File stunnel.spec of Package stunnel
#
# spec file for package stunnel (Version 4.16)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: stunnel
BuildRequires: openssl openssl-devel zlib-devel
%if 0%{?suse_version:1}
BuildRequires: tcpd-devel
%else
BuildRequires: gcc-c++ tcp_wrappers
%endif
Summary: Universal SSL Tunnel
License: GNU Library General Public License v. 2.0 and 2.1 (LGPL)
Version: 4.28
Release: 1.1
Group: Productivity/Networking/Security
URL: http://www.stunnel.org/
Autoreqprov: on
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 800
PreReq: /usr/sbin/useradd fileutils textutils %insserv_prereq %fillup_prereq
%endif
Source: http://www.stunnel.org/download/stunnel/src/%{name}-%{version}.tar.gz
Source1: stunnel.conf
Source2: stunnel.README
Source3: sysconfig.syslog-stunnel
Source4: stunnel.rc
Patch1: execargs.patch
Patch2: openssl097d.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define VENDOR SUSE
%description
The stunnel program is designed to work as an SSL encryption wrapper
between a remote client and the local (inetd-startable) or remote
server. The concept is that by having non-SSL aware daemons running on
your system, you can easily set them to communicate with clients over a
secure SSL channel. Stunnel can be used to add SSL functionality to
commonly used inetd daemons, such as POP-2, POP-3, and IMAP servers,
without any changes to the program code.
%prep
%setup -q
%patch1
%patch2
%build
#autoreconf -fi
sed -i 's/-m 1770 -g nogroup//g' tools/Makefile.in
%if %{?suse_version:%suse_version}%{?!suse_version:99999} > 930
fPIE="-fPIE"
pie="-pie"
%endif
export CFLAGS="$RPM_OPT_FLAGS $fPIE"
%configure \
--with-tcp-wrappers \
--localstatedir=/var \
--with-pem-dir=%{_sysconfdir}/stunnel
echo -e ".\n.\n.\n.\n.\n" | make LDADD="$pie -Wl,-z,defs,-z,relro"
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/var/lib/stunnel/{etc,dev,bin,sbin,%_lib,var/run}
mkdir -p $RPM_BUILD_ROOT/var/lib/stunnel
mkdir -p $RPM_BUILD_ROOT/etc/init.d/
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
make \
confdir=%{_sysconfdir}/stunnel \
sbindir=%{_sbindir} \
libdir=%{_libdir} \
mandir=%{_mandir} \
docdir=%{_docdir}/%{name} \
DESTDIR=$RPM_BUILD_ROOT \
install
cp -p %{S:1} tools/stunnel.conf-sample
cp -p %{S:2} README.%VENDOR
cp -p %{S:3} $RPM_BUILD_ROOT/var/adm/fillup-templates/
install -m 744 $RPM_SOURCE_DIR/stunnel.rc $RPM_BUILD_ROOT/etc/init.d/stunnel
ln -s ../../etc/init.d/stunnel $RPM_BUILD_ROOT/usr/sbin/rcstunnel
ln -s stunnel3 $RPM_BUILD_ROOT/usr/sbin/stunnel3_wrapper
mv $RPM_BUILD_ROOT/%{_bindir}/* $RPM_BUILD_ROOT/%{_sbindir}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.pem
rm $RPM_BUILD_ROOT/%{_sysconfdir}/stunnel/stunnel.conf-sample
rm -rf $RPM_BUILD_ROOT/usr/share/doc/stunnel
%clean
rm -rf $RPM_BUILD_ROOT
%pre
%if 0%{?suse_version} > 730
system_user=-r
%endif
/usr/sbin/useradd $system_user -g nogroup -s /bin/false -c "Daemon user for stunnel (universal SSL tunnel)" \
-d /var/lib/stunnel stunnel 2> /dev/null ||:
%post
%{fillup_and_insserv -f}
%{fillup_only -ans syslog stunnel}
%run_ldconfig
if ! test -s etc/stunnel/stunnel.conf; then
cp -p usr/share/doc/packages/stunnel/stunnel.conf-sample etc/stunnel/stunnel.conf
echo copying default config file to /etc/stunnel/stunnel.conf
fi
# first installation?
if [ ${FIRST_ARG:-0} = 1 ]; then
if ! test -f etc/stunnel/stunnel.pem; then
cat usr/share/doc/packages/stunnel/README.%VENDOR
fi
fi
%preun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%stop_on_removal stunnel
%endif
%postun
%if %{?suse_version:%suse_version}%{?!suse_version:0} > 820
%restart_on_update stunnel
%insserv_cleanup
%endif
%files
%defattr(-, root, root)
%doc AUTHORS BUGS COPYING COPYRIGHT.GPL CREDITS ChangeLog INSTALL NEWS PORTS README TODO
%doc README.%VENDOR
%doc doc/stunnel.html
%doc doc/stunnel.*.html
%doc doc/en/*
%doc doc/pl
%doc tools/ca.*
%doc tools/importCA.*
%doc tools/stunnel.cnf
%doc tools/stunnel.conf-sample
%{_sbindir}/*
%{_libdir}/stunnel
%{_mandir}/man8/*
%dir %attr(700,root,root) %{_sysconfdir}/stunnel
%dir %attr(755,root,root) /var/lib/stunnel
%dir %attr(755,root,root) /var/lib/stunnel/bin
%dir %attr(755,root,root) /var/lib/stunnel/etc
%dir %attr(755,root,root) /var/lib/stunnel/dev
%dir %attr(755,root,root) /var/lib/stunnel/%_lib
%dir %attr(755,root,root) /var/lib/stunnel/sbin
%dir %attr(755,root,root) /var/lib/stunnel/var
%dir %attr(755,stunnel,root) /var/lib/stunnel/var/run
/var/adm/fillup-templates/sysconfig.syslog-stunnel
%config /etc/init.d/*
%changelog
* Wed Feb 18 2009 - vetter@physik.uni-wuerzburg.de
- updated to 4.26
- adjust ownership of /var/lib/stunnel/var/run (pid file creation)
* Thu May 10 2007 - ro@suse.de
- added openssl to buildrequires
* Mon Apr 02 2007 - rguenther@suse.de
- add zlib-devel BuildRequires
* Tue Oct 17 2006 - poeml@suse.de
- there is no SuSEconfig.syslog script anymore, thus remove the
YaST hint from the sysconfig template
* Wed Sep 27 2006 - poeml@suse.de
- upstream 4.16
* New features sponsored by Hewlett-Packard
- A new global option to control engine: engineCtrl = <command>[:<parameter>]
- A new service-level option to select engine to read private key: engineNum = <engine number>
- OCSP support: ocsp = <URL>
* New features
- A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1
- Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
- OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
- An ordinary user can install stunnel again.
- Compilation problem with --enable-dh fixed.
- Some minor compilation warnings fixed.
- Service-level CRL cert store implemented.
- GPF on protocol negotiations fixed.
- Problem detecting addrinfo() on Tru64 fixed.
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- RFC 2487 autdetection improved (thx to Hans Werner Strube). High
resolution s_poll_wait() not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad
Muquit).
* Other changes
- Maximum number of services increased from 64 to 256 when poll() is used.
- add BuildRequires: tcp_wrappers gcc-c++ for building on Fedora
- remove doc files installed by make install, which are picked up
by %%doc
* Fri Jun 23 2006 - poeml@suse.de
- build as non-root
- build with fPIE/pie on SUSE 10.0 or newer, or on any other
platform
- fix BuildRequires for Fedora Core, and wrap suse_version macros
- upstream 4.15
* Release notes
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
[note by packager: out since 3 months, without major problems]
* Bugfixes
- Default threading model changed to pthread for better portability.
- DH parameters are not included in the certificate by default.
* New features sponsored by Software House http://www.swhouse.com/
- Most SSL-related options (including client, cert, key) are now
available on service level, so it is possible to have an SSL
client and an SSL server in a single stunnel process.
* New features
- Client mode CONNECT protocol support (RFC 2817 section 5.2).
http://www.ietf.org/rfc/rfc2817.txt
- Retrying exec+connect services added.
- make install now tries to create /var/lib/stunnel chmoded 1770
and group nogroup, which we don't do.
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Sun Nov 27 2005 - lmuelle@suse.de
- update to 4.14
* Thu Oct 06 2005 - poeml@suse.de
- fix hang/segfault upon connect. Use pthreads by removing
configure check for ucontext.h [#119650]
* Tue Aug 30 2005 - poeml@suse.de
- fix parsing of ldd output when setting up the chroot jail [#114090]
* Tue Jun 21 2005 - poeml@suse.de
- update to 4.10
- Some bugfixes and code cleanup were done.
- A new user-level non-preemptive thread model was added for even
greater scalability.
- The stunnel3 script was improved to be more compatible with
getopt.
- add post-4.10 stunnel-4.10-inetd.patch
- compile with tcp wrappers
- compile as PIE and link with -z relro
* Tue Jan 04 2005 - poeml@suse.de
- update to 4.07
* Bugfixes
- Problem with infinite poll() timeout negative, but not equal
to -1 fixed.
- Problem with a file descriptor ready to be read just after a
non-blocking connect call fixed.
- Compile error with EAI_NODATA not defined or equal to
EAI_NONAME fixed.
- IP address and TCP port textual representation length (IPLEN)
increased to 128 bytes.
- OpenSSL engine support is only used if engine.h header file
exists.
- Broken NT Service mode on WIN32 platform fixed.
- Support for IPv4-only WIN32 machines restored.
* Tue Dec 28 2004 - poeml@suse.de
- update to 4.06
In this version, IPv6 support, compression support, hardware
engine selection and many other features were added. A new
stunnel3 Perl script to emulate version 3.x command line options
was added. poll() is used instead of select() where available,
so FD_SETSIZE no longer limits the number of concurrent
connections.
- add stunnel-4.06-nfds.dif
stunnel-4.06-poll_timeout.patch
stunnel-4.06-race_condition.patch
* Thu Nov 11 2004 - poeml@suse.de
- fix filelist for /usr/lib
* Fri Mar 05 2004 - poeml@suse.de
- update to 4.05. new features (excerpt):
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Support for CIFS aka SMB protocol SSL negotiation.
* New features
- CRL support with new CApath and CAfile global options.
- New -fd command line parameter to read configuration
from a specified file descriptor instead of a file.
- accept is reported as error with [section] defined (in
stunnel 4.04 it was silently ignored causing problems
for lusers that did not read the fine manual).
- Use fcntl() instead of ioctlsocket() to set socket
nonblocking when it is supported.
- Basic support for hardware engines with OpenSSL >= 0.9.7.
- French manual by Bernard Choppy <choppy@imaginet.fr>.
- Thread stack size reduced to 64KB for maximum scalability.
- Added optional code to debug thread stack usage.
- Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
- TCP wrappers code moved to CRIT_NTOA critical section
since it uses static inet_ntoa() result buffer.
- SSL_ERROR_SYSCALL handling problems fixed.
- added code to retry nonblocking SSL_shutdown() calls.
- Use FD_SETSIZE instead of 16 file descriptors in inetd
mode.
- fdscanf groks lowercase protocol negotiation commands.
- Libwrap detection bug in ./configure script fixed.
- Some other minor updates.
- show readme only at first installation
* Tue Aug 26 2003 - poeml@suse.de
- add Config: syslog-ng to sysconfig.syslog-stunnel
* Thu Aug 14 2003 - poeml@suse.de
- add activation metadata to sysconfig template [#28954]
- rename README.SuSE to README.{SuSE,UnitedLinux}
- don't show blurb in %%post if a certificate exists
* Tue Aug 12 2003 - poeml@suse.de
- implement 'try-restart' in rcstunnel correctly [#28636]
* Wed Jul 30 2003 - poeml@suse.de
- add an example configuration for tunneling MySQL
- make stunnel3_wrapper compatible to more shells, and merge it
with stunnel3_convert (which becomes a symlink)
- new macros for stop/restart of services on rpm update/removal
* Tue May 13 2003 - poeml@suse.de
- delete (from the build root) files not to be packaged
- package the libtool library file
- add a commented option to the sample configuration
* Thu Mar 13 2003 - poeml@suse.de
- rc.stunnel: do not write the startup log to a world writable
directory [cf. #25239]
* Mon Feb 17 2003 - poeml@suse.de
- Version 4.04, 2003.01.12, urgency: MEDIUM:
* New features [excerpt]
- New 'options' configuration option to setup
OpenSSL library hacks with SSL_CTX_set_options().
- 'service' option also changes the name for
TCP Wrappers access control in inetd mode.
- SSL is negotiated before connecting remote host
or spawning local process whenever possible.
- REMOTE_HOST variable is always placed in the
enrivonment of a process spawned with 'exec'.
- Whole SSL error stack is dumped on errors.
- 'make cert' rule is back (was missing since 4.00).
- Manual page updated (special thanks to Brian Hatch).
* Bugfixes
- Major code cleanup (thx to Steve Grubb <linux_4ever@yahoo.com>).
- Unsafe functions are removed from SIGCHLD handler.
- Several bugs in auth_user() fixed.
- Incorrect port when using 'local' option fixed.
- OpenSSL tools '-rand' option is no longer directly
used with a device (like '/dev/urandom').
Temporary random file is created with 'dd' instead.
- fix typo in conf file example
* Wed Feb 12 2003 - mmj@suse.de
- Add sysconfig metadata [#22699]
* Thu Oct 31 2002 - poeml@suse.de
- update to 4.03
- add stunnel3_wrapper that translates the cmdline arguments into a
configuration file
- fix default path of pidfile
- more examples
* Fri Oct 25 2002 - poeml@suse.de
- write the pid file before dropping the privileges
* Fri Oct 25 2002 - poeml@suse.de
- major version upgrade to 4.02
- better permissions for /etc/stunnel and keys [#18557]
- run as "stunnel" user in chroot jail
- add sysconfig.syslog-stunnel template and /var/lib/stunnel/dev
for an additional syslog socket
- added init script and example configuration
* Sat Jul 27 2002 - adrian@suse.de
- use %%run_ldconfig
* Thu Mar 08 2001 - bk@suse.de
- update to 3.14 and fix localstatedir (/var/run/stunnel)
* Mon Feb 05 2001 - bk@suse.de
- fixed neededforbuild
* Sun Feb 04 2001 - bk@suse.de
- new package
