diff --git a/.gitignore b/.gitignore
index 169d686..84378ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/stunnel-5.58.tar.gz
+SOURCES/stunnel-5.62.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
index 3a90b86..beea5ac 100644
--- a/.stunnel.metadata
+++ b/.stunnel.metadata
@@ -1 +1 @@
-7e9bd07267f9ff6505a68f5b7034ed0154651ab2 SOURCES/stunnel-5.58.tar.gz
+e18be56bfee006f5e58de044fda7bdcfaa425b3f SOURCES/stunnel-5.62.tar.gz
diff --git a/SOURCES/stunnel-5.50-systemd-service.patch b/SOURCES/stunnel-5.50-systemd-service.patch
deleted file mode 100644
index 9fc170b..0000000
--- a/SOURCES/stunnel-5.50-systemd-service.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up stunnel-5.50/tools/stunnel.service.in.systemd-service stunnel-5.50/tools/stunnel.service.in
---- stunnel-5.50/tools/stunnel.service.in.systemd-service	2019-01-14 12:17:15.826868965 +0100
-+++ stunnel-5.50/tools/stunnel.service.in	2019-01-14 12:18:21.186753131 +0100
-@@ -5,6 +5,7 @@ After=syslog.target network.target
- [Service]
- ExecStart=@bindir@/stunnel
- Type=forking
-+PrivateTmp=true
- 
- [Install]
- WantedBy=multi-user.target
diff --git a/SOURCES/stunnel-5.56-default-tls-version.patch b/SOURCES/stunnel-5.56-default-tls-version.patch
deleted file mode 100644
index b66753e..0000000
--- a/SOURCES/stunnel-5.56-default-tls-version.patch
+++ /dev/null
@@ -1,92 +0,0 @@
---- stunnel-5.56/src/prototypes.h.default-tls-version	2020-04-06 11:22:24.480280384 +0200
-+++ stunnel-5.56/src/prototypes.h	2020-04-06 11:21:05.407597053 +0200
-@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
- ICON_IMAGE load_icon_file(const char *);
- #endif
- 
-+#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
-+                                             crypto policies */
-+
- #endif /* defined PROTOTYPES_H */
-
- /* end of prototypes.h */
---- stunnel-5.56/src/options.c.default-tls-version	2020-04-06 18:58:48.947214149 +0200
-+++ stunnel-5.56/src/options.c	2020-04-08 15:45:18.093520780 +0200
-@@ -3123,8 +3123,9 @@ NOEXPORT char *parse_service_option(CMD
-             return "Invalid protocol version";
-         return NULL; /* OK */
-     case CMD_INITIALIZE:
--        if(section->max_proto_version && section->min_proto_version &&
--                section->max_proto_version<section->min_proto_version)
-+        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
-+                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
-+                && section->max_proto_version<section->min_proto_version)
-             return "Invalid protocol version range";
-         break;
-     case CMD_PRINT_DEFAULTS:
-@@ -3142,7 +3143,10 @@ NOEXPORT char *parse_service_option(CMD
-     /* sslVersionMax */
-     switch(cmd) {
-     case CMD_SET_DEFAULTS:
--        section->max_proto_version=0; /* highest supported */
-+        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
-+                                                               OpenSSL crypto
-+                                                               policies.Do not
-+                                                               override it */
-         break;
-     case CMD_SET_COPY:
-         section->max_proto_version=new_service_options.max_proto_version;
-@@ -3173,7 +3177,10 @@ NOEXPORT char *parse_service_option(CMD
-     /* sslVersionMin */
-     switch(cmd) {
-     case CMD_SET_DEFAULTS:
--        section->min_proto_version=TLS1_VERSION;
-+        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
-+                                                               OpenSSL crypto
-+                                                               policies. Do not
-+                                                               override it */
-         break;
-     case CMD_SET_COPY:
-         section->min_proto_version=new_service_options.min_proto_version;
---- stunnel-5.56/src/ctx.c.default-tls-version	2019-10-24 10:48:11.000000000 +0200
-+++ stunnel-5.56/src/ctx.c	2020-04-06 11:16:48.406406794 +0200
-@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
-         section->ctx=SSL_CTX_new(TLS_client_method());
-     else /* server mode */
-         section->ctx=SSL_CTX_new(TLS_server_method());
--    if(!SSL_CTX_set_min_proto_version(section->ctx,
--            section->min_proto_version)) {
--        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
--            section->min_proto_version);
--        return 1; /* FAILED */
-+
-+    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
-+        s_log(LOG_INFO, "Using the default TLS version as specified in \
-+                OpenSSL crypto policies. Not setting explicitly.");
-+    } else {
-+        if(!SSL_CTX_set_min_proto_version(section->ctx,
-+                    section->min_proto_version)) {
-+            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
-+                    section->min_proto_version);
-+            return 1; /* FAILED */
-+        }
-     }
--    if(!SSL_CTX_set_max_proto_version(section->ctx,
--            section->max_proto_version)) {
--        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
--            section->max_proto_version);
--        return 1; /* FAILED */
-+
-+    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
-+        s_log(LOG_INFO, "Using the default TLS version as specified in \
-+                OpenSSL crypto policies. Not setting explicitly");
-+    } else {
-+        if(!SSL_CTX_set_max_proto_version(section->ctx,
-+                    section->max_proto_version)) {
-+            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
-+                    section->max_proto_version);
-+            return 1; /* FAILED */
-+        }
-     }
- #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
-     if(section->option.client)
diff --git a/SOURCES/stunnel-5.58-openssl30.patch b/SOURCES/stunnel-5.58-openssl30.patch
deleted file mode 100644
index f786bd2..0000000
--- a/SOURCES/stunnel-5.58-openssl30.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up stunnel-5.58/src/ctx.c.openssl30 stunnel-5.58/src/ctx.c
---- stunnel-5.58/src/ctx.c.openssl30	2021-08-03 16:02:24.687409192 +0200
-+++ stunnel-5.58/src/ctx.c	2021-08-03 16:03:36.889009510 +0200
-@@ -1011,6 +1011,7 @@ NOEXPORT int ui_retry() {
-         switch(ERR_GET_REASON(err)) {
-         case UI_R_RESULT_TOO_LARGE:
-         case UI_R_RESULT_TOO_SMALL:
-+        case UI_R_PROCESSING_ERROR:
-             return 1;
-         default:
-             return 0;
diff --git a/SOURCES/stunnel-5.58.tar.gz.asc b/SOURCES/stunnel-5.58.tar.gz.asc
deleted file mode 100644
index 9809494..0000000
--- a/SOURCES/stunnel-5.58.tar.gz.asc
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmAxUhNfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
-QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
-4BTjnw//WxZJR4No++ri5S4amhfYpLPY3Zr9qUGQ5hepESCWTYf/K+b24fPtKsiU
-x/qn1jneQWw/dzPsD1e3UuPH+4d4ryzLzxVW9T8T+6cFQlaU89m5h0Epdd/LjwhF
-YECEawGU3dA+pgrNrumgyUTzYtsWGCAkylS02eDrD3auYL3mllarAuXmOpjFxIRB
-zod4HILm5fKggZ9++GsIeTFLz+q8Q1Y6QdELLje5p9wrqgP/N2Misc6yrYN8ZdOV
-HvFirN/M/Zb0AYknYNe6GHu06u8SM5bZpbwqrrMGaY95mL0lYDn5mi8quel0dnBv
-sI9rrflo1G9NMymSPN1knV9UeTKSnpSSr9HFxl1Y5eH2DcLIhfQZ9STBzrRPivxb
-JC0gNE51K36Komd4VhfYA2RPtih+YeGi7bADSMoH3UOZDsMJ9YitO9NAsFS/MaY7
-EkxKcqisfccZ69ruykHVxfYHujdby/EOXIUZVmmkrV7BWudhnDmukFg6k6uOq7LT
-k1ABoNhqfQx3f/daR0oluNgdOPz6bkt/9fa1RjFHqVLo+YOMBrHAEUv6eSQ2V0z5
-Lh5UCQQmPk7M6JWta1Bs9Ftv+H+CR6k6Ix9oF3lMjAjcJu4oj7zeRN4yH4KlGltP
-SfWgOEK0SqwZZL8yE7Fp61WiDlTW3b02U7iESj/OJK6Z1CpCxtE=
-=EoHl
------END PGP SIGNATURE-----
diff --git a/SOURCES/stunnel-5.61-default-tls-version.patch b/SOURCES/stunnel-5.61-default-tls-version.patch
new file mode 100644
index 0000000..f779e4e
--- /dev/null
+++ b/SOURCES/stunnel-5.61-default-tls-version.patch
@@ -0,0 +1,95 @@
+diff -up stunnel-5.61/src/ctx.c.default-tls-version stunnel-5.61/src/ctx.c
+--- stunnel-5.61/src/ctx.c.default-tls-version	2021-12-13 09:43:22.000000000 +0100
++++ stunnel-5.61/src/ctx.c	2022-01-10 19:27:49.913243127 +0100
+@@ -149,18 +149,28 @@ int context_init(SERVICE_OPTIONS *sectio
+     section->ctx=SSL_CTX_new(section->option.client ?
+         TLS_client_method() : TLS_server_method());
+ #endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+-    if(!SSL_CTX_set_min_proto_version(section->ctx,
+-            section->min_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+-            section->min_proto_version);
+-        return 1; /* FAILED */
+-    }
+-    if(!SSL_CTX_set_max_proto_version(section->ctx,
+-            section->max_proto_version)) {
+-        s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+-            section->max_proto_version);
+-        return 1; /* FAILED */
++    if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
++        s_log(LOG_INFO, "Using the default TLS version as specified in "
++                "OpenSSL crypto policies. Not setting explicitly.");
++    } else {
++        if(!SSL_CTX_set_min_proto_version(section->ctx,
++                    section->min_proto_version)) {
++            s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
++                    section->min_proto_version);
++            return 1; /* FAILED */
++        }
+     }
++    if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
++        s_log(LOG_INFO, "Using the default TLS version as specified in "
++                "OpenSSL crypto policies. Not setting explicitly");
++    } else {
++        if(!SSL_CTX_set_max_proto_version(section->ctx,
++                    section->max_proto_version)) {
++            s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
++                    section->max_proto_version);
++            return 1; /* FAILED */
++        }
++	}
+ #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
+     if(section->option.client)
+         section->ctx=SSL_CTX_new(section->client_method);
+diff -up stunnel-5.61/src/options.c.default-tls-version stunnel-5.61/src/options.c
+--- stunnel-5.61/src/options.c.default-tls-version	2022-01-10 19:23:15.096254067 +0100
++++ stunnel-5.61/src/options.c	2022-01-10 19:23:15.098254103 +0100
+@@ -3297,8 +3297,9 @@ NOEXPORT char *parse_service_option(CMD
+             return "Invalid protocol version";
+         return NULL; /* OK */
+     case CMD_INITIALIZE:
+-        if(section->max_proto_version && section->min_proto_version &&
+-                section->max_proto_version<section->min_proto_version)
++        if(section->max_proto_version != USE_DEFAULT_TLS_VERSION
++                && section->min_proto_version != USE_DEFAULT_TLS_VERSION
++                && section->max_proto_version<section->min_proto_version)
+             return "Invalid protocol version range";
+         break;
+     case CMD_PRINT_DEFAULTS:
+@@ -3316,7 +3317,10 @@ NOEXPORT char *parse_service_option(CMD
+     /* sslVersionMax */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->max_proto_version=0; /* highest supported */
++        section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++                                                               OpenSSL crypto
++                                                               policies.Do not
++                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->max_proto_version=new_service_options.max_proto_version;
+@@ -3347,7 +3351,10 @@ NOEXPORT char *parse_service_option(CMD
+     /* sslVersionMin */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->min_proto_version=TLS1_VERSION;
++        section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
++                                                               OpenSSL crypto
++                                                               policies. Do not
++                                                               override it */
+         break;
+     case CMD_SET_COPY:
+         section->min_proto_version=new_service_options.min_proto_version;
+diff -up stunnel-5.61/src/prototypes.h.default-tls-version stunnel-5.61/src/prototypes.h
+--- stunnel-5.61/src/prototypes.h.default-tls-version	2021-12-13 09:43:22.000000000 +0100
++++ stunnel-5.61/src/prototypes.h	2022-01-10 19:23:15.099254121 +0100
+@@ -932,6 +932,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
+ ICON_IMAGE load_icon_file(const char *);
+ #endif
+ 
++#define USE_DEFAULT_TLS_VERSION ((int)-2) /* Use defaults in OpenSSL
++                                             crypto policies */
++
+ #endif /* defined PROTOTYPES_H */
+ 
+ /* end of prototypes.h */
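Review bot: With both defaults set to `USE_DEFAULT_TLS_VERSION`, the `context_init` hunk in src/ctx.c no longer calls `SSL_CTX_set_min_proto_version`, so the previous built-in floor of `TLS1_VERSION` is gone and the effective minimum is whatever the OpenSSL configuration loaded at runtime supplies. The two `LOG_INFO` messages use the same text for the minimum and the maximum and do not report what was actually selected, so a missing or weakened policy is hard to spot in the logs. I would name the bound in each message and log the resulting value, e.g. `s_log(LOG_INFO, "sslVersionMin not set, effective minimum 0x%X", (unsigned)SSL_CTX_get_min_proto_version(section->ctx));` (the getter exists from OpenSSL 1.1.1, so it needs a version guard in this 1.1.0+ branch). The closing brace of the second `else` is indented with a tab where the rest of the block uses spaces. `context_init` and `parse_service_option` both start and end outside the hunks shown.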
diff --git a/SOURCES/stunnel-5.61-openssl30-fips.patch b/SOURCES/stunnel-5.61-openssl30-fips.patch
new file mode 100644
index 0000000..faaeef9
--- /dev/null
+++ b/SOURCES/stunnel-5.61-openssl30-fips.patch
@@ -0,0 +1,19 @@
+tests: Adapt to OpenSSL 3.x FIPS mode
+
+In OpenSSL 3.0 with FIPS enabled, this test no longer fails with
+a human-readable error message (such as "no ciphers available"), but
+instead causes an internal error. Extend the success regex list to also
+accept this result.
+diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30 stunnel-5.61/tests/plugins/p11_fips_cipher.py
+--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.openssl30	2022-01-12 15:15:03.211690650 +0100
++++ stunnel-5.61/tests/plugins/p11_fips_cipher.py	2022-01-12 15:15:20.937008173 +0100
+@@ -91,7 +91,8 @@ class FailureCiphersuitesFIPS(StunnelTes
+         self.events.count = 1
+         self.events.success = [
+             "disabled for FIPS",
+-            "no ciphers available"
++            "no ciphers available",
++            "TLS alert \\(write\\): fatal: internal error"
+         ]
+         self.events.failure = [
+             "peer did not return a certificate",
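Review bot: The added pattern `"TLS alert \\(write\\): fatal: internal error"` is generic, so this test now appears to pass on any handshake that ends in an internal-error alert, not only on the FIPS rejection of the cipher suite it is meant to prove. A comment above the entry should record why it is accepted, e.g. `# OpenSSL 3.x in FIPS mode reports the rejected ciphersuite as an internal error alert`. If the test framework exposes the OpenSSL version, appending the pattern only for 3.x would keep the check as strict as before on older libraries. The method that builds this list starts outside the hunk.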
diff --git a/SOURCES/stunnel-5.61-systemd-service.patch b/SOURCES/stunnel-5.61-systemd-service.patch
new file mode 100644
index 0000000..8c82221
--- /dev/null
+++ b/SOURCES/stunnel-5.61-systemd-service.patch
@@ -0,0 +1,11 @@
+diff -up stunnel-5.61/tools/stunnel.service.in.systemd-service stunnel-5.61/tools/stunnel.service.in
+--- stunnel-5.61/tools/stunnel.service.in.systemd-service	2022-01-12 14:48:32.474150329 +0100
++++ stunnel-5.61/tools/stunnel.service.in	2022-01-12 14:50:15.253984639 +0100
+@@ -6,6 +6,7 @@ After=syslog.target network-online.targe
+ ExecStart=@bindir@/stunnel
+ ExecReload=/bin/kill -HUP $MAINPID
+ Type=forking
++PrivateTmp=true
+ 
+ [Install]
+ WantedBy=multi-user.target
diff --git a/SOURCES/stunnel-5.62-disabled-curves.patch b/SOURCES/stunnel-5.62-disabled-curves.patch
new file mode 100644
index 0000000..075ccec
--- /dev/null
+++ b/SOURCES/stunnel-5.62-disabled-curves.patch
@@ -0,0 +1,57 @@
+Limit curves defaults in FIPS mode
+
+Our copy of OpenSSL disables the X25519 and X448 curves in FIPS mode,
+but stunnel defaults to enabling them and then fails to do so.
+
+Upstream-Status: Inappropriate [caused by a downstream patch to openssl]
+diff -up stunnel-5.62/src/options.c.disabled-curves stunnel-5.62/src/options.c
+--- stunnel-5.62/src/options.c.disabled-curves	2022-02-04 13:46:45.936884124 +0100
++++ stunnel-5.62/src/options.c	2022-02-04 13:53:16.346725153 +0100
+@@ -40,8 +40,10 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ #define DEFAULT_CURVES "X25519:P-256:X448:P-521:P-384"
++#define DEFAULT_CURVES_FIPS "P-256:P-521:P-384"
+ #else /* OpenSSL version < 1.1.1 */
+ #define DEFAULT_CURVES "prime256v1"
++#define DEFAULT_CURVES_FIPS "prime256v1"
+ #endif /* OpenSSL version >= 1.1.1 */
+ 
+ #if defined(_WIN32_WCE) && !defined(CONFDIR)
+@@ -1855,7 +1857,7 @@ NOEXPORT char *parse_service_option(CMD
+     /* curves */
+     switch(cmd) {
+     case CMD_SET_DEFAULTS:
+-        section->curves=str_dup_detached(DEFAULT_CURVES);
++        section->curves = NULL;
+         break;
+     case CMD_SET_COPY:
+         section->curves=str_dup_detached(new_service_options.curves);
+@@ -1870,9 +1872,26 @@ NOEXPORT char *parse_service_option(CMD
+         section->curves=str_dup_detached(arg);
+         return NULL; /* OK */
+     case CMD_INITIALIZE:
++        if(!section->curves) {
++            /* this is only executed for global options, because
++             * section->curves is no longer NULL in sections */
++#ifdef USE_FIPS
++            if(new_global_options.option.fips)
++                section->curves=str_dup_detached(DEFAULT_CURVES_FIPS);
++            else
++#endif /* USE_FIPS */
++                section->curves=str_dup_detached(DEFAULT_CURVES);
++        }
+         break;
+     case CMD_PRINT_DEFAULTS:
+-        s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++        if(fips_available()) {
++            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++                DEFAULT_CURVES_FIPS, "(with \"fips = yes\")");
++            s_log(LOG_NOTICE, "%-22s = %s %s", "curves",
++                DEFAULT_CURVES, "(with \"fips = no\")");
++        } else {
++            s_log(LOG_NOTICE, "%-22s = %s", "curves", DEFAULT_CURVES);
++        }
+         break;
+     case CMD_PRINT_HELP:
+         s_log(LOG_NOTICE, "%-22s = ECDH curve names", "curves");
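Review bot: Setting `section->curves = NULL` in `CMD_SET_DEFAULTS` makes the `CMD_SET_COPY` line `str_dup_detached(new_service_options.curves)` depend on the global `CMD_INITIALIZE` having already filled the value in; the new comment states that ordering, but nothing in the hunk enforces it, and the hunk does not show whether `str_dup_detached` tolerates NULL. I would document the invariant where the NULL is introduced, `section->curves = NULL; /* chosen in CMD_INITIALIZE once the fips option is known */`, and either guard the copy or confirm the helper's NULL behaviour. Note also that the list is selected from `new_global_options.option.fips` under `#ifdef USE_FIPS`, while `CMD_PRINT_DEFAULTS` keys on `fips_available()`, so the printed defaults and the applied default are decided by two different conditions. `parse_service_option` starts and ends outside the hunk.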
diff --git a/SOURCES/stunnel-5.62.tar.gz.asc b/SOURCES/stunnel-5.62.tar.gz.asc
new file mode 100644
index 0000000..194a431
--- /dev/null
+++ b/SOURCES/stunnel-5.62.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEK8fk5n48wMG+py+MLvx/8NQW4BQFAmHlyoBfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDJC
+QzdFNEU2N0UzQ0MwQzFCRUE3MkY4QzJFRkM3RkYwRDQxNkUwMTQACgkQLvx/8NQW
+4BRqiw//dzBO+CqezKNlkVT5sePEfriVPk0iYa7IyGQ2xclohI3X3A0NaLHhwysa
+2pFo+myUn5h2qVM6jfuPbXHxDSgDQIcRoEEWpLbVEnVy5vMpVsB5wY4fwfyd3crM
+2J24XPdODE8H2mB28JXHyQdXehMtzOAMJ57ugUbrU4drNOR8sCRbp+sBChI8JK9Q
+IYvUoMPMCukFXws0KFEYjRom/FyQlde2Wz9ZPiluRzj6RWPQvQht8EiB7IfPrq2m
+fiPmOxUnB+Ry6/eaSp7JLlrnL4q5Zhw0HS/pMbWpiB9nPb9SLoKufJ9hYQs5X2h9
+L85VPMAAAStQ4PcvFYWt/nV03p3agImdMLrwlaMi/Bb95+tk7OoNLu7yz9RQ9QAo
+SPamduORs4/KhtlMzRf2G8utIQRa4fI47KDOO1+1qRfTH4t/Bf3Fr/gI34AW24ZZ
+hu2nHqr+UxGkU42HJEhsL9tAvBFr/mBI64sHtAI41e25CkqBQSqD+FxUw5snbVgP
+XxiM9tNo/UUZpCMnmkAZUqVFKYT10VSFTDo6/LcoMYZf1zzCWch3wJTtf2ZPUJYG
+6kNpdCEzsXYileL6iCof9+J5hNaNGpsgTi+ljz1jujzOHWGw6hyIWUiYTBGmRAbl
+Pehbx5RYqQe9gX0nFRRs3o9y9p8B4MLMAvJdhx6vqxgd2H1SDJA=
+=MLHM
+-----END PGP SIGNATURE-----
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
index 24c057f..b2a3fd4 100644
--- a/SPECS/stunnel.spec
+++ b/SPECS/stunnel.spec
@@ -9,10 +9,10 @@
 
 Summary: A TLS-encrypting socket wrapper
 Name: stunnel
-Version: 5.58
-Release: 6%{?dist}
+Version: 5.62
+Release: 2%{?dist}
 License: GPLv2
-URL: http://www.stunnel.org/
+URL: https://www.stunnel.org/
 Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
 Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
 Source2: Certificate-Creation
@@ -22,12 +22,13 @@ Source5: pop3-redirect.xinetd
 Source6: stunnel-pop3s-client.conf
 Source7: stunnel@.service
 Patch0: stunnel-5.50-authpriv.patch
-Patch1: stunnel-5.50-systemd-service.patch
+Patch1: stunnel-5.61-systemd-service.patch
 Patch3: stunnel-5.56-system-ciphers.patch
 Patch4: stunnel-5.56-coverity.patch
-Patch5: stunnel-5.56-default-tls-version.patch
+Patch5: stunnel-5.61-default-tls-version.patch
 Patch6: stunnel-5.56-curves-doc-update.patch
-Patch7: stunnel-5.58-openssl30.patch
+Patch7: stunnel-5.61-openssl30-fips.patch
+Patch8: stunnel-5.62-disabled-curves.patch
 # util-linux is needed for rename
 BuildRequires: make
 BuildRequires: gcc
@@ -40,6 +41,7 @@ BuildRequires: /usr/bin/pod2man
 BuildRequires: /usr/bin/pod2html
 # build test requirements
 BuildRequires: /usr/bin/nc, /usr/bin/lsof, /usr/bin/ps
+BuildRequires: python3 openssl
 BuildRequires: systemd
 %{?systemd_requires}
 
@@ -57,13 +59,11 @@ conjunction with imapd to create a TLS secure IMAP server.
 %patch4 -p1 -b .coverity
 %patch5 -p1 -b .default-tls-version
 %patch6 -p1 -b .curves-doc-update
-%patch7 -p1 -b .openssl30
+%patch7 -p1 -b .openssl30-fips
+%patch8 -p1 -b .disabled-curves
 
-# Fix the configure script output for FIPS mode and stack protector flag
-sed -i '/yes).*result: no/,+1{s/result: no/result: yes/;s/as_echo "no"/as_echo "yes"/};s/-fstack-protector/-fstack-protector-strong/' configure
-
-# Fix a testcase with system-ciphers support
-sed -i '/client = yes/a \\  ciphers = PSK' tests/recipes/014_PSK_secrets
+# Fix the stack protector flag
+sed -i 's/-fstack-protector/-fstack-protector-strong/' configure
 
 %build
 #autoreconf -v
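Review bot: Nothing visible in this commit checks the new `stunnel-5.62.tar.gz.asc` against the tarball during the build: the signature is only listed as `Source1`, and the `%prep` lines shown here go straight to patching. If the part of `%prep` above this hunk does not already do it, add the upstream keyring as a source and verify before unpacking, e.g. `%{gpgverify} --keyring='%{SOURCE<N>}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` together with `BuildRequires: gnupg2` (`<N>` is a placeholder for the keyring's source number). Without that step the only integrity check on the new tarball is the checksum in `.stunnel.metadata`.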
@@ -100,15 +100,13 @@ cp %{SOURCE7} %{buildroot}%{_unitdir}/%{name}@.service
 %endif
 
 %check
-# For unknown reason the 042_inetd test fails in Koji. The failure is not reproducible
-# in local build.
-rm tests/recipes/042_inetd
-# We override the security policy as it is too strict for the tests.
-OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
-export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
-OPENSSL_CONF=
-export OPENSSL_CONF
-make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
+if ! make test; then
+	for i in tests/logs/*.log; do
+		echo "$i":
+		cat "$i"
+	done
+	exit 1
+fi
 
 %files
 %{!?_licensedir:%global license %%doc}
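Review bot: The comment that explained the removed `OPENSSL_SYSTEM_CIPHERS_OVERRIDE` and `OPENSSL_CONF` overrides is gone with them, so nothing in `%check` now says that the test suite deliberately runs under the build host's crypto policy and that its result depends on it. A one-line comment such as `# Tests run under the system crypto policy; a failing test fails the build` would keep that visible to the next maintainer. If `tests/logs/*.log` matches nothing, the loop prints the literal pattern and `cat` fails; that is harmless because `exit 1` follows, but `[ -e "$i" ] || continue` as the first line of the loop would keep the output clean.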
@@ -130,6 +128,7 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
 %{_unitdir}/%{name}*.service
 %endif
+%{_datadir}/bash-completion/completions/%{name}.bash
 
 %post
 /sbin/ldconfig
@@ -143,6 +142,16 @@ make test || (for i in tests/logs/*.log ; do echo "$i": ; cat "$i" ; done)
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Fri Feb 04 2022 Clemens Lang <cllang@redhat.com> - 5.62-2
+- Fix stunnel in FIPS mode
+  Resolves: rhbz#2050617
+- Fail build if tests fail
+  Resolves: rhbz#2051083
+
+* Tue Jan 18 2022 Clemens Lang <cllang@redhat.com> - 5.62-1
+- New upstream release 5.62
+  Resolves: rhbz#2039299
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.58-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688