diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f0584d0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/stunnel-4.56.tar.gz
diff --git a/.stunnel.metadata b/.stunnel.metadata
new file mode 100644
index 0000000..c1d37b8
--- /dev/null
+++ b/.stunnel.metadata
@@ -0,0 +1 @@
+0e5e495e05b8d14deadd294166b211f87a667b24 SOURCES/stunnel-4.56.tar.gz
diff --git a/SOURCES/Certificate-Creation b/SOURCES/Certificate-Creation
new file mode 100644
index 0000000..16d86f9
--- /dev/null
+++ b/SOURCES/Certificate-Creation
@@ -0,0 +1,9 @@
+To generate a key and self signed certificate, execute the following commands:
+
+cd /etc/pki/tls/certs
+make stunnel.pem
+
+Note that by default, the file containing the key and certificate has its
+permissions set to 0600, which means that any service using it needs to be
+started as root in order to read it. Such a service should be configured
+to switch UIDs using stunnel's "-s" flag.
diff --git a/SOURCES/pop3-redirect.xinetd b/SOURCES/pop3-redirect.xinetd
new file mode 100644
index 0000000..73b95ad
--- /dev/null
+++ b/SOURCES/pop3-redirect.xinetd
@@ -0,0 +1,17 @@
+# default: off
+# description: The POP3 redirector allows client software which does not have \
+# native support for SSL to connect to the local machine's POP3 \
+# port and have the connection forwarded over the network using \
+# SSL. You will need to modify stunnel-pop3s-client.conf to \
+# specify the server to connect to in order for this to be useful.
+service pop3
+{
+ disable = yes
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/sbin/stunnel
+ server_args = /etc/stunnel/stunnel-pop3s-client.conf
+ log_on_success += USERID
+ log_on_failure += USERID
+}
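Review bot: `user = root` starts the tunnel as root, and stunnel-pop3s-client.conf in this commit sets no `setuid`/`setgid`, so the process that handles network data keeps root for its whole lifetime. This is a client-mode service that loads no private key, so `user = nobody` here looks sufficient. sfinger.xinetd has the same `user = root`; there root is needed to read the 0600 stunnel.pem, so the privilege drop belongs in stunnel-sfinger.conf as `setuid = nobody` and `setgid = nobody`. That is what Certificate-Creation in this commit already advises, and without it in.fingerd is presumably exec'd as root as well.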
diff --git a/SOURCES/sfinger.xinetd b/SOURCES/sfinger.xinetd
new file mode 100644
index 0000000..39a91f5
--- /dev/null
+++ b/SOURCES/sfinger.xinetd
@@ -0,0 +1,11 @@
+# Not that anyone in their right mind would tunnel the finger protocol over
+# SSL, but here's how to do it using xinetd....
+service sfinger
+{
+ disable = yes
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/sbin/stunnel
+ server_args = /etc/stunnel/stunnel-sfinger.conf
+}
diff --git a/SOURCES/stunnel-4-authpriv.patch b/SOURCES/stunnel-4-authpriv.patch
new file mode 100644
index 0000000..5e0c443
--- /dev/null
+++ b/SOURCES/stunnel-4-authpriv.patch
@@ -0,0 +1,52 @@
+diff -urNp stunnel-4.56-patched/doc/stunnel.8 stunnel-4.56-current/doc/stunnel.8
+--- stunnel-4.56-patched/doc/stunnel.8 2013-03-28 14:38:34.921698500 -0400
++++ stunnel-4.56-current/doc/stunnel.8 2013-03-28 14:39:09.676668676 -0400
+@@ -190,7 +190,7 @@ info (6), or debug (7). All logs for th
+ all levels numerically less than it will be shown. Use \fIdebug = debug\fR or
+ \&\fIdebug = 7\fR for greatest debugging output. The default is notice (5).
+ .Sp
+-The syslog facility 'daemon' will be used unless a facility name is supplied.
++The syslog facility 'authpriv' will be used unless a facility name is supplied.
+ (Facilities are not supported on Win32.)
+ .Sp
+ Case is ignored for both facilities and levels.
+diff -urNp stunnel-4.56-patched/doc/stunnel.html stunnel-4.56-current/doc/stunnel.html
+--- stunnel-4.56-patched/doc/stunnel.html 2013-03-28 14:38:34.960698467 -0400
++++ stunnel-4.56-current/doc/stunnel.html 2013-03-28 14:39:09.678668674 -0400
+@@ -224,7 +224,7 @@ emerg (0), alert (1), crit (2), err (3),
+ info (6), or debug (7). All logs for the specified level and
+ all levels numerically less than it will be shown. Use debug = debug or
+ debug = 7 for greatest debugging output. The default is notice (5).
+-The syslog facility 'daemon' will be used unless a facility name is supplied.
++
The syslog facility 'authpriv' will be used unless a facility name is supplied.
+ (Facilities are not supported on Win32.)
+ Case is ignored for both facilities and levels.
+
+diff -urNp stunnel-4.56-patched/doc/stunnel.pod stunnel-4.56-current/doc/stunnel.pod
+--- stunnel-4.56-patched/doc/stunnel.pod 2013-03-28 14:38:34.959698468 -0400
++++ stunnel-4.56-current/doc/stunnel.pod 2013-03-28 14:39:09.678668674 -0400
+@@ -184,7 +184,7 @@ info (6), or debug (7). All logs for th
+ all levels numerically less than it will be shown. Use I or
+ I for greatest debugging output. The default is notice (5).
+
+-The syslog facility 'daemon' will be used unless a facility name is supplied.
++The syslog facility 'authpriv' will be used unless a facility name is supplied.
+ (Facilities are not supported on Win32.)
+
+ Case is ignored for both facilities and levels.
+diff -urNp stunnel-4.56-patched/src/options.c stunnel-4.56-current/src/options.c
+--- stunnel-4.56-patched/src/options.c 2013-03-28 14:38:34.919698502 -0400
++++ stunnel-4.56-current/src/options.c 2013-03-28 14:39:09.680668671 -0400
+@@ -185,8 +185,12 @@ static char *parse_global_option(CMD cmd
+ case CMD_BEGIN:
+ new_global_options.debug_level=LOG_NOTICE;
+ #if !defined (USE_WIN32) && !defined (__vms)
++#if defined(LOG_AUTHPRIV)
++ new_global_options.facility=LOG_AUTHPRIV;
++#else
+ new_global_options.facility=LOG_DAEMON;
+ #endif
++#endif
+ break;
+ case CMD_EXEC:
+ if(strcasecmp(opt, "debug"))
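Review bot: The three documentation hunks now state that 'authpriv' is the default facility unconditionally, but the options.c hunk still falls back to `LOG_DAEMON` when `LOG_AUTHPRIV` is not defined. On such a platform the connection and peer details stunnel logs would go to the more widely readable daemon log while the manual says otherwise. Wording such as `The syslog facility 'authpriv' (or 'daemon' where the platform does not define it) will be used unless a facility name is supplied.` would keep the docs in line with the code. The CMD_BEGIN case sits inside parse_global_option(), which starts and ends outside the hunk.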
diff --git a/SOURCES/stunnel-4-sample.patch b/SOURCES/stunnel-4-sample.patch
new file mode 100644
index 0000000..8528bf1
--- /dev/null
+++ b/SOURCES/stunnel-4-sample.patch
@@ -0,0 +1,39 @@
+diff -urNp stunnel-4.56-patched/tools/stunnel.conf-sample.in stunnel-4.56-current/tools/stunnel.conf-sample.in
+--- stunnel-4.56-patched/tools/stunnel.conf-sample.in 2013-03-28 14:38:34.992698440 -0400
++++ stunnel-4.56-current/tools/stunnel.conf-sample.in 2013-03-28 14:40:31.423595815 -0400
+@@ -9,7 +9,7 @@
+
+ ; A copy of some devices and system files is needed within the chroot jail
+ ; Chroot conflicts with configuration file reload and many other features
+-chroot = @prefix@/var/lib/stunnel/
++chroot = @localstatedir@/run/stunnel/
+ ; Chroot jail can be escaped if setuid option is not used
+ setuid = nobody
+ setgid = @DEFAULT_GROUP@
+@@ -26,8 +26,8 @@ pid = /stunnel.pid
+ ; **************************************************************************
+
+ ; Certificate/key is needed in server mode and optional in client mode
+-cert = @prefix@/etc/stunnel/mail.pem
+-;key = @prefix@/etc/stunnel/mail.pem
++cert = @sysconfdir@/stunnel/mail.pem
++;key = @sysconfdir@/stunnel/mail.pem
+
+ ; Authentication stuff needs to be configured to prevent MITM attacks
+ ; It is not enabled by default!
+@@ -36,12 +36,13 @@ cert = @prefix@/etc/stunnel/mail.pem
+ ; CApath is located inside chroot jail
+ ;CApath = /certs
+ ; It's often easier to use CAfile
+-;CAfile = @prefix@/etc/stunnel/certs.pem
++;CAfile = @sysconfdir@/stunnel/certs.pem
++;CAfile = @sysconfdir@/pki/tls/certs/ca-bundle.crt
+ ; Don't forget to c_rehash CRLpath
+ ; CRLpath is located inside chroot jail
+ ;CRLpath = /crls
+ ; Alternatively CRLfile can be used
+-;CRLfile = @prefix@/etc/stunnel/crls.pem
++;CRLfile = @sysconfdir@/stunnel/crls.pem
+
+ ; Disable support for insecure SSLv2 protocol
+ options = NO_SSLv2
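Review bot: The new `chroot = @localstatedir@/run/stunnel/` points at a directory that nothing visible in stunnel.spec creates or packages (`%install` only makes `%{_sysconfdir}/stunnel`, and `%files` lists nothing under `%{_localstatedir}`). A copied sample would therefore fail at the chroot step, or at writing `pid = /stunnel.pid` as `nobody`, and the likely workaround is to comment out `chroot` and lose the confinement. Either ship the directory from the spec with ownership that lets the `setuid` user write the pid file, or add a comment line above the option, e.g. `; The chroot directory must be created by the administrator and be writable by the setuid user`.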
diff --git a/SOURCES/stunnel-4.56-doc-accept.patch b/SOURCES/stunnel-4.56-doc-accept.patch
new file mode 100644
index 0000000..0ecc606
--- /dev/null
+++ b/SOURCES/stunnel-4.56-doc-accept.patch
@@ -0,0 +1,36 @@
+diff -up stunnel-4.56/doc/stunnel.html.accept stunnel-4.56/doc/stunnel.html
+--- stunnel-4.56/doc/stunnel.html.accept 2015-11-12 16:10:44.446099618 +0100
++++ stunnel-4.56/doc/stunnel.html 2016-03-31 17:19:13.648400089 +0200
+@@ -379,7 +379,7 @@ below.
+ If no host specified, defaults to all IPv4 addresses for the local host.
+ To listen on all IPv6 addresses use:
+
+- connect = :::port
++ accept = :::port
+
+ CApath = directory
+
+diff -up stunnel-4.56/doc/stunnel.pod.accept stunnel-4.56/doc/stunnel.pod
+--- stunnel-4.56/doc/stunnel.pod.accept 2015-11-12 16:10:44.447099641 +0100
++++ stunnel-4.56/doc/stunnel.pod 2016-03-31 17:19:13.649400112 +0200
+@@ -349,7 +349,7 @@ If no host specified, defaults to all IP
+
+ To listen on all IPv6 addresses use:
+
+- connect = :::port
++ accept = :::port
+
+ =item B = directory
+
+diff -up stunnel-4.56/doc/stunnel.8.accept stunnel-4.56/doc/stunnel.8
+--- stunnel-4.56/doc/stunnel.8.accept 2015-11-12 16:10:44.446099618 +0100
++++ stunnel-4.56/doc/stunnel.8 2016-03-31 17:19:13.647400065 +0200
+@@ -336,7 +336,7 @@ If no host specified, defaults to all IP
+ To listen on all IPv6 addresses use:
+ .Sp
+ .Vb 1
+-\& connect = :::port
++\& accept = :::port
+ .Ve
+ .IP "\fBCApath\fR = directory" 4
+ .IX Item "CApath = directory"
diff --git a/SOURCES/stunnel-4.56-doc-curve.patch b/SOURCES/stunnel-4.56-doc-curve.patch
new file mode 100644
index 0000000..1ce1702
--- /dev/null
+++ b/SOURCES/stunnel-4.56-doc-curve.patch
@@ -0,0 +1,44 @@
+diff -up stunnel-4.56/doc/stunnel.html.curve stunnel-4.56/doc/stunnel.html
+--- stunnel-4.56/doc/stunnel.html.curve 2016-03-31 17:19:13.000000000 +0200
++++ stunnel-4.56/doc/stunnel.html 2016-03-31 17:22:48.552416398 +0200
+@@ -452,8 +452,8 @@ c_rehash the directory on upgrade from <
+ curve = nid
+
+
+-specify ECDH curve name
+-To get a list of supported cuves use:
++specify ECDH curve name for server
++To get a list of supported curves use:
+
+ openssl ecparam -list_curves
+ default: prime256v1
+diff -up stunnel-4.56/doc/stunnel.pod.curve stunnel-4.56/doc/stunnel.pod
+--- stunnel-4.56/doc/stunnel.pod.curve 2016-03-31 17:19:13.000000000 +0200
++++ stunnel-4.56/doc/stunnel.pod 2016-03-31 17:21:59.705276204 +0200
+@@ -427,9 +427,9 @@ This file contains multiple CRLs, used w
+
+ =item B = nid
+
+-specify ECDH curve name
++specify ECDH curve name for server
+
+-To get a list of supported cuves use:
++To get a list of supported curves use:
+
+ openssl ecparam -list_curves
+
+diff -up stunnel-4.56/doc/stunnel.8.curve stunnel-4.56/doc/stunnel.8
+--- stunnel-4.56/doc/stunnel.8.curve 2016-03-31 17:19:13.000000000 +0200
++++ stunnel-4.56/doc/stunnel.8 2016-03-31 17:23:15.072035422 +0200
+@@ -406,9 +406,9 @@ Certificate Revocation Lists file
+ This file contains multiple CRLs, used with the \fIverify\fR.
+ .IP "\fBcurve\fR = nid" 4
+ .IX Item "curve = nid"
+-specify \s-1ECDH\s0 curve name
++specify \s-1ECDH\s0 curve name for server
+ .Sp
+-To get a list of supported cuves use:
++To get a list of supported curves use:
+ .Sp
+ .Vb 1
+ \& openssl ecparam \-list_curves
diff --git a/SOURCES/stunnel-4.56-log-version.patch b/SOURCES/stunnel-4.56-log-version.patch
new file mode 100644
index 0000000..85fe12d
--- /dev/null
+++ b/SOURCES/stunnel-4.56-log-version.patch
@@ -0,0 +1,11 @@
+diff -up stunnel-4.56/src/client.c.log-version stunnel-4.56/src/client.c
+--- stunnel-4.56/src/client.c.log-version 2013-03-14 23:54:24.000000000 +0100
++++ stunnel-4.56/src/client.c 2016-03-31 17:17:01.438314029 +0200
+@@ -928,6 +928,7 @@ static void print_cipher(CLI *c) { /* pr
+
+ if(global_options.debug_levelssl));
+ cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
+ s_log(LOG_INFO, "Negotiated %s ciphersuite: %s (%d-bit encryption)",
+ SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher),
diff --git a/SOURCES/stunnel-4.56-pollhup.patch b/SOURCES/stunnel-4.56-pollhup.patch
new file mode 100644
index 0000000..a086f05
--- /dev/null
+++ b/SOURCES/stunnel-4.56-pollhup.patch
@@ -0,0 +1,146 @@
+diff -up stunnel-4.56/src/client.c.pollhup stunnel-4.56/src/client.c
+--- stunnel-4.56/src/client.c.pollhup 2016-03-31 17:17:01.438314029 +0200
++++ stunnel-4.56/src/client.c 2016-03-31 17:25:48.573618470 +0200
+@@ -595,35 +595,6 @@ static void transfer(CLI *c) {
+ }
+ }
+
+- /****************************** check for hangup conditions */
+- if(s_poll_hup(c->fds, c->sock_rfd->fd)) {
+- s_log(LOG_INFO, "Read socket closed (hangup)");
+- sock_open_rd=0;
+- }
+- if(s_poll_hup(c->fds, c->sock_wfd->fd)) {
+- if(c->ssl_ptr) {
+- s_log(LOG_ERR,
+- "Write socket closed (hangup) with %d unsent byte(s)",
+- c->ssl_ptr);
+- longjmp(c->err, 1); /* reset the socket */
+- }
+- s_log(LOG_INFO, "Write socket closed (hangup)");
+- sock_open_wr=0;
+- }
+- if(s_poll_hup(c->fds, c->ssl_rfd->fd) ||
+- s_poll_hup(c->fds, c->ssl_wfd->fd)) {
+- /* hangup -> buggy (e.g. Microsoft) peer:
+- * SSL socket closed without close_notify alert */
+- if(c->sock_ptr) {
+- s_log(LOG_ERR,
+- "SSL socket closed (hangup) with %d unsent byte(s)",
+- c->sock_ptr);
+- longjmp(c->err, 1); /* reset the socket */
+- }
+- s_log(LOG_INFO, "SSL socket closed (hangup)");
+- SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+- }
+-
+ /****************************** retrieve results from c->fds */
+ sock_can_rd=s_poll_canread(c->fds, c->sock_rfd->fd);
+ sock_can_wr=s_poll_canwrite(c->fds, c->sock_wfd->fd);
+@@ -828,6 +799,36 @@ static void transfer(CLI *c) {
+ }
+ }
+
++ /****************************** check for hangup conditions */
++ if(s_poll_rdhup(c->fds, c->sock_rfd->fd) &&
++ !s_poll_canread(c->fds, c->sock_rfd->fd)) {
++ s_log(LOG_INFO, "Read socket closed (hangup)");
++ sock_open_rd=0;
++ }
++ if(s_poll_hup(c->fds, c->sock_wfd->fd)) {
++ if(c->ssl_ptr) {
++ s_log(LOG_ERR,
++ "Write socket closed (hangup) with %d unsent byte(s)",
++ c->ssl_ptr);
++ longjmp(c->err, 1); /* reset the socket */
++ }
++ s_log(LOG_INFO, "Write socket closed (hangup)");
++ sock_open_wr=0;
++ }
++ if((s_poll_hup(c->fds, c->ssl_rfd->fd) && !s_poll_canread(c->fds, c->sock_rfd->fd)) ||
++ s_poll_hup(c->fds, c->ssl_wfd->fd)) {
++ /* hangup -> buggy (e.g. Microsoft) peer:
++ * SSL socket closed without close_notify alert */
++ if(c->sock_ptr) {
++ s_log(LOG_ERR,
++ "SSL socket closed (hangup) with %d unsent byte(s)",
++ c->sock_ptr);
++ longjmp(c->err, 1); /* reset the socket */
++ }
++ s_log(LOG_INFO, "SSL socket closed (hangup)");
++ SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
++ }
++
+ /****************************** check write shutdown conditions */
+ if(sock_open_wr && SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN && !c->ssl_ptr) {
+ sock_open_wr=0; /* no further write allowed */
+diff -up stunnel-4.56/src/network.c.pollhup stunnel-4.56/src/network.c
+--- stunnel-4.56/src/network.c.pollhup 2013-03-13 14:41:02.000000000 +0100
++++ stunnel-4.56/src/network.c 2016-03-31 17:25:48.574618494 +0200
+@@ -79,8 +79,12 @@ void s_poll_add(s_poll_set *fds, int fd,
+ fds->ufds[i].events=0;
+ fds->nfds++;
+ }
+- if(rd)
++ if(rd) {
+ fds->ufds[i].events|=POLLIN;
++#ifdef POLLRDHUP
++ fds->ufds[i].events|=POLLRDHUP;
++#endif
++ }
+ if(wr)
+ fds->ufds[i].events|=POLLOUT;
+ }
+@@ -103,12 +107,27 @@ int s_poll_canwrite(s_poll_set *fds, int
+ return 0; /* not listed in fds */
+ }
+
++/* best doc: http://lxr.free-electrons.com/source/net/ipv4/tcp.c#L456 */
++
+ int s_poll_hup(s_poll_set *fds, int fd) {
+ unsigned int i;
+
+ for(i=0; infds; i++)
+ if(fds->ufds[i].fd==fd)
+- return fds->ufds[i].revents&POLLHUP;
++ return fds->ufds[i].revents&POLLHUP; /* read and write closed */
++ return 0; /* not listed in fds */
++}
++
++int s_poll_rdhup(s_poll_set *fds, int fd) {
++ unsigned int i;
++
++ for(i=0; infds; i++)
++ if(fds->ufds[i].fd==fd)
++#ifdef POLLRDHUP
++ return fds->ufds[i].revents&POLLRDHUP; /* read closed */
++#else
++ return fds->ufds[i].revents&POLLHUP; /* read and write closed */
++#endif
+ return 0; /* not listed in fds */
+ }
+
+@@ -336,6 +355,12 @@ int s_poll_hup(s_poll_set *fds, int fd)
+ return 0; /* FIXME: how to detect HUP condition with select()? */
+ }
+
++int s_poll_rdhup(s_poll_set *fds, int fd) {
++ (void)fds; /* skip warning about unused parameter */
++ (void)fd; /* skip warning about unused parameter */
++ return 0; /* FIXME: how to detect RDHUP condition with select()? */
++}
++
+ int s_poll_error(s_poll_set *fds, int fd) {
+ /* error conditions are signaled as read, but apparently *not* in Winsock:
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx */
+diff -up stunnel-4.56/src/prototypes.h.pollhup stunnel-4.56/src/prototypes.h
+--- stunnel-4.56/src/prototypes.h.pollhup 2013-03-19 18:30:55.000000000 +0100
++++ stunnel-4.56/src/prototypes.h 2016-03-31 17:25:48.574618494 +0200
+@@ -385,6 +385,7 @@ void s_poll_add(s_poll_set *, int, int,
+ int s_poll_canread(s_poll_set *, int);
+ int s_poll_canwrite(s_poll_set *, int);
+ int s_poll_hup(s_poll_set *, int);
++int s_poll_rdhup(s_poll_set *, int);
+ int s_poll_error(s_poll_set *, int);
+ int s_poll_wait(s_poll_set *, int, int);
+
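Review bot: In the relocated hangup block of transfer(), the SSL-side test `s_poll_hup(c->fds, c->ssl_rfd->fd) && !s_poll_canread(c->fds, c->sock_rfd->fd)` gates a hangup on the TLS descriptor by the readability of the plaintext socket. That looks copied from the read-socket test a few lines above. If the intent is to hold off the shutdown while data from the TLS peer is still pending, the second call would be `!s_poll_canread(c->fds, c->ssl_rfd->fd)`; if the cross-check is deliberate it needs a comment saying why. As written, a peer that closes without close_notify can still reach `SSL_set_shutdown()` while its own descriptor is readable, which appears to be the truncation case the patch is meant to prevent. transfer() starts and ends outside the hunk, so this is inferred from the visible lines only.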
diff --git a/SOURCES/stunnel-4.56-tls.patch b/SOURCES/stunnel-4.56-tls.patch
new file mode 100644
index 0000000..05ea410
--- /dev/null
+++ b/SOURCES/stunnel-4.56-tls.patch
@@ -0,0 +1,12 @@
+diff -up stunnel-4.56/src/options.c.tls stunnel-4.56/src/options.c
+--- stunnel-4.56/src/options.c.tls 2015-11-12 16:10:44.000000000 +0100
++++ stunnel-4.56/src/options.c 2016-03-31 17:41:11.629988843 +0200
+@@ -1682,7 +1682,7 @@ static char *parse_service_option(CMD cm
+ return "Incorrect version of SSL protocol";
+ return NULL; /* OK */
+ case CMD_END:
+-#ifdef USE_FIPS
++#if 0
+ if(new_global_options.option.fips &&
+ ((section->option.client &&
+ section->client_method!=(SSL_METHOD *)TLSv1_client_method()) ||
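Review bot: Replacing `#ifdef USE_FIPS` with `#if 0` in the CMD_END case of parse_service_option() compiles out the whole FIPS protocol check instead of widening it. With FIPS mode on, stunnel then no longer rejects any configured method itself and relies on the OpenSSL FIPS module to refuse SSLv2/SSLv3. A narrower change keeps the guard and extends the comparison to also accept the TLS 1.1 and 1.2 methods (`TLSv1_1_client_method()`, `TLSv1_2_client_method()` and the server equivalents). If dropping the check is intended, say so at the site, e.g. `#if 0 /* FIPS protocol restriction is left to OpenSSL so that TLS 1.1/1.2 are allowed */`. The guarded block continues past the end of the hunk.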
diff --git a/SOURCES/stunnel-4.56.tar.gz.asc b/SOURCES/stunnel-4.56.tar.gz.asc
new file mode 100644
index 0000000..f827884
--- /dev/null
+++ b/SOURCES/stunnel-4.56.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iD8DBQBRTNnJ/NU+nXTHMtERAuFEAKCBlmPjyX4YQK96Za0D7RM7f325LACfUQHm
+3OYKVP4zld5JJzzIkwWFBfU=
+=mI5i
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/stunnel-4.56.tar.gz.sha256 b/SOURCES/stunnel-4.56.tar.gz.sha256
new file mode 100644
index 0000000..e8d9442
--- /dev/null
+++ b/SOURCES/stunnel-4.56.tar.gz.sha256
@@ -0,0 +1 @@
+9cae2cfbe26d87443398ce50d7d5db54e5ea363889d5d2ec8d2778a01c871293 stunnel-4.56.tar.gz
diff --git a/SOURCES/stunnel-pop3s-client.conf b/SOURCES/stunnel-pop3s-client.conf
new file mode 100644
index 0000000..eb7fda9
--- /dev/null
+++ b/SOURCES/stunnel-pop3s-client.conf
@@ -0,0 +1,8 @@
+# Sample configuration for stunnel, tunnelling cleartext connections on the
+# default port (without an "accept" setting, stunnel uses stdio) over an
+# encrypted channel to pop3s-server.example.com:pop3s. See stunnel(8) for
+# more information.
+client = yes
+connect = pop3s-server.example.com:pop3s
+CAfile = /usr/share/ssl/certs/ca-bundle.crt
+verify = 2
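Review bot: `verify = 2` only checks that the peer certificate chains to something in `CAfile`, and with a general CA bundle that means any certificate issued by any bundled CA; nothing in this file ties the peer to pop3s-server.example.com. As far as I know this stunnel version has no host-name check, so the sample should say so in its header comment and point to `verify = 3` with a CAfile that holds only the server's certificate. The path `/usr/share/ssl/certs/ca-bundle.crt` also differs from the `/etc/pki/tls/certs` location used by Certificate-Creation and by the sample-config patch in this commit; `CAfile = /etc/pki/tls/certs/ca-bundle.crt` would be consistent with both.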
diff --git a/SOURCES/stunnel-sfinger.conf b/SOURCES/stunnel-sfinger.conf
new file mode 100644
index 0000000..912888a
--- /dev/null
+++ b/SOURCES/stunnel-sfinger.conf
@@ -0,0 +1,8 @@
+# Sample configuration for stunnel, forwarding data from encrypted connections
+# on the default port (without an "accept" setting, stunnel uses stdio) over
+# an unencrypted set of pipes which are used for stdio by in.fingerd. See
+# stunnel(8) for more information.
+exec = /usr/sbin/in.fingerd
+execargs = in.fingerd
+key = /etc/stunnel/stunnel.pem
+cert = /etc/stunnel/stunnel.pem
diff --git a/SPECS/stunnel.spec b/SPECS/stunnel.spec
new file mode 100644
index 0000000..3a8edaf
--- /dev/null
+++ b/SPECS/stunnel.spec
@@ -0,0 +1,498 @@
+Summary: An SSL-encrypting socket wrapper
+Name: stunnel
+Version: 4.56
+Release: 6%{?dist}
+License: GPLv2
+Group: Applications/Internet
+URL: http://www.stunnel.org/
+Source0: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz
+Source1: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.asc
+Source7: https://www.stunnel.org/downloads/stunnel-%{version}.tar.gz.sha256
+Source2: Certificate-Creation
+Source3: sfinger.xinetd
+Source4: stunnel-sfinger.conf
+Source5: pop3-redirect.xinetd
+Source6: stunnel-pop3s-client.conf
+Patch0: stunnel-4-authpriv.patch
+Patch1: stunnel-4-sample.patch
+Patch2: stunnel-4.56-doc-accept.patch
+Patch3: stunnel-4.56-doc-curve.patch
+Patch4: stunnel-4.56-log-version.patch
+Patch5: stunnel-4.56-pollhup.patch
+Patch6: stunnel-4.56-tls.patch
+Buildroot: %{_tmppath}/stunnel-root
+# util-linux is needed for rename
+BuildRequires: openssl-devel, pkgconfig, tcp_wrappers-devel, util-linux
+# for /usr/bin/pod2man
+%if 0%{?fedora} > 18 || 0%{?rhel} >= 7
+BuildRequires: perl-podlators
+%endif
+
+%description
+Stunnel is a socket wrapper which can provide SSL (Secure Sockets
+Layer) support to ordinary applications. For example, it can be used
+in conjunction with imapd to create an SSL secure IMAP server.
+
+%prep
+%setup -q
+%patch0 -p1 -b .authpriv
+%patch1 -p1 -b .sample
+%patch2 -p1 -b .accept
+%patch3 -p1 -b .curve
+%patch4 -p1 -b .log-version
+%patch5 -p1 -b .pollhup
+%patch6 -p1 -b .tls
+
+iconv -f iso-8859-1 -t utf-8 < doc/stunnel.fr.8 > doc/stunnel.fr.8_
+mv doc/stunnel.fr.8_ doc/stunnel.fr.8
+
+%build
+CFLAGS="$RPM_OPT_FLAGS -fPIC"; export CFLAGS
+if pkg-config openssl ; then
+ CFLAGS="$CFLAGS `pkg-config --cflags openssl`";
+ LDFLAGS="`pkg-config --libs-only-L openssl`"; export LDFLAGS
+fi
+%configure --enable-fips --enable-ipv6 \
+ CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
+make LDADD="-pie -Wl,-z,defs,-z,relro,-z,now"
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/stunnel
+touch $RPM_BUILD_ROOT%{_sysconfdir}/stunnel/stunnel.pem
+make install DESTDIR=$RPM_BUILD_ROOT
+# Move the translated man pages to the right subdirectories, and strip off the
+# language suffixes.
+for lang in fr pl ; do
+ mkdir -p $RPM_BUILD_ROOT/%{_mandir}/${lang}/man8
+ mv $RPM_BUILD_ROOT/%{_mandir}/man8/*.${lang}.8* $RPM_BUILD_ROOT/%{_mandir}/${lang}/man8/
+ rename ".${lang}" "" $RPM_BUILD_ROOT/%{_mandir}/${lang}/man8/*
+done
+
+mkdir srpm-docs
+cp %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} srpm-docs
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%doc AUTHORS BUGS ChangeLog COPY* CREDITS PORTS README TODO
+%doc tools/stunnel.conf-sample
+%doc srpm-docs/*
+%lang(en) %doc doc/en/*
+%lang(po) %doc doc/pl/*
+%{_bindir}/stunnel
+%exclude %{_bindir}/stunnel3
+%exclude %{_datadir}/doc/stunnel
+%{_libdir}/stunnel
+%exclude %{_libdir}/stunnel/libstunnel.la
+%{_mandir}/man8/stunnel.8*
+%lang(fr) %{_mandir}/fr/man8/stunnel.8*
+%lang(pl) %{_mandir}/pl/man8/stunnel.8*
+%dir %{_sysconfdir}/%{name}
+%exclude %{_sysconfdir}/stunnel/*
+
+%changelog
+* Fri Apr 1 2016 Tomáš Mráz - 4.56-6
+- Do not lose data due to mishandled POLLHUP (#1170722)
+
+* Thu Mar 31 2016 Tomáš Mráz - 4.56-5
+- Allow TLS 1.1 and TLS 1.2 in FIPS mode
+- Documentation fixes of curve and accept/connect options (#1197340)
+- Add negotiated protocol version to the logs (#1275613)
+
+* Fri Jan 24 2014 Daniel Mach - 4.56-4
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach - 4.56-3
+- Mass rebuild 2013-12-27
+
+* Mon Aug 5 2013 Avesh Agarwal - 4.56-2
+- Ftp mirrors for NA does not work, so changing source code
+ URLs to the correct ones.
+
+* Mon Aug 5 2013 Avesh Agarwal - 4.56-1
+- New upstream realease 4.56.
+- Updated local patches.
+- Fixed upstream URL in spec file.
+- Sourced URL of sha256 hash file in spec file.
+
+* Tue Mar 26 2013 Avesh Agarwal - 4.55-2
+- Resolves: 927841
+
+* Mon Mar 4 2013 Avesh Agarwal - 4.55-1
+- New upstream realease 4.55
+- Updated local patches
+- enabled fips mode
+- Fixed for pod2man as it build-requires perl-podlators
+
+* Fri Feb 15 2013 Fedora Release Engineering - 4.54-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Dec 10 2012 Avesh Agarwal - 4.54-2
+- 884183: support for full relro.
+
+* Tue Oct 16 2012 Avesh Agarwal - 4.54-1
+- New upstream realease 4.54
+- Updated local patches
+
+* Sat Jul 21 2012 Fedora Release Engineering - 4.53-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon May 14 2012 Avesh Agarwal - 4.53-1
+- New upstream realease 4.53
+- Updated local patches
+
+* Tue Mar 6 2012 Avesh Agarwal - 4.52-1
+- New upstream realease 4.52
+- Updated local patches
+
+* Sat Jan 14 2012 Fedora Release Engineering - 4.50-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jan 3 2012 Avesh Agarwal - 4.50-1
+- New upstream realease 4.50
+- Updated local patches
+
+* Tue Sep 20 2011 Avesh Agarwal - 4.44-1
+- New upstream realease 4.44
+- Updated local patches
+
+* Fri Aug 19 2011 Avesh Agarwal - 4.42-1
+- New upstream realease 4.42
+- Updated local patches
+- Fixes #732069
+
+* Mon Aug 1 2011 Avesh Agarwal - 4.41-1
+- New upstream realease 4.41
+- Updated local patches to match the new release
+
+* Tue Jun 28 2011 Avesh Agarwal - 4.37-1
+- New upstream realease 4.37
+- Updated local patches to match the new release
+
+* Mon Apr 4 2011 Avesh Agarwal - 4.35-1
+- New upstream realease 4.35
+- Updated authpriv and sample patches to match the new release
+
+* Wed Feb 09 2011 Fedora Release Engineering - 4.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Oct 4 2010 Avesh Agarwal - 4.34-1
+- New upstream realease 4.34
+- Updated authpriv and sample patches to match the new release
+
+* Wed Apr 7 2010 Avesh Agarwal - 4.33-1
+- New upstream realease 4.33
+- Updated authpriv and sample patches to match the new release
+- Addresses bz 580117 (inted mode support issue)
+
+* Mon Mar 29 2010 Avesh Agarwal - 4.32-1
+- New upstream realease 4.32
+- Updated authpriv and sample patches to match the new release
+
+* Tue Feb 16 2010 Avesh Agarwal - 4.31-1
+- New upstream realease 4.31
+- Updated authpriv and sample patches to match the new release
+
+* Tue Jan 26 2010 Avesh Agarwal - 4.30-1
+- New upstream realease 4.30
+- Updated authpriv and sample patches for the new release
+
+* Tue Dec 09 2009 Avesh Agarwal - 4.29-1
+- New upstream realease 4.29
+- Updated authpriv and sample patches for the new release
+- Modified spec file to include dist tag
+
+* Fri Aug 21 2009 Tomas Mraz - 4.27-5
+- rebuilt with new openssl
+
+* Sun Jul 26 2009 Fedora Release Engineering - 4.27-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sun May 3 2009 Miloslav Trmač - 4.27-3
+- Fix the previous patch.
+
+* Wed Apr 29 2009 Miloslav Trmač - 4.27-2
+- Avoid aliasing undefined by ISO C
+
+* Thu Apr 16 2009 Miloslav Trmač - 4.27-1
+- Update to stunnel-4.27.
+
+* Wed Feb 25 2009 Fedora Release Engineering - 4.26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sun Jan 18 2009 Tomas Mraz - 4.26-2
+- disable openssl upstream fips mode
+
+* Mon Sep 22 2008 Miloslav Trmač - 4.26-1
+- Update to stunnel-4.26.
+
+* Sun Jun 8 2008 Miloslav Trmač - 4.25-2
+- Use a clearer error message if the service name is unknown in "accept"
+ Resolves: #450344
+
+* Mon Jun 2 2008 Miloslav Trmač - 4.25-1
+- Update to stunnel-4.25
+
+* Tue May 20 2008 Miloslav Trmač - 4.24-2
+- Drop stunnel3
+ Resolves: #442842
+
+* Mon May 19 2008 Miloslav Trmač - 4.24-1
+- Update to stunnel-4.24
+
+* Fri Mar 28 2008 Miloslav Trmač - 4.22-1
+- Update to stunnel-4.22
+
+* Tue Feb 19 2008 Fedora Release Engineering - 4.20-6
+- Autorebuild for GCC 4.3
+
+* Tue Dec 4 2007 Miloslav Trmač - 4.20-5
+- Rebuild with openssl-0.9.8g
+
+* Tue Oct 16 2007 Miloslav Trmač - 4.20-4
+- Revert the port to NSS, wait for NSS-based stunnel 5.x instead
+ Resolves: #301971
+- Mark localized man pages with %%lang (patch by Ville Skyttä)
+ Resolves: #322281
+
+* Tue Aug 28 2007 Miloslav Trmač - 4.20-3.nss
+- Port to NSS
+
+* Mon Dec 4 2006 Miloslav Trmac - 4.20-2
+- Update BuildRequires for the separate tcp_wrappers-devel package
+
+* Thu Nov 30 2006 Miloslav Trmac - 4.20-1
+- Update to stunnel-4.20
+
+* Sat Nov 11 2006 Miloslav Trmac - 4.19-1
+- Update to stunnel-4.19
+
+* Wed Oct 25 2006 Miloslav Trmac - 4.18-1
+- Update to stunnel-4.18
+- Remove unused stunnel.cnf from the src.rpm
+- Fix some rpmlint warnings
+
+* Fri Aug 18 2006 Jesse Keating - 4.15-2
+- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
+ (#203001)
+
+* Wed Jul 12 2006 Jesse Keating - 4.15-1.1
+- rebuild
+
+* Sat Mar 18 2006 Miloslav Trmac - 4.15-1
+- Update to stunnel-4.15
+
+* Fri Feb 10 2006 Jesse Keating - 4.14-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 4.14-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 31 2006 Miloslav Trmac - 4.14-3
+- Use pthread threading to fix crash on x86_64 (#179236)
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Wed Nov 9 2005 Miloslav Trmac - 4.14-2
+- Rebuild with newer openssl
+
+* Thu Nov 3 2005 Miloslav Trmac - 4.14-1
+- Update to stunnel-4.14
+- Override changed default pid file location, keep it in %%{_localstatedir}/run
+
+* Sat Oct 22 2005 Miloslav Trmac - 4.13-1
+- Update to stunnel-4.13
+
+* Fri Sep 30 2005 Miloslav Trmac - 4.12-1
+- Update to stunnel-4.12
+
+* Thu Sep 22 2005 Miloslav Trmac - 4.11-2
+- Enable IPv6 (#169050, patch by Peter Bieringer)
+- Don't ship another copy of man pages in HTML
+
+* Tue Jul 12 2005 Miloslav Trmac - 4.11-1
+- Update to stunnel-4.11
+- Fix int/size_t mismatches in stack_info ()
+- Update Certificate-Creation for /etc/pki
+
+* Wed Jun 1 2005 Miloslav Trmac - 4.10-2
+- Fix inetd mode
+- Remove unnecessary Requires: and BuildRequires:
+- Clean up the spec file
+
+* Tue Apr 26 2005 Nalin Dahyabhai 4.10-1
+- update to 4.10
+
+* Tue Apr 26 2005 Nalin Dahyabhai 4.08-2
+- add buildprereqs on libtool, util-linux; change textutils/fileutils dep to
+ coreutils (#133961)
+
+* Wed Mar 16 2005 Nalin Dahyabhai 4.08-1
+- update to 4.08
+- build stunnel as a PIE binary
+
+* Mon Nov 22 2004 Miloslav Trmac - 4.05-4
+- Convert man pages to UTF-8
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Thu May 27 2004 Nalin Dahyabhai 4.05-2
+- move the sample configuration to %%doc, it shouldn't be used as-is (#124373)
+
+* Thu Mar 11 2004 Nalin Dahyabhai 4.05-1
+- update to 4.05
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Aug 7 2003 Elliot Lee 4.04-6
+- Fix libtool
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Fri Mar 21 2003 Nalin Dahyabhai 4.04-4
+- fix xinetd configuration samples
+
+* Mon Feb 10 2003 Nalin Dahyabhai 4.04-3
+- rebuild
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Wed Jan 15 2003 Nalin Dahyabhai 4.04-1
+- update to 4.04
+
+* Tue Jan 7 2003 Nalin Dahyabhai 4.03-1
+- use pkgconfig for information about openssl, if available
+
+* Fri Jan 3 2003 Nalin Dahyabhai
+- update to 4.03
+
+* Mon Oct 21 2002 Nalin Dahyabhai 4.02-1
+- update to 4.02
+
+* Fri Oct 4 2002 Nalin Dahyabhai 4.00-1
+- don't create a dummy cert
+
+* Wed Sep 25 2002 Nalin Dahyabhai
+- update to 4.00
+- remove textutils and fileutils as buildreqs, add automake/autoconf
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers
+- automated rebuild
+
+* Fri May 17 2002 Nalin Dahyabhai 3.22-2
+- rebuild in new environment
+
+* Wed Jan 2 2002 Nalin Dahyabhai 3.22-1
+- update to 3.22, correcting a format-string vulnerability
+
+* Wed Oct 31 2001 Nalin Dahyabhai 3.21a-1
+- update to 3.21a
+
+* Tue Aug 28 2001 Nalin Dahyabhai 3.20-1
+- log using LOG_AUTHPRIV facility by default (#47289)
+- make permissions on stunnel binary 0755
+- implicitly trust certificates in %%{_datadir}/ssl/trusted (#24034)
+
+* Fri Aug 10 2001 Nalin Dahyabhai 3.19-1
+- update to 3.19 to avoid problems with stunnel being multithreaded, but
+ tcp wrappers not being thrad-safe
+
+* Mon Jul 30 2001 Nalin Dahyabhai
+- update to 3.17
+
+* Mon Jul 23 2001 Nalin Dahyabhai
+- update to 3.16
+
+* Mon Jul 16 2001 Nalin Dahyabhai
+- update to 3.15
+- enable tcp-wrappers support
+
+* Tue May 29 2001 Nalin Dahyabhai
+- remove explicit requirement on openssl (specific version isn't enough,
+ we have to depend on shared library version anyway)
+
+* Fri Apr 27 2001 Nalin Dahyabhai
+- update to 3.14
+
+* Mon Mar 26 2001 Preston Brown
+- depend on make (#33148)
+
+* Fri Mar 2 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Tue Feb 6 2001 Nalin Dahyabhai
+- update to 3.13 to get pthread, OOB, 64-bit fixes
+- don't need sdf any more
+
+* Thu Dec 28 2000 Nalin Dahyabhai
+- pull in sdf to build the man page (#22892)
+
+* Fri Dec 22 2000 Nalin Dahyabhai
+- update to 3.11
+- chuck the SIGHUP patch (went upstream)
+- chuck parts of the 64-bit clean patch (went upstream)
+
+* Thu Dec 21 2000 Nalin Dahyabhai
+- update to 3.10
+- more 64-bit clean changes, hopefully the last bunch
+
+* Wed Dec 20 2000 Nalin Dahyabhai
+- change piddir from the default /var/stunnel to /var/run
+- clean out pid file on SIGHUP
+
+* Fri Dec 15 2000 Nalin Dahyabhai
+- update to 3.9 to get a security fix
+
+* Wed Oct 25 2000 Matt Wilson
+- change all unsigned longs to u_int32_t when dealing with network
+ addresses
+
+* Fri Aug 18 2000 Nalin Dahyabhai
+- make stunnel.pem also be (missingok)
+
+* Thu Jun 29 2000 Nalin Dahyabhai
+- move to Applications/Internet group
+- clean up %%post script
+- make stunnel.pem %%ghost %%config(noreplace)
+- provide a sample file for use with xinetd
+
+* Thu Jun 8 2000 Nalin Dahyabhai
+- FHS compliance fixes
+- modify defaults
+
+* Tue Mar 14 2000 Florian La Roche
+- update to 3.8
+- do not create certificate if one already exists
+
+* Mon Feb 21 2000 Florian La Roche
+- update to 3.7
+- add patch to find /usr/share/ssl
+- change some perms
+
+* Sat Oct 30 1999 Bernhard Rosenkraenzer
+- Modify spec file to match Red Hat standards
+
+* Fri Aug 12 1999 Damien Miller
+- Updated to 3.4a
+- Patched for OpenSSL 0.9.4
+- Cleaned up files section
+
+* Sun Jul 11 1999 Damien Miller
+- Updated to 3.3
+
+* Sat Nov 28 1998 Damien Miller
+- Initial RPMification
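Review bot: `Source1` (the detached PGP signature) and `Source7` (the SHA-256 file) are packaged, but `%prep` goes straight from `%setup -q` to the patches, so neither is ever checked during the build. A line such as `(cd %{_sourcedir} && sha256sum -c %{SOURCE7})` before `%setup` would at least catch a corrupted or swapped tarball; checking the signature additionally needs the upstream signing key carried as a further Source. Separately, `%lang(po) %doc doc/pl/*` in `%files` looks like a typo for `%lang(pl)`, the tag used for the Polish man page further down the same list.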