Bugfixes:
* Fixed infinite loop triggered by OCSP URL parsing errors (thx to Richard Könning for reporting).
* Fixed OPENSSL_NO_OCSP build issues (thx to Dmitry Mostovoy for reporting).
* Fixed default curve selection in FIPS mode with OpenSSL 3.4+.
* Fixed tests with modern Python versions.
* Fixed tests with multiple OpenSSL versions installed.
Features:
* Added provider URI support for "cert" and "key" options.
* Added new "CAstore" service-level option (OpenSSL 3.0+).
* Added "provider" (OpenSSL 3.0+), "providerParameter" (OpenSSL 3.5+), and "setEnv" global options.
* Key file/URI path added to passphrase prompt on Unix.
* PKCS#11 provider installed on Windows.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Bugfixes:
* Fixed a stapling cache deallocation crash.
* Fixed "redirect" with protocol negotiation.
Features:
* "protocolHost" support for "socks" protocol clients.
* More detailed logs in OpenSSL 3.0 or later.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Bugfixes
* Fixed a memory leak while reloading stunnel.conf sections with
"client=yes" and "delay=no".
* Fixed TIMEOUTocsp with values greater than 4.
* Fix the IPv6 test on a non-IPv6 machine.
Features
* HELO replaced with EHLO in the post-STARTTLS SMTP protocol negotiation
* OCSP stapling fetches moved away from server threads.
* Improved client-side session resumption.
* Added support for the mimalloc allocator.
* Check for protocolHost moved to configuration file processing for the
client-side CONNECT protocol.
* Clarified some confusing OpenSSL certificate verification error messages.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Automatically compute and substitute current values for all
$(AUTORELEASE) instances as this feature is deprecated and shouldn't be
used.
The following temporary change was made to the core:
diff --git a/rules.mk b/rules.mk
index 57d7995d4fa8..f16367de87a8 100644
--- a/rules.mk
+++ b/rules.mk
@@ -429,7 +429,7 @@ endef
abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))
COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
-AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
+AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
all:
FORCE: ;
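Review bot: the `+AUTORELEASE` line turns a variable expansion into a side effect: each immediate expansion of `$(AUTORELEASE)` (e.g. from `PKG_RELEASE:=$(AUTORELEASE)`) runs `sed -i` against `$(CURDIR)/Makefile`, and the variable itself then expands to sed's empty output, so `PKG_RELEASE` is empty for the rest of that make invocation. That is acceptable for the one-shot `make package/$i/download` loop below, and the message rightly calls the hunk temporary, but it must not be committed; `$(CURDIR)` also only names the package's own Makefile when make is entered through the `package/<name>/...` target, so the loop is the only safe way to drive it.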
And this command used to fix affected packages:
for i in $(cd feeds/packages; git grep -l PKG_RELEASE:=.*AUTORELEASE | \
sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/download
done
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
The CONTRIBUTING.md requests one (or multiple) SPDX identifiers for GPL
licenses. But a lot of packages used a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Update to latest stable release 5.54
Add new options ticketKeySecret and ticketMacSecret to uci validation.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The reworked init script:
* Loads and validates options using uci_validate_section() (through
uci_load_validate())
* Allows service options to be specified in the globals section
* Hard-codes less global options (debug, syslog), as their default
values already work
* Adds support for almost all options (up to the current package
version, 5.49)
* Moves the pid file into a subdirectory (/var/run/stunnel) so that it
can be created successfully when setuid is used
Certain options are omitted:
* chroot - requires more setup than the init script can manage
* fips, libwrap - disabled at compile-time
* iconActive, iconError, iconIdle, taskbar - gui/win32 only
* verify - obsolete, verifyChain and/or verifyPeer should be used
instead
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The registered URLs only point to the latest version. After adding the archive
URL we can now download older versions again.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add an enabled option for the service section, so you can keep your
configuration in place without applying this section on startup or service reload.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* 010_fix_getnameinfo.patch is no longer needed
* 011-cron-without-pthread-fix.patch added, fixes incorrect
ifdef when building without pthreads
Signed-off-by: Michael Haas <haas@computerlinguist.org>
From: Michael Haas <haas@computerlinguist.org>
* init script no longer creates certificates (consider client mode as use
case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it
is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure,
does not require cert
Possible enhancement: automatically generate certificate as done in
uhttpd. However, as client mode is a possible use case, I'd rather not.
Additionally, stunnel may use several certs with user-defined locations
and we can't easily set a cert location via command-line args.
The package is based on
https://sites.google.com/site/twisteroidambassador/openwrt/stunnel
Signed-off-by: Michael Haas <haas@computerlinguist.org>
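The client-mode setup the messages above describe (a stunnel.conf that runs in client mode and needs no certificate of its own, a pid file under /var/run/stunnel so it can be written after setuid, and verifyChain in place of the obsolete verify option), shown as an added example rather than the package's own sample file. The first service section accepts whatever certificate the remote end presents, which is stunnel's default when no verify* option is set; the second requires a chain to a trusted CA and checks that the certificate is for the host being contacted. Hostnames, ports, the service names and the CA bundle path are assumptions.

```ini
; Global options (assumed values).
; The pid directory matches the init script's choice so the file can be
; created after privileges are dropped.
pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nogroup
foreground = no
debug = 5

; Weak: client mode with no peer verification. Any certificate, including a
; self-signed one from an on-path attacker, is accepted.
[backend-unverified]
client = yes
accept = 127.0.0.1:9999
connect = backend.example.com:443

; Corrected: verify the server's chain against a CA bundle and require the
; certificate to be issued for the expected hostname. No local cert is needed
; because this side is the TLS client.
[backend]
client = yes
accept = 127.0.0.1:9998
connect = backend.example.com:443
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = backend.example.com
```

Only one of the two sections would be kept in a real deployment; the unverified one is shown so the difference is visible side by side. On OpenWrt the init script generates an equivalent file from UCI, so the same option names apply there.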