Package: stunnel4
Version: 3:5.73-1
Severity: minor

* What led up to the situation?
Checking for defects with

  test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -ww -b -z < "man page"

[Use "grep -e ' $' <file>" to find trailing spaces.]

["test-groff" is a script in the repository for "groff"; it is not shipped]
(local copy and "troff" slightly changed by me).

[The fate of "test-nroff" was decided in groff bug #55941.]

* What was the outcome of this action?

troff: backtrace: '<stdin>':11: macro 'Vb'
troff: backtrace: file '<stdin>':336
troff:<stdin>:336: warning: font name 'CW' is deprecated
troff: backtrace: file '<stdin>':440
troff:<stdin>:440: warning: [page 5, 9.1i]: cannot break line

Output from "test-nroff -mandoc -t -K utf8 -rF0 -rHY=0 -ww -b -z ":

troff: backtrace: file '<stdin>':440
troff:<stdin>:440: warning: [page 6, line 27]: cannot break line
troff: backtrace: file '<stdin>':755
troff:<stdin>:755: warning: [page 10, line 41]: cannot break line

* What outcome did you expect instead?

No output (no warnings).

-.-

General remarks and further material, if a diff-file exists, are in the attachments.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.11.7-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages stunnel4 depends on:
ii  adduser                     3.137
ii  init-system-helpers         1.67
ii  libc6                       2.40-3
ii  libssl3t64                  3.3.2-2
ii  libsystemd0                 256.7-3
ii  libwrap0                    7.6.q-33+b1
ii  netbase                     6.4
ii  openssl                     3.3.2-2
ii  perl                        5.40.0-7
ii  systemd [systemd-sysusers]  256.7-3

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- no debconf information
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)

  [gn]roff -mandoc -t -ww -b -z -K utf8 <man page>

The same goes for man pages that are used as an input.

For a style guide use

  mandoc -T lint

-.-

So any 'generator' should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.

This is just a simple quality control measure.

The 'generator' may have to be corrected to get a better man page,
the source file may, and any additional file may.

Common defects:

Input text line longer than 80 bytes.

Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.

Not beginning each input sentence on a new line.
Lines should thus be shorter.

See man-pages(7), item 'semantic newline'.

-.-

The difference between the formatted output of the original and patched
file can be seen with:

  nroff -mandoc <file1> > <out1>
  nroff -mandoc <file2> > <out2>
  diff -u <out1> <out2>

and for groff, using

  printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z -

instead of 'nroff -mandoc'.

Add the option '-t', if the file contains a table.

Read the output of 'diff -u' with 'less -R' or similar.

-.-.

If 'man' (man-db) is used to check the manual for warnings,
the following must be set:

The option "-warnings=w"

The environmental variable:

  export MAN_KEEP_STDERR=yes (or any non-empty value)

or (produce only warnings):

  export MANROFFOPT="-ww -b -z"
  export MAN_KEEP_STDERR=yes (or any non-empty value)

-.-.

Output from "mandoc -T lint stunnel4.8": (shortened list)

      5 empty block
     32 input text line longer than 80 bytes

-.-.

Output from "test-groff -mandoc -t -ww -b -z stunnel4.8": (shortened list)

      1 cannot break line
      1 font name 'CW' is deprecated

-.-.
Strings longer than 3/4 of a standard line length (80)

Use "\:" to split the string at the end of an output line, for example
long URLs (web addresses)

440 default: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
755 \&\fIhttp://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982\fR
762 \&\fIhttps://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt\fR
869 \&\fIhttp://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html\fR

-.-.

Add a comma (or \&) after "e.g." and "i.e.", or use English words
(man-pages(7)).
Abbreviation points should be protected against being interpreted as
an end of sentence, if they are not, and that independent of the
current place on the line.

172:Some other functions may need devices, e.g. /dev/zero or /dev/null.
675:internal (e.g. corporate) responders, and not on public OCSP responders.
993:be redirected. The pattern may start with the '*' character, e.g.

-.-.

Wrong distance between sentences in the input file.

Separate the sentences and subordinate clauses; each begins on a new
line.  See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").

The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.

Remember coding:

Only one command ("sentence") on each (logical) line.

E-mail: Easier to quote exactly the relevant lines.

Generally: Easier to edit the sentence.

Patches: Less unaffected text.

Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.

The amount of space between sentences in the output can then be
controlled with the ".ss" request.

79:servers. The concept is that having non-TLS aware daemons running on
172:Some other functions may need devices, e.g. /dev/zero or /dev/null.
476:\&\fIverifyChain\fR and \fIverifyPeer\fR options. Note that the CRLs in this directory
610:The files are included in the ascending alphabetical order of their names. The
675:internal (e.g. corporate) responders, and not on public OCSP responders.
901:The security level corresponds to a minimum of 80 bits of security. Any
902:parameters offering below 80 bits of security are excluded. As a result RSA,
904:prohibited. All export cipher suites are prohibited since they all offer less
905:than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using
909:Security level set to 112 bits of security. As a result RSA, DSA and DH keys
910:shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In
912:prohibited. SSL version 3 is also not allowed. Compression is disabled.
915:Security level set to 128 bits of security. As a result RSA, DSA and DH keys
916:shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. In
918:are prohibited. TLS versions below 1.1 are not permitted. Session tickets are
922:Security level set to 192 bits of security. As a result RSA, DSA and DH keys
924:Cipher suites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are
928:Security level set to 256 bits of security. As a result RSA, DSA and DH keys
1230:\& \-m ! \-\-uid\-owner <stunnel_user_id> \e
1534:to the peer. It also needs a private key to decrypt the incoming
1535:data. The easiest way to obtain a certificate and a key is to
1536:generate them with the free \fBOpenSSL\fR package. You can find more
1574:(mouse movements, creating windows, etc.) the screen contents are not

-.-.

Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.

Line 83, length 87
\&\fBstunnel\fR can be used to add \fITLS\fR functionality to commonly used \fIInetd\fR

Line 160, length 94
\&\fBchroot\fR keeps \fBstunnel\fR in a chrooted jail. \fICApath\fR, \fICRLpath\fR, \fIpid\fR

Line 232, length 82
This option allows you to disable entering FIPS mode if \fBstunnel\fR was compiled

Line 303, length 81
The specified service name is used for syslog and as the \fIinetd\fR mode service

Line 362, length 81
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR

Line 436, length 102
The \fIciphersuites\fR option ignores unknown ciphers when compiled with \fBOpenSSL 3.0.0\fR or later.

Line 440, length 83
default: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

Line 450, length 81
The \fBOpenSSL\fR configuration command is executed with the specified parameter.

Line 455, length 82
Several \fIconfig\fR lines can be used to specify multiple configuration commands.

Line 476, length 86
\&\fIverifyChain\fR and \fIverifyPeer\fR options. Note that the CRLs in this directory

Line 480, length 82
c_rehash the directory on upgrade from \fBOpenSSL 0.x.x\fR to \fBOpenSSL 1.x.x\fR.

Line 548, length 81
While the \fIdebug = debug\fR or \fIdebug = 7\fR level generates the most verbose

Line 690, length 88
\&\fR\f(BISSL_CTX_set_options\fR\fI\|(3ssl)\fR manual, but without \fISSL_OP_\fR prefix.

Line 712, length 83
Use \fIsslVersionMax\fR or \fIsslVersionMin\fR option instead of disabling specific

Line 720, length 84
The \fIprotocol\fR option should not be used with TLS encryption on a separate port.
Line 738, length 114
Based on RFC 2817 \- \fIUpgrading to TLS Within HTTP/1.1\fR, section 5.2 \- \fIRequesting a Tunnel with CONNECT\fR

Line 746, length 109
Based on RFC 2830 \- \fILightweight Directory Access Protocol (v3): Extension for Transport Layer Security\fR

Line 749, length 106
Based on RFC 4642 \- \fIUsing Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)\fR

Line 810, length 82
For the 'connect' protocol negotiations, \fIprotocolHost\fR specifies HOST:PORT of

Line 812, length 84
directly connected by \fBstunnel\fR must be specified with the \fIconnect\fR option.

Line 814, length 81
For the 'smtp' protocol negotiations, \fIprotocolHost\fR controls the client SMTP

Line 832, length 83
\&\fIPSKidentity\fR can be used on \fBstunnel\fR clients to select the PSK identity

Line 935, length 98
The \fIsecurityLevel\fR option is only available when compiled with \fBOpenSSL 1.1.0\fR and later.

Line 944, length 86
Both \fIverifyChain = yes\fR and \fIverifyPeer = yes\fR imply \fIrequireCert = yes\fR.

Line 951, length 82
As a global option: \fBsetgid()\fR to the specified group in daemon mode and clear

Line 968, length 83
\&\fIsessionCacheSize\fR specifies the maximum number of the internal session cache

Line 991, length 82
\&\fISERVICE_NAME\fR specifies the primary service that accepts client connections

Line 992, length 83
with the \fIaccept\fR option. \fISERVER_NAME_PATTERN\fR specifies the host name to

Line 1001, length 84
The \fIconnect\fR option of the secondary service is ignored when the \fIprotocol\fR

Line 1009, length 81
The \fIsni\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and

Line 1018, length 81
The \fIsni\fR option is only available when compiled with \fBOpenSSL 1.0.0\fR and

Line 1112, length 83
Combining \fIticketKeySecret\fR and \fIticketMacSecret\fR options allow to resume a

Line 1189, length 85
\&\fBstunnel\fR must also to be executed as root and without the \fIsetuid\fR option.
Line 1192, length 86
This configuration requires the kernel to be compiled with the \fItransparent proxy\fR

Line 1197, length 85
\&\fBstunnel\fR must also to be executed as root and without the \fIsetuid\fR option.

Line 1201, length 85
\&\fBstunnel\fR must also to be executed as root and without the \fIsetuid\fR option.

Line 1237, length 83
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT

Line 1238, length 82
\& /sbin/iptables \-t nat \-I PREROUTING \-p tcp \-\-dport <redirected_port> \e

Line 1333, length 89
The use of the 'setuid' option will also prevent \fBstunnel\fR from binding to privileged

Line 1336, length 86
When the 'chroot' option is used, \fBstunnel\fR will look for all its files (including

Line 1337, length 86
the configuration file, certificates, the log file and the pid file) within the chroot

Line 1453, length 87
An example of advanced engine configuration allows for authentication with private keys

Line 1456, length 88
The client key is automatically selected based on the list of CAs trusted by the server.

Line 1520, length 83
\& imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf

Line 1587, length 82
\&\fBOpenSSL\fR is likely to use it even though it is listed at the very bottom of

Line 1591, length 84
\&\fBstunnel\fR 4.40 and later contains hardcoded 2048\-bit DH parameters. Starting

Line 1592, length 82
with \fBstunnel\fR 5.18, these hardcoded DH parameters are replaced every 24 hours

-.-.

Add a zero (0) in front of a decimal fraction that begins with a period (.)

7:.if t .sp .5v

-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -ww -b -z ":

troff: backtrace: '<stdin>':11: macro 'Vb'
troff: backtrace: file '<stdin>':336
troff:<stdin>:336: warning: font name 'CW' is deprecated
troff: backtrace: file '<stdin>':440
troff:<stdin>:440: warning: [page 5, 9.1i]: cannot break line

Output from "test-nroff -mandoc -t -K utf8 -rF0 -rHY=0 -ww -b -z ":

troff: backtrace: file '<stdin>':440
troff:<stdin>:440: warning: [page 6, line 27]: cannot break line
troff: backtrace: file '<stdin>':755
troff:<stdin>:755: warning: [page 10, line 41]: cannot break line
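The input-file defects the report enumerates (lines longer than 80 bytes, trailing spaces, a new sentence not starting a new input line, "e.g."/"i.e." not followed by a comma or "\&", strings longer than 3/4 of a line, and fractions such as ".5" without a leading zero) can be screened in the source before the formatter is run. The script below is an added example written for this page; it is not part of the bug report, of stunnel4, or of groff/mandoc, and its function names, thresholds and regexes are its own. The sample lines inside it are constructed, modelled on lines the report quotes from stunnel4.8, and are not the real man page. It is a heuristic complement to the `[gn]roff -mandoc -t -ww -b -z -K utf8` and `mandoc -T lint` runs, not a replacement for them: prose inside macro arguments is not examined, and "Dr. Smith"-style abbreviations will be reported as sentence ends.

```python
"""Heuristic lint for *roff man page sources.

Added example for this page, not code from the bug report, stunnel4,
groff or mandoc: it screens an input file for the defects the report
lists so that they can be fixed before the formatter runs.  Names,
thresholds and the sample lines below are this example's own.
"""
import re
import sys
from typing import Dict, Iterable, List, Tuple

MAX_LINE_BYTES = 80
MAX_STRING_LEN = 60   # 3/4 of a standard 80-column line

# "e.g."/"i.e." not followed by "," or "\&": troff treats the final
# period as a sentence end when a space follows it or the line ends.
_ABBREV_RE = re.compile(r"\b(?:e\.g|i\.e)\.(?!,|\\&)(?=\s|$)")
# Sentence end followed by more prose on the same input line.
_MID_LINE_SENTENCE_RE = re.compile(r'[.?!]["\')]?\s+(?=[A-Z])')
# A fraction written ".5" (no leading zero) inside a request's arguments.
_BARE_FRACTION_RE = re.compile(r"(?<![\w.])\.\d")

Finding = Tuple[int, str, str]   # (line number, check name, input line)


def _strip_escapes(text: str) -> str:
    """Drop \\fX / \\f(XX font changes and the \\& no-op so that token
    lengths approximate what the reader sees."""
    return re.sub(r"\\f(\(..|.)", "", text).replace("\\&", "")


def lint_line(lineno: int, line: str) -> List[Finding]:
    """Run every check against one input line (newline already removed)."""
    found: List[Finding] = []
    if len(line.encode("utf-8")) > MAX_LINE_BYTES:
        found.append((lineno, "line longer than 80 bytes", line))
    if line != line.rstrip(" \t"):
        found.append((lineno, "trailing whitespace", line))
    if line.startswith((".", "'")):
        # Request or macro line: only its arguments are checked, for
        # ".5"-style fractions; prose inside macro arguments is skipped.
        if _BARE_FRACTION_RE.search(line):
            found.append((lineno, "decimal fraction without leading zero", line))
        return found
    if _ABBREV_RE.search(line):
        found.append((lineno, "unprotected e.g./i.e.", line))
    if _MID_LINE_SENTENCE_RE.search(line):
        found.append((lineno, "new sentence not on a new line", line))
    if any(len(tok) > MAX_STRING_LEN for tok in _strip_escapes(line).split()):
        found.append((lineno, "string longer than 3/4 line (use \\:)", line))
    return found


def lint_source(text: str) -> List[Finding]:
    """Lint a whole file; findings come back in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(lint_line(lineno, line))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per check, like the 'shortened list' in the report."""
    counts: Dict[str, int] = {}
    for _, check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


# Constructed sample, modelled on lines the report quotes from stunnel4.8
# (not the real page); the comment on each line names the expected finding.
SAMPLE_LINES = [
    r'.TH STUNNEL 8 "2024.11.23" "5.73" "stunnel TLS Proxy"',                 # clean
    r".if t .sp .5v",                                                           # bare fraction
    r".SH DESCRIPTION",                                                         # clean
    r"The \fBstunnel\fR program is designed to work as a \fITLS\fR encryption wrapper between remote",  # > 80 bytes
    r"servers. The concept is that having non-TLS aware daemons running on",   # mid-line sentence
    r"Some other functions may need devices, e.g. /dev/zero or /dev/null.",    # unprotected e.g.
    r"internal (e.g.\& corporate) responders, and not on public OCSP responders.",  # protected: clean
    r"default: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256",  # long line + long string
    r"The files are included in the ascending alphabetical order of their names. ",  # trailing space
    r"Read it with care.",                                                      # clean
]


def main(argv: List[str]) -> int:
    """Lint the file named on the command line, or the sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            findings = lint_source(fh.read())
    else:
        findings = lint_source("\n".join(SAMPLE_LINES))
    for lineno, check, text in findings:
        print(f"{lineno}: {check}: {text}")
    for check, count in sorted(summarize(findings).items()):
        print(f"{count:7d} {check}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 manlint.py stunnel4.8` (the file name is this example's own) and it exits non-zero when anything is found, which makes it usable as a pre-commit or packaging check; the per-check totals at the end mirror the "shortened list" style of the mandoc and test-groff output quoted above.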