SF.net SVN: gar:[25045] csw/mgar/pkg/stunnel/trunk
dmichelsen at users.sourceforge.net
dmichelsen at users.sourceforge.net
Mon Jun 1 22:16:13 CEST 2015
Revision: 25045
http://sourceforge.net/p/gar/code/25045
Author: dmichelsen
Date: 2015-06-01 20:16:13 +0000 (Mon, 01 Jun 2015)
Log Message:
-----------
stunnel/trunk: Update to 5.18, complete rework
Modified Paths:
--------------
csw/mgar/pkg/stunnel/trunk/Makefile
csw/mgar/pkg/stunnel/trunk/checksums
Added Paths:
-----------
csw/mgar/pkg/stunnel/trunk/files/cswstunnel.xml
Removed Paths:
-------------
csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch
csw/mgar/pkg/stunnel/trunk/files/0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch
csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.checkinstall
csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.cswstunnel
csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.postinstall
csw/mgar/pkg/stunnel/trunk/files/changelog.CSW
Modified: csw/mgar/pkg/stunnel/trunk/Makefile
===================================================================
--- csw/mgar/pkg/stunnel/trunk/Makefile 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/Makefile 2015-06-01 20:16:13 UTC (rev 25045)
@@ -7,7 +7,8 @@
# Test on Solaris 8 / 9 for comparison
#
NAME = stunnel
-VERSION = 5.17
+VERSION = 5.18
+BETA = b4
GARTYPE = v2
DESCRIPTION = Universal SSL Wrapper
@@ -19,18 +20,14 @@
the daemon's code.
endef
-MASTER_SITES = ftp://ftp.stunnel.org/stunnel/
-DISTFILES = $(NAME)-$(VERSION).tar.gz
-DISTFILES += CSWstunnel.cswstunnel
-
-# Use patch until this is fixed:
-# https://github.com/dago/stunnel/compare/master...sysconfdir
-PATCHFILES += 0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch
-
+MASTER_SITES += https://www.stunnel.org/downloads/
# Upstream moves versions to an obsolete/ subdir over time, consider it too
MAJOR_VER = $(firstword $(subst ., ,$(VERSION)))
-MASTER_SITES += ftp://ftp.stunnel.org/stunnel/obsolete/$(MAJOR_VER).x/
+MASTER_SITES += https://www.stunnel.org/downloads/archive/$(MAJOR_VER).x/
+MASTER_SITES += https://www.stunnel.org/downloads/beta/
+DISTFILES += $(DISTNAME)$(BETA).tar.gz
+
VENDOR_URL = http://www.stunnel.org
BUILD_DEP_PKGS += CSWlibssl-dev
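Review bot: The comment above `MAJOR_VER` still explains an `obsolete/` subdir, but the site it now introduces is `downloads/archive/$(MAJOR_VER).x/`; suggest `# Upstream moves released versions to downloads/archive/<major>.x/ over time, consider it too`. The `beta/` site and the `$(BETA)` suffix on DISTFILES are undocumented, and the checksums hunk shows the fetched file is `stunnel-5.18b4.tar.gz`, so a line such as `# BETA is appended to the tarball name while a pre-release is packaged; clear it for final releases` would state the intent. Integrity of the fetched tarball rests only on the md5 recorded in `checksums`; if upstream publishes a detached signature for the beta, checking against it would be a stronger verification than the digest alone.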
@@ -42,69 +39,32 @@
RUNTIME_DEP_PKGS_CSWstunnel += CSWlibssl1-0-0
RUNTIME_DEP_PKGS_CSWstunnel += CSWlibwrap1
-# Make stunnel.conf-sample.in honor our $localstatedir. Issue description:
-# cf. http://marc.info/?l=stunnel-users&m=128035848632004&w=2
-# Not merged upstream as ./configure without arguments leads to expansions
-# that the config file doesn't understand, e.g. sysconfdir='${prefix}/etc'
-#PATCHFILES = 0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch
-
-CONFIGURE_ARGS = $(DIRPATHS)
+CONFIGURE_ARGS += $(DIRPATHS)
CONFIGURE_ARGS += --with-ssl=$(prefix)
CONFIGURE_ARGS += --enable-ipv6
-##CONFIGURE_ARGS += --enable-dh
-CONFIGURE_ARGS += --localstatedir=$(localstatedir)
-# No test target available
-TEST_SCRIPTS =
+REINPLACEMENTS += capath
+REINPLACE_MATCH_capath = /etc/ssl/certs
+REINPLACE_WITH_capath = $(sysconfdir)/ssl/certs
+REINPLACE_FILES_capath += tools/stunnel.conf-sample
-# tools/Makefile references ssldir, but configure only defines SSLDIR, thus
-# we pass ssldir manually as a workaround (according to --with-ssl above).
-# Should be reported and fixed upstream. Observed with 4.44.
-INSTALL_ARGS = ssldir=$(prefix)
+PRESERVECONF += $(sysconfdir)/stunnel/stunnel.conf
-# Expand autoconf vars in our init script and mark it for SMF registration
-EXPANDVARS = CSWstunnel.cswstunnel
-INITSMF = $(sysconfdir)/init.d/cswstunnel
+# stunnel installs several random sample scripts, cgi scripts, and
+# a .spec file with unadjusted paths. Leave them out for now and
+# only include specific files
+EXTRA_MERGE_EXCLUDE_FILES += $(docdir)/stunnel/.*
-SAMPLECONF = $(sysconfdir)/stunnel.pem
-MIGRATE_FILES = stunnel # migrate the /opt/csw/etc/stunnel sub directory
+SSLCERT += $(sysconfdir)/stunnel/stunnel
-PROTOTYPE_MODIFIERS = restrict
-PROTOTYPE_FILES_restrict = $(localstatedir)/lib/stunnel.*
-PROTOTYPE_USER_restrict = nobody
-PROTOTYPE_GROUP_restrict = nobody
+PROTOTYPE_MODIFIERS += smf
+PROTOTYPE_FILES_smf += /var/opt/csw/svc/manifest/cswcarbon-cache.xml
+PROTOTYPE_CLASS_smf = manifest
-EXTRA_PAX_ARGS = -s ',ChangeLog$$,changelog,p'
-
-# Contains a historic reference to the default install locations
-CHECKPKG_OVERRIDES += file-with-bad-content|/usr/local|root/opt/csw/share/doc/stunnel/changelog
-
include gar/category.mk
-# 1) Suppress prompts for openssl sample cert generation (-batch)
-# 2) Disable creation of /dev/zero (needs root privs, moved to postinstall)
-pre-build-modulated:
- perl -pi -e '\
- s|\$$\(openssl\) req|\$$\(openssl\) req -batch|; \
- s|^|#| if (m|/dev/zero|);' \
- $(WORKSRC)/tools/Makefile
+post-install:
+ cd $(DESTDIR)$(sysconfdir)/stunnel && mv stunnel.conf-sample stunnel.conf
+ echo "# create /etc/opt/csw/stunnel/stunnel.(key|crt)" > $(DESTDIR)$(sysconfdir)/stunnel/stunnel
+ ginstall -D -m 0644 $(WORKDIR)/cswstunnel.xml $(DESTDIR)/var/opt/csw/svc/manifest/cswstunnel.xml
@$(MAKECOOKIE)
-
-post-install-modulated: DOCDEST=$(DESTDIR)$(docdir)/$(NAME)
-post-install-modulated: DOCS=AUTHORS BUGS CREDITS ChangeLog TODO
-post-install-modulated: DOCS+= doc/stunnel.*html
-post-install-modulated:
- ginstall -d $(DESTDIR)$(sysconfdir)/init.d
- ginstall -m 755 $(WORKDIR)/CSWstunnel.cswstunnel \
- $(DESTDIR)$(sysconfdir)/init.d/cswstunnel
-
- # create pidfile directory
- ginstall -d $(DESTDIR)$(localstatedir)/run/stunnel
-
- # stunnel installs several random sample scripts, cgi scripts, and
- # a .spec file with unadjusted paths. Leave them out for now and
- # only include specific files
- rm -rf $(DOCDEST)/*
- $(foreach D,$(DOCS),cp $(WORKSRC)/$(D) $(DOCDEST);)
- cp $(FILEDIR)/changelog.CSW $(DOCDEST)
- @$(MAKECOOKIE)
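Review bot: `PROTOTYPE_FILES_smf` names `/var/opt/csw/svc/manifest/cswcarbon-cache.xml`, but the manifest this package installs in `post-install` is `cswstunnel.xml`, so the `manifest` class is attached to a path that is not in this package and the real manifest is left with the default class; this looks like a copy-paste from another package and should read `PROTOTYPE_FILES_smf += /var/opt/csw/svc/manifest/cswstunnel.xml`. The `echo` in `post-install` hard-codes `/etc/opt/csw` while every other path in the file is derived from `$(sysconfdir)`; `echo "# create $(sysconfdir)/stunnel/stunnel.(key|crt)" > $(DESTDIR)$(sysconfdir)/stunnel/stunnel` keeps it consistent with the `SSLCERT` line it serves. The previous recipe also created `$(localstatedir)/run/stunnel` for the pid file and the new one does not; whether the SMF manifest or the shipped stunnel.conf now provides that directory is not visible here, so a short comment stating where the pid directory comes from would help. The `post-install` recipe lies entirely within the hunk.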
Modified: csw/mgar/pkg/stunnel/trunk/checksums
===================================================================
--- csw/mgar/pkg/stunnel/trunk/checksums 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/checksums 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1 +1 @@
-e70f001ee190105c5a10a74f4bd54901 stunnel-5.17.tar.gz
+cc1f067e80a5be2596be582204a42931 stunnel-5.18b4.tar.gz
Deleted: csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1,2992 +0,0 @@
-From e7e2f2cd0788d84653ea7ed9e69c02078a9ecece Mon Sep 17 00:00:00 2001
-From: Dagobert Michelsen <dam at opencsw.org>
-Date: Sun, 31 May 2015 22:16:27 +0200
-Subject: [PATCH] Honour sysconfdir, bindir and localstatedir everywhere
-
----
- configure.ac | 2 +-
- doc/Makefile.am | 8 +
- doc/stunnel.pod | 1365 ------------------------------------------
- doc/stunnel.pod.in | 1365 ++++++++++++++++++++++++++++++++++++++++++
- src/Makefile.am | 7 +
- src/stunnel3.in | 2 +-
- tools/Makefile.am | 14 +
- tools/stunnel.conf-sample.in | 20 +-
- tools/stunnel.init.in | 16 +-
- tools/stunnel.service.in | 2 +-
- 10 files changed, 1415 insertions(+), 1386 deletions(-)
- delete mode 100644 doc/stunnel.pod
- create mode 100644 doc/stunnel.pod.in
-
-diff --git a/configure.ac b/configure.ac
-index 1ee8860..519ed2a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -441,7 +441,7 @@ CPPFLAGS="$valid_CPPFLAGS"
- LIBS="$valid_LIBS"
-
- AC_MSG_NOTICE([**************************************** write the results])
--AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
-+AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile])
- AC_OUTPUT
-
- AC_MSG_NOTICE([**************************************** success])
-diff --git a/doc/Makefile.am b/doc/Makefile.am
-index cb64b68..8d0060f 100644
---- a/doc/Makefile.am
-+++ b/doc/Makefile.am
-@@ -19,3 +19,11 @@ SUFFIXES = .pod .8 .html
- pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
- rm -f pod2htmd.tmp pod2htmi.tmp
-
-+edit = sed \
-+ -e 's|@bindir[@]|$(bindir)|g' \
-+ -e 's|@sysconfdir[@]|$(sysconfdir)|g'
-+
-+stunnel.pod: Makefile
-+ $(edit) '$(srcdir)/$@.in' >$@
-+
-+stunnel.pod: $(srcdir)/stunnel.pod
-diff --git a/doc/stunnel.pod b/doc/stunnel.pod
-deleted file mode 100644
-index 3fc3d4e..0000000
---- a/doc/stunnel.pod
-+++ /dev/null
-@@ -1,1365 +0,0 @@
--=head1 NAME
--
--=encoding utf8
--
--stunnel - TLS offloading and load-balancing proxy
--
--
--=head1 SYNOPSIS
--
--=over 4
--
--=item B<Unix:>
--
--B<stunnel> [S<FILE>] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options>
--
--=item B<WIN32:>
--
--B<stunnel> [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> |
-- S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S<FILE>] ] |
-- S<-help> | S<-version> | S<-sockets> | S<-options>
--
--=back
--
--
--=head1 DESCRIPTION
--
--The B<stunnel> program is designed to work as I<SSL> encryption wrapper
--between remote clients and local (I<inetd>-startable) or remote
--servers. The concept is that having non-SSL aware daemons running on
--your system you can easily set them up to communicate with clients over
--secure SSL channels.
--
--B<stunnel> can be used to add SSL functionality to commonly used I<Inetd>
--daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
--NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
--changes to the source code.
--
--This product includes cryptographic software written by
--Eric Young (eay at cryptsoft.com)
--
--
--=head1 OPTIONS
--
--=over 4
--
--=item B<FILE>
--
--Use specified configuration file
--
--=item B<-fd N> (Unix only)
--
--Read the config file from specified file descriptor
--
--=item B<-help>
--
--Print B<stunnel> help menu
--
--=item B<-version>
--
--Print B<stunnel> version and compile time defaults
--
--=item B<-sockets>
--
--Print default socket options
--
--=item B<-options>
--
--Print supported SSL options
--
--=item B<-install> (Windows NT and later only)
--
--Install NT Service
--
--=item B<-uninstall> (Windows NT and later only)
--
--Uninstall NT Service
--
--=item B<-start> (Windows NT and later only)
--
--Start NT Service
--
--=item B<-stop> (Windows NT and later only)
--
--Stop NT Service
--
--=item B<-reload> (Windows NT and later only)
--
--Reload configuration file of the running NT Service
--
--=item B<-reopen> (Windows NT and later only)
--
--Reopen log file of the running NT Service
--
--=item B<-exit> (Win32 only)
--
--Exit an already started stunnel
--
--=item B<-quiet> (Win32 only)
--
--Don't display any message boxes
--
--=back
--
--
--=head1 CONFIGURATION FILE
--
--Each line of the configuration file can be either:
--
--=over 4
--
--=item *
--
--An empty line (ignored).
--
--=item *
--
--A comment starting with ';' (ignored).
--
--=item *
--
--An 'option_name = option_value' pair.
--
--=item *
--
--'[service_name]' indicating a start of a service definition.
--
--=back
--
--An address parameter of an option may be either:
--
--=over 4
--
--=item *
--
--A port number.
--
--=item *
--
--A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.
--
--=item *
--
--A Unix socket path (Unix only).
--
--=back
--
--=head2 GLOBAL OPTIONS
--
--=over 4
--
--=item B<chroot> = DIRECTORY (Unix only)
--
--directory to chroot B<stunnel> process
--
--B<chroot> keeps B<stunnel> in chrooted jail. I<CApath>, I<CRLpath>, I<pid>
--and I<exec> are located inside the jail and the patches have to be relative
--to the directory specified with B<chroot>.
--
--Several functions of the operating system also need their files to be located within chroot jail, e.g.:
--
--=over 4
--
--=item *
--
--Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
--
--=item *
--
--Local time in log files needs /etc/timezone.
--
--=item *
--
--Some other functions may need devices, e.g. /dev/zero or /dev/null.
--
--=back
--
--=item B<compression> = deflate | zlib
--
--select data compression algorithm
--
--default: no compression
--
--deflate is the standard compression method as described in RFC 1951.
--
--zlib compression of B<OpenSSL 0.9.8> or above is not backward compatible with
--B<OpenSSL 0.9.7>.
--
--=item B<debug> = [FACILITY.]LEVEL
--
--debugging level
--
--Level is a one of the syslog level names or numbers
--emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
--info (6), or debug (7). All logs for the specified level and
--all levels numerically less than it will be shown. Use I<debug = debug> or
--I<debug = 7> for greatest debugging output. The default is notice (5).
--
--The syslog facility 'daemon' will be used unless a facility name is supplied.
--(Facilities are not supported on Win32.)
--
--Case is ignored for both facilities and levels.
--
--=item B<EGD> = EGD_PATH (Unix only)
--
--path to Entropy Gathering Daemon socket
--
--Entropy Gathering Daemon socket to use to feed B<OpenSSL> random number
--generator. (Available only if compiled with B<OpenSSL 0.9.5a> or higher)
--
--=item B<engine> = auto | ENGINE_ID
--
--select hardware engine
--
--default: software-only cryptography
--
--Here is an example of advanced engine configuration to read private key from an
--OpenSC engine
--
-- engine=dynamic
-- engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
-- engineCtrl=ID:pkcs11
-- engineCtrl=LIST_ADD:1
-- engineCtrl=LOAD
-- engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
-- engineCtrl=INIT
--
-- [service]
-- engineNum=1
-- key=id_45
--
--=item B<engineCtrl> = COMMAND[:PARAMETER]
--
--control hardware engine
--
--Special commands "LOAD" and "INIT" can be used to load and initialize the
--engine cryptogaphic module.
--
--=item B<engineDefault> = TASK_LIST
--
--set OpenSSL tasks delegated to the current engine
--
--The parameter specifies a comma-separated list of task to be delegated to the
--current engine.
--
--The following tasks may be available, if supported by the engine: ALL, RSA,
--DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
--
--=item B<fips> = yes | no
--
--Enable or disable FIPS 140-2 mode.
--
--This option allows to disable entering FIPS mode if B<stunnel> was compiled
--with FIPS 140-2 support.
--
--default: no (since version 5.00)
--
--=item B<foreground> = yes | no (Unix only)
--
--foreground mode
--
--Stay in foreground (don't fork) and log to stderr
--instead of via syslog (unless I<output> is specified).
--
--default: background in daemon mode
--
--=item B<iconActive> = ICON_FILE (GUI only)
--
--GUI icon to be displayed when there are established connections
--
--On Windows platform the parameter should be an .ico file containing a 16x16
--pixel image.
--
--=item B<iconError> = ICON_FILE (GUI only)
--
--GUI icon to be displayed when no valid configuration is loaded
--
--On Windows platform the parameter should be an .ico file containing a 16x16
--pixel image.
--
--=item B<iconIdle> = ICON_FILE (GUI only)
--
--GUI icon to be displayed when there are no established connections
--
--On Windows platform the parameter should be an .ico file containing a 16x16
--pixel image.
--
--=item B<log> = append | overwrite
--
--log file handling
--
--This option allows to choose whether the log file (specified with the I<output>
--option) is appended or overwritten when opened or re-opened.
--
--default: append
--
--=item B<output> = FILE
--
--append log messages to a file
--
--/dev/stdout device can be used to send log messages to the standard
--output (for example to log them with daemontools splogger).
--
--=item B<pid> = FILE (Unix only)
--
--pid file location
--
--If the argument is empty, then no pid file will be created.
--
--I<pid> path is relative to I<chroot> directory if specified.
--
--=item B<RNDbytes> = BYTES
--
--bytes to read from random seed files
--
--Number of bytes of data read from random seed files. With SSL versions less
--than B<0.9.5a>, also determines how many bytes of data are considered
--sufficient to seed the PRNG. More recent B<OpenSSL> versions have a builtin
--function to determine when sufficient randomness is available.
--
--=item B<RNDfile> = FILE
--
--path to file with random seed data
--
--The SSL library will use data from this file first to seed the random
--number generator.
--
--=item B<RNDoverwrite> = yes | no
--
--overwrite the random seed files with new random data
--
--default: yes
--
--=item B<service> = SERVICE (Unix only)
--
--stunnel service name
--
--The specified service name is used for syslog and as the I<inetd> mode service
--name for TCP Wrappers. While this option can technically be specified in the
--service sections, it is only useful in global options.
--
--default: stunnel
--
--=item B<setgid> = GROUP (Unix only)
--
--setgid() to the specified group in daemon mode and clear all other groups
--
--=item B<setuid> = USER (Unix only)
--
--setuid() to the specified user in daemon mode
--
--=item B<socket> = a|l|r:OPTION=VALUE[:VALUE]
--
--Set an option on accept/local/remote socket
--
--The values for linger option are l_onof:l_linger.
--The values for time are tv_sec:tv_usec.
--
--Examples:
--
-- socket = l:SO_LINGER=1:60
-- set one minute timeout for closing local socket
-- socket = r:SO_OOBINLINE=yes
-- place out-of-band data directly into the
-- receive data stream for remote sockets
-- socket = a:SO_REUSEADDR=no
-- disable address reuse (enabled by default)
-- socket = a:SO_BINDTODEVICE=lo
-- only accept connections on loopback interface
--
--=item B<syslog> = yes | no (Unix only)
--
--enable logging via syslog
--
--default: yes
--
--=item B<taskbar> = yes | no (WIN32 only)
--
--enable the taskbar icon
--
--default: yes
--
--=back
--
--
--=head2 SERVICE-LEVEL OPTIONS
--
--Each configuration section begins with service name in square brackets.
--The service name is used for libwrap (TCP Wrappers) access control and lets
--you distinguish B<stunnel> services in your log files.
--
--Note that if you wish to run B<stunnel> in I<inetd> mode (where it
--is provided a network socket by a server such as I<inetd>, I<xinetd>,
--or I<tcpserver>) then you should read the section entitled I<INETD MODE>
--below.
--
--
--=over 4
--
--=item B<accept> = [HOST:]PORT
--
--accept connections on specified address
--
--If no host specified, defaults to all IPv4 addresses for the local host.
--
--To listen on all IPv6 addresses use:
--
-- accept = :::PORT
--
--=item B<CApath> = DIRECTORY
--
--Certificate Authority directory
--
--This is the directory in which B<stunnel> will look for certificates when using
--the I<verify>. Note that the certificates in this directory should be named
--XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the
--cert.
--
--The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
--c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
--
--I<CApath> path is relative to I<chroot> directory if specified.
--
--=item B<CAfile> = CERT_FILE
--
--Certificate Authority file
--
--This file contains multiple CA certificates, used with the I<verify>.
--
--=item B<cert> = PEM_FILE
--
--certificate chain PEM file name
--
--The certificates must be in PEM format, and must be from the
--actual server/client certificate to the self-signed root CA certificate.
--
--A certificate is required in server mode, and optional in client mode.
--
--=item B<checkEmail> = EMAIL
--
--email address of the peer certificate subject
--
--Multiple I<checkEmail> options are allowed in a single service section.
--Certificates are accepted if no I<checkEmail> option was specified, or the
--email address of the peer certificate matches any of the email addresses
--specified with I<checkEmail>.
--
--=item B<checkHost> = HOST
--
--host of the peer certificate subject
--
--Multiple I<checkHost> options are allowed in a single service section.
--Certificates are accepted if no I<checkHost> option was specified, or the host
--name of the peer certificate matches any of the hosts specified with
--I<checkHost>.
--
--=item B<checkIP> = IP
--
--IP address of the peer certificate subject
--
--Multiple I<checkIP> options are allowed in a single service section.
--Certificates are accepted if no I<checkIP> option was specified, or the IP
--address of the peer certificate matches any of the IP addresses specified with
--I<checkIP>.
--
--=item B<ciphers> = CIPHER_LIST
--
--Select permitted SSL ciphers
--
--A colon delimited list of the ciphers to allow in the SSL connection,
--for example DES-CBC3-SHA:IDEA-CBC-MD5.
--
--=item B<client> = yes | no
--
--client mode (remote service uses SSL)
--
--default: no (server mode)
--
--=item B<connect> = [HOST:]PORT
--
--connect to a remote address
--
--If no host is specified, the host defaults to localhost.
--
--Multiple I<connect> options are allowed in a single service section.
--
--If host resolves to multiple addresses and/or if multiple I<connect>
--options are specified, then the remote address is chosen using a
--round-robin algorithm.
--
--=item B<CRLpath> = DIRECTORY
--
--Certificate Revocation Lists directory
--
--This is the directory in which B<stunnel> will look for CRLs when
--using the I<verify>. Note that the CRLs in this directory should
--be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.
--
--The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
--c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
--
--I<CRLpath> path is relative to I<chroot> directory if specified.
--
--=item B<CRLfile> = CERT_FILE
--
--Certificate Revocation Lists file
--
--This file contains multiple CRLs, used with the I<verify>.
--
--=item B<curve> = NID
--
--specify ECDH curve name
--
--To get a list of supported cuves use:
--
-- openssl ecparam -list_curves
--
--default: prime256v1
--
--=item B<logId> = TYPE
--
--connection identifier type
--
--This identifier allows to distinguish log entries generated for each of the
--connections.
--
--Currently supported types:
--
--=over 4
--
--=item I<sequential>
--
--The numeric sequential identifier is only unique within a single instance of
--B<stunnel>, but very compact. It is most useful for manual log analysis.
--
--=item I<unique>
--
--This alphanumeric identifier is globally unique, but longer than the sequential
--number. It is most useful for automated log analysis.
--
--=item I<thread>
--
--The operating system thread identifier is neither unique (even within a single
--instance of B<stunnel>) nor short. It is most useful for debugging software
--or configuration issues.
--
--=back
--
--default: sequential
--
--=item B<debug> = LEVEL
--
--debugging level
--
--Level is a one of the syslog level names or numbers
--emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
--info (6), or debug (7). All logs for the specified level and
--all levels numerically less than it will be shown. Use I<debug = debug> or
--I<debug = 7> for greatest debugging output. The default is notice (5).
--
--=item B<delay> = yes | no
--
--delay DNS lookup for I<connect> option
--
--This option is useful for dynamic DNS, or when DNS is not available during
--B<stunnel> startup (road warrior VPN, dial-up configurations).
--
--Delayed resolver mode is automatically engaged when stunnel fails to resolve on
--startup any of the I<connect> targets for a service.
--
--Delayed resolver inflicts I<failover = prio>.
--
--default: no
--
--=item B<engineId> = ENGINE_ID
--
--select engine ID for the service
--
--=item B<engineNum> = ENGINE_NUMBER
--
--select engine number for the service
--
--The engines are numbered starting from 1.
--
--=item B<exec> = EXECUTABLE_PATH
--
--execute local inetd-type program
--
--I<exec> path is relative to I<chroot> directory if specified.
--
--The following environmental variables are set on Unix platform:
--REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
--
--=item B<execArgs> = $0 $1 $2 ...
--
--arguments for I<exec> including program name ($0)
--
--Quoting is currently not supported.
--Arguments are separated with arbitrary number of whitespaces.
--
--=item B<failover> = rr | prio
--
--Failover strategy for multiple "connect" targets.
--
-- rr (round robin) - fair load distribution
-- prio (priority) - use the order specified in config file
--
--default: rr
--
--=item B<ident> = USERNAME
--
--use IDENT (RFC 1413) username checking
--
--=item B<key> = KEY_FILE
--
--private key for certificate specified with I<cert> option
--
--Private key is needed to authenticate certificate owner.
--Since this file should be kept secret it should only be readable
--to its owner. On Unix systems you can use the following command:
--
-- chmod 600 keyfile
--
--default: value of I<cert> option
--
--=item B<libwrap> = yes | no
--
--Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
--
--default: no (since version 5.00)
--
--=item B<local> = HOST
--
--IP of the outgoing interface is used as source for remote connections.
--Use this option to bind a static local IP address, instead.
--
--=item B<sni> = SERVICE:SERVER_PATTERN (server mode)
--
--Use the service as a slave service (a name-based virtual server) for Server
--Name Indication TLS extension (RFC 3546).
--
--I<service_name> specifies the master service that accepts client connections
--with I<accept> option. I<server_name_pattern> specifies the host name to be
--redirected. The pattern may start with '*' character, e.g. '*.example.com'.
--Multiple slave services are normally specified for a single master service.
--I<sni> option can also be specified more than once within a single slave
--service.
--
--This service, as well as the master service, may not be configured in client
--mode.
--
--I<connect> option of the slave service is ignored when I<protocol> option is
--specified, as I<protocol> connects remote host before TLS handshake.
--
--Libwrap checks (Unix only) are performed twice: with master service name after
--TCP connection is accepted, and with slave service name during TLS handshake.
--
--Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
--
--=item B<sni> = SERVER (client mode)
--
--Use the parameter as the value of TLS Server Name Indication (RFC 3546)
--extension.
--
--Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
--
--=item B<OCSP> = URL
--
--select OCSP server for certificate verification
--
--=item B<OCSPaia> = yes | no
--
--validate certificates with their AIA OCSP responders
--
--This option enables I<stunnel> to validate certificates with the list of
--OCSP responder URLs retrieved from their AIA (Authority Information Access)
--extension.
--
--=item B<OCSPflag> = OCSP_FLAG
--
--specify OCSP server flag
--
--Several I<OCSPflag> can be used to specify multiple flags.
--
--currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
--NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
--
--=item B<options> = SSL_OPTIONS
--
--B<OpenSSL> library options
--
--The parameter is the B<OpenSSL> option name as described in the
--I<SSL_CTX_set_options(3ssl)> manual, but without I<SSL_OP_> prefix.
--I<stunnel -options> lists the options found to be allowed in the
--current combination of I<stunnel> and the I<OpenSSL> library used
--to build it.
--
--Several I<options> can be used to specify multiple options.
--An option name can be prepended with a dash ("-") to disable the option.
--
--For example, for compatibility with the erroneous Eudora SSL
--implementation, the following option can be used:
--
-- options = DONT_INSERT_EMPTY_FRAGMENTS
--
--default:
--
-- options = NO_SSLv2
-- options = NO_SSLv3
--
--=item B<protocol> = PROTO
--
--application protocol to negotiate SSL
--
--This option enables initial, protocol-specific negotiation of the SSL/TLS
--encryption.
--I<protocol> option should not be used with SSL encryption on a separate port.
--
--Currently supported protocols:
--
--=over 4
--
--=item I<cifs>
--
--Proprietary (undocummented) extension of CIFS protocol implemented in Samba.
--Support for this extension was dropped in Samba 3.0.0.
--
--=item I<connect>
--
--Based on RFC 2817 - I<Upgrading to TLS Within HTTP/1.1>, section 5.2 - I<Requesting a Tunnel with CONNECT>
--
--This protocol is only supported in client mode.
--
--=item I<imap>
--
--Based on RFC 2595 - I<Using TLS with IMAP, POP3 and ACAP>
--
--=item I<nntp>
--
--Based on RFC 4642 - I<Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)>
--
--This protocol is only supported in client mode.
--
--=item I<pgsql>
--
--Based on
--F<http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982>
--
--=item I<pop3>
--
--Based on RFC 2449 - I<POP3 Extension Mechanism>
--
--=item I<proxy>
--
--Haproxy client IP address
--F<http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt>
--
--=item I<smtp>
--
--Based on RFC 2487 - I<SMTP Service Extension for Secure SMTP over TLS>
--
--=item I<socks>
--
--SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself
--is encapsulated within SSL/TLS encryption layer to protect the final
--destination address.
--
--F<http://www.openssh.com/txt/socks4.protocol>
--
--F<http://www.openssh.com/txt/socks4a.protocol>
--
--The BIND command of the SOCKS protocol is not supported.
--The USERID parameter is ignored.
--
--See Examples section for sample configuration files for VPN based on SOCKS
--encryption.
--
--=back
--
--=item B<protocolAuthentication> = basic | ntlm
--
--authentication type for protocol negotiations
--
--Currently authentication type only applies to the 'connect' protocol.
--
--default: basic
--
--=item B<protocolHost> = HOST:PORT
--
--destination address for protocol negotiations
--
--I<protocolHost> specifies the final SSL server to be connected by the proxy,
--and not the proxy server directly connected by B<stunnel>.
--The proxy server should be specified with the 'connect' option.
--
--Currently protocol destination address only applies to 'connect' protocol.
--
--=item B<protocolPassword> = PASSWORD
--
--password for protocol negotiations
--
--=item B<protocolUsername> = USERNAME
--
--username for protocol negotiations
--
--=item B<PSKidentity> = IDENTITY
--
--PSK identity for the PSK client
--
--I<PSKidentity> can be used on B<stunnel> clients to select the PSK identity
--used for authentication. This option is ignored in server sections.
--
--default: the first identity specified in the I<PSKsecrets> file.
--
--=item B<PSKsecrets> = FILE
--
--file with PSK identities and corresponding keys
--
--Each line of the file in the following format:
--
-- IDENTITY:KEY
--
--The key is required to be at least 20 characters long.
--The file should not be world-readable nor world-writable.
--
--=item B<pty> = yes | no (Unix only)
--
--allocate pseudoterminal for 'exec' option
--
--=item B<redirect> = [HOST:]PORT
--
--redirect SSL client connections on certificate-based authentication failures
--
--This option only works in server mode.
--Some protocol negotiations are also incompatible with the I<redirect> option.
--
--=item B<renegotiation> = yes | no
--
--support SSL renegotiation
--
--Applications of the SSL renegotiation include some authentication scenarios,
--or re-keying long lasting connections.
--
--On the other hand this feature can facilitate a trivial CPU-exhaustion
--DoS attack:
--
--F<http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html>
--
--Please note that disabling SSL renegotiation does not fully mitigate
--this issue.
--
--default: yes (if supported by B<OpenSSL>)
--
--=item B<reset> = yes | no
--
--attempt to use TCP RST flag to indicate an error
--
--This option is not supported on some platforms.
--
--default: yes
--
--=item B<retry> = yes | no
--
--reconnect a connect+exec section after it's disconnected
--
--default: no
--
--=item B<sessionCacheSize> = NUM_ENTRIES
--
--session cache size
--
--I<sessionCacheSize> specifies the maximum number of the internal session cache
--entries.
--
--The value of 0 can be used for unlimited size. It is not recommended
--for production use due to the risk of memory exhaustion DoS attack.
--
--=item B<sessionCacheTimeout> = TIMEOUT
--
--session cache timeout
--
--This is the number of seconds to keep cached SSL sessions.
--
--=item B<sessiond> = HOST:PORT
--
--address of sessiond SSL cache server
--
--=item B<sslVersion> = SSL_VERSION
--
--select the SSL protocol version
--
--Allowed values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
--
--=item B<stack> = BYTES (except for FORK model)
--
--thread stack size
--
--=item B<TIMEOUTbusy> = SECONDS
--
--time to wait for expected data
--
--=item B<TIMEOUTclose> = SECONDS
--
--time to wait for close_notify (set to 0 for buggy MSIE)
--
--=item B<TIMEOUTconnect> = SECONDS
--
--time to wait to connect a remote host
--
--=item B<TIMEOUTidle> = SECONDS
--
--time to keep an idle connection
--
--=item B<transparent> = none | source | destination | both (Unix only)
--
--enable transparent proxy support on selected platforms
--
--Supported values:
--
--=over 4
--
--=item I<none>
--
--Disable transparent proxy support. This is the default.
--
--=item I<source>
--
--Re-write address to appear as if wrapped daemon is connecting
--from the SSL client machine instead of the machine running B<stunnel>.
--
--This option is currently available in:
--
--=over 4
--
--=item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28>
--
--This configuration requires B<stunnel> to be executed as root and without
--I<setuid> option.
--
--This configuration requires the following setup for iptables and routing
--(possibly in /etc/rc.local or equivalent file):
--
-- iptables -t mangle -N DIVERT
-- iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
-- iptables -t mangle -A DIVERT -j MARK --set-mark 1
-- iptables -t mangle -A DIVERT -j ACCEPT
-- ip rule add fwmark 1 lookup 100
-- ip route add local 0.0.0.0/0 dev lo table 100
-- echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
--
--B<stunnel> must also to be executed as root and without I<setuid> option.
--
--=item Remote mode (I<connect> option) on I<Linux 2.2.x>
--
--This configuration requires kernel to be compiled with I<transparent proxy>
--option.
--Connected service must be installed on a separate host.
--Routing towards the clients has to go through the B<stunnel> box.
--
--B<stunnel> must also to be executed as root and without I<setuid> option.
--
--=item Remote mode (I<connect> option) on I<FreeBSD E<gt>=8.0>
--
--This configuration requires additional firewall and routing setup.
--B<stunnel> must also to be executed as root and without I<setuid> option.
--
--=item Local mode (I<exec> option)
--
--This configuration works by pre-loading I<libstunnel.so> shared library.
--_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
--other platforms.
--
--=back
--
--=item I<destination>
--
--Original destination is used instead of I<connect> option.
--
--A service section for transparent destination may look like this:
--
-- [transparent]
-- client=yes
-- accept=<stunnel_port>
-- transparent=destination
--
--This configuration requires iptables setup to work,
--possibly in /etc/rc.local or equivalent file.
--
--For a connect target installed on the same host:
--
-- /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
-- -m ! --uid-owner <stunnel_user_id> \
-- -j DNAT --to-destination <local_ip>:<stunnel_port>
--
--For a connect target installed on a remote host:
--
-- /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
-- /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
-- -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
--
--Transparent destination option is currently only supported on Linux.
--
--=item I<both>
--
--Use both I<source> and I<destination> transparent proxy.
--
--=back
--
--Two legacy options are also supported for backward compatibility:
--
--=over 4
--
--=item I<yes>
--
--This options has been renamed to I<source>.
--
--=item I<no>
--
--This options has been renamed to I<none>.
--
--=back
--
--
--=item B<verify> = LEVEL
--
--verify peer certificate
--
--=over 4
--
--=item level 0
--
--Request and ignore peer certificate.
--
--=item level 1
--
--Verify peer certificate if present.
--
--=item level 2
--
--Verify peer certificate.
--
--=item level 3
--
--Verify peer with locally installed certificate.
--
--=item level 4
--
--Ignore CA chain and only verify peer certificate.
--
--=item default
--
--No verify.
--
--=back
--
--It is important to understand, that this option was solely designed for access
--control and not for authorization. Specifically for level 2 every non-revoked
--certificate is accepted regardless of its Common Name. For this reason a
--dedicated CA should be used with level 2, and not a generic CA commonly used
--for webservers. Level 3 is preferred for point-to-point connections.
--
--=back
--
--
--=head1 RETURN VALUE
--
--B<stunnel> returns zero on success, non-zero on error.
--
--
--=head1 SIGNALS
--
--The following signals can be used to control B<stunnel> in Unix environment:
--
--=over 4
--
--=item SIGHUP
--
--Force a reload of the configuration file.
--
--Some global options will not be reloaded:
--
--=over 4
--
--=item *
--
--chroot
--
--=item *
--
--foreground
--
--=item *
--
--pid
--
--=item *
--
--setgid
--
--=item *
--
--setuid
--
--=back
--
--The use of 'setuid' option will also prevent B<stunnel> from binding privileged
--(<1024) ports during configuration reloading.
--
--When 'chroot' option is used, B<stunnel> will look for all its files (including
--configuration file, certificates, log file and pid file) within the chroot
--jail.
--
--=item SIGUSR1
--
--Close and reopen B<stunnel> log file.
--This function can be used for log rotation.
--
--=item SIGTERM, SIGQUIT, SIGINT
--
--Shut B<stunnel> down.
--
--=back
--
--The result of sending any other signals to the server is undefined.
--
--
--=head1 EXAMPLES
--
--In order to provide SSL encapsulation to your local I<imapd> service, use:
--
-- [imapd]
-- accept = 993
-- exec = /usr/sbin/imapd
-- execArgs = imapd
--
--or in remote mode:
--
-- [imapd]
-- accept = 993
-- connect = 143
--
--In order to let your local e-mail client connect to an SSL-enabled I<imapd>
--service on another server, configure the e-mail client to connect to localhost
--on port 119 and use:
--
-- [imap]
-- client = yes
-- accept = 143
-- connect = servername:993
--
--If you want to provide tunneling to your I<pppd> daemon on port 2020,
--use something like:
--
-- [vpn]
-- accept = 2020
-- exec = /usr/sbin/pppd
-- execArgs = pppd local
-- pty = yes
--
--If you want to use B<stunnel> in I<inetd> mode to launch your imapd
--process, you'd use this I<stunnel.conf>.
--Note there must be no I<[service_name]> section.
--
-- exec = /usr/sbin/imapd
-- execArgs = imapd
--
--To setup SOCKS VPN configure the following client service:
--
-- [socks_client]
-- client = yes
-- accept = 127.0.0.1:1080
-- connect = vpn_server:9080
-- verify = 4
-- CAfile = stunnel.pem
--
--The corresponding configuration on the vpn_server host:
--
-- [socks_server]
-- protocol = socks
-- accept = 9080
-- cert = stunnel.pem
-- key = stunnel.key
--
--Now test your configuration on the client machine with:
--
-- curl --socks4a localhost http://www.example.com/
--
--=head1 NOTES
--
--=head2 RESTRICTIONS
--
--B<stunnel> cannot be used for the FTP daemon because of the nature
--of the FTP protocol which utilizes multiple ports for data transfers.
--There are available SSL-enabled versions of FTP and telnet daemons, however.
--
--
--=head2 INETD MODE
--
--The most common use of B<stunnel> is to listen on a network
--port and establish communication with either a new port
--via the connect option, or a new program via the I<exec> option.
--However there is a special case when you wish to have
--some other program accept incoming connections and
--launch B<stunnel>, for example with I<inetd>, I<xinetd>,
--or I<tcpserver>.
--
--For example, if you have the following line in I<inetd.conf>:
--
-- imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
--
--In these cases, the I<inetd>-style program is responsible
--for binding a network socket (I<imaps> above) and handing
--it to B<stunnel> when a connection is received.
--Thus you do not want B<stunnel> to have any I<accept> option.
--All the I<Service Level Options> should be placed in the
--global options section, and no I<[service_name]> section
--will be present. See the I<EXAMPLES> section for example
--configurations.
--
--=head2 CERTIFICATES
--
--Each SSL-enabled daemon needs to present a valid X.509 certificate
--to the peer. It also needs a private key to decrypt the incoming
--data. The easiest way to obtain a certificate and a key is to
--generate them with the free B<OpenSSL> package. You can find more
--information on certificates generation on pages listed below.
--
--The order of contents of the I<.pem> file is important. It should contain the
--unencrypted private key first, then a signed certificate (not certificate
--request). There should be also empty lines after certificate and private key.
--Plaintext certificate information appended on the top of generated certificate
--should be discarded. So the file should look like this:
--
-- -----BEGIN RSA PRIVATE KEY-----
-- [encoded key]
-- -----END RSA PRIVATE KEY-----
-- [empty line]
-- -----BEGIN CERTIFICATE-----
-- [encoded certificate]
-- -----END CERTIFICATE-----
-- [empty line]
--
--=head2 RANDOMNESS
--
--B<stunnel> needs to seed the PRNG (pseudo random number generator) in
--order for SSL to use good randomness. The following sources are loaded
--in order until sufficient random data has been gathered:
--
--=over 4
--
--=item *
--
--The file specified with the I<RNDfile> flag.
--
--=item *
--
--The file specified by the RANDFILE environment variable, if set.
--
--=item *
--
--The file .rnd in your home directory, if RANDFILE not set.
--
--=item *
--
--The file specified with '--with-random' at compile time.
--
--=item *
--
--The contents of the screen if running on Windows.
--
--=item *
--
--The egd socket specified with the I<EGD> flag.
--
--=item *
--
--The egd socket specified with '--with-egd-sock' at compile time.
--
--=item *
--
--The /dev/urandom device.
--
--=back
--
--With recent (B<OpenSSL 0.9.5a> or later) version of SSL it will stop loading
--random data automatically when sufficient entropy has been gathered. With
--previous versions it will continue to gather from all the above sources since
--no SSL function exists to tell when enough data is available.
--
--Note that on Windows machines that do not have console user interaction
--(mouse movements, creating windows, etc.) the screen contents are not
--variable enough to be sufficient, and you should provide a random file
--for use with the I<RNDfile> flag.
--
--Note that the file specified with the I<RNDfile> flag should contain
--random data -- that means it should contain different information
--each time B<stunnel> is run. This is handled automatically
--unless the I<RNDoverwrite> flag is used. If you wish to update this file
--manually, the I<openssl rand> command in recent versions of B<OpenSSL>,
--would be useful.
--
--Important note: If /dev/urandom is available, B<OpenSSL> often seeds the PRNG
--with it while checking the random state. On systems with /dev/urandom
--B<OpenSSL> is likely to use it even though it is listed at the very bottom of
--the list above. This is the behaviour of B<OpenSSL> and not B<stunnel>.
--
--=head2 DH PARAMETERS
--
--Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
--
--It is also possible to specify DH parameters in the certificate file:
--
-- openssl dhparam 2048 >> stunnel.pem
--
--DH parameter generation may take several minutes.
--
--
--=head1 FILES
--
--=over 4
--
--=item F<stunnel.conf>
--
--B<stunnel> configuration file
--
--=back
--
--
--=head1 BUGS
--
--Option I<execArgs> and Win32 command line does not support quoting.
--
--
--=head1 SEE ALSO
--
--=over 4
--
--=item L<tcpd(8)>
--
--access control facility for internet services
--
--=item L<inetd(8)>
--
--internet 'super-server'
--
--=item F<http://www.stunnel.org/>
--
--B<stunnel> homepage
--
--=item F<http://www.openssl.org/>
--
--B<OpenSSL> project website
--
--=back
--
--
--=head1 AUTHOR
--
--=over 4
--
--=item Michał Trojnara
--
--<F<Michal.Trojnara at mirt.net>>
--
--=back
--
-diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
-new file mode 100644
-index 0000000..fa166f2
---- /dev/null
-+++ b/doc/stunnel.pod.in
-@@ -0,0 +1,1365 @@
-+=head1 NAME
-+
-+=encoding utf8
-+
-+stunnel - TLS offloading and load-balancing proxy
-+
-+
-+=head1 SYNOPSIS
-+
-+=over 4
-+
-+=item B<Unix:>
-+
-+B<stunnel> [S<FILE>] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options>
-+
-+=item B<WIN32:>
-+
-+B<stunnel> [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> |
-+ S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S<FILE>] ] |
-+ S<-help> | S<-version> | S<-sockets> | S<-options>
-+
-+=back
-+
-+
-+=head1 DESCRIPTION
-+
-+The B<stunnel> program is designed to work as I<SSL> encryption wrapper
-+between remote clients and local (I<inetd>-startable) or remote
-+servers. The concept is that having non-SSL aware daemons running on
-+your system you can easily set them up to communicate with clients over
-+secure SSL channels.
-+
-+B<stunnel> can be used to add SSL functionality to commonly used I<Inetd>
-+daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
-+NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
-+changes to the source code.
-+
-+This product includes cryptographic software written by
-+Eric Young (eay at cryptsoft.com)
-+
-+
-+=head1 OPTIONS
-+
-+=over 4
-+
-+=item B<FILE>
-+
-+Use specified configuration file
-+
-+=item B<-fd N> (Unix only)
-+
-+Read the config file from specified file descriptor
-+
-+=item B<-help>
-+
-+Print B<stunnel> help menu
-+
-+=item B<-version>
-+
-+Print B<stunnel> version and compile time defaults
-+
-+=item B<-sockets>
-+
-+Print default socket options
-+
-+=item B<-options>
-+
-+Print supported SSL options
-+
-+=item B<-install> (Windows NT and later only)
-+
-+Install NT Service
-+
-+=item B<-uninstall> (Windows NT and later only)
-+
-+Uninstall NT Service
-+
-+=item B<-start> (Windows NT and later only)
-+
-+Start NT Service
-+
-+=item B<-stop> (Windows NT and later only)
-+
-+Stop NT Service
-+
-+=item B<-reload> (Windows NT and later only)
-+
-+Reload configuration file of the running NT Service
-+
-+=item B<-reopen> (Windows NT and later only)
-+
-+Reopen log file of the running NT Service
-+
-+=item B<-exit> (Win32 only)
-+
-+Exit an already started stunnel
-+
-+=item B<-quiet> (Win32 only)
-+
-+Don't display any message boxes
-+
-+=back
-+
-+
-+=head1 CONFIGURATION FILE
-+
-+Each line of the configuration file can be either:
-+
-+=over 4
-+
-+=item *
-+
-+An empty line (ignored).
-+
-+=item *
-+
-+A comment starting with ';' (ignored).
-+
-+=item *
-+
-+An 'option_name = option_value' pair.
-+
-+=item *
-+
-+'[service_name]' indicating a start of a service definition.
-+
-+=back
-+
-+An address parameter of an option may be either:
-+
-+=over 4
-+
-+=item *
-+
-+A port number.
-+
-+=item *
-+
-+A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.
-+
-+=item *
-+
-+A Unix socket path (Unix only).
-+
-+=back
-+
-+=head2 GLOBAL OPTIONS
-+
-+=over 4
-+
-+=item B<chroot> = DIRECTORY (Unix only)
-+
-+directory to chroot B<stunnel> process
-+
-+B<chroot> keeps B<stunnel> in chrooted jail. I<CApath>, I<CRLpath>, I<pid>
-+and I<exec> are located inside the jail and the patches have to be relative
-+to the directory specified with B<chroot>.
-+
-+Several functions of the operating system also need their files to be located within chroot jail, e.g.:
-+
-+=over 4
-+
-+=item *
-+
-+Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
-+
-+=item *
-+
-+Local time in log files needs /etc/timezone.
-+
-+=item *
-+
-+Some other functions may need devices, e.g. /dev/zero or /dev/null.
-+
-+=back
-+
-+=item B<compression> = deflate | zlib
-+
-+select data compression algorithm
-+
-+default: no compression
-+
-+deflate is the standard compression method as described in RFC 1951.
-+
-+zlib compression of B<OpenSSL 0.9.8> or above is not backward compatible with
-+B<OpenSSL 0.9.7>.
-+
-+=item B<debug> = [FACILITY.]LEVEL
-+
-+debugging level
-+
-+Level is a one of the syslog level names or numbers
-+emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
-+info (6), or debug (7). All logs for the specified level and
-+all levels numerically less than it will be shown. Use I<debug = debug> or
-+I<debug = 7> for greatest debugging output. The default is notice (5).
-+
-+The syslog facility 'daemon' will be used unless a facility name is supplied.
-+(Facilities are not supported on Win32.)
-+
-+Case is ignored for both facilities and levels.
-+
-+=item B<EGD> = EGD_PATH (Unix only)
-+
-+path to Entropy Gathering Daemon socket
-+
-+Entropy Gathering Daemon socket to use to feed B<OpenSSL> random number
-+generator. (Available only if compiled with B<OpenSSL 0.9.5a> or higher)
-+
-+=item B<engine> = auto | ENGINE_ID
-+
-+select hardware engine
-+
-+default: software-only cryptography
-+
-+Here is an example of advanced engine configuration to read private key from an
-+OpenSC engine
-+
-+ engine=dynamic
-+ engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
-+ engineCtrl=ID:pkcs11
-+ engineCtrl=LIST_ADD:1
-+ engineCtrl=LOAD
-+ engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
-+ engineCtrl=INIT
-+
-+ [service]
-+ engineNum=1
-+ key=id_45
-+
-+=item B<engineCtrl> = COMMAND[:PARAMETER]
-+
-+control hardware engine
-+
-+Special commands "LOAD" and "INIT" can be used to load and initialize the
-+engine cryptogaphic module.
-+
-+=item B<engineDefault> = TASK_LIST
-+
-+set OpenSSL tasks delegated to the current engine
-+
-+The parameter specifies a comma-separated list of task to be delegated to the
-+current engine.
-+
-+The following tasks may be available, if supported by the engine: ALL, RSA,
-+DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
-+
-+=item B<fips> = yes | no
-+
-+Enable or disable FIPS 140-2 mode.
-+
-+This option allows to disable entering FIPS mode if B<stunnel> was compiled
-+with FIPS 140-2 support.
-+
-+default: no (since version 5.00)
-+
-+=item B<foreground> = yes | no (Unix only)
-+
-+foreground mode
-+
-+Stay in foreground (don't fork) and log to stderr
-+instead of via syslog (unless I<output> is specified).
-+
-+default: background in daemon mode
-+
-+=item B<iconActive> = ICON_FILE (GUI only)
-+
-+GUI icon to be displayed when there are established connections
-+
-+On Windows platform the parameter should be an .ico file containing a 16x16
-+pixel image.
-+
-+=item B<iconError> = ICON_FILE (GUI only)
-+
-+GUI icon to be displayed when no valid configuration is loaded
-+
-+On Windows platform the parameter should be an .ico file containing a 16x16
-+pixel image.
-+
-+=item B<iconIdle> = ICON_FILE (GUI only)
-+
-+GUI icon to be displayed when there are no established connections
-+
-+On Windows platform the parameter should be an .ico file containing a 16x16
-+pixel image.
-+
-+=item B<log> = append | overwrite
-+
-+log file handling
-+
-+This option allows to choose whether the log file (specified with the I<output>
-+option) is appended or overwritten when opened or re-opened.
-+
-+default: append
-+
-+=item B<output> = FILE
-+
-+append log messages to a file
-+
-+/dev/stdout device can be used to send log messages to the standard
-+output (for example to log them with daemontools splogger).
-+
-+=item B<pid> = FILE (Unix only)
-+
-+pid file location
-+
-+If the argument is empty, then no pid file will be created.
-+
-+I<pid> path is relative to I<chroot> directory if specified.
-+
-+=item B<RNDbytes> = BYTES
-+
-+bytes to read from random seed files
-+
-+Number of bytes of data read from random seed files. With SSL versions less
-+than B<0.9.5a>, also determines how many bytes of data are considered
-+sufficient to seed the PRNG. More recent B<OpenSSL> versions have a builtin
-+function to determine when sufficient randomness is available.
-+
-+=item B<RNDfile> = FILE
-+
-+path to file with random seed data
-+
-+The SSL library will use data from this file first to seed the random
-+number generator.
-+
-+=item B<RNDoverwrite> = yes | no
-+
-+overwrite the random seed files with new random data
-+
-+default: yes
-+
-+=item B<service> = SERVICE (Unix only)
-+
-+stunnel service name
-+
-+The specified service name is used for syslog and as the I<inetd> mode service
-+name for TCP Wrappers. While this option can technically be specified in the
-+service sections, it is only useful in global options.
-+
-+default: stunnel
-+
-+=item B<setgid> = GROUP (Unix only)
-+
-+setgid() to the specified group in daemon mode and clear all other groups
-+
-+=item B<setuid> = USER (Unix only)
-+
-+setuid() to the specified user in daemon mode
-+
-+=item B<socket> = a|l|r:OPTION=VALUE[:VALUE]
-+
-+Set an option on accept/local/remote socket
-+
-+The values for linger option are l_onof:l_linger.
-+The values for time are tv_sec:tv_usec.
-+
-+Examples:
-+
-+ socket = l:SO_LINGER=1:60
-+ set one minute timeout for closing local socket
-+ socket = r:SO_OOBINLINE=yes
-+ place out-of-band data directly into the
-+ receive data stream for remote sockets
-+ socket = a:SO_REUSEADDR=no
-+ disable address reuse (enabled by default)
-+ socket = a:SO_BINDTODEVICE=lo
-+ only accept connections on loopback interface
-+
-+=item B<syslog> = yes | no (Unix only)
-+
-+enable logging via syslog
-+
-+default: yes
-+
-+=item B<taskbar> = yes | no (WIN32 only)
-+
-+enable the taskbar icon
-+
-+default: yes
-+
-+=back
-+
-+
-+=head2 SERVICE-LEVEL OPTIONS
-+
-+Each configuration section begins with service name in square brackets.
-+The service name is used for libwrap (TCP Wrappers) access control and lets
-+you distinguish B<stunnel> services in your log files.
-+
-+Note that if you wish to run B<stunnel> in I<inetd> mode (where it
-+is provided a network socket by a server such as I<inetd>, I<xinetd>,
-+or I<tcpserver>) then you should read the section entitled I<INETD MODE>
-+below.
-+
-+
-+=over 4
-+
-+=item B<accept> = [HOST:]PORT
-+
-+accept connections on specified address
-+
-+If no host specified, defaults to all IPv4 addresses for the local host.
-+
-+To listen on all IPv6 addresses use:
-+
-+ accept = :::PORT
-+
-+=item B<CApath> = DIRECTORY
-+
-+Certificate Authority directory
-+
-+This is the directory in which B<stunnel> will look for certificates when using
-+the I<verify>. Note that the certificates in this directory should be named
-+XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the
-+cert.
-+
-+The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
-+c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
-+
-+I<CApath> path is relative to I<chroot> directory if specified.
-+
-+=item B<CAfile> = CERT_FILE
-+
-+Certificate Authority file
-+
-+This file contains multiple CA certificates, used with the I<verify>.
-+
-+=item B<cert> = PEM_FILE
-+
-+certificate chain PEM file name
-+
-+The certificates must be in PEM format, and must be from the
-+actual server/client certificate to the self-signed root CA certificate.
-+
-+A certificate is required in server mode, and optional in client mode.
-+
-+=item B<checkEmail> = EMAIL
-+
-+email address of the peer certificate subject
-+
-+Multiple I<checkEmail> options are allowed in a single service section.
-+Certificates are accepted if no I<checkEmail> option was specified, or the
-+email address of the peer certificate matches any of the email addresses
-+specified with I<checkEmail>.
-+
-+=item B<checkHost> = HOST
-+
-+host of the peer certificate subject
-+
-+Multiple I<checkHost> options are allowed in a single service section.
-+Certificates are accepted if no I<checkHost> option was specified, or the host
-+name of the peer certificate matches any of the hosts specified with
-+I<checkHost>.
-+
-+=item B<checkIP> = IP
-+
-+IP address of the peer certificate subject
-+
-+Multiple I<checkIP> options are allowed in a single service section.
-+Certificates are accepted if no I<checkIP> option was specified, or the IP
-+address of the peer certificate matches any of the IP addresses specified with
-+I<checkIP>.
-+
-+=item B<ciphers> = CIPHER_LIST
-+
-+Select permitted SSL ciphers
-+
-+A colon delimited list of the ciphers to allow in the SSL connection,
-+for example DES-CBC3-SHA:IDEA-CBC-MD5.
-+
-+=item B<client> = yes | no
-+
-+client mode (remote service uses SSL)
-+
-+default: no (server mode)
-+
-+=item B<connect> = [HOST:]PORT
-+
-+connect to a remote address
-+
-+If no host is specified, the host defaults to localhost.
-+
-+Multiple I<connect> options are allowed in a single service section.
-+
-+If host resolves to multiple addresses and/or if multiple I<connect>
-+options are specified, then the remote address is chosen using a
-+round-robin algorithm.
-+
-+=item B<CRLpath> = DIRECTORY
-+
-+Certificate Revocation Lists directory
-+
-+This is the directory in which B<stunnel> will look for CRLs when
-+using the I<verify>. Note that the CRLs in this directory should
-+be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.
-+
-+The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
-+c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
-+
-+I<CRLpath> path is relative to I<chroot> directory if specified.
-+
-+=item B<CRLfile> = CERT_FILE
-+
-+Certificate Revocation Lists file
-+
-+This file contains multiple CRLs, used with the I<verify>.
-+
-+=item B<curve> = NID
-+
-+specify ECDH curve name
-+
-+To get a list of supported cuves use:
-+
-+ openssl ecparam -list_curves
-+
-+default: prime256v1
-+
-+=item B<logId> = TYPE
-+
-+connection identifier type
-+
-+This identifier allows to distinguish log entries generated for each of the
-+connections.
-+
-+Currently supported types:
-+
-+=over 4
-+
-+=item I<sequential>
-+
-+The numeric sequential identifier is only unique within a single instance of
-+B<stunnel>, but very compact. It is most useful for manual log analysis.
-+
-+=item I<unique>
-+
-+This alphanumeric identifier is globally unique, but longer than the sequential
-+number. It is most useful for automated log analysis.
-+
-+=item I<thread>
-+
-+The operating system thread identifier is neither unique (even within a single
-+instance of B<stunnel>) nor short. It is most useful for debugging software
-+or configuration issues.
-+
-+=back
-+
-+default: sequential
-+
-+=item B<debug> = LEVEL
-+
-+debugging level
-+
-+Level is a one of the syslog level names or numbers
-+emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
-+info (6), or debug (7). All logs for the specified level and
-+all levels numerically less than it will be shown. Use I<debug = debug> or
-+I<debug = 7> for greatest debugging output. The default is notice (5).
-+
-+=item B<delay> = yes | no
-+
-+delay DNS lookup for I<connect> option
-+
-+This option is useful for dynamic DNS, or when DNS is not available during
-+B<stunnel> startup (road warrior VPN, dial-up configurations).
-+
-+Delayed resolver mode is automatically engaged when stunnel fails to resolve on
-+startup any of the I<connect> targets for a service.
-+
-+Delayed resolver inflicts I<failover = prio>.
-+
-+default: no
-+
-+=item B<engineId> = ENGINE_ID
-+
-+select engine ID for the service
-+
-+=item B<engineNum> = ENGINE_NUMBER
-+
-+select engine number for the service
-+
-+The engines are numbered starting from 1.
-+
-+=item B<exec> = EXECUTABLE_PATH
-+
-+execute local inetd-type program
-+
-+I<exec> path is relative to I<chroot> directory if specified.
-+
-+The following environmental variables are set on Unix platform:
-+REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
-+
-+=item B<execArgs> = $0 $1 $2 ...
-+
-+arguments for I<exec> including program name ($0)
-+
-+Quoting is currently not supported.
-+Arguments are separated with arbitrary number of whitespaces.
-+
-+=item B<failover> = rr | prio
-+
-+Failover strategy for multiple "connect" targets.
-+
-+ rr (round robin) - fair load distribution
-+ prio (priority) - use the order specified in config file
-+
-+default: rr
-+
-+=item B<ident> = USERNAME
-+
-+use IDENT (RFC 1413) username checking
-+
-+=item B<key> = KEY_FILE
-+
-+private key for certificate specified with I<cert> option
-+
-+Private key is needed to authenticate certificate owner.
-+Since this file should be kept secret it should only be readable
-+to its owner. On Unix systems you can use the following command:
-+
-+ chmod 600 keyfile
-+
-+default: value of I<cert> option
-+
-+=item B<libwrap> = yes | no
-+
-+Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
-+
-+default: no (since version 5.00)
-+
-+=item B<local> = HOST
-+
-+IP of the outgoing interface is used as source for remote connections.
-+Use this option to bind a static local IP address, instead.
-+
-+=item B<sni> = SERVICE:SERVER_PATTERN (server mode)
-+
-+Use the service as a slave service (a name-based virtual server) for Server
-+Name Indication TLS extension (RFC 3546).
-+
-+I<service_name> specifies the master service that accepts client connections
-+with I<accept> option. I<server_name_pattern> specifies the host name to be
-+redirected. The pattern may start with '*' character, e.g. '*.example.com'.
-+Multiple slave services are normally specified for a single master service.
-+I<sni> option can also be specified more than once within a single slave
-+service.
-+
-+This service, as well as the master service, may not be configured in client
-+mode.
-+
-+I<connect> option of the slave service is ignored when I<protocol> option is
-+specified, as I<protocol> connects remote host before TLS handshake.
-+
-+Libwrap checks (Unix only) are performed twice: with master service name after
-+TCP connection is accepted, and with slave service name during TLS handshake.
-+
-+Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
-+
-+=item B<sni> = SERVER (client mode)
-+
-+Use the parameter as the value of TLS Server Name Indication (RFC 3546)
-+extension.
-+
-+Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
-+
-+=item B<OCSP> = URL
-+
-+select OCSP server for certificate verification
-+
-+=item B<OCSPaia> = yes | no
-+
-+validate certificates with their AIA OCSP responders
-+
-+This option enables I<stunnel> to validate certificates with the list of
-+OCSP responder URLs retrieved from their AIA (Authority Information Access)
-+extension.
-+
-+=item B<OCSPflag> = OCSP_FLAG
-+
-+specify OCSP server flag
-+
-+Several I<OCSPflag> can be used to specify multiple flags.
-+
-+currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
-+NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
-+
-+=item B<options> = SSL_OPTIONS
-+
-+B<OpenSSL> library options
-+
-+The parameter is the B<OpenSSL> option name as described in the
-+I<SSL_CTX_set_options(3ssl)> manual, but without I<SSL_OP_> prefix.
-+I<stunnel -options> lists the options found to be allowed in the
-+current combination of I<stunnel> and the I<OpenSSL> library used
-+to build it.
-+
-+Several I<options> can be used to specify multiple options.
-+An option name can be prepended with a dash ("-") to disable the option.
-+
-+For example, for compatibility with the erroneous Eudora SSL
-+implementation, the following option can be used:
-+
-+ options = DONT_INSERT_EMPTY_FRAGMENTS
-+
-+default:
-+
-+ options = NO_SSLv2
-+ options = NO_SSLv3
-+
-+=item B<protocol> = PROTO
-+
-+application protocol to negotiate SSL
-+
-+This option enables initial, protocol-specific negotiation of the SSL/TLS
-+encryption.
-+I<protocol> option should not be used with SSL encryption on a separate port.
-+
-+Currently supported protocols:
-+
-+=over 4
-+
-+=item I<cifs>
-+
-+Proprietary (undocummented) extension of CIFS protocol implemented in Samba.
-+Support for this extension was dropped in Samba 3.0.0.
-+
-+=item I<connect>
-+
-+Based on RFC 2817 - I<Upgrading to TLS Within HTTP/1.1>, section 5.2 - I<Requesting a Tunnel with CONNECT>
-+
-+This protocol is only supported in client mode.
-+
-+=item I<imap>
-+
-+Based on RFC 2595 - I<Using TLS with IMAP, POP3 and ACAP>
-+
-+=item I<nntp>
-+
-+Based on RFC 4642 - I<Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)>
-+
-+This protocol is only supported in client mode.
-+
-+=item I<pgsql>
-+
-+Based on
-+F<http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982>
-+
-+=item I<pop3>
-+
-+Based on RFC 2449 - I<POP3 Extension Mechanism>
-+
-+=item I<proxy>
-+
-+Haproxy client IP address
-+F<http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt>
-+
-+=item I<smtp>
-+
-+Based on RFC 2487 - I<SMTP Service Extension for Secure SMTP over TLS>
-+
-+=item I<socks>
-+
-+SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself
-+is encapsulated within SSL/TLS encryption layer to protect the final
-+destination address.
-+
-+F<http://www.openssh.com/txt/socks4.protocol>
-+
-+F<http://www.openssh.com/txt/socks4a.protocol>
-+
-+The BIND command of the SOCKS protocol is not supported.
-+The USERID parameter is ignored.
-+
-+See Examples section for sample configuration files for VPN based on SOCKS
-+encryption.
-+
-+=back
-+
-+=item B<protocolAuthentication> = basic | ntlm
-+
-+authentication type for protocol negotiations
-+
-+Currently authentication type only applies to the 'connect' protocol.
-+
-+default: basic
-+
-+=item B<protocolHost> = HOST:PORT
-+
-+destination address for protocol negotiations
-+
-+I<protocolHost> specifies the final SSL server to be connected by the proxy,
-+and not the proxy server directly connected by B<stunnel>.
-+The proxy server should be specified with the 'connect' option.
-+
-+Currently protocol destination address only applies to 'connect' protocol.
-+
-+=item B<protocolPassword> = PASSWORD
-+
-+password for protocol negotiations
-+
-+=item B<protocolUsername> = USERNAME
-+
-+username for protocol negotiations
-+
-+=item B<PSKidentity> = IDENTITY
-+
-+PSK identity for the PSK client
-+
-+I<PSKidentity> can be used on B<stunnel> clients to select the PSK identity
-+used for authentication. This option is ignored in server sections.
-+
-+default: the first identity specified in the I<PSKsecrets> file.
-+
-+=item B<PSKsecrets> = FILE
-+
-+file with PSK identities and corresponding keys
-+
-+Each line of the file in the following format:
-+
-+ IDENTITY:KEY
-+
-+The key is required to be at least 20 characters long.
-+The file should not be world-readable nor world-writable.
-+
-+=item B<pty> = yes | no (Unix only)
-+
-+allocate pseudoterminal for 'exec' option
-+
-+=item B<redirect> = [HOST:]PORT
-+
-+redirect SSL client connections on certificate-based authentication failures
-+
-+This option only works in server mode.
-+Some protocol negotiations are also incompatible with the I<redirect> option.
-+
-+=item B<renegotiation> = yes | no
-+
-+support SSL renegotiation
-+
-+Applications of the SSL renegotiation include some authentication scenarios,
-+or re-keying long lasting connections.
-+
-+On the other hand this feature can facilitate a trivial CPU-exhaustion
-+DoS attack:
-+
-+F<http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html>
-+
-+Please note that disabling SSL renegotiation does not fully mitigate
-+this issue.
-+
-+default: yes (if supported by B<OpenSSL>)
-+
-+=item B<reset> = yes | no
-+
-+attempt to use TCP RST flag to indicate an error
-+
-+This option is not supported on some platforms.
-+
-+default: yes
-+
-+=item B<retry> = yes | no
-+
-+reconnect a connect+exec section after it's disconnected
-+
-+default: no
-+
-+=item B<sessionCacheSize> = NUM_ENTRIES
-+
-+session cache size
-+
-+I<sessionCacheSize> specifies the maximum number of the internal session cache
-+entries.
-+
-+The value of 0 can be used for unlimited size. It is not recommended
-+for production use due to the risk of memory exhaustion DoS attack.
-+
-+=item B<sessionCacheTimeout> = TIMEOUT
-+
-+session cache timeout
-+
-+This is the number of seconds to keep cached SSL sessions.
-+
-+=item B<sessiond> = HOST:PORT
-+
-+address of sessiond SSL cache server
-+
-+=item B<sslVersion> = SSL_VERSION
-+
-+select the SSL protocol version
-+
-+Allowed values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
-+
-+=item B<stack> = BYTES (except for FORK model)
-+
-+thread stack size
-+
-+=item B<TIMEOUTbusy> = SECONDS
-+
-+time to wait for expected data
-+
-+=item B<TIMEOUTclose> = SECONDS
-+
-+time to wait for close_notify (set to 0 for buggy MSIE)
-+
-+=item B<TIMEOUTconnect> = SECONDS
-+
-+time to wait to connect a remote host
-+
-+=item B<TIMEOUTidle> = SECONDS
-+
-+time to keep an idle connection
-+
-+=item B<transparent> = none | source | destination | both (Unix only)
-+
-+enable transparent proxy support on selected platforms
-+
-+Supported values:
-+
-+=over 4
-+
-+=item I<none>
-+
-+Disable transparent proxy support. This is the default.
-+
-+=item I<source>
-+
-+Re-write address to appear as if wrapped daemon is connecting
-+from the SSL client machine instead of the machine running B<stunnel>.
-+
-+This option is currently available in:
-+
-+=over 4
-+
-+=item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28>
-+
-+This configuration requires B<stunnel> to be executed as root and without
-+I<setuid> option.
-+
-+This configuration requires the following setup for iptables and routing
-+(possibly in /etc/rc.local or equivalent file):
-+
-+ iptables -t mangle -N DIVERT
-+ iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
-+ iptables -t mangle -A DIVERT -j MARK --set-mark 1
-+ iptables -t mangle -A DIVERT -j ACCEPT
-+ ip rule add fwmark 1 lookup 100
-+ ip route add local 0.0.0.0/0 dev lo table 100
-+ echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
-+
-+B<stunnel> must also to be executed as root and without I<setuid> option.
-+
-+=item Remote mode (I<connect> option) on I<Linux 2.2.x>
-+
-+This configuration requires kernel to be compiled with I<transparent proxy>
-+option.
-+Connected service must be installed on a separate host.
-+Routing towards the clients has to go through the B<stunnel> box.
-+
-+B<stunnel> must also to be executed as root and without I<setuid> option.
-+
-+=item Remote mode (I<connect> option) on I<FreeBSD E<gt>=8.0>
-+
-+This configuration requires additional firewall and routing setup.
-+B<stunnel> must also to be executed as root and without I<setuid> option.
-+
-+=item Local mode (I<exec> option)
-+
-+This configuration works by pre-loading I<libstunnel.so> shared library.
-+_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
-+other platforms.
-+
-+=back
-+
-+=item I<destination>
-+
-+Original destination is used instead of I<connect> option.
-+
-+A service section for transparent destination may look like this:
-+
-+ [transparent]
-+ client=yes
-+ accept=<stunnel_port>
-+ transparent=destination
-+
-+This configuration requires iptables setup to work,
-+possibly in /etc/rc.local or equivalent file.
-+
-+For a connect target installed on the same host:
-+
-+ /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
-+ -m ! --uid-owner <stunnel_user_id> \
-+ -j DNAT --to-destination <local_ip>:<stunnel_port>
-+
-+For a connect target installed on a remote host:
-+
-+ /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
-+ /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
-+ -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
-+
-+Transparent destination option is currently only supported on Linux.
-+
-+=item I<both>
-+
-+Use both I<source> and I<destination> transparent proxy.
-+
-+=back
-+
-+Two legacy options are also supported for backward compatibility:
-+
-+=over 4
-+
-+=item I<yes>
-+
-+This options has been renamed to I<source>.
-+
-+=item I<no>
-+
-+This options has been renamed to I<none>.
-+
-+=back
-+
-+
-+=item B<verify> = LEVEL
-+
-+verify peer certificate
-+
-+=over 4
-+
-+=item level 0
-+
-+Request and ignore peer certificate.
-+
-+=item level 1
-+
-+Verify peer certificate if present.
-+
-+=item level 2
-+
-+Verify peer certificate.
-+
-+=item level 3
-+
-+Verify peer with locally installed certificate.
-+
-+=item level 4
-+
-+Ignore CA chain and only verify peer certificate.
-+
-+=item default
-+
-+No verify.
-+
-+=back
-+
-+It is important to understand, that this option was solely designed for access
-+control and not for authorization. Specifically for level 2 every non-revoked
-+certificate is accepted regardless of its Common Name. For this reason a
-+dedicated CA should be used with level 2, and not a generic CA commonly used
-+for webservers. Level 3 is preferred for point-to-point connections.
-+
-+=back
-+
-+
-+=head1 RETURN VALUE
-+
-+B<stunnel> returns zero on success, non-zero on error.
-+
-+
-+=head1 SIGNALS
-+
-+The following signals can be used to control B<stunnel> in Unix environment:
-+
-+=over 4
-+
-+=item SIGHUP
-+
-+Force a reload of the configuration file.
-+
-+Some global options will not be reloaded:
-+
-+=over 4
-+
-+=item *
-+
-+chroot
-+
-+=item *
-+
-+foreground
-+
-+=item *
-+
-+pid
-+
-+=item *
-+
-+setgid
-+
-+=item *
-+
-+setuid
-+
-+=back
-+
-+The use of 'setuid' option will also prevent B<stunnel> from binding privileged
-+(<1024) ports during configuration reloading.
-+
-+When 'chroot' option is used, B<stunnel> will look for all its files (including
-+configuration file, certificates, log file and pid file) within the chroot
-+jail.
-+
-+=item SIGUSR1
-+
-+Close and reopen B<stunnel> log file.
-+This function can be used for log rotation.
-+
-+=item SIGTERM, SIGQUIT, SIGINT
-+
-+Shut B<stunnel> down.
-+
-+=back
-+
-+The result of sending any other signals to the server is undefined.
-+
-+
-+=head1 EXAMPLES
-+
-+In order to provide SSL encapsulation to your local I<imapd> service, use:
-+
-+ [imapd]
-+ accept = 993
-+ exec = /usr/sbin/imapd
-+ execArgs = imapd
-+
-+or in remote mode:
-+
-+ [imapd]
-+ accept = 993
-+ connect = 143
-+
-+In order to let your local e-mail client connect to an SSL-enabled I<imapd>
-+service on another server, configure the e-mail client to connect to localhost
-+on port 119 and use:
-+
-+ [imap]
-+ client = yes
-+ accept = 143
-+ connect = servername:993
-+
-+If you want to provide tunneling to your I<pppd> daemon on port 2020,
-+use something like:
-+
-+ [vpn]
-+ accept = 2020
-+ exec = /usr/sbin/pppd
-+ execArgs = pppd local
-+ pty = yes
-+
-+If you want to use B<stunnel> in I<inetd> mode to launch your imapd
-+process, you'd use this I<stunnel.conf>.
-+Note there must be no I<[service_name]> section.
-+
-+ exec = /usr/sbin/imapd
-+ execArgs = imapd
-+
-+To setup SOCKS VPN configure the following client service:
-+
-+ [socks_client]
-+ client = yes
-+ accept = 127.0.0.1:1080
-+ connect = vpn_server:9080
-+ verify = 4
-+ CAfile = stunnel.pem
-+
-+The corresponding configuration on the vpn_server host:
-+
-+ [socks_server]
-+ protocol = socks
-+ accept = 9080
-+ cert = stunnel.pem
-+ key = stunnel.key
-+
-+Now test your configuration on the client machine with:
-+
-+ curl --socks4a localhost http://www.example.com/
-+
-+=head1 NOTES
-+
-+=head2 RESTRICTIONS
-+
-+B<stunnel> cannot be used for the FTP daemon because of the nature
-+of the FTP protocol which utilizes multiple ports for data transfers.
-+There are available SSL-enabled versions of FTP and telnet daemons, however.
-+
-+
-+=head2 INETD MODE
-+
-+The most common use of B<stunnel> is to listen on a network
-+port and establish communication with either a new port
-+via the connect option, or a new program via the I<exec> option.
-+However there is a special case when you wish to have
-+some other program accept incoming connections and
-+launch B<stunnel>, for example with I<inetd>, I<xinetd>,
-+or I<tcpserver>.
-+
-+For example, if you have the following line in I<inetd.conf>:
-+
-+ imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf
-+
-+In these cases, the I<inetd>-style program is responsible
-+for binding a network socket (I<imaps> above) and handing
-+it to B<stunnel> when a connection is received.
-+Thus you do not want B<stunnel> to have any I<accept> option.
-+All the I<Service Level Options> should be placed in the
-+global options section, and no I<[service_name]> section
-+will be present. See the I<EXAMPLES> section for example
-+configurations.
-+
-+=head2 CERTIFICATES
-+
-+Each SSL-enabled daemon needs to present a valid X.509 certificate
-+to the peer. It also needs a private key to decrypt the incoming
-+data. The easiest way to obtain a certificate and a key is to
-+generate them with the free B<OpenSSL> package. You can find more
-+information on certificates generation on pages listed below.
-+
-+The order of contents of the I<.pem> file is important. It should contain the
-+unencrypted private key first, then a signed certificate (not certificate
-+request). There should be also empty lines after certificate and private key.
-+Plaintext certificate information appended on the top of generated certificate
-+should be discarded. So the file should look like this:
-+
-+ -----BEGIN RSA PRIVATE KEY-----
-+ [encoded key]
-+ -----END RSA PRIVATE KEY-----
-+ [empty line]
-+ -----BEGIN CERTIFICATE-----
-+ [encoded certificate]
-+ -----END CERTIFICATE-----
-+ [empty line]
-+
-+=head2 RANDOMNESS
-+
-+B<stunnel> needs to seed the PRNG (pseudo random number generator) in
-+order for SSL to use good randomness. The following sources are loaded
-+in order until sufficient random data has been gathered:
-+
-+=over 4
-+
-+=item *
-+
-+The file specified with the I<RNDfile> flag.
-+
-+=item *
-+
-+The file specified by the RANDFILE environment variable, if set.
-+
-+=item *
-+
-+The file .rnd in your home directory, if RANDFILE not set.
-+
-+=item *
-+
-+The file specified with '--with-random' at compile time.
-+
-+=item *
-+
-+The contents of the screen if running on Windows.
-+
-+=item *
-+
-+The egd socket specified with the I<EGD> flag.
-+
-+=item *
-+
-+The egd socket specified with '--with-egd-sock' at compile time.
-+
-+=item *
-+
-+The /dev/urandom device.
-+
-+=back
-+
-+With recent (B<OpenSSL 0.9.5a> or later) version of SSL it will stop loading
-+random data automatically when sufficient entropy has been gathered. With
-+previous versions it will continue to gather from all the above sources since
-+no SSL function exists to tell when enough data is available.
-+
-+Note that on Windows machines that do not have console user interaction
-+(mouse movements, creating windows, etc.) the screen contents are not
-+variable enough to be sufficient, and you should provide a random file
-+for use with the I<RNDfile> flag.
-+
-+Note that the file specified with the I<RNDfile> flag should contain
-+random data -- that means it should contain different information
-+each time B<stunnel> is run. This is handled automatically
-+unless the I<RNDoverwrite> flag is used. If you wish to update this file
-+manually, the I<openssl rand> command in recent versions of B<OpenSSL>,
-+would be useful.
-+
-+Important note: If /dev/urandom is available, B<OpenSSL> often seeds the PRNG
-+with it while checking the random state. On systems with /dev/urandom
-+B<OpenSSL> is likely to use it even though it is listed at the very bottom of
-+the list above. This is the behaviour of B<OpenSSL> and not B<stunnel>.
-+
-+=head2 DH PARAMETERS
-+
-+Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
-+
-+It is also possible to specify DH parameters in the certificate file:
-+
-+ openssl dhparam 2048 >> stunnel.pem
-+
-+DH parameter generation may take several minutes.
-+
-+
-+=head1 FILES
-+
-+=over 4
-+
-+=item F<@sysconfdir@/stunnel/stunnel.conf>
-+
-+B<stunnel> configuration file
-+
-+=back
-+
-+
-+=head1 BUGS
-+
-+Option I<execArgs> and Win32 command line does not support quoting.
-+
-+
-+=head1 SEE ALSO
-+
-+=over 4
-+
-+=item L<tcpd(8)>
-+
-+access control facility for internet services
-+
-+=item L<inetd(8)>
-+
-+internet 'super-server'
-+
-+=item F<http://www.stunnel.org/>
-+
-+B<stunnel> homepage
-+
-+=item F<http://www.openssl.org/>
-+
-+B<OpenSSL> project website
-+
-+=back
-+
-+
-+=head1 AUTHOR
-+
-+=over 4
-+
-+=item Michał Trojnara
-+
-+<F<Michal.Trojnara at mirt.net>>
-+
-+=back
-+
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 8fc3fe6..3bcbdfd 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -90,3 +90,10 @@ resources.obj: resources.rc resources.h version.h
- mostlyclean-local:
- -rm -f *.obj
-
-+edit = sed \
-+ -e 's|@bindir[@]|$(bindir)|g'
-+
-+stunnel3: Makefile
-+ $(edit) '$(srcdir)/$@.in' >$@
-+
-+stunnel3: $(srcdir)/stunnel3.in
-diff --git a/src/stunnel3.in b/src/stunnel3.in
-index db2bce0..eebbdcd 100755
---- a/src/stunnel3.in
-+++ b/src/stunnel3.in
-@@ -22,7 +22,7 @@ use POSIX;
- use Getopt::Std;
-
- # Configuration - path to stunnel (version >=4.05)
--$stunnel_bin='@prefix@/bin/stunnel';
-+$stunnel_bin='@bindir@/stunnel';
-
- # stunnel3 script body begins here
- ($read_fd, $write_fd)=POSIX::pipe();
-diff --git a/tools/Makefile.am b/tools/Makefile.am
-index 79ef010..375cf91 100644
---- a/tools/Makefile.am
-+++ b/tools/Makefile.am
-@@ -37,3 +37,17 @@ cert:
- rm -f stunnel.rnd; \
- fi
-
-+edit = sed \
-+ -e 's|@prefix[@]|$(prefix)|g' \
-+ -e 's|@bindir[@]|$(bindir)|g' \
-+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
-+ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \
-+ -e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'
-+
-+stunnel.conf-sample stunnel.init stunnel.service: Makefile
-+ $(edit) '$(srcdir)/$@.in' >$@
-+
-+stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
-+stunnel.init: $(srcdir)/stunnel.init.in
-+stunnel.service: $(srcdir)/stunnel.service.in
-+
-diff --git a/tools/stunnel.conf-sample.in b/tools/stunnel.conf-sample.in
-index c8f65dc..716c229 100644
---- a/tools/stunnel.conf-sample.in
-+++ b/tools/stunnel.conf-sample.in
-@@ -12,7 +12,7 @@
- ;setgid = @DEFAULT_GROUP@
-
- ; PID file is created inside the chroot jail (if enabled)
--;pid = @prefix@/var/run/stunnel.pid
-+;pid = @localstatedir@/run/stunnel.pid
-
- ; Debugging stuff (may be useful for troubleshooting)
- ;foreground = yes
-@@ -44,7 +44,7 @@ client = yes
- accept = 127.0.0.1:110
- connect = pop.gmail.com:995
- verify = 2
--CApath = /etc/ssl/certs
-+CApath = @sysconfdir@/ssl/certs
- checkHost = pop.gmail.com
-
- [gmail-imap]
-@@ -52,7 +52,7 @@ client = yes
- accept = 127.0.0.1:143
- connect = imap.gmail.com:993
- verify = 2
--CApath = /etc/ssl/certs
-+CApath = @sysconfdir@/ssl/certs
- checkHost = imap.gmail.com
-
- [gmail-smtp]
-@@ -60,7 +60,7 @@ client = yes
- accept = 127.0.0.1:25
- connect = smtp.gmail.com:465
- verify = 2
--CApath = /etc/ssl/certs
-+CApath = @sysconfdir@/ssl/certs
- checkHost = smtp.gmail.com
-
- ; ***************************************** Example TLS server mode services
-@@ -68,34 +68,34 @@ checkHost = smtp.gmail.com
- ;[pop3s]
- ;accept = 995
- ;connect = 110
--;cert = @prefix@/etc/stunnel/stunnel.pem
-+;cert = @sysconfdir@/stunnel/stunnel.pem
-
- ;[imaps]
- ;accept = 993
- ;connect = 143
--;cert = @prefix@/etc/stunnel/stunnel.pem
-+;cert = @sysconfdir@/stunnel/stunnel.pem
-
- ;[ssmtp]
- ;accept = 465
- ;connect = 25
--;cert = @prefix@/etc/stunnel/stunnel.pem
-+;cert = @sysconfdir@/stunnel/stunnel.pem
-
- ; TLS front-end to a web server
- ;[https]
- ;accept = 443
- ;connect = 80
--;cert = @prefix@/etc/stunnel/stunnel.pem
-+;cert = @sysconfdir@/stunnel/stunnel.pem
- ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
- ; Microsoft implementations do not use TLS close-notify alert and thus they
- ; are vulnerable to truncation attacks
- ;TIMEOUTclose = 0
-
- ; Remote shell protected with PSK-authenticated TLS
--; Create "@prefix@/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
-+; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
- ;[shell]
- ;accept = 1337
- ;exec = /bin/sh
- ;execArgs = sh -i
--;PSKsecrets = @prefix@/etc/stunnel/secrets.txt
-+;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
-
- ; vim:ft=dosini
-diff --git a/tools/stunnel.init.in b/tools/stunnel.init.in
-index 32a3e64..aa46e9f 100644
---- a/tools/stunnel.init.in
-+++ b/tools/stunnel.init.in
-@@ -15,7 +15,7 @@
- ### END INIT INFO
-
- DEFAULTPIDFILE="/var/run/stunnel.pid"
--DAEMON=@prefix@/bin/stunnel
-+DAEMON=@bindir@/stunnel
- NAME=stunnel
- DESC="SSL tunnels"
- OPTIONS=""
-@@ -100,9 +100,9 @@ if [ "x$OPTIONS" != "x" ]; then
- OPTIONS="-- $OPTIONS"
- fi
-
--[ -f /etc/default/stunnel ] && . /etc/default/stunnel
-+[ -f @sysconfdir@/default/stunnel ] && . /etc/default/stunnel
- if [ "$ENABLED" = "0" ] ; then
-- echo "$DESC disabled, see /etc/default/stunnel"
-+ echo "$DESC disabled, see @sysconfdir@/default/stunnel"
- exit 0
- fi
-
-@@ -110,15 +110,15 @@ fi
- # is in $2. Otherwise, respect /etc/default/stunnel4 setting. If no
- # setting there, use /etc/stunnel/*.conf
- if [ -n "${2:-}" ]; then
-- if [ -e "/etc/stunnel/$2.conf" ]; then
-- FILES="/etc/stunnel/$2.conf"
-+ if [ -e "@sysconfdir@/stunnel/$2.conf" ]; then
-+ FILES="@sysconfdir@/stunnel/$2.conf"
- else
-- echo >&2 "/etc/stunnel/$2.conf does not exist."
-+ echo >&2 "@sysconfdir@/stunnel/$2.conf does not exist."
- exit 1
- fi
- else
- if [ -z "$FILES" ]; then
-- FILES="/etc/stunnel/*.conf"
-+ FILES="@sysconfdir@/stunnel/*.conf"
- fi
- fi
-
-@@ -158,7 +158,7 @@ case "$1" in
- querydaemons
- ;;
- *)
-- N=/etc/init.d/$NAME
-+ N=@sysconfdir@/init.d/$NAME
- echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
- exit 1
- ;;
-diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
-index 0f7adfa..7776364 100644
---- a/tools/stunnel.service.in
-+++ b/tools/stunnel.service.in
-@@ -3,7 +3,7 @@ Description=SSL tunnel for network daemons
- After=syslog.target
-
- [Service]
--ExecStart=@prefix@/bin/stunnel
-+ExecStart=@bindir@/stunnel
- Type=forking
-
- [Install]
---
-2.3.3
-
Deleted: csw/mgar/pkg/stunnel/trunk/files/0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/files/0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1,53 +0,0 @@
-From 3eec5691ed3376ab91601c7d98a122ae7cf3f252 Mon Sep 17 00:00:00 2001
-From: Ben Walton <bwalton at opencsw.org>
-Date: Fri, 22 Jun 2012 02:55:14 +0200
-Subject: [PATCH] make stunnel.conf-sample.in honour sysconfdir and
- localstatedir
-
-Signed-off-by: Ben Walton <bwalton at opencsw.org>
----
- tools/stunnel.conf-sample.in | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tools/stunnel.conf-sample.in b/tools/stunnel.conf-sample.in
-index 15dc2d9..b4c3946 100644
---- a/tools/stunnel.conf-sample.in
-+++ b/tools/stunnel.conf-sample.in
-@@ -9,7 +9,7 @@
-
- ; A copy of some devices and system files is needed within the chroot jail
- ; Chroot conflicts with configuration file reload and many other features
--chroot = @prefix@/var/lib/stunnel/
-+chroot = @localstatedir@/lib/stunnel/
- ; Chroot jail can be escaped if setuid option is not used
- setuid = nobody
- setgid = @DEFAULT_GROUP@
-@@ -26,8 +26,8 @@ pid = /stunnel.pid
- ; **************************************************************************
-
- ; Certificate/key is needed in server mode and optional in client mode
--cert = @prefix@/etc/stunnel/mail.pem
--;key = @prefix@/etc/stunnel/mail.pem
-+cert = @sysconfdir@/stunnel/mail.pem
-+;key = @sysconfdir@/stunnel/mail.pem
-
- ; Authentication stuff needs to be configured to prevent MITM attacks
- ; It is not enabled by default!
-@@ -36,12 +36,12 @@ cert = @prefix@/etc/stunnel/mail.pem
- ; CApath is located inside chroot jail
- ;CApath = /certs
- ; It's often easier to use CAfile
--;CAfile = @prefix@/etc/stunnel/certs.pem
-+;CAfile = @sysconfdir@/stunnel/certs.pem
- ; Don't forget to c_rehash CRLpath
- ; CRLpath is located inside chroot jail
- ;CRLpath = /crls
- ; Alternatively CRLfile can be used
--;CRLfile = @prefix@/etc/stunnel/crls.pem
-+;CRLfile = @sysconfdir@/stunnel/crls.pem
-
- ; Disable support for insecure SSLv2 protocol
- options = NO_SSLv2
---
-1.7.10.3
-
Deleted: csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.checkinstall
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.checkinstall 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.checkinstall 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1,17 +0,0 @@
-#!/bin/sh
-#
-# Make sure we use at least cswclassutils 1.15 (this is where AUTOENABLE
-# support was introduced). pkgutil should take care of this sometime, but
-# as we don't know whether the system has a recent pkgutil, we do it here
-# for now.
-
-# Use the REV stamp as it is guaranteed to go up and is easier to compare
-# than the version field
-R=`/bin/pkgparam CSWcswclassutils VERSION | cut -d= -f2 | tr -d .`
-
-[ "0$R" -ge 20090602 ] && exit 0
-
-echo "Please install cswclassutils >= REV=2009-06-02 first." >&2
-echo "Aborting installation." >&2
-
-exit 1
Deleted: csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.cswstunnel
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.cswstunnel 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.cswstunnel 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1,53 +0,0 @@
-#!/bin/sh
-# Based on Sample stunnel SysV startup file
-# Copyright by Michal Trojnara 2002,2007,2008
-#
-# Modified for CSW by Sebastian Kayser
-#
-# Don't enable SMF service right away
-#AUTOENABLE no
-#
-# For SMF exit codes: see PAGER='less +/exit\ status' man smf_method
-
-PATH=@sbindir@:@bindir@:/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=@bindir@/stunnel
-DEFAULTPIDFILE=@localstatedir@/run/stunnel/stunnel.pid
-CONFIG=@sysconfdir@/stunnel/stunnel.conf
-
-test -f $DAEMON || { echo "ERROR: Couldn't find stunnel binary."; exit 95; }
-test -f $CONFIG || { echo "ERROR: Couldn't find stunnel.conf."; exit 96; }
-
-CHROOT=`grep '^chroot' $CONFIG | sed 's/.*= *//'`
-PIDFILE=`grep '^pid' $CONFIG | sed 's/.*= *//'`
-
-test -z "$DEFAULTPIDFILE" && PIDFILE = $DEFAULTPIDFILE
-
-case "$1" in
- start)
- printf "Starting universal SSL tunnel: cswstunnel"
- $DAEMON $CONFIG || printf " failed"
- echo "."
- ;;
- stop)
- printf "Stopping universal SSL tunnel: cswstunnel"
- if test -r $CHROOT/$PIDFILE; then
- kill `cat $CHROOT/$PIDFILE` 2> /dev/null || printf " failed"
- else
- printf " no PID file"
- fi
- echo "."
- ;;
- restart|force-reload)
- echo "Restarting universal SSL tunnel: cswstunnel"
- $0 stop
- sleep 1
- $0 start
- echo "done."
- ;;
- *)
- echo "Usage: /etc/opt/csw/init.d/cswstunnel {start|stop|restart|force-reload}" >&2
- exit 1
- ;;
-esac
-
-exit 0
Deleted: csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.postinstall
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.postinstall 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/files/CSWstunnel.postinstall 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1,9 +0,0 @@
-#!/bin/sh
-#
-# Create required /dev/zero in stunnel chroot directory
-#
-# Taken from stunnel Makefile. mknod can only be run as root and thus needs
-# to be run from postinstall (packaging is done as non-root user).
-#
-/usr/sbin/mknod /var/opt/csw/lib/stunnel/dev/zero c 13 12
-chmod 666 /var/opt/csw/lib/stunnel/dev/zero
Deleted: csw/mgar/pkg/stunnel/trunk/files/changelog.CSW
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/changelog.CSW 2015-06-01 16:22:31 UTC (rev 25044)
+++ csw/mgar/pkg/stunnel/trunk/files/changelog.CSW 2015-06-01 20:16:13 UTC (rev 25045)
@@ -1,13 +0,0 @@
-stunnel (4.44,REV=2011.09.27)
-
- * Updated to 4.44 (Closes: #4817, #4606)
- * Changed $(sysconfdir) from /opt/csw/etc/stunnel to /etc/opt/csw/stunnel.
-
- -- Sebastian Kayser <skayser at opencsw.org> Tue, 27 Sep 2011 16:55:08 +0200
-
-stunnel (4,27,REV=2009.06.18)
-
- * Package adopted and updated to 4.27.
- * Built with --localstatedir=/var/opt/csw. (Closes: #3029)
-
- -- Sebastian Kayser <skayser at opencsw.org> Thu, 18 Jun 2009 22:48:30 +0200
Copied: csw/mgar/pkg/stunnel/trunk/files/cswstunnel.xml (from rev 25026, csw/mgar/pkg/lang-python/carbon/trunk/files/cswcarbon-cache.xml)
===================================================================
(Binary files differ)