Package: stunnel4
Version: 3:5.74-2
Severity: minor
Tags: patch
* What led up to the situation?
Checking for defects with a new version
test-[g|n]roff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z < "man page"
[Use "groff -e ' $' -e '\\~$' <file>" to find obvious trailing spaces.]
["test-groff" is a script in the repository for "groff"; is not shipped]
(local copy and "troff" slightly changed by me).
[The fate of "test-nroff" was decided in groff bug #55941.]
* What was the outcome of this action?
an.tmac:<stdin>:73: style: 4 leading space(s) on input line
an.tmac:<stdin>:74: style: 4 leading space(s) on input line
troff:<stdin>:336: warning: font name 'CW' is deprecated
troff:<stdin>:440: warning: [page 5, 9.1i]: cannot break line
* What outcome did you expect instead?
No output (no warnings).
-.-
General remarks and further material, if a diff-file exists, are in the
attachments.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.12-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1),
LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages stunnel4 depends on:
ii adduser 3.137
ii init-system-helpers 1.68
ii libc6 2.40-7
ii libssl3t64 3.4.1-1
ii libsystemd0 257.3-1
ii libwrap0 7.6.q-36
ii netbase 6.4
ii openssl 3.4.1-1
ii perl 5.40.1-2
ii systemd [systemd-sysusers] 257.3-1
stunnel4 recommends no packages.
Versions of packages stunnel4 suggests:
pn logcheck-database <none>
-- no debconf information
Input file is stunnel4.8
Output from "mandoc -T lint stunnel4.8": (shortened list)
5 empty block: RS
1 input text line longer than 80 bytes: An example of advanc...
1 input text line longer than 80 bytes: As a global option: ...
1 input text line longer than 80 bytes: Based on RFC 2817 \-...
1 input text line longer than 80 bytes: Based on RFC 2830 \-...
1 input text line longer than 80 bytes: Based on RFC 4642 \-...
1 input text line longer than 80 bytes: Both \fIverifyChain ...
1 input text line longer than 80 bytes: Combining \fIticketK...
1 input text line longer than 80 bytes: For the 'connect' pr...
1 input text line longer than 80 bytes: For the 'smtp' proto...
1 input text line longer than 80 bytes: Several \fIconfig\fR...
1 input text line longer than 80 bytes: The \fBOpenSSL\fR co...
1 input text line longer than 80 bytes: The \fIciphersuites\...
1 input text line longer than 80 bytes: The \fIconnect\fR op...
1 input text line longer than 80 bytes: The \fIprotocol\fR o...
1 input text line longer than 80 bytes: The \fIsecurityLevel...
2 input text line longer than 80 bytes: The \fIsni\fR option...
1 input text line longer than 80 bytes: The client key is au...
1 input text line longer than 80 bytes: The specified servic...
1 input text line longer than 80 bytes: The use of the 'setu...
1 input text line longer than 80 bytes: This configuration r...
1 input text line longer than 80 bytes: This option allows y...
1 input text line longer than 80 bytes: Use \fIsslVersionMax...
1 input text line longer than 80 bytes: When the 'chroot' op...
1 input text line longer than 80 bytes: While the \fIdebug =...
2 input text line longer than 80 bytes: c_rehash the directo...
1 input text line longer than 80 bytes: default: TLS_CHACHA2...
1 input text line longer than 80 bytes: directly connected b...
1 input text line longer than 80 bytes: the configuration fi...
1 input text line longer than 80 bytes: with \fBstunnel\fR 5...
1 input text line longer than 80 bytes: with the \fIaccept\f...
-.-.
Output from "test-groff -mandoc -t -ww -z stunnel4.8": (shortened list)
1 cannot break line
1 font name 'CW' is deprecated
-.-.
Show if Pod::Man generated this.
Who is actually creating this man page? Debian or upstream?
Is the generating software out of date?
2:.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
-.-.
Remove space in the first column, if not indented.
Use ".in +<number>n" and ".in" to end it; ".nf" and ".fi" to end
it, for an extra indention.
stunnel4.8:73: \-reload | \-reopen | \-exit ] [\-quiet] [FILE] ] |
stunnel4.8:74: \-help | \-version | \-sockets | \-options
-.-.
Strings longer than 3/4 of a standard line length (80)
Use "\:" to split the string at the end of an output line, for example a
long URL (web address)
440 default:
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
755
\&\fIhttp://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982\fR
762 \&\fIhttps://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt\fR
869 \&\fIhttp://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html\fR
-.-.
Add a "\&" (or a comma (Oxford comma)) after "e.g." and "i.e.",
or use English words
(man-pages(7)).
Abbreviation points should be marked as such and protected against being
interpreted as an end of sentence, if they are not, and that independent
of the current place on the line.
172:Some other functions may need devices, e.g. /dev/zero or /dev/null.
675:internal (e.g. corporate) responders, and not on public OCSP responders.
995:be redirected. The pattern may start with the '*' character, e.g.
-.-.
Wrong distance between sentences in the input file.
Separate the sentences and subordinate clauses; each begins on a new
line. See man-pages(7) ("Conventions for source file layout") and
"info groff" ("Input Conventions").
The best procedure is to always start a new sentence on a new line,
at least, if you are typing on a computer.
Remember coding: Only one command ("sentence") on each (logical) line.
E-mail: Easier to quote exactly the relevant lines.
Generally: Easier to edit the sentence.
Patches: Less unaffected text.
Search for two adjacent words is easier, when they belong to the same line,
and the same phrase.
The amount of space between sentences in the output can then be
controlled with the ".ss" request.
Mark a final abbreviation point as such by suffixing it with "\&".
Some sentences (etc.) do not begin on a new line.
Split (sometimes) lines after a punctuation mark; before a conjunction.
N.B.
The number of lines affected can be too large to be in a patch.
Lines with only one (or two) space(s) between sentences could be split,
so latter sentences begin on a new line.
Use
#!/usr/bin/sh
sed -e '/^\./n' \
-e 's/\([[:alpha:]]\)\. */\1.\n/g' "$1"
to split lines after a sentence period.
Check result with the difference between the formatted outputs.
See also the attachment "general.bugs"
[List of affected lines removed.]
-.-.
Split lines longer than 80 characters into two or more lines.
Appropriate break points are the end of a sentence and a subordinate
clause; after punctuation marks.
Add "\:" to split the string for the output, "\<newline>" in the source.
[List of affected lines removed.]
-.-
Add a zero (0) in front of a decimal fraction that begins with a period (.)
7:.if t .sp .5v
-.-.
Put a parenthetical sentence, phrase on a separate line,
if not part of a code.
See man-pages(7), item "semantic newline".
[List of affected lines removed.]
-.-
Use ".na" (no adjustment) instead of ".ad l" (and ".ad" to begin the
same adjustment again as before).
61:.if n .ad l
-.-.
Add lines to use the CR font for groff instead of CW.
.if t \{\
. ie \n(.g .ft CR
. el .ft CW
.\}
11:.ft CW
-.-.
Section headings (.SH and .SS) do not need quoting.
134:.SH "CONFIGURATION FILE"
154:.SS "GLOBAL OPTIONS"
318:.SS "SERVICE-LEVEL OPTIONS"
1310:.SH "RETURN VALUE"
1509:.SS "INETD MODE"
1591:.SS "DH PARAMETERS"
1613:.SH "SEE ALSO"
-.-.
Output from "test-groff -mandoc -t -K utf8 -rF0 -rHY=0 -rCHECKSTYLE=10 -ww -z":
an.tmac:<stdin>:73: style: 4 leading space(s) on input line
an.tmac:<stdin>:74: style: 4 leading space(s) on input line
troff:<stdin>:336: warning: font name 'CW' is deprecated
troff:<stdin>:440: warning: [page 5, 9.1i]: cannot break line
-.-.
Additionally:
Add a space ( \&) and quotes to a textual argument for the .IP macro to avoid
a no-space between the argument and the following text.
-.-
Generally:
Split (sometimes) lines after a punctuation mark; before a conjunction.
--- stunnel4.8 2025-02-28 10:29:53.932608239 +0000
+++ stunnel4.8.new 2025-02-28 13:15:54.410274870 +0000
@@ -4,11 +4,14 @@
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
+.if t .sp 0.5v
.if n .sp
..
.de Vb \" Begin verbatim text
-.ft CW
+.if t \{\
+. ie \n(.g .ft CR
+. el .ft CW
+.\}
.nf
.ne \\$1
..
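Review bot: The `.de Sp` and `.de Vb` definitions changed here belong to the generated preamble: line 2 of the file, quoted in the report, reads "Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)", so edits made to stunnel4.8 itself are lost the next time the page is regenerated. The `0.5v` and `CR` changes would have to land in the generator or in a post-processing step of the package build. Note also that the removed `.ft CW` was unconditional, while the replacement only selects a font under `.if t`.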
@@ -52,13 +55,27 @@
. \}
.\}
.rr rF
+.
+.\" Define a fallback for font CW with
+.if t \{\
+. ie \n(.g .ds fC \f(CR
+. el .ds fC \f(CW
+. \}
+. ds fP \fP
+.\}
+.
+.if n \{\
+. ds fC \fR
+. ds fP \fP
+.\}
+.
.\" ========================================================================
.\"
.IX Title "stunnel 8"
.TH stunnel 8 2025.01.28 5.74 "stunnel4 TLS Proxy"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
-.if n .ad l
+.if n .na
.nh
.SH NAME
stunnel \- TLS offloading and load\-balancing proxy
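Review bot: The `.if t \{\` block added before `.IX Title` has one opening `\{` but two closing `\}` (the `. \}` after the `. el .ds fC \f(CW` line and the final `.\}`), because the `.ie`/`.el` lines open no block of their own. The first close ends the `.if t` body, so `. ds fP \fP` runs unconditionally and the last `.\}` is unmatched; dropping the `. \}` line balances it. The comment `Define a fallback for font CW with` also stops mid-sentence and should say what the fallback is.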
@@ -66,12 +83,14 @@ stunnel \- TLS offloading and load\-bala
.IX Header "SYNOPSIS"
.IP \fBUnix:\fR 4
.IX Item "Unix:"
-\&\fBstunnel\fR [FILE] | \-fd\ N | \-help | \-version | \-sockets | \-options
+\fBstunnel\fR [FILE] | \-fd\ N | \-help | \-version | \-sockets | \-options
.IP \fBWIN32:\fR 4
.IX Item "WIN32:"
\&\fBstunnel\fR [ [ \-install | \-uninstall | \-start | \-stop |
- \-reload | \-reopen | \-exit ] [\-quiet] [FILE] ] |
- \-help | \-version | \-sockets | \-options
+.if n .in +4n
+\-reload | \-reopen | \-exit ] [\-quiet] [FILE] ] |
+\-help | \-version | \-sockets | \-options
+.if n .in -4n
.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBstunnel\fR program is designed to work as \fITLS\fR encryption wrapper
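Review bot: In the WIN32 synopsis, the two removed continuation lines each began with spaces, which forced a line break before `\-reload` and before `\-help`; the replacement only breaks once, through `.in +4n`, and only under `.if n`. In troff output all three lines are now filled into one paragraph with no indent, and in nroff output `\-help | \-version ...` no longer starts its own line. Use an unconditional `.in +4n` / `.in` pair with a `.br` between the two lines, or `.nf`/`.fi` as the report text itself suggests. The `\&` is also dropped from the Unix line while the WIN32 line keeps `\&\fBstunnel\fR`.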
@@ -131,7 +150,7 @@ Exit an already started stunnel
.IP "\fB\-quiet\fR (Win32 only)" 4
.IX Item "-quiet (Win32 only)"
Don't display any message boxes
-.SH "CONFIGURATION FILE"
+.SH CONFIGURATION FILE
.IX Header "CONFIGURATION FILE"
Each line of the configuration file can be either:
.IP \(bu 4
@@ -151,7 +170,7 @@ A colon-separated pair of IP address (ei
port number.
.IP \(bu 4
A Unix socket path (Unix only).
-.SS "GLOBAL OPTIONS"
+.SS GLOBAL OPTIONS
.IX Subsection "GLOBAL OPTIONS"
.IP "\fBchroot\fR = DIRECTORY (Unix only)" 4
.IX Item "chroot = DIRECTORY (Unix only)"
@@ -169,9 +188,7 @@ Delayed resolver typically needs /etc/ns
.IP \(bu 4
Local time in log files needs /etc/timezone.
.IP \(bu 4
-Some other functions may need devices, e.g. /dev/zero or /dev/null.
-.RE
-.RS 4
+Some other functions may need devices, e.g.\& /dev/zero or /dev/null.
.RE
.IP "\fBcompression\fR = deflate | zlib" 4
.IX Item "compression = deflate | zlib"
@@ -315,7 +332,7 @@ default: yes
enable the taskbar icon
.Sp
default: yes
-.SS "SERVICE-LEVEL OPTIONS"
+.SS SERVICE-LEVEL OPTIONS
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with a service name in square brackets.
The service name is used for libwrap (TCP Wrappers) access control and lets
@@ -437,7 +454,7 @@ The \fIciphersuites\fR option ignores un
.Sp
This option requires OpenSSL 1.1.1 or later.
.Sp
-default:
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
+default:
TLS_CHACHA20_POLY1305_SHA256:\:TLS_AES_256_GCM_SHA384:\:TLS_AES_128_GCM_SHA256
.IP "\fBclient\fR = yes | no" 4
.IX Item "client = yes | no"
client mode (remote service uses TLS)
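Review bot: The `\:` break points added to the `default:` ciphersuite string are a groff extension and are used unguarded, while the font change elsewhere in this patch is wrapped in an `\n(.g` test so that other troff implementations still get `CW`. Either treat the page as groff-only throughout or state in the report that `\:` is assumed to be supported by every formatter the page targets.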
@@ -514,20 +531,20 @@ connections.
.Sp
Currently supported types:
.RS 4
-.IP \fIsequential\fR 4
+.IP \fIsequential\fR 3
.IX Item "sequential"
The numeric sequential identifier is only unique within a single instance of
\&\fBstunnel\fR, but very compact. It is most useful for manual log analysis.
-.IP \fIunique\fR 4
+.IP \fIunique\fR 3
.IX Item "unique"
This alphanumeric identifier is globally unique, but longer than the sequential
number. It is most useful for automated log analysis.
-.IP \fIthread\fR 4
+.IP \fIthread\fR 3
.IX Item "thread"
The operating system thread identifier is neither unique (even within a single
instance of \fBstunnel\fR) nor short. It is most useful for debugging software
or configuration issues.
-.IP \fIprocess\fR 4
+.IP \fIprocess\fR 3
.IX Item "process"
The operating system process identifier (PID) may be useful in the inetd mode.
.RE
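Review bot: The `.IP` indent argument changes from 4 to 3 on `sequential`, `unique`, `thread` and `process`, but none of the diagnostics listed in the report (leading spaces, font `CW`, cannot break line, mandoc lint) concerns the indent. The same 4 to 3 change recurs in later hunks, while other `.IP` lines such as `.IP "\fBcompression\fR = deflate | zlib" 4` stay at 4, so the option list ends up with mixed indents. Please drop these changes or explain them in the report.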
@@ -535,7 +552,7 @@ The operating system process identifier
.Sp
default: sequential
.RE
-.IP "\fBdebug\fR = LEVEL" 4
+.IP "\fBdebug\fR = LEVEL" 3
.IX Item "debug = LEVEL"
debugging level
.Sp
@@ -549,7 +566,7 @@ While the \fIdebug = debug\fR or \fIdebu
output, it is only intended to be used by stunnel developers. Please only use
this value if you are a developer, or you intend to send your logs to our
technical support. Otherwise, the generated logs \fBwill\fR be confusing.
-.IP "\fBdelay\fR = yes | no" 4
+.IP "\fBdelay\fR = yes | no" 3
.IX Item "delay = yes | no"
delay DNS lookup for the \fIconnect\fR option
.Sp
@@ -562,15 +579,15 @@ startup any of the \fIconnect\fR targets
Delayed resolver inflicts \fIfailover = prio\fR.
.Sp
default: no
-.IP "\fBengineId\fR = ENGINE_ID" 4
+.IP "\fBengineId\fR = ENGINE_ID" 3
.IX Item "engineId = ENGINE_ID"
select engine ID for the service
-.IP "\fBengineNum\fR = ENGINE_NUMBER" 4
+.IP "\fBengineNum\fR = ENGINE_NUMBER" 3
.IX Item "engineNum = ENGINE_NUMBER"
select engine number for the service
.Sp
The engines are numbered starting from 1.
-.IP "\fBexec\fR = EXECUTABLE_PATH" 4
+.IP "\fBexec\fR = EXECUTABLE_PATH" 3
.IX Item "exec = EXECUTABLE_PATH"
execute a local inetd-type program
.Sp
@@ -578,14 +595,14 @@ execute a local inetd-type program
.Sp
The following environmental variables are set on Unix platforms:
REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
-.ie n .IP "\fBexecArgs\fR = $0 $1 $2 ..." 4
-.el .IP "\fBexecArgs\fR = \f(CW$0\fR \f(CW$1\fR \f(CW$2\fR ..." 4
+.ie n .IP "\fBexecArgs\fR = $0 $1 $2 ..." 3
+.el .IP "\fBexecArgs\fR = \*(fC($0 $1 $2\*(fP ..." 3
.IX Item "execArgs = $0 $1 $2 ..."
arguments for \fIexec\fR including the program name ($0)
.Sp
Quoting is currently not supported.
Arguments are separated with an arbitrary amount of whitespace.
-.IP "\fBfailover\fR = rr | prio" 4
+.IP "\fBfailover\fR = rr | prio" 3
.IX Item "failover = rr | prio"
Failover strategy for multiple "connect" targets.
.RS 4
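Review bot: In the added `.el .IP` line for `execArgs`, `\*(fC($0` has a stray `(` after the string name, so troff output would show `($0 $1 $2` where the removed line showed `$0 $1 $2`. It should read `\*(fC$0 $1 $2\*(fP`.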
@@ -672,7 +689,7 @@ send and verify the OCSP nonce extension
.Sp
This option protects the OCSP protocol against replay attacks. Due to its
computational overhead, the nonce extension is usually only supported on
-internal (e.g. corporate) responders, and not on public OCSP responders.
+internal (e.g.\& corporate) responders, and not on public OCSP responders.
.IP "\fBOCSPrequire\fR = yes | no" 4
.IX Item "OCSPrequire = yes | no"
require a conclusive OCSP response
@@ -721,57 +738,57 @@ The \fIprotocol\fR option should not be
.Sp
Currently supported protocols:
.RS 4
-.IP \fIcifs\fR 4
+.IP \fIcifs\fR 3
.IX Item "cifs"
Proprietary (undocummented) extension of CIFS protocol implemented in Samba.
Support for this extension was dropped in Samba 3.0.0.
-.IP \fIcapwin\fR 4
+.IP \fIcapwin\fR 3
.IX Item "capwin"
http://www.capwin.org/ application support
-.IP \fIcapwinctrl\fR 4
+.IP \fIcapwinctrl\fR 3
.IX Item "capwinctrl"
http://www.capwin.org/ application support
.Sp
This protocol is only supported in client mode.
-.IP \fIconnect\fR 4
+.IP \fIconnect\fR 3
.IX Item "connect"
Based on RFC 2817 \- \fIUpgrading to TLS Within HTTP/1.1\fR, section 5.2 \-
\fIRequesting a Tunnel with CONNECT\fR
.Sp
This protocol is only supported in client mode.
-.IP \fIimap\fR 4
+.IP \fIimap\fR 3
.IX Item "imap"
Based on RFC 2595 \- \fIUsing TLS with IMAP, POP3 and ACAP\fR
-.IP \fIldap\fR 4
+.IP \fIldap\fR 3
.IX Item "ldap"
Based on RFC 2830 \- \fILightweight Directory Access Protocol (v3): Extension
for Transport Layer Security\fR
-.IP \fInntp\fR 4
+.IP \fInntp\fR 3
.IX Item "nntp"
Based on RFC 4642 \- \fIUsing Transport Layer Security (TLS) with Network News
Transfer Protocol (NNTP)\fR
.Sp
This protocol is only supported in client mode.
-.IP \fIpgsql\fR 4
+.IP \fIpgsql\fR 3
.IX Item "pgsql"
Based on
-\&\fIhttp://www.postgresql.org/docs/8.3/static/protocol\-flow.html#AEN73982\fR
-.IP \fIpop3\fR 4
+\&\fIhttp://www.postgresql.org/\:docs/\:8.3/\:static/\:protocol\-flow.html#AEN73982\fR
+.IP \fIpop3\fR 3
.IX Item "pop3"
Based on RFC 2449 \- \fIPOP3 Extension Mechanism\fR
-.IP \fIproxy\fR 4
+.IP \fIproxy\fR 3
.IX Item "proxy"
Passing of the original client IP address with HAProxy PROXY protocol version 1
-\&\fIhttps://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt\fR
-.IP \fIsmtp\fR 4
+\&\fIhttps://www.haproxy.org/\:download/\:1.8/\:doc/\:proxy\-protocol.txt\fR
+.IP \fIsmtp\fR 3
.IX Item "smtp"
Based on RFC 2487 \- \fISMTP Service Extension for Secure SMTP over TLS\fR
-.IP \fIsocks\fR 4
+.IP \fIsocks\fR 3
.IX Item "socks"
SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself
is encapsulated within TLS encryption layer to protect the final
destination address.
.Sp
-\&\fIhttp://www.openssh.com/txt/socks4.protocol\fR
+\fIhttp://www.openssh.com/\:txt/\:socks4.protocol\fR
.Sp
-\&\fIhttp://www.openssh.com/txt/socks4a.protocol\fR
+\fIhttp://www.openssh.com/\:txt/\:socks4a.protocol\fR
.Sp
The BIND command of the SOCKS protocol is not supported.
The USERID parameter is ignored.
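Review bot: The two `socks` URL lines lose their leading `\&` (`\fIhttp://www.openssh.com/\:txt/\:socks4.protocol\fR`), while the `pgsql` and `proxy` URL lines in the same hunk keep `\&\fIhttp...`. Nothing in the report asks for removing `\&`, so keep it on all of them and limit the change to the `\:` break points. Since the `cifs` entry is already being touched, the context line's "undocummented" could be corrected at the same time.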
@@ -779,8 +796,6 @@ The USERID parameter is ignored.
See Examples section for sample configuration files for VPN based on SOCKS
encryption.
.RE
-.RS 4
-.RE
.IP "\fBprotocolAuthentication\fR = AUTHENTICATION" 4
.IX Item "protocolAuthentication = AUTHENTICATION"
authentication type for the protocol negotiations
@@ -866,7 +881,7 @@ or re-keying long lasting connections.
On the other hand this feature can facilitate a trivial CPU-exhaustion
DoS attack:
.Sp
-\&\fIhttp://vincent.bernat.im/en/blog/2011\-ssl\-dos\-mitigation.html\fR
+\&\fIhttp://vincent.bernat.im/\:en/\:blog/\:2011\-ssl\-dos\-mitigation.html\fR
.Sp
Please note that disabling TLS renegotiation does not fully mitigate
this issue.
@@ -992,7 +1007,7 @@ Name Indication TLS extension (RFC 3546)
.Sp
\&\fISERVICE_NAME\fR specifies the primary service that accepts client
connections
with the \fIaccept\fR option. \fISERVER_NAME_PATTERN\fR specifies the host
name to
-be redirected. The pattern may start with the '*' character, e.g.
+be redirected. The pattern may start with the '*' character, e.g.\&
\&'*.example.com'. Multiple secondary services are normally specified for
a single primary service. The \fIsni\fR option can also be specified more than
once within a single secondary service.
@@ -1160,7 +1175,7 @@ enable transparent proxy support on sele
.Sp
Supported values:
.RS 4
-.IP \fInone\fR 4
+.IP "\fInone \&\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP \fIsource\fR 4
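Review bot: On the `none` item (and again on `both` in a later hunk) the tag is padded to `"\fInone \&\fR"`, which puts the extra space inside the italic span and leaves `.IX Item "none"` out of step with the tag. The missing gap between tag and text described under "Additionally" comes from a four-letter tag meeting an indent of 4, so raising the indent argument on these items would separate tag and text without altering the tag.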
@@ -1207,8 +1222,6 @@ This configuration works by pre-loading
_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
other platforms.
.RE
-.RS 4
-.RE
.IP \fIdestination\fR 4
.IX Item "destination"
The original destination is used instead of the \fIconnect\fR option.
@@ -1242,7 +1255,7 @@ For a connect target installed on a remo
.Ve
.Sp
The transparent destination option is currently only supported on Linux.
-.IP \fIboth\fR 4
+.IP "\fIboth \&\fR" 4
.IX Item "both"
Use both \fIsource\fR and \fIdestination\fR transparent proxy.
.RE
@@ -1256,8 +1269,6 @@ This option has been renamed to \fIsourc
.IX Item "no"
This option has been renamed to \fInone\fR.
.RE
-.RS 4
-.RE
.IP "\fBverify\fR = LEVEL" 4
.IX Item "verify = LEVEL"
verify the peer certificate
@@ -1286,8 +1297,6 @@ certificate against a locally installed
.IX Item "default"
No verify.
.RE
-.RS 4
-.RE
.IP "\fBverifyChain\fR = yes | no" 4
.IX Item "verifyChain = yes | no"
verify the peer certificate chain starting from the root CA
@@ -1307,7 +1316,7 @@ The end-entity (leaf) peer certificate n
specified with \fICAfile\fR, or in the directory specified with \fICApath\fR.
.Sp
default: no
-.SH "RETURN VALUE"
+.SH RETURN VALUE
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
.SH SIGNALS
@@ -1506,7 +1515,7 @@ corresponding private key from a SoftHSM
\&\fBstunnel\fR cannot be used for the FTP daemon because of the nature
of the FTP protocol which utilizes multiple ports for data transfers.
There are available TLS-enabled versions of FTP and telnet daemons, however.
-.SS "INETD MODE"
+.SS INETD MODE
.IX Subsection "INETD MODE"
The most common use of \fBstunnel\fR is to listen on a network
port and establish communication with either a new port
@@ -1588,7 +1597,7 @@ Important note: If /dev/urandom is avail
with it while checking the random state. On systems with /dev/urandom
\&\fBOpenSSL\fR is likely to use it even though it is listed at the very
bottom of
the list above. This is the behaviour of \fBOpenSSL\fR and not \fBstunnel\fR.
-.SS "DH PARAMETERS"
+.SS DH PARAMETERS
.IX Subsection "DH PARAMETERS"
\&\fBstunnel\fR 4.40 and later contains hardcoded 2048\-bit DH parameters.
Starting
with \fBstunnel\fR 5.18, these hardcoded DH parameters are replaced every 24
hours
@@ -1610,7 +1619,7 @@ certificate file, which disables generat
.SH BUGS
.IX Header "BUGS"
The \fIexecArgs\fR option and the Win32 command line do not support quoting.
-.SH "SEE ALSO"
+.SH SEE ALSO
.IX Header "SEE ALSO"
.IP \fBtcpd\fR\|(8) 4
.IX Item "tcpd"
Any program (person), that produces man pages, should check the output
for defects by using (both groff and nroff)
[gn]roff -mandoc -t -ww -b -z -K utf8 <man page>
The same goes for man pages that are used as an input.
For a style guide use
mandoc -T lint
-.-
Any "autogenerator" should check its products with the above mentioned
'groff', 'mandoc', and additionally with 'nroff ...'.
It should also check its input files for too long (> 80) lines.
This is just a simple quality control measure.
The "autogenerator" may have to be corrected to get a better man page,
the source file may, and any additional file may.
Common defects:
Not removing trailing spaces (in in- and output).
The reason for these trailing spaces should be found and eliminated.
"git" has a "tool" to point out whitespace,
see for example "git-apply(1)" and "git-config(1)")
Not beginning each input sentence on a new line.
Line length and patch size should thus be reduced.
The script "reportbug" uses 'quoted-printable' encoding when a line is
longer than 1024 characters in an 'ascii' file.
See man-pages(7), item "semantic newline".
-.-
The difference between the formatted output of the original and patched file
can be seen with:
nroff -mandoc <file1> > <out1>
nroff -mandoc <file2> > <out2>
diff -d -u <out1> <out2>
and for groff, using
"printf '%s\n%s\n' '.kern 0' '.ss 12 0' | groff -mandoc -Z - "
instead of 'nroff -mandoc'
Add the option '-t', if the file contains a table.
Read the output from 'diff -d -u ...' with 'less -R' or similar.
-.-.
If 'man' (man-db) is used to check the manual for warnings,
the following must be set:
The option "-warnings=w"
The environmental variable:
export MAN_KEEP_STDERR=yes (or any non-empty value)
or
(produce only warnings):
export MANROFFOPT="-ww -b -z"
export MAN_KEEP_STDERR=yes (or any non-empty value)
-.-