pkgsrc/security/hitch/Makefile

# $NetBSD: Makefile,v 1.8 2018/12/15 21:12:22 wiz Exp $

DISTNAME=	hitch-1.4.8
CATEGORIES=	security
MASTER_SITES=	https://hitch-tls.org/source/

MAINTAINER=	fhajny@NetBSD.org
HOMEPAGE=	https://hitch-tls.org/
COMMENT=	High performance SSL/TLS proxy
LICENSE=	2-clause-bsd

BUILD_DEPENDS+=	${PYPKGPREFIX}-docutils-[0-9]*:../../textproc/py-docutils

GNU_CONFIGURE=	yes
USE_TOOLS+=	pkg-config

.include "../../mk/bsd.prefs.mk"

CHECK_PORTABILITY_SKIP+=	src/tests/*

CONFIGURE_ARGS+=	--with-rst2man=${PREFIX}/bin/rst2man.py${PYVERSSUFFIX}

CPPFLAGS.SunOS+=	-D__EXTENSIONS__
LIBS.SunOS+=		-lnsl -lsocket

BUILD_DEFS+=		HITCH_USER HITCH_GROUP HITCH_CERTS

HITCH_USER?=		hitch
HITCH_GROUP?=		hitch
HITCH_CERTS?=		${PKG_SYSCONFDIR}/certs.pem
HITCH_OCSP?=		${VARBASE}/db/hitch

PKG_GROUPS+=		${HITCH_GROUP}
PKG_USERS+=		${HITCH_USER}:${HITCH_GROUP}
PKG_GECOS.${HITCH_USER}=hitch daemon user

RCD_SCRIPTS=		hitch

MESSAGE_SUBST+=		HITCH_CERTS=${HITCH_CERTS}

SUBST_CLASSES+=		dir
SUBST_STAGE.dir=	pre-configure
SUBST_FILES.dir=	hitch.conf.example src/configuration.c
SUBST_VARS.dir=		HITCH_USER HITCH_GROUP HITCH_CERTS HITCH_OCSP
SUBST_MESSAGE.dir=	Setting default configuration values

PKG_SYSCONFSUBDIR=	hitch
CONF_FILES+=		share/examples/hitch/hitch.conf.example \
			${PKG_SYSCONFDIR}/hitch.conf

INSTALLATION_DIRS+=	share/examples/hitch

OWN_DIRS_PERMS+=	${HITCH_OCSP} ${HITCH_USER} ${HITCH_GROUP} 0755

post-install:
	${MV} ${DESTDIR}${PREFIX}/share/doc/hitch/hitch.conf.example \
		${DESTDIR}${PREFIX}/share/examples/hitch

PYTHON_FOR_BUILD_ONLY=	yes
.include "../../lang/python/pyversion.mk"
.include "../../devel/libev/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
*: update email for fhajny 2018-12-15 22:12:18 +01:00			`# $NetBSD: Makefile,v 1.8 2018/12/15 21:12:22 wiz Exp $`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00
security/hitch: Update to 1.4.8. hitch-1.4.8 (2018-04-19) ------------------------ - Reworked the dynamic backend bits. - Update docs to recommend running Hitch as a separate non-privileged user. hitch-1.4.7 (2018-01-11) ------------------------ - Massive test suite refactor and update. - Fix OpenBSD/FreeBSD/POSIX portability issues: restrict fstat(1) to OpenBSD, bring sockstat(1) support back, drop pathchk(1) usage in the test suite, switch from sockstat(1) to fstat(1) - Add an OCSP refresh timeout parameter - Autotools polish - Random usage of config section if reduntant - Support for separate key files - Fix logging to syslog even when set to syslog = off - Making log-filename, recv-bufsize and send-bufsize parameters available though command line and config file. - Fix: global backaddr is assumed to be static - Add support for session-cache in config file and as cmdline option - Plug file descriptor leak: killing worker processes would leave the pipe's write end open, leaking one file descriptor per worker upon reload 2018-09-07 15:54:45 +02:00			`DISTNAME= hitch-1.4.8`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`CATEGORIES= security`
			`MASTER_SITES= https://hitch-tls.org/source/`

*: update email for fhajny 2018-12-15 22:12:18 +01:00			`MAINTAINER= fhajny@NetBSD.org`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`HOMEPAGE= https://hitch-tls.org/`
			`COMMENT= High performance SSL/TLS proxy`
			`LICENSE= 2-clause-bsd`

			`BUILD_DEPENDS+= ${PYPKGPREFIX}-docutils-[0-9]*:../../textproc/py-docutils`

			`GNU_CONFIGURE= yes`
			`USE_TOOLS+= pkg-config`

			`.include "../../mk/bsd.prefs.mk"`

Update security/hitch to 1.4.4. hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure. 2017-01-09 14:02:20 +01:00			`CHECK_PORTABILITY_SKIP+= src/tests/*`

Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`CONFIGURE_ARGS+= --with-rst2man=${PREFIX}/bin/rst2man.py${PYVERSSUFFIX}`

			`CPPFLAGS.SunOS+= -D__EXTENSIONS__`
Update security/hitch to 1.4.0. hitch-1.4.0 (2016-09-12) - Fix a bug in the OCSP request code where it broke if the OCSP responder required a Host header. (#113) - Add support for ECC certificates (#116). hitch-1.4.0-beta1 (2016-08-26) - NPN/ALPN support for negotiating a protocol in the SSL handshake. This lets you use Hitch for terminating TLS in front of an HTTP/2 capable backend. For ALPN, OpenSSL 1.0.2 is needed, while NPN requires OpenSSL 1.0.1. - Expanded PROXY protocol support for communicating an ALPN/NPN negotiated protocol to the backend. Hitch will now include the ALPN/NPN protocol that was selected during the handshake as part of the PROXYv2 header. 2016-09-19 11:33:57 +02:00			`LIBS.SunOS+= -lnsl -lsocket`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00
			`BUILD_DEFS+= HITCH_USER HITCH_GROUP HITCH_CERTS`

			`HITCH_USER?= hitch`
			`HITCH_GROUP?= hitch`
			`HITCH_CERTS?= ${PKG_SYSCONFDIR}/certs.pem`
Update security/hitch to 1.4.4. hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure. 2017-01-09 14:02:20 +01:00			`HITCH_OCSP?= ${VARBASE}/db/hitch`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00
			`PKG_GROUPS+= ${HITCH_GROUP}`
			`PKG_USERS+= ${HITCH_USER}:${HITCH_GROUP}`
			`PKG_GECOS.${HITCH_USER}=hitch daemon user`

			`RCD_SCRIPTS= hitch`

			`MESSAGE_SUBST+= HITCH_CERTS=${HITCH_CERTS}`

			`SUBST_CLASSES+= dir`
			`SUBST_STAGE.dir= pre-configure`
Update security/hitch to 1.4.4. hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure. 2017-01-09 14:02:20 +01:00			`SUBST_FILES.dir= hitch.conf.example src/configuration.c`
			`SUBST_VARS.dir= HITCH_USER HITCH_GROUP HITCH_CERTS HITCH_OCSP`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`SUBST_MESSAGE.dir= Setting default configuration values`

			`PKG_SYSCONFSUBDIR= hitch`
Update security/hitch to 1.3.1. hitch-1.3.1 (2016-08-16) - Fixes a bug in the autotools configuration which led to man pages not being built. hitch-1.3.0 (2016-08-16) - Fix a bug where we crashed in the OCSP handling if there was no default SSLCTX configured. - Minor documentation fix. hitch-1.3.0-beta3 (2016-07-26) - Fully automated retrieval and refreshes of OCSP responses (see configuration.md for details). - New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo. - Cleanup of various log messages. - Verification of OCSP staples. Enabled by setting ocsp-verify-staple = on. - Make rst2man an optional requirement (#93). Thanks to Barry Allard. - Avoid stapling expired OCSP responses - A few fixes to the shared cache updating code. Thanks to Piyush Dewnani hitch-1.3.0-beta2 (2016-05-31) - Options given on the command line now take presedence over configuration file settings. I.e. there is no longer a need to specify --config first to get this behavior. - Config file regression: "yes" and "no" are now accepted by the config file parser as boolean values. - Documentation improvements and spelling fixes. - Various minor autotools build fixes. hitch-1.3.0-beta1 (2016-05-11) - Support for OCSP stapling (see configuration.md for details) - Initialize OpenSSL locking callback if an engine is loaded. Some SSL accelerator cards have their custom SSL engine running in a multithreaded context. For these to work correctly, Hitch needs to initialize a set of mutexes utilized by the OpenSSL library. - #82: A mistake in the SNI lookup code caused us to inspect the wrong list when looking for wildcard certificate matches. 2016-08-22 11:34:40 +02:00			`CONF_FILES+= share/examples/hitch/hitch.conf.example \`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`${PKG_SYSCONFDIR}/hitch.conf`

			`INSTALLATION_DIRS+= share/examples/hitch`

Update security/hitch to 1.4.4. hitch-1.4.4 (2016-12-22) ------------------------ - OpenSSL 1.1.0 compatibility fixes. OpenSSL 1.1.0 is now fully supported with Hitch. - Fix a bug in the OCSP refresh code that could make it loop with immediate refreshes flooding an OCSP responder. - Force the SSL_OP_SINGLE_DH_USE setting. This protects against an OpenSSL vulnerability where a remote attacker could discover private DH exponents (CVE-2016-0701). hitch-1.4.3 (2016-11-14) ------------------------ - OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. - Build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed. hitch-1.4.2 (2016-11-08) ------------------------ - Example configuration file hitch.conf.example has been shortened and defaults moved into Hitch itself. Default cipher string is now what we believe to be secure. Users are recommended to use the built-in default from now on, unless they have special requirements. - hitch.conf(5) manual has been added. - Hitch will now send a TLS Close notification during connection teardown. This fixes an incomplete read with a GnuTLS client when the backend (thttpd) used EOF to signal end of data, leaving some octets discarded by gnutls client-side. (Issue 127_) - Autotools will now detect SO_REUSEPORT availability. (Issue 122_) - Improved error handling on memory allocation failure. 2017-01-09 14:02:20 +01:00			`OWN_DIRS_PERMS+= ${HITCH_OCSP} ${HITCH_USER} ${HITCH_GROUP} 0755`

Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`post-install:`
Update security/hitch to 1.3.1. hitch-1.3.1 (2016-08-16) - Fixes a bug in the autotools configuration which led to man pages not being built. hitch-1.3.0 (2016-08-16) - Fix a bug where we crashed in the OCSP handling if there was no default SSLCTX configured. - Minor documentation fix. hitch-1.3.0-beta3 (2016-07-26) - Fully automated retrieval and refreshes of OCSP responses (see configuration.md for details). - New parameters ocsp-dir, ocsp-resp-tmo and ocsp-connect-tmo. - Cleanup of various log messages. - Verification of OCSP staples. Enabled by setting ocsp-verify-staple = on. - Make rst2man an optional requirement (#93). Thanks to Barry Allard. - Avoid stapling expired OCSP responses - A few fixes to the shared cache updating code. Thanks to Piyush Dewnani hitch-1.3.0-beta2 (2016-05-31) - Options given on the command line now take presedence over configuration file settings. I.e. there is no longer a need to specify --config first to get this behavior. - Config file regression: "yes" and "no" are now accepted by the config file parser as boolean values. - Documentation improvements and spelling fixes. - Various minor autotools build fixes. hitch-1.3.0-beta1 (2016-05-11) - Support for OCSP stapling (see configuration.md for details) - Initialize OpenSSL locking callback if an engine is loaded. Some SSL accelerator cards have their custom SSL engine running in a multithreaded context. For these to work correctly, Hitch needs to initialize a set of mutexes utilized by the OpenSSL library. - #82: A mistake in the SNI lookup code caused us to inspect the wrong list when looking for wildcard certificate matches. 2016-08-22 11:34:40 +02:00			`${MV} ${DESTDIR}${PREFIX}/share/doc/hitch/hitch.conf.example \`
Import hitch-1.2.0 as security/hitch (based on wip/hitch). Hitch is a libev-based high performance SSL/TLS proxy by Varnish Software. 2016-05-25 22:15:34 +02:00			`${DESTDIR}${PREFIX}/share/examples/hitch`

			`PYTHON_FOR_BUILD_ONLY= yes`
			`.include "../../lang/python/pyversion.mk"`
			`.include "../../devel/libev/buildlink3.mk"`
			`.include "../../security/openssl/buildlink3.mk"`
			`.include "../../mk/bsd.pkg.mk"`