pkgsrc/security/stunnel/Makefile

# $NetBSD: Makefile,v 1.70 2010/04/15 09:57:47 tron Exp $

DISTNAME=		stunnel-4.33
CATEGORIES=		security
MASTER_SITES=		ftp://stunnel.mirt.net/stunnel/ \
			http://www.stunnel.org/download/stunnel/src/

MAINTAINER=		shaun@inerd.com
HOMEPAGE=		http://www.stunnel.org/
COMMENT=		Universal SSL tunnel
LICENSE=		gnu-gpl-v2

PKG_DESTDIR_SUPPORT=	user-destdir

BUILD_DEFS+=		VARBASE
USE_LIBTOOL=		yes
GNU_CONFIGURE=		yes
CONFIGURE_ARGS+=	--localstatedir=${VARBASE}
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+=	--with-cert-dir=${SSLCERTS:Q}
CONFIGURE_ARGS+=	--with-pem-dir=${SSLCERTS:Q}
CONFIGURE_ARGS+=	--with-ssl=${SSLBASE:Q}

STUNNEL_USER?=		stunnel
STUNNEL_GROUP?=		stunnel
PKG_HOME?=		${VARBASE}/chroot/stunnel
PKG_USERS=		${STUNNEL_USER}:${STUNNEL_GROUP}::Stunnel:${PKG_HOME}
PKG_GROUPS=		${STUNNEL_GROUP}
USER_GROUP=		${STUNNEL_USER} ${STUNNEL_GROUP}

PKG_SYSCONFSUBDIR=	stunnel
PKG_SYSCONFDIR_PERMS=	${USER_GROUP} 0700

OWN_DIRS_PERMS=		${PKG_HOME} ${USER_GROUP} 0700
CONF_FILES_PERMS+=	${PREFIX}/share/examples/stunnel/stunnel.conf-sample \
			    ${PKG_SYSCONFDIR}/stunnel.conf ${USER_GROUP} 0644

RCD_SCRIPTS=		stunnel

REPLACE_PERL+=		src/stunnel3.in
USE_TOOLS+=		perl:run

SUBST_CLASSES+=		chroot
SUBST_MESSAGE.chroot=	Fix chroot path
SUBST_STAGE.chroot=	pre-configure
SUBST_FILES.chroot=	tools/stunnel.conf-sample.in
SUBST_SED.chroot+=	-e 's|@prefix@/var/lib|@localstatedir@/chroot|'

SUBST_CLASSES+=		stunnel
SUBST_MESSAGE.stunnel=	Fix user and group
SUBST_STAGE.stunnel=	post-configure
SUBST_FILES.stunnel=	tools/stunnel.conf-sample
SUBST_SED.stunnel=	-e 's|setuid = nobody|setuid = ${STUNNEL_USER}|'
SUBST_SED.stunnel+=	-e 's|setgid = nogroup|setgid = ${STUNNEL_GROUP}|'

.include "options.mk"

.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
Update "stunnel" package to version 4.33. Changes since 4.29: - New features - New service-level "libwrap" option for run-time control whether /etc/hosts.allow and /etc/hosts.deny are used for access control. Disabling libwrap significantly increases performance of stunnel. - Log file reopen on USR1 signal was added. - Graceful configuration reload with HUP signal on Unix and with GUI on Windows. - Bugfixes - Inetd mode fixed - Fixed a transfer() loop issue with SSLv2 connections. - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option. - Logging subsystem bugfixes and cleanup. - Installer bugfixes for Vista and later versions of Windows. - FIPS mode can be enabled/disabled at runtime. 2010-04-15 11:57:47 +02:00			`# $NetBSD: Makefile,v 1.70 2010/04/15 09:57:47 tron Exp $`
A new pkg for the stunnel program, a tool to wrap existing servers into SSL connections. 2000-04-03 11:25:35 +02:00
Update "stunnel" package to version 4.33. Changes since 4.29: - New features - New service-level "libwrap" option for run-time control whether /etc/hosts.allow and /etc/hosts.deny are used for access control. Disabling libwrap significantly increases performance of stunnel. - Log file reopen on USR1 signal was added. - Graceful configuration reload with HUP signal on Unix and with GUI on Windows. - Bugfixes - Inetd mode fixed - Fixed a transfer() loop issue with SSLv2 connections. - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option. - Logging subsystem bugfixes and cleanup. - Installer bugfixes for Vista and later versions of Windows. - FIPS mode can be enabled/disabled at runtime. 2010-04-15 11:57:47 +02:00			`DISTNAME= stunnel-4.33`
Update stunnel to 3.9. For NetBSD, if in-tree OpenSSL exists, then the default certificate directory is now /etc/openssl/certs (matches OpenSSL's default), but if stunnel uses the pkgsrc OpenSSL, then the default is ${PREFIX}/certs. Changes from version 3.8 include: * Updated temporary key generation: - stunnel is now honoring requested key-lengths correctly, - temporary key is changed every hour. * transfer() no longer hangs on some platforms. Special thanks to Peter Wagemans for the patch. * Potential security problem with syslog() call fixed. * use daemon() function instead of daemonize, if available * added -S flag, allowing you to choose which default verify sources to use * relocated service name output logging until after log_open. (no longer outputs log info to inetd socket, causing bad SSL) * -V flag now outputs the default values used by stunnel * Added rigerous PRNG seeding * PID changes (and related security-fix) * Man page fixes * Client SSL Session-IDs now used * -N flag to specify tcpwrapper service name * UPGRADE NOTE: this version seriously changes several previous stunnel default behaviours. There are no longer any default cert file/dirs compilied into stunnel, you must use the --with-cert-dir and --with-cert-file configure arguments to set these manually, if desired. Stunnel does not use the underlying ssl library defaults by default unless configured with --enable-ssllib-cs. Note that these can always be enabled at run time with the -A,-a, and -S flags. Additionally, unless --with-pem-dir is specified at compile time, stunnel will default to looking for stunnel.pem in the current directory. 2000-12-19 08:03:21 +01:00			`CATEGORIES= security`
Update "stunnel" package to version 4.33. Changes since 4.29: - New features - New service-level "libwrap" option for run-time control whether /etc/hosts.allow and /etc/hosts.deny are used for access control. Disabling libwrap significantly increases performance of stunnel. - Log file reopen on USR1 signal was added. - Graceful configuration reload with HUP signal on Unix and with GUI on Windows. - Bugfixes - Inetd mode fixed - Fixed a transfer() loop issue with SSLv2 connections. - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option. - Logging subsystem bugfixes and cleanup. - Installer bugfixes for Vista and later versions of Windows. - FIPS mode can be enabled/disabled at runtime. 2010-04-15 11:57:47 +02:00			`MASTER_SITES= ftp://stunnel.mirt.net/stunnel/ \`
Update stunnel to 3.15. Based on a pkg provided by Martti Kuparinen in PR 13484. Changes include: * Serious bug resulting in random transfer() hangs fixed. * Separate file descriptors are used for inetd mode. * -f (foreground) logs are now stamped with time. * New ./configure option: --with-tcp-wrappers by Brian Hatch. * pop3 protocol client support (-n pop3) by Martin Germann. * nntp protocol client support (-n nntp) by Martin Germann. * RFC 2487 (smtp STARTTLS) client mode support. * Transparency support for Tru64 added. * Some #includes for AIX added. 2001-07-19 14:22:17 +02:00			`http://www.stunnel.org/download/stunnel/src/`
A new pkg for the stunnel program, a tool to wrap existing servers into SSL connections. 2000-04-03 11:25:35 +02:00
Update stunnel to 4.15. Patch provided by Shaun Amott via PR 34436, take maintainership. And define USE_LIBTOOL, regen patch with mkpatches. 2006-10-14 13:12:19 +02:00			`MAINTAINER= shaun@inerd.com`
Update stunnel to 3.9. For NetBSD, if in-tree OpenSSL exists, then the default certificate directory is now /etc/openssl/certs (matches OpenSSL's default), but if stunnel uses the pkgsrc OpenSSL, then the default is ${PREFIX}/certs. Changes from version 3.8 include: * Updated temporary key generation: - stunnel is now honoring requested key-lengths correctly, - temporary key is changed every hour. * transfer() no longer hangs on some platforms. Special thanks to Peter Wagemans for the patch. * Potential security problem with syslog() call fixed. * use daemon() function instead of daemonize, if available * added -S flag, allowing you to choose which default verify sources to use * relocated service name output logging until after log_open. (no longer outputs log info to inetd socket, causing bad SSL) * -V flag now outputs the default values used by stunnel * Added rigerous PRNG seeding * PID changes (and related security-fix) * Man page fixes * Client SSL Session-IDs now used * -N flag to specify tcpwrapper service name * UPGRADE NOTE: this version seriously changes several previous stunnel default behaviours. There are no longer any default cert file/dirs compilied into stunnel, you must use the --with-cert-dir and --with-cert-file configure arguments to set these manually, if desired. Stunnel does not use the underlying ssl library defaults by default unless configured with --enable-ssllib-cs. Note that these can always be enabled at run time with the -A,-a, and -S flags. Additionally, unless --with-pem-dir is specified at compile time, stunnel will default to looking for stunnel.pem in the current directory. 2000-12-19 08:03:21 +01:00			`HOMEPAGE= http://www.stunnel.org/`
Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT. 2001-02-17 18:42:09 +01:00			`COMMENT= Universal SSL tunnel`
Update "stunnel" package to version 4.27. Changes since 4.26: - New features - FIPS support was updated for openssl-fips 1.2. - New priority failover strategy for multiple "connect" targets, controlled with "failover=rr" (default) or "failover=prio". - pgsql protocol negotiation by Marko Kreen <markokr@gmail.com>. - Bugfixes - Libwrap helper processes fixed to close standard input/output/error file descriptors. 2009-07-10 13:23:10 +02:00			`LICENSE= gnu-gpl-v2`
A new pkg for the stunnel program, a tool to wrap existing servers into SSL connections. 2000-04-03 11:25:35 +02:00
Update to stunnel-4.24. 4.24: fix security problem (properly reject revoked certs) 4.23: WinNT bugfix 4.22: - A new global option to control logging to syslog. Simultaneous logging to a file and the syslog is now possible. - A new service level option to control stack size. - Restored chroot() to be executed after decoding numerical userid and groupid values in drop_privileges(). - A few bugs fixed the in the new libwrap support code. - TLSv1 method used by default in FIPS mode instead of SSLv3 client and SSLv23 server methods. 4.21: - Initial FIPS 140-2 support (see INSTALL.FIPS for details). - Experimental fast support for non-MT-safe libwrap is provided with pre-spawned processes. - Stunnel binary moved from /usr/local/sbin to /usr/local/bin in order to meet FHS and LSB requirements. - Added code to disallow compiling stunnel with pthreads when OpenSSL is compiled without threads support. - Minor manual update. - TODO file updated. - Dynamic locking callbacks added (needed by some engines to work). - AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments. - On some systems libwrap requires yp_get_default_domain from libnsl, additional checking for libnsl was added to the ./configure script. - Sending a list of trusted CAs for the client to choose the right certificate restored. - Some compatibility issues with NTLM authentication fixed. 2008-05-27 13:51:32 +02:00			`PKG_DESTDIR_SUPPORT= user-destdir`

- create a specific user:group for stunnel - fix the configuration path and file, so it can use the proper user:group and the chroot - fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads', 'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description) Bump PKGREVISION. 2009-10-31 00:54:52 +01:00			`BUILD_DEFS+= VARBASE`
Update stunnel to 4.15. Patch provided by Shaun Amott via PR 34436, take maintainership. And define USE_LIBTOOL, regen patch with mkpatches. 2006-10-14 13:12:19 +02:00			`USE_LIBTOOL= yes`
Replaced "# defined" with "yes" in Makefile variables like GNU_CONFIGURE, NO_BUILD, USE_LIBTOOL. 2005-09-28 22:52:18 +02:00			`GNU_CONFIGURE= yes`
Changes 4.26: * libwrap related fixes, better debugging messages, MS Visual C++ support Changes 4.25: * delay libwrap process spawning after dropping privs, other improvements 2008-10-17 09:31:58 +02:00			`CONFIGURE_ARGS+= --localstatedir=${VARBASE}`
			`CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}`
			`CONFIGURE_ARGS+= --with-cert-dir=${SSLCERTS:Q}`
			`CONFIGURE_ARGS+= --with-pem-dir=${SSLCERTS:Q}`
			`CONFIGURE_ARGS+= --with-ssl=${SSLBASE:Q}`
Install example file under the examples hierarchy and honour PKG_SYSCONFDIR. Bump PKGREVISION to 1. 2003-07-29 13:18:38 +02:00
- create a specific user:group for stunnel - fix the configuration path and file, so it can use the proper user:group and the chroot - fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads', 'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description) Bump PKGREVISION. 2009-10-31 00:54:52 +01:00			`STUNNEL_USER?= stunnel`
			`STUNNEL_GROUP?= stunnel`
			`PKG_HOME?= ${VARBASE}/chroot/stunnel`
			`PKG_USERS= ${STUNNEL_USER}:${STUNNEL_GROUP}::Stunnel:${PKG_HOME}`
			`PKG_GROUPS= ${STUNNEL_GROUP}`
			`USER_GROUP= ${STUNNEL_USER} ${STUNNEL_GROUP}`

Install example file under the examples hierarchy and honour PKG_SYSCONFDIR. Bump PKGREVISION to 1. 2003-07-29 13:18:38 +02:00			`PKG_SYSCONFSUBDIR= stunnel`
- create a specific user:group for stunnel - fix the configuration path and file, so it can use the proper user:group and the chroot - fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads', 'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description) Bump PKGREVISION. 2009-10-31 00:54:52 +01:00			`PKG_SYSCONFDIR_PERMS= ${USER_GROUP} 0700`

			`OWN_DIRS_PERMS= ${PKG_HOME} ${USER_GROUP} 0700`
			`CONF_FILES_PERMS+= ${PREFIX}/share/examples/stunnel/stunnel.conf-sample \`
			`${PKG_SYSCONFDIR}/stunnel.conf ${USER_GROUP} 0644`
Add OpenSSL directory to build defines. 2000-04-03 19:37:51 +02:00
Add simple rc.d script. Bump PKGREVISION. 2004-06-06 16:19:04 +02:00			`RCD_SCRIPTS= stunnel`
- create a specific user:group for stunnel - fix the configuration path and file, so it can use the proper user:group and the chroot - fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads', 'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description) Bump PKGREVISION. 2009-10-31 00:54:52 +01:00
Fixed warnings found by pkglint -Wall. 2006-02-17 08:43:36 +01:00			`REPLACE_PERL+= src/stunnel3.in`
REPLACE_PERL without a runtime dependency to Perl is useless. Bumped PKGREVISION. 2006-06-16 11:23:22 +02:00			`USE_TOOLS+= perl:run`
Add simple rc.d script. Bump PKGREVISION. 2004-06-06 16:19:04 +02:00
- create a specific user:group for stunnel - fix the configuration path and file, so it can use the proper user:group and the chroot - fix some pkglint warnings regarding PKG_OPTIONS: 'pthread' => 'threads', 'libwrap' => 'tcpwrappers' (in accordance to mk/defaults/options.description) Bump PKGREVISION. 2009-10-31 00:54:52 +01:00			`SUBST_CLASSES+= chroot`
			`SUBST_MESSAGE.chroot= Fix chroot path`
			`SUBST_STAGE.chroot= pre-configure`
			`SUBST_FILES.chroot= tools/stunnel.conf-sample.in`
			`SUBST_SED.chroot+= -e 's\|@prefix@/var/lib\|@localstatedir@/chroot\|'`

			`SUBST_CLASSES+= stunnel`
			`SUBST_MESSAGE.stunnel= Fix user and group`
			`SUBST_STAGE.stunnel= post-configure`
			`SUBST_FILES.stunnel= tools/stunnel.conf-sample`
			`SUBST_SED.stunnel= -e 's\|setuid = nobody\|setuid = ${STUNNEL_USER}\|'`
			`SUBST_SED.stunnel+= -e 's\|setgid = nogroup\|setgid = ${STUNNEL_GROUP}\|'`

Make pthreads support optional. Bump PKGREVISION. 2007-08-11 16:41:36 +02:00			`.include "options.mk"`
Update stunnel to 4.15. Patch provided by Shaun Amott via PR 34436, take maintainership. And define USE_LIBTOOL, regen patch with mkpatches. 2006-10-14 13:12:19 +02:00
Convert to buildlink3. 2004-04-25 05:12:29 +02:00			`.include "../../security/openssl/buildlink3.mk"`
A new pkg for the stunnel program, a tool to wrap existing servers into SSL connections. 2000-04-03 11:25:35 +02:00			`.include "../../mk/bsd.pkg.mk"`