stunnel 5.01, latest version for OpenWRT
As of April 16 2014, the latest upstream version of stunnel is 5.01. The version in OpenWRT's package repository is 4.33. (Here's a handy website to track upstream vs. OpenWRT versions of packages.)
Separating these two versions are many bugfixes and 2 CVEs: CVE-2013-1762 and CVE-2014-0016.
Running software with known vulnerabilities is a bad idea (citation needed). Therefore I compiled the latest version of stunnel for my router.
Download and Compile
You can grab the Makefile and other package definition files here.
Put the stunnel directory somewhere under the packages/ directory under your OpenWRT buildroot and execute
make packages/path/to/stunnel/compile
If all goes well, you should see the compiled package under bin/.
I compiled this successfully against the latest trunk buildroot; here's the binary package for target ar71xx, and it seems to run fine on my Netgear WNDRMACv2.
Changes
Compared to version 4.33 in OpenWRT feeds, the following are changed for 5.01:
- Source code of version 5.01 is downloaded and compiled instead of 4.33. Obviously.
- A dependence on libpthread is added. The compiled binary somehow depends on libpthread, even though during ./configure the option --with-threads=fork is specified. I'm not sure whether this is proper behavior, but haven't investigated further.
- Most patches removed since the code snippets they act on aren't around anymore.
- Changed the patches that act on the default stunnel.conf to match that in the new version.
- Changed stunnel.init to remove checking for stunnel.pem on start and generating certificate and keys if that file doesn't exist. I like putting my certificates elsewhere, and the key generator didn't even work anyways.
Possible bug?
In the compiled binary package, the default stunnel.conf file has a line setgid = nobody. This group does not exist on my OpenWRT installation; the proper group should be nogroup. IIRC the same applies to the official 4.33 binary package.
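A check for the mismatch described above, as an added example that is not part of the original post: it reads the active setuid/setgid values from an stunnel.conf and verifies them against passwd and group files. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the post): check that the setuid/setgid values in an
# stunnel.conf name accounts that exist. File paths are arguments so the same
# check works on a live router or on an unpacked rootfs.

# Print the last active (uncommented) value assigned to KEY in FILE.
conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*[;#]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); val = v }
        END { print val }' "$2"
}

# Succeed if NAME_OR_ID matches column 1 (name) or column 3 (numeric id) of DB.
id_exists() {
    awk -F: -v n="$1" '$1 == n || $3 == n { ok = 1 } END { exit !ok }' "$2"
}

# check_stunnel_ids CONF [PASSWD] [GROUP]; returns 1 if an account is missing.
check_stunnel_ids() {
    rc=0
    uid=$(conf_value setuid "$1")
    gid=$(conf_value setgid "$1")
    if [ -n "$uid" ] && ! id_exists "$uid" "${2:-/etc/passwd}"; then
        echo "setuid = $uid: no such user"; rc=1
    fi
    if [ -n "$gid" ] && ! id_exists "$gid" "${3:-/etc/group}"; then
        echo "setgid = $gid: no such group"; rc=1
    fi
    return $rc
}

# Constructed sample files modelled on the situation described above.
write_sample() {
    printf '; setgid = nogroup\nsetuid = nobody\nsetgid = nobody\n' > "$1/stunnel.conf"
    printf 'root:x:0:0:root:/root:/bin/ash\nnobody:*:65534:65534:nobody:/var:/bin/false\n' > "$1/passwd"
    printf 'root:x:0:\nnogroup:x:65534:\n' > "$1/group"
}

d=$(mktemp -d)
write_sample "$d"
check_stunnel_ids "$d/stunnel.conf" "$d/passwd" "$d/group" || echo "fix stunnel.conf before starting the service"
rm -rf "$d"
```

On a router, calling check_stunnel_ids with only the path to the installed stunnel.conf checks against /etc/passwd and /etc/group.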
Final Notes
The files linked in the Download and Compile section are released under GPLv2.
I am not responsible for any possible loss/consequences of using these instructions and files. Use at your own risk.