Version in base suite: 5.68-2 Base version: stunnel4_5.68-2 Target version: stunnel4_5.68-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/stunnel4/stunnel4_5.68-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/stunnel4/stunnel4_5.68-2+deb12u1.dsc changelog | 8 ++++++++ patches/08-tls-eof.patch | 41 +++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 50 insertions(+) diff -Nru stunnel4-5.68/debian/changelog stunnel4-5.68/debian/changelog --- stunnel4-5.68/debian/changelog 2023-02-12 11:40:09.000000000 +0000 +++ stunnel4-5.68/debian/changelog 2023-07-20 19:01:31.000000000 +0000 @@ -1,3 +1,11 @@ +stunnel4 (3:5.68-2+deb12u1) bookworm; urgency=medium + + * Add the 08-tls-eof patch to fix the handling of a peer closing + a TLS connection without proper TLS shutdown messaging. + Closes: #1041545 + + -- Peter Pentchev Thu, 20 Jul 2023 22:01:31 +0300 + stunnel4 (3:5.68-2) unstable; urgency=medium * Add the 07-tests-errmsg patch to fix the FTBFS on several architectures diff -Nru stunnel4-5.68/debian/patches/08-tls-eof.patch stunnel4-5.68/debian/patches/08-tls-eof.patch --- stunnel4-5.68/debian/patches/08-tls-eof.patch 1970-01-01 00:00:00.000000000 +0000 +++ stunnel4-5.68/debian/patches/08-tls-eof.patch 2023-07-20 19:01:31.000000000 +0000 
@@ -0,0 +1,41 @@ +Description: Fix handling of socket closed without TLS shuttdown + In versions before 5.70, stunnel4 fails to recognize a new OpenSSL 3.x + error code that signals that the remote side closed the network + connection without performing a proper TLS shutdown. Instead, stunnel + treats this situation as an error. + . + If there was any pending data that the stunnel service had enqueued for + sending over the encrypted connection, it is discarded, so if the TLS + session is later resumed, the encrypted data stream will be corrupted. +Bug-Debian: https://bugs.debian.org/1041545 +Origin: upstream +Author: Michal Trojnara +Last-Update: 2023-07-20 + +--- a/src/client.c ++++ b/src/client.c +@@ -1118,6 +1118,24 @@ + "SSL_read returned WANT_X509_LOOKUP: retrying"); + break; + case SSL_ERROR_SSL: ++#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING ++ /* OpenSSL 3.0 changed the method of reporting socket EOF */ ++ if(ERR_GET_REASON(ERR_peek_error())== ++ SSL_R_UNEXPECTED_EOF_WHILE_READING) { ++ /* EOF -> buggy (e.g. Microsoft) peer: ++ * TLS socket closed without close_notify alert */ ++ if(c->sock_ptr || write_wants_write) { ++ s_log(LOG_ERR, ++ "TLS socket closed (SSL_read) with %ld unsent byte(s)", ++ (long)c->sock_ptr); ++ throw_exception(c, 1); /* reset the sockets */ ++ } ++ s_log(LOG_INFO, "TLS socket closed (SSL_read)"); ++ SSL_set_shutdown(c->ssl, ++ SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); ++ break; ++ } ++#endif /* SSL_R_UNEXPECTED_EOF_WHILE_READING */ + sslerror("SSL_read"); + throw_exception(c, 1); + case SSL_ERROR_ZERO_RETURN: /* received a close_notify alert */ diff -Nru stunnel4-5.68/debian/patches/series stunnel4-5.68/debian/patches/series --- stunnel4-5.68/debian/patches/series 2023-02-12 11:40:09.000000000 +0000 +++ stunnel4-5.68/debian/patches/series 2023-07-20 19:01:31.000000000 +0000 @@ -4,3 +4,4 @@ 05-sample-sysconfdir.patch 06-no-openssl-version-check-autopkgtest.patch 07-tests-errmsg.patch +08-tls-eof.patch
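Review bot: in the new SSL_ERROR_SSL branch of the src/client.c hunk the matched error is never removed from the OpenSSL error queue: ERR_peek_error() only inspects the oldest queued entry, and nothing between the match and `break;` calls ERR_clear_error(), so a later sslerror() on this connection can report a stale SSL_R_UNEXPECTED_EOF_WHILE_READING for an unrelated failure; conversely, if some other error is already queued ahead of the EOF reason, the peek misses it and the connection is torn down exactly as before the patch. Consider adding `ERR_clear_error();` right after `s_log(LOG_INFO, "TLS socket closed (SSL_read)");` (or checking with ERR_peek_last_error() so the newest entry is examined) and confirming the queue is empty on entry to the SSL_read loop. Note also that the hunk only changes the SSL_read error switch; if the SSL_write path has a matching SSL_ERROR_SSL case, the same unexpected-EOF reason from a peer that drops the socket mid-write will still be treated as a hard error there, so it is worth checking whether the upstream 5.70 change touches that switch as well.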
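Review bot: the DEP-3 header of 08-tls-eof.patch says `Origin: upstream` without a commit reference, which makes it hard to verify that this backport matches the change shipped in stunnel 5.70; please add the upstream commit URL (`Origin: upstream, <URL>`) or an `Applied-Upstream:` field naming the version. There is also a typo in the Description line (`TLS shuttdown` should read `TLS shutdown`).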