diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..413edf9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/stunnel-5.56.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
new file mode 100644
index 0000000..01414ab
--- /dev/null
+++ b/.stunnel.metadata
@@ -0,0 +1 @@
+a7fa3fb55d698f50f3d54e4fc08588a119f21cad SOURCES/stunnel-5.56.tar.gz
diff --git a/SOURCES/Certificate-Creation b/SOURCES/Certificate-Creation
new file mode 100644
index 0000000..16d86f9
--- /dev/null
+++ b/SOURCES/Certificate-Creation
@@ -0,0 +1,9 @@
+To generate a key and self signed certificate, execute the following commands:
+
+cd /etc/pki/tls/certs
+make stunnel.pem
+
+Note that by default, the file containing the key and certificate has its
+permissions set to 0600, which means that any service using it needs to be
+started as root in order to read it. Such a service should be configured
+to switch UIDs using stunnel's "-s" flag.
diff --git a/SOURCES/pop3-redirect.xinetd b/SOURCES/pop3-redirect.xinetd
new file mode 100644
index 0000000..73b95ad
--- /dev/null
+++ b/SOURCES/pop3-redirect.xinetd
@@ -0,0 +1,17 @@
+# default: off
+# description: The POP3 redirector allows client software which does not have \
+# native support for SSL to connect to the local machine's POP3 \
+# port and have the connection forwarded over the network using \
+# SSL. You will need to modify stunnel-pop3s-client.conf to \
+# specify the server to connect to in order for this to be useful.
+service pop3
+{
+ disable = yes
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/sbin/stunnel
+ server_args = /etc/stunnel/stunnel-pop3s-client.conf
+ log_on_success += USERID
+ log_on_failure += USERID
+}
diff --git a/SOURCES/sfinger.xinetd b/SOURCES/sfinger.xinetd
new file mode 100644
index 0000000..39a91f5
--- /dev/null
+++ b/SOURCES/sfinger.xinetd
@@ -0,0 +1,11 @@ +# Not that anyone in their right mind would tunnel the finger protocol over +# SSL, but here's how to do it using xinetd.... +service sfinger +{ + disable = yes + socket_type = stream + wait = no + user = root + server = /usr/sbin/stunnel + server_args = /etc/stunnel/stunnel-sfinger.conf +} diff --git a/SOURCES/stunnel-5.50-authpriv.patch b/SOURCES/stunnel-5.50-authpriv.patch new file mode 100644 index 0000000..13c1e9c --- /dev/null +++ b/SOURCES/stunnel-5.50-authpriv.patch @@ -0,0 +1,52 @@ +diff -up stunnel-5.50/doc/stunnel.8.in.authpriv stunnel-5.50/doc/stunnel.8.in +--- stunnel-5.50/doc/stunnel.8.in.authpriv 2018-12-02 23:47:20.000000000 +0100 ++++ stunnel-5.50/doc/stunnel.8.in 2019-01-14 12:15:05.135100163 +0100 +@@ -200,7 +200,7 @@ info (6), or debug (7). All logs for th + all levels numerically less than it will be shown. Use \fIdebug = debug\fR or + \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5). + .Sp +-The syslog facility 'daemon' will be used unless a facility name is supplied. ++The syslog facility 'authpriv' will be used unless a facility name is supplied. + (Facilities are not supported on Win32.) + .Sp + Case is ignored for both facilities and levels. +diff -up stunnel-5.50/doc/stunnel.html.in.authpriv stunnel-5.50/doc/stunnel.html.in +--- stunnel-5.50/doc/stunnel.html.in.authpriv 2018-12-02 23:47:21.000000000 +0100 ++++ stunnel-5.50/doc/stunnel.html.in 2019-01-14 12:15:05.136100146 +0100 +@@ -244,7 +244,7 @@ + +

Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use debug = debug or debug = 7 for greatest debugging output. The default is notice (5).

+ +-

The syslog facility 'daemon' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

++

The syslog facility 'authpriv' will be used unless a facility name is supplied. (Facilities are not supported on Win32.)

+ +

Case is ignored for both facilities and levels.

+ +diff -up stunnel-5.50/doc/stunnel.pod.in.authpriv stunnel-5.50/doc/stunnel.pod.in +--- stunnel-5.50/doc/stunnel.pod.in.authpriv 2018-12-02 23:47:18.000000000 +0100 ++++ stunnel-5.50/doc/stunnel.pod.in 2019-01-14 12:15:05.136100146 +0100 +@@ -192,7 +192,7 @@ info (6), or debug (7). All logs for th + all levels numerically less than it will be shown. Use I or + I for greatest debugging output. The default is notice (5). + +-The syslog facility 'daemon' will be used unless a facility name is supplied. ++The syslog facility 'authpriv' will be used unless a facility name is supplied. + (Facilities are not supported on Win32.) + + Case is ignored for both facilities and levels. +diff -up stunnel-5.50/src/options.c.authpriv stunnel-5.50/src/options.c +--- stunnel-5.50/src/options.c.authpriv 2019-01-14 12:15:05.136100146 +0100 ++++ stunnel-5.50/src/options.c 2019-01-14 12:16:25.537727511 +0100 +@@ -1745,8 +1745,12 @@ NOEXPORT char *parse_service_option(CMD + case CMD_SET_DEFAULTS: + section->log_level=LOG_NOTICE; + #if !defined (USE_WIN32) && !defined (__vms) ++#if defined(LOG_AUTHPRIV) ++ new_global_options.log_facility=LOG_AUTHPRIV; ++#else + new_global_options.log_facility=LOG_DAEMON; + #endif ++#endif + break; + case CMD_SET_COPY: + section->log_level=new_service_options.log_level; diff --git a/SOURCES/stunnel-5.50-systemd-service.patch b/SOURCES/stunnel-5.50-systemd-service.patch new file mode 100644 index 0000000..9fc170b --- /dev/null +++ b/SOURCES/stunnel-5.50-systemd-service.patch @@ -0,0 +1,11 @@ +diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in +--- stunnel-5.50/tools/stunnel.service.in.systemd-service 2019-01-14 12:17:15.826868965 +0100 ++++ stunnel-5.50/tools/stunnel.service.in 2019-01-14 12:18:21.186753131 +0100 +@@ -5,6 +5,7 @@ After=syslog.target network.target + [Service] + ExecStart=@bindir@/stunnel + Type=forking ++PrivateTmp=true + + [Install] + WantedBy=multi-user.target 
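Review bot: The three documentation hunks state unconditionally that 'authpriv' is the default facility, while the `options.c` hunk still falls back to `LOG_DAEMON` when `LOG_AUTHPRIV` is not defined, so docs and code disagree on such platforms. Either qualify the sentence, for example `The syslog facility 'authpriv' ('daemon' where authpriv is unavailable) will be used unless a facility name is supplied.`, or add a comment beside the `#else` saying the fallback is intentional. The nested conditional would also read more clearly with `#endif /* LOG_AUTHPRIV */` on the inner `#endif`. Since authpriv messages are commonly routed to a root-only log file, any log collection that watched the `daemon` facility for stunnel events will presumably need to be updated; that deserves a line in the package changelog. parse_service_option continues outside the hunk.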
diff --git a/SOURCES/stunnel-5.56-coverity.patch b/SOURCES/stunnel-5.56-coverity.patch
new file mode 100644
index 0000000..526f7f0
--- /dev/null
+++ b/SOURCES/stunnel-5.56-coverity.patch
@@ -0,0 +1,22 @@
+diff -up stunnel-5.48/src/str.c.coverity stunnel-5.48/src/str.c
+--- stunnel-5.48/src/str.c.coverity 2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/str.c 2018-09-04 17:24:08.949928906 +0200
+@@ -165,6 +165,7 @@ char *str_vprintf(const char *format, va
+ for(;;) {
+ va_copy(ap, start_ap);
+ n=vsnprintf(p, size, format, ap);
++ va_end(ap);
+ if(n>-1 && n<(int)size)
+ return p;
+ if(n>-1) /* glibc 2.1 */
+diff -up stunnel-5.48/src/stunnel.c.coverity stunnel-5.48/src/stunnel.c
+--- stunnel-5.48/src/stunnel.c.coverity 2018-07-02 23:30:10.000000000 +0200
++++ stunnel-5.48/src/stunnel.c 2018-09-04 17:24:08.949928906 +0200
+@@ -364,7 +364,6 @@ NOEXPORT int accept_connection(SERVICE_O
+ #endif
+ if(create_client(fd, s, alloc_client_session(opt, s, s))) {
+ s_log(LOG_ERR, "Connection rejected: create_client failed");
+- closesocket(s);
+ #ifndef USE_FORK
+ service_free(opt);
+ #endif
diff --git a/SOURCES/stunnel-5.56-curves-doc-update.patch b/SOURCES/stunnel-5.56-curves-doc-update.patch
new file mode 100644
index 0000000..84a01a3
--- /dev/null
+++ b/SOURCES/stunnel-5.56-curves-doc-update.patch
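Review bot: In the `accept_connection` hunk, dropping `closesocket(s)` from the `create_client` failure branch is only safe if the callee closes `s` on every one of its failure paths, and nothing visible in the hunk establishes that. If the call can fail before it takes ownership of the socket, one descriptor leaks per rejected connection, which on a listening service is a resource-exhaustion risk. Once the ownership has been confirmed against the callee, I would record it at the removal site, e.g. `/* s is closed by create_client() on failure; closing it here would be a double close */`. The inner patch headers still name `stunnel-5.48` although the file is called `stunnel-5.56-coverity.patch`; it applies with `-p1`, but the mismatch is worth tidying. Both functions continue outside their hunks.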
@@ -0,0 +1,66 @@ +--- stunnel-5.56/doc/stunnel.8.in.curves-doc-update 2020-04-16 17:12:48.171590017 +0200 ++++ stunnel-5.56/doc/stunnel.8.in 2020-04-16 17:16:07.001603122 +0200 +@@ -473,6 +473,8 @@ This file contains multiple CRLs, used w + .IX Item "curves = list" + \&\s-1ECDH\s0 curves separated with ':' + .Sp ++Note: This option is supported for server mode sockets only. ++.Sp + Only a single curve name is allowed for OpenSSL older than 1.1.0. + .Sp + To get a list of supported curves use: +--- stunnel-5.56/doc/stunnel.html.in.curves-doc-update 2020-04-16 17:13:25.664962696 +0200 ++++ stunnel-5.56/doc/stunnel.html.in 2020-04-16 17:16:55.897111302 +0200 +@@ -568,6 +568,8 @@ + +

ECDH curves separated with ':'

+ ++

Note: This option is supported for server mode sockets only.

++ +

Only a single curve name is allowed for OpenSSL older than 1.1.0.

+ +

To get a list of supported curves use:

+--- stunnel-5.56/doc/stunnel.pod.in.curves-doc-update 2020-04-16 17:13:43.412139122 +0200 ++++ stunnel-5.56/doc/stunnel.pod.in 2020-04-16 17:17:25.414418073 +0200 +@@ -499,6 +499,8 @@ I options. + + ECDH curves separated with ':' + ++Note: This option is supported for server mode sockets only. ++ + Only a single curve name is allowed for OpenSSL older than 1.1.0. + + To get a list of supported curves use: +--- stunnel-5.56/doc/stunnel.pl.pod.in.curves-doc-update 2020-04-16 17:25:22.631934496 +0200 ++++ stunnel-5.56/doc/stunnel.pl.pod.in 2020-04-16 17:47:46.872353210 +0200 +@@ -507,6 +507,8 @@ przez opcje I i Ikrzywe ECDH odddzielone ':'

+ ++

Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera.

++ +

Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej.

+ +

Listę dostępnych krzywych można uzyskać poleceniem:

+--- stunnel-5.56/doc/stunnel.pl.8.in.curves-doc-update 2020-04-16 17:24:25.665369474 +0200 ++++ stunnel-5.56/doc/stunnel.pl.8.in 2020-04-16 17:45:14.141792786 +0200 +@@ -483,6 +483,8 @@ przez opcje \fIverifyChain\fR i \fIverif + .IX Item "curves = lista" + krzywe \s-1ECDH\s0 odddzielone ':' + .Sp ++Uwaga: ta opcja wpływa tylko na gniazda w trybie serwera. ++.Sp + Wersje OpenSSL starsze niż 1.1.0 pozwalają na użycie tylko jednej krzywej. + .Sp + Listę dostępnych krzywych można uzyskać poleceniem: diff --git a/SOURCES/stunnel-5.56-default-tls-version.patch b/SOURCES/stunnel-5.56-default-tls-version.patch new file mode 100644 index 0000000..2515ee6 --- /dev/null +++ b/SOURCES/stunnel-5.56-default-tls-version.patch 
@@ -0,0 +1,92 @@ +--- stunnel-5.56/src/prototypes.h.default-tls-version 2020-04-06 11:22:24.480280384 +0200 ++++ stunnel-5.56/src/prototypes.h 2020-04-06 11:21:05.407597053 +0200 +@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE); + ICON_IMAGE load_icon_file(const char *); + #endif + ++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL ++ crypto policies */ ++ + #endif /* defined PROTOTYPES_H */ + + /* end of prototypes.h */ +--- stunnel-5.56/src/options.c.default-tls-version 2020-04-06 18:58:48.947214149 +0200 ++++ stunnel-5.56/src/options.c 2020-04-08 15:45:18.093520780 +0200 +@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD + return "Invalid protocol version"; + return NULL; /* OK */ + case CMD_INITIALIZE: +- if(section->max_proto_version && section->min_proto_version && +- section->max_proto_versionmin_proto_version) ++ if(section->max_proto_version != USE_DEFAULT_TLS_VERSION ++ && section->min_proto_version != USE_DEFAULT_TLS_VERSION ++ && section->max_proto_versionmin_proto_version) + return "Invalid protocol version range"; + break; + case CMD_PRINT_DEFAULTS: +@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD + /* sslVersionMax */ + switch(cmd) { + case CMD_SET_DEFAULTS: +- section->max_proto_version=0; /* highest supported */ ++ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in ++ OpenSSL crypto ++ policies.Do not ++ override it */ + break; + case CMD_SET_COPY: + section->max_proto_version=new_service_options.max_proto_version; +@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD + /* sslVersionMin */ + switch(cmd) { + case CMD_SET_DEFAULTS: +- section->min_proto_version=TLS1_VERSION; ++ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in ++ OpenSSL crypto ++ policies. 
Do not ++ override it */ + break; + case CMD_SET_COPY: + section->min_proto_version=new_service_options.min_proto_version; +--- stunnel-5.56/src/ctx.c.default-tls-version 2019-10-24 10:48:11.000000000 +0200 ++++ stunnel-5.56/src/ctx.c 2020-04-06 11:16:48.406406794 +0200 +@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio + section->ctx=SSL_CTX_new(TLS_client_method()); + else /* server mode */ + section->ctx=SSL_CTX_new(TLS_server_method()); +- if(!SSL_CTX_set_min_proto_version(section->ctx, +- section->min_proto_version)) { +- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", +- section->min_proto_version); +- return 1; /* FAILED */ ++ ++ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in \ ++ OpenSSL crypto policies. Not setting explicitly."); ++ } else { ++ if(!SSL_CTX_set_min_proto_version(section->ctx, ++ section->min_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X", ++ section->min_proto_version); ++ return 1; /* FAILED */ ++ } + } +- if(!SSL_CTX_set_max_proto_version(section->ctx, +- section->max_proto_version)) { +- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", +- section->max_proto_version); +- return 1; /* FAILED */ ++ ++ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) { ++ s_log(LOG_INFO, "Using the default TLS version as specified in \ ++ OpenSSL crypto policies. Not setting explicitly"); ++ } else { ++ if(!SSL_CTX_set_max_proto_version(section->ctx, ++ section->max_proto_version)) { ++ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X", ++ section->max_proto_version); ++ return 1; /* FAILED */ ++ } + } + #else /* OPENSSL_VERSION_NUMBER<0x10100000L */ + if(section->option.client) diff --git a/SOURCES/stunnel-5.56-system-ciphers.patch b/SOURCES/stunnel-5.56-system-ciphers.patch new file mode 100644 index 0000000..de8679c --- /dev/null 
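Review bot: The rewritten range check in the `CMD_INITIALIZE` branch drops the old non-zero guards, so a value of 0, which the removed default documented as "highest supported", now takes part in the comparison. If 0 can still be set from the configuration, an unrestricted maximum combined with any explicit minimum would be rejected as "Invalid protocol version range"; `if(section->max_proto_version>0 && section->min_proto_version>0 && section->max_proto_version<section->min_proto_version)` skips both 0 and `USE_DEFAULT_TLS_VERSION`. In `context_init` the two `LOG_INFO` strings use a backslash continuation, which embeds the next line's indentation in the logged text, and neither message says whether it concerns the minimum or the maximum; adjacent string literals with distinct wording would fix both. The protocol floor is now whatever the system policy sets rather than `TLS1_VERSION`, and this patch touches no documentation, so the `sslVersionMin`/`sslVersionMax` defaults in the man pages are presumably stale. Both functions continue outside the hunks.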
+++ b/SOURCES/stunnel-5.56-system-ciphers.patch @@ -0,0 +1,12 @@ +diff -up stunnel-5.55/src/options.c.system-ciphers stunnel-5.55/src/options.c +--- stunnel-5.55/src/options.c.system-ciphers 2019-09-19 14:43:00.631059024 +0200 ++++ stunnel-5.55/src/options.c 2019-09-19 14:51:02.120053849 +0200 +@@ -277,7 +277,7 @@ static char *option_not_found= + "Specified option name is not valid here"; + + static char *stunnel_cipher_list= +- "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK"; ++ "PROFILE=SYSTEM"; + + #ifndef OPENSSL_NO_TLS1_3 + static char *stunnel_ciphersuites= diff --git a/SOURCES/stunnel-5.56.tar.gz.asc b/SOURCES/stunnel-5.56.tar.gz.asc new file mode 100644 index 0000000..6142f0f --- /dev/null +++ b/SOURCES/stunnel-5.56.tar.gz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAl3YIPhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC +QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW +4BTuMw//R+LJhCo2prR6RIxEsYbfzIwkl9NwcE5EPTKse2umTOHsMRfVMpZiKjCl +5UC1tLbqUzSjAydQiFwdvcHZAJLWblr84p+CC5hEaS/rwX4PL221gqqrC8Ut7ap3 +n/v5gCJ8iqnpgZSgHPSGqucG3x1KlZotPnny1RVIjCSHPvoUtocAwJNSChRkyUT0 +ym8qhUPyOmRhYQZew1haxFJa26yc017dN5QZy+H3uo0zPLXaWJpPjJG/1pBtden4 +mL+mg8phZZ9MtBtEOK2NTA+4K24vcM+aHoEyMI/dcmi4NN256N5CJZ13tF3LgHNV +j0vp1a75p5aAMeRTv7zShegZGvJJciyYJKwRnOAUnHVFDhnsgd05VQHeWC1aFKjM +cXwrvHgGn+TG0V29ahnzR7NdVhkuP3etcqx6FuIgcj2omp0Bj4zFRlKSl4x+hY56 +MTvwksIXZTItHvffiE49ExGPA8OQW3S9Sr+lPFk98xjVuTU/P8GIVNp2kof4ezYN +Yhav4mA/KAkMX0fb+Cw6eyZl0aZEPx76hhkKhh2OmR8w3k5X2hetGcXX1/UFEHCm +uNCvWwV5Ry6Kc8Zpr8p6fUOh0Se4cNi59c1FKEwMX1hTgLklbIZioiFM/fR0RLOJ +PU/Cq+NbaZ3O8Cup7PsVjCDgXTcKcQAdQTOxgfW6f+szmTo5Qx4= +=RhpX +-----END PGP SIGNATURE----- diff --git a/SOURCES/stunnel-pop3s-client.conf b/SOURCES/stunnel-pop3s-client.conf new file mode 100644 index 0000000..eb7fda9 --- /dev/null +++ b/SOURCES/stunnel-pop3s-client.conf 
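Review bot: `"PROFILE=SYSTEM"` is a distribution extension rather than a standard OpenSSL cipher keyword, so `stunnel_cipher_list` no longer carries any floor of its own: the exclusions the old string spelled out (`!aNULL`, `!SSLv2`, `!DH`, `!kDHEPSK`) now hold only as far as the active system policy enforces them. A comment above the definition should say so, e.g. `/* cipher selection is delegated to the system-wide crypto policy; an OpenSSL build without that extension is expected to reject this string */`. The patch changes only `src/options.c`, so the default documented for `ciphers` in the man pages is presumably stale and should be updated in the same patch, as the authpriv patch does for its default.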
@@ -0,0 +1,8 @@
+# Sample configuration for stunnel, tunnelling cleartext connections on the
+# default port (without an "accept" setting, stunnel uses stdio) over an
+# encrypted channel to pop3s-server.example.com:pop3s. See stunnel(8) for
+# more information.
+client = yes
+connect = pop3s-server.example.com:pop3s
+CAfile = /usr/share/ssl/certs/ca-bundle.crt
+verify = 2
diff --git a/SOURCES/stunnel-sfinger.conf b/SOURCES/stunnel-sfinger.conf
new file mode 100644
index 0000000..912888a
--- /dev/null
+++ b/SOURCES/stunnel-sfinger.conf
@@ -0,0 +1,8 @@
+# Sample configuration for stunnel, forwarding data from encrypted connections
+# on the default port (without an "accept" setting, stunnel uses stdio) over
+# an unencrypted set of pipes which are used for stdio by in.fingerd. See
+# stunnel(8) for more information.
+exec = /usr/sbin/in.fingerd
+execargs = in.fingerd
+key = /etc/stunnel/stunnel.pem
+cert = /etc/stunnel/stunnel.pem
diff --git a/SOURCES/stunnel@.service b/SOURCES/stunnel@.service
new file mode 100644
index 0000000..d31ac9c
--- /dev/null
+++ b/SOURCES/stunnel@.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=TLS tunnel for %I
+After=syslog.target network.target
+
+[Service]
+ExecStart=/usr/bin/stunnel /etc/stunnel/%i.conf
+Type=forking
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
new file mode 100644
index 0000000..619dc00
--- /dev/null
+++ b/SPECS/stunnel.spec
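Review bot: `verify = 2` in stunnel-pop3s-client.conf checks only that the peer certificate chains to a CA in `CAfile`; it does not bind the certificate to the host named in `connect`, so a certificate issued for any other name by any CA in that bundle would be accepted. For a sample that users copy, I would use the newer options instead: `verifyChain = yes` together with `checkHost = pop3s-server.example.com`. The `CAfile` path `/usr/share/ssl/certs/ca-bundle.crt` also looks like a legacy location, whereas the packaged Certificate-Creation note works under `/etc/pki/tls/certs`; please confirm the bundle exists at the configured path on the target release.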
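Review bot: stunnel-sfinger.conf sets no `setuid`/`setgid`, and the matching sfinger.xinetd entry starts stunnel with `user = root`, so `in.fingerd` would presumably be executed as root for every connection. The packaged Certificate-Creation note already says that a service started as root to read the 0600 key file should switch UIDs, and the sample should demonstrate it, e.g. `setuid = nobody` and `setgid = nobody` (using an account that exists on the target system). Please confirm these options take effect in inetd mode before shipping them in the sample. The same note refers to a `"-s"` flag, while the samples here are configuration-file based, so its wording should be aligned with whatever option is finally used.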
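Review bot: The stunnel@.service template starts one stunnel per instance with `Type=forking` but no `PIDFile=`, while the spec in this commit compiles a single default PID path (`%{_localstatedir}/run/stunnel.pid`) into the binary. Unless every `/etc/stunnel/%i.conf` sets its own `pid =`, two instances would presumably contend for the same PID file, and systemd has to guess the main PID of each. A comment at the top of the unit would make the requirement visible, e.g. `# each instance's %i.conf must set a unique "pid = ..." path`. `After=syslog.target` is obsolete on current systemd and can be dropped.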
@@ -0,0 +1,720 @@
+# Do not generate provides for private libraries
+%global __provides_exclude_from ^%{_libdir}/stunnel/.*$
+
+%if 0%{?fedora} > 27 || 0%{?rhel} > 7
+%bcond_with libwrap
+%else
+%bcond_without libwrap
+%endif
+
+Summary: A TLS-encrypting socket wrapper
+Name: stunnel
+Version: 5.56
+Release: 4%{?dist}
+License: GPLv2
+Group: Applications/Internet
+URL: http://www.stunnel.org/
+Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
+Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
+Source2: Certificate-Creation
+Source3: sfinger.xinetd
+Source4: stunnel-sfinger.conf
+Source5: pop3-redirect.xinetd
+Source6: stunnel-pop3s-client.conf
+Source7: stunnel@.service
+Patch0: stunnel-5.50-authpriv.patch
+Patch1: stunnel-5.50-systemd-service.patch
+Patch3: stunnel-5.56-system-ciphers.patch
+Patch4: stunnel-5.56-coverity.patch
+Patch5: stunnel-5.56-default-tls-version.patch
+Patch6: stunnel-5.56-curves-doc-update.patch
+# util-linux is needed for rename
+BuildRequires: gcc
+BuildRequires: openssl-devel, pkgconfig, util-linux
+BuildRequires: autoconf automake libtool
+%if %{with libwrap}
+Buildrequires: tcp_wrappers-devel
+%endif
+BuildRequires: /usr/bin/pod2man
+BuildRequires: /usr/bin/pod2html
+# build test requirements
+BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
+BuildRequires: systemd
+%{?systemd_requires}
+
+%description
+Stunnel is a socket wrapper which can provide TLS/SSL
+(Transport Layer Security/Secure Sockets Layer) support
+to ordinary applications. For example, it can be used in
+conjunction with imapd to create a TLS secure IMAP server.
+
+%prep
+%setup -q
+%patch0 -p1 -b .authpriv
+%patch1 -p1 -b .systemd-service
+%patch3 -p1 -b .system-ciphers
+%patch4 -p1 -b .coverity
+%patch5 -p1 -b .default-tls-version
+%patch6 -p1 -b .curves-doc-update
+
+# Fix the configure script output for FIPS mode and stack protector flag
+sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
+
+# Fix a testcase with system-ciphers support
+sed -i '/client = yes/a \\ ciphers = PSK' tests/recipes/014_PSK_secrets
+
+%build
+#autoreconf -v
+CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS
+if pkg-config openssl ; then
+ CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
+ LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
+fi
+%configure --enable-fips --enable-ipv6 --with-ssl=%{_prefix} \
+%if %{with libwrap}
+--enable-libwrap \
+%else
+--disable-libwrap \
+%endif
+ CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
+make V=1 LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
+
+%install
+make install DESTDIR=%{buildroot}
+# Move the translated man pages to the right subdirectories, and strip off the
+# language suffixes.
+#for lang in fr pl ; do
+for lang in pl ; do
+ mkdir -p %{buildroot}/%{_mandir}/${lang}/man8
+ mv %{buildroot}/%{_mandir}/man8/*.${lang}.8* %{buildroot}/%{_mandir}/${lang}/man8/
+ rename ".${lang}" "" %{buildroot}/%{_mandir}/${lang}/man8/*
+done
+mkdir srpm-docs
+cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
+%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
+mkdir -p %{buildroot}%{_unitdir}
+cp %{buildroot}%{_datadir}/doc/stunnel/examples/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
+cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
+%endif
+
+%check
+# For unknown reason the 042_inetd test fails in Brew. The failure is not reproducible
+# in Fedora or normal RHEL-8 install.
+rm tests/recipes/042_inetd
+# We override the security policy as it is too strict for the tests.
+OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
+OPENSSL_CONF=
+export OPENSSL_CONF
+make test
+
+%files
+%{!?_licensedir:%global license %%doc}
+%doc AUTHORS.md BUGS.md CREDITS.md PORTS.md README.md TODO.md
+%doc tools/stunnel.conf-sample
+%doc srpm-docs/*
+%license COPY*
+%lang(en) %doc doc/en/*
+%lang(pl) %doc doc/pl/*
+%{_bindir}/stunnel
+%exclude %{_bindir}/stunnel3
+%exclude %{_datadir}/doc/stunnel
+%{_libdir}/stunnel
+%exclude %{_libdir}/stunnel/libstunnel.la
+%{_mandir}/man8/stunnel.8*
+%lang(pl) %{_mandir}/pl/man8/stunnel.8*
+%dir %{_sysconfdir}/%{name}
+%exclude %{_sysconfdir}/stunnel/*
+%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
+%{_unitdir}/%{name}*.service
+%endif
+
+%post
+/sbin/ldconfig
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun_with_restart %{name}.service
+
+%changelog
+* Thu Apr 16 2020 Sahana Prasad - 5.56-4
+- Updates documentation to specify that the option "curves" can be used in server mode only.
+
+* Wed Apr 08 2020 Sahana Prasad - 5.56-3
+- Fixes default tls version patch to handle default values from OpenSSL crypto policies
+
+* Mon Apr 06 2020 Sahana Prasad - 5.56-2
+- Adds default tls version patch to comply with OpenSSL crypto policies
+
+* Fri Apr 03 2020 Sahana Prasad - 5.56-1
+- New upstream release 5.56
+
+* Tue Sep 4 2018 Tomáš Mráz - 5.48-5
+- Fix -fstack-protector-strong build flag application
+- Fix bugs from Coverity scan
+
+* Fri Aug 3 2018 Tomáš Mráz - 5.48-3
+- Override system crypto policy for build tests
+
+* Tue Jul 31 2018 Tomáš Mráz - 5.48-2
+- Drop 042_inetd test which fails in the build environment
+
+* Tue Jul 24 2018 Tomáš Mráz - 5.48-1
+- New upstream release 5.48
+
+* Thu May 31 2018 Tomáš Mráz - 5.46-1
+- New upstream release 5.46
+
+* Fri Mar 2 2018 Tomáš Mráz - 5.44-5
+- Fix bind to localhost (patch backport by Christian Kujau) (#1542361)
+
+* Fri Feb 09 2018 Fedora Release Engineering - 5.44-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 25 2018 Igor Gnatenko - 5.44-3
+- Fix systemd executions/requirements
+
+* Mon Jan 15 2018 Tomáš Mráz - 5.44-2
+- Make the disablement of libwrap conditional
+
+* Thu Jan 11 2018 Tomáš Mráz - 5.44-1
+- New upstream release 5.44
+- Disable libwrap support (#1518789)
+
+* Tue Aug 22 2017 Tomáš Mráz - 5.42-1
+- New upstream release 5.42
+- Use the system cipher list by default (#1483967)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 5.41-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 5.41-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Apr 17 2017 Neal Gompa - 5.41-1
+- New upstream release 5.41
+
+* Mon Mar 20 2017 Neal Gompa - 5.40-1
+- New upstream release 5.40
+- Properly mark license files
+- Rebase patches
+- Eliminate unnecessary Provides
+- Small spec cleanups and fixes
+
+* Sat Feb 11 2017 Fedora Release Engineering - 5.35-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jul 21 2016 Tomáš Mráz - 5.35-1
+- New upstream release 5.35 with fix for bug #1358810
+
+* Wed Jul 13 2016 Tomáš Mráz - 5.34-1
+- New upstream release 5.34
+
+* Wed Feb 3 2016 Tomáš Mráz - 5.30-1
+- New upstream release 5.30
+- Add generic stunnel@.service provided by Štefan Gurský (#1195742)
+
+* Mon Jun 22 2015 Avesh Agarwal - 5.18-1
+- New upstream release 5.18.
+- Finally deleted the patch stunnel-5-sample.patch as upstream
+ has merged those changes.
+- Fixes patches as per new code changes.
+- Fixed systemd service file related changes.
+
+* Fri Jun 19 2015 Fedora Release Engineering - 5.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Jun 8 2015 Avesh Agarwal - 5.17-1
+- New upstream release 5.17.
+
+* Fri May 22 2015 Avesh Agarwal - 5.16-1
+- New upstream release 5.16.
+
+* Mon Apr 27 2015 Avesh Agarwal - 5.15-1
+- New upstream release 5.15.
+- 1155977: Fixed upstream too so removed the associated patch
+- Updates other patches too.
+
+* Mon Mar 30 2015 Avesh Agarwal - 5.14-1
+- New upstream release 5.14.
+
+* Sun Mar 29 2015 Avesh Agarwal - 5.13-1
+- New upstream release 5.13.
+
+* Sat Mar 28 2015 Avesh Agarwal - 5.12-1
+- New upstream release 5.12.
+
+* Fri Mar 27 2015 Avesh Agarwal - 5.11-1
+- New upstream release 5.11.
+
+* Wed Jan 28 2015 Avesh Agarwal - 5.10-1
+- New upstream release 5.10.
+
+* Thu Jan 8 2015 Avesh Agarwal - 5.09-1
+- 1163349: New upstream release 5.09.
+
+* Thu Dec 11 2014 Avesh Agarwal - 5.08-1
+- 1163349: New upstream release 5.08
+
+* Sun Nov 23 2014 Avesh Agarwal - 5.08b6-1
+- 1163349: New upstream beta release 5.08b6
+- Fixed incorrect reporting of fips status in configure.ac
+ at compile time, requires autoconf automake at buildtime
+- Fixed default OpenSSL directory issue by using with-ssl
+- Updates local patches
+- 1155977: Fixes man page issues
+
+* Tue Nov 04 2014 Avesh Agarwal - 5.07-1
+- New upstream release 5.07
+
+* Fri Oct 17 2014 Avesh Agarwal - 5.06-1
+- New upstream release 5.06
+- Addresses Poodle security issue
+
+* Wed Oct 8 2014 Avesh Agarwal - 5.05b5-1
+- rhbz #1144393: New upstream beta release
+- systemd socket activation support
+
+* Fri Sep 26 2014 Avesh Agarwal - 5.04-2
+- Fixes packaging issues mentioned in rhbz#226439
+
+* Mon Sep 22 2014 Avesh Agarwal - 5.04-1
+- New upstream realease 5.04
+- Updates local patches so that they apply cleanly to
+ avoud hunk errors
+
+* Thu Aug 28 2014 Avesh Agarwal - 5.03-1
+- New upstream realease 5.03
+
+* Mon Aug 18 2014 Fedora Release Engineering - 5.02-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Jul 14 2014 Avesh Agarwal - 5.02-1
+- rhbz#1108818: New upstream realease 5.02
+- Updated local patches
+- The rhbz#530950 is tested and seems to work. STRLEN has
+ been no longer allocated statically since 4.36 version.
+ So it is possible that this bz might have got fixed
+ around 4.36 release.
+- Fixes rpmlint errors
+
+* Sun Jun 08 2014 Fedora Release Engineering - 5.01-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon Apr 28 2014 Avesh Agarwal - 5.01-2
+- Integration with systemd.
+- Spec file clean up
+- Patched stunnel systemd unit file to have dependency on
+ network.target.
+- rhbz#455815: Packaged systemd service file
+- rhbz#782535: Fixed private tmp issue.
+- rhbz#995831: Fixed wrong encoding of french man page.
+
+* Thu Apr 17 2014 Avesh Agarwal - 5.01-1
+- New upstream realease 5.01
+- Supports OpenSSL DLLs 1.0.1g.
+- Fixes to take care of OpenSSL,s TLS heartbeat
+ read overrun (CVE-2014-0160).
+
+* Fri Mar 7 2014 Avesh Agarwal - 5.00-1
+- New upstream realease 5.00
+- Updated local patches.
+- Fix for CVE-2014-0016
+- Fixed changelog date errors
+- Fixes rhbz #1006819
+
+* Mon Aug 5 2013 Avesh Agarwal - 4.56-3
+- Ftp mirrors for NA does not work, so changing source code
+ URLs to the correct ones.
+
+* Sun Aug 04 2013 Fedora Release Engineering - 4.56-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Apr 1 2013 Avesh Agarwal - 4.56-1
+- New upstream realease 4.56.
+- Updated local patches.
+- Fixed upstream URL in spec file.
+- Sourced URL of sha256 hash file in spec file.
+
+* Tue Mar 26 2013 Avesh Agarwal - 4.55-2
+- Resolves: 927841
+
+* Mon Mar 4 2013 Avesh Agarwal - 4.55-1
+- New upstream realease 4.55
+- Updated local patches
+- enabled fips mode
+- Fixed for pod2man as it build-requires perl-podlators
+
+* Fri Feb 15 2013 Fedora Release Engineering - 4.54-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Dec 10 2012 Avesh Agarwal - 4.54-2
+- 884183: support for full relro.
+
+* Tue Oct 16 2012 Avesh Agarwal - 4.54-1
+- New upstream realease 4.54
+- Updated local patches
+
+* Sat Jul 21 2012 Fedora Release Engineering - 4.53-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon May 14 2012 Avesh Agarwal - 4.53-1
+- New upstream realease 4.53
+- Updated local patches
+
+* Tue Mar 6 2012 Avesh Agarwal - 4.52-1
+- New upstream realease 4.52
+- Updated local patches
+
+* Sat Jan 14 2012 Fedora Release Engineering - 4.50-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jan 3 2012 Avesh Agarwal - 4.50-1
+- New upstream realease 4.50
+- Updated local patches
+
+* Tue Sep 20 2011 Avesh Agarwal - 4.44-1
+- New upstream realease 4.44
+- Updated local patches
+
+* Fri Aug 19 2011 Avesh Agarwal - 4.42-1
+- New upstream realease 4.42
+- Updated local patches
+- Fixes #732069
+
+* Mon Aug 1 2011 Avesh Agarwal - 4.41-1
+- New upstream realease 4.41
+- Updated local patches to match the new release
+
+* Tue Jun 28 2011 Avesh Agarwal - 4.37-1
+- New upstream realease 4.37
+- Updated local patches to match the new release
+
+* Mon Apr 4 2011 Avesh Agarwal - 4.35-1
+- New upstream realease 4.35
+- Updated authpriv and sample patches to match the new release
+
+* Wed Feb 09 2011 Fedora Release Engineering - 4.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Oct 4 2010 Avesh Agarwal - 4.34-1
+- New upstream realease 4.34
+- Updated authpriv and sample patches to match the new release
+
+* Wed Apr 7 2010 Avesh Agarwal - 4.33-1
+- New upstream realease 4.33
+- Updated authpriv and sample patches to match the new release
+- Addresses bz 580117 (inted mode support issue)
+
+* Mon Mar 29 2010 Avesh Agarwal - 4.32-1
+- New upstream realease 4.32
+- Updated authpriv and sample patches to match the new release
+
+* Tue Feb 16 2010 Avesh Agarwal - 4.31-1
+- New upstream realease 4.31
+- Updated authpriv and sample patches to match the new release
+
+* Tue Jan 26 2010 Avesh Agarwal - 4.30-1
+- New upstream realease 4.30
+- Updated authpriv and sample patches for the new release
+
+* Wed Dec 09 2009 Avesh Agarwal - 4.29-1
+- New upstream realease 4.29
+- Updated authpriv and sample patches for the new release
+- Modified spec file to include dist tag
+
+* Fri Aug 21 2009 Tomas Mraz - 4.27-5
+- rebuilt with new openssl
+
+* Sun Jul 26 2009 Fedora Release Engineering - 4.27-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sun May 3 2009 Miloslav Trmač - 4.27-3
+- Fix the previous patch.
+
+* Wed Apr 29 2009 Miloslav Trmač - 4.27-2
+- Avoid aliasing undefined by ISO C
+
+* Thu Apr 16 2009 Miloslav Trmač - 4.27-1
+- Update to stunnel-4.27.
+
+* Wed Feb 25 2009 Fedora Release Engineering - 4.26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Tomas Mraz - 4.26-2
+- disable openssl upstream fips mode
+
+* Mon Sep 22 2008 Miloslav Trmač - 4.26-1
+- Update to stunnel-4.26.
+
+* Sun Jun 8 2008 Miloslav Trmač - 4.25-2
+- Use a clearer error message if the service name is unknown in "accept"
+ Resolves: #450344
+
+* Mon Jun 2 2008 Miloslav Trmač - 4.25-1
+- Update to stunnel-4.25
+
+* Tue May 20 2008 Miloslav Trmač - 4.24-2
+- Drop stunnel3
+ Resolves: #442842
+
+* Mon May 19 2008 Miloslav Trmač - 4.24-1
+- Update to stunnel-4.24
+
+* Fri Mar 28 2008 Miloslav Trmač - 4.22-1
+- Update to stunnel-4.22
+
+* Tue Feb 19 2008 Fedora Release Engineering - 4.20-6
+- Autorebuild for GCC 4.3
+
+* Tue Dec 4 2007 Miloslav Trmač - 4.20-5
+- Rebuild with openssl-0.9.8g
+
+* Tue Oct 16 2007 Miloslav Trmač - 4.20-4
+- Revert the port to NSS, wait for NSS-based stunnel 5.x instead
+ Resolves: #301971
+- Mark localized man pages with %%lang (patch by Ville Skyttä)
+ Resolves: #322281
+
+* Tue Aug 28 2007 Miloslav Trmač - 4.20-3.nss
+- Port to NSS
+
+* Mon Dec 4 2006 Miloslav Trmac - 4.20-2
+- Update BuildRequires for the separate tcp_wrappers-devel package
+
+* Thu Nov 30 2006 Miloslav Trmac - 4.20-1
+- Update to stunnel-4.20
+
+* Sat Nov 11 2006 Miloslav Trmac - 4.19-1
+- Update to stunnel-4.19
+
+* Wed Oct 25 2006 Miloslav Trmac - 4.18-1
+- Update to stunnel-4.18
+- Remove unused stunnel.cnf from the src.rpm
+- Fix some rpmlint warnings
+
+* Fri Aug 18 2006 Jesse Keating - 4.15-2
+- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
+ (#203001)
+
+* Wed Jul 12 2006 Jesse Keating - 4.15-1.1
+- rebuild
+
+* Sat Mar 18 2006 Miloslav Trmac - 4.15-1
+- Update to stunnel-4.15
+
+* Fri Feb 10 2006 Jesse Keating - 4.14-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 4.14-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 31 2006 Miloslav Trmac - 4.14-3
+- Use pthread threading to fix crash on x86_64 (#179236)
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Wed Nov 9 2005 Miloslav Trmac - 4.14-2
+- Rebuild with newer openssl
+
+* Thu Nov 3 2005 Miloslav Trmac - 4.14-1
+- Update to stunnel-4.14
+- Override changed default pid file location, keep it in %%{_localstatedir}/run
+
+* Sat Oct 22 2005 Miloslav Trmac - 4.13-1
+- Update to stunnel-4.13
+
+* Fri Sep 30 2005 Miloslav Trmac - 4.12-1
+- Update to stunnel-4.12
+
+* Thu Sep 22 2005 Miloslav Trmac - 4.11-2
+- Enable IPv6 (#169050, patch by Peter Bieringer)
+- Don't ship another copy of man pages in HTML
+
+* Tue Jul 12 2005 Miloslav Trmac - 4.11-1
+- Update to stunnel-4.11
+- Fix int/size_t mismatches in stack_info ()
+- Update Certificate-Creation for /etc/pki
+
+* Wed Jun 1 2005 Miloslav Trmac - 4.10-2
+- Fix inetd mode
+- Remove unnecessary Requires: and BuildRequires:
+- Clean up the spec file
+
+* Tue Apr 26 2005 Nalin Dahyabhai 4.10-1
+- update to 4.10
+
+* Tue Apr 26 2005 Nalin Dahyabhai 4.08-2
+- add buildprereqs on libtool, util-linux; change textutils/fileutils dep to
+ coreutils (#133961)
+
+* Wed Mar 16 2005 Nalin Dahyabhai 4.08-1
+- update to 4.08
+- build stunnel as a PIE binary
+
+* Mon Nov 22 2004 Miloslav Trmac - 4.05-4
+- Convert man pages to UTF-8
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Thu May 27 2004 Nalin Dahyabhai 4.05-2
+- move the sample configuration to %%doc, it shouldn't be used as-is (#124373)
+
+* Thu Mar 11 2004 Nalin Dahyabhai 4.05-1
+- update to 4.05
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Aug 7 2003 Elliot Lee 4.04-6
+- Fix libtool
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Fri Mar 21 2003 Nalin Dahyabhai 4.04-4
+- fix xinetd configuration samples
+
+* Mon Feb 10 2003 Nalin Dahyabhai 4.04-3
+- rebuild
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Wed Jan 15 2003 Nalin Dahyabhai 4.04-1
+- update to 4.04
+
+* Tue Jan 7 2003 Nalin Dahyabhai 4.03-1
+- use pkgconfig for information about openssl, if available
+
+* Fri Jan 3 2003 Nalin Dahyabhai
+- update to 4.03
+
+* Mon Oct 21 2002 Nalin Dahyabhai 4.02-1
+- update to 4.02
+
+* Fri Oct 4 2002 Nalin Dahyabhai 4.00-1
+- don't create a dummy cert
+
+* Wed Sep 25 2002 Nalin Dahyabhai
+- update to 4.00
+- remove textutils and fileutils as buildreqs, add automake/autoconf
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers
+- automated rebuild
+
+* Fri May 17 2002 Nalin Dahyabhai 3.22-2
+- rebuild in new environment
+
+* Wed Jan 2 2002 Nalin Dahyabhai 3.22-1
+- update to 3.22, correcting a format-string vulnerability
+
+* Wed Oct 31 2001 Nalin Dahyabhai 3.21a-1
+- update to 3.21a
+
+* Tue Aug 28 2001 Nalin Dahyabhai 3.20-1
+- log using LOG_AUTHPRIV facility by default (#47289)
+- make permissions on stunnel binary 0755
+- implicitly trust certificates in %%{_datadir}/ssl/trusted (#24034)
+
+* Fri Aug 10 2001 Nalin Dahyabhai 3.19-1
+- update to 3.19 to avoid problems with stunnel being multithreaded, but
+ tcp wrappers not being thrad-safe
+
+* Mon Jul 30 2001 Nalin Dahyabhai
+- update to 3.17
+
+* Mon Jul 23 2001 Nalin Dahyabhai
+- update to 3.16
+
+* Mon Jul 16 2001 Nalin Dahyabhai
+- update to 3.15
+- enable tcp-wrappers support
+
+* Tue May 29 2001 Nalin Dahyabhai
+- remove explicit requirement on openssl (specific version isn't enough,
+ we have to depend on shared library version anyway)
+
+* Fri Apr 27 2001 Nalin Dahyabhai
+- update to 3.14
+
+* Mon Mar 26 2001 Preston Brown
+- depend on make (#33148)
+
+* Fri Mar 2 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Tue Feb 6 2001 Nalin Dahyabhai
+- update to 3.13 to get pthread, OOB, 64-bit fixes
+- don't need sdf any more
+
+* Thu Dec 28 2000 Nalin Dahyabhai
+- pull in sdf to build the man page (#22892)
+
+* Fri Dec 22 2000 Nalin Dahyabhai
+- update to 3.11
+- chuck the SIGHUP patch (went upstream)
+- chuck parts of the 64-bit clean patch (went upstream)
+
+* Thu Dec 21 2000 Nalin Dahyabhai
+- update to 3.10
+- more 64-bit clean changes, hopefully the last bunch
+
+* Wed Dec 20 2000 Nalin Dahyabhai
+- change piddir from the default /var/stunnel to /var/run
+- clean out pid file on SIGHUP
+
+* Fri Dec 15 2000 Nalin Dahyabhai
+- update to 3.9 to get a security fix
+
+* Wed Oct 25 2000 Matt Wilson
+- change all unsigned longs to u_int32_t when dealing with network
+ addresses
+
+* Fri Aug 18 2000 Nalin Dahyabhai
+- make stunnel.pem also be (missingok)
+
+* Thu Jun 29 2000 Nalin Dahyabhai
+- move to Applications/Internet group
+- clean up %%post script
+- make stunnel.pem %%ghost %%config(noreplace)
+- provide a sample file for use with xinetd
+
+* Thu Jun 8 2000 Nalin Dahyabhai
+- FHS compliance fixes
+- modify defaults
+
+* Tue Mar 14 2000 Florian La Roche
+- update to 3.8
+- do not create certificate if one already exists
+
+* Mon Feb 21 2000 Florian La Roche
+- update to 3.7
+- add patch to find /usr/share/ssl
+- change some perms
+
+* Sat Oct 30 1999 Bernhard Rosenkraenzer
+- Modify spec file to match Red Hat standards
+
+* Thu Aug 12 1999 Damien Miller
+- Updated to 3.4a
+- Patched for OpenSSL 0.9.4
+- Cleaned up files section
+
+* Sun Jul 11 1999 Damien Miller
+- Updated to 3.3
+
+* Sat Nov 28 1998 Damien Miller
+- Initial RPMification
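Review bot: `Source1` ships the detached signature for the tarball, but nothing in `%prep` checks it before `%setup -q`, so the only integrity check visible in this commit is the checksum in `.stunnel.metadata`, which says nothing about who produced the archive. Adding the upstream signing key as a further source and verifying at the top of `%prep` would put the signature to use, e.g. `%{gpgverify} --keyring='%{SOURCE<N>}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` plus `BuildRequires: gnupg2`, where `<N>` is a placeholder for the new keyring source and the macro's availability on the target release needs checking. Separately, `%check` points `OPENSSL_SYSTEM_CIPHERS_OVERRIDE` at a nonexistent file and clears `OPENSSL_CONF`, so `make test` never exercises the `PROFILE=SYSTEM` default that Patch3 ships; the existing comment should say so, e.g. `# NOTE: tests therefore do not cover the shipped PROFILE=SYSTEM default`. `URL:` is still `http://` while both sources already use `https://`.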