Merge 'master' into staging

(relatively simple conflicts)

16 files changed, 90 insertions, 344 deletions

diff --git a/pkgs/tools/networking/cjdns/default.nix b/pkgs/tools/networking/cjdns/default.nix
index e602ee5f412..569d84bd72e 100644
--- a/pkgs/tools/networking/cjdns/default.nix
+++ b/pkgs/tools/networking/cjdns/default.nix
@@ -2,7 +2,7 @@
 
 let
   version = "16"; # see ${src}/util/version/Version.h
-  date = "20150308";
+  date = "20150422";
 in
 stdenv.mkDerivation {
   name = "cjdns-${version}-${date}";
@@ -10,8 +10,8 @@ stdenv.mkDerivation {
   src = fetchFromGitHub {
     owner = "cjdelisle";
     repo = "cjdns";
-    rev = "dc7eaf676cb83f13ba3e76a1bd0f2e093e6d6e1b";
-    sha256 = "1llhv9kflh4rzv9b9qq9zhrckcc6a7xs0dp147adwmaxqjj8v601";
+    rev = "78e13484b6639adacefc62eb7cf93ef7db4a936f";
+    sha256 = "1l1c43r11mj4c8is24988yfycw74flgv7qvc2cfhlisz7fhgfkds";
   };
 
   buildInputs = [ which python27 nodejs ] ++
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index 4fd30cc1fa1..713fe40c189 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -16,11 +16,11 @@ assert scpSupport -> libssh2 != null;
 assert c-aresSupport -> c-ares != null;
 
 stdenv.mkDerivation rec {
-  name = "curl-7.41.0";
+  name = "curl-7.42.0";
 
   src = fetchurl {
     url = "http://curl.haxx.se/download/${name}.tar.bz2";
-    sha256 = "1slbbxp2k8m34mdzrl5qhafr5zhhcv7fgjhs2mcxjmswvimm92wz";
+    sha256 = "13yhcqfksy2vwc4sjv97nv3cbd2pb2a8lnvv8g46qp1gail7sm9j";
   };
 
   # Zlib and OpenSSL must be propagated because `libcurl.la' contains
diff --git a/pkgs/tools/networking/dropbear/default.nix b/pkgs/tools/networking/dropbear/default.nix
index 15422d81f41..0cbf41754c3 100644
--- a/pkgs/tools/networking/dropbear/default.nix
+++ b/pkgs/tools/networking/dropbear/default.nix
@@ -2,11 +2,11 @@
 sftpPath ? "/var/run/current-system/sw/libexec/sftp-server" }:
 
 stdenv.mkDerivation rec {
-  name = "dropbear-2014.66";
+  name = "dropbear-2015.67";
 
   src = fetchurl {
     url = "http://matt.ucc.asn.au/dropbear/releases/${name}.tar.bz2";
-    sha256 = "0xmbcjm2pbhih459667wy8acs4nax4amvzwqwfxw0z2i19ky4gxb";
+    sha256 = "1rf8k3v0bklp04a6x85zpa4f45ad5rfqmiv5f1wfbzaxcja0asby";
   };
 
   dontDisableStatic = enableStatic;
@@ -31,10 +31,6 @@ stdenv.mkDerivation rec {
     # Allow sessions to inherit the PATH from the parent dropbear.
     # Otherwise they only get the usual /bin:/usr/bin kind of PATH
     ./pass-path.patch
-
-    # Bugfix
-    # http://article.gmane.org/gmane.network.ssh.dropbear/1361
-    ./proxycrash.patch
   ];
 
   buildInputs = [ zlib ];
diff --git a/pkgs/tools/networking/dropbear/proxycrash.patch b/pkgs/tools/networking/dropbear/proxycrash.patch
deleted file mode 100644
index 1a17e7e3c62..00000000000
--- a/pkgs/tools/networking/dropbear/proxycrash.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -r 5ba19d00da08 cli-runopts.c
---- a/cli-runopts.c	Sun May 26 18:43:00 2013 +0800
-+++ b/cli-runopts.c	Mon Jun 17 19:51:08 2013 +0000
-@@ -383,6 +383,13 @@
- 		exit(EXIT_FAILURE);
- 	}
-
-+#ifdef ENABLE_CLI_PROXYCMD
-+	if (cli_opts.proxycmd) {
-+		/* To match the common path of m_freeing it */
-+		cli_opts.proxycmd = m_strdup(cli_opts.proxycmd);
-+	}
-+#endif
-+
- 	if (cli_opts.remoteport == NULL) {
- 		cli_opts.remoteport = "22";
- 	}
diff --git a/pkgs/tools/networking/hans/default.nix b/pkgs/tools/networking/hans/default.nix
new file mode 100644
index 00000000000..fcb3e903753
--- /dev/null
+++ b/pkgs/tools/networking/hans/default.nix
@@ -0,0 +1,40 @@
+{ stdenv, fetchFromGitHub, nettools }:
+
+let version = "0.4.4"; in
+stdenv.mkDerivation rec {
+  name = "hans-${version}";
+
+  src = fetchFromGitHub {
+    sha256 = "1xskffmmdmg1whlrl5wpkv9z29vh0igrbmsz0b45s9v0761a7kis";
+    rev = "v${version}";
+    repo = "hans";
+    owner = "friedrich";
+  };
+
+  meta = with stdenv.lib; {
+    inherit version;
+    description = "Tunnel IPv4 over ICMP";
+    longDescription = ''
+      Hans makes it possible to tunnel IPv4 through ICMP echo packets, so you
+      could call it a ping tunnel. This can be useful when you find yourself in
+      the situation that your Internet access is firewalled, but pings are
+      allowed.
+    '';
+    homepage = http://code.gerade.org/hans/;
+    license = with licenses; gpl3Plus;
+    platforms = with platforms; linux;
+    maintainers = with maintainers; [ nckx ];
+  };
+
+  buildInputs = [ nettools ];
+
+  postPatch = ''
+    substituteInPlace src/tun.cpp --replace "/sbin/" "/${nettools}/bin/"
+  '';
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    install -D -m0755 hans $out/bin/hans
+  '';
+}
diff --git a/pkgs/tools/networking/hping/default.nix b/pkgs/tools/networking/hping/default.nix
index aa2574fbc1d..23322d5b8f2 100644
--- a/pkgs/tools/networking/hping/default.nix
+++ b/pkgs/tools/networking/hping/default.nix
@@ -44,5 +44,6 @@ stdenv.mkDerivation rec {
     description = "A command-line oriented TCP/IP packet assembler/analyzer";
     homepage = "http://www.hping.org/";
     license = stdenv.lib.licenses.gpl2;
+    platforms = stdenv.lib.platforms.all;
   };
 }
diff --git a/pkgs/tools/networking/i2p/default.nix b/pkgs/tools/networking/i2p/default.nix
index 088e8e8de7f..9a20e009e58 100644
--- a/pkgs/tools/networking/i2p/default.nix
+++ b/pkgs/tools/networking/i2p/default.nix
@@ -1,7 +1,4 @@
-{ stdenv, procps, coreutils, fetchurl, openjdk8, ant, gcj, gettext }:
-
-# TODO: support other systems, just copy appropriate lib/wrapper.. to $out
-assert stdenv.system != "x86_64-linux";
+{ stdenv, procps, coreutils, fetchurl, openjdk8, openjre, ant, gcj, gettext }:
 
 stdenv.mkDerivation rec {
   name = "i2p-0.9.18";
@@ -9,7 +6,7 @@ stdenv.mkDerivation rec {
     url = "https://github.com/i2p/i2p.i2p/archive/${name}.tar.gz";
     sha256 = "1hahdzvfh1zqb8qdc59xbjpqm8qq95k2xx22mpnhcdh90lb6xqnl";
   };
-  buildInputs = [ openjdk8 ant gcj gettext ];
+  buildInputs = [ openjdk8 ant gettext ];
   buildPhase = ''
     export JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF8"
     ant preppkg-linux-only
@@ -24,7 +21,8 @@ stdenv.mkDerivation rec {
       -e "s#/usr/ucb/ps#${procps}/bin/ps#" \
       -e "s#/usr/bin/tr#${coreutils}/bin/tr#" \
       -e 's#%USER_HOME#$HOME#' \
-      -e "s#%SYSTEM_java_io_tmpdir#/tmp#"
+      -e "s#%SYSTEM_java_io_tmpdir#/tmp#" \
+      -e 's#JAVA=java#JAVA=${openjre}/bin/java#'
     mv $out/runplain.sh $out/bin/i2prouter-plain
     mv $out/man $out/share/
     chmod +x $out/bin/* $out/i2psvc
@@ -35,7 +33,8 @@ stdenv.mkDerivation rec {
     homepage = "https://geti2p.net";
     description = "Applications and router for I2P, anonymity over the Internet";
     maintainers = [ stdenv.lib.maintainers.joelmo ];
-    licenses = licenses.gpl2;
-    platforms = platforms.linux;
+    license = licenses.gpl2;
+    # TODO: support other systems, just copy appropriate lib/wrapper.. to $out
+    platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/tools/networking/i2pd/default.nix b/pkgs/tools/networking/i2pd/default.nix
index 984e91e255f..f1b32ddb7e7 100644
--- a/pkgs/tools/networking/i2pd/default.nix
+++ b/pkgs/tools/networking/i2pd/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
   meta = with stdenv.lib; {
     homepage = "https://track.privacysolutions.no/projects/i2pd";
     description = "Minimal I2P router written in C++";
-    licenses = licenses.gpl2;
+    license = licenses.gpl2;
     maintainers = with maintainers; [ edwtjo ];
     platforms = platforms.linux;
   };
diff --git a/pkgs/tools/networking/lftp/default.nix b/pkgs/tools/networking/lftp/default.nix
index 9901a1e2a96..1e1f1bd8b76 100644
--- a/pkgs/tools/networking/lftp/default.nix
+++ b/pkgs/tools/networking/lftp/default.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchurl, gnutls, pkgconfig, readline, zlib }:
 
 stdenv.mkDerivation rec {
-  name = "lftp-4.6.0";
+  name = "lftp-4.6.1";
 
   src = fetchurl {
     urls = [
       "http://lftp.yar.ru/ftp/${name}.tar.bz2"
       "http://lftp.yar.ru/ftp/old/${name}.tar.bz2"
       ];
-    sha256 = "1liry2icaqyn9zlp7w6sykp3nyqsn172xnqglhvr6awz23r3b1fr";
+    sha256 = "0w9nb24abqlnjzi30q8s0yv3h0zjxhynliyxwdgnrv0qag0k401s";
   };
 
   patches = [ ./no-gets.patch ];
diff --git a/pkgs/tools/networking/mu/default.nix b/pkgs/tools/networking/mu/default.nix
index 924eb2f9f42..2104768e3b9 100644
--- a/pkgs/tools/networking/mu/default.nix
+++ b/pkgs/tools/networking/mu/default.nix
@@ -3,12 +3,12 @@
 , gtk3, webkit, libsoup, icu, withMug ? false /* doesn't build with current gtk3 */ }:
 
 stdenv.mkDerivation rec {
-  version = "0.9.11";
+  version = "0.9.12";
   name = "mu-${version}";
 
   src = fetchurl {
     url = "https://github.com/djcb/mu/archive/v${version}.tar.gz";
-    sha256 = "01n1lzq4pfsm5pn932p948d1z55yqc7kkm1ifjxjchb3k8lr66fh";
+    sha256 = "1bxryacmas2llj68m2dv8dr1vwx8f5k2i2azh69jajkpqx7i4wdq";
   };
 
   buildInputs =
diff --git a/pkgs/tools/networking/netsniff-ng/default.nix b/pkgs/tools/networking/netsniff-ng/default.nix
index 196c176018a..0830871c0cd 100644
--- a/pkgs/tools/networking/netsniff-ng/default.nix
+++ b/pkgs/tools/networking/netsniff-ng/default.nix
@@ -2,15 +2,16 @@
 , libnetfilter_conntrack, libnl, libpcap, libsodium, liburcu, ncurses, perl
 , pkgconfig, zlib }:
 
-stdenv.mkDerivation rec {
-  version = "v0.5.9-rc4-53-gdd5d906";
+let version = "v0.5.9-rc5"; in
+stdenv.mkDerivation {
   name = "netsniff-ng-${version}";
 
-  src = fetchFromGitHub rec { # Upstream recommends and supports git
+  # Upstream recommends and supports git
+  src = fetchFromGitHub rec {
     repo = "netsniff-ng";
     owner = repo;
-    rev = "dd5d906c40db5264d8d33c37565b39540f0258c8";
-    sha256 = "0iwnfjbxiv10zk5mfpnvs2xb88f14hv1a156kn9mhasszknp0a57";
+    rev = "76f4acca4bef1658543a97475f1c1d83accc395c";
+    sha256 = "11k88lsdqy41j4xwyx3vq85zjj4n39hj828f1b6naq1ywyfcvmr5";
   };
 
   buildInputs = [ bison flex geoip geolite-legacy libcli libnet libnl
@@ -40,6 +41,7 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with stdenv.lib; {
+    inherit version;
     description = "Swiss army knife for daily Linux network plumbing";
     longDescription = ''
       netsniff-ng is a free Linux networking toolkit. Its gain of performance
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index 93dad85ce1e..9bd1e7f4853 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoreconfHook, libcap ? null }:
+{ stdenv, fetchurl, autoreconfHook, libcap ? null, openssl ? null }:
 
 assert stdenv.isLinux -> libcap != null;
 
@@ -10,11 +10,18 @@ stdenv.mkDerivation rec {
     sha256 = "0ccv9kh5asxpk7bjn73vwrqimbkbfl743bgx0km47bfajl7bqs8d";
   };
 
-  configureFlags = stdenv.lib.optional (libcap != null) "--enable-linuxcaps";
+  configureFlags = [
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+    "--enable-ignore-dns-errors"
+  ] ++ stdenv.lib.optional (libcap != null) "--enable-linuxcaps";
 
-  buildInputs = [ autoreconfHook libcap ];
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ libcap openssl ];
 
-  postInstall = "rm -rf $out/share/doc";
+  postInstall = ''
+    rm -rf $out/share/doc
+  '';
 
   meta = {
     homepage = http://www.ntp.org/;
diff --git a/pkgs/tools/networking/sproxy-web/default.nix b/pkgs/tools/networking/sproxy-web/default.nix
deleted file mode 100644
index 67daab08359..00000000000
--- a/pkgs/tools/networking/sproxy-web/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ cabal, aeson, blazeHtml, blazeMarkup, configurator, hflags
-, httpTypes, mtl, postgresqlSimple, resourcePool, scotty, text
-, waiExtra, waiMiddlewareStatic, fetchurl
-}:
-
-cabal.mkDerivation (self: {
-  pname = "sproxy-web";
-  version = "0.1.0.2";
-  src = fetchurl {
-    url = "https://github.com/zalora/sproxy-web/archive/0.1.0.2.tar.gz";
-    sha256 = "1rdzglvsas0rdgq3j5c9ll411yk168x7v3l7w8zdjgafa947j4d4";
-  };
-  isLibrary = false;
-  isExecutable = true;
-  buildDepends = [
-    aeson blazeHtml blazeMarkup configurator hflags httpTypes mtl
-    postgresqlSimple resourcePool scotty text waiExtra
-    waiMiddlewareStatic
-  ];
-  meta = {
-    homepage = "http://bitbucket.org/zalorasea/sproxy-web";
-    description = "Web interface to sproxy";
-    license = self.stdenv.lib.licenses.bsd3;
-    platforms = self.ghc.meta.platforms;
-    broken = true;
-  };
-})
diff --git a/pkgs/tools/networking/sproxy/default.nix b/pkgs/tools/networking/sproxy/default.nix
deleted file mode 100644
index 5ecd7d06e26..00000000000
--- a/pkgs/tools/networking/sproxy/default.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ cabal, aeson, attoparsec, caseInsensitive, certificate
-, concurrentExtra, conduit, connection, cryptoRandom, curl
-, dataDefault, hslogger, hspec, httpConduit, httpKit, httpTypes
-, interpolatedstringPerl6, mtl, network, optparseApplicative
-, postgresqlSimple, safe, SHA, split, stringConversions, time, tls
-, unorderedContainers, utf8String, wai, warp, x509, yaml, fetchurl
-}:
-
-cabal.mkDerivation (self: {
-  pname = "sproxy";
-  version = "0.8.0";
-  src = fetchurl {
-    url = "https://github.com/zalora/sproxy/archive/0.8.0.tar.gz";
-    sha256 = "11xn4k509ck73pacyz2kh0924n2vy8rwakwd42dwbvhhysf47rdx";
-  };
-  isLibrary = false;
-  isExecutable = true;
-  patches = [ ./new-http-kit.patch ];
-  doCheck = false;
-  buildDepends = [
-    aeson attoparsec caseInsensitive certificate concurrentExtra
-    cryptoRandom curl dataDefault hslogger httpKit httpTypes
-    interpolatedstringPerl6 mtl network optparseApplicative
-    postgresqlSimple safe SHA split stringConversions time tls
-    unorderedContainers utf8String x509 yaml
-  ];
-  testDepends = [
-    aeson attoparsec caseInsensitive certificate concurrentExtra
-    conduit connection cryptoRandom curl dataDefault hslogger hspec
-    httpConduit httpKit httpTypes interpolatedstringPerl6 mtl network
-    optparseApplicative postgresqlSimple safe SHA split
-    stringConversions time tls unorderedContainers utf8String wai warp
-    x509 yaml
-  ];
-  meta = {
-    license = self.stdenv.lib.licenses.mit;
-    platforms = self.ghc.meta.platforms;
-    broken = true;
-  };
-})
diff --git a/pkgs/tools/networking/sproxy/new-http-kit.patch b/pkgs/tools/networking/sproxy/new-http-kit.patch
deleted file mode 100644
index c15c3f3989a..00000000000
--- a/pkgs/tools/networking/sproxy/new-http-kit.patch
+++ /dev/null
@@ -1,224 +0,0 @@
-From 383d2cbe240600a86ab99fdefcea4e913d171ec6 Mon Sep 17 00:00:00 2001
-From: Simon Hengel <sol@typeful.net>
-Date: Thu, 24 Apr 2014 22:51:02 +0800
-Subject: [PATCH] Depend on http-kit >= 0.2
-
----
- sproxy.cabal        |  2 +-
- src/Authenticate.hs | 17 ++++++++---------
- src/HTTP.hs         | 47 +++++++++--------------------------------------
- src/Proxy.hs        | 32 ++++++++++++++------------------
- 4 files changed, 32 insertions(+), 66 deletions(-)
-
-diff --git a/sproxy.cabal b/sproxy.cabal
-index 08e1d61..91adf5d 100644
---- a/sproxy.cabal
-+++ b/sproxy.cabal
-@@ -49,7 +49,7 @@ executable sproxy
-                        unix,
-                        utf8-string,
-                        x509,
--                       http-kit,
-+                       http-kit >= 0.2,
-                        yaml >= 0.8
-   default-language:    Haskell2010
-   ghc-options:         -Wall -threaded -O2
-diff --git a/src/Authenticate.hs b/src/Authenticate.hs
-index 7d4c218..15a69a9 100644
---- a/src/Authenticate.hs
-+++ b/src/Authenticate.hs
-@@ -30,8 +30,7 @@ import           System.Posix.Types (EpochTime)
- import           System.Posix.Time (epochTime)
- import           Data.Digest.Pure.SHA (hmacSha1, showDigest)
- 
--import           Network.HTTP.Toolkit.Header
--import           Network.HTTP.Toolkit.Request
-+import           Network.HTTP.Toolkit
- 
- import           Type
- import           Cookies
-@@ -90,19 +89,19 @@ instance FromJSON UserInfo where
- 
- -- https://wiki.zalora.com/Main_Page -> https://wiki.zalora.com/
- -- Note that this always uses https:
--rootURI :: RequestHeader -> URI.URI
--rootURI (MessageHeader _ headers) =
-+rootURI :: Request a -> URI.URI
-+rootURI (Request _ _ headers _) =
-   let host = cs $ fromMaybe (error "Host header not found") $ lookup "Host" headers
-   in URI.URI "https:" (Just $ URI.URIAuth "" host "") "/" "" ""
- 
--redirectForAuth :: AuthConfig -> RequestHeader -> SendData -> IO ()
--redirectForAuth c request@(MessageHeader (_, path_) _) send = do
-+redirectForAuth :: AuthConfig -> Request a -> SendData -> IO ()
-+redirectForAuth c request@(Request _ path_ _ _) send = do
-   let redirectUri = rootURI request
-       path = urlEncode True path_
-       authURL = "https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&state=" ++ cs path ++ "&redirect_uri=" ++ (cs $ show $ redirectUri) ++ "&response_type=code&client_id=" ++ authConfigClientID c ++ "&approval_prompt=force&access_type=offline"
--  sendResponse send found302 [("Location", UTF8.fromString $ authURL)] ""
-+  sendResponse_ send found302 [("Location", UTF8.fromString $ authURL)] ""
- 
--authenticate :: AuthConfig -> SendData -> RequestHeader -> ByteString -> ByteString -> IO ()
-+authenticate :: AuthConfig -> SendData -> Request a -> ByteString -> ByteString -> IO ()
- authenticate config send request path code = do
-   tokenRes <- post "https://accounts.google.com/o/oauth2/token" ["code=" ++ UTF8.toString code, "client_id=" ++ clientID, "client_secret=" ++ clientSecret, "redirect_uri=" ++ (cs $ show $ rootURI request), "grant_type=authorization_code"]
-   case tokenRes of
-@@ -121,7 +120,7 @@ authenticate config send request path code = do
-                 Just userInfo -> do
-                   clientToken <- authToken authTokenKey (userEmail userInfo) (userGivenName userInfo, userFamilyName userInfo)
-                   let cookie = setCookie cookieDomain cookieName (show clientToken) authShelfLife
--                  sendResponse send found302 [("Location", cs $ (show $ (rootURI request) {URI.uriPath = ""}) ++ cs (urlDecode False path)), ("Set-Cookie", UTF8.fromString cookie)] ""
-+                  sendResponse_ send found302 [("Location", cs $ (show $ (rootURI request) {URI.uriPath = ""}) ++ cs (urlDecode False path)), ("Set-Cookie", UTF8.fromString cookie)] ""
-   where
-     cookieDomain = authConfigCookieDomain config
-     cookieName = authConfigCookieName config
-diff --git a/src/HTTP.hs b/src/HTTP.hs
-index 07038a0..dbcae71 100644
---- a/src/HTTP.hs
-+++ b/src/HTTP.hs
-@@ -1,19 +1,14 @@
- {-# LANGUAGE OverloadedStrings #-}
- module HTTP (
--  sendRequest
--, sendResponse
--, sendResponse_
-+  sendResponse_
- , internalServerError
- ) where
- 
--import           Data.Foldable (forM_)
- import           Data.ByteString (ByteString)
--import qualified Data.ByteString as B
--import qualified Data.ByteString.Char8 as B8
--import qualified Data.ByteString.UTF8 as UTF8
--import qualified Data.CaseInsensitive as CI
-+import qualified Data.ByteString.Char8 as B
- import           Network.HTTP.Types
--import           Network.HTTP.Toolkit.Body
-+import           Network.HTTP.Toolkit
-+import qualified Network.HTTP.Toolkit.Body as Body
- 
- import           Type
- import qualified Log
-@@ -21,34 +16,10 @@ import qualified Log
- internalServerError :: SendData -> String -> IO ()
- internalServerError send err = do
-   Log.debug $ show err
--  sendResponse send internalServerError500 [] "Internal Server Error"
-+  sendResponse_ send internalServerError500 [] "Internal Server Error"
- 
--sendRequest :: SendData -> Method -> ByteString -> [Header] -> BodyReader -> IO ()
--sendRequest send method path headers body = do
--  sendHeader send startLine headers
--  sendBody send body
-+sendResponse_ :: SendData -> Status -> [Header] -> ByteString -> IO ()
-+sendResponse_ send status headers_ body = do
-+  Body.fromByteString body >>= sendResponse send . Response status headers
-   where
--    startLine = B8.unwords [method, path, "HTTP/1.1"]
--
--sendResponse :: SendData -> Status -> [Header] -> ByteString -> IO ()
--sendResponse send status headers_ body = do
--  sendHeader send (statusLine status) headers
--  send body
--  where
--    headers = ("Content-Length", UTF8.fromString $ show $ B.length body) : headers_
--
--sendResponse_ :: SendData -> Status -> [Header] -> BodyReader -> IO ()
--sendResponse_ send status headers body = do
--  sendHeader send (statusLine status) headers
--  sendBody send body
--
--statusLine :: Status -> ByteString
--statusLine status = B.concat ["HTTP/1.1 ", UTF8.fromString $ show (statusCode status), " ", statusMessage status]
--
--sendHeader :: SendData -> ByteString -> [Header] -> IO ()
--sendHeader send startLine headers = do
--  send startLine
--  send "\r\n"
--  forM_ headers $ \(k, v) -> do
--    send $ B.concat [CI.original k, ": ", v, "\r\n"]
--  send "\r\n"
-+    headers = ("Content-Length", B.pack . show . B.length $ body) : headers_
-diff --git a/src/Proxy.hs b/src/Proxy.hs
-index aa320af..88b95d9 100644
---- a/src/Proxy.hs
-+++ b/src/Proxy.hs
-@@ -32,11 +32,7 @@ import qualified Network.URI as URI
- import Options.Applicative hiding (action)
- import System.IO
- 
--import Network.HTTP.Toolkit.Body
--import Network.HTTP.Toolkit.Header
--import Network.HTTP.Toolkit.Connection
--import Network.HTTP.Toolkit.Request
--import Network.HTTP.Toolkit.Response
-+import Network.HTTP.Toolkit
- 
- import Type
- import Util
-@@ -142,10 +138,10 @@ runProxy port config authConfig authorize = (listen port (serve config authConfi
- redirectToHttps :: SockAddr -> Socket -> IO ()
- redirectToHttps _ sock = do
-   conn <- makeConnection (Socket.recv sock 4096)
--  (request, _) <- readRequest conn
--  sendResponse (Socket.sendAll sock) seeOther303 [("Location", cs $ show $ requestURI request)] ""
-+  request <- readRequest conn
-+  sendResponse_ (Socket.sendAll sock) seeOther303 [("Location", cs $ show $ requestURI request)] ""
-   where
--    requestURI (MessageHeader (_, path) headers) =
-+    requestURI (Request _ path headers _) =
-       let host = fromMaybe (error "Host header not found") $ lookup "Host" headers
-       in fromJust $ URI.parseURI $ "https://" ++ cs host ++ cs path
- 
-@@ -171,8 +167,8 @@ serve config authConfig withAuthorizeAction addr sock = do
-     serve_ send conn authorize = go
-       where
-         go :: IO ()
--        go = forever $ readRequest conn >>= \(request, body) -> case request of
--          MessageHeader (_, url) headers -> do
-+        go = forever $ readRequest conn >>= \request -> case request of
-+          Request _ url headers _ -> do
-             -- TODO: Don't loop for more input on Connection: close header.
-             -- Check if this is an authorization response.
-             case URI.parseURIReference $ BU.toString url of
-@@ -192,17 +188,17 @@ serve config authConfig withAuthorizeAction addr sock = do
-                         case auth of
-                           Nothing -> redirectForAuth authConfig request send
-                           Just token -> do
--                            forwardRequest config send authorize cookies addr request body token
-+                            forwardRequest config send authorize cookies addr request token
- 
- -- Check our access control list for this user's request and forward it to the backend if allowed.
--forwardRequest :: Config -> SendData -> AuthorizeAction -> [(Name, Cookies.Value)] -> SockAddr -> RequestHeader -> BodyReader -> AuthToken -> IO ()
--forwardRequest config send authorize cookies addr (MessageHeader (method, path) headers) body token = do
-+forwardRequest :: Config -> SendData -> AuthorizeAction -> [(Name, Cookies.Value)] -> SockAddr -> Request BodyReader -> AuthToken -> IO ()
-+forwardRequest config send authorize cookies addr request@(Request method path headers _) token = do
-     groups <- authorize (authEmail token) (maybe (error "No Host") cs $ lookup "Host" headers) path method
-     ip <- formatSockAddr addr
-     case groups of
-         [] -> do
-             -- TODO: Send back a page that allows the user to request authorization.
--            sendResponse send forbidden403 [] "Access Denied"
-+            sendResponse_ send forbidden403 [] "Access Denied"
-         _ -> do
-             -- TODO: Reuse connections to the backend server.
-             let downStreamHeaders =
-@@ -216,10 +212,10 @@ forwardRequest config send authorize cookies addr (MessageHeader (method, path)
-                     setCookies $
-                     fromList headers
-             bracket (connectTo host port) hClose $ \h -> do
--              sendRequest (B.hPutStr h) method path downStreamHeaders body
--              conn <- makeConnection (B.hGetSome h 4096)
--              (MessageHeader status responseHeaders, responseBody) <- readResponse method conn
--              sendResponse_ send status (removeConnectionHeader responseHeaders) responseBody
-+              sendRequest (B.hPutStr h) request{requestHeaders = downStreamHeaders}
-+              conn <- connectionFromHandle h
-+              response <- readResponse method conn
-+              sendResponse send response{responseHeaders = removeConnectionHeader (responseHeaders response)}
-   where
-     host = configBackendAddress config
-     port = PortNumber (configBackendPort config)
--- 
-1.9.1
-
diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix
index 74788e6ff2a..ef9c56deacb 100644
--- a/pkgs/tools/networking/stunnel/default.nix
+++ b/pkgs/tools/networking/stunnel/default.nix
@@ -2,15 +2,24 @@
 
 stdenv.mkDerivation rec {
   name    = "stunnel-${version}";
-  version = "5.14";
+  version = "5.16";
 
   src = fetchurl {
     url    = "http://www.stunnel.org/downloads/${name}.tar.gz";
-    sha256 = "0nk9cjrgpa54sphykizqx4kayrq71z1zmwdsr1lvlbmq3pyb95r1";
+    sha256 = "13b0ad7smz4949hchdgsx3yjr5i3z8flwiy8w6xalvk2n8zykdxn";
   };
 
   buildInputs = [ openssl ];
-  configureFlags = [ "--with-ssl=${openssl}" ];
+  configureFlags = [
+    "--with-ssl=${openssl}"
+    "--sysconfdir=/etc"
+    "--localstatedir=/var"
+  ];
+
+  installFlags = [
+    "sysconfdir=\${out}/etc"
+    "localstatedir=\${TMPDIR}"
+  ];
 
   meta = {
     description = "universal tls/ssl wrapper";