM2OW0Z8fTM40793/8WY4 -m6b5IE2SH8mrCUP4ASmB3Jo/uyFPJ+zXhI7Oj59noN+nu/T6DUloJcVMHh0rYeUR -QpXwdsllJgVVDnqvD4jOVPSVr2NHuMBPk1cw07HZe+V2/xbI/jFNRIKf+KVWE2h8 -4hpiWRONQF9c0eLRskLCqcfyDulpk62hZJV61c4ckGeUyq7aG2N+Ypmm/stnRWGG -NkSLu99WGPRPjVGderIjBD9I6SNe0LbvUn6t2+DfFoBn4w== +MIIB7TCB1gIBATANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJQTDEbMBkGA1UE +CgwSU3R1bm5lbCBEZXZlbG9wZXJzMRAwDgYDVQQLDAdSb290IENBMQswCQYDVQQD +DAJDQTEdMBsGCSqGSIb3DQEJARYOQ0FAZXhhbXBsZS5jb20XDTE4MTAwOTE0NDkz +OVoXDTIyMTAwOTE0NDkzOVowFTATAgIQABcNMTgxMDA5MTQ0OTM5WqAjMCEwHwYD +VR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQADggEB +AE9wjD43V31VT6MkVISh9VHmKY4Ah/lR5LI8FprLKuga9Rr1RMNGb43bpWRLvhMA +dRrXx+uQdm6dZOscAjnIERj2JkkJXG1ydELftzJNc3OGJtUCD07h8qLa7wA+7uzh +FtgmmNPdzpx+1YoqsqIh+TqAu+RwWG01vfXRI5VWmAdjzgv21eeI1i9ZBYeWqTbB +V1e2NiAM6DVprzmddIcr6VXmC21M2XYfhzTORrJf9FO5Y3JisYl3kKl2nPa0q9EH ++4887dUXmzFPUjDQtFkhcho2DBOcUZy4XGrSWvOru0X7AbgjpJ/GrXQnoGcBHESm +zYNNznz/O97dVwkMssW8LxY= -----END X509 CRL----- diff -Nru stunnel4-5.44/tests/certs/CACert.pem stunnel4-5.50/tests/certs/CACert.pem --- stunnel4-5.44/tests/certs/CACert.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/CACert.pem 2018-10-09 14:49:40.000000000 +0000 
@@ -1,20 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDWTCCAkGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQ -MA4GA1UECgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0Ff -Y2VydDEiMCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbTAeFw0xNzA0 -MjYxODQxMDBaFw0xODA0MTMxNTQ1MDBaMGcxCzAJBgNVBAYTAnBsMRAwDgYDVQQK -DAdDQV9jZXJ0MRAwDgYDVQQLDAdDQV9jZXJ0MRAwDgYDVQQDDAdDQV9jZXJ0MSIw -IAYJKoZIhvcNAQkBFhNDQV9jZXJ0QGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAr8xh9XMrSTxiwLDWGw9eMtFJSAGyNTaoBKPgfuQd -+cv+EQrDLrE+h0ywctdzBLooxyu0ZxMOXQV/Z726f8WJsEjWIUvoOnCs3OT1Q8PJ -V39z8Tuw5aWQRJ9uwyr1q+YV897NRCNeT8LrRFls9XZGsHz8Wd8glwwPQ67fR/bS -eP3GvhHPJqGNh3QvybUbK52klUQMVN4MEtSNFFcxp6hwEWhuID12ychFUNVOL/Fu -eCUjBUVufREqs+iIbmgpLKLCPc9BULXhUY+O9DYP9ahjXikdtP5xQ9AqviossWLG -ubxNlYBOYOzpeZIZMZyyAHQ7oYBXtCJFyNMap0/2ABI1twIDAQABoxAwDjAMBgNV -HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCXA7LBokSKKpwdPMthpvm8f08h -/GnY8zF7S+UrNEIZAxpAr/p+GJOZqHjLMhUjdW5Jbazuyl7W0mlatUoTzXx35PJt -oC1jL2K1viTuEtciPt3SVgeBysTPTCw2ZDJSsXZ2X8dFhrk0Gsc3DDjOiyCLcKEz -oOE97ZomwATnNcVBq735zBCNEj967rOjmDUJsuVfqiIWfhjfYaw9MEj3d0FcJb1v -3FPQ89fMM/Z3NpkL5I8+g+TKOlhvc1WDbqcBsiG/CVQo4+ClT73XZqL4woFvDaq6 -b32pz28GqKKxWzv5e4m/9cTt8F7PZIc5hJBsyeBdtFSup2zntCop/qtiT5HQ +MIIDtjCCAp6gAwIBAgIJAKCwzlHufIcDMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV +BAYTAlBMMRswGQYDVQQKDBJTdHVubmVsIERldmVsb3BlcnMxEDAOBgNVBAsMB1Jv +b3QgQ0ExCzAJBgNVBAMMAkNBMR0wGwYJKoZIhvcNAQkBFg5DQUBleGFtcGxlLmNv +bTAeFw0xODEwMDkxNDQ5MzlaFw0yMjEwMDkxNDQ5MzlaMGgxCzAJBgNVBAYTAlBM +MRswGQYDVQQKDBJTdHVubmVsIERldmVsb3BlcnMxEDAOBgNVBAsMB1Jvb3QgQ0Ex +CzAJBgNVBAMMAkNBMR0wGwYJKoZIhvcNAQkBFg5DQUBleGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuQxz8urfZRBvBj8K6+29NpbXZE +qsCxq60ZkBrNwbxb/V07eRk87pvfZfQ+cPN5SaJ6S9r35uoJNDdW42kQXNer9NOo +QeqBUBGLjnJZ6wcplLc+0/PXsgmIzSmlNTx+k9FuuEg06Fw0AG+Lirlnzt6VtILW +FF9vOoy13UOnySAjzkLQMNThuqerL6d91/9BOYyDUbXPfGbBoVusGX3R2qWxzgsH +MLvvCX/h6TJD4YDoaefWNswfjS3u40D7WlOXEKvltwyb2C5vfIV/eZZmoc1jza6t 
+nvcqtpo9c7QXR7MxIl2IA80Wykmyv4anGZ2yGB02/gZFzmBRcioKKIUJpVsCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUMrsPuqQ8kOHXNhiDndXE +GCYNvBowHwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDgYDVR0PAQH/ +BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAosqQoiY+OM4ZWE3W6gHWEBNvYioCK +M0a7faso0ice5AxlzOrMyOP7AwWJ5Abeho6j7xFYVEREIGpViEJLp4QSJyDiPUGh +I9CwtJd0Pp3wzpXzvG7awZVef3uWiUEXQlPWm+a/Z2aJlF0jPx7GQhW/vCxgesnz +Z75kVYP9eAlka/6bbPQOwvx2D/4hS9829RLKkCLEBj1D9GHK7DhJJAlmokowtq+8 +CfTeLSkJb0lnK/KSsZWFnJiBw/yq4XF7VQEAVhYTmnn78Ew7YACvGAoVPploArfS +Mf22wB95jYzuqxjXY9mxjKmwsoisAqcdh9nZoqrK9l33wPWwAmsof4Fi -----END CERTIFICATE----- diff -Nru stunnel4-5.44/tests/certs/cafile.pem stunnel4-5.50/tests/certs/cafile.pem --- stunnel4-5.44/tests/certs/cafile.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/cafile.pem 1970-01-01 00:00:00.000000000 +0000 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID5TCCAs2gAwIBAgIJAJoOR3t6TXSbMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKQ2Fsb2Zvcm5pYTESMBAGA1UEBwwJU2FjcmFtZXRv -MRgwFgYDVQQKDA9FeGFtcGxlIENvbXBhbnkxHDAaBgNVBAsME1RlY2hub2xvZ3kg -RGl2aXNpb24xGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNjA5MjkwODI5 -MjNaFw0xNzA5MjkwODI5MjNaMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs -b2Zvcm5pYTESMBAGA1UEBwwJU2FjcmFtZXRvMRgwFgYDVQQKDA9FeGFtcGxlIENv -bXBhbnkxHDAaBgNVBAsME1RlY2hub2xvZ3kgRGl2aXNpb24xGDAWBgNVBAMMD3d3 -dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKi0 -nOJAoZIimJkLQ3A6osD2ZgX635Esqwb819plRyDOc9Lyt2CKiVrLyHNXrZQE7FRC -6Uq5evb1EQYie0eTxzp8n0lOw/R4goapksLk+yLiVJXt76/ivLjATTC2B5uxUyiO -euZDFiVO9jjfTGeG0ASdkrL69Ngw6EdkzjvvFc1XCDMLy5UZ59d9x6PNncIUJk7l -FcxCGSh5qlggj3lHTc/9nHpz5gZpLbq4DFdsGMOfNSkjyes2dFbnHKAQrq6s49ns -7X3iYCmJF2mfVDCtca3+NYgvujdBGGO2FaX1P9VTtBUTomO9NGcphJGGayRwtpf6 -14F4aY1KRjoq9Ln4fHkCAwEAAaNQME4wHQYDVR0OBBYEFA0sd/zjLicJm3nWXEqU -IPMpNB2VMB8GA1UdIwQYMBaAFA0sd/zjLicJm3nWXEqUIPMpNB2VMAwGA1UdEwQF -MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAH+NDRfE44vMKv8Wfx8PZ08QlSTsyUt5 -vvEnxum6j3Hj+LDiAEXzlZ5oxX/zNEVHPAkwcvhs7dgRFNJ8+SlebGzk+u//53rW -iOqMD1YKiFxmzVa+KlQIHBE/yO24/XG/pe7PVtZV8pF2w8Wi1ppTrZt1pzCRPiCM -ga7ijgizp+972wt33YRWnX486XuolYc3gMLIha9vADodRH+tYtkEY6TnCga+tz4u -LGY5eMbTTUIOEK4rGxr78FruEYOBZPKq0CtSwlGT2MMVngYg+ah51rIU6V0DXA+W -B9YmCA2mrCMtCVaUbiQ3Zc+dHTtmameVNtv7RQGnCDY7zWPyXjmZ1oU= ------END CERTIFICATE----- diff -Nru stunnel4-5.44/tests/certs/client_cert.pem stunnel4-5.50/tests/certs/client_cert.pem --- stunnel4-5.44/tests/certs/client_cert.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/client_cert.pem 2018-10-09 14:49:40.000000000 +0000 
@@ -1,48 +1,49 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2aO1hQpGK5z3OsLeyRbqb0B0cjt+cO3sTQ4+KU05BNWjGXso -3KwN9Bx7Nx0Tu73Ub2CeeUKmbeCWYzuvbx/dUeH1NcOPIk07aHqx79aaTuOhnogG -Kjmq2UcdAtmhLo8OSBm9MSq+UYEIC3S4dMaIDHFIVEIcjUVYgLYKv2k7JSH9oVVV -rm0PxKkpnBZXx5OE3jpq5Zy+1yMQs+FJzVf98FrezAQQiqlKCDCpVqknbGiJk0X2 -lDWcIl8nqmmSvSevr2U6Ggnu1d47N6gEX5BnEBsRABbb1sdrf18cbFP+Dq285yl1 -wFDmq2c7KzCocQAETULJZ9QblG6qkrvMrlmq+QIDAQABAoIBACtVfloMDqa2bT+E -94kAiBM4uTbZg7aGmQtKr7PXjWfaBcyYCi3OEEUvupThtEEobfjzOvqX+71a/3ao -tqigppecLw/SbVh+GjsWWwGPMFBO4KpJGTklHFCA6VTc8kvr7gMLJPF6OkTONUTa -q7OMqCAaGjW0qCy0xwdxt7gfAsjEmtLNH7rLocQFk56y0Nz68jWLIMjnRxAq3NaQ -ZgGE0NRwxUPhgbYl0s3MmhDPulth8+FLryZ8pmIZkKphtIvSXSPQBivdLAUkkhFx -elUu9xHHXbqHhnCGjPjwK4CUGGp2m6mlCev/OlcHkzKWcBOJZKaAoWAQMGqCg0bu -OS0T79UCgYEA7279C7IW7EgI9co4exxZl41gMuZxEcQzXAaHwx2m//9sPm6CczZt -5OIAsenFU7b8hWCO5hJro7hhbp2YBTqtfQNM6KaY33W8iH6k7JcO+HfpLGHcNz1P -S4+31Kj4k5dnz1us90uv8A77Jji1OSTJTBCgyrgmfGhPzqQnbNWNV+8CgYEA6LKw -cYmzBUL//H2Y5HYafqOYlsC5YVGZTm//mp7DpGXdi2twmATskcnQ8BR5WtZ5Ca+2 -VHEoEAUTRLbX+CoUKeE34mnIXTIEU0dzRmw3CMK4DZVRPnIYaqckJH6GLxwCEMZE -zlI8Hks+OrCSVgKYsKqMiOdTDdNoX4/9WaQ9A5cCgYEA6r8IfXUHoHUnw8OWCK3M -8Rd9H6prZR3VtP36EUR7PTYx7Cvw3gCZUfR69fPasa8Qebwnnk6lFglqDUeZilbz -TUP1HYxpCX2ncLOqAwQ/e0AlbowrmkUT/2NSur9Hp3ykHNsnA/ZC8rvdZKXol7QH -X/pViyttIEAtLs4mkT/2qiUCgYBJfbXQBecuMDzcp2YUMWCowk48vl1N6RF7/k9B -rAap8yoHEEWdHWEBojWEvVKeZ8IOVxpEjQBUHuY4+242CEQZ/fFCZppLJLLNAnHb -ue2frK+oSpJAIJSpimQVyofidPwKBDRS3RHzl1vt+ToeQ++pTBPaYQSQB0add8JR -/1btvQKBgG2uNFimmJ29DKSt8nRXm7wUkdQNORTZa0wygZbDaQgHxyiHOY9TgfhF -PQHI/7abb/9PrMhchTWjV7w/e0E6q9Sc4kG1tz5MV9pWreXY7Uolg532zUsYqZVW -0tQbWQR2fk+3ZoN9qHYZqYE/coqNdbtpLUIVWh3Yrh3V6L9Xw0us ------END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDZjCCAk6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQ -MA4GA1UECgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0Ff -Y2VydDEiMCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbTAeFw0xNzA0 
-MjYxODQ1MDBaFw0xODA0MTMxNTQ1MDBaMIGFMQswCQYDVQQGEwJwbDEPMA0GA1UE -CBMGY2xpZW50MQ8wDQYDVQQHEwZjbGllbnQxDzANBgNVBAoTBmNsaWVudDEPMA0G -A1UECxMGY2xpZW50MQ8wDQYDVQQDEwZjbGllbnQxITAfBgkqhkiG9w0BCQEWEmNs -aWVudEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ANmjtYUKRiuc9zrC3skW6m9AdHI7fnDt7E0OPilNOQTVoxl7KNysDfQcezcdE7u9 -1G9gnnlCpm3glmM7r28f3VHh9TXDjyJNO2h6se/Wmk7joZ6IBio5qtlHHQLZoS6P -DkgZvTEqvlGBCAt0uHTGiAxxSFRCHI1FWIC2Cr9pOyUh/aFVVa5tD8SpKZwWV8eT -hN46auWcvtcjELPhSc1X/fBa3swEEIqpSggwqVapJ2xoiZNF9pQ1nCJfJ6ppkr0n -r69lOhoJ7tXeOzeoBF+QZxAbEQAW29bHa39fHGxT/g6tvOcpdcBQ5qtnOyswqHEA -BE1CyWfUG5RuqpK7zK5ZqvkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAZO2G+h4X -UUMB0uVIiz/+iX9b/EifbLwLs87zEAzfYlWCr0pq2DGMxhEUq+vSxr3j3YV1I6Rz -y2Ao2CyWI/2NoS0Jvf2MpyX+lmGV1diFJWOl4BFf5MzTU1Smc0ryulVV2uOadbkt -ekwHYaoohAg9aQe1DXFJV7ZSwoM3KfaJmaGV+BlOSqD6TGs75jmUwG11GyTEebg9 -DxXm39mEczVnxLIZNIv4zv0DYIof4sAzMhnGqSesqoUjJeSUUVysp7Mwmk4E48WA -wCiubahEe0boWHlrT2is5tF88Fwkjjcwqw2jQX1+LeWiB/RA3kNxU4WTx0BFLvyH -lfwzVP+lAnWMng== +MIIDoDCCAoigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx +GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL +MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4 +MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV +BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGY2xpZW50MQ8wDQYDVQQD +DAZjbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOsVd02IKUGn2+RMaxEjy+4M5k +IulcufKLK61NvOTsghPYkpuLieNlLQL5DnxTIll9AXoN5Gg9HVp5l7d1Xst9rd5/ +HhBLpJxsfoLCJmQUybGaxBfkGPUriZLTjZJgvAhtHD4q2KjtQIZq/KXvvlDmr/CN +f+cblpBQdAolGRX7xGIO+5ygTSZ0D4qghUXBmYSplWDvVpZMCHeXG/hlqlxaOSmq +VNDgHRMO2ocyHwRtc5bPI6iPLP9V0bKFfLPcsd5IWuPlx1BD3rRPWUWM2BFiMmUN +rnyEknRs3phgdGlCA4Sg1pNcNEzxfQJhgMdDX7rH7xEM9ucv5jVzBEGY/ZsCAwEA +AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUvw7F5zODR/W7L2kuYkKS8MK0ad8w +HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD +ggEBAHPHEPqacyq4XnMAURVUDydWoLf6h1rK8cnZI7hNydaigO20R30rkSpQcfHk 
+susDGO822ozCzTMd0nUOCe2y/a6tLOpQXXX2zgo4C6utqGJCRwwTjqvUfeLnPkGD +eJoBighsfcGWwoZBOOPgdJ2hhsamF2h7TBIneochNovPW0mH6w/G3Hjy2VHeEq29 +mDTA3NRic2R9iazHQIBW8U+o0CYtwgzB0ZrbL8ak/uH3yPhCuhlrYH4eXiou5kzb +nOuS3VonBp8lFLhfE040rf1Y6piwsl4FYE5udyRXli1A6D4g62/O2KXjoKzz7T6E +YAJGZqVcWZrLJgJaONqlYDEL9ZE= -----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAs86xV3TYgpQafb5ExrESPL7gzmQi6Vy58osrrU285OyCE9iS +m4uJ42UtAvkOfFMiWX0Beg3kaD0dWnmXt3Vey32t3n8eEEuknGx+gsImZBTJsZrE +F+QY9SuJktONkmC8CG0cPirYqO1Ahmr8pe++UOav8I1/5xuWkFB0CiUZFfvEYg77 +nKBNJnQPiqCFRcGZhKmVYO9WlkwId5cb+GWqXFo5KapU0OAdEw7ahzIfBG1zls8j +qI8s/1XRsoV8s9yx3kha4+XHUEPetE9ZRYzYEWIyZQ2ufISSdGzemGB0aUIDhKDW +k1w0TPF9AmGAx0NfusfvEQz25y/mNXMEQZj9mwIDAQABAoIBABhj/1Z3uS7tXDKW +bsntFyY6VlBo8Ptq4qZuDnyxwN/k3ThH9os3AHtiLBrtIfPnaw9sj5i47bTeJW8y +c0wllbhQ0hcOc0uOl0PIy9h88aw9zaZT8imzfVc0krLiE6A5kwgplN0x/rXbiRcy +yBbSUKS0xkUBTMpSybfF0hfWNHLwu69vxmvucmkirlERrqMgMgY30Ac7G4PZGARd +SOM5kdNz6iATU9ccUm8Yl5YB4TNXvh1QF3inBJKgFpw9NBAjd8sXhebWEZVG8Zng +glkCxcXEwyIYJxmxPA3M1OZCKLjEDI0APdQkHSn9oniqghYithUTpJ1hN9R15F96 +b88q0LECgYEA58ncXPezCsy6Wf/gAXf1C7srJDY1GaMYZ7q4Zgp5at7t54kFLfn9 +ecTpf89Q7bReSRwhuc6sOKabk5dFPz2Bmo9kO73G8KdakTdxR/CFuf3lrwZ9s8I6 +choLYff909HUHbqeVGthhMx7xQRJijKBCxV2403ttHipTe2K9au4BuUCgYEAxpbU +v12LV3EE4i8Bt+bxcA6q5Ygq+7o5kFbkqgzzwyzbtyn2TWn4/z142CNc+3xg598d +AXi2oV2alqy8WAgUQP0+g4XXLlW7bvuvAga6F+XqQlKLzF61FWFwcNifeYRYCDMJ +R827pDXpaMs2AUZaMlOZreoAhxd0FWP9CpC8Kn8CgYBn6dqOH0o4TEI7OPhvEB1e +rgGQUXEK1lCJqG8k6As4+0qC463bx9h4b+wSrZnlh1hBxIfmKh6RozfaOhYEXQmu +hhx0oAcBOrXipo11qAH7uTTwe6N9JFVZdA2oVSqJfOdwkIqM5Dsq8xWF5P8nIq8x +jeTn0LcBkpqsYhNLQjnVdQKBgQCplATpwJyLN6Re7JsACgJjmPLP/B4QRO6A1eJ/ +X34MTVL1rqx3YKXSdxCpKFFvIr+xYLFpH0Z8tuyZ+7j9RzDcaiQmtXSRSX47gEnq +Zgok/By1M73S75CcSE923VQYtS1jGwmyufigebTt2pEsN4Iv9XmGrAp1UU68MVzT +19IGSwKBgQCtE2zXTIs6FfjwJvExPGAX6jj//E5uGiLT/afQGUWpFLKikaJsrhUb +2H0TneIM31zvvtbyG6gHARUP8MFH4KZaFgSmRkn86WrN3nxO499kxqCQV+GZ7+M1 +OoKU++aVv9+0VlpUyCAEUJq2flSOCex+9V2gODPKQfu8h0U4IEptZA== 
+-----END RSA PRIVATE KEY-----
diff -Nru stunnel4-5.44/tests/certs/Makefile.am stunnel4-5.50/tests/certs/Makefile.am
--- stunnel4-5.44/tests/certs/Makefile.am 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tests/certs/Makefile.am 2018-10-09 14:37:38.000000000 +0000
@@ -0,0 +1,14 @@
+## Process this file with automake to produce Makefile.in
+# by Michal Trojnara 1998-2018
+
+EXTRA_DIST = maketestcert.sh openssltest.cnf
+EXTRA_DIST += CACertCRL.pem CACert.pem
+EXTRA_DIST += server_cert.pem server_cert.p12 client_cert.pem
+EXTRA_DIST += revoked_cert.pem stunnel.pem PeerCerts.pem
+EXTRA_DIST += psk1.txt psk2.txt secrets.txt
+
+check-local:
+ $(srcdir)/maketestcert.sh
+
+dist-local:
+ $(srcdir)/maketestcert.sh
diff -Nru stunnel4-5.44/tests/certs/Makefile.in stunnel4-5.50/tests/certs/Makefile.in
--- stunnel4-5.44/tests/certs/Makefile.in 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tests/certs/Makefile.in 2018-11-09 15:53:56.000000000 +0000
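Review bot: In tests/certs/Makefile.am the `dist-local:` rule does not appear to be wired to anything, because automake's distribution-time extension point is `dist-hook` and `-local` rules are only honoured for targets such as `check`. The generated tests/certs/Makefile.in in this same diff supports that reading: `check-am` invokes `check-local`, but no rule depends on `dist-local`. As written, maketestcert.sh therefore seems to run only from `make check`. If the intent is to refresh the shipped test keys and certificates when a tarball is built, the rule would need to be `dist-hook:`; otherwise a comment such as `# dist-local is run by hand before "make dist"` would document how it is meant to be used.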
@@ -0,0 +1,457 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# by Michal Trojnara 1998-2018 +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + 
test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = tests/certs +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/src/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ 
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFAULT_GROUP = @DEFAULT_GROUP@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIBTOOL_DEPS = @LIBTOOL_DEPS@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PTHREAD_CC = @PTHREAD_CC@ +PTHREAD_CFLAGS = @PTHREAD_CFLAGS@ +PTHREAD_LIBS = @PTHREAD_LIBS@ +RANDOM_FILE = @RANDOM_FILE@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SSLDIR = @SSLDIR@ +STRIP = @STRIP@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +ax_pthread_config = 
@ax_pthread_config@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +EXTRA_DIST = maketestcert.sh openssltest.cnf CACertCRL.pem CACert.pem \ + server_cert.pem server_cert.p12 client_cert.pem \ + revoked_cert.pem stunnel.pem PeerCerts.pem psk1.txt psk2.txt \ + secrets.txt +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/certs/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu tests/certs/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-local +check: check-am +all-am: Makefile +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: all all-am check check-am check-local clean clean-generic \ + clean-libtool cscopelist-am ctags-am distclean \ + distclean-generic distclean-libtool distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am + +.PRECIOUS: Makefile + + +check-local: + $(srcdir)/maketestcert.sh + +dist-local: + $(srcdir)/maketestcert.sh + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. 
+.NOEXPORT:
diff -Nru stunnel4-5.44/tests/certs/maketestcert.sh stunnel4-5.50/tests/certs/maketestcert.sh
--- stunnel4-5.44/tests/certs/maketestcert.sh 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tests/certs/maketestcert.sh 2018-10-23 11:19:35.000000000 +0000
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+ddays=1461
+
+result_path=$(pwd)
+cd $(dirname "$0")
+script_path=$(pwd)
+cd "${result_path}"
+
+mkdir "tmp/"
+
+# create new psk secrets
+gen_psk () {
+ tr -c -d 'A-Za-z0-9' > "maketestcert.log" | head -c 50 > tmp/psk.txt
+ if [ -s tmp/psk.txt ]
+ then
+ printf "test$1:" > tmp/psk$1.txt
+ cat tmp/psk.txt >> tmp/psk$1.txt 2>> "maketestcert.log"
+ printf "\n" >> tmp/psk$1.txt
+ fi
+ rm -f tmp/psk.txt
+}
+
+export LC_ALL=C
+gen_psk 1
+cat tmp/psk1.txt > tmp/secrets.txt 2>> "maketestcert.log"
+gen_psk 2
+cat tmp/psk2.txt >> tmp/secrets.txt 2>> "maketestcert.log"
+gen_psk 2
+
+# OpenSSL settings
+CONF="${script_path}/openssltest.cnf"
+
+if test -n "$1"; then
+ OPENSSL="$2/bin/openssl"
+ LD_LIBRARY_PATH="$2/lib"
+else
+ OPENSSL=openssl
+fi
+
+mkdir "demoCA/"
+touch "demoCA/index.txt"
+touch "demoCA/index.txt.attr"
+echo 1000 > "demoCA/serial"
+
+# generate a self-signed certificate
+$OPENSSL req -config $CONF -new -x509 -days $ddays -keyout tmp/stunnel.pem -out tmp/stunnel.pem \
+ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=Stunnel Developers/OU=Provisional CA/CN=localhost/emailAddress=stunnel@example.com" \
+ 1>&2 2>> "maketestcert.log"
+
+# generate root CA certificate
+$OPENSSL genrsa -out demoCA/CA.key 1>&2 2>> "maketestcert.log"
+$OPENSSL req -config $CONF -new -x509 -days $ddays -key demoCA/CA.key -out tmp/CACert.pem \
+ -subj "/C=PL/O=Stunnel Developers/OU=Root CA/CN=CA/emailAddress=CA@example.com" \
+ 1>&2 2>> "maketestcert.log"
+
+# generate a certificate to revoke
+$OPENSSL genrsa -out demoCA/revoked.key 1>&2 2>> "maketestcert.log"
+$OPENSSL req -config $CONF -new -key demoCA/revoked.key -out demoCA/revoked.csr \
+ -subj "/C=PL/O=Stunnel Developers/OU=revoked/CN=revoked/emailAddress=revoked@example.com" \
+ 1>&2 2>> "maketestcert.log"
+
+$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/revoked.csr -out demoCA/revoked.cer 1>&2 2>> "maketestcert.log"
+
+$OPENSSL x509 -in demoCA/revoked.cer -out tmp/revoked_cert.pem 1>&2 2>> "maketestcert.log"
+cat demoCA/revoked.key >> tmp/revoked_cert.pem 2>> "maketestcert.log"
+
+# revoke above certificate and generate CRL file
+$OPENSSL ca -config $CONF -revoke demoCA/1000.pem 1>&2 2>> "maketestcert.log"
+$OPENSSL ca -config $CONF -gencrl -crldays $ddays -out tmp/CACertCRL.pem 1>&2 2>> "maketestcert.log"
+
+# generate a client certificate
+$OPENSSL genrsa -out demoCA/client.key 1>&2 2>> "maketestcert.log"
+$OPENSSL req -config $CONF -new -key demoCA/client.key -out demoCA/client.csr \
+ -subj "/C=PL/O=Stunnel Developers/OU=client/CN=client/emailAddress=client@example.com" \
+ 1>&2 2>> "maketestcert.log"
+
+$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/client.csr -out demoCA/client.cer 1>&2 2>> "maketestcert.log"
+
+$OPENSSL x509 -in demoCA/client.cer -out tmp/client_cert.pem 1>&2 2>> "maketestcert.log"
+cat tmp/client_cert.pem > tmp/PeerCerts.pem 2>> "maketestcert.log"
+cat demoCA/client.key >> tmp/client_cert.pem 2>> "maketestcert.log"
+
+# generate a server certificate
+$OPENSSL genrsa -out demoCA/server.key 1>&2 2>> "maketestcert.log"
+$OPENSSL req -config $CONF -new -key demoCA/server.key -out demoCA/server.csr \
+ -subj "/C=PL/O=Stunnel Developers/OU=server/CN=server/emailAddress=server@example.com" \
+ 1>&2 2>> "maketestcert.log"
+
+$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/server.csr -out demoCA/server.cer 1>&2 2>> "maketestcert.log"
+
+$OPENSSL x509 -in demoCA/server.cer -out tmp/server_cert.pem 1>&2 2>> "maketestcert.log"
+cat tmp/server_cert.pem >> tmp/PeerCerts.pem 2>> "maketestcert.log"
+cat demoCA/server.key >> tmp/server_cert.pem 2>> "maketestcert.log"
+
+# create a PKCS#12 file with a server certificate
+$OPENSSL pkcs12 -export -in tmp/server_cert.pem -out tmp/server_cert.p12 -passout pass: 1>&2 2>> "maketestcert.log"
+
+# copy new files
+if [ -s tmp/stunnel.pem ] && [ -s tmp/CACert.pem ] && [ -s tmp/CACertCRL.pem ] && \
+ [ -s tmp/revoked_cert.pem ] && [ -s tmp/client_cert.pem ] && [ -s tmp/server_cert.pem ] && \
+ [ -s tmp/PeerCerts.pem ] && [ -s tmp/server_cert.p12 ] && \
+ [ -s tmp/psk1.txt ] && [ -s tmp/psk2.txt ] && [ -s tmp/secrets.txt ]
+ then
+ cp tmp/* ./
+ printf "%s\n" "keys & certificates successfully generated"
+ printf "%s\n" "./maketestcert.sh finished"
+ rm -f "maketestcert.log"
+ else
+ printf "%s\n" "./maketestcert.sh failed"
+ printf "%s\n" "error logs ${result_path}/maketestcert.log"
+ fi
+
+# remove the working directory
+rm -rf "demoCA/"
+rm -rf "tmp/"
diff -Nru stunnel4-5.44/tests/certs/openssltest.cnf stunnel4-5.50/tests/certs/openssltest.cnf
--- stunnel4-5.44/tests/certs/openssltest.cnf 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tests/certs/openssltest.cnf 2018-10-23 11:19:35.000000000 +0000
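Review bot: The closing `else` branch of maketestcert.sh only prints "./maketestcert.sh failed", so the script still ends with the status of the last `rm -rf "tmp/"` and the `check-local` rule that calls it cannot tell that no usable keys or certificates were produced. Recording the outcome and returning it after the cleanup would surface that: `rc=0` before the final `if`, `rc=1` in the `else` branch, and `exit "$rc"` as the last line. In the OpenSSL selection block the condition tests `$1` while the paths are built from `$2`, which looks unintended unless callers always pass two arguments. `LD_LIBRARY_PATH` is also assigned there without `export`, so unless the caller already exports it the selected `openssl` binary will not see the new value; `export LD_LIBRARY_PATH` after the assignment covers that.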
@@ -0,0 +1,58 @@
+# OpenSSL root CA configuration file
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/demoCA
+crl_dir = $dir/demoCA
+new_certs_dir = $dir/demoCA
+database = $dir/demoCA/index.txt
+serial = $dir/demoCA/serial
+crl_extensions = crl_ext
+default_md = sha256
+preserve = no
+policy = policy_match
+x509_extensions = usr_cert
+private_key = $dir/demoCA/CA.key
+certificate = $dir/tmp/CACert.pem
+
+[ req ]
+encrypt_key = no
+default_bits = 2048
+default_md = sha256
+string_mask = utf8only
+x509_extensions = ca_extensions
+distinguished_name = req_distinguished_name
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+
+[ ca_extensions ]
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_match ]
+countryName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
diff -Nru stunnel4-5.44/tests/certs/PeerCerts.pem stunnel4-5.50/tests/certs/PeerCerts.pem
--- stunnel4-5.44/tests/certs/PeerCerts.pem 2017-08-23 05:03:13.000000000 +0000
+++ stunnel4-5.50/tests/certs/PeerCerts.pem 2018-10-09 14:49:40.000000000 +0000
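Review bot: `default_bits = 2048` in the `[ req ]` section of openssltest.cnf reads as if it fixed the size of every test key, but it only governs keys that `openssl req` creates itself. In maketestcert.sh from this same diff that is just the self-signed stunnel.pem; the CA, revoked, client and server keys come from `genrsa` with no size argument, so their length follows the installed OpenSSL's built-in default. A comment on the setting would make that visible, for example `# applies to keys created by "openssl req" only; the genrsa calls in maketestcert.sh choose their own size`.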
@@ -1,41 +1,44 @@ -----BEGIN CERTIFICATE----- -MIIDZjCCAk6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQ -MA4GA1UECgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0Ff -Y2VydDEiMCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbTAeFw0xNzA0 -MjYxODQ1MDBaFw0xODA0MTMxNTQ1MDBaMIGFMQswCQYDVQQGEwJwbDEPMA0GA1UE -CBMGY2xpZW50MQ8wDQYDVQQHEwZjbGllbnQxDzANBgNVBAoTBmNsaWVudDEPMA0G -A1UECxMGY2xpZW50MQ8wDQYDVQQDEwZjbGllbnQxITAfBgkqhkiG9w0BCQEWEmNs -aWVudEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ANmjtYUKRiuc9zrC3skW6m9AdHI7fnDt7E0OPilNOQTVoxl7KNysDfQcezcdE7u9 -1G9gnnlCpm3glmM7r28f3VHh9TXDjyJNO2h6se/Wmk7joZ6IBio5qtlHHQLZoS6P -DkgZvTEqvlGBCAt0uHTGiAxxSFRCHI1FWIC2Cr9pOyUh/aFVVa5tD8SpKZwWV8eT -hN46auWcvtcjELPhSc1X/fBa3swEEIqpSggwqVapJ2xoiZNF9pQ1nCJfJ6ppkr0n -r69lOhoJ7tXeOzeoBF+QZxAbEQAW29bHa39fHGxT/g6tvOcpdcBQ5qtnOyswqHEA -BE1CyWfUG5RuqpK7zK5ZqvkCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAZO2G+h4X -UUMB0uVIiz/+iX9b/EifbLwLs87zEAzfYlWCr0pq2DGMxhEUq+vSxr3j3YV1I6Rz -y2Ao2CyWI/2NoS0Jvf2MpyX+lmGV1diFJWOl4BFf5MzTU1Smc0ryulVV2uOadbkt -ekwHYaoohAg9aQe1DXFJV7ZSwoM3KfaJmaGV+BlOSqD6TGs75jmUwG11GyTEebg9 -DxXm39mEczVnxLIZNIv4zv0DYIof4sAzMhnGqSesqoUjJeSUUVysp7Mwmk4E48WA -wCiubahEe0boWHlrT2is5tF88Fwkjjcwqw2jQX1+LeWiB/RA3kNxU4WTx0BFLvyH -lfwzVP+lAnWMng== +MIIDoDCCAoigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx +GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL +MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4 +MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV +BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGY2xpZW50MQ8wDQYDVQQD +DAZjbGllbnQxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPOsVd02IKUGn2+RMaxEjy+4M5k +IulcufKLK61NvOTsghPYkpuLieNlLQL5DnxTIll9AXoN5Gg9HVp5l7d1Xst9rd5/ +HhBLpJxsfoLCJmQUybGaxBfkGPUriZLTjZJgvAhtHD4q2KjtQIZq/KXvvlDmr/CN +f+cblpBQdAolGRX7xGIO+5ygTSZ0D4qghUXBmYSplWDvVpZMCHeXG/hlqlxaOSmq +VNDgHRMO2ocyHwRtc5bPI6iPLP9V0bKFfLPcsd5IWuPlx1BD3rRPWUWM2BFiMmUN 
+rnyEknRs3phgdGlCA4Sg1pNcNEzxfQJhgMdDX7rH7xEM9ucv5jVzBEGY/ZsCAwEA +AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUvw7F5zODR/W7L2kuYkKS8MK0ad8w +HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD +ggEBAHPHEPqacyq4XnMAURVUDydWoLf6h1rK8cnZI7hNydaigO20R30rkSpQcfHk +susDGO822ozCzTMd0nUOCe2y/a6tLOpQXXX2zgo4C6utqGJCRwwTjqvUfeLnPkGD +eJoBighsfcGWwoZBOOPgdJ2hhsamF2h7TBIneochNovPW0mH6w/G3Hjy2VHeEq29 +mDTA3NRic2R9iazHQIBW8U+o0CYtwgzB0ZrbL8ak/uH3yPhCuhlrYH4eXiou5kzb +nOuS3VonBp8lFLhfE040rf1Y6piwsl4FYE5udyRXli1A6D4g62/O2KXjoKzz7T6E +YAJGZqVcWZrLJgJaONqlYDEL9ZE= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDVDCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQ -MA4GA1UECgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0Ff -Y2VydDEiMCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbTAeFw0xNzA0 -MjYxODQzMDBaFw0xODA0MTMxNTQ1MDBaMHQxCzAJBgNVBAYTAnBsMQ8wDQYDVQQI -EwZzZXJ2ZXIxDzANBgNVBAoTBnNlcnZlcjEPMA0GA1UECxMGc2VydmVyMQ8wDQYD -VQQDEwZzZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEnNlcnZlckBleGFtcGxlLmNvbTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3S0m42/yBrStPI8A8eV0ig -fehupIp0sDft/zBAf0r7bg7A1rAuJLkupIfm6Dnc0/vK43/pO8rCTQu7Xf9hMXyQ -TL3Hr7CamjAITJQ3CSwTBXrWfvwzzr+h2SG2U6DKBh9eBhb7f3ndVcwLIc4WCjJy -45gv5caKF9RSYUYVSun1tRzRI7xEiSMmQPbLJN1WGsP9nICFd4P2jj/cKJpPzU1O -wEf4V6wm0sdZ2ECJ8hG5PqfKlxCy1UtSpzMaFR+wqKk1Rujx9hR9CycaROe+0Csk -97DnygirND6V651tzuTheIrcL5tWAIShVgwxdisi1ui8mxSVUv6Q6DHAPLcx7+0C -AwEAATANBgkqhkiG9w0BAQUFAAOCAQEAiPQrjJbTZ6NB+FO0lJtt5vEBLdepkl6x -mtopQRxHPZIuUqV8viP9EW2PlrrPkpdbYZtkD0AuCXiqGD9u31kIHKG05GiQYj8q -XPy55QuOntWfwJc4GEZ9uebYckHGSNLsyubdkneLeXlEZz2RbtCoZS5337nlaUCm -93Hp/bRCFZ7if9tiscxwTft92z2+Tc5bI4JGAJfex/VgyggpNRLSDDRibNvFrooO -1kSnDxySyCtysodXfonWpJFA9EAcUHXY6vlGvzLVJRfrqsS7vC/fuKOz684XDYIL -g/eJED4XR47T8gA85vM8LWl80lXvfFIYsirOnYmeQDSfTRDG9eZG6Q== +MIIDoDCCAoigAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx +GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL +MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4 
+MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV +BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGc2VydmVyMQ8wDQYDVQQD +DAZzZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEnNlcnZlckBleGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvRSOWnuJnrrnlt+qUaiY9CJOp0 +Lox6vCEzwgMH+ftMZQwP6m427b3LEfPrxH6WkYMLwpAXGjREXRj+yB0ZcPvQ94VI +OyHgvgWJ14t+yLcq3w6zsWzJx/SmWLG7ga67wODxhCHAAHPKsv+cC+6wgt3kWu+G +jUQ27X03rQO2wNpV5cxdp9Ax6JQVnKleQEIShfELYYjJpp4s6n5VY8R8jRwJHl7k +XCjp5+8LSD64MUcXzo7u6XL8SxEGjQU+drKfNdleFfyVgjtAeyaWBrY8ciM4yIqn +M37zs6jyjLcNO0PtD+64VO4jJPmFY4M0O33AJu0EtuR1G/NSj1D85nKBZYUCAwEA +AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUSLKfbW2zrTXPv2dTLXpT9jHEYLkw +HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD +ggEBABYai56PR5tsnmv8+mIxZM980x+oYLACVA6YaQEWxtdPQl+tGJIVnJergfRO +UrG4OjqBZp0DjMJRNIIiM50YTsEQdrVoL6HaP5AgDwqWoRJIEdVZUQWyTTTE7nBd +0k6qNKUsJVEM1Zvv+cseQYIpT75P0FPl5egSPQHVuPWSco7gGF/zF2gA4QfzRsLe +frgfzXzxEF712CuS+OXj5lab4N1L9A1GzfeQ+bNlrUky79R+vMPfjoayUJ/fTafl +wTd6YBZurwxdy6Ktql9eisuli0PRdxed1eOpUxZAbS7N3ZIDTEOcLnBrIhQY7E8P +YxSm0/qri7nS4z/DmzTe2z0ttqM= -----END CERTIFICATE----- diff -Nru stunnel4-5.44/tests/certs/psk1.txt stunnel4-5.50/tests/certs/psk1.txt --- stunnel4-5.44/tests/certs/psk1.txt 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/psk1.txt 2018-10-09 14:49:40.000000000 +0000 @@ -1 +1 @@ -test1:oaP4EishaeSaishei6rio6xeeph3az +test1:H9kpiYb8TWGo19hvd4txGMffBG6yzbJcz0FpPD4rB590vVFvyE diff -Nru stunnel4-5.44/tests/certs/psk2.txt stunnel4-5.50/tests/certs/psk2.txt --- stunnel4-5.44/tests/certs/psk2.txt 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/psk2.txt 2018-10-09 14:49:40.000000000 +0000 
@@ -1 +1 @@ -test2:sah5uishaeSaishei6rio6r8iap3az +test2:gTcg0XYgwmBISqC8KpeHUQuGdGqkcTUJBZZLUefskgjXdc5cdL diff -Nru stunnel4-5.44/tests/certs/revoked_cert.pem stunnel4-5.50/tests/certs/revoked_cert.pem --- stunnel4-5.44/tests/certs/revoked_cert.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/revoked_cert.pem 2018-10-09 14:49:40.000000000 +0000 
@@ -1,48 +1,49 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEA7VkojMNX9wmcnIJsRHist/phM9XN5Y5E3yfPzuOYj2ZaA7yE -yMtl8qMngQJBjYEgkBGr3GD02Xz+j/CDAYD7XbicuyxnR0UH1eADsIQok9ATCAyp -LJMN7yHix60B62GvdiWUFQC18K8ldhR3497uDf7FVUxcKEnG+pz+jRV+njDUYqGl -CpoNAfON+9Kf87qdV+Mkxb+Rt+VvNKqzSjrktqtF9kjAs1sibOCuaQq55HdPNJDu -RATtknx1jwwRnjVANirdYAlgD5J0psLM568B/eBgVlv6wnV+SJClNupNshX3FQox -vuVENqGEA2d6fXHoyWBD/Dyz6sTwbHst14p9twIDAQABAoIBABL4S0tk2YT/GatQ -qUKXuoZB1r8D2Z79TffgALXybuEXNx6RVLOPvig0bhXbjk23AllBcFD+1tMDMH1k -pbPbETweYzh6hg6mL8giTWkwRuX5fWvpRyQu5LA2Lx/ybfLYLePtgPZkxiXkecQE -QsjNqo0nzbHRlpQJwYOKRLYV/7a43PP6PVszOOz/gxHl4A5o2a6sDY8YDRbJz9BX -w+PhuhtJMYaTIPnHYD+4zbi3szftkFH/AXyJmKWpusyBUuyAEh07fETAOA7FD7QQ -TEg7vmLr50uNBt7+luVbfFTC156ehriU+/0DkEgnPORNLPfbv65iRoxAd+T6JxVj -fbU76OECgYEA/ttZoE+5MyPO+drefjB5OC4sJI/rgf9v8xZdD9MoJNVl/ewst7Pk -0gkW+t9mD9ZKyi5ecylU2U4vb/MGkrSzkimxEXMxGMMudmhjFcRvoDMBBj7klfsd -EoQ0YVs5yyJkehGX3+8hSAyIbkrMLQtJrduPVy8qGV7qeupZfKIjCpkCgYEA7mm0 -D82FD2wl8ZqaTe44TNjkDQ6Nk6NmNPNprjwNeMSqNvHvF+irfLagSKAnQfkFs6vQ -XjGB+3mnBkg+/8BndB5iEYJ41nMkPSNMPy0FYznmLwMFf11p7E6ncqrCLwOEQ3vi -s3YONadV7ifv/MEBDlmJIgwq74QIAZo/QYu7zM8CgYBKPXWfWHn3pr+9Uv+rPM2j -Cvg68l3FcbaX1nTnjjhMeomKbYkdPl8yvAkgrYEare79dIJ5A5o+7yKsdtv8Un1Y -36JAFhFASGM5hPEQPzfRL+plel62Pf9bDH4BukRcozknwgY+6ncEePopPsq5eGdP -KP1ZhVi7KUYe5jOJNeYFSQKBgGgJ2pi2z+T+BcTb+ZAeb5UhZMtJ2YBe4sAipLBy -5lIYSEs34mVllEgVDfcDZH5GpDVWudQQ+K771GZKaquCk+K5S4RmkkLK9jpzx9cd -12cIoilLwT9mTU3guPOyDpEjkLk+O5yi3OqO/lGyPejndIWFjvE7rBTfYfsJC6eX -yblDAoGAWMZ3050vZXVOlaMJDVEBXT+TVm6lAS+GbAoW1A31Fv6fs+PSGgaRUz/l -tc1Da39UEBBbX/pudD5XVShnXhR1KeBG9nPRaP70NSXOQjHh0W1OzL9viSMvUx3f -EsK3y9WO1cr8C89e/9vNektU29irMzTwQQolb+tR9f9BIpae0XM= ------END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDbDCCAlSgAwIBAgIBAzANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQ -MA4GA1UECgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0Ff -Y2VydDEiMCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbTAeFw0xNzA0 
-MjYxODQ1MDBaFw0xODA0MTMxNTQ1MDBaMIGLMQswCQYDVQQGEwJwbDEQMA4GA1UE -CBMHcmV2b2tlZDEQMA4GA1UEBxMHcmV2b2tlZDEQMA4GA1UEChMHcmV2b2tlZDEQ -MA4GA1UECxMHcmV2b2tlZDEQMA4GA1UEAxMHcmV2b2tlZDEiMCAGCSqGSIb3DQEJ -ARYTcmV2b2tlZEBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAO1ZKIzDV/cJnJyCbER4rLf6YTPVzeWORN8nz87jmI9mWgO8hMjLZfKj -J4ECQY2BIJARq9xg9Nl8/o/wgwGA+124nLssZ0dFB9XgA7CEKJPQEwgMqSyTDe8h -4setAethr3YllBUAtfCvJXYUd+Pe7g3+xVVMXChJxvqc/o0Vfp4w1GKhpQqaDQHz -jfvSn/O6nVfjJMW/kbflbzSqs0o65LarRfZIwLNbImzgrmkKueR3TzSQ7kQE7ZJ8 -dY8MEZ41QDYq3WAJYA+SdKbCzOevAf3gYFZb+sJ1fkiQpTbqTbIV9xUKMb7lRDah -hANnen1x6MlgQ/w8s+rE8Gx7LdeKfbcCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA -TFyPHPwb3CwDvPVlC6pgaowXbDEiQ5vU2Oecq/RwMxhC1FJ5ks+VIQ+KBrDRs9Ao -k7dF5kuGc3ZAFHgWnzpyUobAyeZchaykLYy8yslwW6xFEbWXW599mjI3D5/N9xcy -v8IHwqTTQRaxPPdcu3vjDtdpgJY89lFE2mzdPNz24Z/qsTPdLG1668L2CxoplGl2 -0THVrNHxpDF0QqINZpTc6TzsZgvROXmcAYzg2D4v5TmUzXQaLhnPTkcKWfwxpUu0 -XDlFJuNKr+YLS9GY+0lE1kNHpiTEusnfTPRXneDZipD3Hr6LsXX0ahRgbA3loyTJ -B9Kk23ftqSr4oePTJytIAA== +MIIDozCCAougAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx +GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL +MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4 +MTAwOTE0NDkzOVoXDTIyMTAwOTE0NDkzOVowcjELMAkGA1UEBhMCUEwxGzAZBgNV +BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHcmV2b2tlZDEQMA4GA1UE +AwwHcmV2b2tlZDEiMCAGCSqGSIb3DQEJARYTcmV2b2tlZEBleGFtcGxlLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPX7XgEBeUeMJc5Xkw0Fe39d +OB0kuJhPTTkK05F2Bwu1hCMc2LbSFY3ohzMRIocjWdcGb8idzkmxZmeoxAaVR9JA +OXKsmfbEU6hA5NcvH6QvJbZH5qIlvUk0AfSrtAbxXgq0JEKIHNQ63qTFUef28BfT +YsnOFxL1GX0RUzrLz8dcCkNPM8xZaShJxENxWWijI2m4Gc/eDqTrPJhYK+WRNfHp +7fLWt5y13drOyFG5sNIsykp1zMSiufG2NZ9IOxY0NOY0sc6kasvGlv30fqGu1+6Y +7PRRfmQcEP/kDZ0Kv1NEgHtizEArySpZEKzNaS5Q6oCvL+UHYfPmmSgBeYinDHkC +AwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUZED9hULxiuarUg6QXT3PAib8 +K88wHwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQEL 
+BQADggEBADb/u5h5l7LPo1rAyQUMVm1DfA6bjNAucIJbQeqnAynsQe7Qc6CCyJH8 +YZeJsq9oHE6h0PYfBWvZ4wK/ebG86p8Ovt2mCANgWzCcnxFaaWr6fCmPjsr4XOcq +PN7qiHRN8Yeski2/JMMKRY1LGwH8jpHjWH7JVK2UV8Y6053YgCf1UcQSjgBF6lKw +ZwHW23NrYJ06AKu6yAXQpX/LiVMbWVRwfeL26UoMK3C7FKwWWOjIxsX+ihxuJM3C +i7wgDrvBkTR/JKSL6qG/Q5TUVCU7YVCZjdP8uCUz+9ac3pgy2ax5xZaGCOavnkCn +OeQQWHFGnp97t/44yES505D9KGB0LXE= -----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEA9fteAQF5R4wlzleTDQV7f104HSS4mE9NOQrTkXYHC7WEIxzY +ttIVjeiHMxEihyNZ1wZvyJ3OSbFmZ6jEBpVH0kA5cqyZ9sRTqEDk1y8fpC8ltkfm +oiW9STQB9Ku0BvFeCrQkQogc1DrepMVR5/bwF9Niyc4XEvUZfRFTOsvPx1wKQ08z +zFlpKEnEQ3FZaKMjabgZz94OpOs8mFgr5ZE18ent8ta3nLXd2s7IUbmw0izKSnXM +xKK58bY1n0g7FjQ05jSxzqRqy8aW/fR+oa7X7pjs9FF+ZBwQ/+QNnQq/U0SAe2LM +QCvJKlkQrM1pLlDqgK8v5Qdh8+aZKAF5iKcMeQIDAQABAoIBAQC62ho7W1o8PjqN +trpufsakJjS09qr+j+bSOOYjreuGOnlIjuYUYhubc5IX+aEn1HOvQiVx2GXWVtq6 +TVmywn0POlgpQvGloNcHjVwIFbTMbEASaiXI8DAMRmRh7nhPedP8/4A3xdtYX+u2 +cGlacptJDfsR3upqLSMSfTGjDSUlgsjNkQ23ZUcabQ52KPD8Z4dFcuXZcfCGEYGd +YJmBSUiwMh67NwUsqwzcqcTRz82zLC599gU+ppf2a61Ue+dRaKS0FfDJETWa1lAB +8PIK8xKfEog1kFwyEN1Q5QqwPC61W4H6DeWHyx7awCO9gcWAg7SSQlxaL5TvSJUo +hqJzSK89AoGBAPwZtWQ9Rq8+8Csy8NrTEfZajBeIukuaYdfDep6jom7MA1H4lEsa +C1ER1FPc4pfpr9Q31pTvMNiAd/rQSnFjTKApTWhkzHpX+P9bqnUEYkUK2fqQpBL1 +YzC7QrRNz2vhkSiAhBcBUq0Y+RzYq8yGdLsNqMHe4Kqt/SsfjM5dVF4DAoGBAPnJ +bhBJvpR01vU5VcLU0KD0+d/6E/hQxoRgBUWLGpXghYsUBMP2V2vxS8c2wPpBQrSk +Ivk3q0lL6WXvtKEQCY5D3t1D7JEZHmZFgwJmez4WQMC+tCw54SDOL3ggQI+lyodW +eyJgmqMu1H2CyEeQdiQIlvt54SJ0gkR7iBYNfzDTAoGBAMV9LkhUaGcomuR8h4ol +B1FCJbTZ+3b2feeUzx4vejPpxkAUx7b9tBfSK892nlv7SS6qf4M0zcMNAPCO84JY +E9L0CBvbuwOsnvcMTEBXKtSDZ7eOT7o6WXX3fI3a1r7geeKMqu2Kr8XCZoReiFc0 +jYVrceROQRn0Kvv5P0j6e/kZAoGBAPXJ56vPZODgN8UFrgYRM1mutVJX2d62XSFU ++tr7jiV80OuRvz604EEvJsnYbvvRy7nE6UUiKkHtmLTdsnfqN/ztfBduBxKgDPHF +5Kwv+4WUkBMZlGEQcx68xKkH03+GPEwAJRomxQNdyWnXjwwccqPyb970hzxIOQb6 +J2bL0SRRAoGBAJjDixE61RuenxLeHXzicqfBincEmswKgpl5CM28ZF9W4id7EcND 
+4Vu7Y+QRexxbWMz637nVKLiYwfS/rra33i/igfhk6/Nb7dMG9KooCoS19PhM2V+I +h/XLqvSe93n2ocqviJO4ZahXJFotlXq2nK2/bF2g45mvRcbFPtENqgcb +-----END RSA PRIVATE KEY----- diff -Nru stunnel4-5.44/tests/certs/secrets.txt stunnel4-5.50/tests/certs/secrets.txt --- stunnel4-5.44/tests/certs/secrets.txt 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/secrets.txt 2018-10-09 14:49:40.000000000 +0000 @@ -1,2 +1,2 @@ -test1:oaP4EishaeSaishei6rio6xeeph3az -test2:yah5uS4aijooxilier8iaphuwah1Lo +test1:H9kpiYb8TWGo19hvd4txGMffBG6yzbJcz0FpPD4rB590vVFvyE +test2:xomqBFaKDSLSIZEFk4TxPvSdMTiOq7iwfN1Np06SThYetP2Jpm Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tests/certs/server_cert.p12 and /tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tests/certs/server_cert.p12 differ diff -Nru stunnel4-5.44/tests/certs/server_cert.pem stunnel4-5.50/tests/certs/server_cert.pem --- stunnel4-5.44/tests/certs/server_cert.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/server_cert.pem 2018-10-09 14:49:40.000000000 +0000 
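Review bot: The regenerated fixture certificates carry a fixed four-year validity window: the validity fields in the new revoked_cert.pem appear to decode to 2018-10-09 through 2022-10-09, and the server_cert.pem and stunnel.pem hunks that follow use the same dates. The revoked and server certificates being replaced look to have expired in April 2018, so the suite will hit the same wall once the new dates pass, and recipes that verify a peer will then fail for reasons unrelated to the code under test. Generating the test CA and leaf certificates at `make check` time, or documenting the regeneration step and the expiry date next to the fixtures, avoids that. These files also bundle unencrypted private keys, which is fine for fixtures but deserves a one-line README saying they are public test material and must never be deployed.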
@@ -1,47 +1,49 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEArdLSbjb/IGtK08jwDx5XSKB96G6kinSwN+3/MEB/SvtuDsDW -sC4kuS6kh+boOdzT+8rjf+k7ysJNC7td/2ExfJBMvcevsJqaMAhMlDcJLBMFetZ+ -/DPOv6HZIbZToMoGH14GFvt/ed1VzAshzhYKMnLjmC/lxooX1FJhRhVK6fW1HNEj -vESJIyZA9ssk3VYaw/2cgIV3g/aOP9womk/NTU7AR/hXrCbSx1nYQInyEbk+p8qX -ELLVS1KnMxoVH7CoqTVG6PH2FH0LJxpE577QKyT3sOfKCKs0PpXrnW3O5OF4itwv -m1YAhKFWDDF2KyLW6LybFJVS/pDoMcA8tzHv7QIDAQABAoIBAAbCvWaGAxRKuAVW -umeMIY70lxEURJgSA8yZGCTTTWAoOVafj3oYwVrmgoW6qGufuCsB8ClIdAfl2MNN -DVHigN88aY+0FZRD3x1hJUFahqPNNZhagWPjy/XOILjb85K8aNKNgKUiMQoXXr/p -6u2uE8V0jH+d1U0Mj/K1JY1pRJmm4W7Tp366z3goibOK6tWwSbGGiPWXvfy8fZdz -8Hs/pG3oGEciof5hg55wSfJ+XF24iu850GaIKSNAf6pLUoU6S4zKj01qpSOEY1vN -Sv5r8/yd3VQzoxk6wVDQvo7qIS7zqvvUqw0iCf3JsWGnQmEGQqwWmLiT8yE1CxFy -H8veha0CgYEA3lffU6HSXw5zHW3o3Bx6/pGGkPlNzUDi/NbOd2kr/wBOZvmJOR2d -U0CKoqjJpBTs7CEnpvbSkz4Hit/Y00UgQS1Zvfqo5m1yhWl1jiiHqoe0Alc/P5fa -YMkkV+++eUUQFNJCiQKMRElkEEEITw21EmflWW86/ln9GAO8YZ1Ne0cCgYEAyCK9 -J4plfXEyTJpltg/7z/0DMuJwc3qRLMicaXcHHWK+C6ZSFOn6rzx/1GWa25Z3sXT8 -XAe98ZCYDK2+twCLtM6z2uKj/xCkZWH8AmaKKbLsMYCHXkOi38EpuxT1uiXosjVf -ArZoAL472X5d4Eg/szGsfeMmvPm52V7OM3tHbSsCgYBydtR/DqDp1NuIfAvUPUlI -gwy+18mo8E2rEr7qFJfUyIiUVMTDRa63rFNy1+gu86LhEVSDjS/tI5LoeML8SOsJ -Atrfhgqrzg6WBivByrXFIeWXCumByKBhEUwHhWIOtnJH9dLRDCHACfRctc4cPJdK -aXhWKYA6b4NveITj0AKSgwKBgDYFen1j1AVKOsOGoZHFOrlnmCdyC9x/5xPpip7F -LDx4XMgUOu++QJZwhCi2zFgdg215IG1PAaxk1UYG2AXZtdw2N0IMDyxYN6fODRIw -z3Z1/19VTDTbmOlA4JzJCZMXjHoeAelfhy88KjeI7poNpnQeImtQlzJHTi0odAxd -aGhFAoGAfxHh4GhsIpIwxQMKINUXvwQAI3rUph5gMv0MS3CAwoVAFNzKZeJQsRVW -IsI830HC+sPEpekiGcYFsRIbZv+Eh/f4j9TJ7eqUrkxVluleFU6YFHuFepbmcH4L -nZKr5bR+kg4g0g3iqNey5pJIfTj+GoLmnv6GakqQNUdFSBAJ98g= ------END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDVDCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJwbDEQ -MA4GA1UECgwHQ0FfY2VydDEQMA4GA1UECwwHQ0FfY2VydDEQMA4GA1UEAwwHQ0Ff -Y2VydDEiMCAGCSqGSIb3DQEJARYTQ0FfY2VydEBleGFtcGxlLmNvbTAeFw0xNzA0 
-MjYxODQzMDBaFw0xODA0MTMxNTQ1MDBaMHQxCzAJBgNVBAYTAnBsMQ8wDQYDVQQI -EwZzZXJ2ZXIxDzANBgNVBAoTBnNlcnZlcjEPMA0GA1UECxMGc2VydmVyMQ8wDQYD -VQQDEwZzZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEnNlcnZlckBleGFtcGxlLmNvbTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3S0m42/yBrStPI8A8eV0ig -fehupIp0sDft/zBAf0r7bg7A1rAuJLkupIfm6Dnc0/vK43/pO8rCTQu7Xf9hMXyQ -TL3Hr7CamjAITJQ3CSwTBXrWfvwzzr+h2SG2U6DKBh9eBhb7f3ndVcwLIc4WCjJy -45gv5caKF9RSYUYVSun1tRzRI7xEiSMmQPbLJN1WGsP9nICFd4P2jj/cKJpPzU1O -wEf4V6wm0sdZ2ECJ8hG5PqfKlxCy1UtSpzMaFR+wqKk1Rujx9hR9CycaROe+0Csk -97DnygirND6V651tzuTheIrcL5tWAIShVgwxdisi1ui8mxSVUv6Q6DHAPLcx7+0C -AwEAATANBgkqhkiG9w0BAQUFAAOCAQEAiPQrjJbTZ6NB+FO0lJtt5vEBLdepkl6x -mtopQRxHPZIuUqV8viP9EW2PlrrPkpdbYZtkD0AuCXiqGD9u31kIHKG05GiQYj8q -XPy55QuOntWfwJc4GEZ9uebYckHGSNLsyubdkneLeXlEZz2RbtCoZS5337nlaUCm -93Hp/bRCFZ7if9tiscxwTft92z2+Tc5bI4JGAJfex/VgyggpNRLSDDRibNvFrooO -1kSnDxySyCtysodXfonWpJFA9EAcUHXY6vlGvzLVJRfrqsS7vC/fuKOz684XDYIL -g/eJED4XR47T8gA85vM8LWl80lXvfFIYsirOnYmeQDSfTRDG9eZG6Q== +MIIDoDCCAoigAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCUEwx +GzAZBgNVBAoMElN0dW5uZWwgRGV2ZWxvcGVyczEQMA4GA1UECwwHUm9vdCBDQTEL +MAkGA1UEAwwCQ0ExHTAbBgkqhkiG9w0BCQEWDkNBQGV4YW1wbGUuY29tMB4XDTE4 +MTAwOTE0NDk0MFoXDTIyMTAwOTE0NDk0MFowbzELMAkGA1UEBhMCUEwxGzAZBgNV +BAoMElN0dW5uZWwgRGV2ZWxvcGVyczEPMA0GA1UECwwGc2VydmVyMQ8wDQYDVQQD +DAZzZXJ2ZXIxITAfBgkqhkiG9w0BCQEWEnNlcnZlckBleGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvRSOWnuJnrrnlt+qUaiY9CJOp0 +Lox6vCEzwgMH+ftMZQwP6m427b3LEfPrxH6WkYMLwpAXGjREXRj+yB0ZcPvQ94VI +OyHgvgWJ14t+yLcq3w6zsWzJx/SmWLG7ga67wODxhCHAAHPKsv+cC+6wgt3kWu+G +jUQ27X03rQO2wNpV5cxdp9Ax6JQVnKleQEIShfELYYjJpp4s6n5VY8R8jRwJHl7k +XCjp5+8LSD64MUcXzo7u6XL8SxEGjQU+drKfNdleFfyVgjtAeyaWBrY8ciM4yIqn +M37zs6jyjLcNO0PtD+64VO4jJPmFY4M0O33AJu0EtuR1G/NSj1D85nKBZYUCAwEA +AaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUSLKfbW2zrTXPv2dTLXpT9jHEYLkw +HwYDVR0jBBgwFoAUMrsPuqQ8kOHXNhiDndXEGCYNvBowDQYJKoZIhvcNAQELBQAD +ggEBABYai56PR5tsnmv8+mIxZM980x+oYLACVA6YaQEWxtdPQl+tGJIVnJergfRO 
+UrG4OjqBZp0DjMJRNIIiM50YTsEQdrVoL6HaP5AgDwqWoRJIEdVZUQWyTTTE7nBd +0k6qNKUsJVEM1Zvv+cseQYIpT75P0FPl5egSPQHVuPWSco7gGF/zF2gA4QfzRsLe +frgfzXzxEF712CuS+OXj5lab4N1L9A1GzfeQ+bNlrUky79R+vMPfjoayUJ/fTafl +wTd6YBZurwxdy6Ktql9eisuli0PRdxed1eOpUxZAbS7N3ZIDTEOcLnBrIhQY7E8P +YxSm0/qri7nS4z/DmzTe2z0ttqM= -----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAu9FI5ae4meuueW36pRqJj0Ik6nQujHq8ITPCAwf5+0xlDA/q +bjbtvcsR8+vEfpaRgwvCkBcaNERdGP7IHRlw+9D3hUg7IeC+BYnXi37ItyrfDrOx +bMnH9KZYsbuBrrvA4PGEIcAAc8qy/5wL7rCC3eRa74aNRDbtfTetA7bA2lXlzF2n +0DHolBWcqV5AQhKF8QthiMmmnizqflVjxHyNHAkeXuRcKOnn7wtIPrgxRxfOju7p +cvxLEQaNBT52sp812V4V/JWCO0B7JpYGtjxyIzjIiqczfvOzqPKMtw07Q+0P7rhU +7iMk+YVjgzQ7fcAm7QS25HUb81KPUPzmcoFlhQIDAQABAoIBAQCFhYh8c9sh2dJE +03Hv9Ei9Brn1z7jT9+FM/V29B+uowqvHgn0X84baecZ+kSs1D1fNQQwFodboN32z +6lVbkp2m9+0v3KTlNcABcfhBXFXXGexPqGHHREAZ5jSBzhqonSPHBwv3bmcj6oOM +gmRdQTEYDGK1jANb7myxq2YdkMvTqyqYB3VlOrtNQV0KCQ/lan/CnTymYJlEi3D6 +9q0oniOoOsRWFFPJgfiUBTtOWofvWtiD5sj1wXX9wmJVX+w9Zxu5ep+vU9RymAA7 +km1e81fnc69hmJpGtQuEgSNiYW3UKHObZyShokANUVUW4sNo27oEynT8S8vbI/aL +dclhkz91AoGBAO2N+3bIBZSlobWdYQUoqzvNUuOjYh1bz+ejwr4QLUhh6XtjI7Kn +WoLN2jHnOdv9+mpguTP5L9nlwlWghkotQpRzbA5ovcGsVnIe75lZ+wLPH1XSbvyy +LjOJOEQvgH+Y7XXu6KuEye/ABfbzF2fcg+tKiC2IHPYGyvTkJzJGMK5fAoGBAMpm +pdsBGzstobtHq9V5Oj/MS7UwzOAeEUPPG4G2gufJ+SYyI+VQ490Iiz3DMcqc6LWn ++uDzpoqiqDZn3c8HNBAd/c29yplq8D1aHutKIWKyj0rPhFIfeYwMvBHWsgCAWmbI +4JcrrAZMIiaOA7QhmCzXILpmzqqUu2tUEZXHxW6bAoGBAJ4IDDdyzTOcFD3LmpVh +/rfj2baSJF0/jMmeiZkDDfzPFhH9W+wnpPDLnNIB7t3I0eQewFYw+YJNdMCd73g9 +L8OuHT5gs4u56DA3IFG2KGQwAbqIKUl2B4JFUOcbarJ3u9DuxF4GEoiqB83G3dU8 +P44xoPIZUJri3fWYKfMp+oylAoGBAJoQtKMWHoJXY8rI7ZXbZ2l0uxQ7B1h5yq6R +EeEU6mRBq7NVa1l8z1ZK0KK82EPgWIseSKu/C8BvvBddzMtwMkMqcS2REIzjh+dL +mEmF7g/Q154chB528vCWKPpzMJ+NFEM1GTA5AALzJPOwGkWdZNaNEs6QvzO9b0Rt +g809eZ2NAoGBALAWTTy1GEHB5cEjV49WbinkEOHrBkhl/FOVDkZmZgKbtzpM0K06 +H9UnQ2rzGGpXaE6t5phk42EhQ64+LGydtehOvAJFLUayOnDSqX06znIVOX2mUYVc +5yqja4x7YSOQCQEwGSvZ6c3RbFly0dFu0qCfzS0uJDHjLUpx0cwmt6JO 
+-----END RSA PRIVATE KEY----- diff -Nru stunnel4-5.44/tests/certs/stunnel.pem stunnel4-5.50/tests/certs/stunnel.pem --- stunnel4-5.44/tests/certs/stunnel.pem 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/certs/stunnel.pem 2018-10-09 14:49:40.000000000 +0000 
@@ -1,52 +1,53 @@ -----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDOzXhuuDTB83n4 -5gy6buWIi4umz40Qdw11SuQQt3xV1MlZGFl+MuX+Py8/PmvvzzCdwYLG0oTGCrzK -zdO08tbr0z9y50Q6i+YXP33myS75kMvoB/jVHGx7cVZq/xjwCE8gFJNPI52HUEOH -Prtqg51a1shWy+208uYK96iROUaoTeIFhhJ8SScsiMWZIKgEqalWjdeSwBrSEEUa -EM3ORd3huJ2FElDMeZ86ucAlAaOqIhw37M9OpunkOqE37GagnYxQdU8bxKLOuNGr -ShT2eU8fDDqw9ypSfwCrordSz0oBV6sjUYAEAIOXOpWfTBDXlk0CO5hnSDjDaikp -lTax3ze7AgMBAAECggEBALryujV1JpRSs2fTJ5x91dgbNlLE++Pvi+YFnqiSBr9c -zexR+8z+3DV8Dw0gM9klNvDV15A/DTIu0L6RVRoWET48yPXppR88CvPnPLyeEG4h -fIO0eTjGKjdpnNK662NKT6VTlFuNecGySGmBx1Ehy+Urlw4H6kqS7mzpt6QY4AwS -Qr1CHx43tyc7XyAWjb+7d+VUhAhoJPKobkF4J83KxDFN1q+7/gLaX+2Twh78aM8A -PBxEOG37FcJx2l81EK5UpxNXoJPo15uPzUD8mH+1p4z203eNYo4qB1ruo4wNJhLB -cO6kA4z5M6xQkgB4UafQh5R2/CseNHvvGmhB61R6eOkCgYEA+Pa8UASeDcNrnF/l -ObtSETEnJbijBabObbxRYlLdhwF6hp+ASdLt0agQGOTnhJUP7goQyJr6ww9ODoA8 -dJw5utmIGGv1vBae5SwxEamBgMRkn3tSZy6MW06LfhHjPc7Ky1DMbuzGlIoYJzXs -W7ECAIGblgv2NFJHSRVJFB7aJccCgYEA1KWyXA2TGCLY4xY3QMjiprwbzQgcPRH/ -w6mmOzh44nrT3YhQrDC+55KjXPoml8NKc+smW6cR8Yv01fLFc6Ec0mBWZqpOQvwM -P58JAFf/us/L5ZcdKuYwYxVYHW1s/t4SXZPD/A5TdspLrJvF6Ib8NrzFfu1ym7z8 -N8Kg2uqxzm0CgYEAy8TnDHc7BfjUswCqFT6ERR399JnSlGWav6ZK1jcMqdtD9bvG -vKWvkNIFmtp/w7xddW83nXl7lPuJ38SFtsvHVG+HPLXgQzogg2JQJyydmk8kLIQ7 -RciLiJAZC+6IF6aRxSc0q/WP8zOz4SP5eHLAOLncJktUEC7nuaF6VsWJtzECgYAM -Yo4t0FiV2km5iCy1qD2TKneQDH3gjLDRy4qz/kkEH9VBHNReAwTLZf3/x04CHsyy -TarRQbzIzbb30wjvAB42nofJuPeP7TAlcHTMwVNSpRGiEJgRTJDa5H5aUGo9ud9l -9do/TvJLg+K+beAr99ius3XpO5kmOu6RrNNDjNHITQKBgQDr0V+awa944XZLUCmD -uxCiheqiUKJKe5uYX8/jBFQ4onQFHlzGRtd3wpTZ3JHPPLOGYkAVognXy0LqM9zG -E1nozTRsSqfy2qfSgSGiSmxktoPWTen7YpA0+J+d+T6UcBfvWVbAFvBmk+2n1nXa -040QCD05eHlIWVrTIMgGqfRrgQ== +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBisv4Ys8pVJZ6 +CHKDy4UAi38KJp28husfNmrrQWlGStYvjhyEusVrA6WDP3yz2X/56m+8KnvsM29L +jDWhyQmXMxTh1XKWoh1URAI3FA7SAZ0dv8D8kFB34F2kuC+6o7GLsgz4qOOk3DhY +NFzMefiRjrqLFt5OgOiATI1flYTKh+sHxXFF/xu+31ND+RTGHtGGxjyeXfSw7n3p 
+o6e4U2ihcT/tU68PcGZCrDrVktfq/KvE6lFslPDcgnCrDyoTG1P3vwVlBDMzUSEn +916f6Wq6J6kK0KbLDZ+LXJZe2I5CYiFZXAluprNo+dUEwWZ42vE9kq6yy580ibOF +iKBzMG9PAgMBAAECggEBAIk/r1OuZnBNzwQtN2AlFGWFhwqgxd0q5FPXGE1Krqgt +a+R/Z9PsSxGPnXEMtZco12tYB/KtQgIHm5Y8kM/xK/7wN4/K+R6/SgM200dRzwy4 +Hj45fFbe1GGeV2n3P8mgScjh8/bmdcC0drR+NYy/tjkquTjnd7C+E6LgJqUw9+FS +89NU70UR+1irf/RysAwHCPlTfIIZon3atsvCUkiUE8G+8Kz4233H3TmVY5B+Zjq4 +uRLq47fcaOQ+irBkeicW7S4AbkKbXZsM/XxZB5BIBMv0t6OoF/uHvhyUzSxhvwhb +LGGGMSrtGnYAeNXj329xyjrOnA4jmsMPVNiVc/rdTkECgYEA5NrvStXvybPY8ngd +6ka4idu0K5EDixxrgoRQ2wV3WZecSsTSfr6B09UKch46HOIga9hpWg27NUGYuKfL +NOfF1cBNxU5yV5+zKCgX5bYX0QdpfUM6mO0btUEkXf5xMYTyzHfnLE+L3Vcnq0qg +KfZdto2LtEg3cznmtoJMqP3viaECgYEA2H+Zwkj84bxIuPwux6QeHueQ7K7Re59s +KxymutuTQ6N0oCHK5KwQvuUELFRiTj0frEIgJfNMrTrzJ6rIu7ExDzUafhnPi194 +zKfQVf0gtfCJvrDBbF1VEqAtfcfW+x7jI+sylWhltBJSlGvsju9LTEcnp4c6wtDS +hpsaXNe9su8CgYBZq8tdSExnfRfBkf0uwb0nDzYeZ/i6dk1N26iO2Sp1qWktBsfv +r5fRN8WbB2r/zD6l4ysMhRrYeDZuDBkcRsCGy43thJpa6RFa57LNaDcWyU+1LDV2 +nFliAP9N8RfLLmuwYD7tZtHHzZGWlWwCZS09DWMzJaTMemCDHLUK9kz4YQKBgHrM +nbVC2xVbS9CJUitxHpie9mgZnL7HJX6qqLOyWixyaXNu13uvUWxF0IEod/4y02VM +uJluEF7t4f/s8iDsF4ytrVI7Z6qBQ66pvRUZF9W7ExZzgbLqmZeP/V2r3XfhBCta +e/2dEpr6DZccRDiq6IXikk6G+MCJ2+/3yBNDV9lHAoGAXluoghrraKwg23U8eT5d +HrafIW/5F3OoLNMjxd64HI8mmX/IwwEmcVKdxFrUlgzjSI3Yu7YH8bMT/neppVOQ +srRJRXlqt3TZcup8/w6PIxvrCo3FnEXpizKR8fu66Vv0K7NG1aIao4Vu8SHm5Bfm +Vo6H4riZvNeRY5wfvR7ySVo= -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIEAzCCAuugAwIBAgIJAIMM7qk8vX8HMA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD +MIIENjCCAx6gAwIBAgIJAMrjqfDZWkd2MA0GCSqGSIb3DQEBCwUAMIGnMQswCQYD VQQGEwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fy c2F3MRswGQYDVQQKDBJTdHVubmVsIERldmVsb3BlcnMxFzAVBgNVBAsMDlByb3Zp -c2lvbmFsIENBMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTcwNDI3MTc1MzM5WhcN -MjEwNDI3MTc1MzM5WjCBgzELMAkGA1UEBhMCUEwxGTAXBgNVBAgMEE1hem92aWEg -UHJvdmluY2UxDzANBgNVBAcMBldhcnNhdzEbMBkGA1UECgwSU3R1bm5lbCBEZXZl -bG9wZXJzMRcwFQYDVQQLDA5Qcm92aXNpb25hbCBDQTESMBAGA1UEAwwJbG9jYWxo 
-b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzs14brg0wfN5+OYM -um7liIuLps+NEHcNdUrkELd8VdTJWRhZfjLl/j8vPz5r788wncGCxtKExgq8ys3T -tPLW69M/cudEOovmFz995sku+ZDL6Af41Rxse3FWav8Y8AhPIBSTTyOdh1BDhz67 -aoOdWtbIVsvttPLmCveokTlGqE3iBYYSfEknLIjFmSCoBKmpVo3XksAa0hBFGhDN -zkXd4bidhRJQzHmfOrnAJQGjqiIcN+zPTqbp5DqhN+xmoJ2MUHVPG8SizrjRq0oU -9nlPHww6sPcqUn8Aq6K3Us9KAVerI1GABACDlzqVn0wQ15ZNAjuYZ0g4w2opKZU2 -sd83uwIDAQABo3gwdjARBglghkgBhvhCAQEEBAMCBkAwDwYDVR0TBAgwBgEB/wIB -ADALBgNVHQ8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwLgYJYIZIAYb4QgEN -BCEWH3N0dW5uZWwgc2VsZi1zaWduZWQgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQEF -BQADggEBAEVV6RJ4N+7Y4ImwrxalKnM+RX1c0tRXeX2NCLYeTypu1MNbyXJeWSrR -N7r49JuxrJSnIFHpTcZzGxOFI8flVeDXDFdt6hpvWX/p+RIVPj2TARNh0VrTni7O -imcTGlbakxiGk6whM9fh3I1Kxvz949DC6Y8prLuwnjBnQYsyHJC6WQsIKlT/+fnp -hyX1lRUVAWa6UHPAFq39RsUQLOA5w95A6fDkfXevx/PfjHEpymK0C6/C+amu5dhz -xNZQsGDEG749Ny+xI1azUG7pwOEZmXN+hZKMs8YPG6NpAf63xhNFBAYpjT4wlE1/ -96h/XIphwPJAiVbc7lxcHpTTlZfcQi8= +c2lvbmFsIENBMRIwEAYDVQQDDAlsb2NhbGhvc3QxIjAgBgkqhkiG9w0BCQEWE3N0 +dW5uZWxAZXhhbXBsZS5jb20wHhcNMTgxMDA5MTQ0OTM5WhcNMjIxMDA5MTQ0OTM5 +WjCBpzELMAkGA1UEBhMCUEwxGTAXBgNVBAgMEE1hem92aWEgUHJvdmluY2UxDzAN +BgNVBAcMBldhcnNhdzEbMBkGA1UECgwSU3R1bm5lbCBEZXZlbG9wZXJzMRcwFQYD +VQQLDA5Qcm92aXNpb25hbCBDQTESMBAGA1UEAwwJbG9jYWxob3N0MSIwIAYJKoZI +hvcNAQkBFhNzdHVubmVsQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAwYrL+GLPKVSWeghyg8uFAIt/CiadvIbrHzZq60FpRkrWL44c +hLrFawOlgz98s9l/+epvvCp77DNvS4w1ockJlzMU4dVylqIdVEQCNxQO0gGdHb/A +/JBQd+BdpLgvuqOxi7IM+KjjpNw4WDRczHn4kY66ixbeToDogEyNX5WEyofrB8Vx +Rf8bvt9TQ/kUxh7RhsY8nl30sO596aOnuFNooXE/7VOvD3BmQqw61ZLX6vyrxOpR +bJTw3IJwqw8qExtT978FZQQzM1EhJ/den+lquiepCtCmyw2fi1yWXtiOQmIhWVwJ +bqazaPnVBMFmeNrxPZKussufNImzhYigczBvTwIDAQABo2MwYTAPBgNVHRMBAf8E +BTADAQH/MB0GA1UdDgQWBBRseoi9wT0pV/YquSn6CXXEDHd6OzAfBgNVHSMEGDAW +gBRseoi9wT0pV/YquSn6CXXEDHd6OzAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN +AQELBQADggEBAI7stlWNcMCleOiS0YbR64BKOj/DhfVxR13OS3dfPfDKztu+tvjJ 
+p+HUN8ZryKWXDuR1qg4m63PdKLC7r1AhKhkYtWEJiijN6OEmCvK3LgtqY+jzPa82 +2YJdtQuMFbZJkCe7dqEqelhJ1VjYR0Vbl83dPLQStMgdGjiYSfLoo9pmy/MJv1f0 +I0n3AKFp/328ZYPfPG8WmU4aBI7HzUsWiJGC8wEUsakpAp882KLOXfVhpYwBVBtL +QDs6QrX1jquhfMNQX635YQcFhzTsG4KmCy6ueevwvyOtWLrvPkiuUGcvIlpJGI96 +4oSNsEzAchpxZ5tafzZ3ozP/Awi3m89KbbE= -----END CERTIFICATE----- diff -Nru stunnel4-5.44/tests/execute_read stunnel4-5.50/tests/execute_read --- stunnel4-5.44/tests/execute_read 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/execute_read 2018-04-06 14:29:30.000000000 +0000 @@ -0,0 +1,3 @@ +#!/bin/sh + +cat >> "$1" diff -Nru stunnel4-5.44/tests/execute_write stunnel4-5.50/tests/execute_write --- stunnel4-5.44/tests/execute_write 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/execute_write 2018-04-06 14:29:30.000000000 +0000 @@ -0,0 +1,3 @@ +#!/bin/sh + +echo "$@" > "$1" diff -Nru stunnel4-5.44/tests/Makefile.am stunnel4-5.50/tests/Makefile.am --- stunnel4-5.44/tests/Makefile.am 2017-08-23 05:03:13.000000000 +0000 +++ stunnel4-5.50/tests/Makefile.am 2018-10-09 14:37:38.000000000 +0000 @@ -1,7 +1,9 @@ ## Process this file with automake to produce Makefile.in -# by Michal Trojnara 2017 +# by Michal Trojnara 1998-2018 -EXTRA_DIST = make_test test_library recipes certs execute +SUBDIRS = certs + +EXTRA_DIST = make_test test_library recipes execute execute_read execute_write check-local: $(srcdir)/make_test diff -Nru stunnel4-5.44/tests/Makefile.in stunnel4-5.50/tests/Makefile.in --- stunnel4-5.44/tests/Makefile.in 2017-11-14 14:07:50.000000000 +0000 +++ stunnel4-5.50/tests/Makefile.in 2018-11-09 15:53:56.000000000 +0000 @@ -14,7 +14,7 @@ @SET_MAKE@ -# by Michal Trojnara 2017 +# by Michal Trojnara 1998-2018 VPATH = @srcdir@ am__is_gnu_make = { \ if test -z '$(MAKELEVEL)'; then \ 
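Review bot: In tests/execute_write, `echo "$@" > "$1"` passes arbitrary arguments to `echo`, whose treatment of a leading `-n` and of backslashes differs between `/bin/sh` implementations, so the bytes written can vary by platform. `printf '%s\n' "$*" > "$1"` writes the same space-joined arguments predictably. Both this helper and tests/execute_read (`cat >> "$1"`) write to whatever path the caller supplies without checking that `$1` is non-empty. A guard such as `[ -n "$1" ] || exit 2` and a one-line header comment naming the recipe that invokes each helper would make the intent clear.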
@@ -116,14 +116,74 @@ am__v_at_1 = SOURCES = DIST_SOURCES = +RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + install-data-recursive install-dvi-recursive \ + install-exec-recursive install-html-recursive \ + install-info-recursive install-pdf-recursive \ + install-ps-recursive install-recursive installcheck-recursive \ + installdirs-recursive pdf-recursive ps-recursive \ + tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +am__recursive_targets = \ + $(RECURSIVE_TARGETS) \ + $(RECURSIVE_CLEAN_TARGETS) \ + $(am__extra_recursive_targets) +AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ + distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ @@ -248,8 +308,9 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -EXTRA_DIST = make_test test_library recipes certs execute -all: all-am +SUBDIRS = certs +EXTRA_DIST = make_test test_library recipes execute execute_read execute_write +all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) 
@@ -287,12 +348,105 @@ clean-libtool: -rm -rf .libs _libs -tags TAGS: -ctags CTAGS: +# This directory's subdirectories are mostly independent; you can cd +# into them and run 'make' without going through this Makefile. +# To change the values of 'make' variables: instead of editing Makefiles, +# (1) if the variable is set in 'config.status', edit 'config.status' +# (which will cause the Makefiles to be regenerated when you run 'make'); +# (2) otherwise, pass the desired values on the 'make' command line. +$(am__recursive_targets): + @fail=; \ + if $(am__make_keepgoing); then \ + failcom='fail=yes'; \ + else \ + failcom='exit 1'; \ + fi; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-recursive +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! 
-f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-recursive -cscope cscopelist: +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-recursive + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ 
@@ -324,20 +478,46 @@ || exit 1; \ fi; \ done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + || test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done check-am: all-am $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am +check: check-recursive all-am: Makefile -installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am +installdirs: installdirs-recursive +installdirs-am: +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -installcheck: installcheck-am +installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ 
@@ -359,86 +539,88 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -clean: clean-am +clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am -distclean: distclean-am +distclean: distclean-recursive -rm -f Makefile -distclean-am: clean-am distclean-generic distclean-local +distclean-am: clean-am distclean-generic distclean-local \ + distclean-tags -dvi: dvi-am +dvi: dvi-recursive dvi-am: -html: html-am +html: html-recursive html-am: -info: info-am +info: info-recursive info-am: install-data-am: -install-dvi: install-dvi-am +install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: -install-html: install-html-am +install-html: install-html-recursive install-html-am: -install-info: install-info-am +install-info: install-info-recursive install-info-am: install-man: -install-pdf: install-pdf-am +install-pdf: install-pdf-recursive install-pdf-am: -install-ps: install-ps-am +install-ps: install-ps-recursive install-ps-am: installcheck-am: -maintainer-clean: maintainer-clean-am +maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic -mostlyclean: mostlyclean-am +mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool -pdf: pdf-am +pdf: pdf-recursive pdf-am: -ps: ps-am +ps: ps-recursive ps-am: uninstall-am: -.MAKE: check-am install-am install-strip +.MAKE: $(am__recursive_targets) check-am install-am install-strip -.PHONY: all all-am check check-am check-local clean clean-generic \ - clean-libtool cscopelist-am ctags-am distclean \ - distclean-generic distclean-libtool distclean-local distdir \ - dvi dvi-am html html-am info info-am install install-am \ +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ + check-am check-local clean clean-generic clean-libtool \ + cscopelist-am ctags ctags-am distclean distclean-generic \ + 
distclean-libtool distclean-local distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ - uninstall-am + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am .PRECIOUS: Makefile diff -Nru stunnel4-5.44/tests/make_test stunnel4-5.50/tests/make_test --- stunnel4-5.44/tests/make_test 2017-11-22 16:12:48.000000000 +0000 +++ stunnel4-5.50/tests/make_test 2018-06-20 12:08:04.000000000 +0000 
@@ -11,16 +11,48 @@ cd "${result_path}" result_path="${result_path}/logs" -if [ -n "$(command -v ncat)" ] - then # ncat - mynetcat="ncat" - elif [ -n "$(command -v nc)" ] - then # nc - mynetcat="nc" - else # # netcat not found - mynetcat="null" +autodetection() { + + result=0 + if [ -n "$(command -v ncat)" ] + then # ncat + mynetcat="ncat" + elif [ -n "$(command -v nc)" ] + then # nc + mynetcat="nc" + else # netcat is required + printf "%s\n" "ncat / nc not found in \$PATH" + result=1 fi -if [ "$mynetcat" != "null" ] # netcat is required + + if [ -n "$(command -v netstat)" ] && ! netstat -a -n 2>&1 | grep -q -e "usage" -e "invalid" -e "illegal" -e "command not found" + then + mynetstat="netstat" + elif [ -n "$(command -v ss)" ] && ! ss -a -n -l 2>&1 | grep -q -e "usage" -e "invalid" -e "illegal" -e "command not found" + then + mynetstat="ss" + elif [ -n "$(command -v lsof)" ] && ! lsof -i -n -P 2>&1 | grep -q -e "usage" -e "invalid" -e "illegal" -e "command not found" + then + mynetstat="lsof" + else # netstat / ss / lsof is required + printf "%s\n" "netstat / ss / lsof not found in \$PATH or some option error" + result=1 + fi + + if [ -n "$(command -v stdbuf)" ] + then + mybuffer="stdbuf" + elif [ -n "$(command -v unbuffer)" ] + then + mybuffer="unbuffer" + else + mybuffer="" + fi + + return $result +} + +if autodetection then rm -rf "${result_path}" mkdir "${result_path}" 
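Review bot: The netstat, ss and lsof probes in `autodetection` decide whether a tool is usable by grepping its output for the lowercase strings "usage", "invalid", "illegal" and "command not found". That match is case- and locale-sensitive, so a tool that prints "Usage:" or a translated message on a rejected option would be accepted and the recipes would fail later with a less obvious error. Testing the exit status is sturdier where the tool returns non-zero on a bad option, e.g. `elif command -v ss >/dev/null 2>&1 && ss -a -n -l >/dev/null 2>&1`. The two "not found" messages are diagnostics and would be better sent to stderr with `>&2`.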
@@ -29,31 +61,38 @@ ../../src/stunnel -version 2>> "results.log" printf "\n%s\n" "Testing..." >> "results.log" head -n5 "results.log" - for plik in ${script_path}/recipes/* - do - /bin/sh $plik $mynetcat - state=$? - if [ "$state" -eq 0 ] - then # $state=0 - count=$((count + 1)) - elif [ "$state" -eq 125 ] - then # $state=125 - skip=$((skip + 1)) - else # $state=1 - fail=$((fail + 1)) + if ! grep -q "solaris" "results.log" + then + for plik in ${script_path}/recipes/* + do + /bin/sh $plik "$mynetcat" "$mynetstat" "$mybuffer" + state=$? + if [ "$state" -eq 0 ] + then # $state=0 + count=$((count + 1)) + elif [ "$state" -eq 125 ] + then # $state=125 + skip=$((skip + 1)) + else # $state=1 + fail=$((fail + 1)) + result=1 + fi + done + if [ $count -eq 0 ] + then # no test was done result=1 fi - done - if [ $count -eq 0 ] - then # no test was done - result=1 + printf "%s\n" "summary: success $count, skip $skip, fail $fail" + printf "%s\n" "summary: success $count, skip $skip, fail $fail" >> "results.log" + printf "%s\n" "./make_test finished" + cd .. + else # skip make test for solaris + printf "%s\n" "./make_test skipped" + printf "%s\n" "./make_test skipped" >> "results.log" + #result=125 fi - printf "%s\n" "summary: success $count, skip $skip, fail $fail" - printf "%s\n" "summary: success $count, skip $skip, fail $fail" >> "results.log" - printf "%s\n" "./make_test finished" - cd .. else # netcat not found - printf "%s\n" "./make_test skipped: ncat (nc) not found in \$PATH" + printf "%s\n" "./make_test skipped" #result=125 fi exit $result diff -Nru stunnel4-5.44/tests/recipes/010_require_cert stunnel4-5.50/tests/recipes/010_require_cert --- stunnel4-5.44/tests/recipes/010_require_cert 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/010_require_cert 2018-10-11 09:19:45.000000000 +0000 
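Review bot: The final `else` branch prints `./make_test skipped` but now exits non-zero, because `autodetection` sets `result=1` when a tool is missing and the script ends with `exit $result`; the new Solaris branch prints the same word and exits with the 0 that `autodetection` left in `result`. If a missing tool is meant to fail the run, say so, e.g. `printf "%s\n" "./make_test failed: required tools missing"`; if it is meant to skip, reset `result` in that branch. The comment `# netcat not found` is also stale, since the branch is now reached when netstat / ss / lsof is missing too. Separately, the recipe path is still unquoted next to the newly quoted arguments: `/bin/sh "$plik" "$mynetcat" "$mynetstat" "$mybuffer"`.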
@@ -8,21 +8,19 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - cert = ${script_path}/certs/client_cert.pem + connect = 127.0.0.1:${https1} + cert = ../certs/client_cert.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem requireCert = yes EOT } -check_ports "010_require_cert" -start 2> "error.log" -test_log_for "010_require_cert" "success" "$1" 2>> "stderr.log" +test_log_for "010_require_cert" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/011_verify_peer stunnel4-5.50/tests/recipes/011_verify_peer --- stunnel4-5.44/tests/recipes/011_verify_peer 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/011_verify_peer 2018-10-11 09:19:45.000000000 +0000 
@@ -8,22 +8,20 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - cert = ${script_path}/certs/client_cert.pem + connect = 127.0.0.1:${https1} + cert = ../certs/client_cert.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem verifyPeer = yes - CAfile = ${script_path}/certs/PeerCerts.pem + CAfile = ../certs/PeerCerts.pem EOT } -check_ports "011_verify_peer" -start 2> "error.log" -test_log_for "011_verify_peer" "success" "$1" 2>> "stderr.log" +test_log_for "011_verify_peer" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/012_verify_chain stunnel4-5.50/tests/recipes/012_verify_chain --- stunnel4-5.44/tests/recipes/012_verify_chain 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/012_verify_chain 2018-10-11 09:19:45.000000000 +0000 
@@ -8,21 +8,26 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} verifyChain = yes - CAfile = ${script_path}/certs/CACert.pem + CAfile = ../certs/CACert.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "012_verify_chain" -start 2> "error.log" -test_log_for "012_verify_chain" "success" "$1" 2>> "stderr.log" -exit $? +if grep -q -e "OpenSSL 0.9.8" -e "OpenSSL 1" "results.log" + then + test_log_for "012_verify_chain" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" + exit $? + else # older OpenSSL doesn't support sha256 + exit_logs "012_verify_chain" "skipped" + clean_logs + exit 125 + fi diff -Nru stunnel4-5.44/tests/recipes/013_CRL_file stunnel4-5.50/tests/recipes/013_CRL_file --- stunnel4-5.44/tests/recipes/013_CRL_file 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/013_CRL_file 2018-10-11 09:19:45.000000000 +0000 
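Review bot: The new gate `grep -q -e "OpenSSL 0.9.8" -e "OpenSSL 1" "results.log"` is an allow-list of version prefixes, so a build whose version text matches neither pattern (a later major version, or a differently named library) takes the `else` branch and the chain-verification test is reported as skipped with status 125. Since the stated reason is that older OpenSSL lacks sha256, excluding the old versions and running the test otherwise would keep this check alive on versions the list does not anticipate. The pattern is also searched in the whole of `results.log` rather than in the version line only. The same gate is added in 013_CRL_file. At minimum the comment should state the effect: `# runs only on OpenSSL 0.9.8 and 1.x; any other version string skips this test`.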
@@ -8,22 +8,27 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} verifyChain = yes - CAfile = ${script_path}/certs/CACert.pem - CRLfile = ${script_path}/certs/CACertCRL.pem + CAfile = ../certs/CACert.pem + CRLfile = ../certs/CACertCRL.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "013_CRL_file" -start 2> "error.log" -test_log_for "013_CRL_file" "success" "$1" 2>> "stderr.log" -exit $? +if grep -q -e "OpenSSL 0.9.8" -e "OpenSSL 1" "results.log" + then + test_log_for "013_CRL_file" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" + exit $? + else # older OpenSSL doesn't support sha256 + exit_logs "013_CRL_file" "skipped" + clean_logs + exit 125 + fi diff -Nru stunnel4-5.44/tests/recipes/014_PSK_secrets stunnel4-5.50/tests/recipes/014_PSK_secrets --- stunnel4-5.44/tests/recipes/014_PSK_secrets 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/014_PSK_secrets 2018-11-05 07:19:29.000000000 +0000 
@@ -7,29 +7,26 @@ syslog = no pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - sslVersion = TLSv1 - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - PSKsecrets = ${script_path}/certs/psk1.txt + connect = 127.0.0.1:${https1} + PSKsecrets = ../certs/psk1.txt - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - ciphers = PSK - PSKsecrets = ${script_path}/certs/secrets.txt + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + PSKsecrets = ../certs/secrets.txt EOT } -check_ports "014_PSK_secrets" if grep -q "OpenSSL 1" "results.log" then - start 2> "error.log" - test_log_for "014_PSK_secrets" "success" "$1" 2>> "stderr.log" + test_log_for "014_PSK_secrets" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "014_PSK_secrets" "skipped" + clean_logs exit 125 fi diff -Nru stunnel4-5.44/tests/recipes/015_p12_cert stunnel4-5.50/tests/recipes/015_p12_cert --- stunnel4-5.44/tests/recipes/015_p12_cert 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/015_p12_cert 2018-10-11 09:19:45.000000000 +0000 
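Review bot: With `ciphers = PSK` and `sslVersion = TLSv1` dropped, nothing in the `[server]` section states that this handshake has to be PSK-authenticated; it presumably still is, because the section has no `cert`, but that is now implicit. A config comment would keep a later edit from adding a certificate and turning this into a test that passes without exercising PSK, e.g. `; no cert on purpose: the handshake must be authenticated through PSKsecrets`. Whether `test_log_for` checks the negotiated suite in the log cannot be seen from this hunk.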
@@ -8,25 +8,24 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.p12 + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.p12 EOT } -check_ports "015_p12_cert" if grep -q "OpenSSL 1" "results.log" then - start 2> "error.log" - test_log_for "015_p12_cert" "success" "$1" 2>> "stderr.log" + test_log_for "015_p12_cert" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "015_p12_cert" "skipped" + clean_logs exit 125 fi diff -Nru stunnel4-5.44/tests/recipes/020_IPv6 stunnel4-5.50/tests/recipes/020_IPv6 --- stunnel4-5.44/tests/recipes/020_IPv6 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/020_IPv6 2018-10-11 09:19:45.000000000 +0000 
@@ -8,25 +8,27 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = :::${https} + connect = ::1:${https1} - [https server] - accept = :::${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/stunnel.pem + [server] + accept = ::1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "020_IPv6" -if grep -q "IPv6" "results.log" && PATH="${PATH}:/sbin:/usr/sbin" ifconfig | grep -q "inet6" && [ -n "$(command -v ncat)" ] # nc does not support IPv6 +# nc does not support IPv6 +if grep -q "IPv6" "results.log" && [ -n "$(command -v ncat)" ] && \ + (([ -n "$(command -v ip)" ] && PATH="${PATH}:/sbin:/usr/sbin" ip address | grep -q "inet6") || \ + ([ -n "$(command -v ifconfig)" ] && PATH="${PATH}:/sbin:/usr/sbin" ifconfig | grep -q "inet6")) then - start 2> "error.log" - test_log_for "020_IPv6" "success" "$1" 2>> "stderr.log" + test_log_for "020_IPv6" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "020_IPv6" "skipped" + clean_logs exit 125 fi diff -Nru stunnel4-5.44/tests/recipes/021_FIPS stunnel4-5.50/tests/recipes/021_FIPS --- stunnel4-5.44/tests/recipes/021_FIPS 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/021_FIPS 2018-10-11 09:19:45.000000000 +0000 
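Review bot: The new condition looks up `ip` and `ifconfig` with `command -v` under the caller's `PATH` but runs them with `PATH="${PATH}:/sbin:/usr/sbin"`, so where these tools live only in /sbin or /usr/sbin and that directory is not in the user's `PATH`, both lookups fail and the IPv6 test is skipped; the old code ran `ifconfig` under the extended path without a lookup. Doing the lookup under the same path fixes it: `[ -n "$(PATH="${PATH}:/sbin:/usr/sbin" command -v ip)" ]`, and the same for `ifconfig`. The grouping also opens with `((` and closes with `))`, which some shells try to read as an arithmetic command; writing `( (` and `) )` with a space keeps it a nested subshell under any `/bin/sh`.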
@@ -9,25 +9,24 @@ output = ${result_path}/stunnel.log fips = yes - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/stunnel.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "021_FIPS" if grep -q "FIPS" results.log && grep -q "\-fips" results.log then - start 2> "error.log" - test_log_for "021_FIPS" "success" "$1" 2>> "stderr.log" + test_log_for "021_FIPS" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "021_FIPS" "skipped" + clean_logs exit 125 fi diff -Nru stunnel4-5.44/tests/recipes/022_bind stunnel4-5.50/tests/recipes/022_bind --- stunnel4-5.44/tests/recipes/022_bind 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/022_bind 2018-10-11 09:19:45.000000000 +0000 @@ -0,0 +1,25 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +start() { + ../../src/stunnel -fd 0 <> "stderr.log" +exit $? diff -Nru stunnel4-5.44/tests/recipes/030_simple_execute stunnel4-5.50/tests/recipes/030_simple_execute --- stunnel4-5.44/tests/recipes/030_simple_execute 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/030_simple_execute 2018-10-11 09:19:45.000000000 +0000 
@@ -8,20 +8,18 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} - [https server] - accept = 127.0.0.1:${https} + [server] + accept = 127.0.0.1:${https1} exec = ${script_path}/execute execArgs = execute 030_simple_execute - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem EOT } -check_ports "030_simple_execute" -start 2> "error.log" -test_log_for "030_simple_execute" "execute" "$1" 2>> "stderr.log" +test_log_for "030_simple_execute" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/031_redirect stunnel4-5.50/tests/recipes/031_redirect --- stunnel4-5.44/tests/recipes/031_redirect 2017-11-17 18:13:10.000000000 +0000 +++ stunnel4-5.50/tests/recipes/031_redirect 2018-10-11 09:19:45.000000000 +0000 @@ -8,13 +8,13 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client_1] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - ;cert = ${script_path}/certs/client_cert.pem + connect = 127.0.0.1:${https1} + ;cert = ../certs/client_cert.pem ;wrong certificate - cert = ${script_path}/certs/stunnel.pem + cert = ../certs/stunnel.pem [client_2] client = yes 
@@ -26,29 +26,27 @@ accept = 127.0.0.1:${http3} connect = 127.0.0.1:${https3} - [https server] - accept = 127.0.0.1:${https} + [server_1] + accept = 127.0.0.1:${https1} connect = 127.0.0.1:${http2} redirect = ${http3} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem verifyPeer = yes - CAfile = ${script_path}/certs/PeerCerts.pem + CAfile = ../certs/PeerCerts.pem [server_2] accept = 127.0.0.1:${https2} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 031_redirect_error [server_3] accept = 127.0.0.1:${https3} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 031_redirect EOT } -check_ports "031_redirect" -start 2> "error.log" -test_log_for "031_redirect" "execute" "$1" 2>> "stderr.log" +test_log_for "031_redirect" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/032_no_redirect stunnel4-5.50/tests/recipes/032_no_redirect --- stunnel4-5.44/tests/recipes/032_no_redirect 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/032_no_redirect 2018-10-11 09:19:45.000000000 +0000 @@ -8,12 +8,12 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client_1] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} ;correct certificate - cert = ${script_path}/certs/client_cert.pem + cert = ../certs/client_cert.pem [client_2] client = yes 
@@ -25,29 +25,27 @@ accept = 127.0.0.1:${http3} connect = 127.0.0.1:${https3} - [https server] - accept = 127.0.0.1:${https} + [server_1] + accept = 127.0.0.1:${https1} connect = 127.0.0.1:${http2} redirect = ${http3} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem verifyPeer = yes - CAfile = ${script_path}/certs/PeerCerts.pem + CAfile = ../certs/PeerCerts.pem [server_2] accept = 127.0.0.1:${https2} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 032_no_redirect [server_3] accept = 127.0.0.1:${https3} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 032_no_redirect_error EOT } -check_ports "032_no_redirect" -start 2> "error.log" -test_log_for "032_no_redirect" "execute" "$1" 2>> "stderr.log" +test_log_for "032_no_redirect" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/033_redirect_exec stunnel4-5.50/tests/recipes/033_redirect_exec --- stunnel4-5.44/tests/recipes/033_redirect_exec 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/033_redirect_exec 2018-10-11 09:19:45.000000000 +0000 
@@ -8,37 +8,35 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client_1] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - ;cert = ${script_path}/certs/client_cert.pem + connect = 127.0.0.1:${https1} + ;cert = ../certs/client_cert.pem ;wrong certificate - cert = ${script_path}/certs/stunnel.pem + cert = ../certs/stunnel.pem [client_2] client = yes accept = 127.0.0.1:${http2} connect = 127.0.0.1:${https2} - [https server] - accept = 127.0.0.1:${https} + [server_1] + accept = 127.0.0.1:${https1} exec = ${script_path}/execute execArgs = execute 033_redirect_exec_error redirect = ${http2} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem verifyPeer = yes - CAfile = ${script_path}/certs/PeerCerts.pem + CAfile = ../certs/PeerCerts.pem [server_2] accept = 127.0.0.1:${https2} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 033_redirect_exec EOT } -check_ports "033_redirect_exec" -start 2> "error.log" -test_log_for "033_redirect_exec" "execute" "$1" 2>> "stderr.log" +test_log_for "033_redirect_exec" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/034_no_redirect_exec stunnel4-5.50/tests/recipes/034_no_redirect_exec --- stunnel4-5.44/tests/recipes/034_no_redirect_exec 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/034_no_redirect_exec 2018-10-11 09:19:45.000000000 +0000 
@@ -8,36 +8,34 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client_1] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} ;correct certificate - cert = ${script_path}/certs/client_cert.pem + cert = ../certs/client_cert.pem [client_2] client = yes accept = 127.0.0.1:${http2} connect = 127.0.0.1:${https2} - [https server] - accept = 127.0.0.1:${https} + [server_1] + accept = 127.0.0.1:${https1} exec = ${script_path}/execute execArgs = execute 034_no_redirect_exec redirect = ${http2} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem verifyPeer = yes - CAfile = ${script_path}/certs/PeerCerts.pem + CAfile = ../certs/PeerCerts.pem [server_2] accept = 127.0.0.1:${https2} - cert = ${script_path}/certs/server_cert.pem + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 034_no_redirect_exec_error EOT } -check_ports "034_no_redirect_exec" -start 2> "error.log" -test_log_for "034_no_redirect_exec" "execute" "$1" 2>> "stderr.log" +test_log_for "034_no_redirect_exec" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/035_SNI stunnel4-5.50/tests/recipes/035_SNI --- stunnel4-5.44/tests/recipes/035_SNI 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/035_SNI 2018-10-11 09:19:45.000000000 +0000 
@@ -8,36 +8,35 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} sni = sni.mydomain.com - cert = ${script_path}/certs/client_cert.pem + cert = ../certs/client_cert.pem - [virtual] - accept = 127.0.0.1:${https} - cert = ${script_path}/certs/server_cert.pem + [server_virtual] + accept = 127.0.0.1:${https1} + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 035_SNI_error [sni] - sni = virtual:sni.mydomain.com - cert = ${script_path}/certs/server_cert.pem + sni = server_virtual:*.mydomain.com + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 035_SNI verifyPeer = yes - CAfile = ${script_path}/certs/PeerCerts.pem + CAfile = ../certs/PeerCerts.pem EOT } -check_ports "035_SNI" if grep -q "OpenSSL 1" "results.log" then - start 2> "error.log" - test_log_for "035_SNI" "execute" "$1" 2>> "stderr.log" + test_log_for "035_SNI" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "035_SNI" "skipped" + clean_logs exit 125 fi diff -Nru stunnel4-5.44/tests/recipes/036_no_SNI stunnel4-5.50/tests/recipes/036_no_SNI --- stunnel4-5.44/tests/recipes/036_no_SNI 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/036_no_SNI 2018-10-11 09:19:45.000000000 +0000 
@@ -8,33 +8,32 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} ;sni = sni.mydomain.com - [virtual] - accept = 127.0.0.1:${https} - cert = ${script_path}/certs/server_cert.pem + [server_virtual] + accept = 127.0.0.1:${https1} + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 036_no_SNI [sni] - sni = virtual:sni.mydomain.com - cert = ${script_path}/certs/server_cert.pem + sni = server_virtual:sni.mydomain.com + cert = ../certs/server_cert.pem exec = ${script_path}/execute execArgs = execute 036_no_SNI_error EOT } -check_ports "036_no_SNI" if grep -q "OpenSSL 1" "results.log" then - start 2> "error.log" - test_log_for "036_no_SNI" "execute" "$1" 2>> "stderr.log" + test_log_for "036_no_SNI" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "036_no_SNI" "skipped" + clean_logs exit 125 fi diff -Nru stunnel4-5.44/tests/recipes/037_failover_prio1 stunnel4-5.50/tests/recipes/037_failover_prio1 --- stunnel4-5.44/tests/recipes/037_failover_prio1 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/037_failover_prio1 2018-10-11 09:19:45.000000000 +0000 
@@ -8,25 +8,24 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes failover = prio accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} connect = 127.0.0.1:${https2} - [https server_1] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server_1] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem - [https server_2] + [server_2] accept = 127.0.0.1:${https2} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "037_failover_prio1" -test_log_for "037_failover_prio1" "prio" "$1" 2>> "stderr.log" +test_log_for "037_failover_prio1" "prio" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/038_failover_prio2 stunnel4-5.50/tests/recipes/038_failover_prio2 --- stunnel4-5.44/tests/recipes/038_failover_prio2 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/038_failover_prio2 2018-10-11 09:19:45.000000000 +0000 
@@ -8,25 +8,24 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes failover = prio accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https_free} connect = 127.0.0.1:${https2} - ;[https server_1] - ;accept = 127.0.0.1:${https} - ;connect = 127.0.0.1:${http2} - ;cert = ${script_path}/certs/server_cert.pem + ;[server_1] + ;accept = 127.0.0.1:${https_free} + ;connect = 127.0.0.1:${http_nc} + ;cert = ../certs/server_cert.pem - [https server_2] + [server_2] accept = 127.0.0.1:${https2} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "038_failover_prio2" -test_log_for "038_failover_prio2" "prio" "$1" 2>> "stderr.log" +test_log_for "038_failover_prio2" "prio" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/039_failover_rr stunnel4-5.50/tests/recipes/039_failover_rr --- stunnel4-5.44/tests/recipes/039_failover_rr 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/039_failover_rr 2018-10-11 09:19:45.000000000 +0000 
@@ -8,31 +8,30 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes failover = rr accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} connect = 127.0.0.1:${https2} connect = 127.0.0.1:${https3} - [https server_1] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server_1] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem - [https server_2] + [server_2] accept = 127.0.0.1:${https2} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem - [https server_3] + [server_3] accept = 127.0.0.1:${https3} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "039_failover_rr" -test_log_for "039_failover_rr" "rr" "$1" 2>> "stderr.log" +test_log_for "039_failover_rr" "rr" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/040_reload stunnel4-5.50/tests/recipes/040_reload --- stunnel4-5.44/tests/recipes/040_reload 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/040_reload 2018-10-11 09:19:45.000000000 +0000 
@@ -1,43 +1,51 @@ #!/bin/sh . $(dirname $0)/../test_library -check_ports "040_reload" - -echo " +set_config() { + echo " debug = debug syslog = no pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client_1] client = yes - accept = 127.0.0.1:${http3} - connect = 127.0.0.1:${https} - - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem" > "stunnel.conf" + accept = 127.0.0.1:${http2} + connect = 127.0.0.1:${https1} -../../src/stunnel stunnel.conf 2> "error.log" - -# accept = 127.0.0.1:${http3} -> accept = 127.0.0.1:${http1} -echo " + [server_1] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem" > "stunnel.conf" +} + +change_config() { +# accept = 127.0.0.1:${http2} -> accept = 127.0.0.1:${http1} + echo " debug = debug syslog = no pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client_2] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem" > "stunnel.conf" + [server_2] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem" > "stunnel.conf" +} + +start() { + set_config + ../../src/stunnel stunnel.conf +} -reload_stunnel -test_log_for "040_reload" "success" "$1" 2>> "stderr.log" +myglobal "$1" "$2" "$3" +check_ports "040_reload" +start_stunnel "040_reload" 2> "error.log" +reload_stunnel "040_reload" 2>> "error.log" +test_log_for "040_reload" "success" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/041_exec_connect stunnel4-5.50/tests/recipes/041_exec_connect --- stunnel4-5.44/tests/recipes/041_exec_connect 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/041_exec_connect 2018-10-11 09:19:45.000000000 +0000 
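Review bot: The comment in `change_config` says the reload only changes `accept = 127.0.0.1:${http2}` to `${http1}`, but the second config also renames the sections from `[client_1]` / `[server_1]` to `[client_2]` / `[server_2]`, so the reload replaces both services rather than editing one option. The comment should say what the test now covers, e.g. `# reload: client accept port ${http2} -> ${http1}, and both sections renamed (_1 -> _2)`. It would also read better indented with the function body instead of at column 0. The helpers `myglobal`, `start_stunnel` and `reload_stunnel` are defined outside this hunk.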
@@ -0,0 +1,26 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +start() { + ../../src/stunnel -fd 0 <> "stderr.log" +exit $? diff -Nru stunnel4-5.44/tests/recipes/042_inetd stunnel4-5.50/tests/recipes/042_inetd --- stunnel4-5.44/tests/recipes/042_inetd 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/042_inetd 2018-10-11 09:19:45.000000000 +0000 @@ -0,0 +1,31 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +start() { + ../../src/stunnel -fd 0 <> "stderr.log" +exit $? diff -Nru stunnel4-5.44/tests/recipes/043_session_delay stunnel4-5.50/tests/recipes/043_session_delay --- stunnel4-5.44/tests/recipes/043_session_delay 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/043_session_delay 2018-11-05 07:19:29.000000000 +0000 @@ -0,0 +1,35 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +start() { + ../../src/stunnel -fd 0 <> "stderr.log" + exit $? + else + exit_logs "043_session_delay" "skipped" + exit 125 + fi +exit $? diff -Nru stunnel4-5.44/tests/recipes/044_session_nodelay stunnel4-5.50/tests/recipes/044_session_nodelay --- stunnel4-5.44/tests/recipes/044_session_nodelay 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/044_session_nodelay 2018-11-05 07:19:29.000000000 +0000 @@ -0,0 +1,42 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +start() { + ../../src/stunnel -fd 0 <> "stderr.log" + exit $? + else + exit_logs "044_session_nodelay" "skipped" + exit 125 + fi +exit $? diff -Nru stunnel4-5.44/tests/recipes/045_include stunnel4-5.50/tests/recipes/045_include --- stunnel4-5.44/tests/recipes/045_include 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/045_include 2018-10-11 09:19:45.000000000 +0000 
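Review bot: The skip branch of the new 043_session_delay recipe runs `exit_logs "043_session_delay" "skipped"` and then `exit 125` without `clean_logs`, while this same commit adds `clean_logs` before `exit 125` in the existing recipes (014, 015, 020, 021, 035, 036); 044_session_nodelay and 046_resume_PSK have the same shape. If `clean_logs` (defined in test_library, not visible here) is what removes the per-test files, a skipped run of these recipes leaves them behind for the next recipe. Add `clean_logs` between the two lines, and drop the trailing `exit $?`, which is unreachable because both branches exit. The body of `start()` in these new files is not legible on this page, so only the tail of each recipe is reviewed.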
@@ -0,0 +1,36 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +set_config() { + mkdir -p "${result_path}/conf.d" + echo " + debug = debug + syslog = no + pid = ${result_path}/stunnel.pid + output = ${result_path}/stunnel.log" > "${result_path}/conf.d/00-global.conf" + echo " + [client] + client = yes + accept = 127.0.0.1:${http1} + connect = 127.0.0.1:${https1}" > "${result_path}/conf.d/01-service.conf" + echo " + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem" > "${result_path}/conf.d/02-service.conf" +} + +start() { + set_config + ../../src/stunnel -fd 0 <> "stderr.log" +result=$? +if [ $result -eq 0 ] + then + rm -f -r "${result_path}/conf.d" + fi +exit $result diff -Nru stunnel4-5.44/tests/recipes/046_resume_PSK stunnel4-5.50/tests/recipes/046_resume_PSK --- stunnel4-5.44/tests/recipes/046_resume_PSK 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tests/recipes/046_resume_PSK 2018-11-05 07:19:29.000000000 +0000 @@ -0,0 +1,36 @@ +#!/bin/sh +. $(dirname $0)/../test_library + +start() { + ../../src/stunnel -fd 0 <> "stderr.log" + exit $? + else + exit_logs "046_resume_PSK" "skipped" + exit 125 + fi +exit $? diff -Nru stunnel4-5.44/tests/recipes/110_failure_require_cert stunnel4-5.50/tests/recipes/110_failure_require_cert --- stunnel4-5.44/tests/recipes/110_failure_require_cert 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/110_failure_require_cert 2018-10-11 09:19:45.000000000 +0000 
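Review bot: The cleanup in 045_include runs `rm -f -r "${result_path}/conf.d"` with `result_path` coming from test_library, and if that variable is ever empty the target becomes `/conf.d`. `rm -f -r "${result_path:?}/conf.d"` makes the shell stop with an error instead of deleting outside the test tree. The directory is removed only when `$result` is 0, presumably so that a failed run keeps its generated config; a one-line comment such as `# keep conf.d on failure for inspection` would make that intent explicit.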
@@ -8,21 +8,19 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - ;cert = ${script_path}/certs/client_cert.pem + connect = 127.0.0.1:${https1} + ;cert = ../certs/client_cert.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem requireCert = yes EOT } -check_ports "110_failure_require_cert" -start 2> "error.log" -test_log_for "110_failure_require_cert" "failure" "$1" 2>> "stderr.log" +test_log_for "110_failure_require_cert" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/111_failure_verify_peer stunnel4-5.50/tests/recipes/111_failure_verify_peer --- stunnel4-5.44/tests/recipes/111_failure_verify_peer 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/111_failure_verify_peer 2018-10-11 09:19:45.000000000 +0000 
@@ -8,22 +8,20 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - cert = ${script_path}/certs/stunnel.pem + connect = 127.0.0.1:${https1} + cert = ../certs/stunnel.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem verifyPeer = yes - CAfile = ${script_path}/certs/CACert.pem + CAfile = ../certs/CACert.pem EOT } -check_ports "111_failure_verify_peer" -start 2> "error.log" -test_log_for "111_failure_verify_peer" "failure" "$1" 2>> "stderr.log" +test_log_for "111_failure_verify_peer" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/112_failure_verify_chain stunnel4-5.50/tests/recipes/112_failure_verify_chain --- stunnel4-5.44/tests/recipes/112_failure_verify_chain 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/112_failure_verify_chain 2018-10-11 09:19:45.000000000 +0000 
@@ -8,21 +8,19 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} verifyChain = yes - CAfile = ${script_path}/certs/CACert.pem + CAfile = ../certs/CACert.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/stunnel.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/stunnel.pem EOT } -check_ports "112_failure_verify_chain" -start 2> "error.log" -test_log_for "112_failure_verify_chain" "failure" "$1" 2>> "stderr.log" +test_log_for "112_failure_verify_chain" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/113_failure_CRL_file stunnel4-5.50/tests/recipes/113_failure_CRL_file --- stunnel4-5.44/tests/recipes/113_failure_CRL_file 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/113_failure_CRL_file 2018-10-11 09:19:45.000000000 +0000 
@@ -8,22 +8,20 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} verifyChain = yes - CAfile = ${script_path}/certs/CACert.pem - CRLfile = ${script_path}/certs/CACertCRL.pem + CAfile = ../certs/CACert.pem + CRLfile = ../certs/CACertCRL.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/revoked_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/revoked_cert.pem EOT } -check_ports "113_failure_CRL_file" -start 2> "error.log" -test_log_for "113_failure_CRL_file" "failure" "$1" 2>> "stderr.log" +test_log_for "113_failure_CRL_file" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/114_failure_PSK_secrets stunnel4-5.50/tests/recipes/114_failure_PSK_secrets --- stunnel4-5.44/tests/recipes/114_failure_PSK_secrets 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/114_failure_PSK_secrets 2018-10-11 09:19:45.000000000 +0000 
@@ -7,27 +7,24 @@ syslog = no pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - sslVersion = TLSv1 - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} - PSKsecrets = ${script_path}/certs/psk2.txt + connect = 127.0.0.1:${https1} + PSKsecrets = ../certs/psk2.txt - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} ciphers = PSK - PSKsecrets = ${script_path}/certs/secrets.txt + PSKsecrets = ../certs/secrets.txt EOT } -check_ports "114_failure_PSK_secrets" if grep -q "OpenSSL 1" "results.log" then - start 2> "error.log" - test_log_for "114_failure_PSK_secrets" "failure" "$1" 2>> "stderr.log" + test_log_for "114_failure_PSK_secrets" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? else exit_logs "114_failure_PSK_secrets" "skipped" "error" diff -Nru stunnel4-5.44/tests/recipes/120_failure_no_cert stunnel4-5.50/tests/recipes/120_failure_no_cert --- stunnel4-5.44/tests/recipes/120_failure_no_cert 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/120_failure_no_cert 2018-10-11 09:19:45.000000000 +0000 
@@ -8,21 +8,19 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} - connect = 127.0.0.1:${https} + connect = 127.0.0.1:${https1} - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem ;*** error*** requireCert = yes EOT } -check_ports "120_failure_no_cert" -start 2> "error.log" -test_log_for "120_failure_no_cert" "failure" "$1" 2>> "stderr.log" +test_log_for "120_failure_no_cert" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/recipes/121_failure_wrong_config stunnel4-5.50/tests/recipes/121_failure_wrong_config --- stunnel4-5.44/tests/recipes/121_failure_wrong_config 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/recipes/121_failure_wrong_config 2018-10-11 09:19:45.000000000 +0000 
@@ -8,23 +8,21 @@ pid = ${result_path}/stunnel.pid output = ${result_path}/stunnel.log - [https client] + [client] client = yes accept = 127.0.0.1:${http1} ;*** error*** - ;connect = 127.0.0.1:${https} - cert = ${script_path}/certs/client_cert.pem + ;connect = 127.0.0.1:${https1} + cert = ../certs/client_cert.pem - [https server] - accept = 127.0.0.1:${https} - connect = 127.0.0.1:${http2} - cert = ${script_path}/certs/server_cert.pem + [server] + accept = 127.0.0.1:${https1} + connect = 127.0.0.1:${http_nc} + cert = ../certs/server_cert.pem EOT } -check_ports "121_failure_wrong_config" -start 2> "error.log" -test_log_for "121_failure_wrong_config" "failure" "$1" 2>> "stderr.log" +test_log_for "121_failure_wrong_config" "failure" "0" "$1" "$2" "$3" 2>> "stderr.log" exit $? diff -Nru stunnel4-5.44/tests/test_library stunnel4-5.50/tests/test_library --- stunnel4-5.44/tests/test_library 2017-11-26 21:50:09.000000000 +0000 +++ stunnel4-5.50/tests/test_library 2018-08-09 05:43:52.000000000 +0000 @@ -8,7 +8,7 @@ result_logs() { # $1 = test name # $2 = status: "ok" / "failed" / "configuration failed" / "expected error" - # "skipped" / "ncat (nc) failed" / "shouldn't work" + # "skipped" / "netcat failed" / "shouldn't work" # $3 = file name: "stunnel" / "error" if [ "$2" = "expected error" ] @@ -17,7 +17,7 @@ else printf "%-35s\t%s\n" "test $1" "$2" fi - if [ "$2" != "ok" ] && [ "$2" != "ncat (nc) failed" ] + if [ "$2" != "ok" ] then printf "%-35s\t%s\n" "test $1" "$2" >> "results.log" fi @@ -26,7 +26,11 @@ printf "%-35s\t%s\n" "error logs" "logs/$1.log" cat "$3.log" > "$1.log" else - cat "temp.log" >> "results.log" 2>> "stderr_nc.log" + cat "temp.log" 2>> "stderr_nc.log" | head -n1 >> "results.log" + fi + if [ "$2" = "netcat failed" ] + then + printf "\n%s\n" "Netcat failed" >> "stderr_nc.log" fi return 0 } 
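Review bot: In the third result_logs hunk, `cat "temp.log" 2>> "stderr_nc.log" | head -n1 >> "results.log"` spends a process and a pipe on what head can do itself; `head -n1 "temp.log" >> "results.log" 2>> "stderr_nc.log"` keeps the same redirections and reads more directly. Since the old code copied the whole file, a one-line comment on why only the first line is kept would help (`# only the first line of temp.log is the test message`, if that is the intent). result_logs starts above this hunk.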
@@ -41,112 +45,345 @@ "configuration failed") result_logs "$1" "configuration failed" "error";; "expected error") result_logs "$1" "expected error" "UNUSED PATTERN";; "skipped") result_logs "$1" "skipped" "error";; - "ncat (nc) failed") result_logs "$1" "failed" "stunnel";; + "netcat failed") result_logs "$1" "netcat failed" "stunnel";; "shouldn't work") result_logs "$1" "shouldn't work" "stunnel";; + *) echo "$1 exit_logs error" esac return 0 } clean_logs() { + cat "stderr_nc.log" >> "stderr.log" + rm -f "stderr_nc.log" rm -f "stunnel.log" rm -f "temp.log" rm -f "error.log" - rm -f "stderr_nc.log" rm -f "stunnel.conf" + rm -f "nodata" return 0 } +finding_text() { + # $1 = to find (yes) or not to find (no) + # $2 = pattern + # $3 = file 1 + # $4 = file 2 + + local result=0 + if grep -q "$2" "$3" "$4" + then + if [ $1 = "yes" ] + then # to find + exit_code="ok" + else # not to find + exit_code="failed" + result=1 + fi + else # no matching + if [ $1 = "yes" ] + then # to find + exit_code="failed" + result=1 + fi + fi + return $result +} + +no_file() { + # $1 = file + + local result=0 + if [ -s "$1" ] + then + exit_code="configuration failed" + result=1 + fi + return $result +} + waiting_for() { - # waiting for strings ($2 or $3 or $4) to appear in the file $1.log + # waiting for string $2 to appear in the file $1.log - mkfifo "fifo" + mkfifo "fifo" 2>> "stderr_nc.log" (cat "$1.log"; tail -f "$1.log") > "fifo" 2>> "stderr_nc.log" & pid_tail=$! (sleep 3; echo "TIMEOUT") > "fifo" & pid_timeout=$! 
- grep -q -e "$2" -e "$3" -e "$4" -e "TIMEOUT" "fifo" + grep -q -e "$2" -e "TIMEOUT" "fifo" pid_children=$(ps -o pid,ppid | \ awk -v ppid1="${pid_tail}" -v ppid2="${pid_timeout}" \ '{if ($2==ppid1 || $2==ppid2) print $1}') - kill ${pid_tail} ${pid_timeout} ${pid_children} 2>> "stderr_nc.log" + kill -TERM ${pid_tail} ${pid_timeout} ${pid_children} 2>> "stderr_nc.log" wait ${pid_tail} ${pid_timeout} 2>> "stderr_nc.log" rm -f "fifo" return 0 } -connecting_ncat() { +find_free() { + # finding a free port + # $1 = mynetstat name: "netstat -a -n" / "ss -a -n -l" / "lsof -i -n -P" + + while $mynetstat $opt_net | grep "$http_find" | grep "LISTEN" >> "stderr_nc.log" + do + http_find=$((http_find+1)) + done + return 0 +} + +check_ports() { + # seting the initial ports # $1 = test name - # $2 = string to send - # $3 = netcat name: "ncat" / "nc" result=0 - mkfifo "nodata" - printf "\n%s\n" "test $1" > "stderr_nc.log" - cat "nodata" | "$3" -l -p "$http2" -vvv >"temp.log" 2>> "stderr_nc.log" & - pid_nc=$! 
- waiting_for "stderr_nc" "Listening" "listening" "QUITTING" - if grep -q "istening" "stderr_nc.log" - then # Listening or listening - if [ "$3" = "ncat" ] + printf "\n%s\n" "test $1" >> "stderr_nc.log" + http_find=8080 + find_free + http_nc=$http_find + http_find=4567 + find_free + https_free=$http_find + + http1=$((http_nc+1)) + http2=$((http_nc+2)) + http3=$((http_nc+3)) + https1=4433 + https2=4434 + https3=4435 + return 0 +} + +bind_http_ports(){ + grep "Binding service \[client.*to" "error.log" >> "stderr_nc.log" + grep "Binding service \[client.*failed" "error.log" >> "stderr_nc.log" + while [ -s "error.log" ] && grep -q "Binding service \[client.*failed" "error.log" + do + if [ $http_bind -eq $http1 ] then - printf "%-35s\t%s\n" "test $1" "$2" | "$3" 127.0.0.1 "$http1" -vv 2>> "stderr_nc.log" + http1=$((http1+1)) + http2=$((http2+1)) + http3=$((http3+1)) + elif [ $http_bind -eq $http2 ] + then + http2=$((http2+1)) + http3=$((http3+1)) else - printf "%-35s\t%s\n" "test $1" "$2" | "$3" 127.0.0.1 "$http1" -vv 2>> "stderr_nc.log" & + http3=$((http3+1)) fi - else # ncat (nc) failed + http_bind=$((http_bind+1)) + start 2> "error.log" + grep "Binding service \[client.*to" "error.log" >> "stderr_nc.log" + grep "Binding service \[client.*failed" "error.log" >> "stderr_nc.log" + done + return 0 +} + +bind_https_ports(){ + grep "Binding service \[server.*to" "error.log" >> "stderr_nc.log" + grep "Binding service \[server.*failed" "error.log" >> "stderr_nc.log" + while [ -s "error.log" ] && grep -q "Binding service \[server.*failed" "error.log" + do + if [ $https_bind -eq $https1 ] + then + https1=$((https1+1)) + https2=$((https2+1)) + https3=$((https3+1)) + elif [ $https_bind -eq $https2 ] + then + https2=$((https2+1)) + https3=$((https3+1)) + else + https3=$((https3+1)) + fi + https_bind=$((https_bind+1)) + start 2> "error.log" + grep "Binding service \[server.*to" "error.log" >> "stderr_nc.log" + grep "Binding service \[server.*failed" "error.log" >> "stderr_nc.log" 
+ done + return 0 +} + +start_stunnel() { + # running stunnel until to bind free ports + # $1 = test name + + start 2> "error.log" + http_bind=$http1 + bind_http_ports + http_bind=$http2 + bind_http_ports + http_bind=$http3 + bind_http_ports + + https_bind=$https1 + bind_https_ports + https_bind=$https2 + bind_https_ports + https_bind=$https3 + bind_https_ports + + printf "\n%s %s %s %s %s %s %s\n" "test $1 ports: $http_nc $http1 $http2 $http3 $https1 $https2 $https3 $https_free" >> "stderr_nc.log" + return 0 +} + +killing_stunnel() { + + local result=0 + if kill -TERM $(tail "stunnel.pid") 2>> "stderr_nc.log" + then + waiting_for "stunnel" "Removed pid file" + else + exit_code="failed" result=1 fi - if [ "$3" = ncat ] + return $result +} + +reload_stunnel() { + # $1 = test name + + local result=0 + printf "\n%s\n" "test $1 - reload stunnel" >> "stderr_nc.log" + if [ ! -s "error.log" ] then - waiting_for "stderr_nc" "Closing" "Connection reset by peer" "UNUSED PATTERN" + change_config + waiting_for "stunnel" "stunnel.pid" + kill -HUP $(tail "stunnel.pid") 2>> "stderr_nc.log" + waiting_for "stunnel" "127.0.0.1:$http1" + grep "Binding service \[client.*$http1" "stunnel.log" >> "stderr_nc.log" + grep "Binding service \[client.*failed" "stunnel.log" >> "stderr_nc.log" + while ! 
grep -q "Service \[client.*bound to.*$http1" "stunnel.log" + do + http1=$((http1+1)) + change_config + kill -HUP $(tail "stunnel.pid") 2>> "stderr_nc.log" + waiting_for "stunnel" "127.0.0.1:$http1" + grep "Binding service \[client.*$http1" "stunnel.log" >> "stderr_nc.log" + done + printf "\n%s\n" "test $1 - accept port: $http1" >> "stderr_nc.log" else - waiting_for "stderr_nc" "accepted" "from localhost" "Connection reset by peer" - fi - kill -TERM ${pid_nc} 2>> "stderr_nc.log" - cat "stderr_nc.log" >> "stderr.log" - echo "somedata" > "nodata" - rm -f "nodata" + printf "\n%s" "$1 error: failed to reload the configuration file" >> "error.log" + result=1 + fi return $result } -killing_stunnel() { - waiting_for "$1" "Service .* finished" "Sent socket write shutdown" "UNUSED PATTERN" - kill -TERM $(tail "stunnel.pid") 2>> "stderr.log" - waiting_for "stunnel" "removing pid file" "UNUSED PATTERN" "UNUSED PATTERN" - return 0 +check_listening() { + # waiting for netcat listening on port + # $1 = port number + + result=0 + while [ $result -eq 0 ] && ! 
$mynetstat $opt_net | grep "$1" | grep "LISTEN" >> "stderr_nc.log" + do + printf "\n%s\n" "waiting for netcat listening on $1" >> "stderr_nc.log" + if grep -q -e "failed:" -e "usage" -e "QUITTING" -e "invalid" -e "command not found" "stderr_nc.log" + then + result=1 + fi + done + return $result } -reload_stunnel() { - waiting_for "stunnel" "stunnel.pid" "UNUSED PATTERN" "UNUSED PATTERN" - kill -HUP $(tail "stunnel.pid") 2>> "stderr.log" - waiting_for "stunnel" "127.0.0.1:${http1}" "UNUSED PATTERN" "UNUSED PATTERN" +connecting_ncat() { + # $1 = test name + # $2 = string to send + + local result=0 + mkfifo "nodata" 2>> "stderr_nc.log" + printf "\n%s\n" "test $1 - netcat connection" >> "stderr_nc.log" + if [ "$mynetcat" = "nc" ] + then # nc + if man "$mynetcat" | grep -q "error to use this option in conjunction" + then # BSD nc + cat "nodata" | $mybuffer $opt_buf $mynetcat -l "$http_nc" -vvv > "temp.log" 2>> "stderr_nc.log" & + else # traditional nc + cat "nodata" | $mybuffer $opt_buf $mynetcat -l -p "$http_nc" -vvv > "temp.log" 2>> "stderr_nc.log" & + fi + pid_nc=$! + if check_listening "$http_nc" + then + printf "%-35s\t%s\n" "test $1" "$2" | $mynetcat 127.0.0.1 "$http1" -vv 1>&2 2>> "stderr_nc.log" & + pid_nce=$! + if [ "$2" = "shouldn't work" ] + then + waiting_for "stunnel" "Service .* finished" + else + waiting_for "temp" "test $1" + fi + else # nc failed + exit_code="netcat failed" + result=1 + fi + else # ncat + cat "nodata" | $mybuffer $opt_buf $mynetcat -l -p $http_nc -vvv > temp.log 2>> stderr_nc.log & + pid_nc=$! + if check_listening "$http_nc" + then + if ncat --version 2>&1 | grep -q -e 'Version [0-5]\.' -e 'Version [6]\.[0-1]' -e 'Version [6]\.[2][0-4]' + then # ncat version < 6.25 + printf "%-35s\t%s\n" "test $1" "$2" | "$mynetcat" 127.0.0.1 "$http1" -vv 1>&2 2>> "stderr_nc.log" & + else # ncat version >= 6.25 + printf "%-35s\t%s\n" "test $1" "$2" | "$mynetcat" 127.0.0.1 "$http1" -vv 1>&2 2>> "stderr_nc.log" + fi + pid_nce=$! 
+ if [ "$2" = "shouldn't work" ] + then + waiting_for "stunnel" "Service .* finished" + else + waiting_for "temp" "test $1" + fi + else # ncat failed + exit_code="netcat failed" + result=1 + fi + fi + kill -TERM ${pid_nc} ${pid_nce} 2>> "stderr_nc.log" + echo "somedata" > "nodata" 2>> "stderr_nc.log" + rm -f "nodata" + return $result +} + +sending_ncat() { + # starting netcat for execute tests + # $1 = test name + + mkfifo "nodata" 2>> "stderr_nc.log" + cat "nodata" | $mybuffer $opt_buf $mynetcat 127.0.0.1 "$http1" -vv >"temp.log" 2>> "stderr_nc.log" & + pid_nce=$(pgrep -P $!) + waiting_for "temp" "test $1" + kill -TERM ${pid_nce} 2>> "stderr_nc.log" + echo "somedata" > "nodata" 2>> "stderr_nc.log" + rm -f "nodata" return 0 } expected_success() { - # expects to send the s using stunnel + # expects to send the message using stunnel # $1 = test name - # $2 = netcat name: "ncat" / "nc" - result=0 - if [ ! -s "error.log" ] + local result=0 + if [ "$1" != "040_reload" ] then - if connecting_ncat "$1" "success" "$2" + check_ports "$1" + start_stunnel "$1" + fi + if no_file "error.log" + then + if connecting_ncat "$1" "success" then - if grep -q "test $1.*success" "temp.log" - then - exit_code="ok" - else # test failed - exit_code="failed" - result=1 - fi + finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN" + result=$? else # ncat (nc) failed - exit_code="ncat (nc) failed" result=1 fi - killing_stunnel stunnel + if ! killing_stunnel + then + result=1 + fi else # configuration failed - exit_code="configuration failed" + result=1 + fi + if ! finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then result=1 fi exit_logs "$1" "$exit_code" 
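Review bot: check_listening polls with no delay and no upper bound: the loop ends only when `$mynetstat $opt_net | grep "$1" | grep "LISTEN"` matches or one of the error strings appears in stderr_nc.log, so a netcat that exits quietly leaves the suite spinning and appending "waiting for netcat listening" lines indefinitely. The port is also matched as a bare substring, so 8080 is satisfied by a listener on 18080 (find_free has the same `grep "$http_find"`). loop_session in the last test_library hunk has a similar unbounded `while [ $i -lt $max ]` poll. A bounded retry with a sleep and an anchored port match could look like the following, assuming the tools print the local address as `:port` or `.port` followed by whitespace.

```shell
check_listening() {
    # … unchanged: header comment …
    result=0
    tries=0
    while [ $result -eq 0 ] && ! $mynetstat $opt_net | grep "[:.]$1[[:space:]]" | grep "LISTEN" >> "stderr_nc.log"
    do
        # … unchanged: "waiting for netcat" log line and error-string check …
        tries=$((tries+1))
        if [ $tries -ge 10 ]
        then # netcat never came up: stop polling
            result=1
        fi
        sleep 1
    done
    return $result
}
```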
@@ -155,14 +392,15 @@ expected_failure() { # $1 = test name - # $2 = netcat name: "ncat" / "nc" - result=0 - if [ ! -s "error.log" ] + local result=0 + check_ports "$1" + start_stunnel "$1" + if no_file "error.log" then - if connecting_ncat "$1" "shouldn't work" "$2" + if connecting_ncat "$1" "shouldn't work" then - if grep -q "test $1.*shouldn't work" "temp.log" + if ! finding_text "no" "test $1.*shouldn't work" "temp.log" "UNUSED PATTERN" then # ops...stunnel works exit_code="shouldn't work" result=1 
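Review bot: `finding_text "no" "test $1.*shouldn't work" "temp.log" "UNUSED PATTERN"` hands the placeholder to finding_text as its second file, and finding_text passes it straight to `grep -q "$2" "$3" "$4"`, so grep is asked to open a file literally named UNUSED PATTERN. That should put a "No such file" message on stderr for each call, and it makes grep's error status indistinguishable from a plain no-match, which in "no" mode counts as a pass. Passing `/dev/null` as the fourth argument keeps the two-file call shape without the error: `finding_text "no" "test $1.*shouldn't work" "temp.log" "/dev/null"`. The same placeholder is used by the expected_success, execute_program, execute_connect, loop_prio, loop_rr and loop_session calls in the neighbouring hunks. expected_failure continues past the end of this hunk.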
@@ -170,117 +408,158 @@ exit_code="expected error" fi else # ncat (nc) failed - exit_code="ncat (nc) failed" result=1 fi - killing_stunnel stunnel + if ! killing_stunnel + then + result=1 + fi else # configuration failed, but it is ok exit_code="expected error" fi + if ! finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then + result=1 + fi exit_logs "$1" "$exit_code" return $result } execute_program() { # $1 = test name - # $2 = netcat name: "ncat" / "nc" - result=0 - mkfifo "nodata" - if [ ! -s "error.log" ] + local result=0 + check_ports "$1" + start_stunnel "$1" + if no_file "error.log" then - cat "nodata" | "$2" 127.0.0.1 "$http1" -vv > "temp.log" 2>>"stderr.log" & - pid_nce=$! - killing_stunnel stunnel - kill -TERM ${pid_nce} 2>> "stderr.log" - echo "somedata" > "nodata" 2>> "stderr.log" - rm -f "nodata" - if grep -q "test $1.*success" "temp.log" + sending_ncat "$1" + if ! killing_stunnel then - if grep -q "$1_error" "temp.log" - then # only for redirect tests - exit_code="failed" - result=1 + result=1 + fi + if [ $result -eq 0 ] + then + if finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN" + then + finding_text "no" "$1_error" "temp.log" "UNUSED PATTERN" + result=$? else - exit_code="ok" - fi - else # test failed - exit_code="failed" + result=1 + fi + fi + else # configuration failed + result=1 + fi + if ! 
finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then + result=1 + fi + exit_logs "$1" "$exit_code" + return $result +} + +execute_connect() { + # $1 = test name + + local result=0 + check_ports "$1" + start_stunnel "$1" + if [ "$1" = "042_inetd" ] + then # inetd test + mkfifo "nodata" 2>> "stderr_nc.log" + cat "nodata" | start_inetd > "temp.log" 2>> "error.log" & + fi + if no_file "error.log" + then + waiting_for "stunnel" "Service .* finished" + if [ $1 = "042_inetd" ] + then # inetd test + waiting_for "stunnel_0" "Service .* finished" + echo "somedata" > "nodata" 2>> "stderr_nc.log" + rm -f "nodata" + fi + finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN" + result=$? + if [ "$1" = "042_inetd" ] + then # inetd test + printf "%s\n" "*** inetd mode ***" >> "stunnel.log" + cat "stunnel_0.log" >> "stunnel.log" + fi + if ! killing_stunnel + then result=1 fi else # configuration failed - exit_code="configuration failed" result=1 fi + if ! finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then + result=1 + fi + rm -f "stunnel_0.log" exit_logs "$1" "$exit_code" return $result } loop_prio() { # $1 = test name - # $2 = netcat name: "ncat" / "nc" - result=0 - i=1 - max=12 - start $i 2> "error.log" - if [ ! 
-s "error.log" ] + local result=0 + local i=1 + local max=12 + if [ $1 = "037_failover_prio1" ] then - waiting_for "stunnel" "Created pid file" "UNUSED PATTERN" "UNUSED PATTERN" + local serv="server_2\] accepted connection" + else + local serv="server_1\] accepted connection" + fi + check_ports "$1" + start_stunnel "$1" + if no_file "error.log" + then + waiting_for "stunnel" "Created pid file" mv "stunnel.log" "stunnel_0.log" - kill -USR1 $(tail "stunnel.pid") 2>> "stderr.log" + kill -USR1 $(tail "stunnel.pid") 2>> "stderr_nc.log" while [ $i -le $max ] && [ $result -eq 0 ] do - if connecting_ncat "$1" "success" "$2" + if connecting_ncat "$1" "success" then - waiting_for "stunnel" "Service .* finished" "Sent socket write shutdown" "UNUSED PATTERN" - if grep -q "test $1.*success" "temp.log" - then - if [ $1 = "037_failover_prio1" ] - then - serv="server_2\] accepted connection" - else - serv="server_1\] accepted connection" - fi - if ! grep -q "$serv" "stunnel.log" - then # second server doesn't accept any client - if [ $i -eq $max ] - then # last successed turn of the loop - exit_code="ok" - fi - else # error - second server accepts a client - exit_code="failed" - result=1 - fi - else # stunnel doesn't work - exit_code="failed" - result=1 + finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN" + result=$? + if [ $result -eq 0 ] && ! 
finding_text "no" "$serv" "stunnel.log" "UNUSED PATTERN" + then # error - second server accepts a client + result=1 fi else # ncat (nc) failed - exit_code="ncat (nc) failed" result=1 fi - waiting_for "stunnel" "Service .* finished" "Sent socket write shutdown" "UNUSED PATTERN" mv "stunnel.log" "stunnel_$i.log" - kill -USR1 $(tail "stunnel.pid") 2>> "stderr.log" + kill -USR1 $(tail "stunnel.pid") 2>> "stderr_nc.log" i=$((i + 1)) done cat "stunnel_0.log" > "stunnel_all.log" rm -f "stunnel_0.log" - j=1 + local j=1 while [ $j -lt $i ] do - printf "%s\n" "connection $j" >> "stunnel_all.log" + printf "%s\n" "*** connection $j ***" >> "stunnel_all.log" cat "stunnel_$j.log" >> "stunnel_all.log" rm -f "stunnel_$j.log" j=$((j + 1)) done - killing_stunnel stunnel_all + if ! killing_stunnel + then + result=1 + fi cat "stunnel.log" >> "stunnel_all.log" cat "stunnel_all.log" > "stunnel.log" rm -f "stunnel_all.log" else # configuration failed - exit_code="configuration failed" + result=1 + fi + if ! finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then result=1 fi exit_logs "$1" "$exit_code" 
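Review bot: In execute_connect the 042_inetd setup starts `cat "nodata" | start_inetd ... &` before `no_file "error.log"` is checked, but the fifo is written to and removed only inside the success branch. On the `else # configuration failed` path nothing opens the fifo for writing, so the background cat would stay blocked after the test returns; clean_logs only unlinks the name. I would add the same `echo "somedata" > "nodata" 2>> "stderr_nc.log"` and `rm -f "nodata"` pair to the else branch under a `[ "$1" = "042_inetd" ]` test. The second test in this function is written unquoted as `[ $1 = "042_inetd" ]` and should match the quoted form used elsewhere in it.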
@@ -289,37 +568,31 @@ loop_rr() { # $1 = test name - # $2 = netcat name: "ncat" / "nc" - result=0 - i=1 - max=3 - first=0 - second=0 - third=0 - start $i 2> "error.log" - if [ ! -s "error.log" ] + local result=0 + local i=1 + local max=3 + local first=0 + local second=0 + local third=0 + check_ports "$1" + start_stunnel "$1" + if no_file "error.log" then - waiting_for "stunnel" "Created pid file" "UNUSED PATTERN" "UNUSED PATTERN" + waiting_for "stunnel" "Created pid file" mv "stunnel.log" "stunnel_0.log" - kill -USR1 $(tail "stunnel.pid") 2>> "stderr.log" + kill -USR1 $(tail "stunnel.pid") 2>> "stderr_nc.log" while [ $i -le $max ] && [ $result -eq 0 ] do - if connecting_ncat "$1" "success" "$2" + if connecting_ncat "$1" "success" then - waiting_for "stunnel" "Service .* finished" "Sent socket write shutdown" "UNUSED PATTERN" - if ! grep -q "test $1.*success" "temp.log" - then # stunnel doesn't work - exit_code="failed" - result=1 - fi + finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN" + result=$? else # ncat (nc) failed - exit_code="ncat (nc) failed" result=1 fi - waiting_for "stunnel" "Service .* finished" "Sent socket write shutdown" "UNUSED PATTERN" mv "stunnel.log" "stunnel_$i.log" - kill -USR1 $(tail "stunnel.pid") 2>> "stderr.log" + kill -USR1 $(tail "stunnel.pid") 2>> "stderr_nc.log" i=$((i + 1)) done cat "stunnel_0.log" > "stunnel_all.log" 
@@ -327,83 +600,124 @@ j=1 while [ $j -lt $i ] do - printf "%s\n" "connection $j" >> "stunnel_all.log" + printf "%s\n" "*** connection $j ***" >> "stunnel_all.log" cat "stunnel_$j.log" >> "stunnel_all.log" rm -f "stunnel_$j.log" j=$((j + 1)) done - killing_stunnel stunnel_all + if ! killing_stunnel + then + result=1 + fi cat "stunnel.log" >> "stunnel_all.log" cat "stunnel_all.log" > "stunnel.log" rm -f "stunnel_all.log" - first=$(grep -c "server_1\] accepted connection" "stunnel.log") - second=$(grep -c "server_2\] accepted connection" "stunnel.log") - third=$(grep -c "server_3\] accepted connection" "stunnel.log") + if [ $result -eq 0 ] + then + first=$(grep -c "server_1\] accepted connection" "stunnel.log") + second=$(grep -c "server_2\] accepted connection" "stunnel.log") + third=$(grep -c "server_3\] accepted connection" "stunnel.log") + product=$((first * second * third)) + if [ $product -ne 0 ] + then # round robin + printf "%-35s\t%s\n" "test $1: $first x $second x $third" "success" > "temp.log" + else + printf "%-35s\t%s\n" "test $1: $first x $second x $third" "failed" > "temp.log" + exit_code="failed" + result=1 + fi + fi else # configuration failed - exit_code="configuration failed" result=1 fi - if [ $result -eq 0 ] - then - product=$((first * second * third)) - if [ $product -ne 0 ] - then # round robin - printf "%-35s\t%s\n" "test $1: $first x $second x $third" "success" > "temp.log" - exit_code="ok" - else - printf "%-35s\t%s\n" "test $1: $first x $second x $third" "failed" > "temp.log" - exit_code="failed" - result=1 - fi - fi + if ! 
finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then + result=1 + fi exit_logs "$1" "$exit_code" return $result } -test_log_for() { +loop_session() { # $1 = test name - # $2 = function name - # $3 = netcat name: "ncat" / "nc" + # $2 = number of connections - case "$2" in - "success") expected_success "$1" "$3";; - "failure") expected_failure "$1" "$3";; - "execute") execute_program "$1" "$3";; - "prio") loop_prio "$1" "$3";; - "rr") loop_rr "$1" "$3";; - esac - result=$? - clean_logs + local result=0 + local i=0 + local j=0 + local max=$((2*$2)) + check_ports "$1" + start_stunnel "$1" + if no_file "error.log" + then + waiting_for "stunnel" "Created pid file" + while [ $i -lt $max ] + do + i=$(grep -c "Retrying an exec+connect section" "stunnel.log") + done + if ! killing_stunnel stunnel + then + result=1 + fi + finding_text "yes" "test $1.*success" "temp.log" "UNUSED PATTERN" + result=$? + j=$(grep -c "accepted: new session negotiated" "stunnel.log") + if [ $result -eq 0 ] && [ $j -ne $2 ] + then + exit_code="failed" + result=1 + fi + else # configuration failed + result=1 + fi + if ! 
finding_text "no" "INTERNAL ERROR" "stunnel.log" "error.log" + then + result=1 + fi + exit_logs "$1" "$exit_code" return $result } -set_port() { - port=$((port+1)) - while netstat -an 2>> "stderr.log" | grep $port | grep -q LISTEN - do - port=$((port+1)) - done +myglobal() { + # $1 = mynetcat name: "ncat" / "nc" + # $2 = mynetstat name: "netstat" / "ss" / "lsof" + # $3 = mybuffer name: "stdbuf" / "unbuffer" / "" + + mynetcat="$1" + mynetstat="$2" + mybuffer="$3" + + case "$mynetstat" in + "netstat") opt_net="-a -n";; + "ss" ) opt_net="-a -n -l";; + "lsof" ) opt_net="-i -n -P";; + esac + + case "$mybuffer" in + "stdbuf") opt_buf="-o0";; + esac return 0 } -check_ports() { - port=8079 - set_port $port - http1=$port - set_port $port - http2=$port - set_port $port - http3=$port - - port=4432 - set_port $port - https=$port - set_port $port - https2=$port - set_port $port - https3=$port +test_log_for() { + # $1 = test name + # $2 = function name + # $3 = number of connections for loop_session + # $4 = mynetcat name: "ncat" / "nc" + # $5 = mynetstat name: "netstat" / "ss" / "lsof" + # $6 = mybuffer name: "stdbuf" / "unbuffer" / "" - printf "\n%s\n" "test $1" >> "stderr.log" - printf "%s\n" "ports: $http1 $http2 $http3 $https $https2 $https3" >> "stderr.log" - return 0 + myglobal "$4" "$5" "$6" + case "$2" in + "success") expected_success "$1";; + "failure") expected_failure "$1";; + "execute") execute_program "$1";; + "exe_con") execute_connect "$1";; + "prio") loop_prio "$1";; + "rr") loop_rr "$1";; + "session") loop_session "$1" "$3";; + esac + result=$? + clean_logs + return $result } diff -Nru stunnel4-5.44/TODO stunnel4-5.50/TODO --- stunnel4-5.44/TODO 2017-01-16 20:10:16.000000000 +0000 +++ stunnel4-5.50/TODO 2018-06-08 17:30:06.000000000 +0000 
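Review bot: In loop_session a failed shutdown is lost: `if ! killing_stunnel stunnel` sets result=1, and the next statements, `finding_text "yes" "test $1.*success" ...` followed by `result=$?`, overwrite both result and exit_code, so a run whose stunnel could not be stopped can still report ok. execute_connect in the previous hunk does the text check first and the kill afterwards; doing the same here, or wrapping the check in `if [ $result -eq 0 ]`, keeps the failure. killing_stunnel takes no arguments in this version, so the `stunnel` argument can be dropped.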
@@ -3,25 +3,18 @@ High priority features. They will likely be supported some day. A sponsor could allocate my time to get them faster. +* Extend session tickets and/or sessiond to also serialize application + data ("redirect" state and session persistence). * Add client certificate autoselection based on the list of accepted issuers: SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list(). * Add an Apparmor profile. * Optional line-buffering of the log file. * Log rotation on Windows. * Configuration file option to limit the number of concurrent connections. -* Implement reference counting of the SERVICE_OPTIONS structure - - Add 'leastconn' failover strategy to order defined 'connect' targets - by the number of active connections. - - Add '-status' command line option reporting the number of clients - connected to each service. - - Deallocate SERVICE_OPTIONS structure when the configuration file - is reloaded *and* old connections are closed. * Command-line server control interface on both Unix and Windows. * Separate GUI process running as the current user on Windows. * An Android GUI. * OCSP stapling (tlsext_status). -* Extend session tickets and/or sessiond to also serialize application - data ("redirect" state and session persistence). * Indirect CRL support (RFC 3280, section 5). * Provide 64-bit Windows builds (besides 32-bit builds). This requires either Microsoft Visual Studio Standard Edition or Microsoft 
@@ -38,6 +31,10 @@ * Logging to NT EventLog on Windows. * Internationalization of logged messages (i18n). * Generic scripting engine instead or static protocol.c. +* Add 'leastconn' failover strategy to order defined 'connect' targets + by the number of active connections. +* Add '-status' command line option reporting the number of clients + connected to each service. Features I won't support, unless convinced otherwise by a wealthy sponsor. * Support for adding X-Forwarded-For to HTTP request headers. diff -Nru stunnel4-5.44/tools/ca-certs.pem stunnel4-5.50/tools/ca-certs.pem --- stunnel4-5.44/tools/ca-certs.pem 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/ca-certs.pem 2018-07-02 21:30:10.000000000 +0000 
@@ -0,0 +1,3311 @@ +## +## Bundle of CA Root Certificates +## +## Certificate data from Mozilla as of: Sat Jun 23 03:45:55 2018 +## Conversion done with mk-ca-bundle.pl version 1.25. +## SHA1: 0df975deabcd0cd443b08e597700eafcbebeeb26 +## +## This is a bundle of X.509 certificates of public Certificate Authorities +## (CA). These were automatically extracted from Mozilla's root certificates +## file (certdata.txt), which can be found in the Mozilla source tree: +## http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt +## +## This bundle is *only* supposed to be used with the "checkHost" option. +## Otherwise, stunnel will accept any certificate signed by a trusted CA. +## + + +GlobalSign Root CA +================== +-----BEGIN CERTIFICATE----- +MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx +GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds +b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV +BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD +VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa +DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc +THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb +Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP +c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX +gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF +AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj +Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG +j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH +hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC 
+X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== +-----END CERTIFICATE----- + +GlobalSign Root CA - R2 +======================= +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4GA1UECxMXR2xv +YmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2Jh +bFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxT +aWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2ln +bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6 +ErPLv4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8eoLrvozp +s6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklqtTleiDTsvHgMCJiEbKjN +S7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzdC9XZzPnqJworc5HGnRusyMvo4KD0L5CL +TfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pazq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6C +ygPCm48CAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQUm+IHV2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9i +YWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG3lm0mi3f3BmGLjAN +BgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4GsJ0/WwbgcQ3izDJr86iw8bmEbTUsp +9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu +01yiPqFbQfXf5WRDLenVOavSot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG7 +9G+dwfCMNYxdAfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +-----END CERTIFICATE----- + +Verisign Class 3 Public Primary Certification Authority - G3 +============================================================ +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV +UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv +cmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl +IG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNh 
+dGlvbiBBdXRob3JpdHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy +dXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhv +cml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkg +Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMu6nFL8eB8aHm8bN3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1 +EUGO+i2tKmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGukxUc +cLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBmCC+Vk7+qRy+oRpfw +EuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJXwzw3sJ2zq/3avL6QaaiMxTJ5Xpj +055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWuimi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA +ERSWwauSCPc/L8my/uRan2Te2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5f +j267Cz3qWhMeDGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC +/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565pF4ErWjfJXir0 +xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGtTxzhT5yvDwyd93gN2PQ1VoDa +t20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ== +-----END CERTIFICATE----- + +Entrust.net Premium 2048 Secure Server CA +========================================= +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5u +ZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAuIGJ5IHJlZi4gKGxp +bWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNV +BAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQx +NzUwNTFaFw0yOTA3MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3 +d3d3LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTEl +MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5u +ZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEArU1LqRKGsuqjIAcVFmQqK0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOL 
+Gp18EzoOH1u3Hs/lJBQesYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSr +hRSGlVuXMlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVTXTzW +nLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/HoZdenoVve8AjhUi +VBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH4QIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJ +KoZIhvcNAQEFBQADggEBADubj1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPy +T/4xmf3IDExoU8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf +zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5bu/8j72gZyxKT +J1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+bYQLCIt+jerXmCHG8+c8eS9e +nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE= +-----END CERTIFICATE----- + +Baltimore CyberTrust Root +========================= +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJRTESMBAGA1UE +ChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3li +ZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoXDTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMC +SUUxEjAQBgNVBAoTCUJhbHRpbW9yZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFs +dGltb3JlIEN5YmVyVHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKME +uyKrmD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjrIZ3AQSsB +UnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeKmpYcqWe4PwzV9/lSEy/C +G9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSuXmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9 +XbIGevOF6uvUA65ehD5f/xXtabz5OTZydc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjpr +l3RjM71oGDHweI12v/yejl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoI +VDaGezq1BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB +BQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT929hkTI7gQCvlYpNRh +cL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3WgxjkzSswF07r51XgdIGn9w/xZchMB5 +hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsa 
+Y71k5h+3zvDyny67G7fyUIhzksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9H +RCwBXbsdtTLSR9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp +-----END CERTIFICATE----- + +AddTrust External Root +====================== +-----BEGIN CERTIFICATE----- +MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEUMBIGA1UEChML +QWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYD +VQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEw +NDgzOFowbzELMAkGA1UEBhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRU +cnVzdCBFeHRlcm5hbCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0Eg +Um9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvtH7xsD821 ++iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9uMq/NzgtHj6RQa1wVsfw +Tz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzXmk6vBbOmcZSccbNQYArHE504B4YCqOmo +aSYYkKtMsE8jqzpPhNjfzp/haW+710LXa0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy +2xSoRcRdKn23tNbE7qzNE0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv7 +7+ldU9U0WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYDVR0P +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0Jvf6xCZU7wO94CTL +VBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRk +VHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENB +IFJvb3SCAQEwDQYJKoZIhvcNAQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZl +j7DYd7usQWxHYINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 +6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvCNr4TDea9Y355 +e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEXc4g/VhsxOBi0cQ+azcgOno4u +G+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5amnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= +-----END CERTIFICATE----- + +Entrust Root Certification Authority +==================================== +-----BEGIN CERTIFICATE----- +MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNV 
+BAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jw +b3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsG +A1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0 +MloXDTI2MTEyNzIwNTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu +MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZlcmVu +Y2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1c3QgUm9v +dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALaVtkNC+sZtKm9I35RMOVcF7sN5EUFoNu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYsz +A9u3g3s+IIRe7bJWKKf44LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOww +Cj0Yzfv9KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGIrb68 +j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi94DkZfs0Nw4pgHBN +rziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOBsDCBrTAOBgNVHQ8BAf8EBAMCAQYw +DwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAigA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1 +MzQyWjAfBgNVHSMEGDAWgBRokORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DH +hmak8fdLQ/uEvW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA +A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9tO1KzKtvn1ISM +Y/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6ZuaAGAT/3B+XxFNSRuzFVJ7yVTa +v52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTS +W3iDVuycNsMm4hH2Z0kdkquM++v/eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0 +tHuu2guQOHXvgR1m0vdXcDazv/wor3ElhVsT/h5/WrQ8 +-----END CERTIFICATE----- + +GeoTrust Global CA +================== +-----BEGIN CERTIFICATE----- +MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQK +Ew1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMDIwNTIxMDQw +MDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5j +LjEbMBkGA1UEAxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB 
+CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjo +BbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet +8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+Vc +T4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagU +vTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVk +DBF9qn1luMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57Q +zxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWVYrmm3ok9Nns4 +d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcFPseKUgzbFbS9bZvlxrFUaKnjaZC2 +mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6p +XE0zX5IJL4hmXXeXxx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm +Mw== +-----END CERTIFICATE----- + +GeoTrust Universal CA +===================== +-----BEGIN CERTIFICATE----- +MIIFaDCCA1CgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN +R2VvVHJ1c3QgSW5jLjEeMBwGA1UEAxMVR2VvVHJ1c3QgVW5pdmVyc2FsIENBMB4XDTA0MDMwNDA1 +MDAwMFoXDTI5MDMwNDA1MDAwMFowRTELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IElu +Yy4xHjAcBgNVBAMTFUdlb1RydXN0IFVuaXZlcnNhbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAKYVVaCjxuAfjJ0hUNfBvitbtaSeodlyWL0AG0y/YckUHUWCq8YdgNY96xCcOq9t +JPi8cQGeBvV8Xx7BDlXKg5pZMK4ZyzBIle0iN430SppyZj6tlcDgFgDgEB8rMQ7XlFTTQjOgNB0e +RXbdT8oYN+yFFXoZCPzVx5zw8qkuEKmS5j1YPakWaDwvdSEYfyh3peFhF7em6fgemdtzbvQKoiFs +7tqqhZJmr/Z6a4LauiIINQ/PQvE1+mrufislzDoR5G2vc7J2Ha3QsnhnGqQ5HFELZ1aD/ThdDc7d +8Lsrlh/eezJS/R27tQahsiFepdaVaH/wmZ7cRQg+59IJDTWU3YBOU5fXtQlEIGQWFwMCTFMNaN7V +qnJNk22CDtucvc+081xdVHppCZbW2xHBjXWotM85yM48vCR85mLK4b19p71XZQvk/iXttmkQ3Cga +Rr0BHdCXteGYO8A3ZNY9lO4L4fUorgtWv3GLIylBjobFS1J72HGrH4oVpjuDWtdYAVHGTEHZf9hB +Z3KiKN9gg6meyHv8U3NyWfWTehd2Ds735VzZC1U0oqpbtWpU5xPKV+yXbfReBi9Fi1jUIxaS5BZu +KGNZMN9QAZxjiRqf2xeUgnA3wySemkfWWspOqGmJch+RbNt+nhutxx9z3SxPGWX9f5NAEC7S8O08 
+ni4oPmkmM8V7AgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNq7LqqwDLiIJlF0 +XG0D08DYj3rWMB8GA1UdIwQYMBaAFNq7LqqwDLiIJlF0XG0D08DYj3rWMA4GA1UdDwEB/wQEAwIB +hjANBgkqhkiG9w0BAQUFAAOCAgEAMXjmx7XfuJRAyXHEqDXsRh3ChfMoWIawC/yOsjmPRFWrZIRc +aanQmjg8+uUfNeVE44B5lGiku8SfPeE0zTBGi1QrlaXv9z+ZhP015s8xxtxqv6fXIwjhmF7DWgh2 +qaavdy+3YL1ERmrvl/9zlcGO6JP7/TG37FcREUWbMPEaiDnBTzynANXH/KttgCJwpQzgXQQpAvvL +oJHRfNbDflDVnVi+QTjruXU8FdmbyUqDWcDaU/0zuzYYm4UPFd3uLax2k7nZAY1IEKj79TiG8dsK +xr2EoyNB3tZ3b4XUhRxQ4K5RirqNPnbiucon8l+f725ZDQbYKxek0nxru18UGkiPGkzns0ccjkxF +KyDuSN/n3QmOGKjaQI2SJhFTYXNd673nxE0pN2HrrDktZy4W1vUAg4WhzH92xH3kt0tm7wNFYGm2 +DFKWkoRepqO1pD4r2czYG0eq8kTaT/kD6PAUyz/zg97QwVTjt+gKN02LIFkDMBmhLMi9ER/frslK +xfMnZmaGrGiR/9nmUxwPi1xpZQomyB40w11Re9epnAahNt3ViZS82eQtDF4JbAiXfKM9fJP/P6EU +p8+1Xevb2xzEdt+Iub1FBZUbrvxGakyvSOPOrg/SfuvmbJxPgWp6ZKy7PtXny3YuxadIwVyQD8vI +P/rmMuGNG2+k5o7Y+SlIis5z/iw= +-----END CERTIFICATE----- + +GeoTrust Universal CA 2 +======================= +-----BEGIN CERTIFICATE----- +MIIFbDCCA1SgAwIBAgIBATANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMN +R2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVyc2FsIENBIDIwHhcNMDQwMzA0 +MDUwMDAwWhcNMjkwMzA0MDUwMDAwWjBHMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3Qg +SW5jLjEgMB4GA1UEAxMXR2VvVHJ1c3QgVW5pdmVyc2FsIENBIDIwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQCzVFLByT7y2dyxUxpZKeexw0Uo5dfR7cXFS6GqdHtXr0om/Nj1XqduGdt0 +DE81WzILAePb63p3NeqqWuDW6KFXlPCQo3RWlEQwAx5cTiuFJnSCegx2oG9NzkEtoBUGFF+3Qs17 +j1hhNNwqCPkuwwGmIkQcTAeC5lvO0Ep8BNMZcyfwqph/Lq9O64ceJHdqXbboW0W63MOhBW9Wjo8Q +JqVJwy7XQYci4E+GymC16qFjwAGXEHm9ADwSbSsVsaxLse4YuU6W3Nx2/zu+z18DwPw76L5GG//a +QMJS9/7jOvdqdzXQ2o3rXhhqMcceujwbKNZrVMaqW9eiLBsZzKIC9ptZvTdrhrVtgrrY6slWvKk2 +WP0+GfPtDCapkzj4T8FdIgbQl+rhrcZV4IErKIM6+vR7IVEAvlI4zs1meaj0gVbi0IMJR1FbUGrP +20gaXT73y/Zl92zxlfgCOzJWgjl6W70viRu/obTo/3+NjN8D8WBOWBFM66M/ECuDmgFz2ZRthAAn +ZqzwcEAJQpKtT5MNYQlRJNiS1QuUYbKHsu3/mjX/hVTK7URDrBs8FmtISgocQIgfksILAAX/8sgC 
+SqSqqcyZlpwvWOB94b67B9xfBHJcMTTD7F8t4D1kkCLm0ey4Lt1ZrtmhN79UNdxzMk+MBB4zsslG +8dhcyFVQyWi9qLo2CQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR281Xh+qQ2 ++/CfXGJx7Tz0RzgQKzAfBgNVHSMEGDAWgBR281Xh+qQ2+/CfXGJx7Tz0RzgQKzAOBgNVHQ8BAf8E +BAMCAYYwDQYJKoZIhvcNAQEFBQADggIBAGbBxiPz2eAubl/oz66wsCVNK/g7WJtAJDday6sWSf+z +dXkzoS9tcBc0kf5nfo/sm+VegqlVHy/c1FEHEv6sFj4sNcZj/NwQ6w2jqtB8zNHQL1EuxBRa3ugZ +4T7GzKQp5y6EqgYweHZUcyiYWTjgAA1i00J9IZ+uPTqM1fp3DRgrFg5fNuH8KrUwJM/gYwx7WBr+ +mbpCErGR9Hxo4sjoryzqyX6uuyo9DRXcNJW2GHSoag/HtPQTxORb7QrSpJdMKu0vbBKJPfEncKpq +A1Ihn0CoZ1Dy81of398j9tx4TuaYT1U6U+Pv8vSfx3zYWK8pIpe44L2RLrB27FcRz+8pRPPphXpg +Y+RdM4kX2TGq2tbzGDVyz4crL2MjhF2EjD9XoIj8mZEoJmmZ1I+XRL6O1UixpCgp8RW04eWe3fiP +pm8m1wk8OhwRDqZsN/etRIcsKMfYdIKz0G9KV7s1KSegi+ghp4dkNl3M2Basx7InQJJVOCiNUW7d +FGdTbHFcJoRNdVq2fmBWqU2t+5sel/MN2dKXVHfaPRK34B7vCAas+YWH6aLcr34YEoP9VhdBLtUp +gn2Z9DH2canPLAEnpQW5qrJITirvn5NSUZU8UnOOVkwXQMAJKOSLakhT2+zNVVXxxvjpoixMptEm +X36vWkzaH6byHCx+rgIW0lbQL1dTR+iS +-----END CERTIFICATE----- + +Visa eCommerce Root +=================== +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIQE4Y1TR0/BvLB+WUF1ZAcYjANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQG +EwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMmVmlzYSBJbnRlcm5hdGlvbmFsIFNlcnZpY2Ug +QXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNvbW1lcmNlIFJvb3QwHhcNMDIwNjI2MDIxODM2 +WhcNMjIwNjI0MDAxNjEyWjBrMQswCQYDVQQGEwJVUzENMAsGA1UEChMEVklTQTEvMC0GA1UECxMm +VmlzYSBJbnRlcm5hdGlvbmFsIFNlcnZpY2UgQXNzb2NpYXRpb24xHDAaBgNVBAMTE1Zpc2EgZUNv +bW1lcmNlIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvV95WHm6h2mCxlCfL +F9sHP4CFT8icttD0b0/Pmdjh28JIXDqsOTPHH2qLJj0rNfVIsZHBAk4ElpF7sDPwsRROEW+1QK8b +RaVK7362rPKgH1g/EkZgPI2h4H3PVz4zHvtH8aoVlwdVZqW1LS7YgFmypw23RuwhY/81q6UCzyr0 +TP579ZRdhE2o8mCP2w4lPJ9zcc+U30rq299yOIzzlr3xF7zSujtFWsan9sYXiwGd/BmoKoMWuDpI +/k4+oKsGGelT84ATB+0tvz8KPFUgOSwsAGl0lUq8ILKpeeUYiZGo3BxN77t+Nwtd/jmliFKMAGzs +GHxBvfaLdXe6YJ2E5/4tAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG 
+MB0GA1UdDgQWBBQVOIMPPyw/cDMezUb+B4wg4NfDtzANBgkqhkiG9w0BAQUFAAOCAQEAX/FBfXxc +CLkr4NWSR/pnXKUTwwMhmytMiUbPWU3J/qVAtmPN3XEolWcRzCSs00Rsca4BIGsDoo8Ytyk6feUW +YFN4PMCvFYP3j1IzJL1kk5fui/fbGKhtcbP3LBfQdCVp9/5rPJS+TUtBjE7ic9DjkCJzQ83z7+pz +zkWKsKZJ/0x9nXGIxHYdkFsd7v3M9+79YKWxehZx0RbQfBI8bGmX265fOZpwLwU8GUYEmSA20GBu +YQa7FkKMcPcw++DbZqMAAb3mLNqRX6BGi01qnD093QVG/na/oAo85ADmJ7f/hC3euiInlhBx6yLt +398znM/jra6O1I7mT1GvFpLgXPYHDw== +-----END CERTIFICATE----- + +Comodo AAA Services root +======================== +-----BEGIN CERTIFICATE----- +MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEbMBkGA1UECAwS +R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0Eg +TGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAw +MFoXDTI4MTIzMTIzNTk1OVowezELMAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hl +c3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNV +BAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQuaBtDFcCLNSS1UY8y2bmhG +C1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe3M/vg4aijJRPn2jymJBGhCfHdr/jzDUs +i14HZGWCwEiwqJH5YZ92IFCokcdmtet4YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszW +Y19zjNoFmag4qMsXeDZRrOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjH +Ypy+g8cmez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQUoBEK +Iz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wewYDVR0f +BHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNl +cy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2Vz +LmNybDANBgkqhkiG9w0BAQUFAAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm +7l3sAg9g1o1QGE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz +Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2G9w84FoVxp7Z +8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsil2D4kF501KKaU73yqWjgom7C 
+12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg== +-----END CERTIFICATE----- + +QuoVadis Root CA +================ +-----BEGIN CERTIFICATE----- +MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJCTTEZMBcGA1UE +ChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAz +MTkxODMzMzNaFw0yMTAzMTcxODMzMzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRp +cyBMaW1pdGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQD +EyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Ypli4kVEAkOPcahdxYTMuk +J0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2DrOpm2RgbaIr1VxqYuvXtdj182d6UajtL +F8HVj71lODqV0D1VNk7feVcxKh7YWWVJWCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeL +YzcS19Dsw3sgQUSj7cugF+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWen +AScOospUxbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCCAk4w +PQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVvdmFkaXNvZmZzaG9y +ZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREwggENMIIBCQYJKwYBBAG+WAABMIH7 +MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNlIG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmlj +YXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJs +ZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh +Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYIKwYBBQUHAgEW +Fmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3TKbkGGew5Oanwl4Rqy+/fMIGu +BgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rqy+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkw +FwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MS4wLAYDVQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6 +tlCLMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSkfnIYj9lo +fFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf87C9TqnN7Az10buYWnuul 
+LsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1RcHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2x +gI4JVrmcGmD+XcHXetwReNDWXcG31a0ymQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi +5upZIof4l/UO/erMkqQWxFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi +5nrQNiOKSnQ2+Q== +-----END CERTIFICATE----- + +QuoVadis Root CA 2 +================== +-----BEGIN CERTIFICATE----- +MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoT +EFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAeFw0wNjExMjQx +ODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM +aW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQCaGMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6 +XJxgFyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55JWpzmM+Yk +lvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bBrrcCaoF6qUWD4gXmuVbB +lDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp+ARz8un+XJiM9XOva7R+zdRcAitMOeGy +lZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt +66/3FsvbzSUr5R/7mp/iUcw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1Jdxn +wQ5hYIizPtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og/zOh +D7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UHoycR7hYQe7xFSkyy +BNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuIyV77zGHcizN300QyNQliBJIWENie +J0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1Ud +DgQWBBQahGK8SEwzJQTU7tD2A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGU +a6FJpEcwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT +ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2fBluornFdLwUv +Z+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzng/iN/Ae42l9NLmeyhP3ZRPx3 +UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2BlfF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodm +VjB3pjd4M1IQWK4/YY7yarHvGH5KWWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK ++JDSV6IZUaUtl0HaB0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrW 
+IozchLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPRTUIZ3Ph1 +WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWDmbA4CD/pXvk1B+TJYm5X +f6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0ZohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II +4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8 +VCLAAVBpQ570su9t+Oza8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u +-----END CERTIFICATE----- + +QuoVadis Root CA 3 +================== +-----BEGIN CERTIFICATE----- +MIIGnTCCBIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoT +EFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMzAeFw0wNjExMjQx +OTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM +aW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDMV0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0CSzGrvI2RaNgg +DhoB4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2/7FWeUUrH556VOij +KTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd8lyyBTNvijbO0BNO/79K +DDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9CabwvvWhDFlaJKjdhkf2mrk7AyxRllDdLkgbv +BNDInIjbC3uBr7E9KsRlOni27tyAsdLTmZw67mtaa7ONt9XOnMK+pUsvFrGeaDsGb659n/je7Mwp +p5ijJUMv7/FfJuGITfhebtfZFG4ZM2mnO4SJk8RTVROhUXhA+LjJou57ulJCg54U7QVSWllWp5f8 +nT8KKdjcT5EOE7zelaTfi5m+rJsziO+1ga8bxiJTyPbH7pcUsMV8eFLI8M5ud2CEpukqdiDtWAEX +MJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgic6aIDFUhWMXhOp8q3crhkODZc6tsgLjoC2SToJyM +Gf+z0gzskSaHirOi4XCPLArlzW1oUevaPwV/izLmE1xr/l9A4iLItLRkT9a6fUg+qGkM17uGcclz +uD87nSVL2v9A6wIDAQABo4IBlTCCAZEwDwYDVR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHT +BgkrBgEEAb5YAAMwgcUwgZMGCCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmlj +YXRlIGNvbnN0aXR1dGVzIGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0 +aWZpY2F0ZSBQb2xpY3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudC4wLQYIKwYB +BQUHAgEWIWh0dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2NwczALBgNVHQ8EBAMCAQYwHQYD +VR0OBBYEFPLAE+CCQz777i9nMpY1XNu4ywLQMG4GA1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4 
+ywLQoUmkRzBFMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UE +AxMSUXVvVmFkaXMgUm9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv92ZV +qyM07ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSemd1o417+s +hvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd+LJ2w/w4E6oM3kJpK27z +POuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B4f/xI4hROJ/yZlZ25w9Rl6VSDE1JUZU2 +Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadNt54CrnMAyNojA+j56hl0YgCUyyIgvpSnWbWCar6ZeXqp +8kokUvd0/bpO5qgdAm6xDYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8nby1dqnuH/grdS/yO9SbkbnBC +bjPsMZ57k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs9ZgC06DYVYoGmRmioHfRMJ6szHXu +g/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgWQgRecCocIdiP4b0jWy10QJLZYxkNc91p +vGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUqKLsRixeTmJlglFwjz1onl14LBQaTNx47aTbr +qZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK4SVhM7JZG+Ju1zdXtg2pEto= +-----END CERTIFICATE----- + +Security Communication Root CA +============================== +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMP +U0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEw +HhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMP +U0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw +8yl89f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJDKaVv0uM +DPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9Ms+k2Y7CI9eNqPPYJayX +5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/NQV3Is00qVUarH9oe4kA92819uZKAnDfd +DJZkndwi92SL32HeFZRSFaB9UslLqCHJxrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2 +JChzAgMBAAGjPzA9MB0GA1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYw +DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vGkl3g +0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfrUj94nK9NrvjVT8+a +mCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5Bw+SUEmK3TGXX8npN6o7WWWXlDLJ 
+s58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJUJRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ +6rBK+1YWc26sTfcioU+tHXotRSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAi +FL39vmwLAw== +-----END CERTIFICATE----- + +Sonera Class 2 Root CA +====================== +-----BEGIN CERTIFICATE----- +MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEPMA0GA1UEChMG +U29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAxMDQwNjA3Mjk0MFoXDTIxMDQw +NjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNVBAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJh +IENsYXNzMiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3 +/Ei9vX+ALTU74W+oZ6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybT +dXnt5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s3TmVToMG +f+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2EjvOr7nQKV0ba5cTppCD8P +tOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu8nYybieDwnPz3BjotJPqdURrBGAgcVeH +nfO+oJAjPYok4doh28MCAwEAAaMzMDEwDwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITT +XjwwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt +0jSv9zilzqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/3DEI +cbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvDFNr450kkkdAdavph +Oe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6Tk6ezAyNlNzZRZxe7EJQY670XcSx +EtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLH +llpwrN9M +-----END CERTIFICATE----- + +XRamp Global CA Root +==================== +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UE +BhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2Vj +dXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwHhcNMDQxMTAxMTcxNDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMx +HjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkg +U2VydmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3Jp 
+dHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS638eMpSe2OAtp87ZOqCwu +IR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCPKZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMx +foArtYzAQDsRhtDLooY2YKTVMIJt2W7QDxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FE +zG+gSqmUsE3a56k0enI4qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqs +AxcZZPRaJSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNViPvry +xS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud +EwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASsjVy16bYbMDYGA1UdHwQvMC0wK6Ap +oCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMC +AQEwDQYJKoZIhvcNAQEFBQADggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc +/Kh4ZzXxHfARvbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt +qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLaIR9NmXmd4c8n +nxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSyi6mx5O+aGtA9aZnuqCij4Tyz +8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQO+7ETPTsJ3xCwnR8gooJybQDJbw= +-----END CERTIFICATE----- + +Go Daddy Class 2 CA +=================== +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMY +VGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRp +ZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkG +A1UEBhMCVVMxITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g +RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQAD +ggENADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCAPVYYYwhv +2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6wwdhFJ2+qN1j3hybX2C32 +qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXiEqITLdiOr18SPaAIBQi2XKVlOARFmR6j +YGB0xUGlcmIbYsUfb18aQr4CUWWoriMYavx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmY +vLEHZ6IVDd2gWMZEewo+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0O +BBYEFNLEsNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h/t2o 
+atTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMu +MTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwG +A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wim +PQoZ+YeAEW5p5JYXMP80kWNyOO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKt +I3lpjbi2Tc7PTMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ +HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mERdEr/VxqHD3VI +Ls9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5CufReYNnyicsbkqWletNw+vHX/b +vZ8= +-----END CERTIFICATE----- + +Starfield Class 2 CA +==================== +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMc +U3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIg +Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBo +MQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAG +A1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqG +SIb3DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf8MOh2tTY +bitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZ +JRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVm +epsZGD3/cVE8MC5fvj13c7JdBmzDI1aaK4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSN +F4Azbl5KXZnJHoe0nRrA1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HF +MIHCMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fRzt0f +hvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNo +bm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENlcnRpZmljYXRpb24g +QXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGs +afPzWdqbAYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLM +PUxA2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl +xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynpVSJYACPq4xJD 
+KVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEYWQPJIrSPnNVeKtelttQKbfi3 +QBFGmh95DmK/D5fs4C8fF5Q= +-----END CERTIFICATE----- + +Taiwan GRCA +=========== +-----BEGIN CERTIFICATE----- +MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQG +EwJUVzEwMC4GA1UECgwnR292ZXJubWVudCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4X +DTAyMTIwNTEzMjMzM1oXDTMyMTIwNTEzMjMzM1owPzELMAkGA1UEBhMCVFcxMDAuBgNVBAoMJ0dv +dmVybm1lbnQgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAJoluOzMonWoe/fOW1mKydGGEghU7Jzy50b2iPN86aXfTEc2pBsBHH8eV4qN +w8XRIePaJD9IK/ufLqGU5ywck9G/GwGHU5nOp/UKIXZ3/6m3xnOUT0b3EEk3+qhZSV1qgQdW8or5 +BtD3cCJNtLdBuTK4sfCxw5w/cP1T3YGq2GN49thTbqGsaoQkclSGxtKyyhwOeYHWtXBiCAEuTk8O +1RGvqa/lmr/czIdtJuTJV6L7lvnM4T9TjGxMfptTCAtsF/tnyMKtsc2AtJfcdgEWFelq16TheEfO +htX7MfP6Mb40qij7cEwdScevLJ1tZqa2jWR+tSBqnTuBto9AAGdLiYa4zGX+FVPpBMHWXx1E1wov +J5pGfaENda1UhhXcSTvxls4Pm6Dso3pdvtUqdULle96ltqqvKKyskKw4t9VoNSZ63Pc78/1Fm9G7 +Q3hub/FCVGqY8A2tl+lSXunVanLeavcbYBT0peS2cWeqH+riTcFCQP5nRhc4L0c/cZyu5SHKYS1t +B6iEfC3uUSXxY5Ce/eFXiGvviiNtsea9P63RPZYLhY3Naye7twWb7LuRqQoHEgKXTiCQ8P8NHuJB +O9NAOueNXdpm5AKwB1KYXA6OM5zCppX7VRluTI6uSw+9wThNXo+EHWbNxWCWtFJaBYmOlXqYwZE8 +lSOyDvR5tMl8wUohAgMBAAGjajBoMB0GA1UdDgQWBBTMzO/MKWCkO7GStjz6MmKPrCUVOzAMBgNV +HRMEBTADAQH/MDkGBGcqBwAEMTAvMC0CAQAwCQYFKw4DAhoFADAHBgVnKgMAAAQUA5vwIhP/lSg2 +09yewDL7MTqKUWUwDQYJKoZIhvcNAQEFBQADggIBAECASvomyc5eMN1PhnR2WPWus4MzeKR6dBcZ +TulStbngCnRiqmjKeKBMmo4sIy7VahIkv9Ro04rQ2JyftB8M3jh+Vzj8jeJPXgyfqzvS/3WXy6Tj +Zwj/5cAWtUgBfen5Cv8b5Wppv3ghqMKnI6mGq3ZW6A4M9hPdKmaKZEk9GhiHkASfQlK3T8v+R0F2 +Ne//AHY2RTKbxkaFXeIksB7jSJaYV0eUVXoPQbFEJPPB/hprv4j9wabak2BegUqZIJxIZhm1AHlU +D7gsL0u8qV1bYH+Mh6XgUmMqvtg7hUAV/h62ZT/FS9p+tXo1KaMuephgIqP0fSdOLeq0dDzpD6Qz +DxARvBMB1uUO07+1EqLhRSPAzAhuYbeJq4PjJB7mXQfnHyA+z2fI56wwbSdLaG5LKlwCCDTb+Hbk +Z6MmnD+iMsJKxYEYMRBWqoTvLQr/uB930r+lWKBi5NdLkXWNiYCYfm3LU05er/ayl4WXudpVBrkk +7tfGOB5jGxI7leFYrPLfhNVfmS8NVVvmONsuP3LpSIXLuykTjx44VbnzssQwmSNOXfJIoRIM3BKQ 
+CZBUkQM8R+XVyWXgt0t97EfTsws+rZ7QdAAO671RrcDeLMDDav7v3Aun+kbfYNucpllQdSNpc5Oy ++fwC00fmcc4QAu4njIT/rEUNE1yDMuAlpYYsfPQS +-----END CERTIFICATE----- + +DigiCert Assured ID Root CA +=========================== +-----BEGIN CERTIFICATE----- +MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBlMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQw +IgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzEx +MTEwMDAwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQL +ExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0Ew +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7cJpSIqvTO +9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYPmDI2dsze3Tyoou9q+yHy +UmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW +/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpy +oeb6pNnVFzF1roV9Iq4/AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whf +GHdPAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRF +66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq +hkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRCdWKuh+vy1dneVrOfzM4UKLkNl2Bc +EkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTffwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38Fn +SbNd67IJKusm7Xi+fT8r87cmNW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i +8b5QZ7dsvfPxH2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe ++o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g== +-----END CERTIFICATE----- + +DigiCert Global Root CA +======================= +-----BEGIN CERTIFICATE----- +MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw +HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAw +MDAwMDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 
+dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsBCSDMAZOn +TjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97nh6Vfe63SKMI2tavegw5 +BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt43C/dxC//AH2hdmoRBBYMql1GNXRor5H +4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7PT19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y +7vrTC0LUq7dBMtoM1O/4gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQAB +o2MwYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbRTLtm +8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDQYJKoZIhvcNAQEF +BQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/EsrhMAtudXH/vTBH1jLuG2cenTnmCmr +EbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIt +tep3Sp+dWOIrWcBAI+0tKIJFPnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886 +UAb3LujEV0lsYSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk +CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4= +-----END CERTIFICATE----- + +DigiCert High Assurance EV Root CA +================================== +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSsw +KQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5jZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAw +MFoXDTMxMTExMDAwMDAwMFowbDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZ +MBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFu +Y2UgRVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm+9S75S0t +Mqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTWPNt0OKRKzE0lgvdKpVMS +OO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEMxChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3 +MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFBIk5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQ +NAQTXKFx01p8VdteZOE3hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUe +h10aUAsgEsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB 
+Af8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSY +JhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3NecnzyIZgYIVyHbIUf4KmeqvxgydkAQ +V8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6zeM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFp +myPInngiK3BD41VHMWEZ71jFhS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkK +mNEVX58Svnw2Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe +vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K +-----END CERTIFICATE----- + +Certplus Class 2 Primary CA +=========================== +-----BEGIN CERTIFICATE----- +MIIDkjCCAnqgAwIBAgIRAIW9S/PY2uNp9pTXX8OlRCMwDQYJKoZIhvcNAQEFBQAwPTELMAkGA1UE +BhMCRlIxETAPBgNVBAoTCENlcnRwbHVzMRswGQYDVQQDExJDbGFzcyAyIFByaW1hcnkgQ0EwHhcN +OTkwNzA3MTcwNTAwWhcNMTkwNzA2MjM1OTU5WjA9MQswCQYDVQQGEwJGUjERMA8GA1UEChMIQ2Vy +dHBsdXMxGzAZBgNVBAMTEkNsYXNzIDIgUHJpbWFyeSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBANxQltAS+DXSCHh6tlJw/W/uz7kRy1134ezpfgSN1sxvc0NXYKwzCkTsA18cgCSR +5aiRVhKC9+Ar9NuuYS6JEI1rbLqzAr3VNsVINyPi8Fo3UjMXEuLRYE2+L0ER4/YXJQyLkcAbmXuZ +Vg2v7tK8R1fjeUl7NIknJITesezpWE7+Tt9avkGtrAjFGA7v0lPubNCdEgETjdyAYveVqUSISnFO +YFWe2yMZeVYHDD9jC1yw4r5+FfyUM1hBOHTE4Y+L3yasH7WLO7dDWWuwJKZtkIvEcupdM5i3y95e +e++U8Rs+yskhwcWYAqqi9lt3m/V+llU0HGdpwPFC40es/CgcZlUCAwEAAaOBjDCBiTAPBgNVHRME +CDAGAQH/AgEKMAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU43Mt38sOKAze3bOkynm4jrvoMIkwEQYJ +YIZIAYb4QgEBBAQDAgEGMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly93d3cuY2VydHBsdXMuY29t +L0NSTC9jbGFzczIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCnVM+IRBnL39R/AN9WM2K191EBkOvD +P9GIROkkXe/nFL0gt5o8AP5tn9uQ3Nf0YtaLcF3n5QRIqWh8yfFC82x/xXp8HVGIutIKPidd3i1R +TtMTZGnkLuPT55sJmabglZvOGtd/vjzOUrMRFcEPF80Du5wlFbqidon8BvEY0JNLDnyCt6X09l/+ +7UCmnYR0ObncHoUW2ikbhiMAybuJfm6AiB4vFLQDJKgybwOaRywwvlbGp0ICcBvqQNi6BQNwB6SW +//1IMwrh3KWBkJtN3X3n57LNXMhqlfil9o3EXXgIvnsG1knPGTZQIy4I5p4FTUcY1Rbpsda2ENW7 +l7+ijrRU +-----END CERTIFICATE----- + +DST Root CA X3 +============== +-----BEGIN CERTIFICATE----- 
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQK +ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X +DTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1 +cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmT +rE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9 +UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRy +xXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40d +utolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0T +AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQ +MA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikug +dB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjE +GB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bw +RLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubS +fZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ +-----END CERTIFICATE----- + +SwissSign Gold CA - G2 +====================== +-----BEGIN CERTIFICATE----- +MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNIMRUw +EwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2lnbiBHb2xkIENBIC0gRzIwHhcN +MDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBFMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dp +c3NTaWduIEFHMR8wHQYDVQQDExZTd2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAr+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUq +t2/876LQwB8CJEoTlo8jE+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+bbqBHH5C +jCA12UNNhPqE21Is8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c6bM8K8vzARO/Ws/BtQpg +vd21mWRTuKCWs2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqEemA8atufK+ze3gE/bk3lUIbLtK/tREDF +ylqM2tIrfKjuvqblCqoOpd8FUrdVxyJdMmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvR 
+AiTysybUa9oEVeXBCsdtMDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuend +jIj3o02yMszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69yFGkO +peUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPiaG59je883WX0XaxR +7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxMgI93e2CaHt+28kgeDrpOVG2Y4OGi +GqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUWyV7lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0jBBgwFoAUWyV7lqRlUX64 +OfPAeGZe6Drn8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAsBggrBgEFBQcCARYgaHR0cDov +L3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBACe645R88a7A3hfm +5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5+OlgzczOUYrHUDFu4Up+GC9pWbY9ZIEr +44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOf +Mke6UiI0HTJ6CVanfCU2qT1L2sCCbwq7EsiHSycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6m +Gu6uLftIdxf+u+yvGPUqUfA5hJeVbG4bwyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxp +mo/a77KwPJ+HbBIrZXAVUjEaJM9vMSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCChdiDyyJk +vC24JdVUorgG6q2SpCSgwYa1ShNqR88uC1aVVMvOmttqtKay20EIhid392qgQmwLOM7XdVAyksLf +KzAiSNDVQTglXaTpXZ/GlHXQRf0wl0OPkKsKx4ZzYEppLd6leNcG2mqeSz53OiATIgHQv2ieY2Br +NU0LbbqhPcCT4H8js1WtciVORvnSFu+wZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6Lqj +viOvrv1vA+ACOzB2+httQc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ +-----END CERTIFICATE----- + +SwissSign Silver CA - G2 +======================== +-----BEGIN CERTIFICATE----- +MIIFvTCCA6WgAwIBAgIITxvUL1S7L0swDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCQ0gxFTAT +BgNVBAoTDFN3aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMB4X +DTA2MTAyNTA4MzI0NloXDTM2MTAyNTA4MzI0NlowRzELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3 +aXNzU2lnbiBBRzEhMB8GA1UEAxMYU3dpc3NTaWduIFNpbHZlciBDQSAtIEcyMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAxPGHf9N4Mfc4yfjDmUO8x/e8N+dOcbpLj6VzHVxumK4DV644 +N0MvFz0fyM5oEMF4rhkDKxD6LHmD9ui5aLlV8gREpzn5/ASLHvGiTSf5YXu6t+WiE7brYT7QbNHm ++/pe7R20nqA1W6GSy/BJkv6FCgU+5tkL4k+73JU3/JHpMjUi0R86TieFnbAVlDLaYQ1HTWBCrpJH 
+6INaUFjpiou5XaHc3ZlKHzZnu0jkg7Y360g6rw9njxcH6ATK72oxh9TAtvmUcXtnZLi2kUpCe2Uu +MGoM9ZDulebyzYLs2aFK7PayS+VFheZteJMELpyCbTapxDFkH4aDCyr0NQp4yVXPQbBH6TCfmb5h +qAaEuSh6XzjZG6k4sIN/c8HDO0gqgg8hm7jMqDXDhBuDsz6+pJVpATqJAHgE2cn0mRmrVn5bi4Y5 +FZGkECwJMoBgs5PAKrYYC51+jUnyEEp/+dVGLxmSo5mnJqy7jDzmDrxHB9xzUfFwZC8I+bRHHTBs +ROopN4WSaGa8gzj+ezku01DwH/teYLappvonQfGbGHLy9YR0SslnxFSuSGTfjNFusB3hB48IHpmc +celM2KX3RxIfdNFRnobzwqIjQAtz20um53MGjMGg6cFZrEb65i/4z3GcRm25xBWNOHkDRUjvxF3X +CO6HOSKGsg0PWEP3calILv3q1h8CAwEAAaOBrDCBqTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQUF6DNweRBtjpbO8tFnb0cwpj6hlgwHwYDVR0jBBgwFoAUF6DNweRB +tjpbO8tFnb0cwpj6hlgwRgYDVR0gBD8wPTA7BglghXQBWQEDAQEwLjAsBggrBgEFBQcCARYgaHR0 +cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBAHPGgeAn0i0P +4JUw4ppBf1AsX19iYamGamkYDHRJ1l2E6kFSGG9YrVBWIGrGvShpWJHckRE1qTodvBqlYJ7YH39F +kWnZfrt4csEGDyrOj4VwYaygzQu4OSlWhDJOhrs9xCrZ1x9y7v5RoSJBsXECYxqCsGKrXlcSH9/L +3XWgwF15kIwb4FDm3jH+mHtwX6WQ2K34ArZv02DdQEsixT2tOnqfGhpHkXkzuoLcMmkDlm4fS/Bx +/uNncqCxv1yL5PqZIseEuRuNI5c/7SXgz2W79WEE790eslpBIlqhn10s6FvJbakMDHiqYMZWjwFa +DGi8aRl5xB9+lwW/xekkUV7U1UtT7dkjWjYDZaPBA61BMPNGG4WQr2W11bHkFlt4dR2Xem1ZqSqP +e97Dh4kQmUlzeMg9vVE1dCrV8X5pGyq7O70luJpaPXJhkGaH7gzWTdQRdAtq/gsD/KNVV4n+Ssuu +WxcFyPKNIzFTONItaj+CuY0IavdeQXRuwxF+B6wpYJE/OMpXEA29MC/HpeZBoNquBYeaoKRlbEwJ +DIm6uNO5wJOKMPqN5ZprFQFOZ6raYlY+hAhm0sQ2fac+EPyI4NSA5QC9qvNOBqN6avlicuMJT+ub +DgEj8Z+7fNzcbBGXJbLytGMU0gYqZ4yD9c7qB9iaah7s5Aq7KkzrCWA5zspi2C5u +-----END CERTIFICATE----- + +GeoTrust Primary Certification Authority +======================================== +-----BEGIN CERTIFICATE----- +MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQG +EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMoR2VvVHJ1c3QgUHJpbWFyeSBD +ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgx +CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQ 
+cmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9AWbK7hWN +b6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjAZIVcFU2Ix7e64HXprQU9 +nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE07e9GceBrAqg1cmuXm2bgyxx5X9gaBGge +RwLmnWDiNpcB3841kt++Z8dtd1k7j53WkBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGt +tm/81w7a4DSwDRp35+MImO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD +AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJKoZI +hvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ16CePbJC/kRYkRj5K +Ts4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl4b7UVXGYNTq+k+qurUKykG/g/CFN +NWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6KoKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHa +Floxt/m0cYASSJlyc1pZU8FjUjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG +1riR/aYNKxoUAT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk= +-----END CERTIFICATE----- + +thawte Primary Root CA +====================== +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UE +BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2 +aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhv +cml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3 +MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwg +SW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMv +KGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMT +FnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCs +oPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ +1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGc +q/gcfomk6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/K +aAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR32HuHUETVPm4p 
+afs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYD +VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUF +AAOCAQEAeRHAS7ORtvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeE +uzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX +xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2/qxAeeWsEG89 +jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVH +z7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA== +-----END CERTIFICATE----- + +VeriSign Class 3 Public Primary Certification Authority - G5 +============================================================ +-----BEGIN CERTIFICATE----- +MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE +BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO +ZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk +IHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRp +ZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCB +yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln +biBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBh +dXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKz +j/i5Vbext0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhD +Y2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/ +Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNHiDxpg8v+R70r +fk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2Uv +Z2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy 
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqG +SIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzEp6B4Eq1iDkVwZMXnl2YtmAl+ +X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKE +KQsTb47bDN0lAtukixlE0kF6BWlKWE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiC +Km0oHw0LxOXnGiYZ4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vE +ZV8NhnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq +-----END CERTIFICATE----- + +SecureTrust CA +============== +-----BEGIN CERTIFICATE----- +MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBIMQswCQYDVQQG +EwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xFzAVBgNVBAMTDlNlY3VyZVRy +dXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIzMTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAe +BgNVBAoTF1NlY3VyZVRydXN0IENvcnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQX +OZEzZum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO0gMdA+9t +DWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIaowW8xQmxSPmjL8xk037uH +GFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b +01k/unK8RCSc43Oz969XL0Imnal0ugBS8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmH +ursCAwEAAaOBnTCBmjATBgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/ +BAUwAwEB/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCegJYYj +aHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJ +KoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt36Z3q059c4EVlew3KW+JwULKUBRSu +SceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHf +mbx8IVQr5Fiiu1cprp6poxkmD5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZ +nMUFdAvnZyPSCPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR +3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE= +-----END CERTIFICATE----- + +Secure Global CA +================ +-----BEGIN CERTIFICATE----- 
+MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQG +EwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBH +bG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkxMjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEg +MB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwg +Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jx +YDiJiQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa/FHtaMbQ +bqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJjnIFHovdRIWCQtBJwB1g +8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnIHmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYV +HDGA76oYa8J719rO+TMg1fW9ajMtgQT7sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi +0XPnj3pDAgMBAAGjgZ0wgZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud +EwEB/wQFMAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCswKaAn +oCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEA +MA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0LURYD7xh8yOOvaliTFGCRsoTciE6+ +OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXOH0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cn +CDpOGR86p1hcF895P4vkp9MmI50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/5 +3CYNv6ZHdAbYiNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc +f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW +-----END CERTIFICATE----- + +COMODO Certification Authority +============================== +-----BEGIN CERTIFICATE----- +MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UE +BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG +A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNVBAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1 +dGhvcml0eTAeFw0wNjEyMDEwMDAwMDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEb +MBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFD +T01PRE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3UcEbVASY06m/weaKXTuH 
++7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI2GqGd0S7WWaXUF601CxwRM/aN5VCaTww +xHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV +4EajcNxo2f8ESIl33rXp+2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA +1KGzqSX+DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5OnKVI +rLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW/zAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmNvbW9k +b2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOC +AQEAPpiem/Yb6dc5t3iuHXIYSdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CP +OGEIqB6BCsAvIC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/ +RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmc +IGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5ddBA6+C4OmF4O5MBKgxTMVBbkN ++8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IBZQ== +-----END CERTIFICATE----- + +Network Solutions Certificate Authority +======================================= +-----BEGIN CERTIFICATE----- +MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQG +EwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3Jr +IFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMx +MjM1OTU5WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu +MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwzc7MEL7xx +jOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPPOCwGJgl6cvf6UDL4wpPT +aaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rlmGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXT +crA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc +/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMB +AAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwubmV0c29sc3NsLmNv 
+bS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUA +A4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc86fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q +4LqILPxFzBiwmZVRDuwduIj/h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/ +GGUsyfJj4akH/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv +wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxD +ydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey +-----END CERTIFICATE----- + +COMODO ECC Certification Authority +================================== +-----BEGIN CERTIFICATE----- +MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UEBhMC +R0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UE +ChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwHhcNMDgwMzA2MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0Ix +GzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR +Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRo +b3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSRFtSrYpn1PlILBs5BAH+X +4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0JcfRK9ChQtP6IHG4/bC8vCVlbpVsLM5ni +wz2J+Wos77LTBumjQjBAMB0GA1UdDgQWBBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VG +FAkK+qDmfQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdvGDeA +U/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY= +-----END CERTIFICATE----- + +OISTE WISeKey Global Root GA CA +=============================== +-----BEGIN CERTIFICATE----- +MIID8TCCAtmgAwIBAgIQQT1yx/RrH4FDffHSKFTfmjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UE +BhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxGzAZBgNVBAsTEkNvcHlyaWdodCAoYykgMjAwNTEiMCAG +A1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBH +bG9iYWwgUm9vdCBHQSBDQTAeFw0wNTEyMTExNjAzNDRaFw0zNzEyMTExNjA5NTFaMIGKMQswCQYD +VQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEbMBkGA1UECxMSQ29weXJpZ2h0IChjKSAyMDA1MSIw 
+IAYDVQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5 +IEdsb2JhbCBSb290IEdBIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy0+zAJs9 +Nt350UlqaxBJH+zYK7LG+DKBKUOVTJoZIyEVRd7jyBxRVVuuk+g3/ytr6dTqvirdqFEr12bDYVxg +Asj1znJ7O7jyTmUIms2kahnBAbtzptf2w93NvKSLtZlhuAGio9RN1AU9ka34tAhxZK9w8RxrfvbD +d50kc3vkDIzh2TbhmYsFmQvtRTEJysIA2/dyoJaqlYfQjse2YXMNdmaM3Bu0Y6Kff5MTMPGhJ9vZ +/yxViJGg4E8HsChWjBgbl0SOid3gF27nKu+POQoxhILYQBRJLnpB5Kf+42TMwVlxSywhp1t94B3R +LoGbw9ho972WG6xwsRYUC9tguSYBBQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUswN+rja8sHnR3JQmthG+IbJphpQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJ +KoZIhvcNAQEFBQADggEBAEuh/wuHbrP5wUOxSPMowB0uyQlB+pQAHKSkq0lPjz0e701vvbyk9vIm +MMkQyh2I+3QZH4VFvbBsUfk2ftv1TDI6QU9bR8/oCy22xBmddMVHxjtqD6wU2zz0c5ypBd8A3HR4 ++vg1YFkCExh8vPtNsCBtQ7tgMHpnM1zFmdH4LTlSc/uMqpclXHLZCB6rTjzjgTGfA6b7wP4piFXa +hNVQA7bihKOmNqoROgHhGEvWRGizPflTdISzRpFGlgC3gCy24eMQ4tui5yiPAZZiFj4A4xylNoEY +okxSdsARo27mHbrjWr42U8U+dY+GaSlYU7Wcu2+fXMUY7N0v4ZjJ/L7fCg0= +-----END CERTIFICATE----- + +Certigna +======== +-----BEGIN CERTIFICATE----- +MIIDqDCCApCgAwIBAgIJAP7c4wEPyUj/MA0GCSqGSIb3DQEBBQUAMDQxCzAJBgNVBAYTAkZSMRIw +EAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hMB4XDTA3MDYyOTE1MTMwNVoXDTI3 +MDYyOTE1MTMwNVowNDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczERMA8GA1UEAwwI +Q2VydGlnbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIaPHJ1tazNHUmgh7stL7q +XOEm7RFHYeGifBZ4QCHkYJ5ayGPhxLGWkv8YbWkj4Sti993iNi+RB7lIzw7sebYs5zRLcAglozyH +GxnygQcPOJAZ0xH+hrTy0V4eHpbNgGzOOzGTtvKg0KmVEn2lmsxryIRWijOp5yIVUxbwzBfsV1/p +ogqYCd7jX5xv3EjjhQsVWqa6n6xI4wmy9/Qy3l40vhx4XUJbzg4ij02Q130yGLMLLGq/jj8UEYkg +DncUtT2UCIf3JR7VsmAA7G8qKCVuKj4YYxclPz5EIBb2JsglrgVKtOdjLPOMFlN+XPsRGgjBRmKf +Irjxwo1p3Po6WAbfAgMBAAGjgbwwgbkwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUGu3+QTmQ +tCRZvgHyUtVF9lo53BEwZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF9lo53BGhOKQ2MDQxCzAJ +BgNVBAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAPBgNVBAMMCENlcnRpZ25hggkA/tzjAQ/J 
+SP8wDgYDVR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzANBgkqhkiG9w0BAQUFAAOCAQEA +hQMeknH2Qq/ho2Ge6/PAD/Kl1NqV5ta+aDY9fm4fTIrv0Q8hbV6lUmPOEvjvKtpv6zf+EwLHyzs+ +ImvaYS5/1HI93TDhHkxAGYwP15zRgzB7mFncfca5DClMoTOi62c6ZYTTluLtdkVwj7Ur3vkj1klu +PBS1xp81HlDQwY9qcEQCYsuuHWhBp6pX6FOqB9IG9tUUBguRA3UsbHK1YZWaDYu5Def131TN3ubY +1gkIl2PlwS6wt0QmwCbAr1UwnjvVNioZBPRcHv/PLLf/0P2HQBHVESO7SMAhqaQoLf0V+LBOK/Qw +WyH8EZE0vkHve52Xdf+XlcCWWC/qu0bXu+TZLg== +-----END CERTIFICATE----- + +Deutsche Telekom Root CA 2 +========================== +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMT +RGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEG +A1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENBIDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5 +MjM1OTAwWjBxMQswCQYDVQQGEwJERTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0G +A1UECxMWVC1UZWxlU2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBS +b290IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEUha88EOQ5 +bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhCQN/Po7qCWWqSG6wcmtoI +KyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1MjwrrFDa1sPeg5TKqAyZMg4ISFZbavva4VhY +AUlfckE8FQYBjl2tqriTtM2e66foai1SNNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aK +Se5TBY8ZTNXeWHmb0mocQqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTV +jlsB9WoHtxa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAPBgNV +HRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAlGRZrTlk5ynr +E/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756AbrsptJh6sTtU6zkXR34ajgv8HzFZMQSy +zhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpaIzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8 +rZ7/gFnkm0W09juwzTkZmDLl6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4G +dyd1Lx+4ivn+xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU +Cm26OWMohpLzGITY+9HPBVZkVw== +-----END CERTIFICATE----- + +Cybertrust Global Root +====================== +-----BEGIN CERTIFICATE----- 
+MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYGA1UEChMPQ3li +ZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBSb290MB4XDTA2MTIxNTA4 +MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQD +ExZDeWJlcnRydXN0IEdsb2JhbCBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA ++Mi8vRRQZhP/8NN57CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW +0ozSJ8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2yHLtgwEZL +AfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iPt3sMpTjr3kfb1V05/Iin +89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNzFtApD0mpSPCzqrdsxacwOUBdrsTiXSZT +8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAYXSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2 +MDSgMqAwhi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3JsMB8G +A1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUAA4IBAQBW7wojoFRO +lZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMjWqd8BfP9IjsO0QbE2zZMcwSO5bAi +5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUxXOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2 +hO0j9n0Hq0V+09+zv+mKts2oomcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+T +X3EJIrduPuocA06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW +WL1WMRJOEcgh4LMRkWXbtKaIOM5V +-----END CERTIFICATE----- + +ePKI Root Certification Authority +================================= +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIQFci9ZUdcr7iXAF7kBtK8nTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQG +EwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0ZC4xKjAoBgNVBAsMIWVQS0kg +Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDEyMjAwMjMxMjdaFw0zNDEyMjAwMjMx +MjdaMF4xCzAJBgNVBAYTAlRXMSMwIQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEq +MCgGA1UECwwhZVBLSSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEA4SUP7o3biDN1Z82tH306Tm2d0y8U82N0ywEhajfqhFAHSyZbCUNs +IZ5qyNUD9WBpj8zwIuQf5/dqIjG3LBXy4P4AakP/h2XGtRrBp0xtInAhijHyl3SJCRImHJ7K2RKi 
+lTza6We/CKBk49ZCt0Xvl/T29de1ShUCWH2YWEtgvM3XDZoTM1PRYfl61dd4s5oz9wCGzh1NlDiv +qOx4UXCKXBCDUSH3ET00hl7lSM2XgYI1TBnsZfZrxQWh7kcT1rMhJ5QQCtkkO7q+RBNGMD+XPNjX +12ruOzjjK9SXDrkb5wdJfzcq+Xd4z1TtW0ado4AOkUPB1ltfFLqfpo0kR0BZv3I4sjZsN/+Z0V0O +WQqraffAsgRFelQArr5T9rXn4fg8ozHSqf4hUmTFpmfwdQcGlBSBVcYn5AGPF8Fqcde+S/uUWH1+ +ETOxQvdibBjWzwloPn9s9h6PYq2lY9sJpx8iQkEeb5mKPtf5P0B6ebClAZLSnT0IFaUQAS2zMnao +lQ2zepr7BxB4EW/hj8e6DyUadCrlHJhBmd8hh+iVBmoKs2pHdmX2Os+PYhcZewoozRrSgx4hxyy/ +vv9haLdnG7t4TY3OZ+XkwY63I2binZB1NJipNiuKmpS5nezMirH4JYlcWrYvjB9teSSnUmjDhDXi +Zo1jDiVN1Rmy5nk3pyKdVDECAwEAAaNqMGgwHQYDVR0OBBYEFB4M97Zn8uGSJglFwFU5Lnc/Qkqi +MAwGA1UdEwQFMAMBAf8wOQYEZyoHAAQxMC8wLQIBADAJBgUrDgMCGgUAMAcGBWcqAwAABBRFsMLH +ClZ87lt4DJX5GFPBphzYEDANBgkqhkiG9w0BAQUFAAOCAgEACbODU1kBPpVJufGBuvl2ICO1J2B0 +1GqZNF5sAFPZn/KmsSQHRGoqxqWOeBLoR9lYGxMqXnmbnwoqZ6YlPwZpVnPDimZI+ymBV3QGypzq +KOg4ZyYr8dW1P2WT+DZdjo2NQCCHGervJ8A9tDkPJXtoUHRVnAxZfVo9QZQlUgjgRywVMRnVvwdV +xrsStZf0X4OFunHB2WyBEXYKCrC/gpf36j36+uwtqSiUO1bd0lEursC9CBWMd1I0ltabrNMdjmEP +NXubrjlpC2JgQCA2j6/7Nu4tCEoduL+bXPjqpRugc6bY+G7gMwRfaKonh+3ZwZCc7b3jajWvY9+r +GNm65ulK6lCKD2GTHuItGeIwlDWSXQ62B68ZgI9HkFFLLk3dheLSClIKF5r8GrBQAuUBo2M3IUxE +xJtRmREOc5wGj1QupyheRDmHVi03vYVElOEMSyycw5KFNGHLD7ibSkNS/jQ6fbjpKdx2qcgw+BRx +gMYeNkh0IkFch4LoGHGLQYlE535YW6i4jRPpp2zDR+2zGp1iro2C6pSe3VkQw63d4k3jMdXH7Ojy +sP6SHhYKGvzZ8/gntsm+HbRsZJB/9OTEW9c3rkIO3aQab3yIVMUWbuF6aC74Or8NpDyJO3inTmOD +BCEIZ43ygknQW/2xzQ+DhNQ+IIX3Sj0rnP0qCglN6oH4EZw= +-----END CERTIFICATE----- + +certSIGN ROOT CA +================ +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgIGIAYFFnACMA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNVBAYTAlJPMREwDwYD +VQQKEwhjZXJ0U0lHTjEZMBcGA1UECxMQY2VydFNJR04gUk9PVCBDQTAeFw0wNjA3MDQxNzIwMDRa +Fw0zMTA3MDQxNzIwMDRaMDsxCzAJBgNVBAYTAlJPMREwDwYDVQQKEwhjZXJ0U0lHTjEZMBcGA1UE +CxMQY2VydFNJR04gUk9PVCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALczuX7I +JUqOtdu0KBuqV5Do0SLTZLrTk+jUrIZhQGpgV2hUhE28alQCBf/fm5oqrl0Hj0rDKH/v+yv6efHH 
+rfAQUySQi2bJqIirr1qjAOm+ukbuW3N7LBeCgV5iLKECZbO9xSsAfsT8AzNXDe3i+s5dRdY4zTW2 +ssHQnIFKquSyAVwdj1+ZxLGt24gh65AIgoDzMKND5pCCrlUoSe1b16kQOA7+j0xbm0bqQfWwCHTD +0IgztnzXdN/chNFDDnU5oSVAKOp4yw4sLjmdjItuFhwvJoIQ4uNllAoEwF73XVv4EOLQunpL+943 +AAAaWyjj0pxzPjKHmKHJUS/X3qwzs08CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAcYwHQYDVR0OBBYEFOCMm9slSbPxfIbWskKHC9BroNnkMA0GCSqGSIb3DQEBBQUAA4IB +AQA+0hyJLjX8+HXd5n9liPRyTMks1zJO890ZeUe9jjtbkw9QSSQTaxQGcu8J06Gh40CEyecYMnQ8 +SG4Pn0vU9x7Tk4ZkVJdjclDVVc/6IJMCopvDI5NOFlV2oHB5bc0hH88vLbwZ44gx+FkagQnIl6Z0 +x2DEW8xXjrJ1/RsCCdtZb3KTafcxQdaIOL+Hsr0Wefmq5L6IJd1hJyMctTEHBDa0GpC9oHRxUIlt +vBTjD4au8as+x6AJzKNI0eDbZOeStc+vckNwi/nDhDwTqn6Sm1dTk/pwwpEOMfmbZ13pljheX7Nz +TogVZ96edhBiIL5VaZVDADlN9u6wWk5JRFRYX0KD +-----END CERTIFICATE----- + +GeoTrust Primary Certification Authority - G3 +============================================= +-----BEGIN CERTIFICATE----- +MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UE +BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA4IEdlb1RydXN0 +IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFy +eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIz +NTk1OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAo +YykgMjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMT +LUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBANziXmJYHTNXOTIz+uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5j +K/BGvESyiaHAKAxJcCGVn2TAppMSAmUmhsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdE +c5IiaacDiGydY8hS2pgn5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3C +IShwiP/WJmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exALDmKu +dlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZChuOl1UcCAwEAAaNC +MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMR5yo6hTgMdHNxr +2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IBAQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9 
+cr5HqQ6XErhK8WTTOd8lNNTBzU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbE +Ap7aDHdlDkQNkv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD +AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUHSJsMC8tJP33s +t/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2Gspki4cErx5z481+oghLrGREt +-----END CERTIFICATE----- + +thawte Primary Root CA - G2 +=========================== +-----BEGIN CERTIFICATE----- +MIICiDCCAg2gAwIBAgIQNfwmXNmET8k9Jj1Xm67XVjAKBggqhkjOPQQDAzCBhDELMAkGA1UEBhMC +VVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjE4MDYGA1UECxMvKGMpIDIwMDcgdGhhd3RlLCBJbmMu +IC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3Qg +Q0EgLSBHMjAeFw0wNzExMDUwMDAwMDBaFw0zODAxMTgyMzU5NTlaMIGEMQswCQYDVQQGEwJVUzEV +MBMGA1UEChMMdGhhd3RlLCBJbmMuMTgwNgYDVQQLEy8oYykgMjAwNyB0aGF3dGUsIEluYy4gLSBG +b3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAt +IEcyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEotWcgnuVnfFSeIf+iha/BebfowJPDQfGAFG6DAJS +LSKkQjnE/o/qycG+1E3/n3qe4rF8mq2nhglzh9HnmuN6papu+7qzcMBniKI11KOasf2twu8x+qi5 +8/sIxpHR+ymVo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU +mtgAMADna3+FGO6Lts6KDPgR4bswCgYIKoZIzj0EAwMDaQAwZgIxAN344FdHW6fmCsO99YCKlzUN +G4k8VIZ3KMqh9HneteY4sPBlcIx/AlTCv//YoT7ZzwIxAMSNlPzcU9LcnXgWHxUzI1NS41oxXZ3K +rr0TKUQNJ1uo52icEvdYPy5yAlejj6EULg== +-----END CERTIFICATE----- + +thawte Primary Root CA - G3 +=========================== +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UE +BhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2 +aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhv +cml6ZWQgdXNlIG9ubHkxJDAiBgNVBAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0w +ODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhh +d3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYD +VQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIG 
+A1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAsr8nLPvb2FvdeHsbnndmgcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2At +P0LMqmsywCPLLEHd5N/8YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC ++BsUa0Lfb1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS99irY +7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2SzhkGcuYMXDhpxwTW +vGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUkOQIDAQABo0IwQDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJ +KoZIhvcNAQELBQADggEBABpA2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweK +A3rD6z8KLFIWoCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu +t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7cKUGRIjxpp7sC +8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fMm7v/OeZWYdMKp8RcTGB7BXcm +er/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZuMdRAGmI0Nj81Aa6sY6A= +-----END CERTIFICATE----- + +GeoTrust Primary Certification Authority - G2 +============================================= +-----BEGIN CERTIFICATE----- +MIICrjCCAjWgAwIBAgIQPLL0SAoA4v7rJDteYD7DazAKBggqhkjOPQQDAzCBmDELMAkGA1UEBhMC +VVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA3IEdlb1RydXN0IElu +Yy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBD +ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMB4XDTA3MTEwNTAwMDAwMFoXDTM4MDExODIzNTk1 +OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAoYykg +MjAwNyBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMTLUdl +b1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjB2MBAGByqGSM49AgEG +BSuBBAAiA2IABBWx6P0DFUPlrOuHNxFi79KDNlJ9RVcLSo17VDs6bl8VAsBQps8lL33KSLjHUGMc +KiEIfJo22Av+0SbFWDEwKCXzXV2juLaltJLtbCyf691DiaI8S0iRHVDsJt/WYC69IaNCMEAwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBVfNVdRVfslsq0DafwBo/q+ +EVXVMAoGCCqGSM49BAMDA2cAMGQCMGSWWaboCd6LuvpaiIjwH5HTRqjySkwCY/tsXzjbLkGTqQ7m 
+ndwxHLKgpxgceeHHNgIwOlavmnRs9vuD4DPTCF+hnMJbn0bWtsuRBmOiBuczrD6ogRLQy7rQkgu2 +npaqBA+K +-----END CERTIFICATE----- + +VeriSign Universal Root Certification Authority +=============================================== +-----BEGIN CERTIFICATE----- +MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCBvTELMAkGA1UE +BhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBO +ZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVk +IHVzZSBvbmx5MTgwNgYDVQQDEy9WZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9u +IEF1dGhvcml0eTAeFw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJV +UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdv +cmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl +IG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNhbCBSb290IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj +1mCOkdeQmIN65lgZOIzF9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGP +MiJhgsWHH26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+HLL72 +9fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN/BMReYTtXlT2NJ8I +AfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPTrJ9VAMf2CGqUuV/c4DPxhGD5WycR +tPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0G +CCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2O +a8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud +DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4sAPmLGd75JR3 +Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+seQxIcaBlVZaDrHC1LGmWazx +Y8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTx +P/jgdFcrGJ2BtMQo2pSXpXDrrB2+BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+P +wGZsY6rp2aQW9IHRlRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4 +mJO37M2CYfE45k+XmCpajQ== +-----END CERTIFICATE----- + +VeriSign Class 3 Public Primary Certification Authority - G4 
+============================================================ +-----BEGIN CERTIFICATE----- +MIIDhDCCAwqgAwIBAgIQL4D+I4wOIg9IZxIokYesszAKBggqhkjOPQQDAzCByjELMAkGA1UEBhMC +VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3 +b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVz +ZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmlj +YXRpb24gQXV0aG9yaXR5IC0gRzQwHhcNMDcxMTA1MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCByjEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU +cnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNyBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRo +b3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5 +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzQwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASnVnp8 +Utpkmw4tXNherJI9/gHmGUo9FANL+mAnINmDiWn6VMaaGF5VKmTeBvaNSjutEDxlPZCIBIngMGGz +rl0Bp3vefLK+ymVhAIau2o970ImtTR1ZmkGxvEeA3J5iw/mjgbIwga8wDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEw +HzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24u +Y29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFLMWkf3upm7ktS5Jj4d4gYDs5bG1MAoGCCqGSM49BAMD +A2gAMGUCMGYhDBgmYFo4e1ZC4Kf8NoRRkSAsdk1DPcQdhCPQrNZ8NQbOzWm9kA3bbEhCHQ6qQgIx +AJw9SDkjOVgaFRJZap7v1VmyHVIsmXHNxynfGyphe3HR3vPA5Q06Sqotp9iGKt0uEA== +-----END CERTIFICATE----- + +NetLock Arany (Class Gold) Főtanúsítvány +============================================ +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQGEwJIVTERMA8G +A1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3MDUGA1UECwwuVGFuw7pzw610 +dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBB +cmFueSAoQ2xhc3MgR29sZCkgRsWRdGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgx +MjA2MTUwODIxWjCBpzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxO +ZXRMb2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlmaWNhdGlv 
+biBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNzIEdvbGQpIEbFkXRhbsO6 +c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCRec75LbRTDofTjl5Bu +0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrTlF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw +/HpYzY6b7cNGbIRwXdrzAZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAk +H3B5r9s5VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRGILdw +fzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2BJtr+UBdADTHLpl1 +neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIB +BjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2MU9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwW +qZw8UQCgwBEIBaeZ5m8BiFRhbvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTta +YtOUZcTh5m2C+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC +bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2FuLjbvrW5Kfna +NwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2XjG4Kvte9nHfRCaexOYNkbQu +dZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= +-----END CERTIFICATE----- + +Staat der Nederlanden Root CA - G2 +================================== +-----BEGIN CERTIFICATE----- +MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJOTDEeMBwGA1UE +CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFhdCBkZXIgTmVkZXJsYW5kZW4g +Um9vdCBDQSAtIEcyMB4XDTA4MDMyNjExMTgxN1oXDTIwMDMyNTExMDMxMFowWjELMAkGA1UEBhMC +TkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5l +ZGVybGFuZGVuIFJvb3QgQ0EgLSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMVZ +5291qj5LnLW4rJ4L5PnZyqtdj7U5EILXr1HgO+EASGrP2uEGQxGZqhQlEq0i6ABtQ8SpuOUfiUtn +vWFI7/3S4GCI5bkYYCjDdyutsDeqN95kWSpGV+RLufg3fNU254DBtvPUZ5uW6M7XxgpT0GtJlvOj +CwV3SPcl5XCsMBQgJeN/dVrlSPhOewMHBPqCYYdu8DvEpMfQ9XQ+pV0aCPKbJdL2rAQmPlU6Yiil +e7Iwr/g3wtG61jj99O9JMDeZJiFIhQGp5Rbn3JBV3w/oOM2ZNyFPXfUib2rFEhZgF1XyZWampzCR +OME4HYYEhLoaJXhena/MUGDWE4dS7WMfbWV9whUYdMrhfmQpjHLYFhN9C0lK8SgbIHRrxT3dsKpI +CT0ugpTNGmXZK4iambwYfp/ufWZ8Pr2UuIHOzZgweMFvZ9C+X+Bo7d7iscksWXiSqt8rYGPy5V65 
+48r6f1CGPqI0GAwJaCgRHOThuVw+R7oyPxjMW4T182t0xHJ04eOLoEq9jWYv6q012iDTiIJh8BIi +trzQ1aTsr1SIJSQ8p22xcik/Plemf1WvbibG/ufMQFxRRIEKeN5KzlW/HdXZt1bv8Hb/C3m1r737 +qWmRRpdogBQ2HbN/uymYNqUg+oJgYjOk7Na6B6duxc8UpufWkjTYgfX8HV2qXB72o007uPc5AgMB +AAGjgZcwgZQwDwYDVR0TAQH/BAUwAwEB/zBSBgNVHSAESzBJMEcGBFUdIAAwPzA9BggrBgEFBQcC +ARYxaHR0cDovL3d3dy5wa2lvdmVyaGVpZC5ubC9wb2xpY2llcy9yb290LXBvbGljeS1HMjAOBgNV +HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJFoMocVHYnitfGsNig0jQt8YojrMA0GCSqGSIb3DQEBCwUA +A4ICAQCoQUpnKpKBglBu4dfYszk78wIVCVBR7y29JHuIhjv5tLySCZa59sCrI2AGeYwRTlHSeYAz ++51IvuxBQ4EffkdAHOV6CMqqi3WtFMTC6GY8ggen5ieCWxjmD27ZUD6KQhgpxrRW/FYQoAUXvQwj +f/ST7ZwaUb7dRUG/kSS0H4zpX897IZmflZ85OkYcbPnNe5yQzSipx6lVu6xiNGI1E0sUOlWDuYaN +kqbG9AclVMwWVxJKgnjIFNkXgiYtXSAfea7+1HAWFpWD2DU5/1JddRwWxRNVz0fMdWVSSt7wsKfk +CpYL+63C4iWEst3kvX5ZbJvw8NjnyvLplzh+ib7M+zkXYT9y2zqR2GUBGR2tUKRXCnxLvJxxcypF +URmFzI79R6d0lR2o0a9OF7FpJsKqeFdbxU2n5Z4FF5TKsl+gSRiNNOkmbEgeqmiSBeGCc1qb3Adb +CG19ndeNIdn8FCCqwkXfP+cAslHkwvgFuXkajDTznlvkN1trSt8sV4pAWja63XVECDdCcAz+3F4h +oKOKwJCcaNpQ5kUQR3i2TtJlycM33+FCY7BXN0Ute4qcvwXqZVUz9zkQxSgqIXobisQk+T8VyJoV +IPVVYpbtbZNQvOSqeK3Zywplh6ZmwcSBo3c6WB4L7oOLnR7SUqTMHW+wmG2UMbX4cQrcufx9MmDm +66+KAQ== +-----END CERTIFICATE----- + +Hongkong Post Root CA 1 +======================= +-----BEGIN CERTIFICATE----- +MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoT +DUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMB4XDTAzMDUx +NTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25n +IFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1 +ApzQjVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEnPzlTCeqr +auh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjhZY4bXSNmO7ilMlHIhqqh +qZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9nnV0ttgCXjqQesBCNnLsak3c78QA3xMY +V18meMjWCnl3v/evt3a5pQuEF10Q6m/hq5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNV 
+HRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7i +h9legYsCmEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI37pio +l7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clBoiMBdDhViw+5Lmei +IAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJsEhTkYY2sEJCehFC78JZvRZ+K88ps +T/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpOfMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilT +c4afU9hDDl3WY4JxHYB0yvbiAmvZWg== +-----END CERTIFICATE----- + +SecureSign RootCA11 +=================== +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQUFADBYMQswCQYDVQQGEwJKUDErMCkGA1UEChMi +SmFwYW4gQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcywgSW5jLjEcMBoGA1UEAxMTU2VjdXJlU2lnbiBS +b290Q0ExMTAeFw0wOTA0MDgwNDU2NDdaFw0yOTA0MDgwNDU2NDdaMFgxCzAJBgNVBAYTAkpQMSsw +KQYDVQQKEyJKYXBhbiBDZXJ0aWZpY2F0aW9uIFNlcnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1 +cmVTaWduIFJvb3RDQTExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/XeqpRyQBTvL +TJszi1oURaTnkBbR31fSIRCkF/3frNYfp+TbfPfs37gD2pRY/V1yfIw/XwFndBWW4wI8h9uuywGO +wvNmxoVF9ALGOrVisq/6nL+k5tSAMJjzDbaTj6nU2DbysPyKyiyhFTOVMdrAG/LuYpmGYz+/3ZMq +g6h2uRMft85OQoWPIucuGvKVCbIFtUROd6EgvanyTgp9UK31BQ1FT0Zx/Sg+U/sE2C3XZR1KG/rP +O7AxmjVuyIsG0wCR8pQIZUyxNAYAeoni8McDWc/V1uinMrPmmECGxc0nEovMe863ETxiYAcjPitA +bpSACW22s293bzUIUPsCh8U+iQIDAQABo0IwQDAdBgNVHQ4EFgQUW/hNT7KlhtQ60vFjmqC+CfZX +t94wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAKCh +OBZmLqdWHyGcBvod7bkixTgm2E5P7KN/ed5GIaGHd48HCJqypMWvDzKYC3xmKbabfSVSSUOrTC4r +bnpwrxYO4wJs+0LmGJ1F2FXI6Dvd5+H0LgscNFxsWEr7jIhQX5Ucv+2rIrVls4W6ng+4reV6G4pQ +Oh29Dbx7VFALuUKvVaAYga1lme++5Jy/xIWrQbJUb9wlze144o4MjQlJ3WN7WmmWAiGovVJZ6X01 +y8hSyn+B/tlr0/cR7SXf+Of5pPpyl4RTDaXQMhhRdlkUbA/r7F+AjHVDg8OFmP9Mni0N5HeDk061 +lgeLKBObjBmNQSdJQO7e5iNEOdyhIta6A/I= +-----END CERTIFICATE----- + +Microsec e-Szigno Root CA 2009 +============================== +-----BEGIN CERTIFICATE----- +MIIECjCCAvKgAwIBAgIJAMJ+QwRORz8ZMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYDVQQGEwJIVTER 
+MA8GA1UEBwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jv +c2VjIGUtU3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5o +dTAeFw0wOTA2MTYxMTMwMThaFw0yOTEyMzAxMTMwMThaMIGCMQswCQYDVQQGEwJIVTERMA8GA1UE +BwwIQnVkYXBlc3QxFjAUBgNVBAoMDU1pY3Jvc2VjIEx0ZC4xJzAlBgNVBAMMHk1pY3Jvc2VjIGUt +U3ppZ25vIFJvb3QgQ0EgMjAwOTEfMB0GCSqGSIb3DQEJARYQaW5mb0BlLXN6aWduby5odTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOn4j/NjrdqG2KfgQvvPkd6mJviZpWNwrZuuyjNA +fW2WbqEORO7hE52UQlKavXWFdCyoDh2Tthi3jCyoz/tccbna7P7ofo/kLx2yqHWH2Leh5TvPmUpG +0IMZfcChEhyVbUr02MelTTMuhTlAdX4UfIASmFDHQWe4oIBhVKZsTh/gnQ4H6cm6M+f+wFUoLAKA +pxn1ntxVUwOXewdI/5n7N4okxFnMUBBjjqqpGrCEGob5X7uxUG6k0QrM1XF+H6cbfPVTbiJfyyvm +1HxdrtbCxkzlBQHZ7Vf8wSN5/PrIJIOV87VqUQHQd9bpEqH5GoP7ghu5sJf0dgYzQ0mg/wu1+rUC +AwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTLD8bf +QkPMPcu1SCOhGnqmKrs0aDAfBgNVHSMEGDAWgBTLD8bfQkPMPcu1SCOhGnqmKrs0aDAbBgNVHREE +FDASgRBpbmZvQGUtc3ppZ25vLmh1MA0GCSqGSIb3DQEBCwUAA4IBAQDJ0Q5eLtXMs3w+y/w9/w0o +lZMEyL/azXm4Q5DwpL7v8u8hmLzU1F0G9u5C7DBsoKqpyvGvivo/C3NqPuouQH4frlRheesuCDfX +I/OMn74dseGkddug4lQUsbocKaQY9hK6ohQU4zE1yED/t+AFdlfBHFny+L/k7SViXITwfn4fs775 +tyERzAMBVnCnEJIeGzSBHq2cGsMEPO0CYdYeBvNfOofyK/FFh+U9rNHHV4S9a67c2Pm2G2JwCz02 +yULyMtd6YebS2z3PyKnJm9zbWETXbzivf3jTo60adbocwTZ8jx5tHMN1Rq41Bab2XD0h7lbwyYIi +LXpUq3DDfSJlgnCW +-----END CERTIFICATE----- + +GlobalSign Root CA - R3 +======================= +-----BEGIN CERTIFICATE----- +MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xv +YmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2Jh +bFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxT +aWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2ln +bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWt +iHL8RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ +0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3 
+rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjl +OCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2 +xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE +FI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZURUm7 +lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMpjjM5RcOO5LlXbKr8 +EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBdRoyV3XpYKBovHd7NADdBj+1E +bddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18 +YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7r +kpeDMdmztcpHWD9f +-----END CERTIFICATE----- + +Autoridad de Certificacion Firmaprofesional CIF A62634068 +========================================================= +-----BEGIN CERTIFICATE----- +MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UEBhMCRVMxQjBA +BgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVzaW9uYWwgQ0lGIEE2 +MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEyMzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIw +QAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBB +NjI2MzQwNjgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDD +Utd9thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQMcas9UX4P +B99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefGL9ItWY16Ck6WaVICqjaY +7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15iNA9wBj4gGFrO93IbJWyTdBSTo3OxDqqH +ECNZXyAFGUftaI6SEspd/NYrspI8IM/hX68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyI +plD9amML9ZMWGxmPsu2bm8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctX +MbScyJCyZ/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirjaEbsX +LZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/TKI8xWVvTyQKmtFLK +bpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF6NkBiDkal4ZkQdU7hwxu+g/GvUgU +vzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVhOSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1Ud +EwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNH 
+DhpkLzCBpgYDVR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp +cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBvACAAZABlACAA +bABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBlAGwAbwBuAGEAIAAwADgAMAAx +ADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx +51tkljYyGOylMnfX40S2wBEqgLk9am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qk +R71kMrv2JYSiJ0L1ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaP +T481PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS3a/DTg4f +Jl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5kSeTy36LssUzAKh3ntLFl +osS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF3dvd6qJ2gHN99ZwExEWN57kci57q13XR +crHedUTnQn3iV2t93Jm8PYMo6oCTjcVMZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoR +saS8I8nkvof/uZS2+F0gStRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTD +KCOM/iczQ0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQBjLMi +6Et8Vcad+qMUu2WFbm5PEn4KPJ2V +-----END CERTIFICATE----- + +Izenpe.com +========== +-----BEGIN CERTIFICATE----- +MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQG +EwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5jb20wHhcNMDcxMjEz +MTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMu +QS4xEzARBgNVBAMMCkl6ZW5wZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ +03rKDx6sp4boFmVqscIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAK +ClaOxdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6HLmYRY2xU ++zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFXuaOKmMPsOzTFlUFpfnXC +PCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQDyCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxT +OTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbK +F7jJeodWLBoBHmy+E60QrLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK +0GqfvEyNBjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8Lhij+ +0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIBQFqNeb+Lz0vPqhbB 
+leStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+HMh3/1uaD7euBUbl8agW7EekFwID +AQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2luZm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+ +SVpFTlBFIFMuQS4gLSBDSUYgQTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBG +NjIgUzgxQzBBBgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx +MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O +BBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUAA4ICAQB4pgwWSp9MiDrAyw6l +Fn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWblaQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbga +kEyrkgPH7UIBzg/YsfqikuFgba56awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8q +hT/AQKM6WfxZSzwoJNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Cs +g1lwLDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCTVyvehQP5 +aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGkLhObNA5me0mrZJfQRsN5 +nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJbUjWumDqtujWTI6cfSN01RpiyEGjkpTHC +ClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZo +Q0iy2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z +WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw== +-----END CERTIFICATE----- + +Chambers of Commerce Root - 2008 +================================ +-----BEGIN CERTIFICATE----- +MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYDVQQGEwJFVTFD +MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv +bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu +QS4xKTAnBgNVBAMTIENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEy +Mjk1MFoXDTM4MDczMTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNl +ZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQF +EwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJl +cnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC +AQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW928sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKA 
+XuFixrYp4YFs8r/lfTJqVKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorj +h40G072QDuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR5gN/ +ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfLZEFHcpOrUMPrCXZk +NNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05aSd+pZgvMPMZ4fKecHePOjlO+Bd5g +D2vlGts/4+EhySnB8esHnFIbAURRPHsl18TlUlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331 +lubKgdaX8ZSD6e2wsWsSaR6s+12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ +0wlf2eOKNcx5Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj +ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAxhduub+84Mxh2 +EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNVHQ4EFgQU+SSsD7K1+HnA+mCI +G8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1+HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJ +BgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh +bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENh +bWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDiC +CQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUH +AgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAJASryI1 +wqM58C7e6bXpeHxIvj99RZJe6dqxGfwWPJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH +3qLPaYRgM+gQDROpI9CF5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbU +RWpGqOt1glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaHFoI6 +M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2pSB7+R5KBWIBpih1 +YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MDxvbxrN8y8NmBGuScvfaAFPDRLLmF +9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QGtjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcK +zBIKinmwPQN/aUv0NCB9szTqjktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvG +nrDQWzilm1DefhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg +OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZd0jQ +-----END CERTIFICATE----- + +Global Chambersign Root - 2008 +============================== +-----BEGIN CERTIFICATE----- 
+MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYDVQQGEwJFVTFD +MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv +bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu +QS4xJzAlBgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMx +NDBaFw0zODA3MzExMjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUg +Y3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ +QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD +aGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDf +VtPkOpt2RbQT2//BthmLN0EYlVJH6xedKYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXf +XjaOcNFccUMd2drvXNL7G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0 +ZJJ0YPP2zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4ddPB +/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyGHoiMvvKRhI9lNNgA +TH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2Id3UwD2ln58fQ1DJu7xsepeY7s2M +H/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3VyJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfe +Ox2YItaswTXbo6Al/3K1dh3ebeksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSF +HTynyQbehP9r6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh +wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsogzCtLkykPAgMB +AAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQWBBS5CcqcHtvTbDprru1U8VuT +BjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDprru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UE +BhMCRVUxQzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJm +aXJtYS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJm +aXJtYSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiCCQDJzdPp +1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0 +dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAICIf3DekijZBZRG +/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZUohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6 
+ReAJ3spED8IXDneRRXozX1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/s +dZ7LoR/xfxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVza2Mg +9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yydYhz2rXzdpjEetrHH +foUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMdSqlapskD7+3056huirRXhOukP9Du +qqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9OAP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETr +P3iZ8ntxPjzxmKfFGBI/5rsoM0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVq +c5iJWzouE4gev8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z +09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B +-----END CERTIFICATE----- + +Go Daddy Root Certificate Authority - G2 +======================================== +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT +B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMu +MTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5 +MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6 +b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8G +A1UEAxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKDE6bFIEMBO4Tx5oVJnyfq +9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD ++qK+ihVqf94Lw7YZFAXK6sOoBJQ7RnwyDfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutd +fMh8+7ArU6SSYmlRJQVhGkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMl +NAJWJwGRtDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEAAaNC +MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9 +BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmXWWcDYfF+OwYxdS2hII5PZYe096ac +vNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r +5N9ss4UXnT3ZJE95kTXWXwTrgIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYV +N8Gb5DKj7Tjo2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO 
+LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI4uJEvlz36hz1 +-----END CERTIFICATE----- + +Starfield Root Certificate Authority - G2 +========================================= +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT +B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9s +b2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVsZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0 +eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAw +DgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQg +VGVjaG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZpY2F0ZSBB +dXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3twQP89o/8ArFv +W59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMgnLRJdzIpVv257IzdIvpy3Cdhl+72WoTs +bhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNk +N3mSwOxGXn/hbVNMYq/NHwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7Nf +ZTD4p7dNdloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0HZbU +JtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0GCSqGSIb3DQEBCwUAA4IBAQARWfol +TwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjUsHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx +4mcujJUDJi5DnUox9g61DLu34jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUw +F5okxBDgBPfg8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K +pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1mMpYjn0q7pBZ +c2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0 +-----END CERTIFICATE----- + +Starfield Services Root Certificate Authority - G2 +================================================== +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMxEDAOBgNVBAgT +B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVsZCBUZWNobm9s +b2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRl 
+IEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxT +dGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2VydmljZXMg +Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20pOsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2 +h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm28xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4Pa +hHQUw2eeBGg6345AWh1KTs9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLP +LJGmpufehRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk6mFB +rMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAwDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMA0GCSqG +SIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMIbw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPP +E95Dz+I0swSdHynVv/heyNXBve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTy +xQGjhdByPq1zqwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd +iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn0q23KXB56jza +YyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCNsSi6 +-----END CERTIFICATE----- + +AffirmTrust Commercial +====================== +-----BEGIN CERTIFICATE----- +MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UEBhMCVVMxFDAS +BgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBDb21tZXJjaWFsMB4XDTEw +MDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmly +bVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6Eqdb +DuKPHx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yrba0F8PrV +C8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPALMeIrJmqbTFeurCA+ukV6 +BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1yHp52UKqK39c/s4mT6NmgTWvRLpUHhww +MmWd5jyTXlBOeuM61G7MGvv50jeuJCqrVwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNV 
+HQ4EFgQUnZPGU4teyq8/nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwDQYJKoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYGXUPG +hi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNjvbz4YYCanrHOQnDi +qX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivtZ8SOyUOyXGsViQK8YvxO8rUzqrJv +0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9gN53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0kh +sUlHRUe072o0EclNmsxZt9YCnlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8= +-----END CERTIFICATE----- + +AffirmTrust Networking +====================== +-----BEGIN CERTIFICATE----- +MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UEBhMCVVMxFDAS +BgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBOZXR3b3JraW5nMB4XDTEw +MDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmly +bVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SE +Hi3yYJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbuakCNrmreI +dIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRLQESxG9fhwoXA3hA/Pe24 +/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gb +h+0t+nvujArjqWaJGctB+d1ENmHP4ndGyH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNV +HQ4EFgQUBx/S55zawm6iQLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwDQYJKoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfOtDIu +UFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzuQY0x2+c06lkh1QF6 +12S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZLgo/bNjR9eUJtGxUAArgFU2HdW23 +WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4uolu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9 +/ZFvgrG+CJPbFEfxojfHRZ48x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s= +-----END CERTIFICATE----- + +AffirmTrust Premium +=================== +-----BEGIN CERTIFICATE----- +MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UEBhMCVVMxFDAS +BgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVzdCBQcmVtaXVtMB4XDTEwMDEy 
+OTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRy +dXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAxBLfqV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtn +BKAQJG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ+jjeRFcV +5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrSs8PhaJyJ+HoAVt70VZVs ++7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmd +GPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d770O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5R +p9EixAqnOEhss/n/fauGV+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NI +S+LI+H+SqHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S5u04 +6uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4IaC1nEWTJ3s7xgaVY5 +/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TXOwF0lkLgAOIua+rF7nKsu7/+6qqo ++Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYEFJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB +/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByv +MiPIs0laUZx2KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg +Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B8OWycvpEgjNC +6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQMKSOyARiqcTtNd56l+0OOF6S +L5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK ++4w1IX2COPKpVJEZNZOUbWo6xbLQu4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmV +BtWVyuEklut89pMFu+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFg +IxpHYoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8GKa1qF60 +g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaORtGdFNrHF+QFlozEJLUb +zxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6eKeC2uAloGRwYQw== +-----END CERTIFICATE----- + +AffirmTrust Premium ECC +======================= +-----BEGIN CERTIFICATE----- +MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMCVVMxFDASBgNV +BAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQcmVtaXVtIEVDQzAeFw0xMDAx 
+MjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1U +cnVzdDEgMB4GA1UEAwwXQWZmaXJtVHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQA +IgNiAAQNMF4bFZ0D0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQ +N8O9ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0GA1UdDgQW +BBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAK +BggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/VsaobgxCd05DhT1wV/GzTjxi+zygk8N53X +57hG8f2h4nECMEJZh0PUUd+60wkyWs6Iflc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKM +eQ== +-----END CERTIFICATE----- + +Certum Trusted Network CA +========================= +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBMMSIwIAYDVQQK +ExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIy +MTIwNzM3WhcNMjkxMjMxMTIwNzM3WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBU +ZWNobm9sb2dpZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +MSIwIAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rHUV+rpDKmYYe2bg+G0jAC +l/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LMTXPb865Px1bVWqeWifrzq2jUI4ZZJ88J +J7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVUBBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4 +fOQtf/WsX+sWn7Et0brMkUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0 +cvW0QM8xAcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNVHQ8BAf8EBAMCAQYw +DQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15ysHhE49wcrwn9I0j6vSrEuVUEtRCj +jSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfLI9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1 +mS1FhIrlQgnXdAIv94nYmem8J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5aj +Zt3hrvJBW8qYVoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI +03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw= +-----END 
CERTIFICATE----- + +TWCA Root Certification Authority +================================= +-----BEGIN CERTIFICATE----- +MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJ +VEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMzWhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQG +EwJUVzESMBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NB +IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFEAcK0HMMx +QhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HHK3XLfJ+utdGdIzdjp9xC +oi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeXRfwZVzsrb+RH9JlF/h3x+JejiB03HFyP +4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/zrX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1r +y+UPizgN7gr8/g+YnzAx3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB +BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkqhkiG +9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeCMErJk/9q56YAf4lC +mtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdlsXebQ79NqZp4VKIV66IIArB6nCWlW +QtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62Dlhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVY +T0bf+215WfKEIlKuD8z7fDvnaspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocny +Yh0igzyXxfkZYiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw== +-----END CERTIFICATE----- + +Security Communication RootCA2 +============================== +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMeU2VjdXJpdHkgQ29tbXVuaWNh +dGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoXDTI5MDUyOTA1MDAzOVowXTELMAkGA1UEBhMC +SlAxJTAjBgNVBAoTHFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3Vy +aXR5IENvbW11bmljYXRpb24gUm9vdENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANAVOVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2l9amZIyoXvDjChz335c9S672XewhtUGrzbl+dp++ 
++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq1LXaQZAQwdbWQonCv/Q4EpVMVAX3NuRFg3sUZdbcDE3R +3n4MqzvEFb46VqZab3ZpUql6ucjrappdUtAtCms1FgkQhNBqyjoGADdH5H5XTz+L62e4iKrFvlNV +spHEfbmwhRkGeC7bYRr6hfVKkaHnFtWOojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1K +EOtOghY6rCcMU/Gt1SSwawNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8 +QIH4D5csOPEK7DzPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB +CwUAA4IBAQBMOqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpFcoJxDjrSzG+ntKEj +u/Ykn8sX/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXcokgfGT+Ok+vx+hfuzU7jBBJV1uXk +3fs+BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6q +tnRGEmyR7jTV7JqR50S+kDFy1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29 +mvVXIwAHIRc/SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03 +-----END CERTIFICATE----- + +EC-ACC +====== +-----BEGIN CERTIFICATE----- +MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB8zELMAkGA1UE +BhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChOSUYgUS0w +ODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYD +VQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UE +CxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMT +BkVDLUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTlaMIHzMQswCQYDVQQGEwJFUzE7 +MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8gKE5JRiBRLTA4MDExNzYt +SSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBDZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZl +Z2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3ZlcmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJh +cnF1aWEgRW50aXRhdHMgZGUgQ2VydGlmaWNhY2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUND +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R85iK +w5K4/0CQBXCHYMkAqbWUZRkiFRfCQ2xmRJoNBD45b6VLeqpjt4pEndljkYRm4CgPukLjbo73FCeT +ae6RDqNfDrHrZqJyTxIThmV6PttPB/SnCWDaOkKZx7J/sxaVHMf5NLWUhdWZXqBIoH7nF2W4onW4 +HvPlQn2v7fOKSGRdghST2MDk/7NQcvJ29rNdQlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0a +E9jD2z3Il3rucO2n5nzbcc8tlGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw 
+0JDnJwIDAQABo4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4opvpXY0wfwYD +VR0gBHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBodHRwczovL3d3dy5jYXRjZXJ0 +Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5l +dC92ZXJhcnJlbCAwDQYJKoZIhvcNAQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/sXE7zDkJ +lF7W2u++AVtd0x7Y/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNa +Al6kSBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7AwaboMMPOhyRp/7SNVe +l+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOSAgu+TGbrIP65y7WZf+a2 +E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xlnJ2lYJU6Un/10asIbvPuW/mIPX64b24D +5EI= +-----END CERTIFICATE----- + +Hellenic Academic and Research Institutions RootCA 2011 +======================================================= +-----BEGIN CERTIFICATE----- +MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1IxRDBCBgNVBAoT +O0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9y +aXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25z +IFJvb3RDQSAyMDExMB4XDTExMTIwNjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYT +AkdSMUQwQgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25z +IENlcnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNo +IEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPzdYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI +1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJfel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa +71HFK9+WXesyHgLacEnsbgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u +8yBRQlqD75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSPFEDH +3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp5dgTBCPuQSUwRwYDVR0eBEAwPqA8 +MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQub3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQu 
+b3JnMA0GCSqGSIb3DQEBBQUAA4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVt +XdMiKahsog2p6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8 +TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7dIsXRSZMFpGD +/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8AcysNnq/onN694/BtZqhFLKPM58N +7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXIl7WdmplNsDz4SgCbZN2fOUvRJ9e4 +-----END CERTIFICATE----- + +Actalis Authentication Root CA +============================== +-----BEGIN CERTIFICATE----- +MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQxDjAM +BgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UE +AwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDky +MjExMjIwMlowazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlz +IFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290 +IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNvUTufClrJ +wkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX4ay8IMKx4INRimlNAJZa +by/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9KK3giq0itFZljoZUj5NDKd45RnijMCO6 +zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1f +YVEiVRvjRuPjPdA1YprbrxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2 +oxgkg4YQ51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2Fbe8l +EfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxeKF+w6D9Fz8+vm2/7 +hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4Fv6MGn8i1zeQf1xcGDXqVdFUNaBr8 +EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbnfpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5 +jF66CyCU3nuDuP/jVo23Eek7jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLY +iDrIn3hm7YnzezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt +ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQALe3KHwGCmSUyI +WOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70jsNjLiNmsGe+b7bAEzlgqqI0 +JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDzWochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKx 
+K3JCaKygvU5a2hi/a5iB0P2avl4VSM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+ +Xlff1ANATIGk0k9jpwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC +4yyXX04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+OkfcvHlXHo +2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7RK4X9p2jIugErsWx0Hbhz +lefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btUZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXem +OR/qnuOf0GZvBeyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9 +vwGYT7JZVEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg== +-----END CERTIFICATE----- + +Trustis FPS Root CA +=================== +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQG +EwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQLExNUcnVzdGlzIEZQUyBSb290 +IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTExMzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNV +BAoTD1RydXN0aXMgTGltaXRlZDEcMBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQ +RUN+AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihHiTHcDnlk +H5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjjvSkCqPoc4Vu5g6hBSLwa +cY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zt +o3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlBOrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEA +AaNTMFEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAd +BgNVHQ4EFgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01GX2c +GE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmWzaD+vkAMXBJV+JOC +yinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP41BIy+Q7DsdwyhEQsb8tGD+pmQQ9P +8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZEf1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHV +l/9D7S3B2l0pKoU/rGXuhg8FjZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYl +iB6XzCGcKQENZetX2fNXlrtIzYE= +-----END CERTIFICATE----- + +Buypass Class 2 Root CA +======================= +-----BEGIN CERTIFICATE----- 
+MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEdMBsGA1UECgwU +QnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3MgQ2xhc3MgMiBSb290IENBMB4X +DTEwMTAyNjA4MzgwM1oXDTQwMTAyNjA4MzgwM1owTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1 +eXBhc3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDIgUm9vdCBDQTCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANfHXvfBB9R3+0Mh9PT1aeTuMgHbo4Yf5FkNuud1 +g1Lr6hxhFUi7HQfKjK6w3Jad6sNgkoaCKHOcVgb/S2TwDCo3SbXlzwx87vFKu3MwZfPVL4O2fuPn +9Z6rYPnT8Z2SdIrkHJasW4DptfQxh6NR/Md+oW+OU3fUl8FVM5I+GC911K2GScuVr1QGbNgGE41b +/+EmGVnAJLqBcXmQRFBoJJRfuLMR8SlBYaNByyM21cHxMlAQTn/0hpPshNOOvEu/XAFOBz3cFIqU +CqTqc/sLUegTBxj6DvEr0VQVfTzh97QZQmdiXnfgolXsttlpF9U6r0TtSsWe5HonfOV116rLJeff +awrbD02TTqigzXsu8lkBarcNuAeBfos4GzjmCleZPe4h6KP1DBbdi+w0jpwqHAAVF41og9JwnxgI +zRFo1clrUs3ERo/ctfPYV3Me6ZQ5BL/T3jjetFPsaRyifsSP5BtwrfKi+fv3FmRmaZ9JUaLiFRhn +Bkp/1Wy1TbMz4GHrXb7pmA8y1x1LPC5aAVKRCfLf6o3YBkBjqhHk/sM3nhRSP/TizPJhk9H9Z2vX +Uq6/aKtAQ6BXNVN48FP4YUIHZMbXb5tMOA1jrGKvNouicwoN9SG9dKpN6nIDSdvHXx1iY8f93ZHs +M+71bbRuMGjeyNYmsHVee7QHIJihdjK4TWxPAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYD +VR0OBBYEFMmAd+BikoL1RpzzuvdMw964o605MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsF +AAOCAgEAU18h9bqwOlI5LJKwbADJ784g7wbylp7ppHR/ehb8t/W2+xUbP6umwHJdELFx7rxP462s +A20ucS6vxOOto70MEae0/0qyexAQH6dXQbLArvQsWdZHEIjzIVEpMMpghq9Gqx3tOluwlN5E40EI +osHsHdb9T7bWR9AUC8rmyrV7d35BH16Dx7aMOZawP5aBQW9gkOLo+fsicdl9sz1Gv7SEr5AcD48S +aq/v7h56rgJKihcrdv6sVIkkLE8/trKnToyokZf7KcZ7XC25y2a2t6hbElGFtQl+Ynhw/qlqYLYd +DnkM/crqJIByw5c/8nerQyIKx+u2DISCLIBrQYoIwOula9+ZEsuK1V6ADJHgJgg2SMX6OBE1/yWD +LfJ6v9r9jv6ly0UsH8SIU653DtmadsWOLB2jutXsMq7Aqqz30XpN69QH4kj3Io6wpJ9qzo6ysmD0 +oyLQI+uUWnpp3Q+/QFesa1lQ2aOZ4W7+jQF5JyMV3pKdewlNWudLSDBaGOYKbeaP4NK75t98biGC +wWg5TbSYWGZizEqQXsP6JwSxeRV0mcy+rSDeJmAc61ZRpqPq5KM/p/9h3PFaTWwyI0PurKju7koS +CTxdccK+efrCh2gdC/1cacwG0Jp9VJkqyTkaGa9LKkPzY11aWOIv4x3kqdbQCtCev9eBCfHJxyYN +rJgWVqA= +-----END CERTIFICATE----- + +Buypass Class 3 Root CA +======================= +-----BEGIN CERTIFICATE----- 
+MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEdMBsGA1UECgwU +QnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3MgQ2xhc3MgMyBSb290IENBMB4X +DTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFowTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1 +eXBhc3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRH +sJ8YZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3EN3coTRiR +5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9tznDDgFHmV0ST9tD+leh +7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX0DJq1l1sDPGzbjniazEuOQAnFN44wOwZ +ZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH +2xc519woe2v1n/MuwU8XKhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV +/afmiSTYzIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvSO1UQ +RwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D34xFMFbG02SrZvPA +Xpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgPK9Dx2hzLabjKSWJtyNBjYt1gD1iq +j6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYD +VR0OBBYEFEe4zf/lb+74suwvTg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsF +AAOCAgEAACAjQTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV +cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXSIGrs/CIBKM+G +uIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2HJLw5QY33KbmkJs4j1xrG0aG +Q0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsaO5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8 +ZORK15FTAaggiG6cX0S5y2CBNOxv033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2 +KSb12tjE8nVhz36udmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz +6MkEkbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg413OEMXbug +UZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvDu79leNKGef9JOxqDDPDe +eOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq4/g7u9xN12TyUb7mqqta6THuBrxzvxNi +Cp/HuZc= +-----END CERTIFICATE----- + +T-TeleSec GlobalRoot Class 3 +============================ +-----BEGIN CERTIFICATE----- 
+MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoM +IlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBU +cnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgx +MDAxMTAyOTU2WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lz +dGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD +ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN8ELg63iIVl6bmlQdTQyK +9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/RLyTPWGrTs0NvvAgJ1gORH8EGoel15YU +NpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZF +iP0Zf3WHHx+xGwpzJFu5ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W +0eDrXltMEnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGjQjBA +MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1A/d2O2GCahKqGFPr +AyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOyWL6ukK2YJ5f+AbGwUgC4TeQbIXQb +fsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzT +ucpH9sry9uetuUg/vBa3wW306gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7h +P0HHRwA11fXT91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml +e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTpPDpFQUWw== +-----END CERTIFICATE----- + +EE Certification Centre Root CA +=============================== +-----BEGIN CERTIFICATE----- +MIIEAzCCAuugAwIBAgIQVID5oHPtPwBMyonY43HmSjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQG +EwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2Vy +dGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMCIYDzIw +MTAxMDMwMTAxMDMwWhgPMjAzMDEyMTcyMzU5NTlaMHUxCzAJBgNVBAYTAkVFMSIwIAYDVQQKDBlB +UyBTZXJ0aWZpdHNlZXJpbWlza2Vza3VzMSgwJgYDVQQDDB9FRSBDZXJ0aWZpY2F0aW9uIENlbnRy +ZSBSb290IENBMRgwFgYJKoZIhvcNAQkBFglwa2lAc2suZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDIIMDs4MVLqwd4lfNE7vsLDP90jmG7sWLqI9iroWUyeuuOF0+W2Ap7kaJjbMeM 
+TC55v6kF/GlclY1i+blw7cNRfdCT5mzrMEvhvH2/UpvObntl8jixwKIy72KyaOBhU8E2lf/slLo2 +rpwcpzIP5Xy0xm90/XsY6KxX7QYgSzIwWFv9zajmofxwvI6Sc9uXp3whrj3B9UiHbCe9nyV0gVWw +93X2PaRka9ZP585ArQ/dMtO8ihJTmMmJ+xAdTX7Nfh9WDSFwhfYggx/2uh8Ej+p3iDXE/+pOoYtN +P2MbRMNE1CV2yreN1x5KZmTNXMWcg+HCCIia7E6j8T4cLNlsHaFLAgMBAAGjgYowgYcwDwYDVR0T +AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBLyWj7qVhy/zQas8fElyalL1BSZ +MEUGA1UdJQQ+MDwGCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEF +BQcDCAYIKwYBBQUHAwkwDQYJKoZIhvcNAQEFBQADggEBAHv25MANqhlHt01Xo/6tu7Fq1Q+e2+Rj +xY6hUFaTlrg4wCQiZrxTFGGVv9DHKpY5P30osxBAIWrEr7BSdxjhlthWXePdNl4dp1BUoMUq5KqM +lIpPnTX/dqQGE5Gion0ARD9V04I8GtVbvFZMIi5GQ4okQC3zErg7cBqklrkar4dBGmoYDQZPxz5u +uSlNDUmJEYcyW+ZLBMjkXOZ0c5RdFpgTlf7727FE5TpwrDdr5rMzcijJs1eg9gIWiAYLtqZLICjU +3j2LrTcFU3T+bsy8QxdxXvnFzBqpYe73dgzzcvRyrc9yAjYHR8/vGVCJYMzpJJUPwssd8m92kMfM +dcGWxZ0= +-----END CERTIFICATE----- + +D-TRUST Root Class 3 CA 2 2009 +============================== +-----BEGIN CERTIFICATE----- +MIIEMzCCAxugAwIBAgIDCYPzMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQK +DAxELVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTAe +Fw0wOTExMDUwODM1NThaFw0yOTExMDUwODM1NThaME0xCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxE +LVRydXN0IEdtYkgxJzAlBgNVBAMMHkQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgMjAwOTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANOySs96R+91myP6Oi/WUEWJNTrGa9v+2wBoqOAD +ER03UAifTUpolDWzU9GUY6cgVq/eUXjsKj3zSEhQPgrfRlWLJ23DEE0NkVJD2IfgXU42tSHKXzlA +BF9bfsyjxiupQB7ZNoTWSPOSHjRGICTBpFGOShrvUD9pXRl/RcPHAY9RySPocq60vFYJfxLLHLGv +KZAKyVXMD9O0Gu1HNVpK7ZxzBCHQqr0ME7UAyiZsxGsMlFqVlNpQmvH/pStmMaTJOKDfHR+4CS7z +p+hnUquVH+BGPtikw8paxTGA6Eian5Rp/hnd2HN8gcqW3o7tszIFZYQ05ub9VxC1X3a/L7AQDcUC +AwEAAaOCARowggEWMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP3aFMSfMN4hvR5COfyrYyNJ +4PGEMA4GA1UdDwEB/wQEAwIBBjCB0wYDVR0fBIHLMIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVjdG9y +eS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMDIw 
+MDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwQ6BBoD+G +PWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAw +OS5jcmwwDQYJKoZIhvcNAQELBQADggEBAH+X2zDI36ScfSF6gHDOFBJpiBSVYEQBrLLpME+bUMJm +2H6NMLVwMeniacfzcNsgFYbQDfC+rAF1hM5+n02/t2A7nPPKHeJeaNijnZflQGDSNiH+0LS4F9p0 +o3/U37CYAqxva2ssJSRyoWXuJVrl5jLn8t+rSfrzkGkj2wTZ51xY/GXUl77M/C4KzCUqNQT4YJEV +dT1B/yMfGchs64JTBKbkTCJNjYy6zltz7GRUUG3RnFX7acM2w4y8PIWmawomDeCTmGCufsYkl4ph +X5GOZpIJhzbNi5stPvZR1FDUWSi9g/LMKHtThm3YJohw1+qRzT65ysCQblrGXnRl11z+o+I= +-----END CERTIFICATE----- + +D-TRUST Root Class 3 CA 2 EV 2009 +================================= +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQK +DAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAw +OTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUwNDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQK +DAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAw +OTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfS +egpnljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM03TP1YtHh +zRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6ZqQTMFexgaDbtCHu39b+T +7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lRp75mpoo6Kr3HGrHhFPC+Oh25z1uxav60 +sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure35 +11H3a6UCAwEAAaOCASQwggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyv +cop9NteaHNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFwOi8v +ZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xhc3MlMjAzJTIwQ0El +MjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0aWZpY2F0ZXJldm9jYXRp +b25saXN0MEagRKBChkBodHRwOi8vd3d3LmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xh +c3NfM19jYV8yX2V2XzIwMDkuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+ +PPoeUSbrh/Yp3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05 +nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNFCSuGdXzfX2lX 
+ANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7naxpeG0ILD5EJt/rDiZE4OJudA +NCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqXKVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVv +w9y4AyHqnxbxLFS1 +-----END CERTIFICATE----- + +CA Disig Root R2 +================ +-----BEGIN CERTIFICATE----- +MIIFaTCCA1GgAwIBAgIJAJK4iNuwisFjMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAlNLMRMw +EQYDVQQHEwpCcmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMuMRkwFwYDVQQDExBDQSBEaXNp +ZyBSb290IFIyMB4XDTEyMDcxOTA5MTUzMFoXDTQyMDcxOTA5MTUzMFowUjELMAkGA1UEBhMCU0sx +EzARBgNVBAcTCkJyYXRpc2xhdmExEzARBgNVBAoTCkRpc2lnIGEucy4xGTAXBgNVBAMTEENBIERp +c2lnIFJvb3QgUjIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCio8QACdaFXS1tFPbC +w3OeNcJxVX6B+6tGUODBfEl45qt5WDza/3wcn9iXAng+a0EE6UG9vgMsRfYvZNSrXaNHPWSb6Wia +xswbP7q+sos0Ai6YVRn8jG+qX9pMzk0DIaPY0jSTVpbLTAwAFjxfGs3Ix2ymrdMxp7zo5eFm1tL7 +A7RBZckQrg4FY8aAamkw/dLukO8NJ9+flXP04SXabBbeQTg06ov80egEFGEtQX6sx3dOy1FU+16S +GBsEWmjGycT6txOgmLcRK7fWV8x8nhfRyyX+hk4kLlYMeE2eARKmK6cBZW58Yh2EhN/qwGu1pSqV +g8NTEQxzHQuyRpDRQjrOQG6Vrf/GlK1ul4SOfW+eioANSW1z4nuSHsPzwfPrLgVv2RvPN3YEyLRa +5Beny912H9AZdugsBbPWnDTYltxhh5EF5EQIM8HauQhl1K6yNg3ruji6DOWbnuuNZt2Zz9aJQfYE +koopKW1rOhzndX0CcQ7zwOe9yxndnWCywmZgtrEE7snmhrmaZkCo5xHtgUUDi/ZnWejBBhG93c+A +Ak9lQHhcR1DIm+YfgXvkRKhbhZri3lrVx/k6RGZL5DJUfORsnLMOPReisjQS1n6yqEm70XooQL6i +Fh/f5DcfEXP7kAplQ6INfPgGAVUzfbANuPT1rqVCV3w2EYx7XsQDnYx5nQIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUtZn4r7CU9eMg1gqtzk5WpC5u +Qu0wDQYJKoZIhvcNAQELBQADggIBACYGXnDnZTPIgm7ZnBc6G3pmsgH2eDtpXi/q/075KMOYKmFM +tCQSin1tERT3nLXK5ryeJ45MGcipvXrA1zYObYVybqjGom32+nNjf7xueQgcnYqfGopTpti72TVV +sRHFqQOzVju5hJMiXn7B9hJSi+osZ7z+Nkz1uM/Rs0mSO9MpDpkblvdhuDvEK7Z4bLQjb/D907Je +dR+Zlais9trhxTF7+9FGs9K8Z7RiVLoJ92Owk6Ka+elSLotgEqv89WBW7xBci8QaQtyDW2QOy7W8 +1k/BfDxujRNt+3vrMNDcTa/F1balTFtxyegxvug4BkihGuLq0t4SOVga/4AOgnXmt8kHbA7v/zjx +mHHEt38OFdAlab0inSvtBfZGR6ztwPDUO+Ls7pZbkBNOHlY667DvlruWIxG68kOGdGSVyCh13x01 +utI3gzhTODY7z2zp+WsO0PsE6E9312UBeIYMej4hYvF/Y3EMyZ9E26gnonW+boE+18DrG5gPcFw0 
+sorMwIUY6256s/daoQe/qUKS82Ail+QUoQebTnbAjn39pCXHR+3/H3OszMOl6W8KjptlwlCFtaOg +UxLMVYdh84GuEEZhvUQhuMI9dM9+JDX6HAcOmz0iyu8xL4ysEr3vQCj8KWefshNPZiTEUxnpHikV +7+ZtsH8tZ/3zbBt1RqPlShfppNcL +-----END CERTIFICATE----- + +ACCVRAIZ1 +========= +-----BEGIN CERTIFICATE----- +MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UEAwwJQUNDVlJB +SVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQswCQYDVQQGEwJFUzAeFw0xMTA1 +MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQBgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwH +UEtJQUNDVjENMAsGA1UECgwEQUNDVjELMAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQCbqau/YUqXry+XZpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gM +jmoYHtiP2Ra8EEg2XPBjs5BaXCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWoG2ioPej0 +RGy9ocLLA76MPhMAhN9KSMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpAlHPrzg5XPAOBOp0KoVdD +aaxXbXmQeOW1tDvYvEyNKKGno6e6Ak4l0Squ7a4DIrhrIA8wKFSVf+DuzgpmndFALW4ir50awQUZ +0m/A8p/4e7MCQvtQqR0tkw8jq8bBD5L/0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDG +WuzndN9wrqODJerWx5eHk6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs7 +8yM2x/474KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMOm3WR +5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpacXpkatcnYGMN285J +9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPluUsXQA+xtrn13k/c4LOsOxFwYIRK +Q26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYIKwYBBQUHAQEEcTBvMEwGCCsGAQUFBzAChkBodHRw +Oi8vd3d3LmFjY3YuZXMvZmlsZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRvcy9yYWl6YWNjdjEu +Y3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1UdDgQWBBTSh7Tj3zcnk1X2 +VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNKHtOPfNyeTVfZW6oHlNsyM +Hj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCCASIGCCsGAQUFBwICMIIBFB6CARAA +QQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUAcgB0AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBh +AO0AegAgAGQAZQAgAGwAYQAgAEEAQwBDAFYAIAAoAEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUA +YwBuAG8AbABvAGcA7QBhACAAeQAgAEMAZQByAHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBj +AHQAcgDzAG4AaQBjAGEALAAgAEMASQBGACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAAQwBQAFMA 
+IABlAG4AIABoAHQAdABwADoALwAvAHcAdwB3AC4AYQBjAGMAdgAuAGUAczAwBggrBgEFBQcCARYk +aHR0cDovL3d3dy5hY2N2LmVzL2xlZ2lzbGFjaW9uX2MuaHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0 +dHA6Ly93d3cuYWNjdi5lcy9maWxlYWRtaW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2 +MV9kZXIuY3JsMA4GA1UdDwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZI +hvcNAQEFBQADggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdpD70E +R9m+27Up2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gUJyCpZET/LtZ1qmxN +YEAZSUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+mAM/EKXMRNt6GGT6d7hmKG9Ww7Y49 +nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepDvV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt3OAJ +TS+xJlsndQAJxGJ3KQhfnlmstn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4nQeit2hW3 +sCPdK6jT2iWH7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBgvgW1m54ERL5h +I6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG7szAh1xA2syVP1Xg +Nce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xFd3+YJ5oyXSrjhO7FmGYvliAd +3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2HpPVWQxaZLPSkVrQ0uGE3ycJYgBugl6H8WY3p +EfbRD0tVNEYqi4Y7 +-----END CERTIFICATE----- + +TWCA Global Root CA +=================== +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcxEjAQBgNVBAoT +CVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMTVFdDQSBHbG9iYWwgUm9vdCBD +QTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQK +EwlUQUlXQU4tQ0ExEDAOBgNVBAsTB1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3Qg +Q0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2C +nJfF10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz0ALfUPZV +r2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfChMBwqoJimFb3u/Rk28OKR +Q4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbHzIh1HrtsBv+baz4X7GGqcXzGHaL3SekV +tTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1W +KKD+u4ZqyPpcC1jcxkt2yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99 +sy2sbZCilaLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYPoA/p 
+yJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQABDzfuBSO6N+pjWxn +kjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcEqYSjMq+u7msXi7Kx/mzhkIyIqJdI +zshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMC +AQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6g +cFGn90xHNcgL1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn +LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WFH6vPNOw/KP4M +8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNoRI2T9GRwoD2dKAXDOXC4Ynsg +/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlg +lPx4mI88k1HtQJAH32RjJMtOcQWh15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryP +A9gK8kxkRr05YuWW6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3m +i4TWnsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5jwa19hAM8 +EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWzaGHQRiapIVJpLesux+t3 +zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmyKwbQBM0= +-----END CERTIFICATE----- + +TeliaSonera Root CA v1 +====================== +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIRAJW+FqD3LkbxezmCcvqLzZYwDQYJKoZIhvcNAQEFBQAwNzEUMBIGA1UE +CgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlhU29uZXJhIFJvb3QgQ0EgdjEwHhcNMDcxMDE4 +MTIwMDUwWhcNMzIxMDE4MTIwMDUwWjA3MRQwEgYDVQQKDAtUZWxpYVNvbmVyYTEfMB0GA1UEAwwW +VGVsaWFTb25lcmEgUm9vdCBDQSB2MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMK+ +6yfwIaPzaSZVfp3FVRaRXP3vIb9TgHot0pGMYzHw7CTww6XScnwQbfQ3t+XmfHnqjLWCi65ItqwA +3GV17CpNX8GH9SBlK4GoRz6JI5UwFpB/6FcHSOcZrr9FZ7E3GwYq/t75rH2D+1665I+XZ75Ljo1k +B1c4VWk0Nj0TSO9P4tNmHqTPGrdeNjPUtAa9GAH9d4RQAEX1jF3oI7x+/jXh7VB7qTCNGdMJjmhn +Xb88lxhTuylixcpecsHHltTbLaC0H2kD7OriUPEMPPCs81Mt8Bz17Ww5OXOAFshSsCPN4D7c3TxH +oLs1iuKYaIu+5b9y7tL6pe0S7fyYGKkmdtwoSxAgHNN/Fnct7W+A90m7UwW7XWjH1Mh1Fj+JWov3 +F0fUTPHSiXk+TT2YqGHeOh7S+F4D4MHJHIzTjU3TlTazN19jY5szFPAtJmtTfImMMsJu7D0hADnJ +oWjiUIMusDor8zagrC/kb2HCUQk5PotTubtn2txTuXZZNp1D5SDgPTJghSJRt8czu90VL6R4pgd7 
+gUY2BIbdeTXHlSw7sKMXNeVzH7RcWe/a6hBle3rQf5+ztCo3O3CLm1u5K7fsslESl1MpWtTwEhDc +TwK7EpIvYtQ/aUN8Ddb8WHUBiJ1YFkveupD/RwGJBmr2X7KQarMCpgKIv7NHfirZ1fpoeDVNAgMB +AAGjPzA9MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTwj1k4ALP1j5qW +DNXr+nuqF+gTEjANBgkqhkiG9w0BAQUFAAOCAgEAvuRcYk4k9AwI//DTDGjkk0kiP0Qnb7tt3oNm +zqjMDfz1mgbldxSR651Be5kqhOX//CHBXfDkH1e3damhXwIm/9fH907eT/j3HEbAek9ALCI18Bmx +0GtnLLCo4MBANzX2hFxc469CeP6nyQ1Q6g2EdvZR74NTxnr/DlZJLo961gzmJ1TjTQpgcmLNkQfW +pb/ImWvtxBnmq0wROMVvMeJuScg/doAmAyYp4Db29iBT4xdwNBedY2gea+zDTYa4EzAvXUYNR0PV +G6pZDrlcjQZIrXSHX8f8MVRBE+LHIQ6e4B4N4cB7Q4WQxYpYxmUKeFfyxiMPAdkgS94P+5KFdSpc +c41teyWRyu5FrgZLAMzTsVlQ2jqIOylDRl6XK1TOU2+NSueW+r9xDkKLfP0ooNBIytrEgUy7onOT +JsjrDNYmiLbAJM+7vVvrdX3pCI6GMyx5dwlppYn8s3CQh3aP0yK7Qs69cwsgJirQmz1wHiRszYd2 +qReWt88NkvuOGKmYSdGe/mBEciG5Ge3C9THxOUiIkCR1VBatzvT4aRRkOfujuLpwQMcnHL/EVlP6 +Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVxSK236thZiNSQvxaz2ems +WWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= +-----END CERTIFICATE----- + +E-Tugra Certification Authority +=============================== +-----BEGIN CERTIFICATE----- +MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNVBAYTAlRSMQ8w +DQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamls +ZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMw +NTEyMDk0OFoXDTIzMDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmEx +QDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxl +cmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQD +DB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEA4vU/kwVRHoViVF56C/UYB4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vd +hQd2h8y/L5VMzH2nPbxHD5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5K +CKpbknSFQ9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEoq1+g 
+ElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3Dk14opz8n8Y4e0ypQ +BaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcHfC425lAcP9tDJMW/hkd5s3kc91r0 +E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsutdEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gz +rt48Ue7LE3wBf4QOXVGUnhMMti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAq +jqFGOjGY5RH8zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUXU8u3Zg5mTPj5 +dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6Jyr+zE7S6E5UMA8GA1UdEwEB +/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEG +MA0GCSqGSIb3DQEBCwUAA4ICAQAFNzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAK +kEh47U6YA5n+KGCRHTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jO +XKqYGwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c77NCR807 +VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3+GbHeJAAFS6LrVE1Uweo +a2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WKvJUawSg5TB9D0pH0clmKuVb8P7Sd2nCc +dlqMQ1DujjByTd//SffGqWfZbawCEeI6FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEV +KV0jq9BgoRJP3vQXzTLlyb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gT +Dx4JnW2PAJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpDy4Q0 +8ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8dNL/+I5c30jn6PQ0G +C7TbO6Orb1wdtn7os4I07QZcJA== +-----END CERTIFICATE----- + +T-TeleSec GlobalRoot Class 2 +============================ +-----BEGIN CERTIFICATE----- +MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoM +IlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBU +cnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgx +MDAxMTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lz +dGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD +ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0GCSqGSIb3 
+DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nzHoqvNK38DcLZ +SBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/F +vudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx970 +2cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGV +WOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGjQjBA +MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXy +YdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4 +r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPACuvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNf +vNoBYimipidx5joifsFvHZVwIEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR +3p1m0IvVVGb6g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN +9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6Fuwg== +-----END CERTIFICATE----- + +Atos TrustedRoot 2011 +===================== +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIIXDPLYixfszIwDQYJKoZIhvcNAQELBQAwPDEeMBwGA1UEAwwVQXRvcyBU +cnVzdGVkUm9vdCAyMDExMQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0xMTA3MDcxNDU4 +MzBaFw0zMDEyMzEyMzU5NTlaMDwxHjAcBgNVBAMMFUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsG +A1UECgwEQXRvczELMAkGA1UEBhMCREUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCV +hTuXbyo7LjvPpvMpNb7PGKw+qtn4TaA+Gke5vJrf8v7MPkfoepbCJI419KkM/IL9bcFyYie96mvr +54rMVD6QUM+A1JX76LWC1BTFtqlVJVfbsVD2sGBkWXppzwO3bw2+yj5vdHLqqjAqc2K+SZFhyBH+ +DgMq92og3AIVDV4VavzjgsG1xZ1kCWyjWZgHJ8cblithdHFsQ/H3NYkQ4J7sVaE3IqKHBAUsR320 +HLliKWYoyrfhk/WklAOZuXCFteZI6o1Q/NnezG8HDt0Lcp2AMBYHlT8oDv3FdU9T1nSatCQujgKR +z3bFmx5VdJx4IbHwLfELn8LVlhgf8FQieowHAgMBAAGjfTB7MB0GA1UdDgQWBBSnpQaxLKYJYO7R +l+lwrrw7GWzbITAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFKelBrEspglg7tGX6XCuvDsZ +bNshMBgGA1UdIAQRMA8wDQYLKwYBBAGwLQMEAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAmdzTblEiGKkGdLD4GkGDEjKwLVLgfuXvTBznk+j57sj1O7Z8jvZfza1zv7v1Apt+h +k6EKhqzvINB5Ab149xnYJDE0BAGmuhWawyfc2E8PzBhj/5kPDpFrdRbhIfzYJsdHt6bPWHJxfrrh 
+TZVHO8mvbaG0weyJ9rQPOLXiZNwlz6bb65pcmaHFCN795trV1lpFDMS3wrUU77QR/w4VtfX128a9 +61qn8FYiqTxlVMYVqL2Gns2Dlmh6cYGJ4Qvh6hEbaAjMaZ7snkGeRDImeuKHCnE96+RapNLbxc3G +3mB/ufNPRJLvKrcYPqcZ2Qt9sTdBQrC6YB3y/gkRsPCHe6ed +-----END CERTIFICATE----- + +QuoVadis Root CA 1 G3 +===================== +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIUeFhfLq0sGUvjNwc1NBMotZbUZZMwDQYJKoZIhvcNAQELBQAwSDELMAkG +A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJv +b3QgQ0EgMSBHMzAeFw0xMjAxMTIxNzI3NDRaFw00MjAxMTIxNzI3NDRaMEgxCzAJBgNVBAYTAkJN +MRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDEg +RzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgvlAQjunybEC0BJyFuTHK3C3kEakE +PBtVwedYMB0ktMPvhd6MLOHBPd+C5k+tR4ds7FtJwUrVu4/sh6x/gpqG7D0DmVIB0jWerNrwU8lm +PNSsAgHaJNM7qAJGr6Qc4/hzWHa39g6QDbXwz8z6+cZM5cOGMAqNF34168Xfuw6cwI2H44g4hWf6 +Pser4BOcBRiYz5P1sZK0/CPTz9XEJ0ngnjybCKOLXSoh4Pw5qlPafX7PGglTvF0FBM+hSo+LdoIN +ofjSxxR3W5A2B4GbPgb6Ul5jxaYA/qXpUhtStZI5cgMJYr2wYBZupt0lwgNm3fME0UDiTouG9G/l +g6AnhF4EwfWQvTA9xO+oabw4m6SkltFi2mnAAZauy8RRNOoMqv8hjlmPSlzkYZqn0ukqeI1RPToV +7qJZjqlc3sX5kCLliEVx3ZGZbHqfPT2YfF72vhZooF6uCyP8Wg+qInYtyaEQHeTTRCOQiJ/GKubX +9ZqzWB4vMIkIG1SitZgj7Ah3HJVdYdHLiZxfokqRmu8hqkkWCKi9YSgxyXSthfbZxbGL0eUQMk1f +iyA6PEkfM4VZDdvLCXVDaXP7a3F98N/ETH3Goy7IlXnLc6KOTk0k+17kBL5yG6YnLUlamXrXXAkg +t3+UuU/xDRxeiEIbEbfnkduebPRq34wGmAOtzCjvpUfzUwIDAQABo0IwQDAPBgNVHRMBAf8EBTAD +AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUo5fW816iEOGrRZ88F2Q87gFwnMwwDQYJKoZI +hvcNAQELBQADggIBABj6W3X8PnrHX3fHyt/PX8MSxEBd1DKquGrX1RUVRpgjpeaQWxiZTOOtQqOC +MTaIzen7xASWSIsBx40Bz1szBpZGZnQdT+3Btrm0DWHMY37XLneMlhwqI2hrhVd2cDMT/uFPpiN3 +GPoajOi9ZcnPP/TJF9zrx7zABC4tRi9pZsMbj/7sPtPKlL92CiUNqXsCHKnQO18LwIE6PWThv6ct +Tr1NxNgpxiIY0MWscgKCP6o6ojoilzHdCGPDdRS5YCgtW2jgFqlmgiNR9etT2DGbe+m3nUvriBbP ++V04ikkwj+3x6xn0dxoxGE1nVGwvb2X52z3sIexe9PSLymBlVNFxZPT5pqOBMzYzcfCkeF9OrYMh +3jRJjehZrJ3ydlo28hP0r+AJx2EqbPfgna67hkooby7utHnNkDPDs3b69fBsnQGQ+p6Q9pxyz0fa 
+wx/kNSBT8lTR32GDpgLiJTjehTItXnOQUl1CxM49S+H5GYQd1aJQzEH7QRTDvdbJWqNjZgKAvQU6 +O0ec7AAmTPWIUb+oI38YB7AL7YsmoWTTYUrrXJ/es69nA7Mf3W1daWhpq1467HxpvMc7hU6eFbm0 +FU/DlXpY18ls6Wy58yljXrQs8C097Vpl4KlbQMJImYFtnh8GKjwStIsPm6Ik8KaN1nrgS7ZklmOV +hMJKzRwuJIczYOXD +-----END CERTIFICATE----- + +QuoVadis Root CA 2 G3 +===================== +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQELBQAwSDELMAkG +A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJv +b3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJN +MRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIg +RzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFh +ZiFfqq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMWn4rjyduY +NM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ymc5GQYaYDFCDy54ejiK2t +oIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+O7q414AB+6XrW7PFXmAqMaCvN+ggOp+o +MiwMzAkd056OXbxMmO7FGmh77FOm6RQ1o9/NgJ8MSPsc9PG/Srj61YxxSscfrf5BmrODXfKEVu+l +V0POKa2Mq1W/xPtbAd0jIaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB1PLKFAeNilUSxmn1uIZo +L1NesNKqIcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt9DTEceT/AFr2XK4jYIVz8eQQ +sSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0ykRVKYnLP43ehvNURG3YBZwjgQQvD +6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9Uy3l7ZizlWNof/k19N+IxWA1ksB8aRxh +lRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALGcC4BrTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTAD +AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZI +hvcNAQELBQADggIBAJHfgD9DCX5xwvfrs4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66 +AarHakE7kNQIXLJgapDwyM4DYvmL7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RCroijQ1h5fq7K +pVMNqT1wvSAZYaRsOPxDMuHBR//47PERIjKWnML2W2mWeyAMQ0GaW/ZZGYjeVYg3UQt4XAoeo0L9 +x52ID8DyeAIkVJOviYeIyUqAHerQbj5hLja7NQ4nlv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgz +dWqTHBLmYF5vHX/JHyPLhGGfHoJE+V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6X +U/IyAgkwo1jwDQHVcsaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+Nw 
+mNtddbINWQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNgKCLjsZWD +zYWm3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeMHVOyToV7BjjHLPj4sHKN +JeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4WSr2Rz0ZiC3oheGe7IUIarFsNMkd7Egr +O3jtZsSOeWmD3n+M +-----END CERTIFICATE----- + +QuoVadis Root CA 3 G3 +===================== +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIULvWbAiin23r/1aOp7r0DoM8Sah0wDQYJKoZIhvcNAQELBQAwSDELMAkG +A1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJv +b3QgQ0EgMyBHMzAeFw0xMjAxMTIyMDI2MzJaFw00MjAxMTIyMDI2MzJaMEgxCzAJBgNVBAYTAkJN +MRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDMg +RzMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCzyw4QZ47qFJenMioKVjZ/aEzHs286 +IxSR/xl/pcqs7rN2nXrpixurazHb+gtTTK/FpRp5PIpM/6zfJd5O2YIyC0TeytuMrKNuFoM7pmRL +Mon7FhY4futD4tN0SsJiCnMK3UmzV9KwCoWdcTzeo8vAMvMBOSBDGzXRU7Ox7sWTaYI+FrUoRqHe +6okJ7UO4BUaKhvVZR74bbwEhELn9qdIoyhA5CcoTNs+cra1AdHkrAj80//ogaX3T7mH1urPnMNA3 +I4ZyYUUpSFlob3emLoG+B01vr87ERRORFHAGjx+f+IdpsQ7vw4kZ6+ocYfx6bIrc1gMLnia6Et3U +VDmrJqMz6nWB2i3ND0/kA9HvFZcba5DFApCTZgIhsUfei5pKgLlVj7WiL8DWM2fafsSntARE60f7 +5li59wzweyuxwHApw0BiLTtIadwjPEjrewl5qW3aqDCYz4ByA4imW0aucnl8CAMhZa634RylsSqi +Md5mBPfAdOhx3v89WcyWJhKLhZVXGqtrdQtEPREoPHtht+KPZ0/l7DxMYIBpVzgeAVuNVejH38DM +dyM0SXV89pgR6y3e7UEuFAUCf+D+IOs15xGsIs5XPd7JMG0QA4XN8f+MFrXBsj6IbGB/kE+V9/Yt +rQE5BwT6dYB9v0lQ7e/JxHwc64B+27bQ3RP+ydOc17KXqQIDAQABo0IwQDAPBgNVHRMBAf8EBTAD +AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUxhfQvKjqAkPyGwaZXSuQILnXnOQwDQYJKoZI +hvcNAQELBQADggIBADRh2Va1EodVTd2jNTFGu6QHcrxfYWLopfsLN7E8trP6KZ1/AvWkyaiTt3px +KGmPc+FSkNrVvjrlt3ZqVoAh313m6Tqe5T72omnHKgqwGEfcIHB9UqM+WXzBusnIFUBhynLWcKzS +t/Ac5IYp8M7vaGPQtSCKFWGafoaYtMnCdvvMujAWzKNhxnQT5WvvoxXqA/4Ti2Tk08HS6IT7SdEQ +TXlm66r99I0xHnAUrdzeZxNMgRVhvLfZkXdxGYFgu/BYpbWcC/ePIlUnwEsBbTuZDdQdm2NnL9Du +DcpmvJRPpq3t/O5jrFc/ZSXPsoaP0Aj/uHYUbt7lJ+yreLVTubY/6CD50qi+YUbKh4yE8/nxoGib +Ih6BJpsQBJFxwAYf3KDTuVan45gtf4Od34wrnDKOMpTwATwiKp9Dwi7DmDkHOHv8XgBCH/MyJnmD 
+hPbl8MFREsALHgQjDFSlTC9JxUrRtm5gDWv8a4uFJGS3iQ6rJUdbPM9+Sb3H6QrG2vd+DhcI00iX +0HGS8A85PjRqHH3Y8iKuu2n0M7SmSFXRDw4m6Oy2Cy2nhTXN/VnIn9HNPlopNLk9hM6xZdRZkZFW +dSHBd575euFgndOtBBj0fOtek49TSiIp+EgrPk2GrFt/ywaZWWDYWGWVjUTR939+J399roD1B0y2 +PpxxVJkES/1Y+Zj0 +-----END CERTIFICATE----- + +DigiCert Assured ID Root G2 +=========================== +-----BEGIN CERTIFICATE----- +MIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBlMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQw +IgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIwHhcNMTMwODAxMTIwMDAwWhcNMzgw +MTE1MTIwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQL +ExB3d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ5ygvUj82ckmIkzTz+GoeMVSAn61UQbVH +35ao1K+ALbkKz3X9iaV9JPrjIgwrvJUXCzO/GU1BBpAAvQxNEP4HteccbiJVMWWXvdMX0h5i89vq +bFCMP4QMls+3ywPgym2hFEwbid3tALBSfK+RbLE4E9HpEgjAALAcKxHad3A2m67OeYfcgnDmCXRw +VWmvo2ifv922ebPynXApVfSr/5Vh88lAbx3RvpO704gqu52/clpWcTs/1PPRCv4o76Pu2ZmvA9OP +YLfykqGxvYmJHzDNw6YuYjOuFgJ3RFrngQo8p0Quebg/BLxcoIfhG69Rjs3sLPr4/m3wOnyqi+Rn +lTGNAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTO +w0q5mVXyuNtgv6l+vVa1lzan1jANBgkqhkiG9w0BAQsFAAOCAQEAyqVVjOPIQW5pJ6d1Ee88hjZv +0p3GeDgdaZaikmkuOGybfQTUiaWxMTeKySHMq2zNixya1r9I0jJmwYrA8y8678Dj1JGG0VDjA9tz +d29KOVPt3ibHtX2vK0LRdWLjSisCx1BL4GnilmwORGYQRI+tBev4eaymG+g3NJ1TyWGqolKvSnAW +hsI6yLETcDbYz+70CjTVW0z9B5yiutkBclzzTcHdDrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0M +jomZmWzwPDCvON9vvKO+KSAnq3T/EyJ43pdSVR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwo +IhNzbM8m9Yop5w== +-----END CERTIFICATE----- + +DigiCert Assured ID Root G3 +=========================== +-----BEGIN CERTIFICATE----- +MIICRjCCAc2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQswCQYDVQQGEwJV +UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSQwIgYD +VQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1 
+MTIwMDAwWjBlMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQZ57ysRGXtzbg/WPuNsVepRC0FFfLvC/8QdJ+1YlJfZn4f5dwb +RXkLzMZTCp2NXQLZqVneAlr2lSoOjThKiknGvMYDOAdfVdp+CW7if17QRSAPWXYQ1qAk8C3eNvJs +KTmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTL0L2p4ZgF +UaFNN6KDec6NHSrkhDAKBggqhkjOPQQDAwNnADBkAjAlpIFFAmsSS3V0T8gj43DydXLefInwz5Fy +YZ5eEJJZVrmDxxDnOOlYJjZ91eQ0hjkCMHw2U/Aw5WJjOpnitqM7mzT6HtoQknFekROn3aRukswy +1vUhZscv6pZjamVFkpUBtA== +-----END CERTIFICATE----- + +DigiCert Global Root G2 +======================= +-----BEGIN CERTIFICATE----- +MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAw +HgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUx +MjAwMDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3 +dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI2/Ou8jqJ +kTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx1x7e/dfgy5SDN67sH0NO +3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQq2EGnI/yuum06ZIya7XzV+hdG82MHauV +BJVJ8zUtluNJbd134/tJS7SsVQepj5WztCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyM +UNGPHgm+F6HmIcr9g+UQvIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQAB +o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV5uNu +5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY1Yl9PMWLSn/pvtsr +F9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4NeF22d+mQrvHRAiGfzZ0JFrabA0U +WTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NGFdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBH +QRFXGU7Aj64GxJUTFy8bJZ918rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/ +iyK5S9kJRaTepLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl +MrY= +-----END CERTIFICATE----- + +DigiCert Global Root G3 
+======================= +-----BEGIN CERTIFICATE----- +MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQswCQYDVQQGEwJV +UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYD +VQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAw +MDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5k +aWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0C +AQYFK4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FGfp4tn+6O +YwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPOZ9wj/wMco+I+o0IwQDAP +BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNp +Yim8S8YwCgYIKoZIzj0EAwMDaAAwZQIxAK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y +3maTD/HMsQmP3Wyr+mt/oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34 +VOKa5Vt8sycX +-----END CERTIFICATE----- + +DigiCert Trusted Root G4 +======================== +-----BEGIN CERTIFICATE----- +MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBiMQswCQYDVQQG +EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSEw +HwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1 +MTIwMDAwWjBiMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0G +CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3yithZwuEp +pz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1Ifxp4VpX6+n6lXFllVcq9o +k3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDVySAdYyktzuxeTsiT+CFhmzTrBcZe7Fsa +vOvJz82sNEBfsXpm7nfISKhmV1efVFiODCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGY +QJB5w3jHtrHEtWoYOAMQjdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6 +MUSaM0C/CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCiEhtm +mnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADMfRyVw4/3IbKyEbe7 +f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QYuKZ3AeEPlAwhHbJUKSWJbOUOUlFH 
+dL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXKchYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8 +oR7FwI+isX4KJpn15GkvmB0t9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud +DwEB/wQEAwIBhjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD +ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2SV1EY+CtnJYY +ZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd+SeuMIW59mdNOj6PWTkiU0Tr +yF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWcfFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy +7zBZLq7gcfJW5GqXb5JQbZaNaHqasjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iah +ixTXTBmyUEFxPT9NcCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN +5r5N0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie4u1Ki7wb +/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mIr/OSmbaz5mEP0oUA51Aa +5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tK +G48BtieVU+i2iW1bvGjUI+iLUaJW+fCmgKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP +82Z+ +-----END CERTIFICATE----- + +COMODO RSA Certification Authority +================================== +-----BEGIN CERTIFICATE----- +MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCBhTELMAkGA1UE +BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG +A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwHhcNMTAwMTE5MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMC +R0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UE +ChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR6FSS0gpWsawNJN3Fz0Rn +dJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8Xpz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZ +FGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+ +5eNu/Nio5JIk2kNrYrhV/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pG +x8cgoLEfZd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z+pUX 
+2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7wqP/0uK3pN/u6uPQL +OvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZahSL0896+1DSJMwBGB7FY79tOi4lu3 +sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVICu9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+C +GCe01a60y1Dma/RMhnEw6abfFobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5 +WdYgGq/yapiqcrxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E +FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w +DQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvlwFTPoCWOAvn9sKIN9SCYPBMt +rFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+ +nq6PK7o9mfjYcwlYRm6mnPTXJ9OV2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSg +tZx8jb8uk2IntznaFxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwW +sRqZCuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiKboHGhfKp +pC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmckejkk9u+UJueBPSZI9FoJA +zMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yLS0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHq +ZJx64SIDqZxubw5lT2yHh17zbqD5daWbQOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk52 +7RH89elWsn2/x20Kk4yl0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7I +LaZRfyHBNVOFBkpdn627G190 +-----END CERTIFICATE----- + +USERTrust RSA Certification Authority +===================================== +-----BEGIN CERTIFICATE----- +MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCBiDELMAkGA1UE +BhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQK +ExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UE +BhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQK +ExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCAEmUXNg7D2wiz +0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2j 
+Y0K2dvKpOyuR+OJv0OwWIJAJPuLodMkYtJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFn +RghRy4YUVD+8M/5+bJz/Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O ++T23LLb2VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT79uq +/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6c0Plfg6lZrEpfDKE +Y1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmTYo61Zs8liM2EuLE/pDkP2QKe6xJM +lXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97lc6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8 +yexDJtC/QV9AqURE9JnnV4eeUB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+ +eLf8ZxXhyVeEHg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd +BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPFUp/L+M+ZBn8b2kMVn54CVVeW +FPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KOVWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ +7l8wXEskEVX/JJpuXior7gtNn3/3ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQ +Eg9zKC7F4iRO/Fjs8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM +8WcRiQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYzeSf7dNXGi +FSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZXHlKYC6SQK5MNyosycdi +yA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9c +J2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRBVXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGw +sAvgnEzDHNb842m1R0aBL6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gx +Q+6IHdfGjjxDah2nGN59PRbxYvnKkKj9 +-----END CERTIFICATE----- + +USERTrust ECC Certification Authority +===================================== +-----BEGIN CERTIFICATE----- +MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU +aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU 
+aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqfloI+d61SRvU8Za2EurxtW2 +0eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinngo4N+LZfQYcTxmdwlkWOrfzCjtHDix6Ez +nPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNV +HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBB +HU6+4WMBzzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbWRNZu +9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg= +-----END CERTIFICATE----- + +GlobalSign ECC Root CA - R4 +=========================== +-----BEGIN CERTIFICATE----- +MIIB4TCCAYegAwIBAgIRKjikHJYKBN5CsiilC+g0mAIwCgYIKoZIzj0EAwIwUDEkMCIGA1UECxMb +R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD +EwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMb +R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD +EwpHbG9iYWxTaWduMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMZ5049sJQ6fLjkZHAOkrprl +OQcJFspjsbmG+IpXwVfOQvpzofdlQv8ewQCybnMO/8ch5RikqtlxP6jUuc6MHaNCMEAwDgYDVR0P +AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFSwe61FuOJAf/sKbvu+M8k8o4TV +MAoGCCqGSM49BAMCA0gAMEUCIQDckqGgE6bPA7DmxCGXkPoUVy0D7O48027KqGx2vKLeuwIgJ6iF +JzWbVsaj8kfSt24bAgAXqmemFZHe+pTsewv4n4Q= +-----END CERTIFICATE----- + +GlobalSign ECC Root CA - R5 +=========================== +-----BEGIN CERTIFICATE----- +MIICHjCCAaSgAwIBAgIRYFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEkMCIGA1UECxMb +R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD +EwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMb +R2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQD +EwpHbG9iYWxTaWduMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6 +SFkc8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8kehOvRnkmS +h5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAd 
+BgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYIKoZIzj0EAwMDaAAwZQIxAOVpEslu28Yx +uglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7 +yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3 +-----END CERTIFICATE----- + +Staat der Nederlanden Root CA - G3 +================================== +-----BEGIN CERTIFICATE----- +MIIFdDCCA1ygAwIBAgIEAJiiOTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJOTDEeMBwGA1UE +CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSswKQYDVQQDDCJTdGFhdCBkZXIgTmVkZXJsYW5kZW4g +Um9vdCBDQSAtIEczMB4XDTEzMTExNDExMjg0MloXDTI4MTExMzIzMDAwMFowWjELMAkGA1UEBhMC +TkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRlcmxhbmRlbjErMCkGA1UEAwwiU3RhYXQgZGVyIE5l +ZGVybGFuZGVuIFJvb3QgQ0EgLSBHMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL4y +olQPcPssXFnrbMSkUeiFKrPMSjTysF/zDsccPVMeiAho2G89rcKezIJnByeHaHE6n3WWIkYFsO2t +x1ueKt6c/DrGlaf1F2cY5y9JCAxcz+bMNO14+1Cx3Gsy8KL+tjzk7FqXxz8ecAgwoNzFs21v0IJy +EavSgWhZghe3eJJg+szeP4TrjTgzkApyI/o1zCZxMdFyKJLZWyNtZrVtB0LrpjPOktvA9mxjeM3K +Tj215VKb8b475lRgsGYeCasH/lSJEULR9yS6YHgamPfJEf0WwTUaVHXvQ9Plrk7O53vDxk5hUUur +mkVLoR9BvUhTFXFkC4az5S6+zqQbwSmEorXLCCN2QyIkHxcE1G6cxvx/K2Ya7Irl1s9N9WMJtxU5 +1nus6+N86U78dULI7ViVDAZCopz35HCz33JvWjdAidiFpNfxC95DGdRKWCyMijmev4SH8RY7Ngzp +07TKbBlBUgmhHbBqv4LvcFEhMtwFdozL92TkA1CvjJFnq8Xy7ljY3r735zHPbMk7ccHViLVlvMDo +FxcHErVc0qsgk7TmgoNwNsXNo42ti+yjwUOH5kPiNL6VizXtBznaqB16nzaeErAMZRKQFWDZJkBE +41ZgpRDUajz9QdwOWke275dhdU/Z/seyHdTtXUmzqWrLZoQT1Vyg3N9udwbRcXXIV2+vD3dbAgMB +AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRUrfrHkleu +yjWcLhL75LpdINyUVzANBgkqhkiG9w0BAQsFAAOCAgEAMJmdBTLIXg47mAE6iqTnB/d6+Oea31BD +U5cqPco8R5gu4RV78ZLzYdqQJRZlwJ9UXQ4DO1t3ApyEtg2YXzTdO2PCwyiBwpwpLiniyMMB8jPq +KqrMCQj3ZWfGzd/TtiunvczRDnBfuCPRy5FOCvTIeuXZYzbB1N/8Ipf3YF3qKS9Ysr1YvY2WTxB1 +v0h7PVGHoTx0IsL8B3+A3MSs/mrBcDCw6Y5p4ixpgZQJut3+TcCDjJRYwEYgr5wfAvg1VUkvRtTA +8KCWAg8zxXHzniN9lLf9OtMJgwYh/WA9rjLA0u6NpvDntIJ8CsxwyXmA+P5M9zWEGYox+wrZ13+b +8KKaa8MFSu1BYBQw0aoRQm7TIwIEC8Zl3d1Sd9qBa7Ko+gE4uZbqKmxnl4mUnrzhVNXkanjvSr0r 
+mj1AfsbAddJu+2gw7OyLnflJNZoaLNmzlTnVHpL3prllL+U9bTpITAjc5CgSKL59NVzq4BZ+Extq +1z7XnvwtdbLBFNUjA9tbbws+eC8N3jONFrdI54OagQ97wUNNVQQXOEpR1VmiiXTTn74eS9fGbbeI +JG9gkaSChVtWQbzQRKtqE77RLFi3EjNYsjdj3BP1lB0/QFH1T/U67cjF68IeHRaVesd+QnGTbksV +tzDfqu1XhUisHWrdOWnk4Xl4vs4Fv6EM94B7IWcnMFk= +-----END CERTIFICATE----- + +Staat der Nederlanden EV Root CA +================================ +-----BEGIN CERTIFICATE----- +MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJOTDEeMBwGA1UE +CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJsYW5kZW4g +RVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0yMjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5M +MR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRl +cmxhbmRlbiBFViBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkk +SzrSM4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nCUiY4iKTW +O0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3dZ//BYY1jTw+bbRcwJu+r +0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46prfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8 +Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13lpJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gV +XJrm0w912fxBmJc+qiXbj5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr +08C+eKxCKFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS/ZbV +0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0XcgOPvZuM5l5Tnrmd +74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH1vI4gnPah1vlPNOePqc7nvQDs/nx +fRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrPpx9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNC +MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwa +ivsnuL8wbqg7MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u2dfOWBfoqSmu +c0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHSv4ilf0X8rLiltTMMgsT7B/Zq +5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTCwPTxGfARKbalGAKb12NMcIxHowNDXLldRqAN +b/9Zjr7dn3LDWyvfjFvO5QxGbJKyCqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tN 
+f1zuacpzEPuKqf2evTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi +5Dp6Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIaGl6I6lD4 +WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeLeG9QgkRQP2YGiqtDhFZK +DyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGy +eUN51q1veieQA6TqJIc/2b3Z6fJfUEkc7uzXLg== +-----END CERTIFICATE----- + +IdenTrust Commercial Root CA 1 +============================== +-----BEGIN CERTIFICATE----- +MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQG +EwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBS +b290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzES +MBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENB +IDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ld +hNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU+ehcCuz/ +mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi +1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0C +XZ/g1Ue9tOsbobtJSdifWwLziuQkkORiT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl +3ZBWzvurpWCdxJ35UrCLvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzy +NeVJSQjKVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzV +WYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAg +xGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHix +uuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC +AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZI +hvcNAQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH +6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqas6pg +ghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cndJZ5t+qnt +ozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmV 
+YjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUX +feu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/ro +kTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG4iZZRHUe +2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZmUlO+KWA2yUPHGNiiskz +Z2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7R +cGzM7vRX+Bi6hG6H +-----END CERTIFICATE----- + +IdenTrust Public Sector Root CA 1 +================================= +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQG +EwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3Rv +ciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcNMzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJV +UzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBS +b290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTy +P4o7ekosMSqMjbCpwzFrqHd2hCa2rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGyRBb06tD6 +Hi9e28tzQa68ALBKK0CyrOE7S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlSbdsHyo+1W/CD80/HLaXI +rcuVIKQxKFdYWuSNG5qrng0M8gozOSI5Cpcu81N3uURF/YTLNiCBWS2ab21ISGHKTN9T0a9SvESf +qy9rg3LvdYDaBjMbXcjaY8ZNzaxmMc3R3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoS +mJxZZoY+rfGwyj4GD3vwEUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFn +ol57plzy9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9VGxyh +LrXHFub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ2fjXctscvG29ZV/v +iDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsVWaFHVCkugyhfHMKiq3IXAAaOReyL +4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gDW/3FKqD2cyOEEBsB5wIDAQABo0IwQDAOBgNVHQ8B +Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFrlJPrw6PRFKMw +DQYJKoZIhvcNAQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnYWv6IAcVYpZmxI1Qj +t2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa5hV+rVHVDRDtfULAj+7A +mgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9TaDKQGXSc3z1i9kKlT/YPyNt 
+GtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8GlwmEKYBhHfpe/3OsoOOJuBxxFcbeMX8S3OFt +m6/n6J91eEyrRjuazr8FGF1NFTwWmhlQBJqymm9li1JfPFgEKCXAZmExfrngdbkaqIHWchezxQMx +NRF4eKLg6TCMf4DfWN88uieW4oA0beOY02QnrEh+KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4 +Mhn5+bl53B/N66+rDt0b20XkeucC4pVd/GnwU2lhlXV5C15V5jgclKlZM57IcXR5f1GJtshquDDI +ajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nzfxJoCTFx8G34Tkf71oXuxVhAGaQdp/lLQzfcaFpPz+vC +ZHTetBXZ9FRUGi8c15dxVJCO2SCdUyt/q4/i6jC8UDfv8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ +3Wl9af0AVqW3rLatt8o+Ae+c +-----END CERTIFICATE----- + +Entrust Root Certification Authority - G2 +========================================= +-----BEGIN CERTIFICATE----- +MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMCVVMxFjAUBgNV +BAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVy +bXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ug +b25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIw +HhcNMDkwNzA3MTcyNTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoT +DUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMx +OTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25s +eTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP +/vaCeb9zYQYKpSfYs1/TRU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXz +HHfV1IWNcCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hWwcKU +s/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1U1+cPvQXLOZprE4y +TGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0jaWvYkxN4FisZDQSA/i2jZRjJKRx +AgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ6 +0B7vfec7aVHUbI2fkBJmqzANBgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5Z +iXMRrEPR9RP/jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ +Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v1fN2D807iDgi 
+nWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4RnAuknZoh8/CbCzB428Hch0P+ +vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmHVHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xO +e4pIb4tF9g== +-----END CERTIFICATE----- + +Entrust Root Certification Authority - EC1 +========================================== +-----BEGIN CERTIFICATE----- +MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkGA1UEBhMCVVMx +FjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVn +YWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXpl +ZCB1c2Ugb25seTEzMDEGA1UEAxMqRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +IC0gRUMxMB4XDTEyMTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYw +FAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2Fs +LXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQg +dXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAt +IEVDMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHy +AsWfoPZb1YsGGYZPUxBtByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef +9eNi1KlHBz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE +FLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVCR98crlOZF7ZvHH3h +vxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nXhTcGtXsI/esni0qU+eH6p44mCOh8 +kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G +-----END CERTIFICATE----- + +CFCA EV ROOT +============ +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgIEGErM1jANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDTjEwMC4GA1UE +CgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxDRkNB +IEVWIFJPT1QwHhcNMTIwODA4MDMwNzAxWhcNMjkxMjMxMDMwNzAxWjBWMQswCQYDVQQGEwJDTjEw +MC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQD +DAxDRkNBIEVWIFJPT1QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXXWvNED8fBVnV +BU03sQ7smCuOFR36k0sXgiFxEFLXUWRwFsJVaU2OFW2fvwwbwuCjZ9YMrM8irq93VCpLTIpTUnrD +7i7es3ElweldPe6hL6P3KjzJIx1qqx2hp/Hz7KDVRM8Vz3IvHWOX6Jn5/ZOkVIBMUtRSqy5J35DN 
+uF++P96hyk0g1CXohClTt7GIH//62pCfCqktQT+x8Rgp7hZZLDRJGqgG16iI0gNyejLi6mhNbiyW +ZXvKWfry4t3uMCz7zEasxGPrb382KzRzEpR/38wmnvFyXVBlWY9ps4deMm/DGIq1lY+wejfeWkU7 +xzbh72fROdOXW3NiGUgthxwG+3SYIElz8AXSG7Ggo7cbcNOIabla1jj0Ytwli3i/+Oh+uFzJlU9f +py25IGvPa931DfSCt/SyZi4QKPaXWnuWFo8BGS1sbn85WAZkgwGDg8NNkt0yxoekN+kWzqotaK8K +gWU6cMGbrU1tVMoqLUuFG7OA5nBFDWteNfB/O7ic5ARwiRIlk9oKmSJgamNgTnYGmE69g60dWIol +hdLHZR4tjsbftsbhf4oEIRUpdPA+nJCdDC7xij5aqgwJHsfVPKPtl8MeNPo4+QgO48BdK4PRVmrJ +tqhUUy54Mmc9gn900PvhtgVguXDbjgv5E1hvcWAQUhC5wUEJ73IfZzF4/5YFjQIDAQABo2MwYTAf +BgNVHSMEGDAWgBTj/i39KNALtbq2osS/BqoFjJP7LzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB +/wQEAwIBBjAdBgNVHQ4EFgQU4/4t/SjQC7W6tqLEvwaqBYyT+y8wDQYJKoZIhvcNAQELBQADggIB +ACXGumvrh8vegjmWPfBEp2uEcwPenStPuiB/vHiyz5ewG5zz13ku9Ui20vsXiObTej/tUxPQ4i9q +ecsAIyjmHjdXNYmEwnZPNDatZ8POQQaIxffu2Bq41gt/UP+TqhdLjOztUmCypAbqTuv0axn96/Ua +4CUqmtzHQTb3yHQFhDmVOdYLO6Qn+gjYXB74BGBSESgoA//vU2YApUo0FmZ8/Qmkrp5nGm9BC2sG +E5uPhnEFtC+NiWYzKXZUmhH4J/qyP5Hgzg0b8zAarb8iXRvTvyUFTeGSGn+ZnzxEk8rUQElsgIfX +BDrDMlI1Dlb4pd19xIsNER9Tyx6yF7Zod1rg1MvIB671Oi6ON7fQAUtDKXeMOZePglr4UeWJoBjn +aH9dCi77o0cOPaYjesYBx4/IXr9tgFa+iiS6M+qf4TIRnvHST4D2G0CvOJ4RUHlzEhLN5mydLIhy +PDCBBpEi6lmt2hkuIsKNuYyH4Ga8cyNfIWRjgEj1oDwYPZTISEEdQLpe/v5WOaHIz16eGWRGENoX +kbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+ZAAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3C +ekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su +-----END CERTIFICATE----- + +Certinomis - Root CA +==================== +-----BEGIN CERTIFICATE----- +MIIFkjCCA3qgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJGUjETMBEGA1UEChMK +Q2VydGlub21pczEXMBUGA1UECxMOMDAwMiA0MzM5OTg5MDMxHTAbBgNVBAMTFENlcnRpbm9taXMg +LSBSb290IENBMB4XDTEzMTAyMTA5MTcxOFoXDTMzMTAyMTA5MTcxOFowWjELMAkGA1UEBhMCRlIx +EzARBgNVBAoTCkNlcnRpbm9taXMxFzAVBgNVBAsTDjAwMDIgNDMzOTk4OTAzMR0wGwYDVQQDExRD +ZXJ0aW5vbWlzIC0gUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANTMCQos +P5L2fxSeC5yaah1AMGT9qt8OHgZbn1CF6s2Nq0Nn3rD6foCWnoR4kkjW4znuzuRZWJflLieY6pOo 
+d5tK8O90gC3rMB+12ceAnGInkYjwSond3IjmFPnVAy//ldu9n+ws+hQVWZUKxkd8aRi5pwP5ynap +z8dvtF4F/u7BUrJ1Mofs7SlmO/NKFoL21prbcpjp3vDFTKWrteoB4owuZH9kb/2jJZOLyKIOSY00 +8B/sWEUuNKqEUL3nskoTuLAPrjhdsKkb5nPJWqHZZkCqqU2mNAKthH6yI8H7KsZn9DS2sJVqM09x +RLWtwHkziOC/7aOgFLScCbAK42C++PhmiM1b8XcF4LVzbsF9Ri6OSyemzTUK/eVNfaoqoynHWmgE +6OXWk6RiwsXm9E/G+Z8ajYJJGYrKWUM66A0ywfRMEwNvbqY/kXPLynNvEiCL7sCCeN5LLsJJwx3t +FvYk9CcbXFcx3FXuqB5vbKziRcxXV4p1VxngtViZSTYxPDMBbRZKzbgqg4SGm/lg0h9tkQPTYKbV +PZrdd5A9NaSfD171UkRpucC63M9933zZxKyGIjK8e2uR73r4F2iw4lNVYC2vPsKD2NkJK/DAZNuH +i5HMkesE/Xa0lZrmFAYb1TQdvtj/dBxThZngWVJKYe2InmtJiUZ+IFrZ50rlau7SZRFDAgMBAAGj +YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTvkUz1pcMw6C8I +6tNxIqSSaHh02TAfBgNVHSMEGDAWgBTvkUz1pcMw6C8I6tNxIqSSaHh02TANBgkqhkiG9w0BAQsF +AAOCAgEAfj1U2iJdGlg+O1QnurrMyOMaauo++RLrVl89UM7g6kgmJs95Vn6RHJk/0KGRHCwPT5iV +WVO90CLYiF2cN/z7ZMF4jIuaYAnq1fohX9B0ZedQxb8uuQsLrbWwF6YSjNRieOpWauwK0kDDPAUw +Pk2Ut59KA9N9J0u2/kTO+hkzGm2kQtHdzMjI1xZSg081lLMSVX3l4kLr5JyTCcBMWwerx20RoFAX +lCOotQqSD7J6wWAsOMwaplv/8gzjqh8c3LigkyfeY+N/IZ865Z764BNqdeuWXGKRlI5nU7aJ+BIJ +y29SWwNyhlCVCNSNh4YVH5Uk2KRvms6knZtt0rJ2BobGVgjF6wnaNsIbW0G+YSrjcOa4pvi2WsS9 +Iff/ql+hbHY5ZtbqTFXhADObE5hjyW/QASAJN1LnDE8+zbz1X5YnpyACleAu6AdBBR8Vbtaw5Bng +DwKTACdyxYvRVB9dSsNAl35VpnzBMwQUAR1JIGkLGZOdblgi90AMRgwjY/M50n92Uaf0yKHxDHYi +I0ZSKS3io0EHVmmY0gUJvGnHWmHNj4FgFU2A3ZDifcRQ8ow7bkrHxuaAKzyBvBGAFhAn1/DNP3nM +cyrDflOR1m749fPH0FFNjkulW+YZFzvWgQncItzujrnEj1PhZ7szuIgVRs/taTX/dQ1G885x4cVr +hkIGuUE= +-----END CERTIFICATE----- + +OISTE WISeKey Global Root GB CA +=============================== +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQG +EwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUgRm91bmRhdGlvbiBFbmRvcnNl +ZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9iYWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAw +MzJaFw0zOTEyMDExNTEwMzFaMG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYD 
+VQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEds +b2JhbCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3HEokKtaX +scriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGxWuR51jIjK+FTzJlFXHtP +rby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk +9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNku7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4o +Qnc/nSMbsrY9gBQHTC5P99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvg +GUpuuy9rM2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZI +hvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrghcViXfa43FK8+5/ea4n32cZiZBKpD +dHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0 +VQreUGdNZtGn//3ZwLWoo4rOZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEui +HZeeevJuQHHfaPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic +Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM= +-----END CERTIFICATE----- + +SZAFIR ROOT CA2 +=============== +-----BEGIN CERTIFICATE----- +MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk1uQwDQYJKoZIhvcNAQELBQAwUTELMAkG +A1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6ZW5pb3dhIFMuQS4xGDAWBgNV +BAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEwMTkwNzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJ +BgNVBAYTAlBMMSgwJgYDVQQKDB9LcmFqb3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYD +VQQDDA9TWkFGSVIgUk9PVCBDQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5Q +qEvNQLXOYeeWyrSh2gwisPq1e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT3PSQ1hNK +DJA8w/Ta0o4NkjrcsbH/ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw3gAeqDRHu5rr/gsUvTaE +2g0gv/pby6kWIK05YO4vdbbnl5z5Pv1+TW9NL++IDWr63fE9biCloBK0TXC5ztdyO4mTp4CEHCdJ +ckm1/zuVnsHMyAHs6A6KCpbns6aH5db5BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwi +ieDhZNRnvDF5YTy7ykHNXGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P +AQH/BAQDAgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsFAAOC 
+AQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw8PRBEew/R40/cof5 +O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOGnXkZ7/e7DDWQw4rtTw/1zBLZpD67 +oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCPoky4rc/hkA/NrgrHXXu3UNLUYfrVFdvXn4dRVOul +4+vJhaAlIDf7js4MNIThPIGyd05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrKjSoS75ftwjCkySp6 ++/NNIxuZMzSgLvWpCz/UXeHPhJ/iGcJfitYgHuNztw== +-----END CERTIFICATE----- + +Certum Trusted Network CA 2 +=========================== +-----BEGIN CERTIFICATE----- +MIIF0jCCA7qgAwIBAgIQIdbQSk8lD8kyN/yqXhKN6TANBgkqhkiG9w0BAQ0FADCBgDELMAkGA1UE +BhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVzIFMuQS4xJzAlBgNVBAsTHkNlcnR1 +bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIGA1UEAxMbQ2VydHVtIFRydXN0ZWQgTmV0d29y +ayBDQSAyMCIYDzIwMTExMDA2MDgzOTU2WhgPMjA0NjEwMDYwODM5NTZaMIGAMQswCQYDVQQGEwJQ +TDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMgUy5BLjEnMCUGA1UECxMeQ2VydHVtIENl +cnRpZmljYXRpb24gQXV0aG9yaXR5MSQwIgYDVQQDExtDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENB +IDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC9+Xj45tWADGSdhhuWZGc/IjoedQF9 +7/tcZ4zJzFxrqZHmuULlIEub2pt7uZld2ZuAS9eEQCsn0+i6MLs+CRqnSZXvK0AkwpfHp+6bJe+o +CgCXhVqqndwpyeI1B+twTUrWwbNWuKFBOJvR+zF/j+Bf4bE/D44WSWDXBo0Y+aomEKsq09DRZ40b +Rr5HMNUuctHFY9rnY3lEfktjJImGLjQ/KUxSiyqnwOKRKIm5wFv5HdnnJ63/mgKXwcZQkpsCLL2p +uTRZCr+ESv/f/rOf69me4Jgj7KZrdxYq28ytOxykh9xGc14ZYmhFV+SQgkK7QtbwYeDBoz1mo130 +GO6IyY0XRSmZMnUCMe4pJshrAua1YkV/NxVaI2iJ1D7eTiew8EAMvE0Xy02isx7QBlrd9pPPV3WZ +9fqGGmd4s7+W/jTcvedSVuWz5XV710GRBdxdaeOVDUO5/IOWOZV7bIBaTxNyxtd9KXpEulKkKtVB +Rgkg/iKgtlswjbyJDNXXcPiHUv3a76xRLgezTv7QCdpw75j6VuZt27VXS9zlLCUVyJ4ueE742pye +hizKV/Ma5ciSixqClnrDvFASadgOWkaLOusm+iPJtrCBvkIApPjW/jAux9JG9uWOdf3yzLnQh1vM +BhBgu4M1t15n3kfsmUjxpKEV/q2MYo45VU85FrmxY53/twIDAQABo0IwQDAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBS2oVQ5AsOgP46KvPrU+Bym0ToO/TAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI +hvcNAQENBQADggIBAHGlDs7k6b8/ONWJWsQCYftMxRQXLYtPU2sQF/xlhMcQSZDe28cmk4gmb3DW +Al45oPePq5a1pRNcgRRtDoGCERuKTsZPpd1iHkTfCVn0W3cLN+mLIMb4Ck4uWBzrM9DPhmDJ2vuA 
+L55MYIR4PSFk1vtBHxgP58l1cb29XN40hz5BsA72udY/CROWFC/emh1auVbONTqwX3BNXuMp8SMo +clm2q8KMZiYcdywmdjWLKKdpoPk79SPdhRB0yZADVpHnr7pH1BKXESLjokmUbOe3lEu6LaTaM4tM +pkT/WjzGHWTYtTHkpjx6qFcL2+1hGsvxznN3Y6SHb0xRONbkX8eftoEq5IVIeVheO/jbAoJnwTnb +w3RLPTYe+SmTiGhbqEQZIfCn6IENLOiTNrQ3ssqwGyZ6miUfmpqAnksqP/ujmv5zMnHCnsZy4Ypo +J/HkD7TETKVhk/iXEAcqMCWpuchxuO9ozC1+9eB+D4Kob7a6bINDd82Kkhehnlt4Fj1F4jNy3eFm +ypnTycUm/Q1oBEauttmbjL4ZvrHG8hnjXALKLNhvSgfZyTXaQHXyxKcZb55CEJh15pWLYLztxRLX +is7VmFxWlgPF7ncGNf/P5O4/E2Hu29othfDNrp2yGAlFw5Khchf8R7agCyzxxN5DaAhqXzvwdmP7 +zAYspsbiDrW5viSP +-----END CERTIFICATE----- + +Hellenic Academic and Research Institutions RootCA 2015 +======================================================= +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1IxDzANBgNVBAcT +BkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0 +aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNl +YXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAx +MTIxWjCBpjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMg +QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNV +BAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIw +MTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDC+Kk/G4n8PDwEXT2QNrCROnk8Zlrv +bTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+eh +iGsxr/CL0BgzuNtFajT0AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+ +6PAQZe104S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06CojXd +FPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV9Cz82XBST3i4vTwr +i5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrDgfgXy5I2XdGj2HUb4Ysn6npIQf1F +GQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2 +fu/Z8VFRfS0myGlZYeCsargqNhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9mu +iNX6hME6wGkoLfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc 
+Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNVHRMBAf8EBTAD +AQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVdctA4GGqd83EkVAswDQYJKoZI +hvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0IXtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+ +D1hYc2Ryx+hFjtyp8iY/xnmMsVMIM4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrM +d/K4kPFox/la/vot9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+y +d+2VZ5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/eaj8GsGsVn +82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnhX9izjFk0WaSrT2y7Hxjb +davYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQl033DlZdwJVqwjbDG2jJ9SrcR5q+ss7F +Jej6A7na+RZukYT1HCjI/CbM1xyQVqdfbzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVt +J94Cj8rDtSvK6evIIVM4pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGa +JI7ZjnHKe7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0vm9q +p/UsQu0yrbYhnr68 +-----END CERTIFICATE----- + +Hellenic Academic and Research Institutions ECC RootCA 2015 +=========================================================== +-----BEGIN CERTIFICATE----- +MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0 +aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9u +cyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJj +aCBJbnN0aXR1dGlvbnMgRUNDIFJvb3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEw +MzcxMlowgaoxCzAJBgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmlj +IEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUQwQgYD +VQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIEVDQyBSb290 +Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKgQehLgoRc4vgxEZmGZE4JJS+dQS8KrjVP +dJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJajq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoK +Vlp8aQuqgAkkbH7BRqNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0O +BBYEFLQiC4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaeplSTA +GiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7SofTUwJCA3sS61kFyjn 
+dc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR +-----END CERTIFICATE----- + +Certplus Root CA G1 +=================== +-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgISESBVg+QtPlRWhS2DN7cs3EYRMA0GCSqGSIb3DQEBDQUAMD4xCzAJBgNV +BAYTAkZSMREwDwYDVQQKDAhDZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMTAe +Fw0xNDA1MjYwMDAwMDBaFw0zODAxMTUwMDAwMDBaMD4xCzAJBgNVBAYTAkZSMREwDwYDVQQKDAhD +ZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBANpQh7bauKk+nWT6VjOaVj0W5QOVsjQcmm1iBdTYj+eJZJ+622SLZOZ5KmHN +r49aiZFluVj8tANfkT8tEBXgfs+8/H9DZ6itXjYj2JizTfNDnjl8KvzsiNWI7nC9hRYt6kuJPKNx +Qv4c/dMcLRC4hlTqQ7jbxofaqK6AJc96Jh2qkbBIb6613p7Y1/oA/caP0FG7Yn2ksYyy/yARujVj +BYZHYEMzkPZHogNPlk2dT8Hq6pyi/jQu3rfKG3akt62f6ajUeD94/vI4CTYd0hYCyOwqaK/1jpTv +LRN6HkJKHRUxrgwEV/xhc/MxVoYxgKDEEW4wduOU8F8ExKyHcomYxZ3MVwia9Az8fXoFOvpHgDm2 +z4QTd28n6v+WZxcIbekN1iNQMLAVdBM+5S//Ds3EC0pd8NgAM0lm66EYfFkuPSi5YXHLtaW6uOrc +4nBvCGrch2c0798wct3zyT8j/zXhviEpIDCB5BmlIOklynMxdCm+4kLV87ImZsdo/Rmz5yCTmehd +4F6H50boJZwKKSTUzViGUkAksnsPmBIgJPaQbEfIDbsYIC7Z/fyL8inqh3SV4EJQeIQEQWGw9CEj +jy3LKCHyamz0GqbFFLQ3ZU+V/YDI+HLlJWvEYLF7bY5KinPOWftwenMGE9nTdDckQQoRb5fc5+R+ +ob0V8rqHDz1oihYHAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G +A1UdDgQWBBSowcCbkahDFXxdBie0KlHYlwuBsTAfBgNVHSMEGDAWgBSowcCbkahDFXxdBie0KlHY +lwuBsTANBgkqhkiG9w0BAQ0FAAOCAgEAnFZvAX7RvUz1isbwJh/k4DgYzDLDKTudQSk0YcbX8ACh +66Ryj5QXvBMsdbRX7gp8CXrc1cqh0DQT+Hern+X+2B50ioUHj3/MeXrKls3N/U/7/SMNkPX0XtPG +YX2eEeAC7gkE2Qfdpoq3DIMku4NQkv5gdRE+2J2winq14J2by5BSS7CTKtQ+FjPlnsZlFT5kOwQ/ +2wyPX1wdaR+v8+khjPPvl/aatxm2hHSco1S1cE5j2FddUyGbQJJD+tZ3VTNPZNX70Cxqjm0lpu+F +6ALEUz65noe8zDUa3qHpimOHZR4RKttjd5cUvpoUmRGywO6wT/gUITJDT5+rosuoD6o7BlXGEilX +CNQ314cnrUlZp5GrRHpejXDbl85IULFzk/bwg2D5zfHhMf1bfHEhYxQUqq/F3pN+aLHsIqKqkHWe +tUNy6mSjhEv9DKgma3GX7lZjZuhCVPnHHd/Qj1vfyDBviP4NxDMcU6ij/UgQ8uQKTuEVV/xuZDDC +VRHc6qnNSlSsKWNEz0pAoNZoWRsz+e86i9sgktxChL8Bq4fA1SCC28a5g4VCXA9DO2pJNdWY9BW/ 
++mGBDAkgGNLQFwzLSABQ6XaCjGTXOqAHVcweMcDvOrRl++O/QmueD6i9a5jc2NvLi6Td11n0bt3+ +qsOR0C5CB8AMTVPNJLFMWx5R9N/pkvo= +-----END CERTIFICATE----- + +Certplus Root CA G2 +=================== +-----BEGIN CERTIFICATE----- +MIICHDCCAaKgAwIBAgISESDZkc6uo+jF5//pAq/Pc7xVMAoGCCqGSM49BAMDMD4xCzAJBgNVBAYT +AkZSMREwDwYDVQQKDAhDZXJ0cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMjAeFw0x +NDA1MjYwMDAwMDBaFw0zODAxMTUwMDAwMDBaMD4xCzAJBgNVBAYTAkZSMREwDwYDVQQKDAhDZXJ0 +cGx1czEcMBoGA1UEAwwTQ2VydHBsdXMgUm9vdCBDQSBHMjB2MBAGByqGSM49AgEGBSuBBAAiA2IA +BM0PW1aC3/BFGtat93nwHcmsltaeTpwftEIRyoa/bfuFo8XlGVzX7qY/aWfYeOKmycTbLXku54uN +Am8xIk0G42ByRZ0OQneezs/lf4WbGOT8zC5y0xaTTsqZY1yhBSpsBqNjMGEwDgYDVR0PAQH/BAQD +AgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNqDYwJ5jtpMxjwjFNiPwyCrKGBZMB8GA1Ud +IwQYMBaAFNqDYwJ5jtpMxjwjFNiPwyCrKGBZMAoGCCqGSM49BAMDA2gAMGUCMHD+sAvZ94OX7PNV +HdTcswYO/jOYnYs5kGuUIe22113WTNchp+e/IQ8rzfcq3IUHnQIxAIYUFuXcsGXCwI4Un78kFmjl +vPl5adytRSv3tjFzzAalU5ORGpOucGpnutee5WEaXw== +-----END CERTIFICATE----- + +OpenTrust Root CA G1 +==================== +-----BEGIN CERTIFICATE----- +MIIFbzCCA1egAwIBAgISESCzkFU5fX82bWTCp59rY45nMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV +BAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEcx +MB4XDTE0MDUyNjA4NDU1MFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoM +CU9wZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzEwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQD4eUbalsUwXopxAy1wpLuwxQjczeY1wICkES3d5oeuXT2R0odsN7fa +Yp6bwiTXj/HbpqbfRm9RpnHLPhsxZ2L3EVs0J9V5ToybWL0iEA1cJwzdMOWo010hOHQX/uMftk87 +ay3bfWAfjH1MBcLrARYVmBSO0ZB3Ij/swjm4eTrwSSTilZHcYTSSjFR077F9jAHiOH3BX2pfJLKO +YheteSCtqx234LSWSE9mQxAGFiQD4eCcjsZGT44ameGPuY4zbGneWK2gDqdkVBFpRGZPTBKnjix9 +xNRbxQA0MMHZmf4yzgeEtE7NCv82TWLxp2NX5Ntqp66/K7nJ5rInieV+mhxNaMbBGN4zK1FGSxyO +9z0M+Yo0FMT7MzUj8czxKselu7Cizv5Ta01BG2Yospb6p64KTrk5M0ScdMGTHPjgniQlQ/GbI4Kq +3ywgsNw2TgOzfALU5nsaqocTvz6hdLubDuHAk5/XpGbKuxs74zD0M1mKB3IDVedzagMxbm+WG+Oi +n6+Sx+31QrclTDsTBM8clq8cIqPQqwWyTBIjUtz9GVsnnB47ev1CI9sjgBPwvFEVVJSmdz7QdFG9 
+URQIOTfLHzSpMJ1ShC5VkLG631UAC9hWLbFJSXKAqWLXwPYYEQRVzXR7z2FwefR7LFxckvzluFqr +TJOVoSfupb7PcSNCupt2LQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUl0YhVyE12jZVx/PxN3DlCPaTKbYwHwYDVR0jBBgwFoAUl0YhVyE12jZVx/Px +N3DlCPaTKbYwDQYJKoZIhvcNAQELBQADggIBAB3dAmB84DWn5ph76kTOZ0BP8pNuZtQ5iSas000E +PLuHIT839HEl2ku6q5aCgZG27dmxpGWX4m9kWaSW7mDKHyP7Rbr/jyTwyqkxf3kfgLMtMrpkZ2Cv +uVnN35pJ06iCsfmYlIrM4LvgBBuZYLFGZdwIorJGnkSI6pN+VxbSFXJfLkur1J1juONI5f6ELlgK +n0Md/rcYkoZDSw6cMoYsYPXpSOqV7XAp8dUv/TW0V8/bhUiZucJvbI/NeJWsZCj9VrDDb8O+WVLh +X4SPgPL0DTatdrOjteFkdjpY3H1PXlZs5VVZV6Xf8YpmMIzUUmI4d7S+KNfKNsSbBfD4Fdvb8e80 +nR14SohWZ25g/4/Ii+GOvUKpMwpZQhISKvqxnUOOBZuZ2mKtVzazHbYNeS2WuOvyDEsMpZTGMKcm +GS3tTAZQMPH9WD25SxdfGbRqhFS0OE85og2WaMMolP3tLR9Ka0OWLpABEPs4poEL0L9109S5zvE/ +bw4cHjdx5RiHdRk/ULlepEU0rbDK5uUTdg8xFKmOLZTW1YVNcxVPS/KyPu1svf0OnWZzsD2097+o +4BGkxK51CUpjAEggpsadCwmKtODmzj7HPiY46SvepghJAwSQiumPv+i2tCqjI40cHLI5kqiPAlxA +OXXUc0ECd97N4EOH1uS6SsNsEn/+KuYj1oxx +-----END CERTIFICATE----- + +OpenTrust Root CA G2 +==================== +-----BEGIN CERTIFICATE----- +MIIFbzCCA1egAwIBAgISESChaRu/vbm9UpaPI+hIvyYRMA0GCSqGSIb3DQEBDQUAMEAxCzAJBgNV +BAYTAkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEcy +MB4XDTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoM +CU9wZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzIwggIiMA0GCSqGSIb3DQEB +AQUAA4ICDwAwggIKAoICAQDMtlelM5QQgTJT32F+D3Y5z1zCU3UdSXqWON2ic2rxb95eolq5cSG+ +Ntmh/LzubKh8NBpxGuga2F8ORAbtp+Dz0mEL4DKiltE48MLaARf85KxP6O6JHnSrT78eCbY2albz +4e6WiWYkBuTNQjpK3eCasMSCRbP+yatcfD7J6xcvDH1urqWPyKwlCm/61UWY0jUJ9gNDlP7ZvyCV +eYCYitmJNbtRG6Q3ffyZO6v/v6wNj0OxmXsWEH4db0fEFY8ElggGQgT4hNYdvJGmQr5J1WqIP7wt +UdGejeBSzFfdNTVY27SPJIjki9/ca1TSgSuyzpJLHB9G+h3Ykst2Z7UJmQnlrBcUVXDGPKBWCgOz +3GIZ38i1MH/1PCZ1Eb3XG7OHngevZXHloM8apwkQHZOJZlvoPGIytbU6bumFAYueQ4xncyhZW+vj +3CzMpSZyYhK05pyDRPZRpOLAeiRXyg6lPzq1O4vldu5w5pLeFlwoW5cZJ5L+epJUzpM5ChaHvGOz 
+9bGTXOBut9Dq+WIyiET7vycotjCVXRIouZW+j1MY5aIYFuJWpLIsEPUdN6b4t/bQWVyJ98LVtZR0 +0dX+G7bw5tYee9I8y6jj9RjzIR9u701oBnstXW5DiabA+aC/gh7PU3+06yzbXfZqfUAkBXKJOAGT +y3HCOV0GEfZvePg3DTmEJwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB +/zAdBgNVHQ4EFgQUajn6QiL35okATV59M4PLuG53hq8wHwYDVR0jBBgwFoAUajn6QiL35okATV59 +M4PLuG53hq8wDQYJKoZIhvcNAQENBQADggIBAJjLq0A85TMCl38th6aP1F5Kr7ge57tx+4BkJamz +Gj5oXScmp7oq4fBXgwpkTx4idBvpkF/wrM//T2h6OKQQbA2xx6R3gBi2oihEdqc0nXGEL8pZ0keI +mUEiyTCYYW49qKgFbdEfwFFEVn8nNQLdXpgKQuswv42hm1GqO+qTRmTFAHneIWv2V6CG1wZy7HBG +S4tz3aAhdT7cHcCP009zHIXZ/n9iyJVvttN7jLpTwm+bREx50B1ws9efAvSyB7DH5fitIw6mVskp +EndI2S9G/Tvw/HRwkqWOOAgfZDC2t0v7NqwQjqBSM2OdAzVWxWm9xiNaJ5T2pBL4LTM8oValX9YZ +6e18CL13zSdkzJTaTkZQh+D5wVOAHrut+0dSixv9ovneDiK3PTNZbNTe9ZUGMg1RGUFcPk8G97kr +gCf2o6p6fAbhQ8MTOWIaNr3gKC6UAuQpLmBVrkA9sHSSXvAgZJY/X0VdiLWK2gKgW0VU3jg9CcCo +SmVGFvyqv1ROTVu+OEO3KMqLM6oaJbolXCkvW0pujOotnCr2BXbgd5eAiN1nE28daCSLT7d0geX0 +YJ96Vdc+N9oWaz53rK4YcJUIeSkDiv7BO7M/Gg+kO14fWKGVyasvc0rQLW6aWQ9VGHgtPFGml4vm +u7JwqkwR3v98KzfUetF3NI/n+UL3PIEMS1IK +-----END CERTIFICATE----- + +OpenTrust Root CA G3 +==================== +-----BEGIN CERTIFICATE----- +MIICITCCAaagAwIBAgISESDm+Ez8JLC+BUCs2oMbNGA/MAoGCCqGSM49BAMDMEAxCzAJBgNVBAYT +AkZSMRIwEAYDVQQKDAlPcGVuVHJ1c3QxHTAbBgNVBAMMFE9wZW5UcnVzdCBSb290IENBIEczMB4X +DTE0MDUyNjAwMDAwMFoXDTM4MDExNTAwMDAwMFowQDELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCU9w +ZW5UcnVzdDEdMBsGA1UEAwwUT3BlblRydXN0IFJvb3QgQ0EgRzMwdjAQBgcqhkjOPQIBBgUrgQQA +IgNiAARK7liuTcpm3gY6oxH84Bjwbhy6LTAMidnW7ptzg6kjFYwvWYpa3RTqnVkrQ7cG7DK2uu5B +ta1doYXM6h0UZqNnfkbilPPntlahFVmhTzeXuSIevRHr9LIfXsMUmuXZl5mjYzBhMA4GA1UdDwEB +/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAf +BgNVHSMEGDAWgBRHd8MUi2I5DMlv4VBN0BBY3JWIbTAKBggqhkjOPQQDAwNpADBmAjEAj6jcnboM +BBf6Fek9LykBl7+BFjNAk2z8+e2AcG+qj9uEwov1NcoG3GRvaBbhj5G5AjEA2Euly8LQCGzpGPta +3U1fJAuwACEl74+nBCZx4nxp5V2a+EEfOzmTk51V6s2N8fvB +-----END CERTIFICATE----- + +ISRG Root X1 +============ +-----BEGIN CERTIFICATE----- 
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAwTzELMAkGA1UE +BhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQD +EwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQG +EwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMT +DElTUkcgUm9vdCBYMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54r +Vygch77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+0TM8ukj1 +3Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6UA5/TR5d8mUgjU+g4rk8K +b4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sWT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCN +Aymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyHB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ +4Q7e2RCOFvu396j3x+UCB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf +1b0SHzUvKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWnOlFu +hjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTnjh8BCNAw1FtxNrQH +usEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbwqHyGO0aoSCqI3Haadr8faqU9GY/r +OPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CIrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4G +A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY +9umbbjANBgkqhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ3BebYhtF8GaV +0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KKNFtY2PwByVS5uCbMiogziUwt +hDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJw +TdwJx4nLCgdNbOhdjsnvzqvHu7UrTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nx +e5AW0wdeRlN8NwdCjNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZA +JzVcoyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq4RgqsahD +YVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPAmRGunUHBcnWEvgJBQl9n +JEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57demyPxgcYxn/eR44/KJ4EBs+lVDR3veyJ +m+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE----- + +AC RAIZ FNMT-RCM +================ +-----BEGIN CERTIFICATE----- 
+MIIFgzCCA2ugAwIBAgIPXZONMGc2yAYdGsdUhGkHMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNVBAYT +AkVTMREwDwYDVQQKDAhGTk1ULVJDTTEZMBcGA1UECwwQQUMgUkFJWiBGTk1ULVJDTTAeFw0wODEw +MjkxNTU5NTZaFw0zMDAxMDEwMDAwMDBaMDsxCzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1ULVJD +TTEZMBcGA1UECwwQQUMgUkFJWiBGTk1ULVJDTTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBALpxgHpMhm5/yBNtwMZ9HACXjywMI7sQmkCpGreHiPibVmr75nuOi5KOpyVdWRHbNi63URcf +qQgfBBckWKo3Shjf5TnUV/3XwSyRAZHiItQDwFj8d0fsjz50Q7qsNI1NOHZnjrDIbzAzWHFctPVr +btQBULgTfmxKo0nRIBnuvMApGGWn3v7v3QqQIecaZ5JCEJhfTzC8PhxFtBDXaEAUwED653cXeuYL +j2VbPNmaUtu1vZ5Gzz3rkQUCwJaydkxNEJY7kvqcfw+Z374jNUUeAlz+taibmSXaXvMiwzn15Cou +08YfxGyqxRxqAQVKL9LFwag0Jl1mpdICIfkYtwb1TplvqKtMUejPUBjFd8g5CSxJkjKZqLsXF3mw +WsXmo8RZZUc1g16p6DULmbvkzSDGm0oGObVo/CK67lWMK07q87Hj/LaZmtVC+nFNCM+HHmpxffnT +tOmlcYF7wk5HlqX2doWjKI/pgG6BU6VtX7hI+cL5NqYuSf+4lsKMB7ObiFj86xsc3i1w4peSMKGJ +47xVqCfWS+2QrYv6YyVZLag13cqXM7zlzced0ezvXg5KkAYmY6252TUtB7p2ZSysV4999AeU14EC +ll2jB0nVetBX+RvnU0Z1qrB5QstocQjpYL05ac70r8NWQMetUqIJ5G+GR4of6ygnXYMgrwTJbFaa +i0b1AgMBAAGjgYMwgYAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FPd9xf3E6Jobd2Sn9R2gzL+HYJptMD4GA1UdIAQ3MDUwMwYEVR0gADArMCkGCCsGAQUFBwIBFh1o +dHRwOi8vd3d3LmNlcnQuZm5tdC5lcy9kcGNzLzANBgkqhkiG9w0BAQsFAAOCAgEAB5BK3/MjTvDD +nFFlm5wioooMhfNzKWtN/gHiqQxjAb8EZ6WdmF/9ARP67Jpi6Yb+tmLSbkyU+8B1RXxlDPiyN8+s +D8+Nb/kZ94/sHvJwnvDKuO+3/3Y3dlv2bojzr2IyIpMNOmqOFGYMLVN0V2Ue1bLdI4E7pWYjJ2cJ +j+F3qkPNZVEI7VFY/uY5+ctHhKQV8Xa7pO6kO8Rf77IzlhEYt8llvhjho6Tc+hj507wTmzl6NLrT +Qfv6MooqtyuGC2mDOL7Nii4LcK2NJpLuHvUBKwrZ1pebbuCoGRw6IYsMHkCtA+fdZn71uSANA+iW ++YJF1DngoABd15jmfZ5nc8OaKveri6E6FO80vFIOiZiaBECEHX5FaZNXzuvO+FB8TxxuBEOb+dY7 +Ixjp6o7RTUaN8Tvkasq6+yO3m/qZASlaWFot4/nUbQ4mrcFuNLwy+AwF+mWj2zs3gyLp1txyM/1d +8iC9djwj2ij3+RvrWWTV3F9yfiD8zYm1kGdNYno/Tq0dwzn+evQoFt9B9kiABdcPUXmsEKvU7ANm +5mqwujGSQkBqvjrTcuFqN1W8rB2Vt2lh8kORdOag0wokRqEIr9baRRmW1FMdW4R58MD3R++Lj8UG +rp1MYp3/RgT408m2ECVAdf4WqslKYIYvuu8wd+RU4riEmViAqhOLUTpPSPaLtrM= +-----END CERTIFICATE----- + +Amazon Root CA 1 
+================ +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYD +VQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1 +MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpv +bjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgH +FzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQ +gLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0t +dHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcce +VOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3 +DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PM +CCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy +8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa +2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2 +xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5 +-----END CERTIFICATE----- + +Amazon Root CA 2 +================ +-----BEGIN CERTIFICATE----- +MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwFADA5MQswCQYD +VQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAyMB4XDTE1 +MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpv +bjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAK2Wny2cSkxKgXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4 +kHbZW0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg1dKmSYXp +N+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K8nu+NQWpEjTj82R0Yiw9 +AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvd +fLC6HM783k81ds8P+HgfajZRRidhW+mez/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAEx 
+kv8LV/SasrlX6avvDXbR8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSS +btqDT6ZjmUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz7Mt0 +Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6+XUyo05f7O0oYtlN +c/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI0u1ufm8/0i2BWSlmy5A5lREedCf+ +3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSw +DPBMMPQFWAJI/TPlUq9LhONmUjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oA +A7CXDpO8Wqj2LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY ++gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kSk5Nrp+gvU5LE +YFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl7uxMMne0nxrpS10gxdr9HIcW +xkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygmbtmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQ +gj9sAq+uEjonljYE1x2igGOpm/HlurR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbW +aQbLU8uz/mtBzUF+fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoV +Yh63n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE76KlXIx3 +KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H9jVlpNMKVv/1F2Rs76gi +JUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT4PsJYGw= +-----END CERTIFICATE----- + +Amazon Root CA 3 +================ +-----BEGIN CERTIFICATE----- +MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5MQswCQYDVQQG +EwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAzMB4XDTE1MDUy +NjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZ +MBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZB +f8ANm+gBG1bG8lKlui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjr +Zt6jQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSrttvXBp43 +rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkrBqWTrBqYaGFy+uGh0Psc +eGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteMYyRIHN8wfdVoOw== +-----END CERTIFICATE----- + +Amazon Root CA 4 +================ +-----BEGIN CERTIFICATE----- 
+MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5MQswCQYDVQQG +EwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSA0MB4XDTE1MDUy +NjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZ +MBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN +/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri +83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV +HQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gA +MGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1 +AE47xDqUEpHJWEadIRNyp4iciuRMStuW1KyLa2tJElMzrdfkviT8tQp21KW8EA== +-----END CERTIFICATE----- + +LuxTrust Global Root 2 +====================== +-----BEGIN CERTIFICATE----- +MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQELBQAwRjELMAkG +A1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNVBAMMFkx1eFRydXN0IEdsb2Jh +bCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUwMzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEW +MBQGA1UECgwNTHV4VHJ1c3QgUy5BLjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wm +Kb3FibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTemhfY7RBi2 +xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1EMShduxq3sVs35a0VkBC +wGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsnXpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm +1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkm +FRseTJIpgp7VkoGSQXAZ96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niF +wpN6cj5mj5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4gDEa/ +a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+8kPREd8vZS9kzl8U +ubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2jX5t/Lax5Gw5CMZdjpPuKadUiDTSQ +MC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmHhFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB +/zBCBgNVHSAEOzA5MDcGByuBKwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5 
+Lmx1eHRydXN0Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT ++Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQELBQADggIBAGoZ +FO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9BzZAcg4atmpZ1gDlaCDdLnIN +H2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTOjFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW +7MM3LGVYvlcAGvI1+ut7MV3CwRI9loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIu +ZY+kt9J/Z93I055cqqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWA +VWe+2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/JEAdemrR +TxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKrezrnK+T+Tb/mjuuqlPpmt +/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQfLSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc +7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31I +iyBMz2TWuJdGsE7RKlY6oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr +-----END CERTIFICATE----- + +TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 +============================================= +-----BEGIN CERTIFICATE----- +MIIEYzCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQsFADCB0jELMAkGA1UEBhMCVFIxGDAWBgNVBAcT +D0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxpbXNlbCB2ZSBUZWtub2xvamlr +IEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0wKwYDVQQLEyRLYW11IFNlcnRpZmlrYXN5b24g +TWVya2V6aSAtIEthbXUgU00xNjA0BgNVBAMTLVRVQklUQUsgS2FtdSBTTSBTU0wgS29rIFNlcnRp +ZmlrYXNpIC0gU3VydW0gMTAeFw0xMzExMjUwODI1NTVaFw00MzEwMjUwODI1NTVaMIHSMQswCQYD +VQQGEwJUUjEYMBYGA1UEBxMPR2ViemUgLSBLb2NhZWxpMUIwQAYDVQQKEzlUdXJraXllIEJpbGlt +c2VsIHZlIFRla25vbG9qaWsgQXJhc3Rpcm1hIEt1cnVtdSAtIFRVQklUQUsxLTArBgNVBAsTJEth +bXUgU2VydGlmaWthc3lvbiBNZXJrZXppIC0gS2FtdSBTTTE2MDQGA1UEAxMtVFVCSVRBSyBLYW11 +IFNNIFNTTCBLb2sgU2VydGlmaWthc2kgLSBTdXJ1bSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAr3UwM6q7a9OZLBI3hNmNe5eA027n/5tQlT6QlVZC1xl8JoSNkvoBHToP4mQ4t4y8 +6Ij5iySrLqP1N+RAjhgleYN1Hzv/bKjFxlb4tO2KRKOrbEz8HdDc72i9z+SqzvBV96I01INrN3wc +wv61A+xXzry0tcXtAA9TNypN9E8Mg/uGz8v+jE69h/mniyFXnHrfA2eJLJ2XYacQuFWQfw4tJzh0 
+3+f92k4S400VIgLI4OD8D62K18lUUMw7D8oWgITQUVbDjlZ/iSIzL+aFCr2lqBs23tPcLG07xxO9 +WSMs5uWk99gL7eqQQESolbuT1dCANLZGeA4fAJNG4e7p+exPFwIDAQABo0IwQDAdBgNVHQ4EFgQU +ZT/HiobGPN08VFw1+DrtUgxHV8gwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBACo/4fEyjq7hmFxLXs9rHmoJ0iKpEsdeV31zVmSAhHqT5Am5EM2fKifh +AHe+SMg1qIGf5LgsyX8OsNJLN13qudULXjS99HMpw+0mFZx+CFOKWI3QSyjfwbPfIPP54+M638yc +lNhOT8NrF7f3cuitZjO1JVOr4PhMqZ398g26rrnZqsZr+ZO7rqu4lzwDGrpDxpa5RXI4s6ehlj2R +e37AIVNMh+3yC1SVUZPVIqUNivGTDj5UDrDYyU7c8jEyVupk+eq1nRZmQnLzf9OxMUP8pI4X8W0j +q5Rm+K37DwhuJi1/FwcJsoz7UMCflo3Ptv0AnVoUmr8CRPXBwp8iXqIPoeM= +-----END CERTIFICATE----- + +GDCA TrustAUTH R5 ROOT +====================== +-----BEGIN CERTIFICATE----- +MIIFiDCCA3CgAwIBAgIIfQmX/vBH6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCQ04xMjAw +BgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8wHQYDVQQD +DBZHRENBIFRydXN0QVVUSCBSNSBST09UMB4XDTE0MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVow +YjELMAkGA1UEBhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZ +IENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJjDp6L3TQs +AlFRwxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBjTnnEt1u9ol2x8kECK62p +OqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+uKU49tm7srsHwJ5uu4/Ts765/94Y9cnrr +pftZTqfrlYwiOXnhLQiPzLyRuEH3FMEjqcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfmiJqwTTQJ +9Cy5WmYqsBebnh52nUpmMUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ahsmUPI2JgaQ +xXABZG12ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7ng/Wi64HtloPzgsM +R6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLMc3GkL30SgLdTMEZeS1SZ +D2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeCjGHeuLzRL5z7D9Ar7Rt2ueQ5Vfj4 +oR24qoAATILnsn8JuLwwoC8N9VKejveSswoAHQBUlwbgsQfZxw9cZX08bVlX5O2ljelAU58VS6Bx +9hoh49pwBiFYFIeFd3mqgnkCAwEAAaNCMEAwHQYDVR0OBBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlR +MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfg 
+p8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9nesLqjJHdtJnJO29fDMylyrHBYZmDRd9FBUb1Ov9 +H5r2XpdptxolpAqzkT9fNqyL7FeoPueBihhXOYV0GkLH6VsTX4/5COmSdI31R9KrO9b7eGZONn35 +6ZLpBN79SWP8bfsUcZNnL0dKt7n/HipzcEYwv1ryL3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd ++PwyvzeG5LuOmCd+uh8W4XAR8gPfJWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQ +HtZa37dG/OaG+svgIHZ6uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBD +F8Io2c9Si1vIY9RCPqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV09tL7ECQ +8s1uV9JiDnxXk7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQXR4EzzffHqhmsYzmIGrv +/EhOdJhCrylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrqT8p+ck0LcIymSLumoRT2+1hEmRSuqguT +aaApJUqlyyvdimYHFngVV3Eb7PVHhPOeMTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== +-----END CERTIFICATE----- + +TrustCor RootCert CA-1 +====================== +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYDVQQGEwJQQTEP +MA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3Ig +U3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp +dHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkx +MjMxMTcyMzE2WjCBpDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFu +YW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUGA1UECwwe +VHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZUcnVzdENvciBSb290Q2Vy +dCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv463leLCJhJrMxnHQFgKq1mq +jQCj/IDHUHuO1CAmujIS2CNUSSUQIpidRtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4 +pQa81QBeCQryJ3pS/C3Vseq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0 +JEsq1pme9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CVEY4h +gLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorWhnAbJN7+KIor0Gqw +/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/DeOxCbeKyKsZn3MzUOcwHwYDVR0j +BBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwDQYJKoZIhvcNAQELBQADggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5 
+mDo4Nvu7Zp5I/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf +ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZyonnMlo2HD6C +qFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djtsL1Ac59v2Z3kf9YKVmgenFK+P +3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdNzl/HHk484IkzlQsPpTLWPFp5LBk= +-----END CERTIFICATE----- + +TrustCor RootCert CA-2 +====================== +-----BEGIN CERTIFICATE----- +MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNVBAYTAlBBMQ8w +DQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVzdENvciBT +eXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0 +eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEy +MzExNzI2MzlaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5h +bWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0 +IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnIG7CKqJiJJWQdsg4foDSq8Gb +ZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9Nk +RvRUqdw6VC0xK5mC8tkq1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1 +oYxOdqHp2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nKDOOb +XUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hapeaz6LMvYHL1cEksr1 +/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF3wP+TfSvPd9cW436cOGlfifHhi5q +jxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQP +eSghYA2FFn3XVDjxklb9tTNMg9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+Ctg +rKAmrhQhJ8Z3mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh +8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAdBgNVHQ4EFgQU +2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6UnrybPZx9mCAZ5YwwYrIwDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/h +Osh80QA9z+LqBrWyOrsGS2h60COXdKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnp 
+kpfbsEZC89NiqpX+MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv +2wnL/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RXCI/hOWB3 +S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYaZH9bDTMJBzN7Bj8RpFxw +PIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dv +DDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYU +RpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANE +xdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp5KeX +RKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu1uwJ +-----END CERTIFICATE----- + +TrustCor ECA-1 +============== +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYDVQQGEwJQQTEP +MA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3Ig +U3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp +dHkxFzAVBgNVBAMMDlRydXN0Q29yIEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3Mjgw +N1owgZwxCzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5 +MSQwIgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29y +IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3IgRUNBLTEwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb3w9U73NjKYKtR8aja+3+XzP4Q1HpGjOR +MRegdMTUpwHmspI+ap3tDvl0mEDTPwOABoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23 +xFUfJ3zSCNV2HykVh0A53ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmc +p0yJF4OuowReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/wZ0+ +fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZFZtS6mFjBAgMBAAGj +YzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAfBgNVHSMEGDAWgBREnkj1zG1I1KBL +f/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF +AAOCAQEABT41XBVwm8nHc2FvcivUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u +/ukZMjgDfxT2AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F 
+hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50soIipX1TH0Xs +J5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BIWJZpTdwHjFGTot+fDz2LYLSC +jaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1WitJ/X5g== +-----END CERTIFICATE----- + +SSL.com Root Certification Authority RSA +======================================== +-----BEGIN CERTIFICATE----- +MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxDjAM +BgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24x +MTAvBgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYw +MjEyMTczOTM5WhcNNDEwMjEyMTczOTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMx +EDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NM +LmNvbSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2RxFdHaxh3a3by/ZPkPQ/C +Fp4LZsNWlJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aXqhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8 +P2FI7bADFB0QDksZ4LtO7IZl/zbzXmcCC52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/ge +oeOy3ZExqysdBP+lSgQ36YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9aqkp +k8zruFvh/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq/LrFYD3Z +fBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93EJNyAKoFBbZQ+yODJ +gUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVcUS4cK38acijnALXRdMbX5J+tB5O2 +UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8ZVWb3vUNiSYE/CUapiVpy8JtynziWV+XrOvvLsi8 +1xtZPCvM8hnIk2snYxnP/Okm+Mpxm3+T/jRnhE6Z6/yzeAkzcLpmpnbtG3PrGqUNxCITIJRWCk4s +bE6x/c+cCbqiM+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkHovV6fVJTEpKV7jiAJQ2mWTAPBgNV +HRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9UlMSkpXuOIAlDaZZMA4GA1UdDwEB/wQE +AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7Jp0cHh5wYfGVcpNxJK1ok1iOMq8bs3AD/CUr +dIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8eEdBcHadm47GUBwwyOabqG7B52B2ccETjit3E+ZUf +ijhDPwGFpUenPUayvOUiaPd7nNgsPgohyC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAsl +u1OJD7OAUN5F7kR/q5R4ZJjT9ijdh9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjq 
+erQ0cuAjJ3dctpDqhiVAq+8zD8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jra6x+3uxj +MxW3IwiPxg+NQVrdjsW5j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90IH37hVZkLId6Tngr75qNJ +vTYw/ud3sqB1l7UtgYgXZSD32pAAn8lSzDLKNXz1PQ/YK9f1JmzJBjSWFupwWRoyeXkLtoh/D1JI +Pb9s2KJELtFOt3JY04kTlf5Eq/jXixtunLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406y +wKBjYZC6VWg3dGq2ktufoYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NI +WuuA8ShYIc2wBlX7Jz9TkHCpBB5XJ7k= +-----END CERTIFICATE----- + +SSL.com Root Certification Authority ECC +======================================== +-----BEGIN CERTIFICATE----- +MIICjTCCAhSgAwIBAgIIdebfy8FoW6gwCgYIKoZIzj0EAwIwfDELMAkGA1UEBhMCVVMxDjAMBgNV +BAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xMTAv +BgNVBAMMKFNTTC5jb20gUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEy +MTgxNDAzWhcNNDEwMjEyMTgxNDAzWjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAO +BgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNv +bSBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuBBAAiA2IA +BEVuqVDEpiM2nl8ojRfLliJkP9x6jh3MCLOicSS6jkm5BBtHllirLZXI7Z4INcgn64mMU1jrYor+ +8FsPazFSY0E7ic3s7LaNGdM0B9y7xgZ/wkWV7Mt/qCPgCemB+vNH06NjMGEwHQYDVR0OBBYEFILR +hXMw5zUE044CkvvlpNHEIejNMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUgtGFczDnNQTT +jgKS++Wk0cQh6M0wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2cAMGQCMG/n61kRpGDPYbCW +e+0F+S8Tkdzt5fxQaxFGRrMcIQBiu77D5+jNB5n5DQtdcj7EqgIwH7y6C+IwJPt8bYBVCpk+gA0z +5Wajs6O7pdWLjwkspl1+4vAHCGht0nxpbl/f5Wpl +-----END CERTIFICATE----- + +SSL.com EV Root Certification Authority RSA R2 +============================================== +-----BEGIN CERTIFICATE----- +MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNVBAYTAlVTMQ4w +DAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9u +MTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIy +MB4XDTE3MDUzMTE4MTQzN1oXDTQyMDUzMDE4MTQzN1owgYIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI 
+DAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTcwNQYD +VQQDDC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMIICIjAN +BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjzZlQOHWTcDXtOlG2mvqM0fNTPl9fb69LT3w23jh +hqXZuglXaO1XPqDQCEGD5yhBJB/jchXQARr7XnAjssufOePPxU7Gkm0mxnu7s9onnQqG6YE3Bf7w +cXHswxzpY6IXFJ3vG2fThVUCAtZJycxa4bH3bzKfydQ7iEGonL3Lq9ttewkfokxykNorCPzPPFTO +Zw+oz12WGQvE43LrrdF9HSfvkusQv1vrO6/PgN3B0pYEW3p+pKk8OHakYo6gOV7qd89dAFmPZiw+ +B6KjBSYRaZfqhbcPlgtLyEDhULouisv3D5oi53+aNxPN8k0TayHRwMwi8qFG9kRpnMphNQcAb9Zh +CBHqurj26bNg5U257J8UZslXWNvNh2n4ioYSA0e/ZhN2rHd9NCSFg83XqpyQGp8hLH94t2S42Oim +9HizVcuE0jLEeK6jj2HdzghTreyI/BXkmg3mnxp3zkyPuBQVPWKchjgGAGYS5Fl2WlPAApiiECto +RHuOec4zSnaqW4EWG7WK2NAAe15itAnWhmMOpgWVSbooi4iTsjQc2KRVbrcc0N6ZVTsj9CLg+Slm +JuwgUHfbSguPvuUCYHBBXtSuUDkiFCbLsjtzdFVHB3mBOagwE0TlBIqulhMlQg+5U8Sb/M3kHN48 ++qvWBkofZ6aYMBzdLNvcGJVXZsb/XItW9XcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBT5YLvU49U09rj1BoAlp3PbRmmonjAdBgNVHQ4EFgQU+WC71OPVNPa49QaAJadz20Zp +qJ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBWs47LCp1Jjr+kxJG7ZhcFUZh1 +++VQLHqe8RT6q9OKPv+RKY9ji9i0qVQBDb6Thi/5Sm3HXvVX+cpVHBK+Rw82xd9qt9t1wkclf7nx +Y/hoLVUE0fKNsKTPvDxeH3jnpaAgcLAExbf3cqfeIg29MyVGjGSSJuM+LmOW2puMPfgYCdcDzH2G +guDKBAdRUNf/ktUM79qGn5nX67evaOI5JpS6aLe/g9Pqemc9YmeuJeVy6OLk7K4S9ksrPJ/psEDz +OFSz/bdoyNrGj1E8svuR3Bznm53htw1yj+KkxKl4+esUrMZDBcJlOSgYAsOCsp0FvmXtll9ldDz7 +CTUue5wT/RsPXcdtgTpWD8w74a8CLyKsRspGPKAcTNZEtF4uXBVmCeEmKf7GUmG6sXP/wwyc5Wxq +lD8UykAWlYTzWamsX0xhk23RO8yilQwipmdnRC652dKKQbNmC1r7fSOl8hqw/96bg5Qu0T/fkreR +rwU7ZcegbLHNYhLDkBvjJc40vG93drEQw/cFGsDWr3RiSBd3kmmQYRzelYB0VI8YHMPzA9C/pEN1 +hlMYegouCRw2n5H9gooiS9EOUCXdywMMF8mDAAhONU2Ki+3wApRmLER/y5UnlhetCTCstnEXbosX +9hwJ1C07mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w== +-----END CERTIFICATE----- + +SSL.com EV Root Certification Authority ECC +=========================================== +-----BEGIN CERTIFICATE----- +MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMCVVMxDjAMBgNV 
+BAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xNDAy +BgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYw +MjEyMTgxNTIzWhcNNDEwMjEyMTgxNTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMx +EDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NM +LmNvbSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49AgEGBSuB +BAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMAVIbc/R/fALhBYlzccBYy +3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1KthkuWnBaBu2+8KGwytAJKaNjMGEwHQYDVR0O +BBYEFFvKXuXe0oGqzagtZFG22XKbl+ZPMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe +5d7SgarNqC1kUbbZcpuX5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJ +N+vp1RPZytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZgh5Mm +m7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg== +-----END CERTIFICATE----- diff -Nru stunnel4-5.44/tools/makecert.sh stunnel4-5.50/tools/makecert.sh --- stunnel4-5.44/tools/makecert.sh 2015-10-24 16:53:23.000000000 +0000 +++ stunnel4-5.50/tools/makecert.sh 2018-10-09 14:37:38.000000000 +0000 @@ -8,6 +8,7 @@ if test -n "$2"; then OPENSSL="$2/bin/openssl" + LD_LIBRARY_PATH="$2/lib" else OPENSSL=openssl fi diff -Nru stunnel4-5.44/tools/Makefile.am stunnel4-5.50/tools/Makefile.am --- stunnel4-5.44/tools/Makefile.am 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/tools/Makefile.am 2018-10-09 14:37:38.000000000 +0000 
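Review bot: The added line `LD_LIBRARY_PATH="$2/lib"` in the makecert.sh hunk only assigns the variable; nothing in the hunk exports it. Unless it is already in the environment or exported elsewhere in the script, the `$OPENSSL` child process will not see it, and the custom `$2/bin/openssl` may still load the system libssl/libcrypto. The assignment also discards any existing search path. Something like `LD_LIBRARY_PATH="$2/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` followed by `export LD_LIBRARY_PATH` would make the intent explicit. Since the loader path comes straight from the script's second argument, a comment such as `# $2 must be a trusted OpenSSL install prefix` is worth adding; the rest of the script lies outside the hunk.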
@@ -1,10 +1,11 @@ ## Process this file with automake to produce Makefile.in -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 EXTRA_DIST = ca.html ca.pl importCA.html importCA.sh script.sh makecert.sh EXTRA_DIST += openssl.cnf stunnel.nsi stunnel.license stunnel.conf EXTRA_DIST += stunnel.conf-sample.in stunnel.init.in stunnel.service.in EXTRA_DIST += stunnel.logrotate stunnel.rh.init stunnel.spec +EXTRA_DIST += plugins ca-certs.pem confdir = $(sysconfdir)/stunnel conf_DATA = stunnel.conf-sample diff -Nru stunnel4-5.44/tools/Makefile.in stunnel4-5.50/tools/Makefile.in --- stunnel4-5.44/tools/Makefile.in 2017-11-14 14:07:50.000000000 +0000 +++ stunnel4-5.50/tools/Makefile.in 2018-11-09 15:53:56.000000000 +0000 @@ -14,7 +14,7 @@ @SET_MAKE@ -# by Michal Trojnara 2015-2017 +# by Michal Trojnara 1998-2018 VPATH = @srcdir@ am__is_gnu_make = { \ @@ -282,7 +282,7 @@ makecert.sh openssl.cnf stunnel.nsi stunnel.license \ stunnel.conf stunnel.conf-sample.in stunnel.init.in \ stunnel.service.in stunnel.logrotate stunnel.rh.init \ - stunnel.spec + stunnel.spec plugins ca-certs.pem confdir = $(sysconfdir)/stunnel conf_DATA = stunnel.conf-sample examplesdir = $(docdir)/examples diff -Nru stunnel4-5.44/tools/openssl.cnf stunnel4-5.50/tools/openssl.cnf --- stunnel4-5.44/tools/openssl.cnf 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/tools/openssl.cnf 2018-10-09 14:37:38.000000000 +0000 
@@ -1,12 +1,12 @@ # OpenSSL configuration file to create a server certificate -# by Michal Trojnara 1998-2017 +# by Michal Trojnara 1998-2018 [ req ] # comment out the next line to protect the private key with a passphrase encrypt_key = no # the default key length is secure and quite fast - do not change it default_bits = 2048 -default_md = sha1 +default_md = sha256 x509_extensions = stunnel_extensions distinguished_name = stunnel_dn diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/build.bat stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/build.bat --- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/build.bat 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/build.bat 2005-09-21 18:23:38.000000000 +0000 @@ -0,0 +1,9 @@ +@ECHO OFF +Set VCDIR=D:\Program Files\Microsoft Visual C++ Toolkit 2003 + +Set PATH=%VCDIR%\bin;%PATH% +Set INCLUDE=%VCDIR%\include;%INCLUDE% +Set LIB=%VCDIR%\lib;%LIB% + +cl /O1 ShellLink.cpp /LD /link kernel32.lib user32.lib uuid.lib ole32.lib /OPT:NOWIN98 /NODEFAULTLIB /ENTRY:DllMain +@PAUSE \ No newline at end of file diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/api.h stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/api.h --- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/api.h 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/api.h 2009-02-01 14:44:30.000000000 +0000 
@@ -0,0 +1,83 @@
+/*
+ * apih
+ *
+ * This file is a part of NSIS.
+ *
+ * Copyright (C) 1999-2009 Nullsoft and Contributors
+ *
+ * Licensed under the zlib/libpng license (the "License");
+ * you may not use this file except in compliance with the License.
+ *
+ * Licence details can be found in the file COPYING.
+ *
+ * This software is provided 'as-is', without any express or implied
+ * warranty.
+ */
+
+#ifndef _NSIS_EXEHEAD_API_H_
+#define _NSIS_EXEHEAD_API_H_
+
+// Starting with NSIS 2.42, you can check the version of the plugin API in exec_flags->plugin_api_version
+// The format is 0xXXXXYYYY where X is the major version and Y is the minor version (MAKELONG(y,x))
+// When doing version checks, always remember to use >=, ex: if (pX->exec_flags->plugin_api_version >= NSISPIAPIVER_1_0) {}
+
+#define NSISPIAPIVER_1_0 0x00010000
+#define NSISPIAPIVER_CURR NSISPIAPIVER_1_0
+
+// NSIS Plug-In Callback Messages
+enum NSPIM
+{
+ NSPIM_UNLOAD, // This is the last message a plugin gets, do final cleanup
+ NSPIM_GUIUNLOAD, // Called after .onGUIEnd
+};
+
+// Prototype for callbacks registered with extra_parameters->RegisterPluginCallback()
+// Return NULL for unknown messages
+// Should always be __cdecl for future expansion possibilities
+typedef UINT_PTR (*NSISPLUGINCALLBACK)(enum NSPIM);
+
+// extra_parameters data structures containing other interesting stuff
+// but the stack, variables and HWND passed on to plug-ins.
+typedef struct
+{
+ int autoclose;
+ int all_user_var;
+ int exec_error;
+ int abort;
+ int exec_reboot; // NSIS_SUPPORT_REBOOT
+ int reboot_called; // NSIS_SUPPORT_REBOOT
+ int XXX_cur_insttype; // depreacted
+ int plugin_api_version; // see NSISPIAPIVER_CURR
+ // used to be XXX_insttype_changed
+ int silent; // NSIS_CONFIG_SILENT_SUPPORT
+ int instdir_error;
+ int rtl;
+ int errlvl;
+ int alter_reg_view;
+ int status_update;
+} exec_flags_t;
+
+#ifndef NSISCALL
+# define NSISCALL __stdcall
+#endif
+
+typedef struct {
+ exec_flags_t *exec_flags;
+ int (NSISCALL *ExecuteCodeSegment)(int, HWND);
+ void (NSISCALL *validate_filename)(char *);
+ int (NSISCALL *RegisterPluginCallback)(HMODULE, NSISPLUGINCALLBACK); // returns 0 on success, 1 if already registered and < 0 on errors
+} extra_parameters;
+
+// Definitions for page showing plug-ins
+// See Ui.c to understand better how they're used
+
+// sent to the outer window to tell it to go to the next inner window
+#define WM_NOTIFY_OUTER_NEXT (WM_USER+0x8)
+
+// custom pages should send this message to let NSIS know they're ready
+#define WM_NOTIFY_CUSTOM_READY (WM_USER+0xd)
+
+// sent as wParam with WM_NOTIFY_OUTER_NEXT when user cancels - heed its warning
+#define NOTIFY_BYE_BYE 'x'
+
+#endif /* _PLUGIN_H_ */
diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/pluginapi.h stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/pluginapi.h
--- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/pluginapi.h 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/pluginapi.h 2008-12-20 08:49:26.000000000 +0000
@@ -0,0 +1,74 @@
+#ifndef ___NSIS_PLUGIN__H___
+#define ___NSIS_PLUGIN__H___
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "api.h"
+
+#ifndef NSISCALL
+# define NSISCALL __stdcall
+#endif
+
+#define EXDLL_INIT() { \
+ g_stringsize=string_size; \
+ g_stacktop=stacktop; \
+ g_variables=variables; }
+
+typedef struct _stack_t {
+ struct _stack_t *next;
+ char text[1]; // this should be the length of string_size
+} stack_t;
+
+enum
+{
+INST_0, // $0
+INST_1, // $1
+INST_2, // $2
+INST_3, // $3
+INST_4, // $4
+INST_5, // $5
+INST_6, // $6
+INST_7, // $7
+INST_8, // $8
+INST_9, // $9
+INST_R0, // $R0
+INST_R1, // $R1
+INST_R2, // $R2
+INST_R3, // $R3
+INST_R4, // $R4
+INST_R5, // $R5
+INST_R6, // $R6
+INST_R7, // $R7
+INST_R8, // $R8
+INST_R9, // $R9
+INST_CMDLINE, // $CMDLINE
+INST_INSTDIR, // $INSTDIR
+INST_OUTDIR, // $OUTDIR
+INST_EXEDIR, // $EXEDIR
+INST_LANG, // $LANGUAGE
+__INST_LAST
+};
+
+extern unsigned int g_stringsize;
+extern stack_t **g_stacktop;
+extern char *g_variables;
+
+int NSISCALL popstring(char *str); // 0 on success, 1 on empty stack
+int NSISCALL popstringn(char *str, int maxlen); // with length limit, pass 0 for g_stringsize
+int NSISCALL popint(); // pops an integer
+int NSISCALL popint_or(); // with support for or'ing (2|4|8)
+int NSISCALL myatoi(const char *s); // converts a string to an integer
+unsigned NSISCALL myatou(const char *s); // converts a string to an unsigned integer, decimal only
+int NSISCALL myatoi_or(const char *s); // with support for or'ing (2|4|8)
+void NSISCALL pushstring(const char *str);
+void NSISCALL pushint(int value);
+char * NSISCALL getuservariable(const int varnum);
+void NSISCALL setuservariable(const int varnum, const char *var);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif//!___NSIS_PLUGIN__H___
Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/pluginapi.lib and
/tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_ansi/pluginapi.lib differ
diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/api.h stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/api.h
--- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/api.h 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/api.h 2009-09-08 15:33:04.000000000 +0000
@@ -0,0 +1,83 @@
+/*
+ * apih
+ *
+ * This file is a part of NSIS.
+ *
+ * Copyright (C) 1999-2009 Nullsoft and Contributors
+ *
+ * Licensed under the zlib/libpng license (the "License");
+ * you may not use this file except in compliance with the License.
+ *
+ * Licence details can be found in the file COPYING.
+ *
+ * This software is provided 'as-is', without any express or implied
+ * warranty.
+ */
+
+#ifndef _NSIS_EXEHEAD_API_H_
+#define _NSIS_EXEHEAD_API_H_
+
+// Starting with NSIS 2.42, you can check the version of the plugin API in exec_flags->plugin_api_version
+// The format is 0xXXXXYYYY where X is the major version and Y is the minor version (MAKELONG(y,x))
+// When doing version checks, always remember to use >=, ex: if (pX->exec_flags->plugin_api_version >= NSISPIAPIVER_1_0) {}
+
+#define NSISPIAPIVER_1_0 0x00010000
+#define NSISPIAPIVER_CURR NSISPIAPIVER_1_0
+
+// NSIS Plug-In Callback Messages
+enum NSPIM
+{
+ NSPIM_UNLOAD, // This is the last message a plugin gets, do final cleanup
+ NSPIM_GUIUNLOAD, // Called after .onGUIEnd
+};
+
+// Prototype for callbacks registered with extra_parameters->RegisterPluginCallback()
+// Return NULL for unknown messages
+// Should always be __cdecl for future expansion possibilities
+typedef UINT_PTR (*NSISPLUGINCALLBACK)(enum NSPIM);
+
+// extra_parameters data structures containing other interesting stuff
+// but the stack, variables and HWND passed on to plug-ins.
+typedef struct
+{
+ int autoclose;
+ int all_user_var;
+ int exec_error;
+ int abort;
+ int exec_reboot; // NSIS_SUPPORT_REBOOT
+ int reboot_called; // NSIS_SUPPORT_REBOOT
+ int XXX_cur_insttype; // depreacted
+ int plugin_api_version; // see NSISPIAPIVER_CURR
+ // used to be XXX_insttype_changed
+ int silent; // NSIS_CONFIG_SILENT_SUPPORT
+ int instdir_error;
+ int rtl;
+ int errlvl;
+ int alter_reg_view;
+ int status_update;
+} exec_flags_t;
+
+#ifndef NSISCALL
+# define NSISCALL __stdcall
+#endif
+
+typedef struct {
+ exec_flags_t *exec_flags;
+ int (NSISCALL *ExecuteCodeSegment)(int, HWND);
+ void (NSISCALL *validate_filename)(TCHAR *);
+ int (NSISCALL *RegisterPluginCallback)(HMODULE, NSISPLUGINCALLBACK); // returns 0 on success, 1 if already registered and < 0 on errors
+} extra_parameters;
+
+// Definitions for page showing plug-ins
+// See Ui.c to understand better how they're used
+
+// sent to the outer window to tell it to go to the next inner window
+#define WM_NOTIFY_OUTER_NEXT (WM_USER+0x8)
+
+// custom pages should send this message to let NSIS know they're ready
+#define WM_NOTIFY_CUSTOM_READY (WM_USER+0xd)
+
+// sent as wParam with WM_NOTIFY_OUTER_NEXT when user cancels - heed its warning
+#define NOTIFY_BYE_BYE 'x'
+
+#endif /* _PLUGIN_H_ */
diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/nsis_tchar.h stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/nsis_tchar.h
--- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/nsis_tchar.h 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/nsis_tchar.h 2009-01-03 15:42:08.000000000 +0000
@@ -0,0 +1,214 @@ +/* + * nsis_tchar.h + * + * This file is a part of NSIS. + * + * Copyright (C) 1999-2007 Nullsoft and Contributors + * + * This software is provided 'as-is', without any express or implied + * warranty. + * + * For Unicode support by Jim Park -- 08/30/2007 + */ + +// Jim Park: Only those we use are listed here. + +#pragma once + +#ifdef _UNICODE + +#ifndef _T +#define __T(x) L ## x +#define _T(x) __T(x) +#define _TEXT(x) __T(x) +#endif +typedef wchar_t TCHAR; +typedef wchar_t _TUCHAR; + +// program +#define _tmain wmain +#define _tWinMain wWinMain +#define _tenviron _wenviron +#define __targv __wargv + +// printfs +#define _ftprintf fwprintf +#define _sntprintf _snwprintf +#define _stprintf _swprintf +#define _tprintf wprintf +#define _vftprintf vfwprintf +#define _vsntprintf _vsnwprintf +#define _vstprintf _vswprintf + +// scanfs +#define _tscanf wscanf +#define _stscanf swscanf + +// string manipulations +#define _tcscat wcscat +#define _tcschr wcschr +#define _tcsclen wcslen +#define _tcscpy wcscpy +#define _tcsdup _wcsdup +#define _tcslen wcslen +#define _tcsnccpy wcsncpy +#define _tcsncpy wcsncpy +#define _tcsrchr wcsrchr +#define _tcsstr wcsstr +#define _tcstok wcstok + +// string comparisons +#define _tcscmp wcscmp +#define _tcsicmp _wcsicmp +#define _tcsncicmp _wcsnicmp +#define _tcsncmp wcsncmp +#define _tcsnicmp _wcsnicmp + +// upper / lower +#define _tcslwr _wcslwr +#define _tcsupr _wcsupr +#define _totlower towlower +#define _totupper towupper + +// conversions to numbers +#define _tcstoi64 _wcstoi64 +#define _tcstol wcstol +#define _tcstoul wcstoul +#define _tstof _wtof +#define _tstoi _wtoi +#define _tstoi64 _wtoi64 +#define _ttoi _wtoi +#define _ttoi64 _wtoi64 +#define _ttol _wtol + +// conversion from numbers to strings +#define _itot _itow +#define _ltot _ltow +#define _i64tot _i64tow +#define _ui64tot _ui64tow + +// file manipulations +#define _tfopen _wfopen +#define _topen _wopen +#define _tremove _wremove +#define _tunlink 
_wunlink + +// reading and writing to i/o +#define _fgettc fgetwc +#define _fgetts fgetws +#define _fputts fputws +#define _gettchar getwchar + +// directory +#define _tchdir _wchdir + +// environment +#define _tgetenv _wgetenv +#define _tsystem _wsystem + +// time +#define _tcsftime wcsftime + +#else // ANSI + +#ifndef _T +#define _T(x) x +#define _TEXT(x) x +#endif +typedef char TCHAR; +typedef unsigned char _TUCHAR; + +// program +#define _tmain main +#define _tWinMain WinMain +#define _tenviron environ +#define __targv __argv + +// printfs +#define _ftprintf fprintf +#define _sntprintf _snprintf +#define _stprintf sprintf +#define _tprintf printf +#define _vftprintf vfprintf +#define _vsntprintf _vsnprintf +#define _vstprintf vsprintf + +// scanfs +#define _tscanf scanf +#define _stscanf sscanf + +// string manipulations +#define _tcscat strcat +#define _tcschr strchr +#define _tcsclen strlen +#define _tcscnlen strnlen +#define _tcscpy strcpy +#define _tcsdup _strdup +#define _tcslen strlen +#define _tcsnccpy strncpy +#define _tcsrchr strrchr +#define _tcsstr strstr +#define _tcstok strtok + +// string comparisons +#define _tcscmp strcmp +#define _tcsicmp _stricmp +#define _tcsncmp strncmp +#define _tcsncicmp _strnicmp +#define _tcsnicmp _strnicmp + +// upper / lower +#define _tcslwr _strlwr +#define _tcsupr _strupr + +#define _totupper toupper +#define _totlower tolower + +// conversions to numbers +#define _tcstol strtol +#define _tcstoul strtoul +#define _tstof atof +#define _tstoi atoi +#define _tstoi64 _atoi64 +#define _tstoi64 _atoi64 +#define _ttoi atoi +#define _ttoi64 _atoi64 +#define _ttol atol + +// conversion from numbers to strings +#define _i64tot _i64toa +#define _itot _itoa +#define _ltot _ltoa +#define _ui64tot _ui64toa + +// file manipulations +#define _tfopen fopen +#define _topen _open +#define _tremove remove +#define _tunlink _unlink + +// reading and writing to i/o +#define _fgettc fgetc +#define _fgetts fgets +#define _fputts fputs 
+#define _gettchar getchar + +// directory +#define _tchdir _chdir + +// environment +#define _tgetenv getenv +#define _tsystem system + +// time +#define _tcsftime strftime + +#endif + +// is functions (the same in Unicode / ANSI) +#define _istgraph isgraph +#define _istascii __isascii + +#define __TFILE__ _T(__FILE__) +#define __TDATE__ _T(__DATE__) +#define __TTIME__ _T(__TIME__) diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/pluginapi.h stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/pluginapi.h --- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/pluginapi.h 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/pluginapi.h 2009-01-01 16:41:10.000000000 +0000 
@@ -0,0 +1,101 @@
+#ifndef ___NSIS_PLUGIN__H___
+#define ___NSIS_PLUGIN__H___
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "api.h"
+#include "nsis_tchar.h"
+
+#ifndef NSISCALL
+# define NSISCALL __stdcall
+#endif
+
+#define EXDLL_INIT() { \
+ g_stringsize=string_size; \
+ g_stacktop=stacktop; \
+ g_variables=variables; }
+
+typedef struct _stack_t {
+ struct _stack_t *next;
+ TCHAR text[1]; // this should be the length of string_size
+} stack_t;
+
+enum
+{
+INST_0, // $0
+INST_1, // $1
+INST_2, // $2
+INST_3, // $3
+INST_4, // $4
+INST_5, // $5
+INST_6, // $6
+INST_7, // $7
+INST_8, // $8
+INST_9, // $9
+INST_R0, // $R0
+INST_R1, // $R1
+INST_R2, // $R2
+INST_R3, // $R3
+INST_R4, // $R4
+INST_R5, // $R5
+INST_R6, // $R6
+INST_R7, // $R7
+INST_R8, // $R8
+INST_R9, // $R9
+INST_CMDLINE, // $CMDLINE
+INST_INSTDIR, // $INSTDIR
+INST_OUTDIR, // $OUTDIR
+INST_EXEDIR, // $EXEDIR
+INST_LANG, // $LANGUAGE
+__INST_LAST
+};
+
+extern unsigned int g_stringsize;
+extern stack_t **g_stacktop;
+extern TCHAR *g_variables;
+
+int NSISCALL popstring(TCHAR *str); // 0 on success, 1 on empty stack
+int NSISCALL popstringn(TCHAR *str, int maxlen); // with length limit, pass 0 for g_stringsize
+int NSISCALL popint(); // pops an integer
+int NSISCALL popint_or(); // with support for or'ing (2|4|8)
+int NSISCALL myatoi(const TCHAR *s); // converts a string to an integer
+unsigned NSISCALL myatou(const TCHAR *s); // converts a string to an unsigned integer, decimal only
+int NSISCALL myatoi_or(const TCHAR *s); // with support for or'ing (2|4|8)
+void NSISCALL pushstring(const TCHAR *str);
+void NSISCALL pushint(int value);
+TCHAR * NSISCALL getuservariable(const int varnum);
+void NSISCALL setuservariable(const int varnum, const TCHAR *var);
+
+#ifdef _UNICODE
+#define PopStringW(x) popstring(x)
+#define PushStringW(x) pushstring(x)
+#define SetUserVariableW(x,y) setuservariable(x,y)
+
+int NSISCALL PopStringA(char* ansiStr);
+void NSISCALL PushStringA(const char* ansiStr);
+void NSISCALL GetUserVariableW(const int varnum, wchar_t* wideStr);
+void NSISCALL GetUserVariableA(const int varnum, char* ansiStr);
+void NSISCALL SetUserVariableA(const int varnum, const char* ansiStr);
+
+#else
+// ANSI defs
+
+#define PopStringA(x) popstring(x)
+#define PushStringA(x) pushstring(x)
+#define SetUserVariableA(x,y) setuservariable(x,y)
+
+int NSISCALL PopStringW(wchar_t* wideStr);
+void NSISCALL PushStringW(wchar_t* wideStr);
+void NSISCALL GetUserVariableW(const int varnum, wchar_t* wideStr);
+void NSISCALL GetUserVariableA(const int varnum, char* ansiStr);
+void NSISCALL SetUserVariableW(const int varnum, const wchar_t* wideStr);
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif//!___NSIS_PLUGIN__H___
Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/pluginapi.lib and /tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/nsis_unicode/pluginapi.lib differ
diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.cpp stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.cpp
--- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.cpp 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.cpp 2010-06-03 15:23:16.000000000 +0000
@@ -0,0 +1,341 @@
+/*
+Module : ShellLink.cpp
+Purpose: NSIS Plug-in for retriving shell link information
+Created: 12/16/2003
+Last Update: 01/14/2004
+
+Copyright (c) 2004 Angelo Mandato.
+See ShellLink.html for more information
+
+
+Modified: 21/09/2005
+Author: Shengalts Aleksander aka Instructor (Shengalts@mail.ru)
+Changes: -code has been rewritten
+ -added functions to change shell link information
+ -reduced dll size 44Kb -> 4Kb
+*/
+
+// Uncomment for debugging message boxes
+//#define SHELLLINK_DEBUG
+
+#include
+#include
+
+#define xatoi
+#include "ConvFunc.h"
+
+#ifdef UNICODE
+#include "nsis_unicode\pluginapi.h"
+#else
+#include "nsis_ansi\pluginapi.h"
+#endif
+
+#define NSISFUNC(name) extern "C" void __declspec(dllexport) name(HWND hWndParent, int string_size, TCHAR* variables, stack_t** stacktop, extra_parameters* extra)
+
+#define SHELLLINKTYPE_GETARGS 1
+#define SHELLLINKTYPE_GETDESC 2
+#define SHELLLINKTYPE_GETHOTKEY 3
+#define SHELLLINKTYPE_GETICONLOC 4
+#define SHELLLINKTYPE_GETICONINDEX 5
+#define SHELLLINKTYPE_GETPATH 6
+#define SHELLLINKTYPE_GETSHOWMODE 7
+#define SHELLLINKTYPE_GETWORKINGDIR 8
+#define SHELLLINKTYPE_SETARGS 9
+#define SHELLLINKTYPE_SETDESC 10
+#define SHELLLINKTYPE_SETHOTKEY 11
+#define SHELLLINKTYPE_SETICONLOC 12
+#define SHELLLINKTYPE_SETICONINDEX 13
+#define SHELLLINKTYPE_SETPATH 14
+#define SHELLLINKTYPE_SETSHOWMODE 15
+#define SHELLLINKTYPE_SETWORKINGDIR 16
+#define SHELLLINKTYPE_SETRUNASADMIN 17
+
+void ShortCutData(int nType);
+
+//Get
+NSISFUNC(GetShortCutArgs)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETARGS);
+}
+
+NSISFUNC(GetShortCutDescription)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETDESC);
+}
+
+NSISFUNC(GetShortCutHotkey)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETHOTKEY);
+}
+
+NSISFUNC(GetShortCutIconLocation)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETICONLOC);
+}
+
+NSISFUNC(GetShortCutIconIndex)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETICONINDEX);
+}
+
+NSISFUNC(GetShortCutTarget)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETPATH);
+}
+
+NSISFUNC(GetShortCutShowMode)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETSHOWMODE);
+}
+
+NSISFUNC(GetShortCutWorkingDirectory)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_GETWORKINGDIR);
+}
+
+//Set
+NSISFUNC(SetShortCutArgs)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETARGS);
+}
+
+NSISFUNC(SetShortCutDescription)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETDESC);
+}
+
+NSISFUNC(SetShortCutHotkey)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETHOTKEY);
+}
+
+NSISFUNC(SetShortCutIconLocation)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETICONLOC);
+}
+
+NSISFUNC(SetShortCutIconIndex)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETICONINDEX);
+}
+
+NSISFUNC(SetShortCutTarget)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETPATH);
+}
+
+NSISFUNC(SetShortCutShowMode)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETSHOWMODE);
+}
+
+NSISFUNC(SetShortCutWorkingDirectory)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETWORKINGDIR);
+}
+
+NSISFUNC(SetRunAsAdministrator)
+{
+ EXDLL_INIT();
+ ShortCutData(SHELLLINKTYPE_SETRUNASADMIN);
+}
+
+void ShortCutData(int nType)
+{
+ HRESULT hRes;
+ IShellLink* psl;
+ IPersistFile* ppf;
+
+ int nBuf;
+ WORD wHotkey;
+ TCHAR* szBuf = (TCHAR*)LocalAlloc(LPTR, sizeof(TCHAR)*MAX_PATH);
+ TCHAR* szBuf2 = (TCHAR*)LocalAlloc(LPTR, sizeof(TCHAR)*MAX_PATH);
+
+ popstring(szBuf);
+ if (nType > SHELLLINKTYPE_GETWORKINGDIR) popstring(szBuf2);
+
+ hRes=CoCreateInstance(CLSID_ShellLink, NULL, CLSCTX_INPROC_SERVER, IID_IShellLink, (LPVOID*) &psl);
+ if (hRes == S_OK)
+ {
+ hRes=psl->QueryInterface(IID_IPersistFile, (LPVOID*) &ppf);
+ if (hRes == S_OK)
+ {
+#ifdef UNICODE
+ hRes=ppf->Load(szBuf, STGM_READWRITE);
+#else
+ WCHAR* wszPath = (WCHAR*)LocalAlloc(LPTR, sizeof(WCHAR)*MAX_PATH);
+ MultiByteToWideChar(CP_ACP, 0, szBuf, -1, wszPath, MAX_PATH);
+ hRes=ppf->Load(wszPath, STGM_READWRITE);
+ LocalFree(wszPath);
+#endif
+ if (hRes == S_OK)
+ {
+ if (nType <= SHELLLINKTYPE_GETWORKINGDIR)
+ {
+ //Get
+ switch(nType)
+ {
+ case SHELLLINKTYPE_GETARGS:
+ {
+ hRes=psl->GetArguments(szBuf, MAX_PATH);
+ if (hRes != S_OK) szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETDESC:
+ {
+ hRes=psl->GetDescription(szBuf, MAX_PATH);
+ if (hRes != S_OK) szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETHOTKEY:
+ {
+ hRes=psl->GetHotkey(&wHotkey);
+ if (hRes == S_OK) wsprintf(szBuf, TEXT("%d"), wHotkey);
+ else szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETICONLOC:
+ {
+ hRes=psl->GetIconLocation(szBuf, MAX_PATH, &nBuf);
+ if (hRes != S_OK) szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETICONINDEX:
+ {
+ hRes=psl->GetIconLocation(szBuf, MAX_PATH, &nBuf);
+ if (hRes == S_OK) wsprintf(szBuf, TEXT("%d"), nBuf);
+ else szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETPATH:
+ {
+ WIN32_FIND_DATA fd;
+
+ hRes=psl->GetPath(szBuf, MAX_PATH, &fd, SLGP_UNCPRIORITY);
+ if (hRes != S_OK) szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETSHOWMODE:
+ {
+ hRes=psl->GetShowCmd(&nBuf);
+ if (hRes == S_OK) wsprintf(szBuf, TEXT("%d"), nBuf);
+ else szBuf[0]='\0';
+ }; break;
+ case SHELLLINKTYPE_GETWORKINGDIR:
+ {
+ hRes=psl->GetWorkingDirectory(szBuf, MAX_PATH);
+ if (hRes != S_OK) szBuf[0]='\0';
+ }; break;
+ }
+ }
+ else
+ {
+ //Set
+ switch(nType)
+ {
+ case SHELLLINKTYPE_SETARGS:
+ {
+ hRes=psl->SetArguments(szBuf2);
+ }; break;
+ case SHELLLINKTYPE_SETDESC:
+ {
+ hRes=psl->SetDescription(szBuf2);
+ }; break;
+ case SHELLLINKTYPE_SETHOTKEY:
+ {
+ wHotkey=(unsigned short)myatoi(szBuf2);
+ hRes=psl->SetHotkey(wHotkey);
+ }; break;
+ case SHELLLINKTYPE_SETICONLOC:
+ {
+ hRes=psl->GetIconLocation(szBuf, MAX_PATH, &nBuf);
+ if (hRes == S_OK)
+ hRes=psl->SetIconLocation(szBuf2, nBuf);
+ }; break;
+ case SHELLLINKTYPE_SETICONINDEX:
+ {
+ int nBuf2;
+ nBuf=myatoi(szBuf2);
+
+ hRes=psl->GetIconLocation(szBuf, MAX_PATH, &nBuf2);
+ if (hRes == S_OK)
+ hRes=psl->SetIconLocation(szBuf, nBuf);
+ }; break;
+ case SHELLLINKTYPE_SETPATH:
+ {
+ hRes=psl->SetPath(szBuf2);
+ }; break;
+ case SHELLLINKTYPE_SETSHOWMODE:
+ {
+ nBuf=myatoi(szBuf2);
+ hRes=psl->SetShowCmd(nBuf);
+ }; break;
+ case SHELLLINKTYPE_SETWORKINGDIR:
+ {
+ hRes=psl->SetWorkingDirectory(szBuf2);
+ }; break;
+ case SHELLLINKTYPE_SETRUNASADMIN:
+ {
+ IShellLinkDataList* pdl;
+ hRes=psl->QueryInterface(IID_IShellLinkDataList, (void**)&pdl);
+ if (hRes == S_OK)
+ {
+ DWORD dwFlags = 0;
+ hRes=pdl->GetFlags(&dwFlags);
+ if (hRes == S_OK && (dwFlags & SLDF_RUNAS_USER) != SLDF_RUNAS_USER)
+ hRes=pdl->SetFlags(dwFlags | SLDF_RUNAS_USER);
+ pdl->Release();
+ }
+ }; break;
+ }
+ if (hRes == S_OK) hRes=ppf->Save(NULL, FALSE);
+ #ifdef SHELLLINK_DEBUG
+ else MessageBox(hwndParent, TEXT("ERROR: Save()"), TEXT("ShellLink plug-in"), MB_OK);
+ #endif
+ }
+ }
+ #ifdef SHELLLINK_DEBUG
+ else MessageBox(hwndParent, TEXT("ERROR: Load()"), TEXT("ShellLink plug-in"), MB_OK);
+ #endif
+ }
+ #ifdef SHELLLINK_DEBUG
+ else MessageBox(hwndParent, TEXT("CShellLink::Initialise, Failed in call to QueryInterface for IPersistFile, HRESULT was %x\n"), TEXT("ShellLink plug-in"), MB_OK);
+ #endif
+
+ // Cleanup:
+ if (ppf) ppf->Release();
+ if (psl) psl->Release();
+ }
+ #ifdef SHELLLINK_DEBUG
+ else MessageBox(hwndParent, TEXT("ERROR: CoCreateInstance()"), TEXT("ShellLink plug-in"), MB_OK);
+ #endif
+
+ if (hRes == S_OK)
+ {
+ if (nType <= SHELLLINKTYPE_GETWORKINGDIR) pushstring(szBuf);
+ else pushstring(TEXT("0"));
+ }
+ else
+ {
+ if (nType <= SHELLLINKTYPE_GETWORKINGDIR) pushstring(TEXT(""));
+ else pushstring(TEXT("-1"));
+ }
+
+ LocalFree(szBuf);
+ LocalFree(szBuf2);
+}
+
+BOOL WINAPI DllMain(HANDLE hInst, ULONG ul_reason_for_call, LPVOID lpReserved)
+{
+ return TRUE;
+}
diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsp stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsp
--- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsp 1970-01-01
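Review bot: In `ShortCutData`, `szBuf` and `szBuf2` are allocated as `MAX_PATH` TCHARs but filled with the unbounded `popstring()`, so an installer-script argument longer than `MAX_PATH-1` characters can write past the end of the heap buffer. The body of `popstring` is not part of this diff, but pluginapi.h sizes stack entries by `string_size` and documents `popstringn` as the variant "with length limit", which suggests `popstring` copies up to `g_stringsize` characters. Bound both pops with `popstringn(szBuf, MAX_PATH);` and `if (nType > SHELLLINKTYPE_GETWORKINGDIR) popstringn(szBuf2, MAX_PATH);`, or size the two buffers from `g_stringsize` instead. Both `LocalAlloc` results are also used without a NULL check, so an early `if (!szBuf || !szBuf2)` that frees what was allocated, pushes the error value and returns would keep a failed allocation from being dereferenced.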
00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsp 2005-09-21 18:24:08.000000000 +0000 
@@ -0,0 +1,108 @@ +# Microsoft Developer Studio Project File - Name="ShellLink" - Package Owner=<4> +# Microsoft Developer Studio Generated Build File, Format Version 6.00 +# ** DO NOT EDIT ** + +# TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 + +CFG=ShellLink - Win32 Debug +!MESSAGE This is not a valid makefile. To build this project using NMAKE, +!MESSAGE use the Export Makefile command and run +!MESSAGE +!MESSAGE NMAKE /f "ShellLink.mak". +!MESSAGE +!MESSAGE You can specify a configuration when running NMAKE +!MESSAGE by defining the macro CFG on the command line. For example: +!MESSAGE +!MESSAGE NMAKE /f "ShellLink.mak" CFG="ShellLink - Win32 Debug" +!MESSAGE +!MESSAGE Possible choices for configuration are: +!MESSAGE +!MESSAGE "ShellLink - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE "ShellLink - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") +!MESSAGE + +# Begin Project +# PROP AllowPerConfigDependencies 0 +# PROP Scc_ProjName "" +# PROP Scc_LocalPath "" +CPP=cl.exe +MTL=midl.exe +RSC=rc.exe + +!IF "$(CFG)" == "ShellLink - Win32 Release" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 0 +# PROP BASE Output_Dir "Release" +# PROP BASE Intermediate_Dir "Release" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 0 +# PROP Output_Dir "Release" +# PROP Intermediate_Dir "Release" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "ShellLink_EXPORTS" /YX /FD /c +# ADD CPP /nologo /MT /W3 /GX /O1 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "ShellLink_EXPORTS" /YX /FD /c +# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "NDEBUG" +# ADD RSC /l 0x409 /d "NDEBUG" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib 
gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 +# ADD LINK32 kernel32.lib user32.lib uuid.lib ole32.lib /nologo /entry:"DllMain" /dll /machine:I386 /nodefaultlib /out:"ShellLink.dll" /opt:nowin98 +# SUBTRACT LINK32 /pdb:none + +!ELSEIF "$(CFG)" == "ShellLink - Win32 Debug" + +# PROP BASE Use_MFC 0 +# PROP BASE Use_Debug_Libraries 1 +# PROP BASE Output_Dir "Debug" +# PROP BASE Intermediate_Dir "Debug" +# PROP BASE Target_Dir "" +# PROP Use_MFC 0 +# PROP Use_Debug_Libraries 1 +# PROP Output_Dir "Debug" +# PROP Intermediate_Dir "Debug" +# PROP Ignore_Export_Lib 0 +# PROP Target_Dir "" +# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "ShellLink_EXPORTS" /YX /FD /GZ /c +# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "ShellLink_EXPORTS" /YX /FD /GZ /c +# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 +# ADD BASE RSC /l 0x409 /d "_DEBUG" +# ADD RSC /l 0x409 /d "_DEBUG" +BSC32=bscmake.exe +# ADD BASE BSC32 /nologo +# ADD BSC32 /nologo +LINK32=link.exe +# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept +# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept + +!ENDIF + +# Begin Target + +# Name "ShellLink - Win32 Release" +# Name "ShellLink - Win32 Debug" +# Begin Group "Source Files" + +# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" +# Begin Source File + +SOURCE=.\ShellLink.cpp +# End Source File +# End Group +# Begin Group "Header Files" + +# PROP Default_Filter "h;hpp;hxx;hm;inl" +# End 
Group +# Begin Group "Resource Files" + +# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" +# End Group +# End Target +# End Project diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsw stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsw --- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsw 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.dsw 2005-09-21 00:19:20.000000000 +0000 @@ -0,0 +1,29 @@ +Microsoft Developer Studio Workspace File, Format Version 6.00 +# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE! + +############################################################################### + +Project: "ShellLink"=.\ShellLink.dsp - Package Owner=<4> + +Package=<5> +{{{ +}}} + +Package=<4> +{{{ +}}} + +############################################################################### + +Global: + +Package=<5> +{{{ +}}} + +Package=<3> +{{{ +}}} + +############################################################################### + diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.sln stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.sln --- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.sln 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.sln 2010-06-03 10:44:26.000000000 +0000 
@@ -0,0 +1,23 @@ + +Microsoft Visual Studio Solution File, Format Version 10.00 +# Visual Studio 2008 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellLink", "ShellLink.vcproj", "{30513246-84A4-47ED-8BCE-FFDDB6B607AE}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release Unicode|Win32 = Release Unicode|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {30513246-84A4-47ED-8BCE-FFDDB6B607AE}.Debug|Win32.ActiveCfg = Debug|Win32 + {30513246-84A4-47ED-8BCE-FFDDB6B607AE}.Debug|Win32.Build.0 = Debug|Win32 + {30513246-84A4-47ED-8BCE-FFDDB6B607AE}.Release Unicode|Win32.ActiveCfg = Release Unicode|Win32 + {30513246-84A4-47ED-8BCE-FFDDB6B607AE}.Release Unicode|Win32.Build.0 = Release Unicode|Win32 + {30513246-84A4-47ED-8BCE-FFDDB6B607AE}.Release|Win32.ActiveCfg = Release|Win32 + {30513246-84A4-47ED-8BCE-FFDDB6B607AE}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.vcproj stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.vcproj --- stunnel4-5.44/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.vcproj 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Contrib/ShellLink/ShellLink.vcproj 2010-06-03 12:01:44.000000000 +0000 
@@ -0,0 +1,359 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Docs/ShellLink/Readme.html stunnel4-5.50/tools/plugins/ShellLink/Docs/ShellLink/Readme.html --- stunnel4-5.44/tools/plugins/ShellLink/Docs/ShellLink/Readme.html 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/ShellLink/Docs/ShellLink/Readme.html 2010-06-03 15:41:04.000000000 +0000 @@ -0,0 +1,240 @@ + +ShellLink + + + + + +
+ + + +
+ + + + + +
+

ShellLink

+
+

Introduction

+

ShellLink is a NSIS plugin that allows you to read and write shell link (.lnk) files.

+

How to use

+

Make sure you have a valid path (link.lnk) to the shell link file.

+ +

Get Shortcut Working Directory

+
ShellLink::GetShortCutWorkingDirectory link.lnk
+Pop $0
+
+$0=C:\Program Files\MyProgram
+
+

Get Shortcut Target

+
ShellLink::GetShortCutTarget link.lnk
+Pop $0
+
+$0=C:\Program Files\MyProgram\run.exe
+
+

Get Shortcut Arguments

+
ShellLink::GetShortCutArgs link.lnk
+Pop $0
+
+$0=/s /d=1
+
+

Get Shortcut Icon Location

+
ShellLink::GetShortCutIconLocation link.lnk
+Pop $0
+
+$0=C:\Program Files\MyProgram\run.dll
+
+

Get Shortcut Icon Index

+
ShellLink::GetShortCutIconIndex link.lnk
+Pop $0
+
+$0=3
+
+

Get Shortcut Show Mode

+
ShellLink::GetShortCutShowMode link.lnk
+Pop $0
+
+$0=0    (SW_HIDE)
+$0=1    (SW_SHOWNORMAL or SW_NORMAL)
+$0=2    (SW_SHOWMINIMIZED)
+$0=3    (SW_SHOWMAXIMIZED or SW_MAXIMIZE)
+$0=4    (SW_SHOWNOACTIVATE)
+$0=5    (SW_SHOW)
+$0=6    (SW_MINIMIZE)
+$0=7    (SW_SHOWMINNOACTIVE)
+$0=8    (SW_SHOWNA)
+$0=9    (SW_RESTORE)
+$0=10   (SW_SHOWDEFAULT)
+$0=11   (SW_FORCEMINIMIZE or SW_MAX)
+
+

Get Shortcut Hot Keys

+
ShellLink::GetShortCutHotkey link.lnk
+Pop $0
+
+$0=634
+
+

Get Shortcut Description

+
ShellLink::GetShortCutDescription link.lnk
+Pop $0
+
+$0=My Shortcut Description
+
+ +
+

Set Shortcut Working Directory

+
ShellLink::SetShortCutWorkingDirectory link.lnk directory
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Target

+
ShellLink::SetShortCutTarget link.lnk target.file
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Arguments

+
ShellLink::SetShortCutArgs link.lnk parameters
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Icon Location

+
ShellLink::SetShortCutIconLocation link.lnk icon.file
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Icon Index

+
ShellLink::SetShortCutIconIndex link.lnk icon_index_number
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Show Mode

+
ShellLink::SetShortCutShowMode link.lnk start_options
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Hot Keys

+
ShellLink::SetShortCutHotkey link.lnk keyboard_shortcut
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut Description

+
ShellLink::SetShortCutDescription link.lnk description
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+

Set Shortcut to Run As Administrator

+
ShellLink::SetRunAsAdministrator link.lnk
+Pop $0
+
+$0=0   -no errors
+$0=-1  -error
+
+ +

Source code

+

NSIS plug-in (C++)

+

A download link to the source and DLL of this NSIS plug-in +can be found below.

+

Version history

+
    +
  • 1.2 by Afrow UK +
         -added Unicode build +
         -added SetRunAsAdministrator +
         -cleaned up code
  • +
  • 1.1 by Shengalts Aleksander aka Instructor (Shengalts@mail.ru) +
         -code has been rewritten +
         -added functions to change shell link information +
         -reduced dll size 44Kb -> 4Kb +
         -documentation updated
  • +
  • 1.0 first release of ShellLink.
  • +
+

Credits

+

Written and documented by Angelo Mandato

+

License

+
© 2004 Angelo Mandato
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute
+it freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; 
+   you must not claim that you wrote the original software.
+   If you use this software in a product, an acknowledgment in the
+   product documentation would be appreciated but is not required.
+2. Altered versions must be plainly marked as such,
+   and must not be misrepresented as being the original software.
+3. This notice may not be removed or altered from any distribution.
+
+

Download

+

Original link: http://www.spaceblue.com/downloads/shelllink.zip
NSIS Wiki: http://nsis.sourceforge.net/ShellLink_plug-in

+
diff -Nru stunnel4-5.44/tools/plugins/ShellLink/Examples/ShellLink.nsi stunnel4-5.50/tools/plugins/ShellLink/Examples/ShellLink.nsi
--- stunnel4-5.44/tools/plugins/ShellLink/Examples/ShellLink.nsi 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/ShellLink/Examples/ShellLink.nsi 2010-06-03 15:30:26.000000000 +0000
@@ -0,0 +1,119 @@
+; ShellLink.nsi
+; demonstrates how to use the ShellLink NSIS plugin.
+;
+; Created 12/16/2003
+; Last Update: 03/06/2010
+; Copyright (c) 2004 Angelo Mandato.
+;
+; 01/14/2004 - First version
+; 21/09/2005 - Shengalts Aleksander aka Instructor (Shengalts@mail.ru)
+; 03/06/2010 - Afrow UK
+
+
+!define SHELLLINKTEST "$EXEDIR\ShellLinkTest.lnk"
+
+Name "Shell Link Example"
+OutFile "ShellLink.exe"
+ShowInstDetails show
+
+Section "Shell Link Test"
+
+ ; Create test shortcut
+ SetOutPath "${NSISDIR}"
+ CreateShortCut "${SHELLLINKTEST}" "${NSISDIR}\makensisw.exe" \
+ "/parameter1 /parameter2" "${NSISDIR}\makensisw.exe" 2 SW_SHOWNORMAL \
+ "ALT|CTRL|SHIFT|F5" "a description"
+ DetailPrint ""
+
+ ; Get Shortcut Working Directory
+ ShellLink::GetShortCutWorkingDirectory "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetWorkingDirectory: $0"
+
+ ; Get Shortcut Target
+ ShellLink::GetShortCutTarget "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetTarget: $0"
+
+ ; Get Shortcut Arguments
+ ShellLink::GetShortCutArgs "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetArgs: $0"
+
+ ; Get Shortcut Icon Location
+ ShellLink::GetShortCutIconLocation "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetIconLocation: $0"
+
+ ; Get Shortcut Icon Index
+ ShellLink::GetShortCutIconIndex "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetIconIndex: $0"
+
+ ; Get Shortcut Show Mode
+ ShellLink::GetShortCutShowMode "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetShowMode: $0"
+
+ ; Get Shortcut Hotkey(s)
+ ShellLink::GetShortCutHotkey "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetHotkey: $0"
+
+ ; Get Shortcut Description
+ ShellLink::GetShortCutDescription "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "GetDescriptions: $0"
+ DetailPrint ""
+
+
+ ; Set Shortcut Working Directory
+ ShellLink::SetShortCutWorkingDirectory "${SHELLLINKTEST}" "$TEMP"
+ Pop $0
+ DetailPrint "SetWorkingDirectory: $0"
+
+ ; Set Shortcut Target
+ ShellLink::SetShortCutTarget "${SHELLLINKTEST}" "${NSISDIR}\NSIS.exe"
+ Pop $0
+ DetailPrint "SetTarget: $0"
+
+ ; Set Shortcut Arguments
+ ShellLink::SetShortCutArgs "${SHELLLINKTEST}" "-a -b -c"
+ Pop $0
+ DetailPrint "SetArgs: $0"
+
+ ; Set Shortcut Icon Location
+ ShellLink::SetShortCutIconLocation "${SHELLLINKTEST}" "$SYSDIR\shell32.dll"
+ Pop $0
+ DetailPrint "SetIconLocation: $0"
+
+ ; Set Shortcut Icon Index
+ ShellLink::SetShortCutIconIndex "${SHELLLINKTEST}" "41"
+ Pop $0
+ DetailPrint "SetIconIndex: $0"
+
+ ; Set Shortcut Show Mode
+ ShellLink::SetShortCutShowMode "${SHELLLINKTEST}" "7"
+ Pop $0
+ DetailPrint "SetShowMode: $0"
+
+ ; Set Shortcut Hotkey(s)
+ ShellLink::SetShortCutHotkey "${SHELLLINKTEST}" "634"
+ Pop $0
+ DetailPrint "SetHotkey: $0"
+
+ ; Set Shortcut Description
+ ShellLink::SetShortCutDescription "${SHELLLINKTEST}" "Some Description"
+ Pop $0
+ DetailPrint "SetDescriptions: $0"
+ DetailPrint ""
+
+ ; Set Shortcut to Run As Administrator
+ ShellLink::SetRunAsAdministrator "${SHELLLINKTEST}"
+ Pop $0
+ DetailPrint "SetRunAsAdministrator: $0"
+ DetailPrint ""
+
+SectionEnd
+
+; eof
\ No newline at end of file
Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tools/plugins/ShellLink/Plugins/ShellLink.dll and /tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tools/plugins/ShellLink/Plugins/ShellLink.dll differ
Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tools/plugins/ShellLink/Unicode/Plugins/ShellLink.dll and /tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tools/plugins/ShellLink/Unicode/Plugins/ShellLink.dll differ
diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/License.txt stunnel4-5.50/tools/plugins/SimpleFC/License.txt
--- stunnel4-5.44/tools/plugins/SimpleFC/License.txt 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/SimpleFC/License.txt 2007-04-17 16:15:12.000000000 +0000
@@ -0,0 +1,27 @@
+SimpleFC - NSIS Firewall Control Plugin - License Agreement
+
+This plugin is subject to the Mozilla Public License Version 1.1 (the "License");
+You may not use this plugin except in compliance with the License. You may
+obtain a copy of the License at http://www.mozilla.org/MPL.
+
+Alternatively, you may redistribute this library, use and/or modify it
+under the terms of the GNU Lesser General Public License as published
+by the Free Software Foundation; either version 2.1 of the License,
+or (at your option) any later version. You may obtain a copy
+of the LGPL at www.gnu.org/copyleft.
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the License.
+
+Copyright
+
+Portions of this software are Copyright (C) 2001 - Peter Windridge, 2003 by
+Bernhard Mayer, Fixed and formatted by Brett Dever http://editor.nfscheats.com/
+
+The original code is FirewallControl.pas, released April 16, 2007.
+
+The initial developer of the original code is Rainer Budde (http://www.speed-soft.de).
+
+SimpleFC - NSIS Firewall Plugin is written, published and maintaned by
+Rainer Budde (rainer@speed-soft.de).
\ No newline at end of file
diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Readme.txt stunnel4-5.50/tools/plugins/SimpleFC/Readme.txt
--- stunnel4-5.44/tools/plugins/SimpleFC/Readme.txt 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/SimpleFC/Readme.txt 2012-07-16 19:05:20.000000000 +0000
@@ -0,0 +1,321 @@
+NSIS Simple Firewall Plugin
+
+This plugin can be used to configurate the windows firewall.
+This plugin contains functions to enable, check, add or remove
+programs or ports to the firewall exception list. It also contains
+functions for checking the firewall status, enable or disable
+the firewall and so on.
+
+
+
+
+== Short Reference ==
+
+
+SimpleFC::EnableDisableFirewall [status]
+SimpleFC::IsFirewallEnabled
+
+SimpleFC::AllowDisallowExceptionsNotAllowed [status]
+SimpleFC::AreExceptionsNotAllowed
+
+SimpleFC::EnableDisableNotifications [status]
+SimpleFC::AreNotificationsEnabled
+
+SimpleFC::StartStopFirewallService [status]
+SimpleFC::IsFirewallServiceRunning
+
+SimpleFC::AddPort [port] [name] [protocol] [scope] [ip_version] [remote_addresses] [status]
+SimpleFC::IsPortAdded [port] [protocol]
+SimpleFC::RemovePort [port] [protocol]
+
+SimpleFC::IsPortEnabled [port] [protocol]
+SimpleFC::EnableDisablePort [port] [protocol]
+
+SimpleFC::AddApplication [name] [path] [scope] [ip_version] [remote_addresses] [status]
+SimpleFC::IsApplicationAdded [path]
+SimpleFC::RemoveApplication [path]
+
+SimpleFC::IsApplicationEnabled [path]
+SimpleFC::EnableDisableApplication [path]
+
+SimpleFC::RestoreDefaults
+
+SimpleFC::AllowDisallowIcmpOutboundDestinationUnreachable [status]
+SimpleFC::AllowDisallowIcmpRedirect [status]
+SimpleFC::AllowDisallowIcmpInboundEchoRequest [status]
+SimpleFC::AllowDisallowIcmpOutboundTimeExceeded [status]
+SimpleFC::AllowDisallowIcmpOutboundParameterProblem [status]
+SimpleFC::AllowDisallowIcmpOutboundSourceQuench [status]
+SimpleFC::AllowDisallowIcmpInboundRouterRequest [status]
+SimpleFC::AllowDisallowIcmpInboundTimestampRequest [status]
+SimpleFC::AllowDisallowIcmpInboundMaskRequest [status]
+SimpleFC::AllowDisallowIcmpOutboundPacketTooBig [status]
+SimpleFC::IsIcmpTypeAllowed [ip_version] [local_address] [icmp_type]
+
+SimpleFC::AdvAddRule [name] [description] [protocol] [direction]
+ [status] [profile] [action] [application] [icmp_types_and_codes]
+ [group] [local_ports] [remote_ports] [local_address] [remote_address]
+SimpleFC::AdvRemoveRule [name]
+SimpleFC::AdvExistsRule [name]
+
+
+Parameters:
+
+port - TCP/UDP port which should be opened/closed
+name - The name of the application/port/rule
+description - Description of the rule
+protocol - One of the following protocol
+ 1 - ICMPv4
+ 6 - TCP
+ 17 - UDP
+ 58 - ICMPv6
+ 256 - ANY
+scope - one of the following scope
+ 0 - All networks
+ 1 - Only local subnets
+ 2 - Custom scope
+ 3 - Max
+ NOTE: if you use custom you must define remote_addresses
+ip_version
+ 0 - IPv4
+ 1 - IPv6
+ 2 - Any version
+icmp_type
+ 3 - Outbound Destination Unreachable (ICMPv4)
+ 4 - Outbound Source Quench (ICMPv4)
+ 5 - Redirect (ICMPv4)
+ 8 - Inbound Echo Request (ICMPv4)
+ 9 - Inbound Router Request (ICMPv4)
+ 11 - Outbound Time Exceeded (ICMPv4)
+ 12 - Outbound Parameter Problem (ICMPv4)
+ 13 - Inbound Timespamp Request (ICMPv4)
+ 17 - Inbound Mask Request (ICMPv4)
+ 1 - Outbound Destination Unreachable (ICMPv6)
+ 2 - Outbound Packet Too Big (ICMPv6)
+ 3 - Outbound Time Exceeded (ICMPv6)
+ 4 - Outbound Parameter Problem (ICMPv6)
+ 128 - Inbound Echo Request (ICMPv6)
+ 137 - Redirect (ICMPv6)
+direction
+ 1 - In
+ 2 - Out
+profile
+ 1 - Domain
+ 2 - Private
+ 4 - Public
+ 2147483647 - All profiles
+action
+ 0 - Block
+ 1 - Allow
+application - Path of the application (can be empty)
+icmp_types_and_codes - Specified icmp types and codes (can be empty)
+group - Put the rule in this specified group (can be empty)
+ Note: On Vista the group must the a resource string in a exe/dll e.g. "@C:\Program Files\My Application\myapp.exe,-10000".
+ On all other operating systems it can be a string value.
+local_ports - Local ports (The protocol property must be set before - Otherwise can be empty)
+remote_ports - Remote ports (The protocol property must be set before - Otherwise can be empty)
+local_address - Local addresses from which the application can listen for traffic. (can be empty)
+remote_addresses - Remote addresses from which the port can listen for traffic (can be empty)
+status - Status of the port, application, rule, firewall or service for example enabled/disabled, start/stop or allow/disallow
+ 0 - Disabled, stop or disallow
+ 1 - Enabled, start, or allow
+
+
+
+
+== The Sample Script ==
+
+
+; Add the port 37/TCP to the firewall exception list - All Networks - All IP Version - Enabled
+ SimpleFC::AddPort 37 "My Application" 6 0 2 "" 1
+ Pop $0 ; return error(1)/success(0)
+
+; Check if the port 37/TCP is added to the firewall exception list
+ SimpleFC::IsPortAdded 37 6
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Added/0=Not added
+
+; Remove the port 37/TCP from the firewall exception list
+ SimpleFC::RemovePort 37 6
+ Pop $0 ; return error(1)/success(0)
+
+; Check if the port 37/TCP is enabled/disabled
+ SimpleFC::IsPortEnabled 37 6
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Enabled/0=Not enabled
+
+; Disable the port 37/TCP
+ SimpleFC::EnableDisablePort 37 6 0
+ Pop $0 ; return error(1)/success(0)
+
+; Enable the port 37/TCP
+ SimpleFC::EnableDisablePort 37 6 1
+ Pop $0 ; return error(1)/success(0)
+
+; Check if an application is enabled/disabled
+ SimpleFC::IsApplicationEnabled "PathToApplication"
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Enabled/0=Not enabled
+
+; Disable the application
+ SimpleFC::EnableDisableApplication "PathToApplication" 0
+ Pop $0 ; return error(1)/success(0)
+
+; Enable the application
+ SimpleFC::EnableDisableApplication "PathToApplication" 1
+ Pop $0 ; return error(1)/success(0)
+
+; Add an application to the firewall exception list - All Networks - All IP Version - Enabled
+ SimpleFC::AddApplication "My Application" "PathToApplication" 0 2 "" 1
+ Pop $0 ; return error(1)/success(0)
+
+; Check if the application is added to the firewall exception list
+ SimpleFC::IsApplicationAdded "PathToApplication"
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Added/0=Not added
+
+; Remove an application from the firewall exception list
+ SimpleFC::RemoveApplication "PathToApplication"
+ Pop $0 ; return error(1)/success(0)
+
+; Disable the windows firewall
+ SimpleFC::EnableDisableFirewall 0
+ Pop $0 ; return error(1)/success(0)
+
+; Enable the windows firewall
+ SimpleFC::EnableDisableFirewall 1
+ Pop $0 ; return error(1)/success(0)
+
+; Check if the firewall is enabled
+ SimpleFC::IsFirewallEnabled
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Enabled/0=Disabled
+
+; Enable exceptions are not allowed on the windows firewall
+ SimpleFC::AllowDisallowExceptionsNotAllowed 1
+ Pop $0 ; return error(1)/success(0)
+
+; Disable exceptions are not allowed on the windows firewall
+ SimpleFC::AllowDisallowExceptionsNotAllowed 0
+ Pop $0 ; return error(1)/success(0)
+
+; Check if exceptions are not allowed
+ SimpleFC::AreExceptionsNotAllowed
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Exceptions are not allowed is activated/0=Exception are not allowed is deactivated
+
+; Enable notifications on the windows firewall
+ SimpleFC::EnableDisableNotifications 1
+
+; Disable notifications on the windows firewall
+ SimpleFC::EnableDisableNotifications 0
+ Pop $0 ; return error(1)/success(0)
+
+; Check if notifications are enabled/disabled
+ SimpleFC::AreNotificationsEnabled
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Enabled/0=Disabled
+
+; Starts the windows firewall service
+ SimpleFC::StartStopFirewallService 1
+ Pop $0 ; return error(1)/success(0)
+
+; Stops the windows firewall service
+ SimpleFC::StartStopFirewallService 0
+ Pop $0 ; return error(1)/success(0)
+
+; Check if windows firewall service is running
+ SimpleFC::IsFirewallServiceRunning
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=IsRunning/0=Not Running
+
+; Sets the windows firewall to default settings
+ SimpleFC::RestoreDefaults
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP outbound destination unreachable state
+ SimpleFC::AllowDisallowIcmpOutboundDestinationUnreachable 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP redirect state
+ SimpleFC::AllowDisallowIcmpRedirect 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP inbound echo request
+ SimpleFC::AllowDisallowIcmpInboundEchoRequest 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP outbound time exceeded
+ SimpleFC::AllowDisallowIcmpOutboundTimeExceeded 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP outbound parameter problem
+ SimpleFC::AllowDisallowIcmpOutboundParameterProblem 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP outbound source quench
+ SimpleFC::AllowDisallowIcmpOutboundSourceQuench 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP inbound router request
+ SimpleFC::AllowDisallowIcmpInboundRouterRequest 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP inbound timestamp request
+ SimpleFC::AllowDisallowIcmpInboundTimestampRequest 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP inbound mask request
+ SimpleFC::AllowDisallowIcmpInboundMaskRequest 1
+ Pop $0 ; return error(1)/success(0)
+
+; Enable ICMP outbound packet too big
+ SimpleFC::AllowDisallowIcmpOutboundPacketTooBig 1
+ Pop $0 ; return error(1)/success(0)
+
+; Check if ICMPv4 echo request is allowed
+ SimpleFC::IsIcmpTypeAllowed "0" "" "8"
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Restricted/0=Not restricted
+ Pop $2 ; return 1=Allowed/0=Not allowed
+
+
+; Some example rules for the windows firewall with advanced security.
+; Please note this functions are very powerful, so for a detailed
+; description please read the windows firewall with advanced
+; security api reference:
+; http://msdn2.microsoft.com/en-us/library/aa365309.aspx
+
+; Adds an ICMPv4 rule to allow incoming echo reply messages (IcmpCodeAndType = 0:0)
+ SimpleFC::AdvAddRule "Echo-Reply (ICMPv4 incoming)" "Allows incoming Echo Replies messages." "1" "1" "1" "7" "1" "" "0:0" "@PathToApplication,-10000" "" "" "" ""
+ Pop $0 ; return error(1)/success(0)
+
+; Adds an ICMPv4 rule to allow incoming echo request messages (IcmpCodeAndType = 8:0)
+ SimpleFC::AdvAddRule "Echo-Request (ICMPv4 incoming)" "Allows incoming ICMP Echo messages." "1" "1" "1" "7" "1" "" "8:0" "@PathToApplication,-10000" "" "" "" ""
+ Pop $0 ; return error(1)/success(0)
+
+; Add an application rule to allow incoming TCP access on this application
+ SimpleFC::AdvAddRule "Incoming requests (TCP incoming)" "Allows incoming requests." "6" "1" "1" "7" "1" "PathToApplication" "" "@PathToApplication,-10000" "" "" "" ""
+ Pop $0 ; return error(1)/success(0)
+
+; Add an application rule to allow incoming UDP access on this application
+ SimpleFC::AdvAddRule "Incoming requests (UDP incoming)" "Allows incoming requests." "17" "1" "1" "7" "1" "PathToApplication" "" "@PathToApplication,-10000" "" "" "" ""
+ Pop $0 ; return error(1)/success(0)
+
+; Removes a firewall rule
+ SimpleFC::AdvRemoveRule "Incoming requests (UDP incoming)"
+ Pop $0 ; return error(1)/success(0)
+
+; Check if the firewall exists
+ SimpleFC::AdvExistsRule "Incoming requests (UDP incoming)"
+ Pop $0 ; return error(1)/success(0)
+ Pop $1 ; return 1=Exists/0=Doesnt exists
+
+
+
+
+== Important Note ==
+
+- This plugin is running with Windows XP SP2, Windows 2003 and Windows Vista.
+- It is recommend to check for windows firewall service is running (SimpleFC::IsFirewallServiceRunning).
+- All functions with the prefix "Adv" are only for Windows Firewall with Advanced Security (Windows Vista).
\ No newline at end of file
Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tools/plugins/SimpleFC/SimpleFC.dll and /tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tools/plugins/SimpleFC/SimpleFC.dll differ
diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/FirewallControl.pas stunnel4-5.50/tools/plugins/SimpleFC/Source/FirewallControl.pas
--- stunnel4-5.44/tools/plugins/SimpleFC/Source/FirewallControl.pas 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/SimpleFC/Source/FirewallControl.pas 2009-08-22 08:16:36.000000000 +0000
@@ -0,0 +1,1240 @@
+{
+License Agreement
+
+This content is subject to the Mozilla Public License Version 1.1 (the "License");
+You may not use this plugin except in compliance with the License. You may
+obtain a copy of the License at http://www.mozilla.org/MPL.
+
+Alternatively, you may redistribute this library, use and/or modify it
+under the terms of the GNU Lesser General Public License as published
+by the Free Software Foundation; either version 2.1 of the License,
+or (at your option) any later version. You may obtain a copy
+of the LGPL at www.gnu.org/copyleft.
+
+Software distributed under the License is distributed on an "AS IS" basis,
+WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+for the specific language governing rights and limitations under the License.
+
+The original code is FirewallControl.pas, released April 16, 2007.
+
+The initial developer of the original code is Rainer Budde (http://www.speed-soft.de).
+
+SimpleFC - NSIS Firewall Control Plugin is written, published and maintaned by
+Rainer Budde (rainer@speed-soft.de).
+}
+unit FirewallControl;
+
+interface
+
+uses
+ NetFwTypeLib_TLB, ComObj, ActiveX, Variants, SysUtils, ServiceControl;
+
+type
+ NET_FW_IP_VERSION = (
+ NET_FW_IP_VERSION_V4 = $00000000,
+ NET_FW_IP_VERSION_V6 = $00000001,
+ NET_FW_IP_VERSION_ANY = $00000002,
+ NET_FW_IP_VERSION_MAX = $00000003
+ );
+
+ NET_FW_IP_PROTOCOL = (
+ NET_FW_IP_PROTOCOL_ICMP_V4 = $00000001,
+ NET_FW_IP_PROTOCOL_ICMP_V6 = $0000003A,
+ NET_FW_IP_PROTOCOL_TCP = $00000006,
+ NET_FW_IP_PROTOCOL_UDP = $00000011,
+ NET_FW_IP_PROTOCOL_ANY = $00000100
+ );
+
+ NET_FW_ACTION = (
+ NET_FW_ACTION_BLOCK = $00000000,
+ NET_FW_ACTION_ALLOW = $00000001,
+ NET_FW_ACTION_MAX = $00000002
+ );
+
+ NET_FW_SCOPE = (
+ NET_FW_SCOPE_ALL = $00000000,
+ NET_FW_SCOPE_LOCAL_SUBNET = $00000001,
+ NET_FW_SCOPE_CUSTOM = $00000002,
+ NET_FW_SCOPE_MAX = $00000003
+ );
+
+ NET_FW_PROFILE_TYPE2 = (
+ NET_FW_PROFILE2_DOMAIN = $00000001,
+ NET_FW_PROFILE2_PRIVATE = $00000002,
+ NET_FW_PROFILE2_PUBLIC = $00000004,
+ NET_FW_PROFILE2_ALL = $7FFFFFFF
+ );
+
+ NET_FW_RULE_DIRECTION = (
+ NET_FW_RULE_DIR_IN = $00000001,
+ NET_FW_RULE_DIR_OUT = $00000002,
+ NET_FW_RULE_DIR_MAX = $00000003
+ );
+
+ NET_FW_ICMP_TYPE = (
+ NET_FW_ICMP_V4_OUTBOUND_DESTINATION_UNREACHABLE = $00000003,
+ NET_FW_ICMP_V4_OUTBOUND_SOURCE_QUENCH = $00000004,
+ NET_FW_ICMP_V4_REDIRECT = $00000005,
+ NET_FW_ICMP_V4_INBOUND_ECHO_REQUEST = $00000008,
+ NET_FW_ICMP_V4_INBOUND_ROUTER_REQUEST = $00000009,
+ NET_FW_ICMP_V4_OUTBOUND_TIME_EXCEEDED = $0000000B,
+ NET_FW_ICMP_V4_OUTBOUND_PARAMETER_PROBLEM = $0000000C,
+ NET_FW_ICMP_V4_INBOUND_TIMESTAMP_REQUEST = $0000000D,
+ NET_FW_ICMP_V4_INBOUND_MASK_REQUEST = $00000011,
+ NET_FW_ICMP_V6_OUTBOUND_DESTINATION_UNREACHABLE = $00000001,
+ NET_FW_ICMP_V6_OUTBOUND_PACKET_TOO_BIG = $00000002,
+ NET_FW_ICMP_V6_OUTBOUND_TIME_EXCEEDED = $00000003,
+ NET_FW_ICMP_V6_OUTBOUND_PARAMETER_PROBLEM = $00000004,
+ NET_FW_ICMP_V6_INBOUND_ECHO_REQUEST = $00000080,
+ NET_FW_ICMP_V6_REDIRECT = $00000089
+ );
+
+ { Functions for Windows Firewall }
+ function AddPort(Port: Integer; Name: String; Protocol: NET_FW_IP_PROTOCOL;
+ Scope: NET_FW_SCOPE; IpVersion: NET_FW_IP_VERSION; RemoteAddresses: String;
+ Enabled: Boolean): HRESULT;
+ function RemovePort(Port: Integer; Protocol: NET_FW_IP_PROTOCOL): HRESULT;
+ function AddApplication(Name: String; BinaryPath: String; Scope: NET_FW_SCOPE;
+ IpVersion: NET_FW_IP_VERSION; RemoteAdresses: String; Enabled: Boolean): HRESULT;
+ function RemoveApplication(BinaryPath: String): HRESULT;
+ function IsPortAdded(Port: Integer; Protocol: NET_FW_IP_PROTOCOL;
+ var Added: Boolean): HRESULT;
+ function IsApplicationAdded(BinaryPath: String; var Added: Boolean): HRESULT;
+ function IsPortEnabled(Port: Integer; Protocol: NET_FW_IP_PROTOCOL;
+ var Enabled: Boolean): HRESULT;
+ function IsApplicationEnabled(BinaryPath: String; var Enabled: Boolean): HRESULT;
+ function EnableDisablePort(Port: Integer; Protocol: NET_FW_IP_PROTOCOL;
+ Enabled: Boolean): HRESULT;
+ function EnableDisableApplication(BinaryPath: String; Enabled: Boolean): HRESULT;
+ function IsFirewallEnabled(var Enabled: Boolean): HRESULT;
+ function EnableDisableFirewall(Enabled: Boolean): HRESULT;
+ function AllowDisallowExceptionsNotAllowed(NotAllowed: Boolean): HRESULT;
+ function AreExceptionsNotAllowed(var NotAllowed: Boolean): HRESULT;
+ function EnableDisableNotifications(Enabled: Boolean): HRESULT;
+ function AreNotificationsEnabled(var Enabled: Boolean): HRESULT;
+ function IsFirewallServiceRunning(var IsRunning: Boolean): Boolean;
+ function StartStopFirewallService(StartService: Boolean): Boolean;
+ function RestoreDefaults: HRESULT;
+ function AllowDisallowIcmpOutboundDestinationUnreachable(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpRedirect(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpInboundEchoRequest(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpOutboundTimeExceeded(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpOutboundParameterProblem(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpOutboundSourceQuench(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpInboundRouterRequest(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpInboundTimestampRequest(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpInboundMaskRequest(Allow: Boolean): HRESULT;
+ function AllowDisallowIcmpOutboundPacketTooBig(Allow: Boolean): HRESULT;
+ function IsIcmpTypeAllowed(IpVersion: NET_FW_IP_VERSION; LocalAddress: String;
+ IcmpType: NET_FW_ICMP_TYPE; var Allowed: Boolean; var Restricted: Boolean): HRESULT;
+
+ { Functions for Windows Firewall with advanced security }
+ function AdvAddRule(Name: String; Description: String;
+ Protocol: NET_FW_IP_PROTOCOL; Direction: NET_FW_RULE_DIRECTION;
+ Enabled: Boolean; Profile: NET_FW_PROFILE_TYPE2; Action: NET_FW_ACTION;
+ ApplicationName: String; IcmpTypesAndCodes: String; Group: String;
+ LocalPorts: String; RemotePorts: String;
+ LocalAddress: String; RemoteAddress: String): HRESULT;
+ function AdvRemoveRule(Name: String): HRESULT;
+ function AdvExistsRule(Name: String; var Exists: Boolean): HRESULT;
+
+implementation
+
+const
+ FW_MGR_CLASS_NAME = 'HNetCfg.FwMgr';
+ FW_OPENPORT_CLASS_NAME = 'HNetCfg.FwOpenPort';
+ FW_AUTHORIZED_APPLICATION = 'HNetCfg.FwAuthorizedApplication';
+ FW_POLICY2_NAME = 'HNetCfg.FwPolicy2';
+ FW_RULE_NAME = 'HNetCfg.FWRule';
+ FW_SERVICE_XP_WIN2003 = 'SharedAccess';
+ FW_SERVICE_VISTA = 'MpsSvc';
+
+function CreateWideString(Value: String): PWideChar;
+var
+ WideValue: PWideChar;
+begin
+ GetMem(WideValue, Length(Value) * SizeOf(WideChar) + 1);
+ StringToWideChar(Value, WideValue, Length(Value) * SizeOf(WideChar) + 1);
+
+ Result := WideValue;
+end;
+
+procedure FreeWideString(Value: PWideChar);
+begin
+ FreeMem(Value);
+end;
+
+function AdvAddRule(Name: String; Description: String;
+ Protocol: NET_FW_IP_PROTOCOL; Direction: NET_FW_RULE_DIRECTION;
+ Enabled: Boolean; Profile: NET_FW_PROFILE_TYPE2; Action: NET_FW_ACTION;
+ ApplicationName: String; IcmpTypesAndCodes: String; Group: String;
+ LocalPorts: String; RemotePorts: String;
+ LocalAddress: String; RemoteAddress: String): HRESULT;
+const
+ NET_FW_GROUPING = '@firewallapi.dll,-23255';
+var
+ FwPolicy2Disp: IDispatch;
+ FwPolicy2: INetFwPolicy2;
+ FwRuleDisp: IDispatch;
+ FwRule: INetFwRule;
+begin
+ Result := S_OK;
+
+ try
+ FwPolicy2Disp := CreateOleObject(FW_POLICY2_NAME);
+ try
+ FwPolicy2 := INetFwPolicy2(FwPolicy2Disp);
+
+ FwRuleDisp := CreateOleObject(FW_RULE_NAME);
+ try
+ FwRule := INetFwRule(FwRuleDisp);
+ FwRule.Name := Name;
+ FwRule.Description := Description;
+ FwRule.Protocol := Integer(Protocol);
+ FwRule.Direction := Integer(Direction);
+ FwRule.Enabled := Enabled;
+ FwRule.Profiles := Integer(Profile);
+ FwRule.Action := TOleEnum(Action);
+
+ if ApplicationName <> '' then
+ FwRule.ApplicationName := ApplicationName;
+
+ if IcmpTypesAndCodes <> '' then
+ FwRule.IcmpTypesAndCodes := IcmpTypesAndCodes;
+
+ if Group <> '' then
+ FwRule.Grouping := Group
+ else
+ FwRule.Grouping := NET_FW_GROUPING;
+
+ if LocalPorts <> '' then
+ FwRule.LocalPorts := LocalPorts;
+
+ if RemotePorts <> '' then
+ FwRule.RemotePorts := RemotePorts;
+
+ if LocalAddress <> '' then
+ FwRule.LocalAddresses := LocalAddress;
+
+ if RemoteAddress <> '' then
+ FwRule.RemoteAddresses := RemoteAddress;
+
+ FwPolicy2.Rules.Add(FwRule);
+ finally
+ FwRuleDisp := Unassigned;
+ end;
+ finally
+ FwPolicy2Disp := Unassigned;
+ end;
+
+ except
+ on E:EOleSysError do
+ begin
+ Result := E.ErrorCode;
+ end;
+ end;
+end;
+
+function AdvRemoveRule(Name: String): HRESULT;
+var
+ FwPolicy2Disp: IDispatch;
+ FwPolicy2: INetFwPolicy2;
+begin
+ Result := S_OK;
+
+ try
+ FwPolicy2Disp := CreateOleObject(FW_POLICY2_NAME);
+ try
+ FwPolicy2 := INetFwPolicy2(FwPolicy2Disp);
+ FwPolicy2.Rules.Remove(Name);
+ finally
+ FwPolicy2Disp := Unassigned;
+ end;
+
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AdvExistsRule(Name: String; var Exists: Boolean): HRESULT;
+var
+ FwPolicy2Disp: IDispatch;
+ FwPolicy2: INetFwPolicy2;
+ FwRule: INetFwRule;
+ FwRuleInstances: IEnumVariant;
+ TempFwRuleObj: OleVariant;
+ TempObjValue: Cardinal;
+ EnumerateNext: Boolean;
+begin
+ Result := S_OK;
+ EnumerateNext := True;
+
+ try
+ FwPolicy2Disp := CreateOleObject(FW_POLICY2_NAME);
+ try
+ FwPolicy2 := INetFwPolicy2(FwPolicy2Disp);
+
+ FwRuleInstances := FwPolicy2.Rules.Get__NewEnum as IEnumVariant;
+
+ while EnumerateNext and not Exists do
+ if FwRuleInstances.Next(1, TempFwRuleObj, TempObjValue) <> 0 then
+ EnumerateNext := False
+ else
+ begin
+ FwRule := IUnknown(TempFwRuleObj) as INetFwRule;
+
+ Exists := LowerCase(FwRule.Name) = LowerCase(Name);
+ end;
+ finally
+ FwPolicy2Disp := Unassigned;
+ end;
+
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AddPort(Port: Integer; Name: String; Protocol: NET_FW_IP_PROTOCOL;
+ Scope: NET_FW_SCOPE; IpVersion: NET_FW_IP_VERSION; RemoteAddresses: String;
+ Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwOpenPortDisp: IDispatch;
+ FwOpenPort: INetFwOpenPort;
+ RemoteAddressesW: PWideChar;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+
+ FwOpenPortDisp := CreateOleObject(FW_OPENPORT_CLASS_NAME);
+ try
+ FwOpenPort := INetFwOpenPort(FwOpenPortDisp);
+
+ GetMem(RemoteAddressesW, Length(RemoteAddresses) * SizeOf(WideChar) + 1);
+ try
+ StringToWideChar(RemoteAddresses, RemoteAddressesW, Length(RemoteAddresses) * SizeOf(WideChar) + 1);
+
+ FwOpenPort.Port := Port;
+ FwOpenPort.Name := Name;
+ FwOpenPort.Protocol := TOleEnum(Protocol);
+
+ if (Scope = NET_FW_SCOPE_ALL) or (Scope = NET_FW_SCOPE_LOCAL_SUBNET) then
+ FwOpenPort.Scope := TOleEnum(Scope)
+ else
+ FwOpenPort.RemoteAddresses := RemoteAddressesW;
+
+ FwOpenPort.IpVersion := TOleEnum(IpVersion);
+ FwOpenPort.Enabled := Enabled;
+
+ FwProfile.GloballyOpenPorts.Add(FwOpenPort);
+
+ finally
+ FreeMem(RemoteAddressesW);
+ end;
+
+ finally
+ FwOpenPortDisp := Unassigned;
+ end;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function RemovePort(Port: Integer; Protocol: NET_FW_IP_PROTOCOL): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.GloballyOpenPorts.Remove(Port, TOleEnum(Protocol));
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AddApplication(Name: String; BinaryPath: String; Scope: NET_FW_SCOPE;
+ IpVersion: NET_FW_IP_VERSION; RemoteAdresses: String;
+ Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwAppDisp: IDispatch;
+ FwApp: INetFwAuthorizedApplication;
+ RemoteAddressesW: PWideChar;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+
+ FwAppDisp := CreateOleObject(FW_AUTHORIZED_APPLICATION);
+ try
+ FwApp := INetFwAuthorizedApplication(FwAppDisp);
+
+ GetMem(RemoteAddressesW, Length(RemoteAdresses) * SizeOf(WideChar) + 1);
+ try
+ StringToWideChar(RemoteAdresses, RemoteAddressesW, Length(RemoteAdresses) * SizeOf(WideChar) + 1);
+
+ FwApp.Name := Name;
+ FwApp.ProcessImageFileName := BinaryPath;
+
+ if (Scope = NET_FW_SCOPE_ALL) or (Scope = NET_FW_SCOPE_LOCAL_SUBNET) then
+ FwApp.Scope := TOleEnum(Scope)
+ else
+ FwApp.RemoteAddresses := RemoteAddressesW;
+
+ FwApp.IpVersion := TOleEnum(IpVersion);
+ FwApp.Enabled := Enabled;
+
+ FwProfile.AuthorizedApplications.Add(FwApp);
+
+ finally
+ FreeMem(RemoteAddressesW)
+ end;
+ finally
+ FwAppDisp := Unassigned;
+ end;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function RemoveApplication(BinaryPath: String): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.AuthorizedApplications.Remove(BinaryPath);
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function IsPortAdded(Port: Integer; Protocol: NET_FW_IP_PROTOCOL;
+ var Added: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwOpenPort: INetFwOpenPort;
+ FwOpenPortInstances: IEnumVariant;
+ TempFwPortObj: OleVariant;
+ TempObjValue: Cardinal;
+ EnumerateNext: Boolean;
+begin
+ Result := S_OK;
+ Added := False;
+ EnumerateNext := True;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwOpenPortInstances := FwProfile.GloballyOpenPorts.Get__NewEnum as IEnumVariant;
+
+ while EnumerateNext and not Added do
+ if FwOpenPortInstances.Next(1, TempFwPortObj, TempObjValue) <> 0 then
+ EnumerateNext := False
+ else
+ begin
+ FwOpenPort := IUnknown(TempFwPortObj) as INetFwOpenPort;
+
+ Added := (FwOpenPort.Port = Port) and (FwOpenPort.Protocol = TOleEnum(Protocol))
+ end;
+
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function IsApplicationAdded(BinaryPath: String; var Added: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwApp: INetFwAuthorizedApplication;
+ FwAppInstances: IEnumVariant;
+ TempFwApp: OleVariant;
+ TempObjValue: Cardinal;
+ EnumerateNext: Boolean;
+begin
+ Result := S_OK;
+ Added := False;
+ EnumerateNext := True;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwAppInstances := FwProfile.AuthorizedApplications.Get__NewEnum as IEnumVariant;
+
+ while EnumerateNext and not Added do
+ if FwAppInstances.Next(1, TempFwApp, TempObjValue) <> 0 then
+ EnumerateNext := False
+ else
+ begin
+ FwApp := IUnknown(TempFwApp) as INetFwAuthorizedApplication;
+
+ Added := LowerCase(FwApp.ProcessImageFileName) = LowerCase(BinaryPath)
+ end;
+
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function IsPortEnabled(Port: Integer; Protocol: NET_FW_IP_PROTOCOL;
+ var Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwOpenPort: INetFwOpenPort;
+ FwOpenPortInstances: IEnumVariant;
+ TempFwPortObj: OleVariant;
+ TempObjValue: Cardinal;
+ EnumerateNext: Boolean;
+begin
+ Result := S_OK;
+ Enabled := False;
+ EnumerateNext := True;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwOpenPortInstances := FwProfile.GloballyOpenPorts.Get__NewEnum as IEnumVariant;
+
+ while EnumerateNext do
+ if FwOpenPortInstances.Next(1, TempFwPortObj, TempObjValue) <> 0 then
+ EnumerateNext := False
+ else
+ begin
+ FwOpenPort := IUnknown(TempFwPortObj) as INetFwOpenPort;
+
+ if (FwOpenPort.Port = Port) and (FwOpenPort.Protocol = TOleEnum(Protocol)) then
+ begin
+ Enabled := FwOpenPort.Enabled;
+ EnumerateNext := False;
+ end;
+
+ end;
+
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function IsApplicationEnabled(BinaryPath: String;
+ var Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwApp: INetFwAuthorizedApplication;
+ FwAppInstances: IEnumVariant;
+ TempFwApp: OleVariant;
+ TempObjValue: Cardinal;
+ EnumerateNext: Boolean;
+begin
+ Result := S_OK;
+ Enabled := False;
+ EnumerateNext := True;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwAppInstances := FwProfile.AuthorizedApplications.Get__NewEnum as IEnumVariant;
+
+ while EnumerateNext do
+ if FwAppInstances.Next(1, TempFwApp, TempObjValue) <> 0 then
+ EnumerateNext := False
+ else
+ begin
+ FwApp := IUnknown(TempFwApp) as INetFwAuthorizedApplication;
+
+ if LowerCase(FwApp.ProcessImageFileName) = LowerCase(BinaryPath) then
+ begin
+ Enabled := FwApp.Enabled;
+ EnumerateNext := False;
+ end;
+
+ end;
+
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function EnableDisablePort(Port: Integer; Protocol: NET_FW_IP_PROTOCOL;
+ Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+ FwOpenPort: INetFwOpenPort;
+ FwOpenPortInstances: IEnumVariant;
+ TempFwPortObj: OleVariant;
+ TempObjValue: Cardinal;
+ EnumerateNext: Boolean;
+begin
+ Result := S_FALSE;
+ EnumerateNext := True;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwOpenPortInstances := FwProfile.GloballyOpenPorts.Get__NewEnum as IEnumVariant;
+
+ while EnumerateNext do
+ if FwOpenPortInstances.Next(1, TempFwPortObj, TempObjValue) <> 0 then
+ EnumerateNext := False
+ else
+ begin
+ FwOpenPort := IUnknown(TempFwPortObj) as INetFwOpenPort;
+
+ if (FwOpenPort.Port = Port) and (FwOpenPort.Protocol = TOleEnum(Protocol)) then
+ begin
+ FwOpenPort.Enabled := Enabled;
+ EnumerateNext := False;
+ Result := S_OK;
+ end;
+ end;
+
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end; +end; + +function EnableDisableApplication(BinaryPath: String; Enabled: Boolean): HRESULT; +var + FwMgrDisp: IDispatch; + FwMgr: INetFwMgr; + FwProfile: INetFwProfile; + FwApp: INetFwAuthorizedApplication; + FwAppInstances: IEnumVariant; + TempFwApp: OleVariant; + TempObjValue: Cardinal; + EnumerateNext: Boolean; +begin + Result := S_FALSE; + EnumerateNext := True; + + try + FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME); + try + FwMgr := INetFwMgr(FwMgrDisp); + + FwProfile := FwMgr.LocalPolicy.CurrentProfile; + FwAppInstances := FwProfile.AuthorizedApplications.Get__NewEnum as IEnumVariant; + + while EnumerateNext do + if FwAppInstances.Next(1, TempFwApp, TempObjValue) <> 0 then + EnumerateNext := False + else + begin + FwApp := IUnknown(TempFwApp) as INetFwAuthorizedApplication; + + if LowerCase(FwApp.ProcessImageFileName) = LowerCase(BinaryPath) then + begin + FwApp.Enabled := Enabled; + EnumerateNext := False; + Result := S_OK; + end; + + end; + + finally + FwMgrDisp := Unassigned; + end; + except + on E:EOleSysError do + Result := E.ErrorCode; + end; +end; + +function IsFirewallEnabled(var Enabled: Boolean): HRESULT; +var + FwMgrDisp: IDispatch; + FwMgr: INetFwMgr; + FwProfile: INetFwProfile; +begin + Result := S_OK; + + try + FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME); + try + FwMgr := INetFwMgr(FwMgrDisp); + + FwProfile := FwMgr.LocalPolicy.CurrentProfile; + Enabled := FwProfile.FirewallEnabled + finally + FwMgrDisp := Unassigned; + end; + except + on E:EOleSysError do + Result := E.ErrorCode; + end; +end; + +function EnableDisableFirewall(Enabled: Boolean): HRESULT; +var + FwMgrDisp: IDispatch; + FwMgr: INetFwMgr; + FwProfile: INetFwProfile; +begin + Result := S_OK; + + try + FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME); + try + FwMgr := INetFwMgr(FwMgrDisp); + + FwProfile := FwMgr.LocalPolicy.CurrentProfile; + FwProfile.FirewallEnabled := Enabled; + finally + FwMgrDisp := Unassigned; + end; + except + on E:EOleSysError do + Result := 
E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowExceptionsNotAllowed(NotAllowed: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.ExceptionsNotAllowed := NotAllowed;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AreExceptionsNotAllowed(var NotAllowed: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ NotAllowed := FwProfile.ExceptionsNotAllowed;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function EnableDisableNotifications(Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.NotificationsDisabled := not Enabled;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AreNotificationsEnabled(var Enabled: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ Enabled := not FwProfile.NotificationsDisabled;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function
IsFirewallServiceRunning(var IsRunning: Boolean): Boolean;
+begin
+ IsRunning := False;
+
+ try
+ if ServiceControl.ExistsService(FW_SERVICE_VISTA) = 0 then
+ if ServiceControl.ServiceIsRunning(FW_SERVICE_VISTA, IsRunning) = 0 then
+ begin
+ Result := True;
+ Exit;
+ end;
+
+ if ServiceControl.ExistsService(FW_SERVICE_XP_WIN2003) = 0 then
+ if ServiceControl.ServiceIsRunning(FW_SERVICE_XP_WIN2003, IsRunning) = 0 then
+ begin
+ Result := True;
+ Exit;
+ end;
+
+ Result := True;
+ except
+ Result := False;
+ end;
+end;
+
+function StartStopFirewallService(StartService: Boolean): Boolean;
+begin
+ Result := False;
+
+ try
+ if ServiceControl.ExistsService(FW_SERVICE_VISTA) = 0 then
+ begin
+ if StartService then
+ begin
+ if ServiceControl.StartService(FW_SERVICE_VISTA, '') = 0 then
+ begin
+ Result := True;
+ Exit;
+ end;
+ end
+ else
+ if ServiceControl.StopService(FW_SERVICE_VISTA) = 0 then
+ begin
+ Result := True;
+ Exit;
+ end;
+ end;
+
+ if ServiceControl.ExistsService(FW_SERVICE_XP_WIN2003) = 0 then
+ begin
+ if StartService then
+ begin
+ if ServiceControl.StartService(FW_SERVICE_XP_WIN2003, '') = 0 then
+ begin
+ Result := True;
+ Exit;
+ end;
+ end
+ else
+ if ServiceControl.StopService(FW_SERVICE_XP_WIN2003) = 0 then
+ begin
+ Result := True;
+ Exit;
+ end;
+ end;
+
+ except
+ Result := False;
+ end;
+
+end;
+
+function RestoreDefaults: HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+ FwMgr.RestoreDefaults;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpOutboundDestinationUnreachable(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile :=
FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowOutboundDestinationUnreachable := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpRedirect(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowRedirect := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpInboundEchoRequest(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowInboundEchoRequest := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpOutboundTimeExceeded(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowOutboundTimeExceeded := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpOutboundParameterProblem(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile :=
FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowOutboundParameterProblem := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpOutboundSourceQuench(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowOutboundSourceQuench := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpInboundRouterRequest(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowInboundRouterRequest := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpInboundTimestampRequest(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowInboundTimestampRequest := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpInboundMaskRequest(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowInboundMaskRequest := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function AllowDisallowIcmpOutboundPacketTooBig(Allow: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ FwProfile: INetFwProfile;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+
+ FwProfile := FwMgr.LocalPolicy.CurrentProfile;
+ FwProfile.IcmpSettings.AllowOutboundPacketTooBig := Allow;
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+function IsIcmpTypeAllowed(IpVersion: NET_FW_IP_VERSION; LocalAddress: String;
+ IcmpType: NET_FW_ICMP_TYPE; var Allowed: Boolean; var Restricted: Boolean): HRESULT;
+var
+ FwMgrDisp: IDispatch;
+ FwMgr: INetFwMgr;
+ TempAllowed: OleVariant;
+ Temprestricted: OleVariant;
+begin
+ Result := S_OK;
+
+ try
+ FwMgrDisp := CreateOleObject(FW_MGR_CLASS_NAME);
+ try
+ FwMgr := INetFwMgr(FwMgrDisp);
+ FwMgr.IsIcmpTypeAllowed(TOleEnum(IpVersion), LocalAddress, Byte(IcmpType), TempAllowed, TempRestricted);
+
+ Allowed := Boolean(TempAllowed);
+ Restricted := Boolean(TempRestricted);
+ finally
+ FwMgrDisp := Unassigned;
+ end;
+ except
+ on E:EOleSysError do
+ Result := E.ErrorCode;
+ end;
+end;
+
+end.
Binary files /tmp/tmpjcTEVz/mRy7sTzFtK/stunnel4-5.44/tools/plugins/SimpleFC/Source/NetFwTypeLib_TLB.dcr and /tmp/tmpjcTEVz/3j6jrSNFz8/stunnel4-5.50/tools/plugins/SimpleFC/Source/NetFwTypeLib_TLB.dcr differ
diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/NetFwTypeLib_TLB.pas stunnel4-5.50/tools/plugins/SimpleFC/Source/NetFwTypeLib_TLB.pas
--- stunnel4-5.44/tools/plugins/SimpleFC/Source/NetFwTypeLib_TLB.pas 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/SimpleFC/Source/NetFwTypeLib_TLB.pas 2007-05-20 14:34:08.000000000 +0000
@@ -0,0 +1,850 @@ +unit NetFwTypeLib_TLB; + +// ************************************************************************ // +// WARNUNG +// ------- +// Die in dieser Datei deklarierten Typen wurden aus Daten einer Typbibliothek +// generiert. Wenn diese Typbibliothek explizit oder indirekt (ber eine +// andere Typbibliothek) reimportiert wird oder wenn die Anweisung +// 'Aktualisieren' im Typbibliotheks-Editor whrend des Bearbeitens der +// Typbibliothek aktiviert ist, wird der Inhalt dieser Datei neu generiert und +// alle manuell vorgenommenen nderungen gehen verloren. +// ************************************************************************ // + +// PASTLWTR : $Revision: 1.130.1.0.1.0.1.6 $ +// Datei generiert am 20.05.2007 16:34:09 aus der unten beschriebenen Typbibliothek. + +// ************************************************************************ // +// Type Lib: FirewallAPI.dll (1) +// LIBID: {58FBCF7C-E7A9-467C-80B3-FC65E8FCCA08} +// LCID: 0 +// Helpfile: +// DepndLst: +// (1) v2.0 stdole, (C:\WINDOWS\system32\stdole2.tlb) +// (2) v4.0 StdVCL, (C:\WINDOWS\system32\stdvcl40.dll) +// Fehler +// Hinweis: Element 'Type' von 'INetFwService' gendert in 'Type_' +// Hinweis: Parameter 'Type' im INetFwService.Type gendert in 'Type_' +// Hinweis: Element 'Type' von 'INetFwProfile' gendert in 'Type_' +// Hinweis: Parameter 'Type' im INetFwProfile.Type gendert in 'Type_' +// Hinweis: Parameter 'Type' im INetFwMgr.IsIcmpTypeAllowed gendert in 'Type_' +// Hinweis: Element 'Type' von 'INetFwService' gendert in 'Type_' +// Hinweis: Element 'Type' von 'INetFwProfile' gendert in 'Type_' +// ************************************************************************ // +// *************************************************************************// +// HINWEIS: +// Von $IFDEF_LIVE_SERVER_AT_DESIGN_TIME berwachte Eintrge, werden von +// Eigenschaften verwendet, die Objekte zurckgeben, die explizit mit einen Funktionsaufruf +// vor dem Zugriff ber die Eigenschaft erzeugt 
werden mssen. Diese Eintrge wurden deaktiviert, +// um deren unbeabsichtigte Benutzung im Objektinspektor zu verhindern. Sie knnen sie +// aktivieren, indem Sie LIVE_SERVER_AT_DESIGN_TIME definieren oder sie selektiv +// aus den $IFDEF-Blcken entfernen. Solche Eintrge mssen jedoch programmseitig +// mit einer Methode der geeigneten CoClass vor der Verwendung +// erzeugt werden. +{$TYPEDADDRESS OFF} // Unit mu ohne Typberprfung fr Zeiger compiliert werden. +{$WARN SYMBOL_PLATFORM OFF} +{$WRITEABLECONST ON} +{$VARPROPSETTER ON} +interface + +uses Windows, ActiveX, Classes, Graphics, StdVCL, Variants; + + +// *********************************************************************// +// In dieser Typbibliothek deklarierte GUIDS . Es werden folgende +// Prfixe verwendet: +// Typbibliotheken : LIBID_xxxx +// CoClasses : CLASS_xxxx +// DISPInterfaces : DIID_xxxx +// Nicht-DISP-Schnittstellen: IID_xxxx +// *********************************************************************// +const + // Haupt- und Nebenversionen der Typbibliothek + NetFwTypeLibMajorVersion = 1; + NetFwTypeLibMinorVersion = 0; + + LIBID_NetFwTypeLib: TGUID = '{58FBCF7C-E7A9-467C-80B3-FC65E8FCCA08}'; + + IID_INetFwRemoteAdminSettings: TGUID = '{D4BECDDF-6F73-4A83-B832-9C66874CD20E}'; + IID_INetFwIcmpSettings: TGUID = '{A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD}'; + IID_INetFwOpenPort: TGUID = '{E0483BA0-47FF-4D9C-A6D6-7741D0B195F7}'; + IID_INetFwOpenPorts: TGUID = '{C0E9D7FA-E07E-430A-B19A-090CE82D92E2}'; + IID_INetFwService: TGUID = '{79FD57C8-908E-4A36-9888-D5B3F0A444CF}'; + IID_INetFwServices: TGUID = '{79649BB4-903E-421B-94C9-79848E79F6EE}'; + IID_INetFwAuthorizedApplication: TGUID = '{B5E64FFA-C2C5-444E-A301-FB5E00018050}'; + IID_INetFwAuthorizedApplications: TGUID = '{644EFD52-CCF9-486C-97A2-39F352570B30}'; + IID_INetFwServiceRestriction: TGUID = '{8267BBE3-F890-491C-B7B6-2DB1EF0E5D2B}'; + IID_INetFwRules: TGUID = '{9C4C6277-5027-441E-AFAE-CA1F542DA009}'; + IID_INetFwRule: TGUID = 
'{AF230D27-BABA-4E42-ACED-F524F22CFCE2}'; + IID_INetFwProfile: TGUID = '{174A0DDA-E9F9-449D-993B-21AB667CA456}'; + IID_INetFwPolicy: TGUID = '{D46D2478-9AC9-4008-9DC7-5563CE5536CC}'; + IID_INetFwPolicy2: TGUID = '{98325047-C671-4174-8D81-DEFCD3F03186}'; + IID_INetFwMgr: TGUID = '{F7898AF5-CAC4-4632-A2EC-DA06E5111AF2}'; + +// *********************************************************************// +// Deklaration von in der Typbibliothek definierten Enumerationen +// *********************************************************************// +// Konstanten fr enum NET_FW_IP_VERSION_ +type + NET_FW_IP_VERSION_ = TOleEnum; +const + NET_FW_IP_VERSION_V4 = $00000000; + NET_FW_IP_VERSION_V6 = $00000001; + NET_FW_IP_VERSION_ANY = $00000002; + NET_FW_IP_VERSION_MAX = $00000003; + +// Konstanten fr enum NET_FW_SCOPE_ +type + NET_FW_SCOPE_ = TOleEnum; +const + NET_FW_SCOPE_ALL = $00000000; + NET_FW_SCOPE_LOCAL_SUBNET = $00000001; + NET_FW_SCOPE_CUSTOM = $00000002; + NET_FW_SCOPE_MAX = $00000003; + +// Konstanten fr enum NET_FW_IP_PROTOCOL_ +type + NET_FW_IP_PROTOCOL_ = TOleEnum; +const + NET_FW_IP_PROTOCOL_TCP = $00000006; + NET_FW_IP_PROTOCOL_UDP = $00000011; + NET_FW_IP_PROTOCOL_ANY = $00000100; + +// Konstanten fr enum NET_FW_SERVICE_TYPE_ +type + NET_FW_SERVICE_TYPE_ = TOleEnum; +const + NET_FW_SERVICE_FILE_AND_PRINT = $00000000; + NET_FW_SERVICE_UPNP = $00000001; + NET_FW_SERVICE_REMOTE_DESKTOP = $00000002; + NET_FW_SERVICE_NONE = $00000003; + NET_FW_SERVICE_TYPE_MAX = $00000004; + +// Konstanten fr enum NET_FW_RULE_DIRECTION_ +type + NET_FW_RULE_DIRECTION_ = TOleEnum; +const + NET_FW_RULE_DIR_IN = $00000001; + NET_FW_RULE_DIR_OUT = $00000002; + NET_FW_RULE_DIR_MAX = $00000003; + +// Konstanten fr enum NET_FW_ACTION_ +type + NET_FW_ACTION_ = TOleEnum; +const + NET_FW_ACTION_BLOCK = $00000000; + NET_FW_ACTION_ALLOW = $00000001; + NET_FW_ACTION_MAX = $00000002; + +// Konstanten fr enum NET_FW_PROFILE_TYPE_ +type + NET_FW_PROFILE_TYPE_ = TOleEnum; +const + NET_FW_PROFILE_DOMAIN 
= $00000000; + NET_FW_PROFILE_STANDARD = $00000001; + NET_FW_PROFILE_CURRENT = $00000002; + NET_FW_PROFILE_TYPE_MAX = $00000003; + +// Konstanten fr enum NET_FW_PROFILE_TYPE2_ +type + NET_FW_PROFILE_TYPE2_ = TOleEnum; +const + NET_FW_PROFILE2_DOMAIN = $00000001; + NET_FW_PROFILE2_PRIVATE = $00000002; + NET_FW_PROFILE2_PUBLIC = $00000004; + NET_FW_PROFILE2_ALL = $7FFFFFFF; + +// Konstanten fr enum NET_FW_MODIFY_STATE_ +type + NET_FW_MODIFY_STATE_ = TOleEnum; +const + NET_FW_MODIFY_STATE_OK = $00000000; + NET_FW_MODIFY_STATE_GP_OVERRIDE = $00000001; + NET_FW_MODIFY_STATE_INBOUND_BLOCKED = $00000002; + +type + +// *********************************************************************// +// Forward-Deklaration von in der Typbibliothek definierten Typen +// *********************************************************************// + INetFwRemoteAdminSettings = interface; + INetFwRemoteAdminSettingsDisp = dispinterface; + INetFwIcmpSettings = interface; + INetFwIcmpSettingsDisp = dispinterface; + INetFwOpenPort = interface; + INetFwOpenPortDisp = dispinterface; + INetFwOpenPorts = interface; + INetFwOpenPortsDisp = dispinterface; + INetFwService = interface; + INetFwServiceDisp = dispinterface; + INetFwServices = interface; + INetFwServicesDisp = dispinterface; + INetFwAuthorizedApplication = interface; + INetFwAuthorizedApplicationDisp = dispinterface; + INetFwAuthorizedApplications = interface; + INetFwAuthorizedApplicationsDisp = dispinterface; + INetFwServiceRestriction = interface; + INetFwServiceRestrictionDisp = dispinterface; + INetFwRules = interface; + INetFwRulesDisp = dispinterface; + INetFwRule = interface; + INetFwRuleDisp = dispinterface; + INetFwProfile = interface; + INetFwProfileDisp = dispinterface; + INetFwPolicy = interface; + INetFwPolicyDisp = dispinterface; + INetFwPolicy2 = interface; + INetFwPolicy2Disp = dispinterface; + INetFwMgr = interface; + INetFwMgrDisp = dispinterface; + +// 
*********************************************************************// +// Schnittstelle: INetFwRemoteAdminSettings +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {D4BECDDF-6F73-4A83-B832-9C66874CD20E} +// *********************************************************************// + INetFwRemoteAdminSettings = interface(IDispatch) + ['{D4BECDDF-6F73-4A83-B832-9C66874CD20E}'] + function Get_IpVersion: NET_FW_IP_VERSION_; safecall; + procedure Set_IpVersion(IpVersion: NET_FW_IP_VERSION_); safecall; + function Get_Scope: NET_FW_SCOPE_; safecall; + procedure Set_Scope(Scope: NET_FW_SCOPE_); safecall; + function Get_RemoteAddresses: WideString; safecall; + procedure Set_RemoteAddresses(const remoteAddrs: WideString); safecall; + function Get_Enabled: WordBool; safecall; + procedure Set_Enabled(Enabled: WordBool); safecall; + property IpVersion: NET_FW_IP_VERSION_ read Get_IpVersion write Set_IpVersion; + property Scope: NET_FW_SCOPE_ read Get_Scope write Set_Scope; + property RemoteAddresses: WideString read Get_RemoteAddresses write Set_RemoteAddresses; + property Enabled: WordBool read Get_Enabled write Set_Enabled; + end; + +// *********************************************************************// +// DispIntf: INetFwRemoteAdminSettingsDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {D4BECDDF-6F73-4A83-B832-9C66874CD20E} +// *********************************************************************// + INetFwRemoteAdminSettingsDisp = dispinterface + ['{D4BECDDF-6F73-4A83-B832-9C66874CD20E}'] + property IpVersion: NET_FW_IP_VERSION_ dispid 1; + property Scope: NET_FW_SCOPE_ dispid 2; + property RemoteAddresses: WideString dispid 3; + property Enabled: WordBool dispid 4; + end; + +// *********************************************************************// +// Schnittstelle: INetFwIcmpSettings +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD} +// 
*********************************************************************// + INetFwIcmpSettings = interface(IDispatch) + ['{A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD}'] + function Get_AllowOutboundDestinationUnreachable: WordBool; safecall; + procedure Set_AllowOutboundDestinationUnreachable(allow: WordBool); safecall; + function Get_AllowRedirect: WordBool; safecall; + procedure Set_AllowRedirect(allow: WordBool); safecall; + function Get_AllowInboundEchoRequest: WordBool; safecall; + procedure Set_AllowInboundEchoRequest(allow: WordBool); safecall; + function Get_AllowOutboundTimeExceeded: WordBool; safecall; + procedure Set_AllowOutboundTimeExceeded(allow: WordBool); safecall; + function Get_AllowOutboundParameterProblem: WordBool; safecall; + procedure Set_AllowOutboundParameterProblem(allow: WordBool); safecall; + function Get_AllowOutboundSourceQuench: WordBool; safecall; + procedure Set_AllowOutboundSourceQuench(allow: WordBool); safecall; + function Get_AllowInboundRouterRequest: WordBool; safecall; + procedure Set_AllowInboundRouterRequest(allow: WordBool); safecall; + function Get_AllowInboundTimestampRequest: WordBool; safecall; + procedure Set_AllowInboundTimestampRequest(allow: WordBool); safecall; + function Get_AllowInboundMaskRequest: WordBool; safecall; + procedure Set_AllowInboundMaskRequest(allow: WordBool); safecall; + function Get_AllowOutboundPacketTooBig: WordBool; safecall; + procedure Set_AllowOutboundPacketTooBig(allow: WordBool); safecall; + property AllowOutboundDestinationUnreachable: WordBool read Get_AllowOutboundDestinationUnreachable write Set_AllowOutboundDestinationUnreachable; + property AllowRedirect: WordBool read Get_AllowRedirect write Set_AllowRedirect; + property AllowInboundEchoRequest: WordBool read Get_AllowInboundEchoRequest write Set_AllowInboundEchoRequest; + property AllowOutboundTimeExceeded: WordBool read Get_AllowOutboundTimeExceeded write Set_AllowOutboundTimeExceeded; + property AllowOutboundParameterProblem: WordBool 
read Get_AllowOutboundParameterProblem write Set_AllowOutboundParameterProblem; + property AllowOutboundSourceQuench: WordBool read Get_AllowOutboundSourceQuench write Set_AllowOutboundSourceQuench; + property AllowInboundRouterRequest: WordBool read Get_AllowInboundRouterRequest write Set_AllowInboundRouterRequest; + property AllowInboundTimestampRequest: WordBool read Get_AllowInboundTimestampRequest write Set_AllowInboundTimestampRequest; + property AllowInboundMaskRequest: WordBool read Get_AllowInboundMaskRequest write Set_AllowInboundMaskRequest; + property AllowOutboundPacketTooBig: WordBool read Get_AllowOutboundPacketTooBig write Set_AllowOutboundPacketTooBig; + end; + +// *********************************************************************// +// DispIntf: INetFwIcmpSettingsDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD} +// *********************************************************************// + INetFwIcmpSettingsDisp = dispinterface + ['{A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD}'] + property AllowOutboundDestinationUnreachable: WordBool dispid 1; + property AllowRedirect: WordBool dispid 2; + property AllowInboundEchoRequest: WordBool dispid 3; + property AllowOutboundTimeExceeded: WordBool dispid 4; + property AllowOutboundParameterProblem: WordBool dispid 5; + property AllowOutboundSourceQuench: WordBool dispid 6; + property AllowInboundRouterRequest: WordBool dispid 7; + property AllowInboundTimestampRequest: WordBool dispid 8; + property AllowInboundMaskRequest: WordBool dispid 9; + property AllowOutboundPacketTooBig: WordBool dispid 10; + end; + +// *********************************************************************// +// Schnittstelle: INetFwOpenPort +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {E0483BA0-47FF-4D9C-A6D6-7741D0B195F7} +// *********************************************************************// + INetFwOpenPort = interface(IDispatch) + 
['{E0483BA0-47FF-4D9C-A6D6-7741D0B195F7}'] + function Get_Name: WideString; safecall; + procedure Set_Name(const Name: WideString); safecall; + function Get_IpVersion: NET_FW_IP_VERSION_; safecall; + procedure Set_IpVersion(IpVersion: NET_FW_IP_VERSION_); safecall; + function Get_Protocol: NET_FW_IP_PROTOCOL_; safecall; + procedure Set_Protocol(ipProtocol: NET_FW_IP_PROTOCOL_); safecall; + function Get_Port: Integer; safecall; + procedure Set_Port(portNumber: Integer); safecall; + function Get_Scope: NET_FW_SCOPE_; safecall; + procedure Set_Scope(Scope: NET_FW_SCOPE_); safecall; + function Get_RemoteAddresses: WideString; safecall; + procedure Set_RemoteAddresses(const remoteAddrs: WideString); safecall; + function Get_Enabled: WordBool; safecall; + procedure Set_Enabled(Enabled: WordBool); safecall; + function Get_BuiltIn: WordBool; safecall; + property Name: WideString read Get_Name write Set_Name; + property IpVersion: NET_FW_IP_VERSION_ read Get_IpVersion write Set_IpVersion; + property Protocol: NET_FW_IP_PROTOCOL_ read Get_Protocol write Set_Protocol; + property Port: Integer read Get_Port write Set_Port; + property Scope: NET_FW_SCOPE_ read Get_Scope write Set_Scope; + property RemoteAddresses: WideString read Get_RemoteAddresses write Set_RemoteAddresses; + property Enabled: WordBool read Get_Enabled write Set_Enabled; + property BuiltIn: WordBool read Get_BuiltIn; + end; + +// *********************************************************************// +// DispIntf: INetFwOpenPortDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {E0483BA0-47FF-4D9C-A6D6-7741D0B195F7} +// *********************************************************************// + INetFwOpenPortDisp = dispinterface + ['{E0483BA0-47FF-4D9C-A6D6-7741D0B195F7}'] + property Name: WideString dispid 1; + property IpVersion: NET_FW_IP_VERSION_ dispid 2; + property Protocol: NET_FW_IP_PROTOCOL_ dispid 3; + property Port: Integer dispid 4; + property Scope: NET_FW_SCOPE_ dispid 5; + property 
RemoteAddresses: WideString dispid 6; + property Enabled: WordBool dispid 7; + property BuiltIn: WordBool readonly dispid 8; + end; + +// *********************************************************************// +// Schnittstelle: INetFwOpenPorts +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {C0E9D7FA-E07E-430A-B19A-090CE82D92E2} +// *********************************************************************// + INetFwOpenPorts = interface(IDispatch) + ['{C0E9D7FA-E07E-430A-B19A-090CE82D92E2}'] + function Get_Count: Integer; safecall; + procedure Add(const Port: INetFwOpenPort); safecall; + procedure Remove(portNumber: Integer; ipProtocol: NET_FW_IP_PROTOCOL_); safecall; + function Item(portNumber: Integer; ipProtocol: NET_FW_IP_PROTOCOL_): INetFwOpenPort; safecall; + function Get__NewEnum: IUnknown; safecall; + property Count: Integer read Get_Count; + property _NewEnum: IUnknown read Get__NewEnum; + end; + +// *********************************************************************// +// DispIntf: INetFwOpenPortsDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {C0E9D7FA-E07E-430A-B19A-090CE82D92E2} +// *********************************************************************// + INetFwOpenPortsDisp = dispinterface + ['{C0E9D7FA-E07E-430A-B19A-090CE82D92E2}'] + property Count: Integer readonly dispid 1; + procedure Add(const Port: INetFwOpenPort); dispid 2; + procedure Remove(portNumber: Integer; ipProtocol: NET_FW_IP_PROTOCOL_); dispid 3; + function Item(portNumber: Integer; ipProtocol: NET_FW_IP_PROTOCOL_): INetFwOpenPort; dispid 4; + property _NewEnum: IUnknown readonly dispid -4; + end; + +// *********************************************************************// +// Schnittstelle: INetFwService +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {79FD57C8-908E-4A36-9888-D5B3F0A444CF} +// *********************************************************************// + INetFwService = interface(IDispatch) + 
['{79FD57C8-908E-4A36-9888-D5B3F0A444CF}'] + function Get_Name: WideString; safecall; + function Get_Type_: NET_FW_SERVICE_TYPE_; safecall; + function Get_Customized: WordBool; safecall; + function Get_IpVersion: NET_FW_IP_VERSION_; safecall; + procedure Set_IpVersion(IpVersion: NET_FW_IP_VERSION_); safecall; + function Get_Scope: NET_FW_SCOPE_; safecall; + procedure Set_Scope(Scope: NET_FW_SCOPE_); safecall; + function Get_RemoteAddresses: WideString; safecall; + procedure Set_RemoteAddresses(const remoteAddrs: WideString); safecall; + function Get_Enabled: WordBool; safecall; + procedure Set_Enabled(Enabled: WordBool); safecall; + function Get_GloballyOpenPorts: INetFwOpenPorts; safecall; + property Name: WideString read Get_Name; + property Type_: NET_FW_SERVICE_TYPE_ read Get_Type_; + property Customized: WordBool read Get_Customized; + property IpVersion: NET_FW_IP_VERSION_ read Get_IpVersion write Set_IpVersion; + property Scope: NET_FW_SCOPE_ read Get_Scope write Set_Scope; + property RemoteAddresses: WideString read Get_RemoteAddresses write Set_RemoteAddresses; + property Enabled: WordBool read Get_Enabled write Set_Enabled; + property GloballyOpenPorts: INetFwOpenPorts read Get_GloballyOpenPorts; + end; + +// *********************************************************************// +// DispIntf: INetFwServiceDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {79FD57C8-908E-4A36-9888-D5B3F0A444CF} +// *********************************************************************// + INetFwServiceDisp = dispinterface + ['{79FD57C8-908E-4A36-9888-D5B3F0A444CF}'] + property Name: WideString readonly dispid 1; + property Type_: NET_FW_SERVICE_TYPE_ readonly dispid 2; + property Customized: WordBool readonly dispid 3; + property IpVersion: NET_FW_IP_VERSION_ dispid 4; + property Scope: NET_FW_SCOPE_ dispid 5; + property RemoteAddresses: WideString dispid 6; + property Enabled: WordBool dispid 7; + property GloballyOpenPorts: INetFwOpenPorts readonly dispid 
8; + end; + +// *********************************************************************// +// Schnittstelle: INetFwServices +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {79649BB4-903E-421B-94C9-79848E79F6EE} +// *********************************************************************// + INetFwServices = interface(IDispatch) + ['{79649BB4-903E-421B-94C9-79848E79F6EE}'] + function Get_Count: Integer; safecall; + function Item(svcType: NET_FW_SERVICE_TYPE_): INetFwService; safecall; + function Get__NewEnum: IUnknown; safecall; + property Count: Integer read Get_Count; + property _NewEnum: IUnknown read Get__NewEnum; + end; + +// *********************************************************************// +// DispIntf: INetFwServicesDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {79649BB4-903E-421B-94C9-79848E79F6EE} +// *********************************************************************// + INetFwServicesDisp = dispinterface + ['{79649BB4-903E-421B-94C9-79848E79F6EE}'] + property Count: Integer readonly dispid 1; + function Item(svcType: NET_FW_SERVICE_TYPE_): INetFwService; dispid 2; + property _NewEnum: IUnknown readonly dispid -4; + end; + +// *********************************************************************// +// Schnittstelle: INetFwAuthorizedApplication +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {B5E64FFA-C2C5-444E-A301-FB5E00018050} +// *********************************************************************// + INetFwAuthorizedApplication = interface(IDispatch) + ['{B5E64FFA-C2C5-444E-A301-FB5E00018050}'] + function Get_Name: WideString; safecall; + procedure Set_Name(const Name: WideString); safecall; + function Get_ProcessImageFileName: WideString; safecall; + procedure Set_ProcessImageFileName(const imageFileName: WideString); safecall; + function Get_IpVersion: NET_FW_IP_VERSION_; safecall; + procedure Set_IpVersion(IpVersion: NET_FW_IP_VERSION_); safecall; + function Get_Scope: NET_FW_SCOPE_; safecall; + 
procedure Set_Scope(Scope: NET_FW_SCOPE_); safecall; + function Get_RemoteAddresses: WideString; safecall; + procedure Set_RemoteAddresses(const remoteAddrs: WideString); safecall; + function Get_Enabled: WordBool; safecall; + procedure Set_Enabled(Enabled: WordBool); safecall; + property Name: WideString read Get_Name write Set_Name; + property ProcessImageFileName: WideString read Get_ProcessImageFileName write Set_ProcessImageFileName; + property IpVersion: NET_FW_IP_VERSION_ read Get_IpVersion write Set_IpVersion; + property Scope: NET_FW_SCOPE_ read Get_Scope write Set_Scope; + property RemoteAddresses: WideString read Get_RemoteAddresses write Set_RemoteAddresses; + property Enabled: WordBool read Get_Enabled write Set_Enabled; + end; + +// *********************************************************************// +// DispIntf: INetFwAuthorizedApplicationDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {B5E64FFA-C2C5-444E-A301-FB5E00018050} +// *********************************************************************// + INetFwAuthorizedApplicationDisp = dispinterface + ['{B5E64FFA-C2C5-444E-A301-FB5E00018050}'] + property Name: WideString dispid 1; + property ProcessImageFileName: WideString dispid 2; + property IpVersion: NET_FW_IP_VERSION_ dispid 3; + property Scope: NET_FW_SCOPE_ dispid 4; + property RemoteAddresses: WideString dispid 5; + property Enabled: WordBool dispid 6; + end; + +// *********************************************************************// +// Schnittstelle: INetFwAuthorizedApplications +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {644EFD52-CCF9-486C-97A2-39F352570B30} +// *********************************************************************// + INetFwAuthorizedApplications = interface(IDispatch) + ['{644EFD52-CCF9-486C-97A2-39F352570B30}'] + function Get_Count: Integer; safecall; + procedure Add(const app: INetFwAuthorizedApplication); safecall; + procedure Remove(const imageFileName: WideString); safecall; + 
function Item(const imageFileName: WideString): INetFwAuthorizedApplication; safecall; + function Get__NewEnum: IUnknown; safecall; + property Count: Integer read Get_Count; + property _NewEnum: IUnknown read Get__NewEnum; + end; + +// *********************************************************************// +// DispIntf: INetFwAuthorizedApplicationsDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {644EFD52-CCF9-486C-97A2-39F352570B30} +// *********************************************************************// + INetFwAuthorizedApplicationsDisp = dispinterface + ['{644EFD52-CCF9-486C-97A2-39F352570B30}'] + property Count: Integer readonly dispid 1; + procedure Add(const app: INetFwAuthorizedApplication); dispid 2; + procedure Remove(const imageFileName: WideString); dispid 3; + function Item(const imageFileName: WideString): INetFwAuthorizedApplication; dispid 4; + property _NewEnum: IUnknown readonly dispid -4; + end; + +// *********************************************************************// +// Schnittstelle: INetFwServiceRestriction +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {8267BBE3-F890-491C-B7B6-2DB1EF0E5D2B} +// *********************************************************************// + INetFwServiceRestriction = interface(IDispatch) + ['{8267BBE3-F890-491C-B7B6-2DB1EF0E5D2B}'] + procedure RestrictService(const serviceName: WideString; const appName: WideString; + RestrictService: WordBool; serviceSidRestricted: WordBool); safecall; + function ServiceRestricted(const serviceName: WideString; const appName: WideString): WordBool; safecall; + function Get_Rules: INetFwRules; safecall; + property Rules: INetFwRules read Get_Rules; + end; + +// *********************************************************************// +// DispIntf: INetFwServiceRestrictionDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {8267BBE3-F890-491C-B7B6-2DB1EF0E5D2B} +// *********************************************************************// 
+ INetFwServiceRestrictionDisp = dispinterface + ['{8267BBE3-F890-491C-B7B6-2DB1EF0E5D2B}'] + procedure RestrictService(const serviceName: WideString; const appName: WideString; + RestrictService: WordBool; serviceSidRestricted: WordBool); dispid 1; + function ServiceRestricted(const serviceName: WideString; const appName: WideString): WordBool; dispid 2; + property Rules: INetFwRules readonly dispid 3; + end; + +// *********************************************************************// +// Schnittstelle: INetFwRules +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {9C4C6277-5027-441E-AFAE-CA1F542DA009} +// *********************************************************************// + INetFwRules = interface(IDispatch) + ['{9C4C6277-5027-441E-AFAE-CA1F542DA009}'] + function Get_Count: Integer; safecall; + procedure Add(const rule: INetFwRule); safecall; + procedure Remove(const Name: WideString); safecall; + function Item(const Name: WideString): INetFwRule; safecall; + function Get__NewEnum: IUnknown; safecall; + property Count: Integer read Get_Count; + property _NewEnum: IUnknown read Get__NewEnum; + end; + +// *********************************************************************// +// DispIntf: INetFwRulesDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {9C4C6277-5027-441E-AFAE-CA1F542DA009} +// *********************************************************************// + INetFwRulesDisp = dispinterface + ['{9C4C6277-5027-441E-AFAE-CA1F542DA009}'] + property Count: Integer readonly dispid 1; + procedure Add(const rule: INetFwRule); dispid 2; + procedure Remove(const Name: WideString); dispid 3; + function Item(const Name: WideString): INetFwRule; dispid 4; + property _NewEnum: IUnknown readonly dispid -4; + end; + +// *********************************************************************// +// Schnittstelle: INetFwRule +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {AF230D27-BABA-4E42-ACED-F524F22CFCE2} +// 
*********************************************************************// + INetFwRule = interface(IDispatch) + ['{AF230D27-BABA-4E42-ACED-F524F22CFCE2}'] + function Get_Name: WideString; safecall; + procedure Set_Name(const Name: WideString); safecall; + function Get_Description: WideString; safecall; + procedure Set_Description(const desc: WideString); safecall; + function Get_ApplicationName: WideString; safecall; + procedure Set_ApplicationName(const imageFileName: WideString); safecall; + function Get_serviceName: WideString; safecall; + procedure Set_serviceName(const serviceName: WideString); safecall; + function Get_Protocol: Integer; safecall; + procedure Set_Protocol(Protocol: Integer); safecall; + function Get_LocalPorts: WideString; safecall; + procedure Set_LocalPorts(const portNumbers: WideString); safecall; + function Get_RemotePorts: WideString; safecall; + procedure Set_RemotePorts(const portNumbers: WideString); safecall; + function Get_LocalAddresses: WideString; safecall; + procedure Set_LocalAddresses(const localAddrs: WideString); safecall; + function Get_RemoteAddresses: WideString; safecall; + procedure Set_RemoteAddresses(const remoteAddrs: WideString); safecall; + function Get_IcmpTypesAndCodes: WideString; safecall; + procedure Set_IcmpTypesAndCodes(const IcmpTypesAndCodes: WideString); safecall; + function Get_Direction: NET_FW_RULE_DIRECTION_; safecall; + procedure Set_Direction(dir: NET_FW_RULE_DIRECTION_); safecall; + function Get_Interfaces: OleVariant; safecall; + procedure Set_Interfaces(Interfaces: OleVariant); safecall; + function Get_InterfaceTypes: WideString; safecall; + procedure Set_InterfaceTypes(const InterfaceTypes: WideString); safecall; + function Get_Enabled: WordBool; safecall; + procedure Set_Enabled(Enabled: WordBool); safecall; + function Get_Grouping: WideString; safecall; + procedure Set_Grouping(const context: WideString); safecall; + function Get_Profiles: Integer; safecall; + procedure 
Set_Profiles(profileTypesBitmask: Integer); safecall; + function Get_EdgeTraversal: WordBool; safecall; + procedure Set_EdgeTraversal(Enabled: WordBool); safecall; + function Get_Action: NET_FW_ACTION_; safecall; + procedure Set_Action(Action: NET_FW_ACTION_); safecall; + property Name: WideString read Get_Name write Set_Name; + property Description: WideString read Get_Description write Set_Description; + property ApplicationName: WideString read Get_ApplicationName write Set_ApplicationName; + property serviceName: WideString read Get_serviceName write Set_serviceName; + property Protocol: Integer read Get_Protocol write Set_Protocol; + property LocalPorts: WideString read Get_LocalPorts write Set_LocalPorts; + property RemotePorts: WideString read Get_RemotePorts write Set_RemotePorts; + property LocalAddresses: WideString read Get_LocalAddresses write Set_LocalAddresses; + property RemoteAddresses: WideString read Get_RemoteAddresses write Set_RemoteAddresses; + property IcmpTypesAndCodes: WideString read Get_IcmpTypesAndCodes write Set_IcmpTypesAndCodes; + property Direction: NET_FW_RULE_DIRECTION_ read Get_Direction write Set_Direction; + property Interfaces: OleVariant read Get_Interfaces write Set_Interfaces; + property InterfaceTypes: WideString read Get_InterfaceTypes write Set_InterfaceTypes; + property Enabled: WordBool read Get_Enabled write Set_Enabled; + property Grouping: WideString read Get_Grouping write Set_Grouping; + property Profiles: Integer read Get_Profiles write Set_Profiles; + property EdgeTraversal: WordBool read Get_EdgeTraversal write Set_EdgeTraversal; + property Action: NET_FW_ACTION_ read Get_Action write Set_Action; + end; + +// *********************************************************************// +// DispIntf: INetFwRuleDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {AF230D27-BABA-4E42-ACED-F524F22CFCE2} +// *********************************************************************// + INetFwRuleDisp = dispinterface 
+ ['{AF230D27-BABA-4E42-ACED-F524F22CFCE2}'] + property Name: WideString dispid 1; + property Description: WideString dispid 2; + property ApplicationName: WideString dispid 3; + property serviceName: WideString dispid 4; + property Protocol: Integer dispid 5; + property LocalPorts: WideString dispid 6; + property RemotePorts: WideString dispid 7; + property LocalAddresses: WideString dispid 8; + property RemoteAddresses: WideString dispid 9; + property IcmpTypesAndCodes: WideString dispid 10; + property Direction: NET_FW_RULE_DIRECTION_ dispid 11; + property Interfaces: OleVariant dispid 12; + property InterfaceTypes: WideString dispid 13; + property Enabled: WordBool dispid 14; + property Grouping: WideString dispid 15; + property Profiles: Integer dispid 16; + property EdgeTraversal: WordBool dispid 17; + property Action: NET_FW_ACTION_ dispid 18; + end; + +// *********************************************************************// +// Schnittstelle: INetFwProfile +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {174A0DDA-E9F9-449D-993B-21AB667CA456} +// *********************************************************************// + INetFwProfile = interface(IDispatch) + ['{174A0DDA-E9F9-449D-993B-21AB667CA456}'] + function Get_Type_: NET_FW_PROFILE_TYPE_; safecall; + function Get_FirewallEnabled: WordBool; safecall; + procedure Set_FirewallEnabled(Enabled: WordBool); safecall; + function Get_ExceptionsNotAllowed: WordBool; safecall; + procedure Set_ExceptionsNotAllowed(notAllowed: WordBool); safecall; + function Get_NotificationsDisabled: WordBool; safecall; + procedure Set_NotificationsDisabled(disabled: WordBool); safecall; + function Get_UnicastResponsesToMulticastBroadcastDisabled: WordBool; safecall; + procedure Set_UnicastResponsesToMulticastBroadcastDisabled(disabled: WordBool); safecall; + function Get_RemoteAdminSettings: INetFwRemoteAdminSettings; safecall; + function Get_IcmpSettings: INetFwIcmpSettings; safecall; + function 
Get_GloballyOpenPorts: INetFwOpenPorts; safecall; + function Get_Services: INetFwServices; safecall; + function Get_AuthorizedApplications: INetFwAuthorizedApplications; safecall; + property Type_: NET_FW_PROFILE_TYPE_ read Get_Type_; + property FirewallEnabled: WordBool read Get_FirewallEnabled write Set_FirewallEnabled; + property ExceptionsNotAllowed: WordBool read Get_ExceptionsNotAllowed write Set_ExceptionsNotAllowed; + property NotificationsDisabled: WordBool read Get_NotificationsDisabled write Set_NotificationsDisabled; + property UnicastResponsesToMulticastBroadcastDisabled: WordBool read Get_UnicastResponsesToMulticastBroadcastDisabled write Set_UnicastResponsesToMulticastBroadcastDisabled; + property RemoteAdminSettings: INetFwRemoteAdminSettings read Get_RemoteAdminSettings; + property IcmpSettings: INetFwIcmpSettings read Get_IcmpSettings; + property GloballyOpenPorts: INetFwOpenPorts read Get_GloballyOpenPorts; + property Services: INetFwServices read Get_Services; + property AuthorizedApplications: INetFwAuthorizedApplications read Get_AuthorizedApplications; + end; + +// *********************************************************************// +// DispIntf: INetFwProfileDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {174A0DDA-E9F9-449D-993B-21AB667CA456} +// *********************************************************************// + INetFwProfileDisp = dispinterface + ['{174A0DDA-E9F9-449D-993B-21AB667CA456}'] + property Type_: NET_FW_PROFILE_TYPE_ readonly dispid 1; + property FirewallEnabled: WordBool dispid 2; + property ExceptionsNotAllowed: WordBool dispid 3; + property NotificationsDisabled: WordBool dispid 4; + property UnicastResponsesToMulticastBroadcastDisabled: WordBool dispid 5; + property RemoteAdminSettings: INetFwRemoteAdminSettings readonly dispid 6; + property IcmpSettings: INetFwIcmpSettings readonly dispid 7; + property GloballyOpenPorts: INetFwOpenPorts readonly dispid 8; + property Services: INetFwServices 
readonly dispid 9; + property AuthorizedApplications: INetFwAuthorizedApplications readonly dispid 10; + end; + +// *********************************************************************// +// Schnittstelle: INetFwPolicy +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {D46D2478-9AC9-4008-9DC7-5563CE5536CC} +// *********************************************************************// + INetFwPolicy = interface(IDispatch) + ['{D46D2478-9AC9-4008-9DC7-5563CE5536CC}'] + function Get_CurrentProfile: INetFwProfile; safecall; + function GetProfileByType(profileType: NET_FW_PROFILE_TYPE_): INetFwProfile; safecall; + property CurrentProfile: INetFwProfile read Get_CurrentProfile; + end; + +// *********************************************************************// +// DispIntf: INetFwPolicyDisp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {D46D2478-9AC9-4008-9DC7-5563CE5536CC} +// *********************************************************************// + INetFwPolicyDisp = dispinterface + ['{D46D2478-9AC9-4008-9DC7-5563CE5536CC}'] + property CurrentProfile: INetFwProfile readonly dispid 1; + function GetProfileByType(profileType: NET_FW_PROFILE_TYPE_): INetFwProfile; dispid 2; + end; + +// *********************************************************************// +// Schnittstelle: INetFwPolicy2 +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {98325047-C671-4174-8D81-DEFCD3F03186} +// *********************************************************************// + INetFwPolicy2 = interface(IDispatch) + ['{98325047-C671-4174-8D81-DEFCD3F03186}'] + function Get_CurrentProfileTypes: Integer; safecall; + function Get_FirewallEnabled(profileType: NET_FW_PROFILE_TYPE2_): WordBool; safecall; + procedure Set_FirewallEnabled(profileType: NET_FW_PROFILE_TYPE2_; Enabled: WordBool); safecall; + function Get_ExcludedInterfaces(profileType: NET_FW_PROFILE_TYPE2_): OleVariant; safecall; + procedure Set_ExcludedInterfaces(profileType: NET_FW_PROFILE_TYPE2_; 
Interfaces: OleVariant); safecall; + function Get_BlockAllInboundTraffic(profileType: NET_FW_PROFILE_TYPE2_): WordBool; safecall; + procedure Set_BlockAllInboundTraffic(profileType: NET_FW_PROFILE_TYPE2_; Block: WordBool); safecall; + function Get_NotificationsDisabled(profileType: NET_FW_PROFILE_TYPE2_): WordBool; safecall; + procedure Set_NotificationsDisabled(profileType: NET_FW_PROFILE_TYPE2_; disabled: WordBool); safecall; + function Get_UnicastResponsesToMulticastBroadcastDisabled(profileType: NET_FW_PROFILE_TYPE2_): WordBool; safecall; + procedure Set_UnicastResponsesToMulticastBroadcastDisabled(profileType: NET_FW_PROFILE_TYPE2_; + disabled: WordBool); safecall; + function Get_Rules: INetFwRules; safecall; + function Get_ServiceRestriction: INetFwServiceRestriction; safecall; + procedure EnableRuleGroup(profileTypesBitmask: Integer; const group: WideString; + enable: WordBool); safecall; + function IsRuleGroupEnabled(profileTypesBitmask: Integer; const group: WideString): WordBool; safecall; + procedure RestoreLocalFirewallDefaults; safecall; + function Get_DefaultInboundAction(profileType: NET_FW_PROFILE_TYPE2_): NET_FW_ACTION_; safecall; + procedure Set_DefaultInboundAction(profileType: NET_FW_PROFILE_TYPE2_; Action: NET_FW_ACTION_); safecall; + function Get_DefaultOutboundAction(profileType: NET_FW_PROFILE_TYPE2_): NET_FW_ACTION_; safecall; + procedure Set_DefaultOutboundAction(profileType: NET_FW_PROFILE_TYPE2_; Action: NET_FW_ACTION_); safecall; + function Get_IsRuleGroupCurrentlyEnabled(const group: WideString): WordBool; safecall; + function Get_LocalPolicyModifyState: NET_FW_MODIFY_STATE_; safecall; + property CurrentProfileTypes: Integer read Get_CurrentProfileTypes; + property FirewallEnabled[profileType: NET_FW_PROFILE_TYPE2_]: WordBool read Get_FirewallEnabled write Set_FirewallEnabled; + property ExcludedInterfaces[profileType: NET_FW_PROFILE_TYPE2_]: OleVariant read Get_ExcludedInterfaces write Set_ExcludedInterfaces; + property 
BlockAllInboundTraffic[profileType: NET_FW_PROFILE_TYPE2_]: WordBool read Get_BlockAllInboundTraffic write Set_BlockAllInboundTraffic; + property NotificationsDisabled[profileType: NET_FW_PROFILE_TYPE2_]: WordBool read Get_NotificationsDisabled write Set_NotificationsDisabled; + property UnicastResponsesToMulticastBroadcastDisabled[profileType: NET_FW_PROFILE_TYPE2_]: WordBool read Get_UnicastResponsesToMulticastBroadcastDisabled write Set_UnicastResponsesToMulticastBroadcastDisabled; + property Rules: INetFwRules read Get_Rules; + property ServiceRestriction: INetFwServiceRestriction read Get_ServiceRestriction; + property DefaultInboundAction[profileType: NET_FW_PROFILE_TYPE2_]: NET_FW_ACTION_ read Get_DefaultInboundAction write Set_DefaultInboundAction; + property DefaultOutboundAction[profileType: NET_FW_PROFILE_TYPE2_]: NET_FW_ACTION_ read Get_DefaultOutboundAction write Set_DefaultOutboundAction; + property IsRuleGroupCurrentlyEnabled[const group: WideString]: WordBool read Get_IsRuleGroupCurrentlyEnabled; + property LocalPolicyModifyState: NET_FW_MODIFY_STATE_ read Get_LocalPolicyModifyState; + end; + +// *********************************************************************// +// DispIntf: INetFwPolicy2Disp +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {98325047-C671-4174-8D81-DEFCD3F03186} +// *********************************************************************// + INetFwPolicy2Disp = dispinterface + ['{98325047-C671-4174-8D81-DEFCD3F03186}'] + property CurrentProfileTypes: Integer readonly dispid 1; + property FirewallEnabled[profileType: NET_FW_PROFILE_TYPE2_]: WordBool dispid 2; + property ExcludedInterfaces[profileType: NET_FW_PROFILE_TYPE2_]: OleVariant dispid 3; + property BlockAllInboundTraffic[profileType: NET_FW_PROFILE_TYPE2_]: WordBool dispid 4; + property NotificationsDisabled[profileType: NET_FW_PROFILE_TYPE2_]: WordBool dispid 5; + property UnicastResponsesToMulticastBroadcastDisabled[profileType: NET_FW_PROFILE_TYPE2_]: 
WordBool dispid 6; + property Rules: INetFwRules readonly dispid 7; + property ServiceRestriction: INetFwServiceRestriction readonly dispid 8; + procedure EnableRuleGroup(profileTypesBitmask: Integer; const group: WideString; + enable: WordBool); dispid 9; + function IsRuleGroupEnabled(profileTypesBitmask: Integer; const group: WideString): WordBool; dispid 10; + procedure RestoreLocalFirewallDefaults; dispid 11; + property DefaultInboundAction[profileType: NET_FW_PROFILE_TYPE2_]: NET_FW_ACTION_ dispid 12; + property DefaultOutboundAction[profileType: NET_FW_PROFILE_TYPE2_]: NET_FW_ACTION_ dispid 13; + property IsRuleGroupCurrentlyEnabled[const group: WideString]: WordBool readonly dispid 14; + property LocalPolicyModifyState: NET_FW_MODIFY_STATE_ readonly dispid 15; + end; + +// *********************************************************************// +// Schnittstelle: INetFwMgr +// Flags: (4416) Dual OleAutomation Dispatchable +// GUID: {F7898AF5-CAC4-4632-A2EC-DA06E5111AF2} +// *********************************************************************// + INetFwMgr = interface(IDispatch) + ['{F7898AF5-CAC4-4632-A2EC-DA06E5111AF2}'] + function Get_LocalPolicy: INetFwPolicy; safecall; + function Get_CurrentProfileType: NET_FW_PROFILE_TYPE_; safecall; + procedure RestoreDefaults; safecall; + procedure IsPortAllowed(const imageFileName: WideString; IpVersion: NET_FW_IP_VERSION_; + portNumber: Integer; const localAddress: WideString; + ipProtocol: NET_FW_IP_PROTOCOL_; out allowed: OleVariant; + out restricted: OleVariant); safecall; + procedure IsIcmpTypeAllowed(IpVersion: NET_FW_IP_VERSION_; const localAddress: WideString; + Type_: Byte; out allowed: OleVariant; out restricted: OleVariant); safecall; + property LocalPolicy: INetFwPolicy read Get_LocalPolicy; + property CurrentProfileType: NET_FW_PROFILE_TYPE_ read Get_CurrentProfileType; + end; + +// *********************************************************************// +// DispIntf: INetFwMgrDisp +// Flags: (4416) Dual 
OleAutomation Dispatchable +// GUID: {F7898AF5-CAC4-4632-A2EC-DA06E5111AF2} +// *********************************************************************// + INetFwMgrDisp = dispinterface + ['{F7898AF5-CAC4-4632-A2EC-DA06E5111AF2}'] + property LocalPolicy: INetFwPolicy readonly dispid 1; + property CurrentProfileType: NET_FW_PROFILE_TYPE_ readonly dispid 2; + procedure RestoreDefaults; dispid 3; + procedure IsPortAllowed(const imageFileName: WideString; IpVersion: NET_FW_IP_VERSION_; + portNumber: Integer; const localAddress: WideString; + ipProtocol: NET_FW_IP_PROTOCOL_; out allowed: OleVariant; + out restricted: OleVariant); dispid 4; + procedure IsIcmpTypeAllowed(IpVersion: NET_FW_IP_VERSION_; const localAddress: WideString; + Type_: Byte; out allowed: OleVariant; out restricted: OleVariant); dispid 5; + end; + +implementation + +uses ComObj; + +end. diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/NSIS.pas stunnel4-5.50/tools/plugins/SimpleFC/Source/NSIS.pas --- stunnel4-5.44/tools/plugins/SimpleFC/Source/NSIS.pas 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/SimpleFC/Source/NSIS.pas 2007-04-16 18:25:02.000000000 +0000 
@@ -0,0 +1,126 @@
+{
+ Original Code from
+ (C) 2001 - Peter Windridge
+
+ Code in seperate unit and some changes
+ 2003 by Bernhard Mayer
+
+ Fixed and formatted by Brett Dever
+ http://editor.nfscheats.com/
+
+ simply include this unit in your plugin project and export
+ functions as needed
+}
+
+
+unit nsis;
+
+interface
+
+uses
+ windows;
+
+type
+ VarConstants = (
+ INST_0, // $0
+ INST_1, // $1
+ INST_2, // $2
+ INST_3, // $3
+ INST_4, // $4
+ INST_5, // $5
+ INST_6, // $6
+ INST_7, // $7
+ INST_8, // $8
+ INST_9, // $9
+ INST_R0, // $R0
+ INST_R1, // $R1
+ INST_R2, // $R2
+ INST_R3, // $R3
+ INST_R4, // $R4
+ INST_R5, // $R5
+ INST_R6, // $R6
+ INST_R7, // $R7
+ INST_R8, // $R8
+ INST_R9, // $R9
+ INST_CMDLINE, // $CMDLINE
+ INST_INSTDIR, // $INSTDIR
+ INST_OUTDIR, // $OUTDIR
+ INST_EXEDIR, // $EXEDIR
+ INST_LANG, // $LANGUAGE
+ __INST_LAST
+ );
+ TVariableList = INST_0..__INST_LAST;
+ pstack_t = ^stack_t;
+ stack_t = record
+ next: pstack_t;
+ text: PChar;
+ end;
+
+var
+ g_stringsize: integer;
+ g_stacktop: ^pstack_t;
+ g_variables: PChar;
+ g_hwndParent: HWND;
+
+procedure Init(const hwndParent: HWND; const string_size: integer; const variables: PChar; const stacktop: pointer);
+function PopString(): string;
+procedure PushString(const str: string='');
+function GetUserVariable(const varnum: TVariableList): string;
+procedure SetUserVariable(const varnum: TVariableList; const value: string);
+procedure NSISDialog(const text, caption: string; const buttons: integer);
+
+implementation
+
+procedure Init(const hwndParent: HWND; const string_size: integer; const variables: PChar; const stacktop: pointer);
+begin
+ g_stringsize := string_size;
+ g_hwndParent := hwndParent;
+ g_stacktop := stacktop;
+ g_variables := variables;
+end;
+
+function PopString(): string;
+var
+ th: pstack_t;
+begin
+ if integer(g_stacktop^) <> 0 then begin
+ th := g_stacktop^;
+ Result := PChar(@th.text);
+ g_stacktop^ := th.next;
+ GlobalFree(HGLOBAL(th));
+ end;
+end;
+
+procedure PushString(const str: string='');
+var
+ th: pstack_t;
+begin
+ if integer(g_stacktop) <> 0 then begin
+ th := pstack_t(GlobalAlloc(GPTR, SizeOf(stack_t) + g_stringsize));
+ lstrcpyn(@th.text, PChar(str), g_stringsize);
+ th.next := g_stacktop^;
+ g_stacktop^ := th;
+ end;
+end;
+
+function GetUserVariable(const varnum: TVariableList): string;
+begin
+ if (integer(varnum) >= 0) and (integer(varnum) < integer(__INST_LAST)) then
+ Result := g_variables + integer(varnum) * g_stringsize
+ else
+ Result := '';
+end;
+
+procedure SetUserVariable(const varnum: TVariableList; const value: string);
+begin
+ if (value <> '') and (integer(varnum) >= 0) and (integer(varnum) < integer(__INST_LAST)) then
+ lstrcpy(g_variables + integer(varnum) * g_stringsize, PChar(value))
+end;
+
+procedure NSISDialog(const text, caption: string; const buttons: integer);
+begin
+ MessageBox(g_hwndParent, PChar(text), PChar(caption), buttons);
+end;
+
+begin
+end.
diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/ServiceControl.pas stunnel4-5.50/tools/plugins/SimpleFC/Source/ServiceControl.pas
--- stunnel4-5.44/tools/plugins/SimpleFC/Source/ServiceControl.pas 1970-01-01 00:00:00.000000000 +0000
+++ stunnel4-5.50/tools/plugins/SimpleFC/Source/ServiceControl.pas 2009-05-21 19:57:28.000000000 +0000
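Review bot: In NSIS.pas, `SetUserVariable` copies `value` into the variable slot with an unbounded `lstrcpy`, so a string longer than the slot writes past it into whatever follows; going by `Init` and the index arithmetic, each slot appears to be `g_stringsize` characters, though the buffer itself is allocated outside this file. `PushString` in the same hunk already bounds its copy, and the same bound fits here: `lstrcpyn(g_variables + integer(varnum) * g_stringsize, PChar(value), g_stringsize)`. Separately, `PopString` dereferences `g_stacktop` without the nil test that `PushString` makes and never assigns `Result` when the stack is empty, and `PushString` writes through the `GlobalAlloc` result without checking it. A `Result := ''` at the top of `PopString` and a nil test after the allocation would close those paths.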
@@ -0,0 +1,987 @@ +{ +License Agreement + +This content is subject to the Mozilla Public License Version 1.1 (the "License"); +You may not use this plugin except in compliance with the License. You may +obtain a copy of the License at http://www.mozilla.org/MPL. + +Alternatively, you may redistribute this library, use and/or modify it +under the terms of the GNU Lesser General Public License as published +by the Free Software Foundation; either version 2.1 of the License, +or (at your option) any later version. You may obtain a copy +of the LGPL at www.gnu.org/copyleft. + +Software distributed under the License is distributed on an "AS IS" basis, +WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +for the specific language governing rights and limitations under the License. + +The original code is ServiceControl.pas, released April 16, 2007. + +The initial developer of the original code is Rainer Budde (http://www.speed-soft.de). + +SimpleSC - NSIS Service Control Plugin is written, published and maintaned by +Rainer Budde (rainer@speed-soft.de). 
+} +unit ServiceControl; + +interface + +uses + Windows, SysUtils, WinSvc; + + function InstallService(ServiceName, DisplayName: String; ServiceType: DWORD; StartType: DWORD; BinaryPathName: String; Dependencies: String; Username: String; Password: String): Integer; + function RemoveService(ServiceName: String): Integer; + function GetServiceName(DisplayName: String; var Name: String): Integer; + function GetServiceDisplayName(ServiceName: String; var Name: String): Integer; + function GetServiceStatus(ServiceName: String; var Status: DWORD): Integer; + function GetServiceBinaryPath(ServiceName: String; var BinaryPath: String): Integer; + function GetServiceStartType(ServiceName: String; var StartType: DWORD): Integer; + function GetServiceDescription(ServiceName: String; var Description: String): Integer; + function GetServiceLogon(ServiceName: String; var Username: String): Integer; + function SetServiceStartType(ServiceName: String; StartType: DWORD): Integer; + function SetServiceDescription(ServiceName: String; Description: String): Integer; + function SetServiceLogon(ServiceName: String; Username: String; Password: String): Integer; + function SetServiceBinaryPath(ServiceName: String; BinaryPath: String): Integer; + function ServiceIsRunning(ServiceName: String; var IsRunning: Boolean): Integer; + function ServiceIsStopped(ServiceName: String; var IsStopped: Boolean): Integer; + function ServiceIsPaused(ServiceName: String; var IsPaused: Boolean): Integer; + function StartService(ServiceName: String; ServiceArguments: String): Integer; + function StopService(ServiceName: String): Integer; + function PauseService(ServiceName: String): Integer; + function ContinueService(ServiceName: String): Integer; + function RestartService(ServiceName: String; ServiceArguments: String): Integer; + function ExistsService(ServiceName: String): Integer; + function GetErrorMessage(ErrorCode: Integer): String; + +implementation + +function WaitForStatus(ServiceName: String; 
Status: DWord): Integer; +var + CurrentStatus: DWord; + StatusResult: Integer; + StatusReached: Boolean; + TimeOutReached: Boolean; + StartTickCount: Cardinal; +const + STATUS_TIMEOUT = 30000; + WAIT_TIMEOUT = 250; +begin + Result := 0; + + StatusReached := False; + TimeOutReached := False; + + StartTickCount := GetTickCount; + + while not StatusReached and not TimeOutReached do + begin + StatusResult := GetServiceStatus(ServiceName, CurrentStatus); + + if StatusResult = 0 then + begin + if Status = CurrentStatus then + StatusReached := True + else + Sleep(WAIT_TIMEOUT); + end + else + Result := StatusResult; + + if (StartTickCount + STATUS_TIMEOUT) < GetTickCount then + begin + TimeOutReached := True; + Result := ERROR_SERVICE_REQUEST_TIMEOUT; + end; + end; + +end; + +function ExistsService(ServiceName: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_QUERY_CONFIG); + + if ServiceHandle > 0 then + CloseServiceHandle(ServiceHandle) + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function StartService(ServiceName: String; ServiceArguments: String): Integer; +type + TArguments = Array of PChar; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + ServiceArgVectors: TArguments; + NumServiceArgs: DWORD; +const + ArgDelimitterQuote: String = '"'; + ArgDelimitterWhiteSpace: String = ' '; + + procedure GetServiceArguments(ServiceArguments: String; var NumServiceArgs: DWORD; var ServiceArgVectors: TArguments); + var + Param: String; + Split: Boolean; + Quoted: Boolean; + CharIsDelimitter: Boolean; + begin + ServiceArgVectors := nil; + NumServiceArgs := 0; + + Quoted := False; + + while Length(ServiceArguments) > 0 do + begin + Split := False; + 
CharIsDelimitter := False; + + if ServiceArguments[1] = ' ' then + if not Quoted then + begin + CharIsDelimitter := True; + Split := True; + end; + + if ServiceArguments[1] = '"' then + begin + Quoted := not Quoted; + CharIsDelimitter := True; + + if not Quoted then + Split := True; + end; + + if not CharIsDelimitter then + Param := Param + ServiceArguments[1]; + + if Split or (Length(ServiceArguments) = 1) then + begin + SetLength(ServiceArgVectors, Length(ServiceArgVectors) + 1); + GetMem(ServiceArgVectors[Length(ServiceArgVectors) -1], Length(Param) + 1); + StrPCopy(ServiceArgVectors[Length(ServiceArgVectors) -1], Param); + + Param := ''; + + Delete(ServiceArguments, 1, 1); + ServiceArguments := Trim(ServiceArguments); + end + else + Delete(ServiceArguments, 1, 1); + + end; + + if Length(ServiceArgVectors) > 0 then + NumServiceArgs := Length(ServiceArgVectors); + end; + + procedure FreeServiceArguments(ServiceArgVectors: TArguments); + var + i: Integer; + begin + if Length(ServiceArgVectors) > 0 then + for i := 0 to Length(ServiceArgVectors) -1 do + FreeMem(ServiceArgVectors[i]); + end; + +begin + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_START); + + if ServiceHandle > 0 then + begin + GetServiceArguments(ServiceArguments, NumServiceArgs, ServiceArgVectors); + + if WinSvc.StartService(ServiceHandle, NumServiceArgs, ServiceArgVectors[0]) then + Result := WaitForStatus(ServiceName, SERVICE_RUNNING) + else + Result := System.GetLastError; + + FreeServiceArguments(ServiceArgVectors); + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function StopService(ServiceName: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + ServiceStatus: TServiceStatus; + Dependencies: 
PEnumServiceStatus; + BytesNeeded: Cardinal; + ServicesReturned: Cardinal; + ServicesEnumerated: Boolean; + EnumerationSuccess: Boolean; + i: Cardinal; +begin + Result := 0; + + BytesNeeded := 0; + ServicesReturned := 0; + + Dependencies := nil; + ServicesEnumerated := False; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT or SC_MANAGER_ENUMERATE_SERVICE); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_STOP or SERVICE_ENUMERATE_DEPENDENTS); + + if ServiceHandle > 0 then + begin + if not EnumDependentServices(ServiceHandle, SERVICE_ACTIVE, Dependencies^, 0, BytesNeeded, ServicesReturned) then + begin + ServicesEnumerated := True; + GetMem(Dependencies, BytesNeeded); + + EnumerationSuccess := EnumDependentServices(ServiceHandle, SERVICE_ACTIVE, Dependencies^, BytesNeeded, BytesNeeded, ServicesReturned); + + if EnumerationSuccess and (ServicesReturned > 0) then + begin + for i := 1 to ServicesReturned do + begin + Result := StopService(Dependencies.lpServiceName); + + if Result <> 0 then + Break; + + Inc(Dependencies); + end; + end + else + Result := System.GetLastError; + end; + + if (ServicesEnumerated and (Result = 0)) or not ServicesEnumerated then + begin + if ControlService(ServiceHandle, SERVICE_CONTROL_STOP, ServiceStatus) then + Result := WaitForStatus(ServiceName, SERVICE_STOPPED) + else + Result := System.GetLastError + end; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function PauseService(ServiceName: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + ServiceStatus: TServiceStatus; +begin + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_PAUSE_CONTINUE); + + if ServiceHandle > 0 then + begin + 
+ if ControlService(ServiceHandle, SERVICE_CONTROL_PAUSE, ServiceStatus) then + Result := WaitForStatus(ServiceName, SERVICE_PAUSED) + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function ContinueService(ServiceName: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + ServiceStatus: TServiceStatus; +begin + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_PAUSE_CONTINUE); + + if ServiceHandle > 0 then + begin + + if ControlService(ServiceHandle, SERVICE_CONTROL_CONTINUE, ServiceStatus) then + Result := WaitForStatus(ServiceName, SERVICE_RUNNING) + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceName(DisplayName: String; var Name: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceName: PChar; + ServiceBuffer: Cardinal; +begin + Result := 0; + + ServiceBuffer := 255; + ServiceName := StrAlloc(ServiceBuffer+1); + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + if WinSvc.GetServiceKeyName(ManagerHandle, PChar(DisplayName), ServiceName, ServiceBuffer) then + Name := ServiceName + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceDisplayName(ServiceName: String; var Name: String): Integer; +var + ManagerHandle: SC_HANDLE; + DisplayName: PChar; + ServiceBuffer: Cardinal; +begin + Result := 0; + + ServiceBuffer := 255; + DisplayName := StrAlloc(ServiceBuffer+1); + + ManagerHandle := OpenSCManager('', nil, 
SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + if WinSvc.GetServiceDisplayName(ManagerHandle, PChar(ServiceName), DisplayName, ServiceBuffer) then + Name := DisplayName + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceStatus(ServiceName: String; var Status: DWORD): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + ServiceStatus: TServiceStatus; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_QUERY_STATUS); + + if ServiceHandle > 0 then + begin + if QueryServiceStatus(ServiceHandle, ServiceStatus) then + Status := ServiceStatus.dwCurrentState + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceBinaryPath(ServiceName: String; var BinaryPath: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + BytesNeeded: DWORD; + ServiceConfig: PQueryServiceConfig; +begin + Result := 0; + ServiceConfig := nil; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_QUERY_CONFIG); + + if ServiceHandle > 0 then + begin + + if not QueryServiceConfig(ServiceHandle, ServiceConfig, 0, BytesNeeded) and (System.GetLastError = ERROR_INSUFFICIENT_BUFFER) then + begin + GetMem(ServiceConfig, BytesNeeded); + + if QueryServiceConfig(ServiceHandle, ServiceConfig, BytesNeeded, BytesNeeded) then + BinaryPath := ServiceConfig^.lpBinaryPathName + else + Result := System.GetLastError; + + FreeMem(ServiceConfig); + end + else + Result := System.GetLastError; + + 
CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceStartType(ServiceName: String; var StartType: DWORD): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + BytesNeeded: DWORD; + ServiceConfig: PQueryServiceConfig; +begin + Result := 0; + ServiceConfig := nil; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_QUERY_CONFIG); + + if ServiceHandle > 0 then + begin + + if not QueryServiceConfig(ServiceHandle, ServiceConfig, 0, BytesNeeded) and (System.GetLastError = ERROR_INSUFFICIENT_BUFFER) then + begin + GetMem(ServiceConfig, BytesNeeded); + + if QueryServiceConfig(ServiceHandle, ServiceConfig, BytesNeeded, BytesNeeded) then + StartType := ServiceConfig^.dwStartType + else + Result := System.GetLastError; + + FreeMem(ServiceConfig); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceDescription(ServiceName: String; var Description: String): Integer; +const + SERVICE_CONFIG_DESCRIPTION = 1; +type + TServiceDescription = record + lpDescription: PAnsiChar; + end; + PServiceDescription = ^TServiceDescription; +var + QueryServiceConfig2: function(hService: SC_HANDLE; dwInfoLevel: DWORD; pBuffer: Pointer; cbBufSize: DWORD; var cbBytesNeeded: Cardinal): BOOL; stdcall; + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + LockHandle: SC_LOCK; + ServiceDescription: PServiceDescription; + BytesNeeded: Cardinal; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_LOCK); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), 
SERVICE_QUERY_CONFIG); + + if ServiceHandle > 0 then + begin + LockHandle := LockServiceDatabase(ManagerHandle); + + if LockHandle <> nil then + begin + @QueryServiceConfig2 := GetProcAddress(GetModuleHandle(advapi32), 'QueryServiceConfig2A'); + + if Assigned(@QueryServiceConfig2) then + begin + + if not QueryServiceConfig2(ServiceHandle, SERVICE_CONFIG_DESCRIPTION, nil, 0, BytesNeeded) and (System.GetLastError = ERROR_INSUFFICIENT_BUFFER) then + begin + GetMem(ServiceDescription, BytesNeeded); + + if QueryServiceConfig2(ServiceHandle, SERVICE_CONFIG_DESCRIPTION, ServiceDescription, BytesNeeded, BytesNeeded) then + Description := ServiceDescription.lpDescription + else + Result := System.GetLastError; + + FreeMem(ServiceDescription); + end + else + Result := System.GetLastError; + + end + else + Result := System.GetLastError; + + UnlockServiceDatabase(LockHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function GetServiceLogon(ServiceName: String; var Username: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + BytesNeeded: DWORD; + ServiceConfig: PQueryServiceConfig; +begin + Result := 0; + ServiceConfig := nil; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_CONNECT); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_QUERY_CONFIG); + + if ServiceHandle > 0 then + begin + + if not QueryServiceConfig(ServiceHandle, ServiceConfig, 0, BytesNeeded) and (System.GetLastError = ERROR_INSUFFICIENT_BUFFER) then + begin + GetMem(ServiceConfig, BytesNeeded); + + if QueryServiceConfig(ServiceHandle, ServiceConfig, BytesNeeded, BytesNeeded) then + Username := ServiceConfig^.lpServiceStartName + else + Result := System.GetLastError; + + FreeMem(ServiceConfig); + end + else + Result := 
System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function SetServiceDescription(ServiceName: String; Description: String): Integer; +const + SERVICE_CONFIG_DESCRIPTION = 1; +var + ChangeServiceConfig2: function(hService: SC_HANDLE; dwInfoLevel: DWORD; lpInfo: Pointer): BOOL; stdcall; + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + LockHandle: SC_LOCK; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_LOCK); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_CHANGE_CONFIG); + + if ServiceHandle > 0 then + begin + LockHandle := LockServiceDatabase(ManagerHandle); + + if LockHandle <> nil then + begin + @ChangeServiceConfig2 := GetProcAddress(GetModuleHandle(advapi32), 'ChangeServiceConfig2A'); + + if Assigned(@ChangeServiceConfig2) then + begin + if not ChangeServiceConfig2(ServiceHandle, SERVICE_CONFIG_DESCRIPTION, @Description) then + Result := System.GetLastError; + end + else + Result := System.GetLastError; + + UnlockServiceDatabase(LockHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function SetServiceStartType(ServiceName: String; StartType: DWORD): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + LockHandle: SC_LOCK; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_LOCK); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_CHANGE_CONFIG); + + if ServiceHandle > 0 then + begin + LockHandle := LockServiceDatabase(ManagerHandle); + + if LockHandle <> nil then + begin + if not ChangeServiceConfig(ServiceHandle, 
SERVICE_NO_CHANGE, StartType, SERVICE_NO_CHANGE, nil, nil, nil, nil, nil, nil, nil) then + Result := System.GetLastError; + + UnlockServiceDatabase(LockHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function SetServiceLogon(ServiceName: String; Username: String; Password: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + LockHandle: SC_LOCK; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_LOCK); + + if Pos('\', Username) = 0 then + Username := '.\' + Username; + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_CHANGE_CONFIG); + + if ServiceHandle > 0 then + begin + LockHandle := LockServiceDatabase(ManagerHandle); + + if LockHandle <> nil then + begin + if not ChangeServiceConfig(ServiceHandle, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, nil, nil, nil, nil, PChar(Username), PChar(Password), nil) then + Result := System.GetLastError; + + UnlockServiceDatabase(LockHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function SetServiceBinaryPath(ServiceName: String; BinaryPath: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + LockHandle: SC_LOCK; +begin + Result := 0; + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_LOCK); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_CHANGE_CONFIG); + + if ServiceHandle > 0 then + begin + LockHandle := LockServiceDatabase(ManagerHandle); + + if LockHandle <> nil then + begin + if not ChangeServiceConfig(ServiceHandle, SERVICE_NO_CHANGE, 
SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, PChar(BinaryPath), nil, nil, nil, nil, nil, nil) then + Result := System.GetLastError; + + UnlockServiceDatabase(LockHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function ServiceIsRunning(ServiceName: String; var IsRunning: Boolean): Integer; +var + Status: DWORD; +begin + Result := GetServiceStatus(ServiceName, Status); + + if Result = 0 then + IsRunning := Status = SERVICE_RUNNING + else + IsRunning := False; +end; + +function ServiceIsStopped(ServiceName: String; var IsStopped: Boolean): Integer; +var + Status: DWORD; +begin + Result := GetServiceStatus(ServiceName, Status); + + if Result = 0 then + IsStopped := Status = SERVICE_STOPPED + else + IsStopped := False; +end; + +function ServiceIsPaused(ServiceName: String; var IsPaused: Boolean): Integer; +var + Status: DWORD; +begin + Result := GetServiceStatus(ServiceName, Status); + + if Result = 0 then + IsPaused := Status = SERVICE_PAUSED + else + IsPaused := False; +end; + +function RestartService(ServiceName: String; ServiceArguments: String): Integer; +begin + Result := StopService(ServiceName); + + if Result = 0 then + Result := StartService(ServiceName, ServiceArguments); +end; + +function InstallService(ServiceName, DisplayName: String; ServiceType: DWORD; + StartType: DWORD; BinaryPathName: String; Dependencies: String; + Username: String; Password: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + PDependencies: PChar; + PUsername: PChar; + PPassword: PChar; +const + ReplaceDelimitter: String = '/'; + + function Replace(Value: String): String; + begin + while Pos(ReplaceDelimitter, Value) <> 0 do + begin + Result := Result + Copy(Value, 1, Pos(ReplaceDelimitter, Value) -1) + Chr(0); + Delete(Value, 1, Pos(ReplaceDelimitter, Value)); + end; + + Result 
:= Result + Value + Chr(0) + Chr(0); + end; + +begin + Result := 0; + + if Dependencies = '' then + PDependencies := nil + else + PDependencies := PChar(Replace(Dependencies)); + + if UserName = '' then + PUsername := nil + else + PUsername := PChar(Username); + + if Password = '' then + PPassword := nil + else + PPassword := PChar(Password); + + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_ALL_ACCESS); + + if ManagerHandle > 0 then + begin + ServiceHandle := CreateService(ManagerHandle, + PChar(ServiceName), + PChar(DisplayName), + SERVICE_START or SERVICE_QUERY_STATUS or _DELETE, + ServiceType, + StartType, + SERVICE_ERROR_NORMAL, + PChar(BinaryPathName), + nil, + nil, + PDependencies, + PUsername, + PPassword); + + if ServiceHandle <> 0 then + CloseServiceHandle(ServiceHandle) + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; +end; + +function RemoveService(ServiceName: String): Integer; +var + ManagerHandle: SC_HANDLE; + ServiceHandle: SC_HANDLE; + LockHandle: SC_LOCK; + IsStopped: Boolean; + Deleted: Boolean; +begin + IsStopped := False; + + Result := ServiceIsStopped(ServiceName, IsStopped); + + if Result = 0 then + if not IsStopped then + Result := StopService(ServiceName); + + if Result = 0 then + begin + ManagerHandle := OpenSCManager('', nil, SC_MANAGER_ALL_ACCESS); + + if ManagerHandle > 0 then + begin + ServiceHandle := OpenService(ManagerHandle, PChar(ServiceName), SERVICE_ALL_ACCESS); + + if ServiceHandle > 0 then + begin + LockHandle := LockServiceDatabase(ManagerHandle); + + if LockHandle <> nil then + begin + Deleted := DeleteService(ServiceHandle); + + if not Deleted then + Result := System.GetLastError; + + UnlockServiceDatabase(LockHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ServiceHandle); + end + else + Result := System.GetLastError; + + CloseServiceHandle(ManagerHandle); + end + else + Result := System.GetLastError; + end; +end; 
+ +function GetErrorMessage(ErrorCode: Integer): String; +begin + Result := SysErrorMessage(ErrorCode); +end; + +end. diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/SimpleFC.cfg stunnel4-5.50/tools/plugins/SimpleFC/Source/SimpleFC.cfg --- stunnel4-5.44/tools/plugins/SimpleFC/Source/SimpleFC.cfg 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/SimpleFC/Source/SimpleFC.cfg 2007-08-02 19:19:12.000000000 +0000 @@ -0,0 +1,35 @@ +-$A8 +-$B- +-$C+ +-$D+ +-$E- +-$F- +-$G+ +-$H+ +-$I+ +-$J- +-$K- +-$L+ +-$M- +-$N+ +-$O- +-$P+ +-$Q- +-$R- +-$S- +-$T- +-$U- +-$V+ +-$W- +-$X+ +-$YD +-$Z1 +-cg +-AWinTypes=Windows;WinProcs=Windows;DbiTypes=BDE;DbiProcs=BDE;DbiErrs=BDE; +-H+ +-W+ +-M +-$M16384,1048576 +-K$00400000 +-LE"c:\programme\borland\delphi6\Projects\Bpl" +-LN"c:\programme\borland\delphi6\Projects\Bpl" diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/SimpleFC.dof stunnel4-5.50/tools/plugins/SimpleFC/Source/SimpleFC.dof --- stunnel4-5.44/tools/plugins/SimpleFC/Source/SimpleFC.dof 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/SimpleFC/Source/SimpleFC.dof 2007-08-02 19:19:12.000000000 +0000 
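Review bot: In ServiceControl.pas, `InstallService` and `SetServiceBinaryPath` pass `BinaryPathName` / `BinaryPath` to `CreateService` / `ChangeServiceConfig` verbatim, so a path with spaces that the caller did not wrap in double quotes is registered unquoted and the service control manager has to guess where the executable name ends. Whether the callers quote is not visible in this hunk, so I would at least state the contract at both functions, e.g. `// BinaryPathName: quote the executable path ("C:\dir with space\svc.exe" args) when it contains spaces`. `InstallService` also opens the manager with `SC_MANAGER_ALL_ACCESS` where `SC_MANAGER_CREATE_SERVICE` is sufficient for `CreateService`. In `WaitForStatus`, a failing `GetServiceStatus` skips the `Sleep`, so the loop spins until the 30-second limit and then replaces the real error with `ERROR_SERVICE_REQUEST_TIMEOUT`; leaving the loop with `StatusResult` on the first failure would avoid both.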
@@ -0,0 +1,90 @@ +[FileVersion] +Version=6.0 +[Compiler] +A=8 +B=0 +C=1 +D=1 +E=0 +F=0 +G=1 +H=1 +I=1 +J=0 +K=0 +L=1 +M=0 +N=1 +O=0 +P=1 +Q=0 +R=0 +S=0 +T=0 +U=0 +V=1 +W=0 +X=1 +Y=1 +Z=1 +ShowHints=1 +ShowWarnings=1 +UnitAliases=WinTypes=Windows;WinProcs=Windows;DbiTypes=BDE;DbiProcs=BDE;DbiErrs=BDE; +[Linker] +MapFile=0 +OutputObjs=0 +ConsoleApp=1 +DebugInfo=0 +RemoteSymbols=0 +MinStackSize=16384 +MaxStackSize=1048576 +ImageBase=4194304 +ExeDescription= +[Directories] +OutputDir= +UnitOutputDir= +PackageDLLOutputDir= +PackageDCPOutputDir= +SearchPath= +Packages=vcl;rtl;vclx;VclSmp;vclshlctrls;dbrtl;adortl;vcldb;qrpt;bdertl;vcldbx;dsnap;cds;bdecds;teeui;teedb;tee;teeqr;ibxpress;visualclx;visualdbclx;vclie;xmlrtl;inet;inetdbbde;inetdbxpress;inetdb;nmfast;dbexpress;dbxcds;dclOffice2k;soaprtl;Jcl;VirtualTreesD6;VirtualShellToolsD6;VirtualExplorerListviewExD6;ThemeManagerD6;JclVcl;JvCoreD6R;JvSystemD6R;JvStdCtrlsD6R;JvAppFrmD6R;JvBandsD6R;JvDBD6R;JvDlgsD6R;JvBDED6R;JvCmpD6R;JvCryptD6R;JvCtrlsD6R;JvCustomD6R;JvDockingD6R;JvDotNetCtrlsD6R;JvEDID6R;JvGlobusD6R;JvHMID6R;JvInterpreterD6R;JvJansD6R;JvManagedThreadsD6R;JvMMD6R;JvNetD6R;JvPageCompsD6R;JvPluginD6R;JvPrintPreviewD6R;JvRuntimeDesignD6R;JvTimeFrameworkD6R;JvUIBD6R;JvValidatorsD6R;JvWizardD6R;JvXPCtrlsD6R;FModPackage;NetBrowserPackage;ThreadCopyPackage;TMSMenusD6;DSPack_D6;SNTPServer +Conditionals= +DebugSourceDirs= +UsePackages=0 +[Parameters] +RunParams= +HostApplication= +Launcher= +UseLauncher=0 +DebugCWD= +[Language] +ActiveLang= +ProjectLang= +RootDir= +[Version Info] +IncludeVerInfo=0 +AutoIncBuild=0 +MajorVer=1 +MinorVer=0 +Release=0 +Build=0 +Debug=0 +PreRelease=0 +Special=0 +Private=0 +DLL=0 +Locale=1031 +CodePage=1252 +[Version Info Keys] +CompanyName= +FileDescription= +FileVersion=1.0.0.0 +InternalName= +LegalCopyright= +LegalTrademarks= +OriginalFilename= +ProductName= +ProductVersion=1.0.0.0 +Comments= +[HistoryLists\hlUnitAliases] +Count=1 
+Item0=WinTypes=Windows;WinProcs=Windows;DbiTypes=BDE;DbiProcs=BDE;DbiErrs=BDE; diff -Nru stunnel4-5.44/tools/plugins/SimpleFC/Source/SimpleFC.dpr stunnel4-5.50/tools/plugins/SimpleFC/Source/SimpleFC.dpr --- stunnel4-5.44/tools/plugins/SimpleFC/Source/SimpleFC.dpr 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.50/tools/plugins/SimpleFC/Source/SimpleFC.dpr 2007-08-02 19:19:14.000000000 +0000 
@@ -0,0 +1,626 @@ +library SimpleFC; + +uses + NSIS, Windows, FirewallControl, SysUtils; + +function ResultToStr(Value: Boolean): String; +begin + if Value then + result := '0' + else + result := '1'; +end; + +function BoolToStr(Value: Boolean): String; +begin + if Value then + result := '1' + else + result := '0'; +end; + +function StrToBool(Value: String): Boolean; +begin + if Value = '1' then + result := True + else + result := False; +end; + +procedure AddPort(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Port: Integer; + Name: String; + Protocol: NET_FW_IP_PROTOCOL; + Scope: NET_FW_SCOPE; + Enabled: Boolean; + IpVersion: NET_FW_IP_VERSION; + RemoteAddresses: String; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Port := StrToInt(PopString); + Name := PopString; + Protocol := NET_FW_IP_PROTOCOL(StrToInt(PopString)); + Scope := NET_FW_SCOPE(StrToInt(PopString)); + IpVersion := NET_FW_IP_VERSION(StrToInt(PopString)); + RemoteAddresses := PopString; + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AddPort(Port, + Name, + Protocol, + Scope, + IpVersion, + RemoteAddresses, + Enabled) = 0); + PushString(FirewallResult); +end; + +procedure RemovePort(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Port: Integer; + Protocol: NET_FW_IP_PROTOCOL; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Port := StrToInt(PopString); + Protocol := NET_FW_IP_PROTOCOL(StrToInt(PopString)); + + FirewallResult := ResultToStr(FirewallControl.RemovePort(Port, Protocol) = 0); + PushString(FirewallResult); +end; + +procedure AddApplication(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Name: String; + BinaryPath: String; + IpVersion: NET_FW_IP_VERSION; + Scope: 
NET_FW_SCOPE; + RemoteAdresses: String; + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Name := PopString; + BinaryPath := PopString; + Scope := NET_FW_SCOPE(StrToInt(PopString)); + IpVersion := NET_FW_IP_VERSION(StrToInt(PopString)); + RemoteAdresses := PopString; + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AddApplication(Name, + BinaryPath, + Scope, + IpVersion, + RemoteAdresses, + Enabled) = 0); + PushString(FirewallResult); +end; + +procedure RemoveApplication(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + BinaryPath: String; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + BinaryPath := PopString; + + FirewallResult := ResultToStr(FirewallControl.RemoveApplication(BinaryPath) = 0); + PushString(FirewallResult); +end; + +procedure IsPortAdded(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Port: Integer; + Protocol: NET_FW_IP_PROTOCOL; + Added: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Port := StrToInt(PopString); + Protocol := NET_FW_IP_PROTOCOL(StrToInt(PopString)); + + FirewallResult := ResultToStr(FirewallControl.IsPortAdded(Port, Protocol, Added) = 0); + PushString(BoolToStr(Added)); + PushString(FirewallResult); +end; + +procedure IsApplicationAdded(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + BinaryPath: String; + Added: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + BinaryPath := PopString; + + FirewallResult := ResultToStr(FirewallControl.IsApplicationAdded(BinaryPath, Added) = 0); + PushString(BoolToStr(Added)); + PushString(FirewallResult); +end; + +procedure IsPortEnabled(const 
hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Port: Integer; + Protocol: NET_FW_IP_PROTOCOL; + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Port := StrToInt(PopString); + Protocol := NET_FW_IP_PROTOCOL(StrToInt(PopString)); + + FirewallResult := ResultToStr(FirewallControl.IsPortEnabled(Port, Protocol, Enabled) = 0); + PushString(BoolToStr(Enabled)); + PushString(FirewallResult); +end; + +procedure IsApplicationEnabled(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + BinaryPath: String; + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + BinaryPath := PopString; + + FirewallResult := ResultToStr(FirewallControl.IsApplicationEnabled(BinaryPath, Enabled) = 0); + PushString(BoolToStr(Enabled)); + PushString(FirewallResult); +end; + +procedure EnableDisablePort(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Port: Integer; + Protocol: NET_FW_IP_PROTOCOL; + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Port := StrToInt(PopString); + Protocol := NET_FW_IP_PROTOCOL(StrToInt(PopString)); + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.EnableDisablePort(Port, Protocol, Enabled) = 0); + PushString(FirewallResult); +end; + +procedure EnableDisableApplication(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + BinaryPath: String; + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + BinaryPath := PopString; + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.EnableDisableApplication(BinaryPath, Enabled) 
= 0); + PushString(FirewallResult); +end; + +procedure IsFirewallEnabled(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + FirewallResult := ResultToStr(FirewallControl.IsFirewallEnabled(Enabled) = 0); + PushString(BoolToStr(Enabled)); + PushString(FirewallResult); +end; + +procedure EnableDisableFirewall(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.EnableDisableFirewall(Enabled) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowExceptionsNotAllowed(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + NotAllowed: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + NotAllowed := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowExceptionsNotAllowed(NotAllowed) = 0); + PushString(FirewallResult); +end; + +procedure AreExceptionsNotAllowed(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + NotAllowed: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + FirewallResult := ResultToStr(FirewallControl.AreExceptionsNotAllowed(NotAllowed) = 0); + PushString(BoolToStr(NotAllowed)); + PushString(FirewallResult); +end; + +procedure EnableDisableNotifications(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, 
stacktop); + + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.EnableDisableNotifications(Enabled) = 0); + PushString(BoolToStr(Enabled)); + PushString(FirewallResult); +end; + +procedure AreNotificationsEnabled(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + FirewallResult := ResultToStr(FirewallControl.AreNotificationsEnabled(Enabled) = 0); + PushString(BoolToStr(Enabled)); + PushString(FirewallResult); +end; + +procedure StartStopFirewallService(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Enabled: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Enabled := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.StartStopFirewallService(Enabled)); + PushString(FirewallResult); +end; + +procedure IsFirewallServiceRunning(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + IsRunning: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + FirewallResult := ResultToStr(FirewallControl.IsFirewallServiceRunning(IsRunning)); + PushString(BoolToStr(IsRunning)); + PushString(FirewallResult); +end; + +procedure RestoreDefaults(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + FirewallResult := ResultToStr(FirewallControl.RestoreDefaults = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpOutboundDestinationUnreachable(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: 
Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpOutboundDestinationUnreachable(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpRedirect(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpRedirect(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpInboundEchoRequest(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpInboundEchoRequest(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpOutboundTimeExceeded(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpOutboundTimeExceeded(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpOutboundParameterProblem(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpOutboundParameterProblem(Allow) = 0); + 
PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpOutboundSourceQuench(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpOutboundSourceQuench(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpInboundRouterRequest(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpInboundRouterRequest(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpInboundTimestampRequest(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpInboundTimestampRequest(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpInboundMaskRequest(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpInboundMaskRequest(Allow) = 0); + PushString(FirewallResult); +end; + +procedure AllowDisallowIcmpOutboundPacketTooBig(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Allow: Boolean; + 
FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Allow := StrToBool(PopString); + + FirewallResult := ResultToStr(FirewallControl.AllowDisallowIcmpOutboundPacketTooBig(Allow) = 0); + PushString(FirewallResult); +end; + +procedure IsIcmpTypeAllowed(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + IpVersion: NET_FW_IP_VERSION; + LocalAddress: String; + IcmpType: NET_FW_ICMP_TYPE; + Allowed: Boolean; + Restricted: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + IpVersion := NET_FW_IP_VERSION(StrToInt(PopString)); + LocalAddress := PopString; + IcmpType := NET_FW_ICMP_TYPE(StrToInt(PopString)); + + FirewallResult := ResultToStr(FirewallControl.IsIcmpTypeAllowed(IpVersion, + LocalAddress, + IcmpType, + Allowed, + Restricted) = 0); + PushString(BoolToStr(Allowed)); + PushString(BoolToStr(Restricted)); + PushString(FirewallResult); +end; + +procedure AdvAddRule(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Name: String; + Description: String; + Protocol: NET_FW_IP_PROTOCOL; + IcmpTypesAndCodes: String; + ApplicationName: String; + Direction: NET_FW_RULE_DIRECTION; + Enabled: Boolean; + Group: String; + Profile: NET_FW_PROFILE_TYPE2; + Action: NET_FW_ACTION; + LocalPorts: String; + RemotePorts: String; + LocalAddress: String; + RemoteAddress: String; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Name := PopString; + Description := PopString; + Protocol := NET_FW_IP_PROTOCOL(StrToInt(PopString)); + Direction := NET_FW_RULE_DIRECTION(StrToInt(PopString)); + Enabled := StrToBool(PopString); + Profile := NET_FW_PROFILE_TYPE2(StrToInt(PopString)); + Action := NET_FW_ACTION(StrToInt(PopString)); + ApplicationName := PopString; + IcmpTypesAndCodes := PopString; + Group := PopString; + LocalPorts := 
PopString; + RemotePorts := PopString; + LocalAddress := PopString; + RemoteAddress := PopString; + + FirewallResult := ResultToStr(FirewallControl.AdvAddRule(Name, + Description, + Protocol, + Direction, + Enabled, + Profile, + Action, + ApplicationName, + IcmpTypesAndCodes, + Group, + LocalPorts, + RemotePorts, + LocalAddress, + RemoteAddress) = 0); + PushString(FirewallResult); +end; + +procedure AdvRemoveRule(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Name: String; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Name := PopString; + + FirewallResult := ResultToStr(FirewallControl.AdvRemoveRule(Name) = 0); + PushString(FirewallResult); +end; + +procedure AdvExistsRule(const hwndParent: HWND; const string_size: integer; + const variables: PChar; const stacktop: pointer); cdecl; +var + Name: String; + Exists: Boolean; + FirewallResult: String; +begin + Init(hwndParent, string_size, variables, stacktop); + + Name := PopString; + + FirewallResult := ResultToStr(FirewallControl.AdvExistsRule(Name, Exists) = 0); + PushString(BoolToStr(Exists)); + PushString(FirewallResult); +end; + +exports AddPort; +exports RemovePort; +exports AddApplication; +exports RemoveApplication; +exports IsPortAdded; +exports IsApplicationAdded; +exports IsPortEnabled; +exports IsApplicationEnabled; +exports EnableDisablePort; +exports EnableDisableApplication; +exports IsFirewallEnabled; +exports EnableDisableFirewall; +exports AllowDisallowExceptionsNotAllowed; +exports AreExceptionsNotAllowed; +exports EnableDisableNotifications; +exports AreNotificationsEnabled; +exports StartStopFirewallService; +exports IsFirewallServiceRunning; +exports RestoreDefaults; +exports AllowDisallowIcmpOutboundDestinationUnreachable; +exports AllowDisallowIcmpRedirect; +exports AllowDisallowIcmpInboundEchoRequest; +exports AllowDisallowIcmpOutboundTimeExceeded; +exports 
AllowDisallowIcmpOutboundParameterProblem; +exports AllowDisallowIcmpOutboundSourceQuench; +exports AllowDisallowIcmpInboundRouterRequest; +exports AllowDisallowIcmpInboundTimestampRequest; +exports AllowDisallowIcmpInboundMaskRequest; +exports AllowDisallowIcmpOutboundPacketTooBig; +exports IsIcmpTypeAllowed; +exports AdvAddRule; +exports AdvRemoveRule; +exports AdvExistsRule; + +end. diff -Nru stunnel4-5.44/tools/stunnel.conf stunnel4-5.50/tools/stunnel.conf --- stunnel4-5.44/tools/stunnel.conf 2017-01-19 08:51:32.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.conf 2018-12-02 22:47:18.000000000 +0000 @@ -1,4 +1,4 @@ -; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2017 +; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2018 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options @@ -108,6 +108,9 @@ ;connect = 143 ;cert = stunnel.pem +; Either only expose this service to trusted networks, or require +; authentication when relaying emails originated from loopback. +; Otherwise the following configuration creates an open relay. ;[ssmtp] ;accept = 465 ;connect = 25 @@ -129,7 +132,6 @@ ;accept = 1337 ;exec = c:\windows\system32\cmd.exe ;execArgs = cmd.exe -;ciphers = PSK ;PSKsecrets = secrets.txt ; vim:ft=dosini diff -Nru stunnel4-5.44/tools/stunnel.conf-sample.in stunnel4-5.50/tools/stunnel.conf-sample.in --- stunnel4-5.44/tools/stunnel.conf-sample.in 2017-01-19 08:51:32.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.conf-sample.in 2018-12-02 22:47:18.000000000 +0000 
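Review bot: The sample `exec = c:\windows\system32\cmd.exe` service in the last tools/stunnel.conf hunk (`@@ -129,7 +132,6 @@`) is left with `PSKsecrets` as its only visible access control, yet nothing warns the reader the way the new [ssmtp] comment does for the open relay. With `;ciphers = PSK` removed, whether non-PSK ciphersuites are refused presumably depends on stunnel's defaults for a service without a certificate, which the sample does not state. I would add a comment above the section such as `; Any client holding a key from PSKsecrets gets a shell: keep that file private and expose this port to trusted networks only`. The same applies to the `exec = /bin/sh` section in the matching hunk of tools/stunnel.conf-sample.in; in both files the section header lies outside the hunk.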
@@ -1,4 +1,4 @@ -; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2017 +; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2018 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options @@ -108,6 +108,9 @@ ;connect = 143 ;cert = @sysconfdir@/stunnel/stunnel.pem +; Either only expose this service to trusted networks, or require +; authentication when relaying emails originated from loopback. +; Otherwise the following configuration creates an open relay. ;[ssmtp] ;accept = 465 ;connect = 25 @@ -129,7 +132,6 @@ ;accept = 1337 ;exec = /bin/sh ;execArgs = sh -i -;ciphers = PSK ;PSKsecrets = @sysconfdir@/stunnel/secrets.txt ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket diff -Nru stunnel4-5.44/tools/stunnel.init.in stunnel4-5.50/tools/stunnel.init.in --- stunnel4-5.44/tools/stunnel.init.in 2016-12-13 11:28:35.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.init.in 2018-10-09 14:37:38.000000000 +0000 @@ -26,7 +26,6 @@ NAME=stunnel DESC="TLS tunnels" OPTIONS="" -ENABLED=0 get_opt() { sed -e "s;^[[:space:]]*;;" -e "s;[[:space:]]*$;;" \ @@ -86,7 +85,7 @@ { local sig file pidfile status - sig=${1:-TERM} + sig=$1 res=0 for file in $FILES; do echo -n " $file: " @@ -95,7 +94,7 @@ echo -n "no pid file" else status=0 - killproc -p "$pidfile" "$DAEMON" "$sig" || status=$? + killproc -p "$pidfile" "$DAEMON" ${sig:+"$sig"} || status=$? if [ "$status" -eq 0 ]; then echo -n 'stopped' else 
@@ -137,15 +136,52 @@ exit "$res" } +restartrunningdaemons() +{ + local res file pidfile status args + + res=0 + for file in $FILES; do + echo -n " $file: " + pidfile=`get_pidfile "$file"` + if [ ! -e "$pidfile" ]; then + echo -n 'no pid file' + else + status=0 + pidofproc -p "$pidfile" "$DAEMON" >/dev/null || status="$?" + if [ "$status" = 0 ]; then + echo -n 'stopping' + killproc -p "$pidfile" "$DAEMON" "$sig" || status="$?" + if [ "$status" -eq 0 ]; then + echo -n ' starting' + args="$file $OPTIONS" + start_daemon -p "$pidfile" "$DAEMON" $args || status="$?" + if [ "$status" -eq 0 ]; then + echo -n ' started' + else + echo ' failed' + res=1 + fi + else + echo -n ' failed' + res=1 + fi + elif [ "$status" = 4 ]; then + echo "cannot access the pid file $pidfile" + else + echo -n 'stopped' + fi + fi + done + echo '' + exit "$res" +} + if [ "x$OPTIONS" != "x" ]; then OPTIONS="-- $OPTIONS" fi [ -f @sysconfdir@/default/stunnel ] && . @sysconfdir@/default/stunnel -if [ "$ENABLED" = "0" ] ; then - echo "$DESC disabled, see @sysconfdir@/default/stunnel" - exit 0 -fi # If the user want to manage a single tunnel, the conf file's name # is in $2. Otherwise, respect @sysconfdir@/default/stunnel4 setting. @@ -194,6 +230,11 @@ killdaemons && startdaemons res=$? ;; + try-restart) + echo -n "Restarting $DESC if running:" + restartrunningdaemons + res=$? + ;; status) echo -n "$DESC status:" querydaemons @@ -201,7 +242,7 @@ ;; *) N=@sysconfdir@/init.d/$NAME - echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} []" >&2 + echo "Usage: $N {start|stop|status|reload|reopen-logs|restart|try-restart} []" >&2 res=1 ;; esac diff -Nru stunnel4-5.44/tools/stunnel.license stunnel4-5.50/tools/stunnel.license --- stunnel4-5.44/tools/stunnel.license 2017-01-02 14:27:26.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.license 2018-04-06 14:25:10.000000000 +0000 
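Review bot: In the new `restartrunningdaemons()` the stop step runs `killproc -p "$pidfile" "$DAEMON" "$sig"`, but `sig` is neither in the function's `local res file pidfile status args` list nor assigned anywhere in it, so unless a global of that name exists (none is visible in these hunks) killproc receives an empty third argument. The `killdaemons` hunk earlier in this file already moved to `${sig:+"$sig"}`; use the same form here, `killproc -p "$pidfile" "$DAEMON" ${sig:+"$sig"} || status="$?"`, or drop the argument. The branch after a failed `start_daemon` also prints with `echo ' failed'` where the sibling branches use `echo -n`, which splits the per-file status line. Since the function ends in `exit "$res"`, the `res=$?` after its call in the `try-restart)` hunk is never reached.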
@@ -1,4 +1,4 @@ -Copyright (C) 1998-2017 Michal Trojnara +Copyright (C) 1998-2018 Michal Trojnara This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. diff -Nru stunnel4-5.44/tools/stunnel.nsi stunnel4-5.50/tools/stunnel.nsi --- stunnel4-5.44/tools/stunnel.nsi 2017-11-26 21:50:16.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.nsi 2018-10-09 14:37:38.000000000 +0000 @@ -1,4 +1,4 @@ -# NSIS stunnel installer by Michal Trojnara 1998-2017 +# NSIS stunnel installer by Michal Trojnara 1998-2018 !define /ifndef VERSION testing !define /ifndef ARCH win32 @@ -30,18 +30,17 @@ !include "MUI2.nsh" # define SF_SELECTED !include "Sections.nsh" -# additional plugins -!addplugindir "plugins/SimpleFC" -!addplugindir "plugins/ShellLink/Plugins" !define /ifndef ROOT_DIR \devel !define /ifndef STUNNEL_DIR ${ROOT_DIR}\src\stunnel -!define /ifndef STUNNEL_BIN_DIR ${STUNNEL_DIR}\bin\${ARCH} !define /ifndef STUNNEL_TOOLS_DIR ${STUNNEL_DIR}\tools -!define /ifndef STUNNEL_DOC_DIR ${STUNNEL_DIR}\doc !define /ifndef STUNNEL_SRC_DIR ${STUNNEL_DIR}\src +!define /ifndef DEST_DIR ${STUNNEL_DIR} +!define /ifndef STUNNEL_BIN_DIR ${DEST_DIR}\bin\${ARCH} +!define /ifndef STUNNEL_DOC_DIR ${DEST_DIR}\doc + !define /ifndef BIN_DIR ${ROOT_DIR}\${ARCH} !define /ifndef OPENSSL_DIR ${BIN_DIR}\openssl !define /ifndef OPENSSL_BIN_DIR ${OPENSSL_DIR}\bin 
@@ -53,9 +52,13 @@ !define /ifndef ZLIB_DIR ${BIN_DIR}\zlib !define /ifndef REDIST_DIR ${BIN_DIR}\redist +# additional plugins +!addplugindir "${STUNNEL_TOOLS_DIR}/plugins/SimpleFC" +!addplugindir "${STUNNEL_TOOLS_DIR}/plugins/ShellLink/Plugins" + !define MUI_ICON ${STUNNEL_SRC_DIR}\stunnel.ico -!insertmacro MUI_PAGE_LICENSE "stunnel.license" +!insertmacro MUI_PAGE_LICENSE "${STUNNEL_TOOLS_DIR}\stunnel.license" !insertmacro MULTIUSER_PAGE_INSTALLMODE !insertmacro MUI_PAGE_COMPONENTS !insertmacro MUI_PAGE_DIRECTORY @@ -173,6 +176,11 @@ Delete "$INSTDIR\bin\zlib1.pdb" Delete "$INSTDIR\bin\msvcr90.dll" Delete "$INSTDIR\bin\Microsoft.VC90.CRT.Manifest" + Delete "$INSTDIR\bin\libcrypto-1_1-x64.dll" + Delete "$INSTDIR\bin\libcrypto-1_1-x64.pdb" + Delete "$INSTDIR\bin\libssl-1_1-x64.dll" + Delete "$INSTDIR\bin\libssl-1_1-x64.pdb" + Delete "$INSTDIR\bin\vcruntime140.dll" RMDir "$INSTDIR\bin" Delete "$INSTDIR\engines\4758cca.dll" @@ -316,6 +324,7 @@ File "${STUNNEL_TOOLS_DIR}\ca-certs.pem" # write new executables/libraries files + # we assume Visual C++ 2008 for win32, and MinGW for win64 SetOutPath "$INSTDIR\bin" File "${STUNNEL_BIN_DIR}\stunnel.exe" !if ${ARCH} == win32 
@@ -323,11 +332,20 @@ File "${OPENSSL_BIN_DIR}\ssleay32.dll" File "${REDIST_DIR}\msvcr90.dll" File "${REDIST_DIR}\Microsoft.VC90.CRT.Manifest" - # MINGW builds requires libssp-0.dll instead of msvcr90.dll !else File "${OPENSSL_BIN_DIR}\libcrypto-1_1-x64.dll" File "${OPENSSL_BIN_DIR}\libssl-1_1-x64.dll" - File "${REDIST_DIR}\vcruntime140.dll" + # TODO: add libssp-0.dll when -fstack-protector is fixed + #SetOutPath "$INSTDIR" + #ReadRegStr $0 HKLM "SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64" "Installed" + #${If} $0 == 1 + # DetailPrint "VC 2017 Redistributable already installed" + #${Else} + # DetailPrint "Installing VC 2017 Redistributable" + # File "${REDIST_DIR}\VC_redist.x64.exe" + # ExecWait '"$INSTDIR\VC_redist.x64.exe" /quiet' + # Delete "$INSTDIR\VC_redist.x64.exe" + #${EndIf} !endif # write new engine libraries @@ -473,6 +491,7 @@ SectionGroupEnd +/* Section /o "Debugging Symbols" sectionDEBUG SetOutPath "$INSTDIR\bin" @@ -483,8 +502,8 @@ File "${OPENSSL_BIN_DIR}\ssleay32.pdb" File "${ZLIB_DIR}\zlib1.pdb" !else - File "${OPENSSL_BIN_DIR}\libcrypto-1_1-x64.dll" - File "${OPENSSL_BIN_DIR}\libssl-1_1-x64.dll" + File "${OPENSSL_BIN_DIR}\libcrypto-1_1-x64.pdb" + File "${OPENSSL_BIN_DIR}\libssl-1_1-x64.pdb" !endif # optional tstunnel.exe @@ -505,9 +524,10 @@ SetOutPath "$INSTDIR\engines" File "${OPENSSL_ENGINES_DIR}\capi.pdb" File "${OPENSSL_ENGINES_DIR}\padlock.pdb" - # File "${OPENSSL_ENGINES_DIR}\pkcs11.pdb" + File "${OPENSSL_ENGINES_DIR}\pkcs11.pdb" SetOutPath "$INSTDIR" SectionEnd +*/ Section !insertmacro RestartStunnel 
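Review bot: The win64 branch in the `@@ -323,11 +332,20 @@` hunk stops shipping `vcruntime140.dll` and leaves its replacement as ten commented-out lines, so the runtime the 64-bit binaries need is documented only by `# we assume Visual C++ 2008 for win32, and MinGW for win64` in the preceding hunk. The line `# TODO: add libssp-0.dll when -fstack-protector is fixed` suggests the win64 build currently ships without stack-protector hardening; that belongs in a tracked issue and the release notes rather than an installer comment. If the redistributable path is ever enabled, the exit code should be captured and checked, e.g. `ExecWait '"$INSTDIR\VC_redist.x64.exe" /quiet' $1`, because a failed runtime install would otherwise pass silently. I would delete the commented block or put it behind a `!ifdef` so the script carries no dead code.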
@@ -545,8 +565,10 @@ "Installs the Start Menu shortcuts for managing stunnel." LangString DESC_sectionDESKTOP ${LANG_ENGLISH} \ "Installs the Desktop shortcut for stunnel." +/* LangString DESC_sectionDEBUG ${LANG_ENGLISH} \ "Installs the .PDB (program database) files for the executables and libraries." +*/ LangString DESC_groupTOOLS ${LANG_ENGLISH} \ "Installs optional (but useful) tools." LangString DESC_groupSHORTCUTS ${LANG_ENGLISH} \ @@ -558,7 +580,9 @@ !insertmacro MUI_DESCRIPTION_TEXT ${sectionTSTUNNEL} $(DESC_sectionTSTUNNEL) !insertmacro MUI_DESCRIPTION_TEXT ${sectionMENU} $(DESC_sectionMENU) !insertmacro MUI_DESCRIPTION_TEXT ${sectionDESKTOP} $(DESC_sectionDESKTOP) +/* !insertmacro MUI_DESCRIPTION_TEXT ${sectionDEBUG} $(DESC_sectionDEBUG) +*/ !insertmacro MUI_DESCRIPTION_TEXT ${groupTOOLS} $(DESC_groupTOOLS) !insertmacro MUI_DESCRIPTION_TEXT ${groupSHORTCUTS} $(DESC_groupSHORTCUTS) !insertmacro MUI_FUNCTION_DESCRIPTION_END diff -Nru stunnel4-5.44/tools/stunnel.service.in stunnel4-5.50/tools/stunnel.service.in --- stunnel4-5.44/tools/stunnel.service.in 2016-12-13 11:28:35.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.service.in 2018-10-09 14:37:38.000000000 +0000 @@ -1,6 +1,6 @@ [Unit] Description=TLS tunnel for network daemons -After=syslog.target +After=syslog.target network.target [Service] ExecStart=@bindir@/stunnel diff -Nru stunnel4-5.44/tools/stunnel.spec stunnel4-5.50/tools/stunnel.spec --- stunnel4-5.44/tools/stunnel.spec 2017-11-14 14:01:47.000000000 +0000 +++ stunnel4-5.50/tools/stunnel.spec 2018-10-09 14:37:38.000000000 +0000 @@ -1,5 +1,5 @@ Name: stunnel -Version: 5.44 +Version: 5.50 Release: 1%{?dist} Summary: An TLS-encrypting socket wrapper Group: Applications/Internet diff -Nru stunnel4-5.44/.travis.yml stunnel4-5.50/.travis.yml --- stunnel4-5.44/.travis.yml 2017-10-16 18:44:02.000000000 +0000 +++ stunnel4-5.50/.travis.yml 2018-06-20 12:08:04.000000000 +0000 
@@ -25,7 +25,7 @@ - nmap before_script: - - if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew update; brew install autoconf-archive nmap; fi; true + - if [ "$TRAVIS_OS_NAME" == "osx" ]; then brew update; brew install openssl autoconf-archive nmap expect; fi; true - autoreconf -fvi && touch src/dhparam.c script: