When alt_config_file is set, global_defs() returns before creating
the PID file directory. stunnel then fails to start because it
cannot write its PID file to the nonexistent directory.
Move the PID directory creation and ownership setup above the
alt_config_file early return so it runs regardless of config mode.
Fixes: openwrt/openwrt#28982
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bugfixes:
* Fixed infinite loop triggered by OCSP URL parsing errors (thx to Richard Könning for reporting).
* Fixed OPENSSL_NO_OCSP build issues (thx to Dmitry Mostovoy for reporting).
* Fixed default curve selection in FIPS mode with OpenSSL 3.4+.
* Fixed tests with modern Python versions.
* Fixed tests with multiple OpenSSL versions installed.
Features:
* Added provider URI support for "cert" and "key" options.
* Added new "CAstore" service-level option (OpenSSL 3.0+).
* Added "provider" (OpenSSL 3.0+), "providerParameter" (OpenSSL 3.5+), and "setEnv" global options.
* Key file/URI path added to passphrase prompt on Unix.
* PKCS#11 provider installed on Windows.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Bugfixes:
* Fixed a stapling cache deallocation crash.
* Fixed "redirect" with protocol negotiation.
Features:
* "protocolHost" support for "socks" protocol clients.
* More detailed logs in OpenSSL 3.0 or later.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Bugfixes
* Fixed a memory leak while reloading stunnel.conf sections with
"client=yes" and "delay=no".
* Fixed TIMEOUTocsp with values greater than 4.
* Fixed the IPv6 test on a non-IPv6 machine.
Features
* HELO replaced with EHLO in the post-STARTTLS SMTP protocol negotiation.
* OCSP stapling fetches moved away from server threads.
* Improved client-side session resumption.
* Added support for the mimalloc allocator.
* Check for protocolHost moved to configuration file processing for the
client-side CONNECT protocol.
* Clarified some of OpenSSL's confusing certificate verification error messages.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Automatically compute and substitute current values for all
$(AUTORELEASE) instances as this feature is deprecated and shouldn't be
used.
The following temporary change was made to the core:
diff --git a/rules.mk b/rules.mk
index 57d7995d4fa8..f16367de87a8 100644
--- a/rules.mk
+++ b/rules.mk
@@ -429,7 +429,7 @@ endef
abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))
COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
-AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
+AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
all:
FORCE: ;
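Review bot: the replacement AUTORELEASE in this hunk is a recursively expanded variable whose body is `$(shell sed -i ...)`, so outside the DUMP path every reference to $(AUTORELEASE) re-runs `sed -i` on $(CURDIR)/Makefile and then expands to sed's empty output rather than a release number. That matches the stated purpose of a one-off substitution pass, but the message should state explicitly that this rules.mk change is not to be committed, and the fix-up loop below should be run only once per checkout so the already-substituted Makefiles are not touched again.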
And this command used to fix affected packages:
for i in $(cd feeds/packages; git grep -l PKG_RELEASE:=.*AUTORELEASE | \
sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/download
done
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Update to latest stable release 5.54
Add new options ticketKeySecret and ticketMacSecret to uci validation.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The reworked init script:
* Loads and validates options using uci_validate_section() (through
uci_load_validate())
* Allows service options to be specified in the globals section
* Hard-codes less global options (debug, syslog), as their default
values already work
* Adds support for almost all options (up to the current package
version, 5.49)
* Moves the pid file into a subdirectory (/var/run/stunnel) so that it
can be created successfully when setuid is used
Certain options are omitted:
* chroot - requires more setup than the init script can manage
* fips, libwrap - disabled at compile-time
* iconActive, iconError, iconIdle, taskbar - gui/win32 only
* verify - obsolete, verifyChain and/or verifyPeer should be used
instead
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
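The two points above about the PID file, that it lives in a subdirectory owned by the setuid user, and that the directory must be created before the alt_config_file early return (first message on this page), as an added POSIX sh illustration; this is not the OpenWrt stunnel init script itself, and the names stunnel_global_defs, stunnel_pid_dir and STUNNEL_ROOT are this example's own. STUNNEL_ROOT is a prefix so the demo runs unprivileged; ownership is only changed when running as root.

```shell
# Added illustration, not the OpenWrt package's init script.
STUNNEL_ROOT="${STUNNEL_ROOT:-/tmp/stunnel-example}"   # prefix so the demo runs unprivileged

# Create the PID directory and hand it to the service user when we are root:
# stunnel drops privileges via "setuid", so that user must own the directory
# or the PID file cannot be written after the privilege drop.
stunnel_pid_dir() {
    dir="$STUNNEL_ROOT/var/run/stunnel"
    mkdir -p "$dir" || return 1
    if [ "$(id -u)" = 0 ] && [ -n "$1" ]; then
        chown "$1" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# $1 = setuid user, $2 = alt_config_file (empty when running in uci mode).
# Prints the config path stunnel should be started with.
stunnel_global_defs() {
    setuid_user="$1"; alt_config_file="$2"
    # Directory handling sits ABOVE the early return, so an alternate config
    # file still gets a writable place for its "pid = ..." setting.
    pid_dir="$(stunnel_pid_dir "$setuid_user")" || return 1
    if [ -n "$alt_config_file" ]; then
        printf '%s\n' "$alt_config_file"
        return 0
    fi
    conf="$STUNNEL_ROOT/var/etc/stunnel.conf"
    mkdir -p "${conf%/*}" || return 1
    {
        echo "pid = $pid_dir/stunnel.pid"
        [ -n "$setuid_user" ] && echo "setuid = $setuid_user"
    } > "$conf"
    printf '%s\n' "$conf"
}
```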
The registered URLs only point to the latest version. After adding the archive
URL we can now download older versions again.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If a service section is not present in the configuration then stunnel will
always start anyway. This ends in a crash loop because the configuration is not
valid.
Checking in "uci" mode whether a service section is present, and only then
starting the stunnel service, will solve this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Do not send a SIGHUP on configuration reload; let procd restart the
service with stop/start. This is safer.
Add uci generated stunnel file to procd "file" attribute to
reload/restart the stunnel service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add an enabled option for the service section, so you can keep your
configuration in place without applying this section on startup or service reload.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* 010_fix_getnameinfo.patch is no longer needed
* 011-cron-without-pthread-fix.patch added, fixes incorrect
ifdef when building without pthreads
Signed-off-by: Michael Haas <haas@computerlinguist.org>
From: Michael Haas <haas@computerlinguist.org>
* init script no longer creates certificates (consider client mode as use
case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it
is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure,
does not require cert
Possible enhancement: automatically generate certificate as done in
uhttpd. However, as client mode is a possible use case, I'd rather not.
Additionally, stunnel may use several certs with user-defined locations
and we can't easily set a cert location via command-line args.
The package is based on
https://sites.google.com/site/twisteroidambassador/openwrt/stunnel
Signed-off-by: Michael Haas <haas@computerlinguist.org>