diff --git a/SOURCES/stunnel-4.56-doc-accept.patch b/SOURCES/stunnel-4.56-doc-accept.patch
new file mode 100644
index 0000000..0ecc606
--- /dev/null
+++ b/SOURCES/stunnel-4.56-doc-accept.patch
@@ -0,0 +1,36 @@
+diff -up stunnel-4.56/doc/stunnel.html.accept stunnel-4.56/doc/stunnel.html
+--- stunnel-4.56/doc/stunnel.html.accept 2015-11-12 16:10:44.446099618 +0100
++++ stunnel-4.56/doc/stunnel.html 2016-03-31 17:19:13.648400089 +0200
+@@ -379,7 +379,7 @@ below.
+ If no host specified, defaults to all IPv4 addresses for the local host.
+ To listen on all IPv6 addresses use:
+
+- connect = :::port
++ accept = :::port
+
+ CApath = directory
+
+diff -up stunnel-4.56/doc/stunnel.pod.accept stunnel-4.56/doc/stunnel.pod
+--- stunnel-4.56/doc/stunnel.pod.accept 2015-11-12 16:10:44.447099641 +0100
++++ stunnel-4.56/doc/stunnel.pod 2016-03-31 17:19:13.649400112 +0200
+@@ -349,7 +349,7 @@ If no host specified, defaults to all IP
+
+ To listen on all IPv6 addresses use:
+
+- connect = :::port
++ accept = :::port
+
+ =item B = directory
+
+diff -up stunnel-4.56/doc/stunnel.8.accept stunnel-4.56/doc/stunnel.8
+--- stunnel-4.56/doc/stunnel.8.accept 2015-11-12 16:10:44.446099618 +0100
++++ stunnel-4.56/doc/stunnel.8 2016-03-31 17:19:13.647400065 +0200
+@@ -336,7 +336,7 @@ If no host specified, defaults to all IP
+ To listen on all IPv6 addresses use:
+ .Sp
+ .Vb 1
+-\& connect = :::port
++\& accept = :::port
+ .Ve
+ .IP "\fBCApath\fR = directory" 4
+ .IX Item "CApath = directory"
diff --git a/SOURCES/stunnel-4.56-doc-curve.patch b/SOURCES/stunnel-4.56-doc-curve.patch
new file mode 100644
index 0000000..1ce1702
--- /dev/null
+++ b/SOURCES/stunnel-4.56-doc-curve.patch
@@ -0,0 +1,44 @@
+diff -up stunnel-4.56/doc/stunnel.html.curve stunnel-4.56/doc/stunnel.html
+--- stunnel-4.56/doc/stunnel.html.curve 2016-03-31 17:19:13.000000000 +0200
++++ stunnel-4.56/doc/stunnel.html 2016-03-31 17:22:48.552416398 +0200
+@@ -452,8 +452,8 @@ c_rehash the directory on upgrade from <
+ curve = nid
+
+
+-specify ECDH curve name
+-To get a list of supported cuves use:
++specify ECDH curve name for server
++To get a list of supported curves use:
+
+ openssl ecparam -list_curves
+ default: prime256v1
+diff -up stunnel-4.56/doc/stunnel.pod.curve stunnel-4.56/doc/stunnel.pod
+--- stunnel-4.56/doc/stunnel.pod.curve 2016-03-31 17:19:13.000000000 +0200
++++ stunnel-4.56/doc/stunnel.pod 2016-03-31 17:21:59.705276204 +0200
+@@ -427,9 +427,9 @@ This file contains multiple CRLs, used w
+
+ =item B = nid
+
+-specify ECDH curve name
++specify ECDH curve name for server
+
+-To get a list of supported cuves use:
++To get a list of supported curves use:
+
+ openssl ecparam -list_curves
+
+diff -up stunnel-4.56/doc/stunnel.8.curve stunnel-4.56/doc/stunnel.8
+--- stunnel-4.56/doc/stunnel.8.curve 2016-03-31 17:19:13.000000000 +0200
++++ stunnel-4.56/doc/stunnel.8 2016-03-31 17:23:15.072035422 +0200
+@@ -406,9 +406,9 @@ Certificate Revocation Lists file
+ This file contains multiple CRLs, used with the \fIverify\fR.
+ .IP "\fBcurve\fR = nid" 4
+ .IX Item "curve = nid"
+-specify \s-1ECDH\s0 curve name
++specify \s-1ECDH\s0 curve name for server
+ .Sp
+-To get a list of supported cuves use:
++To get a list of supported curves use:
+ .Sp
+ .Vb 1
+ \& openssl ecparam \-list_curves
diff --git a/SOURCES/stunnel-4.56-log-version.patch b/SOURCES/stunnel-4.56-log-version.patch
new file mode 100644
index 0000000..85fe12d
--- /dev/null
+++ b/SOURCES/stunnel-4.56-log-version.patch
@@ -0,0 +1,11 @@
+diff -up stunnel-4.56/src/client.c.log-version stunnel-4.56/src/client.c
+--- stunnel-4.56/src/client.c.log-version 2013-03-14 23:54:24.000000000 +0100
++++ stunnel-4.56/src/client.c 2016-03-31 17:17:01.438314029 +0200
+@@ -928,6 +928,7 @@ static void print_cipher(CLI *c) { /* pr
+
+ if(global_options.debug_levelssl));
+ cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
+ s_log(LOG_INFO, "Negotiated %s ciphersuite: %s (%d-bit encryption)",
+ SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher),
diff --git a/SOURCES/stunnel-4.56-pollhup.patch b/SOURCES/stunnel-4.56-pollhup.patch
new file mode 100644
index 0000000..a086f05
--- /dev/null
+++ b/SOURCES/stunnel-4.56-pollhup.patch
@@ -0,0 +1,146 @@
+diff -up stunnel-4.56/src/client.c.pollhup stunnel-4.56/src/client.c
+--- stunnel-4.56/src/client.c.pollhup 2016-03-31 17:17:01.438314029 +0200
++++ stunnel-4.56/src/client.c 2016-03-31 17:25:48.573618470 +0200
+@@ -595,35 +595,6 @@ static void transfer(CLI *c) {
+ }
+ }
+
+- /****************************** check for hangup conditions */
+- if(s_poll_hup(c->fds, c->sock_rfd->fd)) {
+- s_log(LOG_INFO, "Read socket closed (hangup)");
+- sock_open_rd=0;
+- }
+- if(s_poll_hup(c->fds, c->sock_wfd->fd)) {
+- if(c->ssl_ptr) {
+- s_log(LOG_ERR,
+- "Write socket closed (hangup) with %d unsent byte(s)",
+- c->ssl_ptr);
+- longjmp(c->err, 1); /* reset the socket */
+- }
+- s_log(LOG_INFO, "Write socket closed (hangup)");
+- sock_open_wr=0;
+- }
+- if(s_poll_hup(c->fds, c->ssl_rfd->fd) ||
+- s_poll_hup(c->fds, c->ssl_wfd->fd)) {
+- /* hangup -> buggy (e.g. Microsoft) peer:
+- * SSL socket closed without close_notify alert */
+- if(c->sock_ptr) {
+- s_log(LOG_ERR,
+- "SSL socket closed (hangup) with %d unsent byte(s)",
+- c->sock_ptr);
+- longjmp(c->err, 1); /* reset the socket */
+- }
+- s_log(LOG_INFO, "SSL socket closed (hangup)");
+- SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+- }
+-
+ /****************************** retrieve results from c->fds */
+ sock_can_rd=s_poll_canread(c->fds, c->sock_rfd->fd);
+ sock_can_wr=s_poll_canwrite(c->fds, c->sock_wfd->fd);
+@@ -828,6 +799,36 @@ static void transfer(CLI *c) {
+ }
+ }
+
++ /****************************** check for hangup conditions */
++ if(s_poll_rdhup(c->fds, c->sock_rfd->fd) &&
++ !s_poll_canread(c->fds, c->sock_rfd->fd)) {
++ s_log(LOG_INFO, "Read socket closed (hangup)");
++ sock_open_rd=0;
++ }
++ if(s_poll_hup(c->fds, c->sock_wfd->fd)) {
++ if(c->ssl_ptr) {
++ s_log(LOG_ERR,
++ "Write socket closed (hangup) with %d unsent byte(s)",
++ c->ssl_ptr);
++ longjmp(c->err, 1); /* reset the socket */
++ }
++ s_log(LOG_INFO, "Write socket closed (hangup)");
++ sock_open_wr=0;
++ }
++ if((s_poll_hup(c->fds, c->ssl_rfd->fd) && !s_poll_canread(c->fds, c->sock_rfd->fd)) ||
++ s_poll_hup(c->fds, c->ssl_wfd->fd)) {
++ /* hangup -> buggy (e.g. Microsoft) peer:
++ * SSL socket closed without close_notify alert */
++ if(c->sock_ptr) {
++ s_log(LOG_ERR,
++ "SSL socket closed (hangup) with %d unsent byte(s)",
++ c->sock_ptr);
++ longjmp(c->err, 1); /* reset the socket */
++ }
++ s_log(LOG_INFO, "SSL socket closed (hangup)");
++ SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
++ }
++
+ /****************************** check write shutdown conditions */
+ if(sock_open_wr && SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN && !c->ssl_ptr) {
+ sock_open_wr=0; /* no further write allowed */
+diff -up stunnel-4.56/src/network.c.pollhup stunnel-4.56/src/network.c
+--- stunnel-4.56/src/network.c.pollhup 2013-03-13 14:41:02.000000000 +0100
++++ stunnel-4.56/src/network.c 2016-03-31 17:25:48.574618494 +0200
+@@ -79,8 +79,12 @@ void s_poll_add(s_poll_set *fds, int fd,
+ fds->ufds[i].events=0;
+ fds->nfds++;
+ }
+- if(rd)
++ if(rd) {
+ fds->ufds[i].events|=POLLIN;
++#ifdef POLLRDHUP
++ fds->ufds[i].events|=POLLRDHUP;
++#endif
++ }
+ if(wr)
+ fds->ufds[i].events|=POLLOUT;
+ }
+@@ -103,12 +107,27 @@ int s_poll_canwrite(s_poll_set *fds, int
+ return 0; /* not listed in fds */
+ }
+
++/* best doc: http://lxr.free-electrons.com/source/net/ipv4/tcp.c#L456 */
++
+ int s_poll_hup(s_poll_set *fds, int fd) {
+ unsigned int i;
+
+ for(i=0; infds; i++)
+ if(fds->ufds[i].fd==fd)
+- return fds->ufds[i].revents&POLLHUP;
++ return fds->ufds[i].revents&POLLHUP; /* read and write closed */
++ return 0; /* not listed in fds */
++}
++
++int s_poll_rdhup(s_poll_set *fds, int fd) {
++ unsigned int i;
++
++ for(i=0; infds; i++)
++ if(fds->ufds[i].fd==fd)
++#ifdef POLLRDHUP
++ return fds->ufds[i].revents&POLLRDHUP; /* read closed */
++#else
++ return fds->ufds[i].revents&POLLHUP; /* read and write closed */
++#endif
+ return 0; /* not listed in fds */
+ }
+
+@@ -336,6 +355,12 @@ int s_poll_hup(s_poll_set *fds, int fd)
+ return 0; /* FIXME: how to detect HUP condition with select()? */
+ }
+
++int s_poll_rdhup(s_poll_set *fds, int fd) {
++ (void)fds; /* skip warning about unused parameter */
++ (void)fd; /* skip warning about unused parameter */
++ return 0; /* FIXME: how to detect RDHUP condition with select()? */
++}
++
+ int s_poll_error(s_poll_set *fds, int fd) {
+ /* error conditions are signaled as read, but apparently *not* in Winsock:
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
+diff -up stunnel-4.56/src/prototypes.h.pollhup stunnel-4.56/src/prototypes.h
+--- stunnel-4.56/src/prototypes.h.pollhup 2013-03-19 18:30:55.000000000 +0100
++++ stunnel-4.56/src/prototypes.h 2016-03-31 17:25:48.574618494 +0200
+@@ -385,6 +385,7 @@ void s_poll_add(s_poll_set *, int, int,
+ int s_poll_canread(s_poll_set *, int);
+ int s_poll_canwrite(s_poll_set *, int);
+ int s_poll_hup(s_poll_set *, int);
++int s_poll_rdhup(s_poll_set *, int);
+ int s_poll_error(s_poll_set *, int);
+ int s_poll_wait(s_poll_set *, int, int);
+
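Review bot: In the relocated SSL hangup check in transfer(), the new readability guard tests the plaintext socket (`!s_poll_canread(c->fds, c->sock_rfd->fd)`) although the hangup it qualifies is on `c->ssl_rfd->fd`. This looks like a copy from the read-socket check just above it. If so, a hangup on the TLS side is still acted on while TLS data is pending, and `SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)` then marks the session closed, which is the data-loss case this patch is meant to remove. I would write the condition as `if((s_poll_hup(c->fds, c->ssl_rfd->fd) && !s_poll_canread(c->fds, c->ssl_rfd->fd)) ||`, and add `/* no POLLRDHUP: only a full hangup is reported */` on the `#else` branch of `s_poll_rdhup()`. transfer() starts and ends outside the inner hunks shown.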
diff --git a/SOURCES/stunnel-4.56-tls.patch b/SOURCES/stunnel-4.56-tls.patch
new file mode 100644
index 0000000..05ea410
--- /dev/null
+++ b/SOURCES/stunnel-4.56-tls.patch
@@ -0,0 +1,12 @@
+diff -up stunnel-4.56/src/options.c.tls stunnel-4.56/src/options.c
+--- stunnel-4.56/src/options.c.tls 2015-11-12 16:10:44.000000000 +0100
++++ stunnel-4.56/src/options.c 2016-03-31 17:41:11.629988843 +0200
+@@ -1682,7 +1682,7 @@ static char *parse_service_option(CMD cm
+ return "Incorrect version of SSL protocol";
+ return NULL; /* OK */
+ case CMD_END:
+-#ifdef USE_FIPS
++#if 0
+ if(new_global_options.option.fips &&
+ ((section->option.client &&
+ section->client_method!=(SSL_METHOD *)TLSv1_client_method()) ||
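Review bot: Replacing `#ifdef USE_FIPS` with `#if 0` at `case CMD_END:` removes the FIPS protocol check altogether rather than widening it, so a section configured with a non-TLS method is no longer rejected at configuration parse time when `fips` is set. Whether OpenSSL's FIPS mode refuses those protocols later is not visible here, and relying on it moves the failure from config load to connection time. I would keep the block under `#ifdef USE_FIPS` and extend each comparison to also accept the TLS 1.1 and 1.2 methods, e.g. `section->client_method!=(SSL_METHOD *)TLSv1_1_client_method() && section->client_method!=(SSL_METHOD *)TLSv1_2_client_method()`, with the same for the server side. If the `#if 0` stays, add `/* disabled: TLS 1.1/1.2 must be allowed in FIPS mode; protocol restriction is left to OpenSSL */` above it so the dead block is not mistaken for an active control. The condition and the rest of `parse_service_option()` continue outside the hunk.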
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
index 84d7ab6..3a8edaf 100644
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@@ -1,7 +1,7 @@
Summary: An SSL-encrypting socket wrapper
Name: stunnel
Version: 4.56
-Release: 4%{?dist}
+Release: 6%{?dist}
License: GPLv2
Group: Applications/Internet
URL: http://www.stunnel.org/
@@ -15,6 +15,11 @@ Source5: pop3-redirect.xinetd
Source6: stunnel-pop3s-client.conf
Patch0: stunnel-4-authpriv.patch
Patch1: stunnel-4-sample.patch
+Patch2: stunnel-4.56-doc-accept.patch
+Patch3: stunnel-4.56-doc-curve.patch
+Patch4: stunnel-4.56-log-version.patch
+Patch5: stunnel-4.56-pollhup.patch
+Patch6: stunnel-4.56-tls.patch
Buildroot: %{_tmppath}/stunnel-root
# util-linux is needed for rename
BuildRequires: openssl-devel, pkgconfig, tcp_wrappers-devel, util-linux
@@ -32,6 +37,11 @@ in conjunction with imapd to create an SSL secure IMAP server.
%setup -q
%patch0 -p1 -b .authpriv
%patch1 -p1 -b .sample
+%patch2 -p1 -b .accept
+%patch3 -p1 -b .curve
+%patch4 -p1 -b .log-version
+%patch5 -p1 -b .pollhup
+%patch6 -p1 -b .tls
iconv -f iso-8859-1 -t utf-8 < doc/stunnel.fr.8 > doc/stunnel.fr.8_
mv doc/stunnel.fr.8_ doc/stunnel.fr.8
@@ -84,6 +94,14 @@ rm -rf $RPM_BUILD_ROOT
%exclude %{_sysconfdir}/stunnel/*
%changelog
+* Fri Apr 1 2016 Tomáš Mráz - 4.56-6
+- Do not lose data due to mishandled POLLHUP (#1170722)
+
+* Thu Mar 31 2016 Tomáš Mráz - 4.56-5
+- Allow TLS 1.1 and TLS 1.2 in FIPS mode
+- Documentation fixes of curve and accept/connect options (#1197340)
+- Add negotiated protocol version to the logs (#1275613)
+
* Fri Jan 24 2014 Daniel Mach - 4.56-4
- Mass rebuild 2014-01-24