| author | Michael Haas <haas@computerlinguist.org> | 2015-03-10 09:54:17 +0100 |
|---|---|---|
| committer | Michael Haas <haas@cl.uni-heidelberg.de> | 2015-03-17 13:47:55 +0100 |
| commit | f6927350e4f5aedd9870a65923ceff232bd10bf3 (patch) | |
| tree | 1195b75d62d800a44517c24b2352522b734e8303 /net/stunnel/files | |
| parent | b59def2299027085c99137f86bae56239bb882c5 (diff) | |
stunnel: Bring it back at v5.10
From: Michael Haas <haas@computerlinguist.org>
* init script no longer creates certificates (consider client mode as use case)
* patches/010_fix_getnameinfo.patch: Fix getnameinfo signature
* patches/011_disable_ssp_linking.patch: Disable -fstack-protector as it is not always available in OpenWRT
* old patches (in oldpackages) no longer necessary
* remove libwrap dependency
* remove libpthread dependency
* respect CONFIG_IPV6
* init script uses procd
* sample stunnel.conf runs in client mode - prevents start failure, does not require cert
Possible enhancement: automatically generate certificate as done in
uhttpd. However, as client mode is a possible use case, I'd rather not.
Additionally, stunnel may use several certs with user-defined locations
and we can't easily set a cert location via command-line args.
The package is based on
https://sites.google.com/site/twisteroidambassador/openwrt/stunnel
Signed-off-by: Michael Haas <haas@computerlinguist.org>
Diffstat (limited to 'net/stunnel/files')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | net/stunnel/files/stunnel.conf | 45 |
| -rw-r--r-- | net/stunnel/files/stunnel.init | 12 |

2 files changed, 57 insertions, 0 deletions
diff --git a/net/stunnel/files/stunnel.conf b/net/stunnel/files/stunnel.conf new file mode 100644 index 000000000..2f10800b9 --- /dev/null +++ b/net/stunnel/files/stunnel.conf @@ -0,0 +1,45 @@ +; Drop privileges +setuid = nobody +setgid = nogroup + +; When running under procd, stay in foreground +foreground = yes + +; Don't log to stderr, use syslog +syslog = yes + +; 1-7. Use 7 for greatest verbosity +;debug = 5 + +; Starting here, enter your services or uncomment the examples + +; Example: +; If your local httpd does not support HTTPS, use stunnel in remote +; mode to forward TLS connections coming in on port 443 to non-TLS +; on port 80. +; Make sure that the cert is available. +;[httpd] +;accept = 443 +;connect = 127.0.0.1:80 +;cert = /etc/stunnel/stunnel.pem + +; Example: +; If your local email client does not support TLS, +; use stunnel in client mode to forward non-TLS connections on +; port 143 to TLS-enabled servername:993. +;[imap] +;client = yes +;accept = 143 +;connect = servername:993 +; Disable peer verification - be sure to understand the limitations of peer +; verification in stunnel when enabling. +;verify = 0 + +; Default client section: +; stunnel requires at least one section to start successfully. +; You can safely remove this section once you have configured +; your own. We use client mode here as server requires a certificate. +[dummy] +client = yes +accept = localhost:6000 +connect = localhost:6001 diff --git a/net/stunnel/files/stunnel.init b/net/stunnel/files/stunnel.init new file mode 100644 index 000000000..e622205b8 --- /dev/null +++ b/net/stunnel/files/stunnel.init @@ -0,0 +1,12 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2006-2008 OpenWrt.org + +START=90 +USE_PROCD=1 + +start_service() { + procd_open_instance + procd_set_param command /usr/bin/stunnel /etc/stunnel/stunnel.conf + procd_set_param respawn # respawn automatically if something died + procd_close_instance +} |
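Review bot: in the stunnel.conf hunk, the only client-mode example (the `;[imap]` section) demonstrates `;verify = 0`, and the always-active `[dummy]` client section sets no `verify` option at all, so a user who uncomments the example as written gets a TLS client that does not check the server's identity. Since the commit message names client mode as the expected use case, the example should show a verifying configuration instead, e.g. `verify = 2` together with a `CAfile = ...` line pointing at the trust store, keeping `verify = 0` only as the explicitly commented opt-out. The accompanying comment "be sure to understand the limitations of peer verification in stunnel" is also too vague to act on; state plainly that with `verify = 0` the server certificate is not validated.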
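Review bot: in the stunnel.init hunk, `start_service` launches `/usr/bin/stunnel /etc/stunnel/stunnel.conf` unconditionally and then sets `procd_set_param respawn`, so if the config file is missing or fails to parse, procd will keep restarting a process that exits immediately; add a guard such as `[ -f /etc/stunnel/stunnel.conf ] || return 1` before `procd_open_instance`. A `procd_set_param file /etc/stunnel/stunnel.conf` line would also let `reload` pick up config changes. Separately, the `# Copyright (C) 2006-2008 OpenWrt.org` header on a file first added in 2015 looks copied from another init script and should be corrected or dropped.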