-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Peter,
10-no-zlib-compression.patch
I'm completely confused by this patch. According to my tests it only makes stunnel reporting different errors when a user tries to enable compression on Debian. Why would anyone need this patch?
Well, the problem is that stunnel unconditionally adds zlib to the compression stack, no matter what compression algorithm the user has actually chosen. Right now, OpenSSL does not provide any other compression methods, just "zlib" and "rle", but if the user has her own OpenSSL version with a custom compression algorithm built in or added as some sort of extension, trying to use it would fail because stunnel would first try to add "zlib" - and that's not present on Debian.
This patch's purpose is mainly the ssl.c change, the "de-mandatorizing" of COMP_zlib(). The change to the configuration parser is more of a convenience - display an informative error message to the user about the Debian-specific reason that her choice of zlib would not work. That's the main reason why I haven't forwarded this particular patch to you yet - I do believe it to be a Debian-specific thing, and I do think that it's useful for Debian.
So the solution that might be merged upstream would be to somehow detect if the OpenSSL library was modified to remove zlib support, and to remove the dependency in this case. Am I right?
12-restore-pidfile-default.patch
I strongly disagree with this approach, as it breaks configuration file compatibility with the upstream. Debian should instead rewrite stunnel.conf when upgrading from stunnel 4.xx.
I agree with your strong disagreement with this patch. I was kind of uncomfortable adding it in the first place, but the point was to not break compatibility and, well, yes, to avoid rewriting the configuration file in a possibly buggy automated manner :/
My intention has always been to only keep this patch for one Debian release cycle, adding a warning during the system startup so that people might actually see it. Now that Debian 8 (Jessie) is scheduled to be released this weekend (here's hoping!), I will remove the patch in the next upload of stunnel that will target Debian unstable/testing. However, with all due respect (and I do really respect your opinion on this and pretty much all other stunnel- or security-related matters :), the stunnel version in Jessie will have the patch.
I see your point. The problem is that users may expect 5.x behavior when stunnel 5.x is installed, and not the backported 4.x behavior. Backporting 4.x behavior is probably fine as long as it is clearly documented on the manual page.
Right, these will be dropped in my upcoming update to stunnel-5.16 after Jessie is released.
Just be aware of the critical security vulnerability that allows certificate-based access control to be completely bypassed when the "redirect" option is used. Versions 5.00 to 5.12 are vulnerable. Other important bugfixes include a fix for truncated connections in stunnel 5.09, a fix for handling multiple connect/redirect destinations in stunnel 5.14, and memory leak fixes in stunnel 5.15. Adopting stunnel 5.16 might be easier than backporting those bugfixes.
Thanks a lot, and once again, apologies for my silence :(
I hope our communication will get better in the future. Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVOkw5AAoJEC78f/DUFuAUTbwQAIk/bMFzu3Z+UfphYmbt5/zl rMmVcIr9DPcFdx3qRAE02070/NVnjYs5tmLE9V3jz+RSm2aTOckoc79FUlhJWGuH lsbJZgJ9xcBuYzS0+Zhjk1vLTFR3cxZspr80wWbzkpZFAhrU53Hy2F9XvPRU6ErU ipQGcgrSzRGNziTpozujOXAq3qVJKJEYiyijnVaDUF3A9hfScG3hJmnWQYvBE10i Fitf3E2fCIGe4Igqw2heW84CgH1KQ2sHJm0bQ1MfykkLPh5rXnh7/ngNluLwpNP5 Nn2kzJfGENTUx/IZU+rIX73b+4ItTMTAr0xSmVd1j0/Q9zX/Sh8UWxKjVc3aTPQh A4ubO4gNxylrqSlBdYkjNTXOKUpOOb561S89BrvCMJLFuiEwH046v+D/zClTs0gN lUfbjaVqAS2iSo5vEewEZTmWVaL1EEnp6Qio62LLZrY2ZBmYU3wHuz3Sd7gxPHKl nOXRqvcXDhcrqWjaMQYrmLe64fYP0oSiO4GsRzGDyOoJkH/oCz7176I6c8P7kvhn wARfBJixasr7zxcQxir9TX1qormqtM2FzZ1Z9EAcuCFlvtiRHRjRHFZYFOgVgSuE k4VYXd3ANuqr1BpY+Xtl7n4/ObUajqyLIJDBgcwW1/3sYsXxcq5mCu65x4fSyO+r U1xkwCrJ8dsiqlQEFpb1 =YLQS -----END PGP SIGNATURE-----