--- stunnel4-4.20.orig/src/Makefile.in +++ stunnel4-4.20/src/Makefile.in @@ -221,7 +221,7 @@ INCLUDES = -I/usr/kerberos/include # Additional compiler flags -AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"$(sysconfdir)/stunnel"' -DPIDFILE='"$(prefix)/var/run/stunnel/stunnel.pid"' +AM_CPPFLAGS = -DLIBDIR='"$(libdir)"' -DCONFDIR='"/etc/stunnel"' -DPIDFILE='"/var/run/stunnel4.pid"' # Win32 executable EXTRA_DIST = stunnel.exe make.bat mingw.mak makece.bat evc.mak vc.mak nogui.c os2.mak --- stunnel4-4.20.orig/src/stunnel3.in +++ stunnel4-4.20/src/stunnel3.in @@ -27,7 +27,7 @@ use Getopt::Std; # Configuration - path to stunnel (version >=4.05) -$stunnel_bin='@prefix@/sbin/stunnel'; +$stunnel_bin='/usr/bin/stunnel4'; # stunnel3 script body begins here ($read_fd, $write_fd)=POSIX::pipe(); --- stunnel4-4.20.orig/tools/stunnel.conf-sample.in +++ stunnel4-4.20/tools/stunnel.conf-sample.in @@ -3,18 +3,18 @@ ; Please make sure you understand them (especially the effect of chroot jail) ; Certificate/key is needed in server mode and optional in client mode -cert = @prefix@/etc/stunnel/mail.pem -;key = @prefix@/etc/stunnel/mail.pem +cert = /etc/stunnel/mail.pem +;key = /etc/stunnel/mail.pem ; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = SSLv3 ; Some security enhancements for UNIX systems - comment them out on Win32 -chroot = @prefix@/var/lib/stunnel/ -setuid = nobody -setgid = @DEFAULT_GROUP@ +chroot = /var/lib/stunnel4/ +setuid = stunnel4 +setgid = stunnel4 ; PID is created inside chroot jail -pid = /stunnel.pid +pid = /stunnel4.pid ; Some performance tunings socket = l:TCP_NODELAY=1 
@@ -30,16 +30,16 @@ ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile -;CAfile = @prefix@/etc/stunnel/certs.pem +;CAfile = /etc/stunnel/certs.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile -;CRLfile = @prefix@/etc/stunnel/crls.pem +;CRLfile = /etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting ;debug = 7 -;output = stunnel.log +;output = /var/log/stunnel4/stunnel.log ; Use it for client mode ;client = yes --- stunnel4-4.20.orig/tools/stunnel.init.in +++ stunnel4-4.20/tools/stunnel.init.in @@ -4,7 +4,7 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin PREFIX=@prefix@ -DAEMON=$PREFIX/sbin/stunnel +DAEMON=$PREFIX/bin/stunnel PIDFILE=$PREFIX/var/stunnel/stunnel.pid test -f $DAEMON || exit 0 --- stunnel4-4.20.orig/tools/script.sh +++ stunnel4-4.20/tools/script.sh @@ -2,7 +2,7 @@ REMOTE_HOST="www.mirt.net:443" echo "client script connecting $REMOTE_HOST" -/usr/local/sbin/stunnel -fd 10 \ +/usr/local/bin/stunnel -fd 10 \ 11<&0 < +# September 2003 + +# Change to one to enable stunnel +ENABLED=0 +FILES="/etc/stunnel/*.conf" +OPTIONS="" + +# Change to one to enable ppp restart scripts +PPP_RESTART=0 --- stunnel4-4.20.orig/debian/compat +++ stunnel4-4.20/debian/compat @@ -0,0 +1 @@ +4 --- stunnel4-4.20.orig/debian/README.Debian +++ stunnel4-4.20/debian/README.Debian 
@@ -0,0 +1,53 @@ +stunnel4 package for Debian. + +WARNING: Since stunnel >= 4.140-6, stunnel/stunnel4 binaries are located in /usr/bin instead of /usr/sbin in order to be FHS compliant (they can be used by normal user). You need to update your script to refer to this new location + +"Sergio Rua" made a perl front-end for the stunnel +configuration. It is very simple and only includes a couple of configuration +options. This script is located in : +/usr/share/doc/stunnel4/StunnelConf-0.1.pl +Requirements are libgnome2-perl and libgtk2-perl. + +After installation, you should : + - edit /etc/default/stunnel and set ENABLE=1 + - edit /etc/stunnel/stunnel.conf + - generate a certificate for use with stunnel if you want to use server mode : + +The certificates default directory is /etc/ssl/certs, so cd into that dir +and issue the command: + +openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem + +Fill in the info requested. Note: change 'stunnel.pem' to the name of the +certificate you need to create: stunnel.pem will be used by default by stunnel, +but you want to create different certificates for different services you run +with stunnel. +Make sure only root can read the file (or only the user that needs to read it, +if stunnel is run as that user): + +chmod 600 stunnel.pem + +Now you need to append the DH parameters to the certificate. +First you need to generate some amount of random data: + +dd if=/dev/urandom of=temp_file count=2 + +Use /dev/random if you want a more secure source of data, but make sure you have +enough entropy on you system (the output file should be at least 512 bytes long). 
+ +And now make openssl generate the DH parameters and append them to the certificate file: + +openssl dhparam -rand temp_file 512 >> stunnel.pem + +You also want to link the certificate to its hash name so that openssl +can find it also by that means: + +ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0 + +Read the manual page for openssl for more info on the various options. + +Julien LEMOINE +speedblue@debian.org + + + -- Julien Lemoine , Sun, 12 Mar 2006 21:36:35 +0100 --- stunnel4-4.20.orig/debian/copyright +++ stunnel4-4.20/debian/copyright @@ -0,0 +1,22 @@ +This package was dowloaded from http://www.stunnel.org/ +and debianized by Paolo Molaro . + +It was downloaded from http://www.stunnel.org/download/source.html + +Upstream author: Michal Trojnara + +Copyright: +You are free to distribute this software under the terms of +the GNU General Public License. +On Debian systems, the complete text of the GNU General Public +License can be found in /usr/share/common-licenses/GPL file. + +In addition, as a special exception, Michal Trojnara gives +permission to link the code of this program with the OpenSSL +library (or with modified versions of OpenSSL that use the same +license as OpenSSL), and distribute linked combinations including +the two. You must obey the GNU General Public License in all +respects for all of the code used other than OpenSSL. If you modify +this file, you may extend this exception to your version of the +file, but you are not obligated to do so. If you do not wish to +do so, delete this exception statement from your version. --- stunnel4-4.20.orig/debian/stunnel4.init +++ stunnel4-4.20/debian/stunnel4.init 
@@ -0,0 +1,98 @@
+#! /bin/sh -e
+### BEGIN INIT INFO
+# Provides: stunnel4
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $syslog
+# Should-Stop: $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
+### END INIT INFO
+
+DEFAULTPIDFILE="/var/run/stunnel4.pid"
+DAEMON=/usr/bin/stunnel4
+NAME=stunnel
+DESC="SSL tunnels"
+FILES="/etc/stunnel/*.conf"
+OPTIONS=""
+ENABLED=0
+
+startdaemons() {
+ if ! [ -d /var/run/stunnel4 ]; then
+ rm -rf /var/run/stunnel4
+ install -d -o stunnel4 -g stunnel4 /var/run/stunnel4
+ fi
+ for file in $FILES; do
+ if test -f $file; then
+ ARGS="$file $OPTIONS"
+ if $DAEMON $ARGS; then
+ echo -n "[Started: $file] "
+ else
+ echo "[Failed: $file]"
+ echo "You should check that you have specified the pid= in you configuration file"
+ exit 1
+ fi
+ fi
+ done;
+}
+
+killdaemons()
+{
+ for file in $FILES; do
+ if test -f $file; then
+ CHROOT=`grep "^chroot" $file|sed "s;.*= *;;"`
+ PIDFILE=`grep "^pid" $file|sed "s;.*= *;;"`
+ if [ "$PIDFILE" = "" ]; then
+ PIDFILE=$DEFAULTPIDFILE
+ fi
+ if test -f $CHROOT/$PIDFILE; then
+ PROCLIST=`cat $CHROOT/$PIDFILE`
+ if [ "$PROCLIST" ] && kill -0 $PROCLIST 2>/dev/null; then
+ kill $PROCLIST
+ echo -n "[stopped: $file] "
+ fi
+ fi
+ fi
+ done
+}
+
+if [ "x$OPTIONS" != "x" ]; then
+ OPTIONS="-- $OPTIONS"
+fi
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$ENABLED" != "0" || exit 0
+
+test -x $DAEMON || exit 0
+
+set -e
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+ startdaemons
+ echo "$NAME."
+ ;;
+ stop)
+ echo -n "Stopping $DESC: "
+ killdaemons
+ echo "$NAME."
+ ;;
+#force-reload does not send a SIGHUP, since SIGHUP is interpreted as a
+#quit signal by stunnel. I reported this problem to upstream authors.
+ force-reload|restart)
+ echo -n "Restarting $DESC: "
+ killdaemons
+ sleep 5
+ startdaemons
+ echo "$NAME."
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|force-reload|restart}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- stunnel4-4.20.orig/debian/doc-base
+++ stunnel4-4.20/debian/doc-base
@@ -0,0 +1,13 @@
+Document: stunnel4
+Title: Stunnel documentation
+Author: Michal Trojnara
+Abstract: This manual documents stunnel, a SSL-enhanced client and
+ server wrapper.
+Section: Apps/Net
+
+Format: HTML
+Index: /usr/share/doc/stunnel4/stunnel.html
+Files: /usr/share/doc/stunnel4/stunnel*.html
+
+Format: text
+Files: /usr/share/doc/stunnel4/transproxy.txt
--- stunnel4-4.20.orig/debian/stunnel4.0stunnel4.ppp.ip-down
+++ stunnel4-4.20/debian/stunnel4.0stunnel4.ppp.ip-down
@@ -0,0 +1,9 @@
+#!/bin/sh
+# if this script gets called, we assume that the machine has lost
+# IPv4 connectivity -> restart stunnel (do not stop it, it is possible
+# to have a eth connection)
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$PPP_RESTART" != "0" || exit 0
+
+/etc/init.d/stunnel4 restart
--- stunnel4-4.20.orig/debian/stunnel4.0stunnel4.ppp.ip-up
+++ stunnel4-4.20/debian/stunnel4.0stunnel4.ppp.ip-up
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+test -f /etc/default/stunnel4 && . /etc/default/stunnel4
+test "$PPP_RESTART" != "0" || exit 0
+
+
+/etc/init.d/stunnel4 restart
--- stunnel4-4.20.orig/debian/StunnelConf-0.1.pl
+++ stunnel4-4.20/debian/StunnelConf-0.1.pl
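Review bot: In killdaemons, `PROCLIST` is read from `$CHROOT/$PIDFILE` and handed straight to `kill` while the script runs as root, yet that pid file sits inside the chroot the daemon itself writes to (presumably after it has switched to the `stunnel4` user per the sample config), so its contents have to be treated as untrusted; `kill -0` only confirms that some process with that id exists. Restrict the value to digits right after the `cat`, e.g. `case "$PROCLIST" in ''|*[!0-9]*) PROCLIST='' ;; esac`, or replace the hand-rolled loop with `start-stop-daemon --stop --pidfile "$CHROOT/$PIDFILE" --exec $DAEMON` so the target is also checked against the stunnel4 executable. Separately, the `OPTIONS="-- $OPTIONS"` rewrite runs before `/etc/default/stunnel4` is sourced, so an OPTIONS value set in the defaults file never receives the `--` prefix; move that block below the `. /etc/default/stunnel4` line. The `grep "^pid"` extraction also matches any key that merely starts with `pid`; anchoring it as `grep "^pid *="` is cheap.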
@@ -0,0 +1,477 @@ +#!/usr/bin/perl + +# Copyright (C) 2004 Sergio Rua + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +# +# On Debian GNU/Linux systems, the complete text of the GNU General +# Public License can be found in `/usr/share/common-licenses/GPL'. + +use strict; +use Gtk2; +use Gnome2; +use Gtk2::SimpleList; + +use constant TRUE => 1; +use constant FALSE => 0; +# Please configure if necessary! +my $cfgfile = "/etc/stunnel/stunnel.conf"; +my $backup_cfg = 1; +my $base_cfg_dir = $cfgfile;$base_cfg_dir=~s/\/stunnel\.conf//g; + +# global variables +my $ekey; +my $ecert; +my $verify; +my $app; +my $elog; +my $clientmode; +my $debuglevel; +my $capath; +my $list; + + +sub mydie +{ + my ($msg)=@_; + + print "$msg\n"; + Gtk2->main_quit; + exit (-1); +} + + +sub sel_file +{ + my ($title,$entry,$isfile)=@_; + + my $fsel=Gtk2::FileSelection->new($title); + $fsel->ok_button->signal_connect("clicked",sub { + print "OK: ". 
$fsel->get_filename."\n"; + $entry->set_text($fsel->get_filename); + $fsel->destroy; + }); + $fsel->cancel_button->signal_connect("clicked",sub { $fsel->destroy; }); + + $fsel->show; +} + +sub add_connection +{ + my $win = new Gtk2::Window("toplevel"); + $win->set_position("center"); + + my $vbox = new Gtk2::VBox( 0, 2 ); + $win->add($vbox); + $vbox->show; + my $druid = new Gnome2::Druid; + $druid->signal_connect("cancel", sub { $win->destroy; } ); + $vbox->pack_start($druid,0,0,0); + my $druid_start = new Gnome2::DruidPageEdge("GNOME_EDGE_START"); + $druid_start->set_title("Connections setup"); + $druid_start->set_text("Please follow this configuration wizard to ". + "configure your connections\n"); +# $druid_start->set_watermark($logo); + $druid_start->show; + $druid->append_page($druid_start); + +# Second Step: accepting connections + my $druid_name = new Gnome2::DruidPageStandard(); + $druid_name->set_title("Connection name"); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $label=new Gtk2::Label("Enter this connection name"); + $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0); + my $ename=new Gtk2::Entry(); + $dtable->attach($ename,1,2,0,1,["fill"],["fill"],0,0); + $druid_name->append_item("",$dvbox,""); + $druid_name->show_all; + # add page to the druid + $druid->append_page($druid_name); + + +# Second Step: accepting connections + my $druid_accept = new Gnome2::DruidPageStandard(); + $druid_accept->set_title("Accepting connections"); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $accept_error=new Gtk2::Label(""); + $dtable->attach($accept_error,0,1,0,1,["fill"],["fill"],0,0); + my $label=new Gtk2::Label("IP or hostname"); + $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0); + my $eip=new Gtk2::Entry(); + $dtable->attach($eip,1,2,1,2,["fill"],["fill"],0,0); + + my $label=new Gtk2::Label("Port 
number"); + $dtable->attach($label,0,1,2,3,["fill"],["fill"],0,0); + my $eport=new Gtk2::Entry(); + $dtable->attach($eport,1,2,2,3,["fill"],["fill"],0,0); + + $druid_accept->append_item("",$dvbox,""); + $druid_accept->show_all; + # add page to the druid + $druid->append_page($druid_accept); + +# Third Step: connecting to... + my $druid_connect = new Gnome2::DruidPageStandard(); + $druid_connect->set_title("Connection To..."); + my $dvbox=new Gtk2::VBox(2,2); + my $dtable=new Gtk2::Table(2,2,FALSE); + $dvbox->pack_start($dtable,FALSE,FALSE,0); + + my $label=new Gtk2::Label("IP or hostname"); + $dtable->attach($label,0,1,0,1,["fill"],["fill"],0,0); + my $etoip=new Gtk2::Entry(); + $dtable->attach($etoip,1,2,0,1,["fill"],["fill"],0,0); + + my $label=new Gtk2::Label("Port number"); + $dtable->attach($label,0,1,1,2,["fill"],["fill"],0,0); + my $etoport=new Gtk2::Entry(); + $dtable->attach($etoport,1,2,1,2,["fill"],["fill"],0,0); + + $druid_connect->append_item("",$dvbox,""); + $druid_connect->show_all; + # add page to the druid + $druid->append_page($druid_connect); + + +# Finishing and adding connection + my $druid_finish = new Gnome2::DruidPageEdge("GNOME_EDGE_FINISH"); + $druid_finish->set_title("Configuration Finished."); + $druid_finish->set_text("The configuration has been finished. Click to either save or cancel"); +# $druid_finish->set_logo($logo2); + $druid_finish->signal_connect("finish", sub { + my $acip=$eip->get_text(); + my $acport=$eport->get_text(); + my $coip=$etoip->get_text(); + my $coport=$etoport->get_text(); + + my $dslist = $list->{data}; + push @$dslist, [ $ename->get_text(), $acip.":".$acport, $coip.":".$coport ]; + + + $win->destroy; + }); + $druid_finish->show; + $druid->append_page($druid_finish); + $druid->show; + $win->show; +} + +sub load_config_file +{ + my $con=$list->{data}; + my $name=""; + my $accept=""; + my $connect=""; + + if (! -s $cfgfile) { + print "Config file not found. 
Starting from scratch!\n"; + return (0); + } + + open F, "<$cfgfile" or die "$cfgfile: $!\n"; + + while () { + $_=~s/\n//g; + if ($_=~/^cert.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $ecert->set_text($value); + } elsif ($_=~/^key.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $ekey->set_text($value); + } elsif ($_=~/^verify.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + if ($value==1) { + $verify->entry->set_text("verify peer certificate if present"); + } elsif ($value==2) { + $verify->entry->set_text("verify peer certificate"); + } elsif ($value==3) { + $verify->entry->set_text("verify peer with locally installed certificate"); + } else { + $verify->entry->set_text("no verify"); + } + } elsif ($_=~/^client.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $clientmode->entry->set_text($value); + } elsif ($_=~/^(capath|CApath).*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $capath->set_text($value); + } elsif ($_=~/^debug.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $debuglevel->entry->set_text($value); + } elsif ($_=~/^output.*=.*/) { + (undef,my $value) = split "=",$_; + $value=~s/(\ |\t)//g; + $elog->set_text($value); + } elsif ($_=~/^\[.*/) { + $_=~s/\[//g; + $_=~s/\]//g; + $name=$_; + } elsif ($_=~/^accept.*=.*/) { + (undef,$accept) = split "=",$_; + $accept=~s/(\ |\t)//g; + } elsif ($_=~/^connect.*=.*/) { + (undef,$connect) = split "=",$_; + $connect=~s/(\ |\t)//g; + } + + # load connection + if (($accept) && ($name) && ($connect)) { + push @$con, [ $name, $accept, $connect ]; + $name=$connect=$accept=""; + } + } + close F; + +} + +sub save_config_file +{ + if ($backup_cfg) { + chdir ($base_cfg_dir); + rename($cfgfile,$cfgfile.".$$") or + print "Error at \n$cfgfile: $!\nNo backup made!\n"; + } + open O, ">$cfgfile" or + mydie "Cannot open config file: $!\n"; + + print "Saving $cfgfile\n\n\n"; + print O "# 
Configuration file created by \"stunnelconf\" by ". + "Sergio Rua \n\n"; + if ($ekey->get_text()) { + print O "key = ".$ekey->get_text()."\n"; + } + if ($ecert->get_text()) { + print O "cert = ".$ecert->get_text()."\n"; + } + print O "verify = ".$verify->entry->get_text()."\n"; + print O "output = ".$elog->get_text()."\n"; + print O "client = ".$clientmode->entry->get_text()."\n"; + print O "debug = ".$debuglevel->entry->get_text()."\n"; + print O "CApath = ".$capath->get_text()."\n"; + print O "\n\n"; # just some spaces + + my @rowref = @{$list->{data}}; + my $i=0; + + for $i (0 .. $#rowref) { + print O "[".$rowref[$i][0] . "]\n"; + # if no hostname, ugly ":" to be removed + $rowref[$i][1]=~s/^://g; + $rowref[$i][2]=~s/^://g; + print O "accept = ".$rowref[$i][1] . "\n"; + print O "connect = ".$rowref[$i][2] . "\n"; + print O "\n"; # just some spaces + } + + close O; + Gtk2->main_quit; + return 0; +} + + +sub create_main_win +{ + $app = Gnome2::App->new ("stunnel-conf"); + $app->set_default_size(470,410); + $app->signal_connect( 'destroy' => sub { Gtk2->main_quit; } ); + $app->set_title("Stunnel Configuration"); + + my $vbox=Gtk2::VBox->new(FALSE,0); + my $frame=Gtk2::Frame->new("Common options"); + $vbox->pack_start($frame,TRUE, TRUE, 0); + + my $table=Gtk2::Table->new(6, 2, FALSE); + $frame->add($table); + + my $label0=Gtk2::Label->new("Private Key"); + $table->attach($label0,0,1,0,1,["fill"],["fill"],0,0); + my $label1=Gtk2::Label->new("Certificate"); + $table->attach($label1,0,1,1,2,["fill"],["fill"],0,0); + my $label2=Gtk2::Label->new("Verify level"); + $table->attach($label2,0,1,2,3,["fill"],["fill"],0,0); + my $label3=Gtk2::Label->new("Log output"); + $table->attach($label3,0,1,3,4,["fill"],["fill"],0,0); + my $label4=Gtk2::Label->new("Client mode"); + $table->attach($label4,0,1,4,5,["fill"],["fill"],0,0); + my $label5=Gtk2::Label->new("Debug level"); + $table->attach($label5,0,1,5,6,["fill"],["fill"],0,0); + my $label6=Gtk2::Label->new("Certificates path"); 
+ $table->attach($label6,0,1,6,7,["fill"],["fill"],0,0); + + # Private Key + my $hbox0=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox0,1,2,0,1,["fill"],["fill"],0,0); + + $ekey=Gtk2::Entry->new(); + $hbox0->pack_start($ekey,TRUE,TRUE,0); + + my $bkey=Gtk2::Button->new_from_stock("gtk-open"); + $bkey->signal_connect("clicked",sub { + sel_file("Select private key",$ekey); + }); + $hbox0->pack_start($bkey,FALSE,FALSE,0); + + # Certificate + my $hbox1=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox1,1,2,1,2,["fill"],["fill"],0,0); + + $ecert=Gtk2::Entry->new(); + $hbox1->pack_start($ecert,TRUE,TRUE,0); + + my $bcert=Gtk2::Button->new_from_stock("gtk-open"); + $bcert->signal_connect("clicked",sub { + sel_file("Select certificate",$ecert); + }); + $hbox1->pack_start($bcert,FALSE,FALSE,0); + + # Auth level - verify + $verify = Gtk2::Combo->new(); + $verify->entry->set_text("no verify"); + $verify->set_popdown_strings(("no verify", + "verify peer certificate if present", + "verify peer certificate", + "verify peer with locally installed certificate")); + $table->attach($verify,1,2,2,3,["fill"],["fill"],0,0); + + # Log output + my $hbox2=Gtk2::HBox->new(FALSE,0); + $table->attach($hbox2,1,2,3,4,["fill"],["fill"],0,0); + + $elog=Gtk2::Entry->new(); + $hbox2->pack_start($elog,TRUE,TRUE,0); + + my $blog=Gtk2::Button->new_from_stock("gtk-open"); + $blog->signal_connect("clicked",sub { + sel_file("Select log file",$elog); + }); + $hbox2->pack_start($blog,FALSE,FALSE,0); + + # Client mode + $clientmode = Gtk2::Combo->new(); + $clientmode->entry->set_text("no verify"); + $clientmode->set_popdown_strings(("yes","no")); + $table->attach($clientmode,1,2,4,5,["fill"],["fill"],0,0); + + # Debug level + $debuglevel = Gtk2::Combo->new(); + $debuglevel->entry->set_text("no verify"); + $debuglevel->set_popdown_strings(("0","1","5","7")); + $table->attach($debuglevel,1,2,5,6,["fill"],["fill"],0,0); + + # CA path + my $hbox3=Gtk2::HBox->new(FALSE,0); + 
$table->attach($hbox3,1,2,6,7,["fill"],["fill"],0,0); + + $capath=Gtk2::Entry->new(); + $hbox3->pack_start($capath,TRUE,TRUE,0); + +# my $bcapath=Gtk2::Button->new_from_stock("gtk-open"); +# $bcapath->signal_connect("clicked",sub { +# sel_file("Select Certificates Path",$capath); +# }); +# $hbox3->pack_start($bcapath,FALSE,FALSE,0); + + # connections section + my $frame2=Gtk2::Frame->new("Connections"); + $vbox->pack_start($frame2,TRUE, TRUE, 0); + + my $hbox4=Gtk2::HBox->new(FALSE,0); + $list=Gtk2::SimpleList->new ( + 'Name' => 'text', + 'Accept' => 'text', + 'Connect' => 'text', + ); +# $list->get_selection->set_mode ('multiple'); + my $scwin = Gtk2::ScrolledWindow->new; + $scwin->set_policy (qw/automatic automatic/); + $scwin->add($list); + + $hbox4->pack_start($scwin,TRUE,TRUE,0); + + # list buttons + my $vbbox=Gtk2::VButtonBox->new(); + $vbbox->set_layout('spread'); + my $badd = Gtk2::Button->new_from_stock('gtk-add'); + $badd->signal_connect( 'clicked' => sub { add_connection; } ); + $vbbox->add($badd); + + +# my $bedit = Gtk2::Button->new_from_stock('gtk-properties'); +# $bedit->signal_connect( 'clicked' => sub { +# print "Edit\n"; +# } ); +# $vbbox->add($bedit); + + + my $brem = Gtk2::Button->new_from_stock('gtk-remove'); + $brem->signal_connect( 'clicked' => sub { + my @sel = $list->get_selected_indices; + print @sel; + foreach my $i (@sel) { + delete $list->{data}[$i]; + } + } ); + $vbbox->add($brem); + + $hbox4->pack_start($vbbox,FALSE,FALSE,0); + + # main buttons!!! 
+ my $bbox=Gtk2::HButtonBox->new();
+ $bbox->set_layout('spread');
+
+ my $bok = Gtk2::Button->new_from_stock('gtk-ok');
+ $bok->signal_connect( 'clicked' => sub { save_config_file; } );
+ $bbox->add($bok);
+
+ my $bcancel = Gtk2::Button->new_from_stock('gtk-cancel');
+ $bcancel->signal_connect( 'clicked' => sub { Gtk2->main_quit;} );
+ $bbox->add($bcancel);
+
+ $vbox->pack_start($bbox,FALSE,FALSE,0);
+ $frame2->add($hbox4);
+
+
+# App contents and show them
+ $app->set_contents($vbox);
+ $app->show_all;
+}
+
+#
+# MAIN MAIN MAIN
+#
+
+
+#
+Gnome2::Program->init ("stunnelconf", "0.1");
+$app=create_main_win;
+load_config_file;
+
+Gtk2->main;
+
+exit 0;
+
--- stunnel4-4.20.orig/debian/stunnel4.logrotate
+++ stunnel4-4.20/debian/stunnel4.logrotate
@@ -0,0 +1,13 @@
+/var/log/stunnel4/*.log {
+ daily
+ missingok
+ rotate 356
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /etc/init.d/stunnel4 restart > /dev/null
+ endscript
+}
--- stunnel4-4.20.orig/debian/connect-proxy_dunbar.patch
+++ stunnel4-4.20/debian/connect-proxy_dunbar.patch
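Review bot: save_config_file writes the combo label back verbatim (`print O "verify = ".$verify->entry->get_text()."\n";`) although load_config_file maps the numeric levels 1/2/3 to those labels, so a saved file ends up with `verify = verify peer certificate` instead of `verify = 2`, a value stunnel's numeric `verify` option will not take; the inverse mapping below should be applied, and it should refuse to save an unknown label rather than silently falling back to 0, since that is the "no verification" setting. The lookup has to happen before the backup `rename` and the truncating `open O, ">$cfgfile"`, otherwise an aborted save leaves an empty configuration behind. The same copy-paste shows in create_main_win, where `$clientmode->entry->set_text("no verify")` and `$debuglevel->entry->set_text("no verify")` seed values that are later written unchanged to `client =` and `debug =`; they should be `"no"` and `"0"` to match the popdown strings. The file has `use strict;` but no `use warnings;`, and both config opens are two-argument bareword opens (`open F, "<$cfgfile"`, `open O, ">$cfgfile"`); prefer `open my $in, '<', $cfgfile or die "$cfgfile: $!"` and check `close` on the write handle.
```perl
# At the top of save_config_file, before the backup/rename and the open:
# stunnel's verify option is numeric; invert the label mapping used by
# load_config_file instead of writing the combo text back verbatim.
my %verify_level_of = (
    "no verify"                                      => 0,
    "verify peer certificate if present"             => 1,
    "verify peer certificate"                        => 2,
    "verify peer with locally installed certificate" => 3,
);
my $verify_label = $verify->entry->get_text();
# Validate here so a bad value leaves the existing configuration untouched.
mydie "Unknown verify level '$verify_label', not saving\n"
    unless exists $verify_level_of{$verify_label};
# … unchanged: backup, open O, header comment, key/cert lines …
print O "verify = " . $verify_level_of{$verify_label} . "\n";
# … unchanged: remaining common options and connection sections …
```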
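Review bot: `rotate 356` looks like a typo for 365 (a year of daily logs); as written it keeps 356 rotations. The `postrotate` action does a full `/etc/init.d/stunnel4 restart`, which tears down every active tunnel once a day; the init script's own comment says SIGHUP is treated as quit by this stunnel version, so a plain reload is not available, but that trade-off deserves a comment such as `# stunnel4 keeps the log fd open and exits on SIGHUP, so a restart is needed after rotation`. `create 640 root adm` is consistent only if the daemon opens the log before dropping to the `stunnel4` user set in the sample config; if it reopens the log after setuid, the rotated file will be unwritable — worth confirming against the daemon's log_open order.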
@@ -0,0 +1,399 @@ +diff -urN stunnel-4.05.orig/src/client.c stunnel-4.05/src/client.c +--- stunnel-4.05.orig/src/client.c 2004-02-10 19:17:54.000000000 +0000 ++++ stunnel-4.05/src/client.c 2004-03-08 18:39:51.000000000 +0000 +@@ -74,6 +74,7 @@ + #endif + static int connect_remote(CLI *c); + static void reset(int, char *); ++int connect_to_finaldest(CLI *c, int s); + + int max_clients; + #ifndef USE_WIN32 +@@ -911,7 +912,8 @@ + safe_ntoa(c->connecting_address, addr.sin_addr); + log(LOG_DEBUG, "%s connecting %s:%d", c->opt->servname, + c->connecting_address, ntohs(addr.sin_port)); +- if(!connect(s, (struct sockaddr *)&addr, sizeof(addr))) ++ if(!connect(s, (struct sockaddr *)&addr, sizeof(addr)) ++ && !connect_to_finaldest(c, s)) + return s; /* no error -> success */ + error=get_last_socket_error(); + switch(error) { +@@ -936,7 +938,8 @@ + } + + /* try to connect for the 2nd time */ +- if(!connect(s, (struct sockaddr *)&addr, sizeof(addr))) ++ if(!connect(s, (struct sockaddr *)&addr, sizeof(addr)) ++ && !connect_to_finaldest(c, s)) + return s; /* no error -> success */ + error=get_last_socket_error(); + switch(error) { +@@ -965,4 +968,245 @@ + log_error(LOG_DEBUG, get_last_socket_error(), txt); + } + ++/* ++ * Base 64 encoding algorithm from: Bob Deblier ++ * Modified by Daniel Savard to accept char * ++ */ ++static const char* to_b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; ++char* b64enc(const char* data) { ++ int div = strlen(data) / 3; ++ int rem = strlen(data) % 3; ++ int chars = div*4 + rem + 1; ++ char* string = (char*) malloc(chars + 1); ++ ++ if (string) { ++ register char* buf = string; ++ chars = 0; ++ while (div > 0) { ++ buf[0] = to_b64[ (data[0] >> 2) & 0x3f]; ++ buf[1] = to_b64[((data[0] << 4) & 0x30) + ((data[1] >> 4) & 0xf)]; ++ buf[2] = to_b64[((data[1] << 2) & 0x3c) + ((data[2] >> 6) & 0x3)]; ++ buf[3] = to_b64[ data[2] & 0x3f]; ++ data += 3; ++ buf += 4; ++ div--; ++ chars += 4; ++ } ++ ++ switch (rem) { ++ case 2: ++ 
buf[0] = to_b64[ (data[0] >> 2) & 0x3f]; ++ buf[1] = to_b64[((data[0] << 4) & 0x30) + ((data[1] >> 4) & 0xf)]; ++ buf[2] = to_b64[ (data[1] << 2) & 0x3c]; ++ buf[3] = '='; ++ buf += 4; ++ chars += 4; ++ break; ++ case 1: ++ buf[0] = to_b64[ (data[0] >> 2) & 0x3f]; ++ buf[1] = to_b64[ (data[0] << 4) & 0x30]; ++ buf[2] = '='; ++ buf[3] = '='; ++ buf += 4; ++ chars += 4; ++ break; ++ } ++ ++ *buf = '\0'; ++ } ++ ++return string; ++} ++ ++/* ++ * Base 64 decoding algorithm from: Bob Deblier ++ * Modified by Daniel Savard to return char * ++ */ ++char* b64dec(const char* string) ++{ ++ /* return a decoded char string, or a null pointer in case of failure */ ++ char* data = NULL; ++ ++ if (string) { ++ register int length = strlen(string); ++ ++ /* do a format verification first */ ++ if (length > 0) { ++ register int count = 0, rem = 0; ++ register const char* tmp = string; ++ ++ while (length > 0) { ++ register int skip = strspn(tmp, to_b64); ++ count += skip; ++ length -= skip; ++ tmp += skip; ++ if (length > 0) { ++ register int i, vrfy = strcspn(tmp, to_b64); ++ ++ for (i = 0; i < vrfy; i++) { ++ if (isspace(tmp[i])) ++ continue; ++ ++ if (tmp[i] == '=') { ++ /* we should check if we're close to the end of the string */ ++ rem = count % 4; ++ ++ /* rem must be either 2 or 3, otherwise no '=' should be here */ ++ if (rem < 2) ++ return NULL; ++ ++ /* end-of-message recognized */ ++ break; ++ } else { ++ /* Transmission error; RFC tells us to ignore this, but: ++ * - the rest of the message is going to even more corrupt since we're sliding bits out of place ++ * If a message is corrupt, it should be dropped. Period. ++ */ ++ return NULL; ++ } ++ } ++ ++ length -= vrfy; ++ tmp += vrfy; ++ } ++ } ++ ++ data = (unsigned char *)malloc((count / 4) * 3 + (rem ? 
(rem - 1) : 0)); ++ ++ if (data) { ++ if (count > 0) { ++ register int i, qw = 0, tw = 0; ++ ++ length = strlen(tmp = string); ++ ++ for (i = 0; i < length; i++) { ++ register char ch = string[i]; ++ register char bits = 0; ++ ++ if (isspace(ch)) ++ continue; ++ ++ if ((ch >= 'A') && (ch <= 'Z')) { ++ bits = (ch - 'A'); ++ } else if ((ch >= 'a') && (ch <= 'z')) { ++ bits = (ch - 'a' + 26); ++ } else if ((ch >= '0') && (ch <= '9')) { ++ bits = (ch - '0' + 52); ++ } else if (ch == '=') { ++ break; ++ } ++ ++ switch (qw++) { ++ case 0: ++ data[tw+0] = (bits << 2) & 0xfc; ++ break; ++ case 1: ++ data[tw+0] |= (bits >> 4) & 0x03; ++ data[tw+1] = (bits << 4) & 0xf0; ++ break; ++ case 2: ++ data[tw+1] |= (bits >> 2) & 0x0f; ++ data[tw+2] = (bits << 6) & 0xc0; ++ break; ++ case 3: ++ data[tw+2] |= bits & 0x3f; ++ break; ++ } ++ ++ if (qw == 4) { ++ qw = 0; ++ tw += 3; ++ } ++ } ++ ++ data[tw] = '\0'; ++ } ++ } ++ } ++ } ++ ++return data; ++} ++ ++/* ++ * Original https proxy algorithm from: Tan Swee Heng ++ * Modified by Daniel Savard to support basic authentication ++ */ ++int connect_to_finaldest(CLI *c, int s) { ++ char buff[STRLEN]; ++ int len, code; ++ char httpsproxy_auth[STRLEN] = ""; ++ char httpsproxy_useragent[STRLEN] = ""; ++ ++ if (!c->opt->option.httpsproxy) ++ return 0; ++ ++ if (c->opt->httpsproxy_auth != NULL) { ++ if (strchr(c->opt->httpsproxy_auth,':')) { ++ /* httpsproxy_auth in the form name:password' */ ++ char *base64_auth = b64enc(c->opt->httpsproxy_auth); ++ log(LOG_DEBUG,"proxy: authenticate with '%s' -> '%s'\n",c->opt->httpsproxy_auth,base64_auth); ++ sprintf(httpsproxy_auth,"Proxy-Authorization: Basic %s\r\n",base64_auth); ++ free(base64_auth); ++ } else { ++ /* httpsproxy_auth already base64 encoded */ ++ char *normal_auth = b64dec(c->opt->httpsproxy_auth); ++ log(LOG_DEBUG,"proxy: authenticate with '%s' -> '%s'\n",normal_auth,c->opt->httpsproxy_auth); ++ sprintf(httpsproxy_auth,"Proxy-Authorization: Basic %s\r\n",c->opt->httpsproxy_auth); ++ 
free(normal_auth); ++ } ++ } else { ++ log(LOG_DEBUG,"proxy: no authentication specified"); ++ } ++ ++ if (c->opt->httpsproxy_useragent != NULL) { ++ log(LOG_DEBUG,"proxy: useragent '%s' -> '%s'\n",c->opt->httpsproxy_useragent); ++ sprintf(httpsproxy_useragent,"User-Agent: %s\r\n",c->opt->httpsproxy_useragent); ++ } else { ++ log(LOG_DEBUG,"proxy: no useragent specified"); ++ } ++ ++#ifdef HAVE_SNPRINTF ++ len=snprintf(buff, STRLEN, ++#else ++ len=sprintf(buff, ++#endif ++ "CONNECT %s HTTP/1.0\r\n%s%s\r\n", ++ c->opt->httpsproxy_dest_address, ++ httpsproxy_auth, ++ httpsproxy_useragent); ++ ++ len=writesocket(s, buff, len); ++ if(len<0) { ++ sockerror("writesocket (httpsproxy)"); ++ closesocket(s); ++ return -1; ++ } ++ log(LOG_DEBUG, "me ---> proxy: %s", buff); ++ ++ waitforsocket(s, 0, c->opt->timeout_busy); ++ len=readsocket(s, buff, STRLEN-1); ++ ++ if(len<0) { ++ sockerror("readsocket (httpsproxy)"); ++ closesocket(s); ++ return -1; ++ } ++ buff[len]='\0'; ++ log(LOG_DEBUG, "proxy ---> me: %s", buff); ++ ++ code = 0; ++ if(sscanf(buff, "HTTP/%*s %d %*s", &code) != 1) { ++ log(LOG_ERR, "error: %s", buff); ++ return -1; ++ } ++ ++ if(code != 200) { ++ log(LOG_WARNING, "return code not 200: %s", buff); ++ return -1; ++ } ++ ++ return 0; ++} ++ + /* End of client.c */ +diff -urN stunnel-4.05.orig/src/options.c stunnel-4.05/src/options.c +--- stunnel-4.05.orig/src/options.c 2004-03-08 17:34:41.000000000 +0000 ++++ stunnel-4.05/src/options.c 2004-03-08 18:36:33.000000000 +0000 +@@ -770,6 +770,82 @@ + } + #endif + ++ /* Daniel Savard ++ * httpsproxy_auth ++ * Optional parameter to httpsproxy_dest to specify authentication ++ * credential to the https proxy. Value must be in form name:password ++ * or the base64 encoded value of the preceding form. 
++ */ ++ switch(cmd) { ++ case CMD_INIT: ++ section->httpsproxy_auth=NULL; ++ break; ++ case CMD_EXEC: ++ if(strcasecmp(opt, "httpsproxy_auth")) ++ break; ++ section->httpsproxy_auth=stralloc(arg); ++ return NULL; /* OK */ ++ case CMD_DEFAULT: ++ break; ++ case CMD_HELP: ++ log_raw("%-15s = authentication for 'httpsproxy' must be userid:password", ++ "httpsproxy_auth"); ++ break; ++ } ++ ++ /* Daniel Savard ++ * httpsproxy_dest ++ * When specified, the connect parameter will specify the name of a https ++ * proxy server and this parameter will be the final destination. ++ */ ++ switch(cmd) { ++ case CMD_INIT: ++ section->option.httpsproxy=0; ++ section->httpsproxy_dest_address=NULL; ++ section->httpsproxy_dest_names=NULL; ++ section->httpsproxy_dest_port=0; ++ break; ++ case CMD_EXEC: ++ if(strcasecmp(opt, "httpsproxy_dest")) ++ break; ++ section->option.httpsproxy=1; ++ section->httpsproxy_dest_address=stralloc(arg); ++ if(!section->option.delayed_lookup && !name2nums(arg, "127.0.0.1", ++ §ion->httpsproxy_dest_names, §ion->httpsproxy_dest_port)) { ++ log_raw("Cannot resolve '%s' - delaying DNS lookup", arg); ++ section->option.delayed_lookup=1; ++ } ++ return NULL; /* OK */ ++ case CMD_DEFAULT: ++ break; ++ case CMD_HELP: ++ log_raw("%-15s = [host:]port https proxy connect destination host:port", ++ "httpsproxy_dest"); ++ break; ++ } ++ ++ /* Daniel Savard ++ * httpsproxy_useragent ++ * Optional parameter to httpsproxy_dest. 
When specified, the specified ++ * user-agent will be sent to the proxy ++ */ ++ switch(cmd) { ++ case CMD_INIT: ++ section->httpsproxy_useragent=NULL; ++ break; ++ case CMD_EXEC: ++ if(strcasecmp(opt, "httpsproxy_useragent")) ++ break; ++ section->httpsproxy_useragent=stralloc(arg); ++ return NULL; /* OK */ ++ case CMD_DEFAULT: ++ break; ++ case CMD_HELP: ++ log_raw("%-15s = useragent for 'httpsproxy'", ++ "httpsproxy_useragent"); ++ break; ++ } ++ + /* ident */ + switch(cmd) { + case CMD_INIT: +@@ -884,7 +960,7 @@ + else + return "Illegal close timeout"; + return NULL; /* OK */ +- case CMD_DEFAULT: ++ case CMD_DEFAULT: + log_raw("%-15s = %d seconds", "TIMEOUTclose", section->timeout_close); + break; + case CMD_HELP: +diff -urN stunnel-4.05.orig/src/prototypes.h stunnel-4.05/src/prototypes.h +--- stunnel-4.05.orig/src/prototypes.h 2004-03-08 17:34:41.000000000 +0000 ++++ stunnel-4.05/src/prototypes.h 2004-03-08 18:40:48.000000000 +0000 +@@ -161,12 +161,13 @@ + + /* service-specific data for client.c */ + int fd; /* file descriptor accepting connections for this service */ +- unsigned short localport, remoteport; ++ unsigned short localport, remoteport, httpsproxy_dest_port; + char *execname, **execargs; /* program name and arguments for local mode */ +- u32 *localnames, *remotenames; ++ u32 *localnames, *remotenames, *httpsproxy_dest_names; + u32 *local_ip; + char *username; + char *remote_address; ++ char *httpsproxy_dest_address, *httpsproxy_auth, *httpsproxy_useragent; + int timeout_busy; /* Maximum waiting for data time */ + int timeout_idle; /* Maximum idle connection time */ + int timeout_close; /* Maximum close_notify time */ +@@ -179,6 +180,7 @@ + unsigned int delayed_lookup:1; + unsigned int accept:1; + unsigned int remote:1; ++ unsigned int httpsproxy:1; + #ifndef USE_WIN32 + unsigned int program:1; + unsigned int pty:1; --- stunnel4-4.20.orig/debian/control +++ stunnel4-4.20/debian/control 
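Review bot: In connect_to_finaldest the call `log(LOG_DEBUG,"proxy: useragent '%s' -> '%s'\n",c->opt->httpsproxy_useragent);` has two `%s` conversions but only one argument, so with debug logging enabled it reads a garbage pointer and can crash or print unrelated memory; drop the second conversion: `log(LOG_DEBUG,"proxy: useragent '%s'",c->opt->httpsproxy_useragent);`. The two `sprintf` calls that build `httpsproxy_auth` and `httpsproxy_useragent` copy configuration-controlled strings into fixed `STRLEN` buffers with no bound, unlike the `snprintf` used for `buff` just below; use `snprintf(httpsproxy_auth, STRLEN, ...)` for both. The debug line `proxy: authenticate with '%s' -> '%s'` writes the proxy password to the log in both clear and base64 form; log only that credentials are being sent. In b64dec, `malloc((count / 4) * 3 + (rem ? (rem - 1) : 0))` leaves no byte for the terminating `data[tw] = '\0'` when `count` is a multiple of 4, and the `unsigned char *` result is stored in a `char *`; allocate one byte more. The `sscanf` failure and `code != 200` paths return -1 without `closesocket(s)`, unlike the write/read failure paths, and the caller's `error=get_last_socket_error();` then reports a stale error for a connect that actually succeeded.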
@@ -0,0 +1,28 @@
+Source: stunnel4
+Section: net
+Priority: optional
+Build-Depends: debhelper(>=4), libssl-dev (>= 0.9.8-1), openssl (>= 0.9.8-1), libwrap0-dev, sdf
+Maintainer: Ubuntu MOTU
+XSBC-Original-Maintainer: Debian QA Group
+Standards-Version: 3.7.2
+
+Package: stunnel4
+Architecture: any
+Conflicts: stunnel
+Depends: ${shlibs:Depends}, openssl, netbase, perl-modules
+Pre-Depends: adduser
+Provides: crywrap
+Replaces: crywrap
+Description: Universal SSL tunnel for network daemons
+ The stunnel program is designed to work as SSL encryption
+ wrapper between remote client and local (inetd-startable) or
+ remote server. The concept is that having non-SSL aware daemons
+ running on your system you can easily setup them to
+ communicate with clients over secure SSL channel.
+ .
+ stunnel can be used to add SSL functionality to commonly
+ used inetd daemons like POP-2, POP-3 and IMAP servers
+ without any changes in the programs' code.
+ .
+ This package is compatible with stunnel 3.x version (via a wrapper).
+ Stunnel 4.x is more actively maintained upstream.
--- stunnel4-4.20.orig/debian/stunnel.8
+++ stunnel4-4.20/debian/stunnel.8
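Review bot: `Provides: crywrap` and `Replaces: crywrap` are added without a matching `Conflicts: crywrap`, so dpkg may leave the real crywrap package installed while stunnel4 takes over its files; Debian policy (§7.6.2) asks for all three fields when one package is meant to supersede another. Change the existing line to `Conflicts: stunnel, crywrap`. Separately, `debhelper(>=4)` lacks the space before the version relation that the other Build-Depends entries use — it parses, but it is inconsistent.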
@@ -0,0 +1,524 @@ +.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13 +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. 
ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. 
ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "STUNNEL 1" +.TH STUNNEL 8 "2003-08-01" " " " " +.SH "NAME" +stunnel \- universal SSL tunnel +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user] +[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ dir/\ |\ filename\ |\ none\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host] +[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption +wrapper between remote clients and local (\fIinetd\fR\-startable) or +remote servers. The concept is that having non-SSL aware daemons +running on your system you can easily set them up to communicate with +clients over secure \s-1SSL\s0 channels. +.PP +\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used +\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone +daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network +sockets without changes to the source code. +.PP +This product includes cryptographic software written by Eric Young +(eay@cryptsoft.com) +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-h\fR" 4 +.IX Item "-h" +Print stunnel help menu +.IP "\fB\-V\fR" 4 +.IX Item "-V" +Print stunnel version and compile time defaults +.IP "\fB\-D\fR level" 4 +.IX Item "-D level" +Debugging level +.Sp +Level is a one of the syslog level names or numbers emerg (0), alert +(1), crit (2), err (3), warning (4), notice (5), info (6), or debug +(7). 
All logs for the specified level and all levels numerically less +than it will be shown. Use \-D debug or \-D 7 for greatest debugging +output. The default is notice (5). +.Sp +The syslog facility 'daemon' will be used unless a facility name is +supplied. (Facilities are not supported on windows.) +.Sp +Case is ignored for both facilities and levels. +.IP "\fB\-O\fR a|l|r:option=value[:value]" 4 +.IX Item "-O a|l|r:option=value[:value]" +Set an option on accept/local/remote socket +.Sp +The values for linger option are l_onof:l_linger. The values for time +are tv_sec:tv_usec. +.Sp +\&\fBExamples:\fR +.Sp +\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local +socket +.Sp +\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote +sockets +.Sp +\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the +receive data stream for remote sockets +.Sp +\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default) +.Sp +\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback +interface +.Sp +See 'stunnel \-V' for options supported on your system and their +default values. +.IP "\fB\-o\fR file" 4 +.IX Item "-o file" +Append log messages to a file. +.IP "\fB\-C\fR cipherlist" 4 +.IX Item "-C cipherlist" +Select permitted \s-1SSL\s0 ciphers +.Sp +A colon delimited list of the ciphers to allow in the \s-1SSL\s0 connection. +For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0 +.IP "\fB\-c\fR" 4 +.IX Item "-c" +client mode (remote service uses \s-1SSL\s0) +.Sp +default: server mode +.IP "\fB\-T\fR" 4 +.IX Item "-T" +transparent proxy mode +.Sp +Re-write address to appear as if wrapped daemon is connecting from the +\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available +only on some operating systems (Linux only, we believe) and then only +in server mode. 
Note that this option will not combine with proxy mode +(\-r) unless the client's default route to the target machine lies +through the host running stunnel, which cannot be localhost. +.IP "\fB\-p\fR pemfile" 4 +.IX Item "-p pemfile" +private key and certificate chain \s-1PEM\s0 file name +.Sp +A \s-1PEM\s0 is always needed in server mode (see \fIstunnel \-V\fR output for +default). Specifying this flag in client mode will use this key and +certificate chain as a client side certificate chain. Using client +side certs is optional. The certificates must be in \s-1PEM\s0 format and +must be sorted starting with the certificate to the highest level +(root \s-1CA\s0). +.IP "\fB\-v\fR level" 4 +.IX Item "-v level" +verify peer certificate +.RS 4 +.IP "\(bu" 8 +level 1 \- verify peer certificate if present +.IP "\(bu" 8 +level 2 \- verify peer certificate +.IP "\(bu" 8 +level 3 \- verify peer with locally installed certificate +.IP "\(bu" 8 +default \- no verify +.RE +.RS 4 +.RE +.IP "\fB\-a\fR directory" 4 +.IX Item "-a directory" +client certificate directory +.Sp +This is the directory in which stunnel will look for certificates when +using the \fI\-v\fR options. Note that the certificates in this directory +should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the +cert. This directory will override the stunnel compile-time default, +if any. +.Sp +See \fIstunnel \-V\fR output for default. +.IP "\fB\-A\fR certfile" 4 +.IX Item "-A certfile" +Certificate Authority file +.Sp +This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR +options. This file will override the stunnel compile-time default, if +any. +.Sp +See \fIstunnel \-V\fR output for default. +.IP "\fB\-S\fR sources" 4 +.IX Item "-S sources" +Certificate source defaults +.Sp +Both stunnel and the \s-1SSL\s0 library used to compile stunnel have default +locations to look for your certificate file (\fI\-A\fR option) and +certificate directories (\fI\-a\fR option). 
The \fB\-S\fR flag allows you to +control which of these default sources, if any, should be used. +.Sp +.Vb 4 +\& 0 = ignore all default sources +\& 1 = use ssl library defaults +\& 2 = use stunnel defaults +\& 3 = use both ssl library and stunnel defaults +.Ve +.Sp +(See \fIstunnel \-V\fR output for the default.) +.Sp +Note that the \fI\-A\fR and \fB\-a\fR flags overwrite, not supplement, the +stunnel defaults, whereas the ssl library defaults, if enabled, are +used in addition to the other sources. +.Sp +In general, to avoid hurting one's brain, use \fI\-S 0\fR and explicitly +set \fI\-A\fR and/or \fB\-a\fR as desired. +.IP "\fB\-t\fR timeout" 4 +.IX Item "-t timeout" +session cache timeout +.Sp +default: 300 seconds. +.IP "\fB\-N\fR servicename" 4 +.IX Item "-N servicename" +Service name to use for tcpwrappers. If not specified then a +tcpwrapper service name will be generated automatically for you. This +will also be used when auto-generating pid filenames. +.IP "\fB\-u\fR ident_username" 4 +.IX Item "-u ident_username" +Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking +.IP "\fB\-n\fR proto" 4 +.IX Item "-n proto" +Negotiate \s-1SSL\s0 with specified protocol +.Sp +currently supported: smtp, pop3, nntp +.IP "\fB\-E\fR socket" 4 +.IX Item "-E socket" +Entropy Gathering Daemon socket to use to feed OpenSSL random number +generator. (Available only if compiled with OpenSSL 0.9.5a or higher) +.IP "\fB\-R\fR filename" 4 +.IX Item "-R filename" +File containing random input. The \s-1SSL\s0 library will use data from this +file first to seed the random number generator. +.IP "\fB\-W\fR" 4 +.IX Item "-W" +Do not overwrite the random seed files with new random data. +.IP "\fB\-B\fR bytes" 4 +.IX Item "-B bytes" +Number of bytes of data read from random seed files. With \s-1SSL\s0 +versions less than 0.9.5a, also determines how many bytes of data are +considered sufficient to seed the \s-1PRNG\s0. 
More recent OpenSSL versions +have a builtin function to determine when sufficient randomness is +available. +.IP "\fB\-I\fR host" 4 +.IX Item "-I host" +\&\s-1IP\s0 of the outgoing interface is used as source for remote connections. +Use this option to bind a static local \s-1IP\s0 address, instead. +.IP "\fB\-d\fR [host:]port" 4 +.IX Item "-d [host:]port" +daemon mode +.Sp +Listen for connections on [host:]port. If no host specified, defaults +to all \s-1IP\s0 addresses for the local host. +.Sp +default: inetd mode +.IP "\fB\-f\fR" 4 +.IX Item "-f" +foreground mode +.Sp +Stay in foreground (don't fork) and log to stderr instead of via +syslog (unless \-o is specified). +.Sp +default: background in daemon mode +.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 +.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]" +execute local inetd-type program. +.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4 +.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]" +open local pty and execute program. +.IP "\fB\-s\fR username" 4 +.IX Item "-s username" +\&\fIsetuid()\fR to username in daemon mode +.IP "\fB\-g\fR groupname" 4 +.IX Item "-g groupname" +\&\fIsetgid()\fR to groupname in daemon mode. Clears all other groups. +.IP "\fB\-P\fR { dir/ | file | none }" 4 +.IX Item "-P { dir/ | file | none }" +Pid file location +.Sp +If the argument is a pathname ending in a slash, then a pid file named +"\fIstunnel.\fRservicename\fB.pid\fR" will be created in the specified +directory. If the argument is a filename (no trailing slash), then +that filename will be used for the pid. If the argument is 'none', +then no pid file will be created. +.IP "\fB\-r\fR [host:]port" 4 +.IX Item "-r [host:]port" +connect to remote service +.Sp +If no host specified, defaults to localhost. 
+.SH "EXAMPLES" +.IX Header "EXAMPLES" +In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service, +use +.PP +.Vb 1 +\& stunnel -d 993 -l /usr/sbin/imapd -- imapd +.Ve +.PP +If you want to provide tunneling to your \fIpppd\fR daemon on port 2020, +use something like +.PP +.Vb 1 +\& stunnel -d 2020 -L /usr/sbin/pppd -- pppd local +.Ve +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR +options, it will set the following environment variables +.IP "\s-1REMOTE_HOST\s0" 4 +.IX Item "REMOTE_HOST" +The \s-1IP\s0 address of the remote end of the connection. +.IP "\s-1SSL_CLIENT_DN\s0" 4 +.IX Item "SSL_CLIENT_DN" +The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate, +if a certificate was present and verified. +.IP "\s-1SSL_CLIENT_I_DN\s0" 4 +.IX Item "SSL_CLIENT_I_DN" +The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was +present and verified. +.SH "CERTIFICATES" +.IX Header "CERTIFICATES" +.IP "\(bu" 4 +Each \s-1SSL\s0 enabled daemon needs to present a valid X.509 certificate to +the peer. It also needs a private key to decrypt the incoming data. +The easiest way to obtain a certificate and a key is to generate them +with the free \fIopenssl\fR package. You can find more information on +certificates generation on pages listed below. +.Sp +Two things are important when generating certificate-key pairs for +\&\fBstunnel\fR. The private key cannot be encrypted, because the server +has no way to obtain the password from the user. To produce an +unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR +command from the \fIopenssl\fR kit. +.Sp +The order of contents of the \fI.pem\fR file is also important. It should +contain the unencrypted private key first, then a signed certificate +(not certificate request). There should be also empty lines after +certificate and private key. 
Plaintext certificate information +appended on the top of generated certificate should be discarded. So +the file should look like this: +.Sp +.Vb 8 +\& -----BEGIN RSA PRIVATE KEY----- +\& [encoded key] +\& -----END RSA PRIVATE KEY----- +\& [empty line] +\& -----BEGIN CERTIFICATE----- +\& [encoded certificate] +\& -----END CERTIFICATE----- +\& [empty line] +.Ve +.SH "RANDOMNESS" +.IX Header "RANDOMNESS" +.IP "\(bu" 4 +\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in +order for \s-1SSL\s0 to use good randomness. The following sources are +loaded in order until sufficient random data has been gathered: +.RS 4 +.IP "\(bu" 8 +The file specified with the \fI\-R\fR flag. +.IP "\(bu" 8 +The file specified by the \s-1RANDFILE\s0 environment variable, if set. +.IP "\(bu" 8 +The file .rnd in your home directory, if \s-1RANDFILE\s0 not set. +.IP "\(bu" 8 +The file specified with '\-\-with\-random' at compile time. +.IP "\(bu" 8 +The contents of the screen if running on Windows. +.IP "\(bu" 8 +The egd socket specified with the \fI\-E\fR flag. +.IP "\(bu" 8 +The egd socket specified with '\-\-with\-egd\-sock' at compile time. +.IP "\(bu" 8 +The /dev/urandom device. +.RE +.RS 4 +.Sp +With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading +random data automatically when sufficient entropy has been gathered. +With previous versions it will continue to gather from all the above +sources since no \s-1SSL\s0 function exists to tell when enough data is +available. +.Sp +Note that on Windows machines that do not have console user +interaction (mouse movements, creating windows, etc) the screen +contents are not variable enough to be sufficient, and you should +provide a random file for use with the \fI\-R\fR flag. +.Sp +Note that the file specified with the \fI\-R\fR flag should contain random +data \*(-- that means it should contain different information each time +\&\fIstunnel\fR is run. 
This is handled automatically unless the \fI\-W\fR +flag is used. If you wish to update this file manually, the \fIopenssl +rand\fR command in recent versions of OpenSSL, would be useful. +.Sp +One important note \*(-- if /dev/urandom is available, OpenSSL has a +habit of seeding the \s-1PRNG\s0 with it even when checking the random state, +so on systems with /dev/urandom you're likely to use it even though +it's listed at the very bottom of the list above. This isn't +stunnel's behaviour, it's OpenSSLs. +.RE +.SH "LIMITATIONS" +.IX Header "LIMITATIONS" +.IP "\(bu" 4 +\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of +the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers. +There are available \s-1SSL\s0 enabled versions of \s-1FTP\s0 and telnet daemons, +however. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +.RS 4 +.IP "\fItcpd\fR\|(8)" 8 +.IX Item "tcpd" +access control facility for internet services +.IP "\fIinetd\fR\|(8)" 8 +.IX Item "inetd" +internet ``super\-server'' +.IP "\fIhttp://stunnel.mirt.net/\fR" 8 +.IX Item "http://stunnel.mirt.net/" +Stunnel homepage +.IP "\fIhttp://www.stunnel.org/\fR" 8 +.IX Item "http://www.stunnel.org/" +Stunnel Frequently Asked Questions +.IP "\fIhttp://www.openssl.org/\fR" 8 +.IX Item "http://www.openssl.org/" +OpenSSL project website +.RE +.RS 4 +.RE +.SH "AUTHOR" +.IX Header "AUTHOR" +.RS 4 +.IP "Michal Trojnara" 8 +.IX Item "Michal Trojnara" +<\fIMichal.Trojnara@mirt.net\fR> +.RE +.RS 4 +.RE --- stunnel4-4.20.orig/debian/rules +++ stunnel4-4.20/debian/rules 
@@ -0,0 +1,99 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# debian/rules file for the Debian/GNU Linux stunnel package
+# Copyright 2003 by Julien LEMOINE
+
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+PROXY_CONNECT = debian/connect-proxy_dunbar.patch
+CFLAGS = -Wall -g
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+ if grep stunnel_bin= src/stunnel3.in | grep "stunnel[']"; then \
+ echo "invalid src/stunnel3.in"; \
+ exit 1; \
+ fi
+ if grep stunnel_bin= src/stunnel3.in | grep "sbin/stunnel"; then\
+ echo "invalid src/stunnel3.in"; \
+ exit 1; \
+ fi
+# cat $(PROXY_CONNECT) | patch -p1
+# touch patched
+ CFLAGS="$(CFLAGS)" ./configure --prefix=/usr \
+ --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
+ --localstatedir=/var --enable-ssllib-cs \
+ --with-cert-dir=/etc/ssl/certs --with-pem-dir=/etc/ssl/certs \
+ --enable-ipv6 --with-threads=pthread
+ cd src; $(MAKE)
+ cd doc; $(MAKE)
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+# if test -f patched; then cat $(PROXY_CONNECT) | patch -p1 -R; fi
+ rm -rf build-stamp config.cache stunnel.rnd src/stunnel.exe \
+ doc/stunnel4.8 config.log config.status src/stunnel src/.libs \
+ src/*.o src/*.lo src/*.la src/Makefile doc/Makefile \
+ tools/Makefile tools/stunnel.conf-sample tools/stunnel.init \
+ Makefile libtool patched src/.deps src/stunnel3
+ -$(MAKE) clean
+ -$(MAKE) distclean
+ dh_clean
+
+install:
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ cd src; $(MAKE) install prefix=$(CURDIR)/debian/stunnel4/usr
+ cd doc; $(MAKE) install prefix=$(CURDIR)/debian/stunnel4/usr
+ install -p -m 0644 tools/stunnel.conf-sample \
+ $(CURDIR)/debian/stunnel4/etc/stunnel/stunnel.conf
+ rm -rf $(CURDIR)/debian/stunnel4/man
+ rm -rf $(CURDIR)/debian/stunnel4/usr/man
+ cp doc/stunnel.8 doc/stunnel4.8
+ mv $(CURDIR)/debian/stunnel4/usr/sbin/stunnel \
+ $(CURDIR)/debian/stunnel4/usr/bin/stunnel4
+ mv $(CURDIR)/debian/stunnel4/usr/sbin/stunnel3 \
+ $(CURDIR)/debian/stunnel4/usr/bin/stunnel
+ mv $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel/* \
+ $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel4
+ rm -rf $(CURDIR)/debian/stunnel4/usr/share/doc/stunnel
+ install -p -m 0644 $(CURDIR)/debian/lintian.overrides \
+ $(CURDIR)/debian/stunnel4/usr/share/lintian/overrides/stunnel4
+
+binary-indep: build install
+
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_installexamples tools/ca.html tools/ca.pl tools/importCA.html\
+ tools/importCA.sh tools/stunnel.cnf tools/stunnel.conf-sample \
+ tools/stunnel.init
+ dh_installman doc/stunnel4.8 debian/stunnel.8
+ dh_installchangelogs
+ dh_installinit -- defaults
+ dh_installppp --name=0stunnel4
+ dh_installlogrotate
+ dh_link /usr/lib/libstunnel.so /usr/lib/libstunnel.so.4
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_makeshlibs -l debian/stunnel4/usr/lib
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- stunnel4-4.20.orig/debian/postinst
+++ stunnel4-4.20/debian/postinst
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+set -e
+
+USER="stunnel4"
+CHOWN="/bin/chown"
+#USERDEL="/usr/sbin/userdel"
+ADDUSER="/usr/sbin/adduser"
+ID="/usr/bin/id"
+GROUPMOD="/usr/sbin/groupmod"
+#GROUPDEL="/usr/sbin/groupdel"
+
+###
+# 1. get current stunnel uid and gid if user exists.
+set -e
+if $ID $USER > /dev/null 2>&1; then
+ IUID=`$ID --user $USER`
+ IGID=`$ID --group $USER`
+else
+ IUID="NONE"
+ IGID="NONE"
+fi
+
+###
+# 2. Ensure that no standard account or group will remain before adding the
+# new user
+#if [ "$IUID" != "NONE" ]; then # remove existing user
+# $USERDEL $USER
+#fi
+
+#if $GROUPMOD $USER > /dev/null 2>&1; then
+# $GROUPDEL $USER;
+#fi
+
+if [ "$IUID" = "NONE" ]; then
+ $ADDUSER --system --disabled-password --disabled-login \
+ --home /var/run/stunnel4 \
+ --no-create-home --group $USER
+fi
+
+# /var/run/stunnel4 is not a directory, create it...
+if ! test -d /var/run/stunnel4; then
+ rm -rf /var/run/stunnel4;
+ mkdir /var/run/stunnel4
+fi
+$CHOWN $USER:$USER /var/run/stunnel4 || /bin/true
+
+# /var/log/stunnel4 is not a directory, create it...
+if ! test -d /var/log/stunnel4; then
+ rm -rf /var/log/stunnel4;
+ mkdir /var/log/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/log/stunnel4
+
+# /var/lib/stunnel4 is not a directory, create it...
+if ! test -d /var/lib/stunnel4; then
+ rm -rf /var/lib/stunnel4;
+ mkdir /var/lib/stunnel4
+fi
+$CHOWN -R $USER:$USER /var/lib/stunnel4
+
+if ! test -f /var/log/stunnel4/stunnel.log; then
+ touch /var/log/stunnel4/stunnel.log
+ $CHOWN -R $USER:$USER /var/log/stunnel4/stunnel.log
+fi
+
+if [ -x "/etc/init.d/stunnel4" ]; then
+ if [ -x /usr/sbin/invoke-rc.d ] ; then
+ invoke-rc.d stunnel4 stop
+ else
+ /etc/init.d/stunnel4 stop
+ fi
+fi
+if [ "$1" = "configure" ]; then
+ ldconfig
+fi
+
+#DEBHELPER#
--- stunnel4-4.20.orig/debian/postrm
+++ stunnel4-4.20/debian/postrm
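Review bot: `$CHOWN -R $USER:$USER /var/log/stunnel4` and `$CHOWN -R $USER:$USER /var/lib/stunnel4` run unconditionally on every configure, and a recursive chown over a tree the unprivileged stunnel4 user already owns hands that user ownership of anything it managed to place or link there between upgrades (rotated logs, hard links to root-owned files on kernels without hard-link protection, or the contents of what is presumably the chroot directory). Only the directory inode needs to belong to the service user, so drop `-R` from all three chown lines (the one on `stunnel.log` targets a single file anyway), or better, chown only inside the `if ! test -d` branches that actually create the directory. `$CHOWN $USER:$USER /var/run/stunnel4 || /bin/true` silently swallows a failure that `set -e` would otherwise surface, and `set -e` is set twice (at the top and again under "# 1."), which suggests the second was meant to be a comment. `mkdir` is called without `-m`, so the directories inherit the umask of whatever invoked dpkg; an explicit mode such as `mkdir -m 0755 /var/log/stunnel4` makes the result reproducible.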
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+if [ x$1 = "xpurge" ]; then
+ echo You may want to delete the generated stunnel.pem file
+ echo in /etc/ssl/certs.
+fi
+if [ "$1" = "remove" ]; then
+ ldconfig
+fi
+
+#DEBHELPER#
--- stunnel4-4.20.orig/debian/stunnel4_openssl0.9.8.patch
+++ stunnel4-4.20/debian/stunnel4_openssl0.9.8.patch
@@ -0,0 +1,29 @@
+diff -bBdNrw -U5 stunnel-4.12/src/stunnel.c stunnel-4.12.modif/src/stunnel.c
+--- stunnel-4.12/src/stunnel.c 2005-09-29 22:06:16.000000000 +0200
++++ stunnel-4.12.modif/src/stunnel.c 2005-10-26 17:50:52.000000000 +0200
+@@ -79,10 +79,12 @@
+ #endif
+ 
+ void main_initialize(char *arg1, char *arg2) {
+ struct stat st; /* buffer for stat */
+ 
++ ssl_init(); /* initialize SSL library */
++ context_init(); /* initialize global SSL context */
+ sthreads_init(); /* initialize critical sections & SSL callbacks */
+ parse_config(arg1, arg2);
+ log_open();
+ s_log(LOG_NOTICE, "%s", stunnel_info());
+ 
+@@ -100,12 +102,10 @@
+ #endif /* defined USE_WIN32 */
+ }
+ }
+ 
+ void main_execute(void) {
+- ssl_init(); /* initialize SSL library */
+- context_init(); /* initialize global SSL context */
+ /* check if started from inetd */
+ if(local_options.next) { /* there are service sections -> daemon mode */
+ daemon_loop();
+ } else { /* inetd mode */
+ #if !defined (USE_WIN32) && !defined (__vms)
--- stunnel4-4.20.orig/debian/NEWS.Debian
+++ stunnel4-4.20/debian/NEWS.Debian
@@ -0,0 +1 @@
+WARNING: Since stunnel >= 4.140-6, stunnel/stunnel4 binaries are located in /usr/bin instead of /usr/sbin in order to be FHS compliant (they can be used by normal user). You need to update your script to refer to this new location
--- stunnel4-4.20.orig/debian/lintian.overrides
+++ stunnel4-4.20/debian/lintian.overrides
@@ -0,0 +1,2 @@
+stunnel4: no-shlibs-control-file usr/lib/libstunnel.so
+stunnel4: package-name-doesnt-match-sonames libstunnel
--- stunnel4-4.20.orig/debian/changelog
+++ stunnel4-4.20/debian/changelog
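Review bot: On `purge` the postrm only prints a reminder about stunnel.pem; the directories postinst creates (`/var/log/stunnel4`, `/var/lib/stunnel4`, `/var/run/stunnel4`) and `/var/log/stunnel4/stunnel.log` are left behind, whereas Debian policy expects log files to be removed on purge unless the dh-generated logrotate snippet already takes care of them. Adding `rm -rf /var/log/stunnel4` under the purge branch would close that gap; the state/chroot directory deserves a deliberate decision rather than blind removal, since administrators may keep certificates there. `[ x$1 = "xpurge" ]` is the old unquoted idiom while the next test uses `"$1"`; pick one, e.g. `if [ "$1" = "purge" ]; then`.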
@@ -0,0 +1,551 @@ +stunnel4 (3:4.20-2ubuntu1) gutsy; urgency=low + + * Added Provides and Replaces to debian/control to replace obsolete package + crywrap. + + -- Marco Rodrigues Thu, 2 Aug 2007 16:43:00 +0100 + +stunnel4 (3:4.20-2) unstable; urgency=low + + * Orphan package + + -- Julien Lemoine Sat, 31 Mar 2007 20:07:55 +0200 + +stunnel4 (3:4.20-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Sat, 27 Jan 2007 21:43:19 +0100 + +stunnel4 (3:4.18-2) unstable; urgency=low + + * Updated chroot default path in configuration file + * Added LSB section in init script + + -- Julien Lemoine Tue, 7 Nov 2006 20:22:04 +0100 + +stunnel4 (3:4.18-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 27 Sep 2006 20:33:07 +0200 + +stunnel4 (3:4.17-2) unstable; urgency=low + + * Check if pids are valid before trying to use kill + (Closes: #388379) + + -- Julien Lemoine Wed, 20 Sep 2006 22:04:41 +0200 + +stunnel4 (3:4.17-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Mon, 11 Sep 2006 22:48:09 +0200 + +stunnel4 (3:4.16-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Fri, 1 Sep 2006 22:11:10 +0200 + +stunnel4 (2:4.150-7) unstable; urgency=low + + * Fixed a bug when pid is not given in configuration file : + init.d script was looking for /var/run/stunnel4/stunnel4.pid but + stunnel was creating /var/run/stunnel4.pid + (Closes: #384275) + * Added check during start to encourage users to fill the pid= section + of configuration file when start failed (for example if you use two + configuration files without pid= option) + + -- Julien Lemoine Thu, 24 Aug 2006 17:19:57 +0200 + +stunnel4 (2:4.150-6) unstable; urgency=low + + * Updated to debian policy 3.7.2 + * Fixed lintian warnings + + -- Julien Lemoine Tue, 22 Aug 2006 14:03:19 +0200 + +stunnel4 (2:4.150-5) unstable; urgency=low + + * Fixed typo in postinst : + /var/lib/stunnel4/stunnel.log instead of /var/log/stunnel4/stunnel.org + 
(Closes: #381127) + + -- Julien Lemoine Wed, 2 Aug 2006 21:19:49 +0200 + +stunnel4 (2:4.150-4) unstable; urgency=low + + * Create /var/lib/stunnel4 if it does not exist in postinst + (Closes: #377074) + + -- Julien Lemoine Sun, 16 Jul 2006 16:12:05 +0200 + +stunnel4 (2:4.150-3) unstable; urgency=low + + * Fixed another problem with stunnel3 compatibility script + (call to /usr/sbin/stunnel4 instead of /usr/bin/stunnel4) and added + a check in debian/rules (Closes: #340113) + + -- Julien Lemoine Mon, 1 May 2006 17:58:39 +0200 + +stunnel4 (2:4.150-2) unstable; urgency=low + + * Fixed stunnel3 compatibility script problem (infinite loop) + Thanks to "Martin Schwenke" for bug report. + * Added a check in debian/rules to ensure that stunnel3 compatibility script + does not contains infinite loop + + -- Julien Lemoine Mon, 27 Mar 2006 09:26:06 +0200 + +stunnel4 (2:4.150-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Sun, 12 Mar 2006 21:30:08 +0100 + +stunnel4 (2:4.140-6) unstable; urgency=low + + * Added check/creation of /var/run/stunnel4 directory in init.d script instead of + postinst in order to be FHS compliant when /var/run is cleared at startup + (note that /var/run/stunnel4 cleanup does not allow to have a chroot + in /var/run/stunnel4) + Thanks to Jim Helm : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343882;msg=25 + + -- Julien Lemoine Sun, 5 Mar 2006 18:18:58 +0100 + +stunnel4 (2:4.140-5) unstable; urgency=low + + * Move stunnel and stunnel-dsa from /usr/sbin to /usr/bin in order to be + compliant with FHS standard. The stunnel program is interesting for + "normal" users as well as administrator. 
+ + -- Julien Lemoine Sun, 19 Feb 2006 17:47:55 +0100 + +stunnel4 (2:4.140-4) unstable; urgency=low + + * Fixed problem with default directory (/etc/stunnel for configuration + directory and /var/run/stunnel4.pid for pid file) (Closes: #343882) + + -- Julien Lemoine Thu, 22 Dec 2005 16:32:20 +0100 + +stunnel4 (2:4.140-3) unstable; urgency=low + + * Default configuration file is now filled with values for usage + in a chroot environment + (if you do not want chroot or want to use vserver, you need to edit it) + (Closes: #342507) + + -- Julien Lemoine Sat, 17 Dec 2005 10:00:40 +0100 + +stunnel4 (2:4.140-2) unstable; urgency=low + + * Fixed stunnel3 compatibility script + (wrong binary : stunnel instead of stunnel4) + (Closes: #340113) + + -- Julien Lemoine Mon, 21 Nov 2005 07:57:02 +0100 + +stunnel4 (2:4.140-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 2 Nov 2005 22:01:52 +0100 + +stunnel4 (2:4.120-1) unstable; urgency=low + + * New upstream release + * Applied patch from Kurt Roeckx to fix initialization + problem with openssl 0.9.8 (Closes: #334180) + + -- Julien Lemoine Wed, 26 Oct 2005 17:53:55 +0200 + +stunnel4 (2:4.110-2) unstable; urgency=low + + * Rebuild with openssl 0.9.8 + + -- Julien Lemoine Mon, 10 Oct 2005 19:41:33 +0200 + +stunnel4 (2:4.110-1) unstable; urgency=low + + * New upstream release + * Updated to Standards-Version 3.6.2 + + -- Julien Lemoine Sun, 24 Jul 2005 11:21:14 +0200 + +stunnel4 (2:4.090-1) unstable; urgency=low + + * New upstream release + * include better stunnel3 compability script from upstream, options + like -cd can now be use instead of -c -d ... 
+ (closes: #305259) + * Added depends on perl-modules to allow use of stunnel3 compatibilty script + + -- Julien Lemoine Wed, 20 Apr 2005 21:07:50 +0200 + +stunnel4 (2:4.070-5) unstable; urgency=low + + * Renamed stunnel3 compatibility script (/usr/sbin/stunnel) to be compatible + with stunnel package + * Added conflict with stunnel package (compatible, does not break user + configuration) since stunnel 4.x is more actively maintained + than stunnel 3.x + + -- Julien Lemoine Tue, 29 Mar 2005 22:16:43 +0200 + +stunnel4 (2:4.070-4) unstable; urgency=low + + * Add an option (PPP_RESTART) in /etc/default/stunnel4 to enable/disable + restart scripts (closes: #298352) + + -- Julien Lemoine Mon, 7 Mar 2005 22:47:27 +0100 + +stunnel4 (2:4.070-3) unstable; urgency=low + + * Do not remove user and group if there already exist in postinst + script (Closes: #290374) + + -- Julien Lemoine Mon, 17 Jan 2005 23:33:56 +0100 + +stunnel4 (2:4.070-2) unstable; urgency=low + + * Fixed directory problem : + - confdir was /usr/etc/stunnel instead of /etc/stunnel (Closes: #289832) + - zlib compression was unable to start since /etc/stunnel/stunnel.conf + was not read (Closes: #289872) + + -- Julien Lemoine Tue, 11 Jan 2005 19:56:59 +0100 + +stunnel4 (2:4.070-1) unstable; urgency=low + + * New upstream release : Add IPV6 support + * Disable proxy-connect patch (does not apply on 4.07 sources) + + -- Julien Lemoine Thu, 6 Jan 2005 07:23:48 +0100 + +stunnel4 (2:4.050-4) unstable; urgency=low + + * Restart connection instead of stop when ppp is down. It is possible to + use stunnel for eth interfaces. 
(Closes: 271006) + + -- Julien Lemoine Sun, 26 Sep 2004 18:12:36 +0200 + +stunnel4 (2:4.050-3) unstable; urgency=low + + * Added proxy-connect patch (Closes: #267533) + * Create directory /var/log/stunnel in postinst (Closes: #267093) + * Create user and group stunnel4 (Closes: #266339) + * Uncomment some line in default configuration file : + o Use /var/log/stunnel4/stunnel.log as default log file + o Use stunnel4 user and group as default + o Use /var/run/stunnel4/stunnel.pid as default pid file + + -- Julien Lemoine Wed, 1 Sep 2004 22:19:28 +0200 + +stunnel4 (2:4.050-2) unstable; urgency=low + + * Fixed stoping problem in init.d script (Closes: #265449) + Thanks to Wilfried Goesgens + * Added stunnel4 in logrotate (Closes: #265437) + Thanks to Wilfried Goesgens + + -- Julien Lemoine Fri, 13 Aug 2004 21:42:23 +0200 + +stunnel4 (2:4.050-1) unstable; urgency=low + + * By default, store pidfile in /var/run/stunnel4/stunnel.pid with + /var/run/stunnel4 owned by nobody:nogroup + * Oops, stunnel4 was a debian native package + + -- Julien Lemoine Mon, 7 Jun 2004 21:23:37 +0200 + +stunnel4 (2:4.05-1) unstable; urgency=low + + * New upstream release + + -- Julien Lemoine Wed, 7 Apr 2004 22:08:42 +0200 + +stunnel4 (2:4.04.0-10) unstable; urgency=low + + * Shut down stunnel4 in postinst (Closes: #234498) + + -- Julien Lemoine Tue, 24 Feb 2004 21:50:03 +0100 + +stunnel4 (2:4.04.0-9) unstable; urgency=low + + * Added configuration script from "Sergio Rua" + + -- Julien Lemoine Sun, 22 Feb 2004 23:26:38 +0100 + +stunnel4 (2:4.04.0-8) unstable; urgency=low + + * Added ppp ip-up and ip-down scripts + (Closes: #227678) + + -- Julien Lemoine Sun, 22 Feb 2004 22:52:31 +0100 + +stunnel4 (2:4.04.0-7) unstable; urgency=low + + * Fix problem in init.d script (was not sh compatible) + (Closes: #214818, #214823) + + -- Julien Lemoine Fri, 10 Oct 2003 00:47:57 +0200 + +stunnel4 (2:4.04.0-6) unstable; urgency=low + + * Rewrite of /etc/init.d/stunnel4 : + o does not use kill -9, thus giving 
a chance to stunnel4 to clean up + puts common code in functions + o avoids calling ps twice + o uses fgrep + o does not print the conf file name if no processes exist for it + o corrects the `stoped' typo + Thanks to Francesco Potorti` (Closes: #214562) + + -- Julien Lemoine Tue, 7 Oct 2003 16:37:12 +0200 + +stunnel4 (2:4.04.0-5) unstable; urgency=low + + * /etc/init.d/stunnel4 can load more than one configuration file. + It loads /etc/stunnel/*.conf. You can have a configuration file for + server mode and one for client mode. (Closes: #211870) + + -- Julien Lemoine Thu, 25 Sep 2003 18:05:01 +0200 + +stunnel4 (2:4.04.0-4) unstable; urgency=low + + * Put stunnel.html in /usr/share/doc/stunnel4/ instead of + /usr/share/doc/stunnel + * Updated to Standards-Version 3.6.1 + + -- Julien Lemoine Thu, 4 Sep 2003 13:39:51 +0200 + +stunnel4 (2:4.04.0-3) unstable; urgency=low + + * Fixed wrong path search for stunnel.conf + (Closes: Bug#202931) + + -- Julien Lemoine Sat, 26 Jul 2003 11:00:46 +0200 + +stunnel4 (2:4.04.0-2) unstable; urgency=low + + * Fixed stunnel.conf problems, file must be commented by default. + (Closes: #202693) + + -- Julien Lemoine Fri, 25 Jul 2003 11:38:47 +0200 + +stunnel4 (2:4.04.0-1) unstable; urgency=low + + * Oops, stunnel4 is not a native package -> reupload it with a diff.gz + * Does not install stunnel.so since it is not used + * Updated clean rules to have a clean diff + * Updated to Standards-Version 3.6.0 + + -- Julien Lemoine Sat, 19 Jul 2003 20:12:51 +0200 + +stunnel4 (2:4.04-2) unstable; urgency=low + + * Fixed compilation errors (removed binary in clean rule) + * removed libstunnel.so since it is not used + + -- Julien Lemoine Sun, 13 Jul 2003 02:45:05 +0200 + +stunnel4 (2:4.04-1) unstable; urgency=low + + * Stunnel versions 4.x are now in stunnel4 package and stunnel versions 3.x + are in stunnel package to keep backward compatibility. 
+ + -- Julien Lemoine Fri, 4 Jul 2003 18:24:21 +0200 + +stunnel (4.04-5) unstable; urgency=low + + * The "I need to sleep more to avoid making typos" release. + * Fixed typos in default/init file (ENABLED instead of ENABLE) + (Closes: #197958) + * Commented all stunnel.conf file, client=no is the default value + (Closes: #197961) + + -- Julien Lemoine Thu, 19 Jun 2003 00:40:28 +0200 + +stunnel (4.04-4) unstable; urgency=low + + * Added /etc/default/stunnel with a variable ENABLE. + ENABLE=0 by default since stunnel segv on some computer when all lines + are commented (Closes: #197663, #197615) + + -- Julien Lemoine Mon, 16 Jun 2003 22:04:17 +0200 + +stunnel (4.04-3) unstable; urgency=low + + * comment ldap sample (Closes: #197566) + + -- Julien Lemoine Mon, 9 Jun 2003 15:03:41 +0200 + +stunnel (4.04-2) unstable; urgency=low + + * Fixed typo in init.d script (Closes: #197499) + * Added a commented example in stunnel.conf from Craig Sanders + + -- Julien Lemoine Sun, 15 Jun 2003 18:06:07 +0200 + +stunnel (4.04-1) unstable; urgency=low + + * New upstream release (Closes: #177532, Closes: 188137) + * New maintainer + * Stunnel has no more -L option (Closes: #120265) + * Stunnel has no more -l option (Closes: #175844) + * Shutdown(1) problem was fixed (Closes: #111125) + * Problem with large data resolved (tested with a 5Mo file) + (Closes: #112287) + * Licence is now GPL version 2 with agreement to link with openssl + (Closes: #147665) + * stunnel can execute command (Closes: #147537) + * added a lintian overwrite for libstunnel.so since it is compiled with + -avoid-version + * Fixed problem with path (/etc/ instead of $(prefix)/etc, ...) + * Include default configuration file in /etc + * Upgraded to debian policy 3.5.10 + * Added init.d file + + -- Julien Lemoine Sat, 24 May 2003 02:30:20 +0200 + +stunnel (3.22-1) unstable; urgency=high + + * New upstream release (closes: bug#126627). 
+ * Typo fix in postinst (closes: bug#120199, bug#121904) + + -- Paolo Molaro Sun, 30 Dec 2001 10:31:46 +0100 + +stunnel (3.21.c-1) unstable; urgency=low + + * New upstream release (Closes: bug#111139, bug#102834, bug#61427). + * Avoid generating automatically the initial stunnel.pem, openssl cannot be + reliably used in a non-interactive way (Closes: bug#60776, bug#98445). Info + on how to generate the certificate is now included in README.Debian. + * There is support for (re)setting OOB data handling in the new upstream + version (Closes: bug#107503). + * Include the sample /etc/iniy.d/stunnel file as an example in the package + (Closes: bug#114669). + + -- Paolo Molaro Sat, 17 Nov 2001 12:31:04 +0100 + +stunnel (3.14-1) unstable; urgency=low + + * New upstream release + * Actually compile it against the new libssl (Closes: #86916). + + -- Paolo Molaro Fri, 23 Feb 2001 18:57:18 +0100 + +stunnel (3.13-1) unstable; urgency=low + + * New upstream release. + * Recompile with and depend on libssl096 (Closes: #85000, #86385, #83857, #82500). + * Already fixed in previous aborted upload (Closes: #82105, #77227, #80079, #76576). + + -- Paolo Molaro Sun, 18 Feb 2001 21:30:50 +0100 + +stunnel (3.10-1) unstable; urgency=high + + * New upstream release. + + -- Paolo Molaro Wed, 20 Dec 2000 15:14:08 +0100 + +stunnel (3.10-0potato1) stable; urgency=high + + * New upstream release. + + -- Paolo Molaro Wed, 20 Dec 2000 13:07:35 +0100 + +stunnel (3.9-0potato1) stable; urgency=high + + * New upstream release: security fix (Closes: #80079, #76576). + * Use correct dir for pid (Closes: #77227). + + -- Paolo Molaro Wed, 20 Dec 2000 11:24:18 +0100 + +stunnel (3.8-1) unstable; urgency=low + + * New upstream version (Closes: #75117, #67010). + * Read 1k of random data in a temp file (Closes: #69808). 
+ * Added a note in postrm about the stunnel.pem file that + is left in /etc/ssl/certs: it is safer if the user deals with + it since it may have been create by him and not stunnel (Closes: #57648). + + -- Paolo Molaro Wed, 5 Jul 2000 16:43:07 +0000 + +stunnel (3.4a-6) unstable; urgency=low + + * Depends on openssl 0.9.4 (closes: bug#53947). + + -- Paolo Molaro Tue, 4 Jan 2000 12:37:24 +0100 + +stunnel (3.4a-5) unstable; urgency=medium + + * Include upstream download info in copyright (closes: bug#53301). + * Include example from Steve Haslam to make stunnel run from a + init script (closes: bug#53300). + + -- Paolo Molaro Thu, 23 Dec 1999 16:49:38 +0100 + +stunnel (3.4a-4) unstable; urgency=medium + + * Depends on openssl instead of Suggests (Closes: bug#49238). + + -- Paolo Molaro Sat, 13 Nov 1999 12:44:35 +0100 + +stunnel (3.4a-3) unstable; urgency=high + + * Fixes security problem with the certificate. + + -- Paolo Molaro Thu, 4 Nov 1999 17:33:52 +0100 + +stunnel (3.4a-2) unstable; urgency=low + + * Suggest openssl instead of ssleay. (Closes: bug#47712) + + -- Paolo Molaro Wed, 27 Oct 1999 18:24:27 +0200 + +stunnel (3.4a-1) unstable; urgency=low + + * New upstream release. + * Put cert in /etc/ssl/certs (closes:#41099). I think this is + neither an openssl nor stunnel bug, but a dpkg one (other + similar bugs are already filed against dpkg). + + -- Paolo Molaro Thu, 22 Jul 1999 16:50:32 +0200 + +stunnel (3.3-1) unstable; urgency=low + + * New upstream release. + + -- Paolo Molaro Fri, 18 Jun 1999 16:43:05 +0200 + +stunnel (3.2-2) unstable; urgency=low + + * Fixed stupid coding error. + + -- Paolo Molaro Sat, 29 May 1999 13:01:17 +0200 + +stunnel (3.2-1) unstable; urgency=low + + * Recompilation with new ssl lib. + * New upstream release. + + -- Paolo Molaro Mon, 24 May 1999 12:09:58 +0200 + +stunnel (2.1-2) unstable; urgency=low + + * Added libwrap support (/etc/hosts.{allow,deny}). + * Recompilation with newer libc6. + * Better stunnel-config script. 
+ + -- Paolo Molaro Fri, 11 Dec 1998 11:57:52 +0100 + +stunnel (2.1-1) unstable; urgency=low + + * Initial release. + + -- Paolo Molaro Mon, 30 Nov 1998 11:41:29 +0100 +