ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in

Index: tools/stunnel.conf-sample.in
--- tools/stunnel.conf-sample.in.orig
+++ tools/stunnel.conf-sample.in
@@ -7,17 +7,18 @@
 ; * Global options                                                         *
 ; **************************************************************************
 
+chroot = /var/stunnel/
 ; It is recommended to drop root privileges if stunnel is started by root
-;setuid = nobody
-;setgid = @DEFAULT_GROUP@
+setuid = _stunnel
+setgid = _stunnel
 
 ; PID file is created inside the chroot jail (if enabled)
-;pid = @localstatedir@/run/stunnel.pid
+;pid = /stunnel.pid
 
 ; Debugging stuff (may be useful for troubleshooting)
 ;foreground = yes
 ;debug = info
-;output = @localstatedir@/log/stunnel.log
+;output = /stunnel.log
 
 ; Enable FIPS 140-2 mode if needed for compliance
 ;fips = yes
@@ -46,7 +47,7 @@
 ; * Include all configuration file fragments from the specified folder     *
 ; **************************************************************************
 
-;include = @sysconfdir@/stunnel/conf.d
+;include = ${SYSCONFDIR}/stunnel/conf.d
 
 ; **************************************************************************
 ; * Service definitions (remove all services for inetd mode)               *
@@ -54,37 +55,37 @@
 
 ; ***************************************** Example TLS client mode services
 
-; The following examples use /etc/ssl/certs, which is the common location
+; The following examples use ${SYSCONFDIR}/ssl/certs, which is the common location
 ; of a hashed directory containing trusted CA certificates.  This is not
 ; a hardcoded path of the stunnel package, as it is not related to the
 ; stunnel configuration in @sysconfdir@/stunnel/.
 
-[gmail-pop3]
-client = yes
-accept = 127.0.0.1:110
-connect = pop.gmail.com:995
-verifyChain = yes
-CApath = /etc/ssl/certs
-checkHost = pop.gmail.com
-OCSPaia = yes
+;[gmail-pop3]
+;client = yes
+;accept = 127.0.0.1:110
+;connect = pop.gmail.com:995
+;verifyChain = yes
+;CApath = ${SYSCONFDIR}/ssl/certs
+;checkHost = pop.gmail.com
+;OCSPaia = yes
 
-[gmail-imap]
-client = yes
-accept = 127.0.0.1:143
-connect = imap.gmail.com:993
-verifyChain = yes
-CApath = /etc/ssl/certs
-checkHost = imap.gmail.com
-OCSPaia = yes
+;[gmail-imap]
+;client = yes
+;accept = 127.0.0.1:143
+;connect = imap.gmail.com:993
+;verifyChain = yes
+;CApath = ${SYSCONFDIR}/ssl/certs
+;checkHost = imap.gmail.com
+;OCSPaia = yes
 
-[gmail-smtp]
-client = yes
-accept = 127.0.0.1:25
-connect = smtp.gmail.com:465
-verifyChain = yes
-CApath = /etc/ssl/certs
-checkHost = smtp.gmail.com
-OCSPaia = yes
+;[gmail-smtp]
+;client = yes
+;accept = 127.0.0.1:25
+;connect = smtp.gmail.com:465
+;verifyChain = yes
+;CApath = ${SYSCONFDIR}/ssl/certs
+;checkHost = smtp.gmail.com
+;OCSPaia = yes
 
 ; Encrypted HTTP proxy authenticated with a client certificate
 ; located in a cryptographic token
@@ -101,12 +102,12 @@ OCSPaia = yes
 ;[pop3s]
 ;accept  = 995
 ;connect = 110
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 ;[imaps]
 ;accept  = 993
 ;connect = 143
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 ; Either only expose this service to trusted networks, or require
 ; authentication when relaying emails originated from loopback.
@@ -114,29 +115,29 @@ OCSPaia = yes
 ;[ssmtp]
 ;accept  = 465
 ;connect = 25
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 
 ; TLS front-end to a web server
 ;[https]
 ;accept  = 443
 ;connect = 80
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
 ; Microsoft implementations do not use TLS close-notify alert and thus they
 ; are vulnerable to truncation attacks
 ;TIMEOUTclose = 0
 
 ; Remote shell protected with PSK-authenticated TLS
-; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
+; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs
 ;[shell]
 ;accept = 1337
 ;exec = /bin/sh
 ;execArgs = sh -i
-;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
+;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
 
 ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
 ;[mysql]
-;cert = @sysconfdir@/stunnel/stunnel.pem
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
 ;accept = 3307
 ;connect = /run/mysqld/mysqld.sock
SecBSD's official ports repository 2023-08-16 22:26:55 +00:00			`Index: tools/stunnel.conf-sample.in`
			`--- tools/stunnel.conf-sample.in.orig`
			`+++ tools/stunnel.conf-sample.in`
			`@@ -7,17 +7,18 @@`
			`; * Global options *`
			`; **************************************************************************`

			`+chroot = /var/stunnel/`
			`; It is recommended to drop root privileges if stunnel is started by root`
			`-;setuid = nobody`
			`-;setgid = @DEFAULT_GROUP@`
			`+setuid = _stunnel`
			`+setgid = _stunnel`

			`; PID file is created inside the chroot jail (if enabled)`
			`-;pid = @localstatedir@/run/stunnel.pid`
			`+;pid = /stunnel.pid`

			`; Debugging stuff (may be useful for troubleshooting)`
			`;foreground = yes`
			`;debug = info`
			`-;output = @localstatedir@/log/stunnel.log`
			`+;output = /stunnel.log`

			`; Enable FIPS 140-2 mode if needed for compliance`
			`;fips = yes`
			`@@ -46,7 +47,7 @@`
			`; * Include all configuration file fragments from the specified folder *`
			`; **************************************************************************`

			`-;include = @sysconfdir@/stunnel/conf.d`
			`+;include = ${SYSCONFDIR}/stunnel/conf.d`

			`; **************************************************************************`
			`; * Service definitions (remove all services for inetd mode) *`
			`@@ -54,37 +55,37 @@`

			`; ***************************************** Example TLS client mode services`

			`-; The following examples use /etc/ssl/certs, which is the common location`
			`+; The following examples use ${SYSCONFDIR}/ssl/certs, which is the common location`
			`; of a hashed directory containing trusted CA certificates. This is not`
			`; a hardcoded path of the stunnel package, as it is not related to the`
			`; stunnel configuration in @sysconfdir@/stunnel/.`

			`-[gmail-pop3]`
			`-client = yes`
			`-accept = 127.0.0.1:110`
			`-connect = pop.gmail.com:995`
			`-verifyChain = yes`
			`-CApath = /etc/ssl/certs`
			`-checkHost = pop.gmail.com`
			`-OCSPaia = yes`
			`+;[gmail-pop3]`
			`+;client = yes`
			`+;accept = 127.0.0.1:110`
			`+;connect = pop.gmail.com:995`
			`+;verifyChain = yes`
			`+;CApath = ${SYSCONFDIR}/ssl/certs`
			`+;checkHost = pop.gmail.com`
			`+;OCSPaia = yes`

			`-[gmail-imap]`
			`-client = yes`
			`-accept = 127.0.0.1:143`
			`-connect = imap.gmail.com:993`
			`-verifyChain = yes`
			`-CApath = /etc/ssl/certs`
			`-checkHost = imap.gmail.com`
			`-OCSPaia = yes`
			`+;[gmail-imap]`
			`+;client = yes`
			`+;accept = 127.0.0.1:143`
			`+;connect = imap.gmail.com:993`
			`+;verifyChain = yes`
			`+;CApath = ${SYSCONFDIR}/ssl/certs`
			`+;checkHost = imap.gmail.com`
			`+;OCSPaia = yes`

			`-[gmail-smtp]`
			`-client = yes`
			`-accept = 127.0.0.1:25`
			`-connect = smtp.gmail.com:465`
			`-verifyChain = yes`
			`-CApath = /etc/ssl/certs`
			`-checkHost = smtp.gmail.com`
			`-OCSPaia = yes`
			`+;[gmail-smtp]`
			`+;client = yes`
			`+;accept = 127.0.0.1:25`
			`+;connect = smtp.gmail.com:465`
			`+;verifyChain = yes`
			`+;CApath = ${SYSCONFDIR}/ssl/certs`
			`+;checkHost = smtp.gmail.com`
			`+;OCSPaia = yes`

			`; Encrypted HTTP proxy authenticated with a client certificate`
			`; located in a cryptographic token`
			`@@ -101,12 +102,12 @@ OCSPaia = yes`
			`;[pop3s]`
			`;accept = 995`
			`;connect = 110`
			`-;cert = @sysconfdir@/stunnel/stunnel.pem`
			`+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem`

			`;[imaps]`
			`;accept = 993`
			`;connect = 143`
			`-;cert = @sysconfdir@/stunnel/stunnel.pem`
			`+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem`

			`; Either only expose this service to trusted networks, or require`
			`; authentication when relaying emails originated from loopback.`
			`@@ -114,29 +115,29 @@ OCSPaia = yes`
			`;[ssmtp]`
			`;accept = 465`
			`;connect = 25`
			`-;cert = @sysconfdir@/stunnel/stunnel.pem`
			`+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem`

			`; TLS front-end to a web server`
			`;[https]`
			`;accept = 443`
			`;connect = 80`
			`-;cert = @sysconfdir@/stunnel/stunnel.pem`
			`+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem`
			`; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel`
			`; Microsoft implementations do not use TLS close-notify alert and thus they`
			`; are vulnerable to truncation attacks`
			`;TIMEOUTclose = 0`

			`; Remote shell protected with PSK-authenticated TLS`
			`-; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs`
			`+; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs`
			`;[shell]`
			`;accept = 1337`
			`;exec = /bin/sh`
			`;execArgs = sh -i`
			`-;PSKsecrets = @sysconfdir@/stunnel/secrets.txt`
			`+;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt`

			`; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket`
			`;[mysql]`
			`-;cert = @sysconfdir@/stunnel/stunnel.pem`
			`+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem`
			`;accept = 3307`
			`;connect = /run/mysqld/mysqld.sock`