stunnel Changelog

What's new in stunnel 5.53

Apr 11, 2019
  • Bugfixes:
  • Fixed data transfer stalls introduced in stunnel 5.51.
  • New features:
  • Android binary updated to support Android 4.x.

New in stunnel 5.52 (Apr 9, 2019)

  • Bugfixes:
  • Fixed a transfer() loop bug introduced in stunnel 5.51.

New in stunnel 5.51 (Apr 5, 2019)

  • New features:
  • Hexadecimal PSK keys are automatically converted to binary.
  • Session ticket support (requires OpenSSL 1.1.1 or later). "connect" address persistence is currently unsupported with session tickets.
  • SMTP HELO before authentication (thx to Jacopo Giudici).
  • New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later.
  • New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites.
  • Include file name and line number in OpenSSL errors.
  • Compatibility with the current OpenSSL 3.0.0-dev branch.
  • Better performance with SSL_set_read_ahead()/SSL_pending().
  • Bugfixes:
  • Fixed PSKsecrets as a global option (thx to Teodor Robas).
  • Fixed a memory allocation bug (thx to matanfih).

New in stunnel 5.50 (Apr 5, 2019)

  • New features:
  • 32-bit Windows builds replaced with 64-bit builds.
  • OpenSSL DLLs updated to version 1.1.1.
  • Check whether "output" is not a relative file name.
  • Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later.
  • Bugfixes:
  • Fixed PSK session resumption with TLS 1.3.
  • Fixed a memory leak in the WIN32 logging subsystem.
  • Allow for zero value (ignored) TLS options.
  • Partially refactored configuration file parsing and logging subsystems for clearer code and minor bugfixes.
  • Caveats:
  • We removed FIPS support from our standard builds. FIPS will still be available with custom builds.

New in stunnel 5.49 (Sep 3, 2018)

  • New features:
  • Performance optimizations.
  • Logging of negotiated or resumed TLS session IDs (thx to ANSSI - National Cybersecurity Agency of France).
  • Merged Debian 10-enabled.patch and 11-killproc.patch (thx to Peter Pentchev).
  • OpenSSL DLLs updated to version 1.0.2p.
  • PKCS#11 engine DLL updated to version 0.4.9.
  • Bug fixes:
  • Fixed a crash in the session persistence implementation.
  • Fixed syslog identifier after configuration file reload.
  • Fixed non-interactive "make check" invocations.
  • Fixed reloading syslog configuration.
  • stunnel.pem created with SHA-256 instead of SHA-1.
  • SHA-256 "make check" certificates.

New in stunnel 5.49 Beta 2 (Aug 19, 2018)

  • New features:
  • Reloading syslog configuration.
  • Bug fixes:
  • Fixed syslog identifier after configuration file reload.

New in stunnel 5.49 Beta 1 (Aug 9, 2018)

  • New features:
  • Performance optimizations.
  • Logging of negotiated or resumed TLS session IDs.
  • Bug fixes:
  • Fixed non-interactive "make check" invocations.

New in stunnel 5.48 (Jul 4, 2018)

  • Security bug fixes:
  • Fixed requesting client certificate when specified as a global option.
  • New features:
  • Certificate subject checks modified to accept certificates if at least one of the specified checks matches.

New in stunnel 5.47 (Jun 23, 2018)

  • New features:
  • Fast add_lock_callback for OpenSSL < 1.1.0. This largely improves performance on heavy load.
  • Automatic detection of Homebrew OpenSSL.
  • Clarified port binding error logs.
  • Various "make test" improvements.
  • Bug fixes:
  • Fixed a crash on switching to SNI slave sections.

New in stunnel 5.47 Beta 2 (Jun 4, 2018)

  • Bug fixes
  • New features:
  • Automatic detection of Homebrew OpenSSL.

New in stunnel 5.46 (May 29, 2018)

  • New features:
  • The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
  • Bug fixes:
  • Default accept address restored to INADDR_ANY.

New in stunnel 5.46 Beta 1 (May 24, 2018)

  • New features:
  • The default cipher list was updated to "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
  • Bug fixes:
  • Default accept address restored to INADDR_ANY.

New in stunnel 5.45 (May 22, 2018)

  • New features:
  • Implemented try-restart in the SysV init script (thx to Peter Pentchev).
  • Bug fixes:
  • A service no longer refuses to start if binding fails for some (but not all) addresses:ports.
  • Fixed compression handling with OpenSSL 1.1.0 and later.
  • _beginthread() replaced with safer _beginthreadex().

New in stunnel 5.45 Beta 9 (May 13, 2018)

  • New feature sponsored by https://loadbalancer.org/:
  • Implemented delayed deallocation of service sections after configuration file reload.
  • New features:
  • The "socket" option is now also available in service sections.
  • Implemented try-restart in the SysV init script (thx to Peter Pentchev).
  • TLS 1.3 compliant session handling.
  • Bug fixes:
  • A service no longer refuses to start if binding fails for some (but not all) addresses:ports.
  • Fixed compression handling with OpenSSL 1.1.0 and later.
  • _beginthread() replaced with safer _beginthreadex().
  • Fixed exception handling in libwrap.
  • Fixed exec+connect services.
  • Fixed automatic resolver delaying.

New in stunnel 5.45 Beta 7 (Apr 20, 2018)

  • New feature sponsored by https://loadbalancer.org/:
  • Implemented delayed deallocation of service sections after configuration file reload.
  • New features:
  • TLS 1.3 compliant session handling.
  • Bug fixes:
  • Fixed exception handling in libwrap.
  • Fixed exec+connect services.
  • Fixed automatic resolver delaying.

New in stunnel 5.45 Beta 6 (Mar 20, 2018)

  • Bug fixes:
  • _beginthread() replaced with safer _beginthreadex().
  • Fixed exception handling in libwrap.

New in stunnel 5.45 Beta 1 (Feb 8, 2018)

  • New features:
  • Implemented try-restart in the SysV init script.
  • Bug fixes:
  • A service no longer refuses to start if binding fails for some (but not all) addresses:ports.
  • Fixed compression handling with OpenSSL 1.1.0 and later.

New in stunnel 5.44 (Nov 27, 2017)

  • New features:
  • Signed Win32 executables, libraries, and installer.
  • Bug fixes:
  • Default accept address restored to INADDR_ANY.
  • Fixed a race condition in "make check".
  • Fixed removing the pid file after configuration reload.

New in stunnel 5.43 (Nov 27, 2017)

  • New features:
  • OpenSSL DLLs updated to version 1.0.2m.
  • Android build updated to OpenSSL 1.1.0g.
  • Allow for multiple "accept" ports per section.
  • Self-test framework (make check).
  • Added config load before OpenSSL init (thx to Dmitrii Pichulin).
  • OpenSSL 1.1.0 support for Travis CI.
  • OpenSSL 1.1.1-dev compilation fixes.
  • Bug fixes:
  • Fixed a memory fault on Solaris.
  • Fixed round-robin failover in the FORK threading model.
  • Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown().
  • Minor fixes of the logging subsystem.

New in stunnel 5.43 Beta 14 (Oct 19, 2017)

  • Bug fixes:
  • Fixed round-robin failover in the FORK threading model.

New in stunnel 5.43 Beta 9 (Oct 17, 2017)

  • New features:
  • Allow for multiple "accept" ports per section.
  • Self-test framework (make check).
  • Added config load before OpenSSL init (thx to Dmitrii Pichulin).
  • OpenSSL 1.1.0 support for Travis CI.
  • OpenSSL 1.1.1-dev compilation fixes.
  • Bug fixes:
  • Fixed a memory fault on Solaris.
  • Fixed handling SSL_ERROR_ZERO_RETURN in SSL_shutdown().
  • Minor fixes of the logging subsystem.

New in stunnel 5.42 (Jul 17, 2017)

  • New features:
  • "redirect" also supports "exec" and not only "connect".
  • PKCS#11 engine DLL updated to version 0.4.7.
  • Bug fixes:
  • Fixed premature cron thread initialization causing hangs.
  • Fixed "verifyPeer = yes" on OpenSSL

New in stunnel 5.42 Beta 2 (Jun 22, 2017)

  • New features:
  • "redirect" also supports "exec" and not only "connect".
  • Bugfixes:
  • Fixed a hang on shutdown.
  • Fixed "verifyPeer = yes" on OpenSSL

New in stunnel 5.41 (Jun 22, 2017)

  • New features:
  • PKCS#11 engine DLL updated to version 0.4.5.
  • Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
  • Key file name added into the passphrase console prompt.
  • Performance optimization in memory leak detection.
  • Bug fixes:
  • Fixed crashes with the OpenSSL 1.1.0 branch.
  • Fixed certificate verification with "verifyPeer = yes" and "verifyChain = no" (the default), while the peer only returns a single certificate.

New in stunnel 5.41 Beta 4 (Mar 20, 2017)

  • New features:
  • PKCS#11 engine DLL updated to version 4.4.
  • Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
  • Key file name added into the passphrase prompt on console.
  • Performance optimization in memory leak detection.
  • Bug fixes:
  • Adopted the implicit session free introduced in OpenSSL 1.1.0. This resulted in crashes caused by double free.
  • Fixed "verifyPeer = yes" with "verifyChain = no" (default) and the peer only returning a single certificate.

New in stunnel 5.40 (Jan 29, 2017)

  • Security bugfixes:
  • OpenSSL DLLs updated to version 1.0.2k. https://www.openssl.org/news/secadv/20170126.txt
  • New features:
  • DH ciphersuites are now disabled by default.
  • The daily server DH parameter regeneration is only performed if DH ciphersuites are enabled in the configuration file.
  • "checkHost" and "checkEmail" were modified to require either "verifyChain" or "verifyPeer" (thx to Małgorzata Olszówka).
  • Bug fixes:
  • Fixed setting default cipher

New in stunnel 5.36 (Sep 23, 2016)

  • Security bug fixes:
  • OpenSSL DLLs updated to version 1.0.2i. https://www.openssl.org/news/secadv_20160922.txt
  • New features:
  • Added support for OpenSSL 1.1.0 built with "no-deprecated".
  • Removed direct zlib dependency.

New in stunnel 5.36 Beta 1 (Sep 7, 2016)

  • New features:
  • Added support for OpenSSL 1.1.0 built with "no-deprecated".
  • Removed direct zlib dependency.

New in stunnel 5.35 (Jul 18, 2016)

  • Bug fixes:
  • Fixed incorrectly enforced client certificate requests.
  • Only default to SO_EXCLUSIVEADDRUSE on Vista and later.
  • Fixed thread safety of the configuration file reopening.

New in stunnel 5.35 Beta 2 (Jul 7, 2016)

  • Bug fixes:
  • Fixed enabling certificate by default.

New in stunnel 5.34 (Jul 6, 2016)

  • Security bug fixes:
  • Fixed malfunctioning "verify = 4".
  • New features:
  • Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
  • Added three new service-level options: requireCert, verifyChain, and verifyPeer for fine-grained certificate verification control.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.

New in stunnel 5.33 (Jun 23, 2016)

  • New features:
  • Improved memory leak detection performance and accuracy.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo Rodriguez Garcia).
  • Added support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry Bakshaev).
  • Bugfixes:
  • Fixed a TLS session caching memory leak (thx to Richard Kraemer). Before stunnel 5.27 this leak only emerged with sessiond enabled.
  • Yet another WinCE socket fix (thx to Richard Kraemer).
  • Fixed passphrase/pin dialogs in tstunnel.exe.
  • Fixed a FORK threading build regression bug.
  • OPENSSL_NO_DH compilation fix (thx to Brian Lin).

New in stunnel 5.33 Beta 7 (Jun 21, 2016)

  • New features:
  • Improved memory leak detection performance and accuracy.

New in stunnel 5.33 Beta 3 (Jun 20, 2016)

  • New features:
  • SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo Rodriguez Garcia).
  • Support for PKCS #12 (.p12/.pfx) certificates (thx to Dmitry Bakshaev).
  • Bug fixes:
  • Yet another WinCE socket fix (thx to Richard Kraemer).
  • OPENSSL_NO_DH compilation fix (thx to Brian Lin).
  • Fixed password/pin dialogs in tstunnel.exe.

New in stunnel 5.33 Beta 2 (May 16, 2016)

  • New features:
  • SNI support also enabled on OpenSSL 0.9.8f and later (thx to Guillermo Rodriguez Garcia).

New in stunnel 5.33 Beta 1 (May 12, 2016)

  • New features:
  • Updated the memory leak detection heuristics.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Bug fixes:
  • Fixed a memory leak in the TLS session caching code (thx to Richard Kraemer).
  • Fixed a FORK threading build regression bug.

New in stunnel 5.32 (May 4, 2016)

  • Security bugfixes:
  • OpenSSL DLLs updated to version 1.0.2h. https://www.openssl.org/news/secadv_20160503.txt
  • New features:
  • New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
  • Memory leak detection.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
  • Bug fixes:
  • Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
  • Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).

New in stunnel 5.32 Beta 2 (Apr 20, 2016)

  • New features:
  • Memory leak detection.

New in stunnel 5.32 Beta 1 (Apr 7, 2016)

  • New features:
  • New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Bug fixes:
  • Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).

New in stunnel 5.31 (Mar 1, 2016)

  • Security bug fixes:
  • OpenSSL DLLs updated to version 1.0.2g.
  • New features:
  • Added logging the list of client CAs requested by the server.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Bug fixes:
  • Only reset the watchdog if some data was actually transferred.
  • A workaround implemented for the unexpected exceptfds set by select() on WinCE 6.0 (thx to Richard Kraemer).

New in stunnel 5.31 Beta 2 (Feb 21, 2016)

  • New features
  • Bug fixes:
  • A workaround implemented for the unexpected exceptfds set by select() on WinCE 6.0 (thx to Richard Kraemer).

New in stunnel 5.31 Beta 1 (Feb 17, 2016)

  • Bug fixes:
  • Only reset the watchdog if some data was actually transferred.

New in stunnel 5.30 (Jan 29, 2016)

  • Security bug fixes:
  • OpenSSL DLLs updated to version 1.0.2f.
  • New features:
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Added OpenSSL autodetection for the recent versions of Xcode.
  • Bug fixes:
  • Fixed references to /etc removed from stunnel.init.in.
  • Stopped even trying -fstack-protector on unsupported platforms.

New in stunnel 5.30 Beta 3 (Jan 21, 2016)

  • Bug fixes:
  • Fixed references to /etc removed from stunnel.init.in.
  • Avoid even trying -fstack-protector on unsupported platforms (thx to Rob Lockhart).

New in stunnel 5.30 Beta 1 (Jan 12, 2016)

  • Bug fixes.
  • New features:
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.

New in stunnel 5.29 (Jan 8, 2016)

  • New features:
  • New WIN32 icons.
  • Performance improvement: rwlocks used for locking with pthreads.
  • Bug fixes:
  • Compilation fix for *BSD.
  • Fixed configuration file reload for relative stunnel.conf path on Unix.
  • Fixed ignoring CRLfile unless CAfile was also specified.

New in stunnel 5.29 Beta 2 (Dec 23, 2015)

  • New features:
  • New icons.
  • Performance improvement: rwlocks used for locking with pthreads.
  • Bug fixes:
  • Fixed configuration file reload for relative stunnel.conf path.
  • Fixed ignoring CRLfile unless CAfile was also specified (thx to Strukov Petr).

New in stunnel 5.29 Beta 1 (Dec 14, 2015)

  • Compilation fix for *BSD

New in stunnel 5.28 (Dec 11, 2015)

  • New features:
  • Build matrix (.travis.yml) extended with ./configure options.
  • mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
  • Bug fixes:
  • Fixed incomplete initialization.
  • Fixed UCONTEXT threading on OSX.
  • Fixed exit codes for information requests (as in "stunnel -version" or "stunnel -help").

New in stunnel 5.28 Beta 2 (Dec 11, 2015)

  • Fixed incomplete initialization.

New in stunnel 5.28 Beta 1 (Dec 9, 2015)

  • New features:
  • Build matrix (.travis.yml) extended with ./configure options.
  • Bug fixes:
  • Fixed UCONTEXT threading on OSX.
  • Fixed exit codes for information requests (as in "stunnel -version" or "stunnel -help").

New in stunnel 5.27 (Dec 9, 2015)

  • Security bugfixes:
  • OpenSSL DLLs updated to version 1.0.2e. https://www.openssl.org/news/secadv_20151203.txt
  • New features:
  • Automated build testing configured with .travis.yml.
  • TODO list updated.

New in stunnel 5.27 Beta 3 (Nov 13, 2015)

  • Bug fixes.
  • New features:
  • Only attempt to use potentially harmful compiler or linker options if gcc was detected.

New in stunnel 5.27 Beta 2 (Nov 7, 2015)

  • New features:
  • /opt/csw added to the OpenSSL directory lookup list.
  • mingw.mak updates (thx to Jose Alf.).

New in stunnel 5.27 Beta 1 (Nov 6, 2015)

  • New features:
  • Added reading server certificates from hardware engines.
  • Example: cert = id_45
  • Bug fixes

New in stunnel 5.26 (Nov 6, 2015)

  • Bug fixes: Compilation fixes for OSX, *BSD and Solaris.

New in stunnel 5.26 Beta 1 (Nov 3, 2015)

  • Bug fixes:
  • Compilation fixes for BSD and Solaris.

New in stunnel 5.25 (Nov 2, 2015)

  • New features:
  • SMTP client protocol negotiation support for "protocolUsername", "protocolPassword", and "protocolAuthentication" (thx to Douglas Harris).
  • New service-level option "config" to specify OpenSSL >=1.0.2 configuration commands (thx to Stephen Wall).
  • The global option "foreground" now also accepts "quiet" parameter, which does not enable logging to stderr.
  • Manual page updated.
  • Obsolete OpenSSL engines removed from the Windows build: 4758cca, aep, atalla, cswift, nuron, sureware.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree: gracefully handle symbols renamed from SSLeay to OpenSSL.
  • Bug fixes:
  • Fixed the "s_poll_wait returned 1, but no descriptor is ready" internal error.
  • Fixed "exec" hangs due to incorrect thread-local storage handling (thx to Philip Craig).
  • Fixed PRNG initialization (thx to Philip Craig).
  • Setting socket options no longer performed on PTYs.
  • Fixed 64-bit Windows build.

New in stunnel 5.25 Beta 5 (Oct 16, 2015)

  • New features:
  • SMTP client protocol negotiation support for "protocolUsername", "protocolPassword", and "protocolAuthentication" (thx to Douglas Harris).
  • The global option "foreground" now also accepts "quiet" parameter, which does not enable logging to stderr.
  • Manual page updated.
  • Bug fixes:
  • Fixed PRNG initialization (thx to Philip Craig).

New in stunnel 5.25 Beta 2 (Oct 14, 2015)

  • New features:
  • New service-level option "config" to specify OpenSSL >=1.0.2 configuration commands (thx to Stephen Wall).
  • Bug fixes:
  • Fixed the "s_poll_wait returned 1, but no descriptor is ready" internal error.
  • Fixed "exec" hangs due to incorrect thread-local storage handling (thx to Philip Craig).
  • Setting socket options no longer performed on PTYs.
  • Fixed 64-bit Windows build.

New in stunnel 5.24 (Oct 8, 2015)

  • New features:
  • Added support for the new OpenSSL 1.0.2 SSL options.
  • Added OPENSSL_NO_EGD support.

New in stunnel 5.24 Beta 5 (Oct 6, 2015)

  • New features:
  • BSD support for "transparent = destination" and client-side "protocol = socks". This feature should work at least on FreeBSD, OpenBSD and OS X.
  • "setuid" and "setgid" options are now also available in service sections. They can be used to set owner and group of the Unix socket specified with "accept".
  • Added support for "options = NO_DTLSv1", "options = NO_DTLSv1_2", and "options = NO_SSL_MASK" supported since OpenSSL 1.0.2.
  • Bug fixes:
  • Restored Microsoft.VC90.CRT.manifest.

New in stunnel 5.24 Beta 4 (Sep 23, 2015)

  • New features:
  • Custom CRL verification was replaced with the internal OpenSSL functionality.
  • VC autodetection added to makew32.bat.
  • Bug fixes:
  • Fixed the sequential log id with the fork threading.

New in stunnel 5.24 Beta 3 (Sep 14, 2015)

  • New features:
  • Added a new "protocolDomain" option for the NTLM authentication.
  • Improved compatibility of the NTLM phase 1 message.
  • Added OPENSSL_NO_EGD support.
  • Bug fixes:
  • Fixed the error code reported on the failed bind() requests.

New in stunnel 5.24 Beta 2 (Sep 8, 2015)

  • New features:
  • FreeBSD and OS X support for "transparent = destination" and client-side "protocol = socks".
  • Bug fixes:
  • Fixed SOCKS5 RESOLVE [F0] TOR extension support.

New in stunnel 5.23 (Sep 7, 2015)

  • New features:
  • Client-side support for the SOCKS protocol. See https://www.stunnel.org/socksvpn.html for details.
  • Reject SOCKS requests to connect loopback addresses.
  • New service-level option "OCSPnonce". The default value is "OCSPnonce = no".
  • Win32 directory structure rearranged. The installer script provides automatic migration for common setups.
  • Added Win32 installer option to install stunnel for the current user only. This feature does not deploy the NT service, but it also does not require administrative privileges to install and configure stunnel.
  • stunnel.cnf was renamed to openssl.cnf in order to prevent users from mixing it up with stunnel.conf.
  • Win32 desktop is automatically refreshed when the icon is created or removed.
  • The ca-certs.pem file is now updated on stunnel upgrade.
  • Inactive ports were removed from the PORTS file.
  • Added IPv6 support to the transparent proxy code.
  • Bug fixes:
  • Compilation fix for OpenSSL version older than 1.0.0.
  • Compilation fix for mingw.

New in stunnel 5.23 Beta 3 (Aug 13, 2015)

  • New features:
  • Added Win32 installer option to install stunnel for the current user only. This feature does not deploy the NT service, but it also does not require administrative privileges to install and configure stunnel.
  • stunnel.cnf was renamed to openssl.cnf in order to prevent users from mixing it up with stunnel.conf.
  • Win32 engine DLLs were moved to a separate directory.
  • Win32 desktop is automatically refreshed when the icon is created or removed.
  • The ca-certs.pem file is now updated on stunnel upgrade.
  • Bug fixes:
  • Compilation fix for mingw.

New in stunnel 5.23 Beta 2 (Aug 6, 2015)

  • Bug fixes: Compilation fix for OpenSSL version older than 1.0.0.

New in stunnel 5.23 Beta 1 (Aug 4, 2015)

  • New features:
  • New service-level option "OCSPnonce". The default value is "OCSPnonce = no".
  • Inactive ports removed from the PORTS file.

New in stunnel 5.22 (Jul 31, 2015)

  • New features:
  • "OCSPaia = yes" added to the configuration file templates.
  • Improved double free detection.
  • Bug fixes:
  • Fixed a number of OCSP bugs. The most severe of those bugs caused stunnel to treat OCSP responses that failed OCSP_basic_verify() checks as if they were successful.
  • Fixed the passive IPv6 resolver (broken in stunnel 5.21).

New in stunnel 5.21 (Jul 27, 2015)

  • New features:
  • Signal names are displayed instead of numbers.
  • First resolve IPv4 addresses on passive resolver requests. This speeds up stunnel startup on Win32 with a slow/defunct DNS service.
  • The "make check" target was modified to only build Win32 executables when stunnel is built from a git repository (thx to Peter Pentchev).
  • More elaborate descriptions were added to the warning about using "verify = 2" without "checkHost" or "checkIP".
  • Performance optimization was performed on the debug code.
  • Bug fixes:
  • Fixed the FORK and UCONTEXT threading support.
  • Fixed "failover=prio" (broken since stunnel 5.15).
  • Added a retry when sleep(3) was interrupted by a signal in the cron thread scheduler.

New in stunnel 5.21 Beta 2 (Jul 17, 2015)

  • New features:
  • "make check" target was modified to only build Win32 executables when stunnel is built from a git repository (thx to Peter Pentchev).
  • First resolve IPv4 addresses on passive resolver requests. This speeds up stunnel startup on Win32 with slow/defunct DNS service.
  • Bug fixes:
  • Fixed a cron thread scheduling issue.

New in stunnel 5.21 Beta 1 (Jul 11, 2015)

  • New features - Signal names are displayed instead of numbers.
  • Bug fixes - Fixed the FORK threading compilation.

New in stunnel 5.20 (Jul 10, 2015)

  • Security bug fixes:
  • OpenSSL DLLs updated to version 1.0.2d. https://www.openssl.org/news/secadv_20150709.txt
  • New features:
  • The SSL library detection algorithm was made a bit smarter.

New in stunnel 5.20 Beta 10 (Jul 3, 2015)

  • New features:
  • poll(2) re-enabled on MacOS X 10.5 and higher.
  • Documentation updates (closes Debian bug #781669).

New in stunnel 5.20 Beta 9 (Jun 26, 2015)

  • New features:
  • Xcode SDK is automatically used on MacOS X if no other locally installed OpenSSL directory is found.

New in stunnel 5.20 Beta 8 (Jun 25, 2015)

  • New features:
  • Warnings about insecure authentication were modified to include the name of the affected service section.
  • A warning was added to stunnel.init if no pid file was specified in the configuration file (thx to Peter Pentchev).
  • Bug fixes:
  • LSB compatibility fixes added to the stunnel.init script.

New in stunnel 5.20 Beta 7 (Jun 23, 2015)

  • New features:
  • Debugging symbols are included in the Win32 installer.
  • Bug fixes:
  • Fixed removing the disabled taskbar icon.
  • Fixed manual page headers.

New in stunnel 5.20 Beta 6 (Jun 22, 2015)

  • New features:
  • Service name included in insecure authentication warnings.
  • Include debugging symbols in the Win32 installer.
  • Bug fixes:
  • Signal pipe reinitialization added to prevent turning the main accepting thread into a busy wait loop when an external condition breaks the signal pipe.
  • Generated temporary DH parameters are used for configuration reload instead of the static defaults.

New in stunnel 5.19 (Jun 22, 2015)

  • New features:
  • OpenSSL DLLs updated to version 1.0.2c.
  • Added a runtime check whether COMP_zlib() method is implemented in order to improve compatibility with the Debian OpenSSL build.
  • Bug fixes:
  • Improved socket error handling.
  • Cron thread priority on Win32 platform changed to THREAD_PRIORITY_LOWEST to improve portability.
  • Makefile bugfixes for stunnel 5.18 regressions.
  • Fixed some typos in docs and scripts (thx to Peter Pentchev).
  • Fixed a log level check condition (thx to Peter Pentchev).

New in stunnel 5.18 Beta 1 (May 18, 2015)

  • New features:
  • Warnings are logged on potentially insecure authentication.
  • Bug fixes:
  • Fixed handling of trailing whitespaces in the Content-Length header of the NTLM authentication.

New in stunnel 5.17 (Apr 30, 2015)

  • Bug fixes:
  • Fixed a NULL pointer dereference causing the service to crash. This bug was introduced in stunnel 5.15.

New in stunnel 5.16 (Apr 20, 2015)

  • Bug fixes: Fixed compilation with old versions of gcc.

New in stunnel 5.16 Beta 3 (Apr 17, 2015)

  • Bug fixes: Compilation fix for old versions of gcc.

New in stunnel 5.15 (Apr 17, 2015)

  • New features:
  • Added new service-level options "checkHost", "checkEmail" and "checkIP" for additional checks of the peer certificate subject. These options require OpenSSL version 1.0.2 or higher.
  • Win32 binary distribution now ships with the Mozilla root CA bundle. This bundle is intended to be used together with the new "checkHost" option to validate server certs accepted by Mozilla.
  • New commandline options "-reload" to reload the configuration file and "-reopen" to reopen the log file of stunnel running as a Windows service (thx to Marc McLaughlin).
  • Added session persistence based on negotiated TLS sessions. https://en.wikipedia.org/wiki/Load_balancing_(computing)#Persistence The current implementation does not support external TLS session caching with sessiond.
  • MEDIUM ciphers (currently SEED and RC4) are removed from the default cipher list.
  • The "redirect" option was improved to not only redirect sessions established with an untrusted certificate, but also sessions established without a client certificate.
  • OpenSSL version checking modified to distinguish FIPS and non-FIPS builds.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Removed support for OpenSSL versions older than 0.9.7. The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
  • "sessiond" support improved to also work in OpenSSL 0.9.7.
  • Randomize the initial value of the round-robin counter.
  • New stunnel.conf templates are provided for Windows and Unix.
  • Bug fixes:
  • Fixed compilation against old versions of OpenSSL.
  • Fixed memory leaks in certificate verification.

New in stunnel 5.15 Beta 3 (Apr 14, 2015)

  • New features:
  • Added new service-level options "checkHost", "checkEmail" and "checkIP" for additional checks of peer certificate subject. These options require OpenSSL version 1.0.2 or higher.
  • New commandline options "-reload" to reload the configuration file and "-reopen" to reopen the log file of stunnel running as a Windows service (thx to Marc McLaughlin).
  • The "redirect" option was improved to not only redirect sessions established with an untrusted certificate, but also sessions established without a client certificate.
  • "sessiond" support improved to also work in OpenSSL 0.9.7.
  • Randomize the initial value of round-robin counter.

New in stunnel 5.15 Beta 2 (Apr 6, 2015)

  • New features:
  • Added new service-level options "checkHost", "checkEmail" and "checkIP" for additional checks of peer certificate subject. These options require OpenSSL version 1.0.2 or higher.
  • MEDIUM ciphers (currently SEED and RC4) were removed from the default cipher list.
  • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  • Removed support for OpenSSL versions older than 0.9.7. The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004.
  • Bug fixes:
  • Fixed compilation against old versions of OpenSSL.
  • Fixed memory leaks in certificate verification.

New in stunnel 5.15 Beta 1 (Mar 30, 2015)

  • New features:
  • Added session persistence based on negotiated TLS sessions. https://en.wikipedia.org/wiki/Load_balancing_(computing)#Persistence The current implementation does not support external TLS session caching with sessiond.
  • OpenSSL version checking improved to distinguish FIPS and non-FIPS builds.

New in stunnel 5.14 (Mar 26, 2015)

  • Security bugfixes:
  • The "redirect" option now also redirects clients on SSL session reuse. In stunnel versions 5.00 to 5.12 reused sessions were never redirected regardless of their certificate verification result.
  • This vulnerability was reported by Johan Olofsson.
  • New features:
  • Windows service is automatically restarted after upgrade.
  • Bug fixes:
  • Fixed a memory allocation error during Unix daemon shutdown.
  • Fixed handling multiple connect/redirect destinations.
  • OpenSSL FIPS builds are now correctly reported on startup.

New in stunnel 5.14 Beta 1 (Mar 23, 2015)

  • Bug fixes:
  • Fixed a memory allocation error during Unix daemon shutdown.
  • Fixed handling multiple connect/redirect destinations.

New in stunnel 5.13 (Mar 21, 2015)

  • New features:
  • The "service" option was modified to also control the syslog service name.
  • Bug fixes:
  • Fixed Windows service crash.

New in stunnel 5.12 (Mar 20, 2015)

  • Security bugfixes:
  • OpenSSL DLLs updated to version 1.0.2a. https://www.openssl.org/news/secadv_20150319.txt
  • New features:
  • New service-level option "logId" to specify the connection identifier type. Currently supported types: "sequential" (default), "unique", and "thread".
  • New service-level option "debug" to individually control logging verbosity of defined services.
  • Bug fixes:
  • OCSP fixed on Windows platform (thx to Alec Kosky).

New in stunnel 5.11 (Mar 12, 2015)

  • New features:
  • OpenSSL DLLs updated to version 1.0.2.
  • Removed dereferences of internal OpenSSL data structures.
  • PSK key lookup algorithm performance improved from O(N) (linear) to O(log N) (logarithmic).
  • Bug fixes:
  • Fixed peer certificate list in the main window on Win32 (thx to @fyer for reporting it).
  • Fixed console logging in tstunnel.exe.
  • _tputenv_s() replaced with more portable _tputenv() on Win32.

New in stunnel 5.11 Beta 3 (Mar 2, 2015)

  • New features:
  • Removed dereferences of internal OpenSSL data structures.

New in stunnel 5.11 Beta 2 (Jan 31, 2015)

  • New features:
  • OpenSSL DLLs updated to version 1.0.2.
  • Bug fixes:
  • Fixed console logging in tstunnel.exe.
  • _tputenv_s() replaced with more portable _tputenv() on Win32.

New in stunnel 5.10 Beta (Jan 23, 2015)

  • New features:
  • OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia".
  • Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack".
  • Bug fixes:
  • OpenSSL DLLs updated to version 1.0.1l. https://www.openssl.org/news/secadv_20150108.txt
  • FIPS canister updated to version 2.0.9 in the Win32 binary build.

New in stunnel 5.09 (Jan 5, 2015)

  • New features:
  • Added PSK authentication with two new service-level configuration file options "PSKsecrets" and "PSKidentity".
  • Added additional security checks to the OpenSSL memory management functions.
  • Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL configuration flags.
  • Added compatibility with the current OpenSSL 1.1.0-dev tree.
  • Bug fixes:
  • Removed defective s_poll_error() code occasionally causing connections to be prematurely closed (truncated).
  • This bug was introduced in stunnel 4.34.
  • Fixed ./configure systemd detection (thx to Kip Walraven).
  • Fixed ./configure sysroot detection (thx to Kip Walraven).
  • Fixed compilation against old versions of OpenSSL.
  • Removed outdated French manual page.

New in stunnel 5.09 Beta 1 (Dec 13, 2014)

  • New features:
  • Added PSK authentication with two new service-level configuration file options "PSKsecrets" and "PSKidentity".
  • Bug fixes:
  • Fixed ./configure systemd detection (thx to Kip Walraven).
  • Fixed ./configure sysroot detection (thx to Kip Walraven).
  • Removed outdated French manual page.

New in stunnel 5.08 (Dec 9, 2014)

  • New features:
  • Updated automake to version 1.14.1.
  • OpenSSL directory searching is now relative to the sysroot.
  • Bug fixes:
  • Fixed improper hangup condition handling.

New in stunnel 5.08 Beta 7 (Dec 4, 2014)

  • Bug fixes:
  • Fixed missing -pic linker option.

New in stunnel 5.08 Beta 6 (Nov 26, 2014)

  • New features:
  • Added SOCKS4/SOCKS4a protocol support.
  • Added SOCKS5 protocol support.
  • Added SOCKS RESOLVE [F0] TOR extension support.
  • OpenSSL directory searching is now relative to the sysroot.

New in stunnel 5.08 Beta 3 (Nov 10, 2014)

  • New features:
  • Updated automake to version 1.14.1.
  • Bug fixes:
  • Fixed improper hangup condition handling.

New in stunnel 5.07 (Nov 10, 2014)

  • New features:
  • Several SMTP server protocol negotiation improvements.
  • Added UTF-8 byte order marks to stunnel.conf templates.
  • DH parameters are no longer generated by "make cert". The hardcoded DH parameters are sufficiently secure, and modern TLS implementations will use ECDH anyway.
  • Updated manual for the "options" configuration file option.
  • Added support for systemd 209 or later.
  • New --disable-systemd ./configure option.
  • setuid/setgid commented out in stunnel.conf-sample.
  • Bug fixes:
  • Added support for UTF-8 byte order mark in stunnel.conf.
  • Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
  • Non-blocking mode set on inetd and systemd descriptors.
  • shfolder.h replaced with shlobj.h for compatibility with modern Microsoft compilers.

New in stunnel 5.07 Beta 4 (Oct 25, 2014)

  • Several SMTP server protocol negotiation improvements.

New in stunnel 5.07 Beta 3 (Oct 24, 2014)

  • New features:
  • DH parameters are no longer generated by "make cert". The hardcoded DH parameters are sufficiently secure, and modern TLS implementations will use ECDH anyway.
  • Updated manual for the "options" configuration file option.
  • New --disable-systemd ./configure option.

New in stunnel 5.07 Beta 2 (Oct 16, 2014)

  • New features:
  • Support for systemd 209 or later.
  • Bug fixes:
  • Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.

New in stunnel 5.06 (Oct 16, 2014)

  • Security bug fixes:
  • OpenSSL DLLs updated to version 1.0.1j. https://www.openssl.org/news/secadv_20141015.txt
  • The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2".
  • The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3".
  • Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version.
  • New features:
  • Added missing SSL options to match OpenSSL 1.0.1j.
  • New "-options" commandline option to display the list of supported SSL options.
  • Bug fixes:
  • Fixed FORK threading build regression bug.
  • Fixed missing periodic Win32 GUI log updates.

New in stunnel 5.05 (Oct 10, 2014)

  • New features:
  • Asynchronous communication with the GUI thread for faster logging on Win32.
  • systemd socket activation (thx to Mark Theunissen).
  • The parameter of "options" can now be prefixed with "-" to clear an SSL option, for example: "options = -LEGACY_SERVER_CONNECT".
  • Improved "transparent = destination" manual page (thx to Vadim Penzin).
  • Bug fixes:
  • Fixed POLLIN|POLLHUP condition handling error resulting in prematurely closed (truncated) connection.
  • Fixed a null pointer dereference regression bug in the "transparent = destination" functionality (thx to Vadim Penzin). This bug was introduced in stunnel 5.00.
  • Fixed startup thread synchronization with Win32 GUI.
  • Fixed erroneously closed stdin/stdout/stderr if specified as the -fd commandline option parameter.
  • A number of minor Win32 GUI bugfixes and improvements.
  • Merged most of the Windows CE patches (thx to Pierre Delaage).
  • Fixed incorrect CreateService() error message on Win32.
  • Implemented a workaround for defective Cygwin file descriptor passing breaking the libwrap support: http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors

New in stunnel 5.04 (Sep 23, 2014)

  • New features:
  • Support for local mode ("exec" option) on Win32.
  • Support for UTF-8 config file and log file.
  • Win32 UTF-16 build (thx to Pierre Delaage for support).
  • Support for Unicode file names on Win32.
  • A more explicit service description provided for the Windows SCM (thx to Pierre Delaage).
  • TCP/IP dependency added for NT service in order to prevent initialization failure at boot time.
  • FIPS canister updated to version 2.0.8 in the Win32 binary build.
  • Bug fixes:
  • load_icon_default() modified to return copies of default icons instead of the original resources to prevent the resources from being destroyed.
  • Partially merged Windows CE patches (thx to Pierre Delaage).
  • Fixed typos in stunnel.init.in and vc.mak.
  • Fixed incorrect memory allocation statistics update in str_realloc().
  • Missing REMOTE_PORT environmental variable is provided to processes spawned with "exec" on Unix platforms.
  • Taskbar icon is no longer disabled for NT service.
  • Fixed taskbar icon initialization when commandline options are specified.
  • Reportedly more compatible values used for the dwDesiredAccess parameter of the CreateFile() function (thx to Pierre Delaage).
  • A number of minor Win32 GUI bugfixes and improvements.

New in stunnel 5.04 Beta 1 (Sep 17, 2014)

  • New features:
  • Support for local mode ("exec" option) on Win32.
  • A more explicit service description provided for the Windows SCM (thx to Pierre Delaage).
  • TCP/IP dependency added for NT service in order to (hopefully) prevent initialization failure at boot time.
  • FIPS canister updated to version 2.0.8 in the Win32 binary build.
  • Bug fixes:
  • load_icon_default() modified to return copies of default icons instead of the original resources to prevent the resources from being destroyed.
  • Reportedly more compatible values used for the dwDesiredAccess parameter of the CreateFile() function (thx to Pierre Delaage).
  • Partially merged UNICODE compilation fixes (thx to Pierre Delaage).
  • Partially merged Windows CE patches (thx to Pierre Delaage).
  • Fixed typos in stunnel.init.in and vc.mak.
  • Fixed incorrect memory allocation statistics update in str_realloc().
  • Missing REMOTE_PORT environmental variable is provided to processes spawned with "exec" on Unix platforms.
  • Taskbar icon is no longer disabled for NT service.

New in stunnel 5.03 (Aug 8, 2014)

  • Security bug fixes:
  • OpenSSL DLLs updated to version 1.0.1i. See https://www.openssl.org/news/secadv_20140806.txt
  • New features:
  • FIPS autoconfiguration cleanup.
  • FIPS canister updated to version 2.0.6.
  • Improved SNI diagnostic logging.
  • Bug fixes:
  • Compilation fixes for old versions of OpenSSL.
  • Fixed whitespace handling in the stunnel.init script.

New in stunnel 5.03 Beta 1 (Jun 27, 2014)

  • New features:
  • FIPS code cleanup.

New in stunnel 5.02 (Jun 27, 2014)

  • Security bugfixes:
  • OpenSSL DLLs updated to version 1.0.1h.
  • New features:
  • Major rewrite of the protocol.c interface: it is now possible to add protocol negotiations at multiple connection phases, and protocols can individually decide whether the remote connection will be established before or after SSL/TLS is negotiated.
  • Heap memory blocks are wiped before release. This only works for blocks allocated by stunnel, and not by OpenSSL or other libraries.
  • A safe_memcmp() implemented with execution time not dependent on the compared data.
  • Updated the stunnel.conf and stunnel.init templates.
  • Added a client-mode example to the manual.
  • Bug fixes:
  • Fixed "failover = rr" broken since version 5.00.
  • Fixed "taskbar = no" broken since version 5.00.
  • Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.

New in stunnel 5.02 Beta 2 (May 20, 2014)

  • New features:
  • Cleanup heap memory that is no longer used.
  • This only works for stunnel allocations, not OpenSSL allocations.
  • A safe_memcmp() implementation with execution time not dependent on the compared data.
  • Major rewrite of the protocol.c interface: it is now possible to add protocol negotiations at multiple connection phases, and protocols can individually decide whether the remote connection will be established before or after SSL/TLS is negotiated.
  • Bug fixes:
  • Fixed "failover = rr" regression bug introduced in version 5.00.

New in stunnel 5.01 (May 20, 2014)

  • Security bugfixes:
  • OpenSSL DLLs updated to version 1.0.1g.
  • This version mitigates TLS heartbeat read overrun (CVE-2014-0160).
  • New features:
  • X.509 extensions added to the created self-signed stunnel.pem.
  • "FIPS = no" also allowed in non-FIPS builds of stunnel.
  • Search all certificates with the same subject name for a matching public key rather than only the first one (thx to Leon Winter).
  • Create logs in the local application data folder if stunnel folder is not writable on Win32.
  • Bug fixes:
  • close_notify not sent when SSL still has some data buffered.
  • Protocol negotiation with server-side SNI fixed.
  • Missing symbols on Mac OS X fixed.
  • Win32 configuration file reload crash fixed.
  • Added s_pool_free() on exec+connect service retries.
  • Line-buffering enforced on stderr output.

New in stunnel 4.53 (Aug 3, 2012)

  • New features:
  • Added client-mode "sni" option to directly control the value of TLS Server Name Indication (RFC 3546) extension.
  • Added support for IP_FREEBIND socket option with a patched Linux kernel.
  • Glibc-specific dynamic allocation tuning was applied to help unused memory deallocation.
  • Non-blocking OCSP implementation.
  • Bug fixes:
  • Compilation fixes for old versions of OpenSSL (tested against 0.9.6).
  • Usage of uninitialized variables fixed in exec+connect services.
  • Occasional logging subsystem crash with exec+connect services.
  • OpenBSD compilation fix (thx to Michele Orru').
  • Session id context initialized with session name rather than a constant.
  • Fixed handling of a rare inetd mode use case, where either stdin or stdout is a socket, but not both of them at the same time.
  • Fixed missing OPENSSL_Applink http://www.openssl.org/support/faq.html#PROG2
  • Fixed crash on termination with FORK threading model.
  • Fixed dead canary after configuration reload with open connections.
  • Fixed missing file descriptors passed to local mode processes.
  • Fixed required jmp_buf alignment on Itanium platform.
  • Removed creating /dev/zero in the chroot jail on Solaris platform.
  • Fixed detection of WSAECONNREFUSED Winsock error.
  • Missing Microsoft.VC90.CRT.manifest added to Windows installer.

New in stunnel 4.48 (Nov 28, 2011)

  • New features:
  • FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs based on FIPS 1.2.3 canister are included with this version of stunnel. FIPS support can be disabled with "fips = no" configuration file option.
  • Bug fixes:
  • Fixed canary initialization problem on Win32 platform.

New in stunnel 4.46 (Nov 8, 2011)

  • New features:
  • Added Unix socket support (e.g. "connect = /var/run/stunnel/socket").
  • Added "verify = 4" mode to ignore CA chain and only verify peer certificate.
  • Removed the limit of 16 IP addresses for a single 'connect' option.
  • Removed the limit of 256 stunnel.conf sections in PTHREAD threading model. It is still not possible to have more than 63 sections on WIN32 platform. http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
  • Optimizations:
  • Reduced per-connection memory usage.
  • Performed a major refactoring of internal data structures. Extensive internal testing was performed, but some regression bugs are expected.
  • Bug fixes:
  • Fixed WIN32 compilation with Mingw32.
  • Fixed non-blocking API emulation layer in UCONTEXT threading model.
  • Fixed signal handling in UCONTEXT threading model.

New in stunnel 4.45 (Oct 26, 2011)

  • New features:
  • "protocol = proxy" support to send original client IP address to haproxy: http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt. This requires the accept-proxy bind option of haproxy 1.5-dev3 or later.
  • Added Win32 configuration reload without a valid configuration loaded.
  • Added compatibility with LTS OpenSSL versions 0.9.6 and 0.9.7. Some features are only available in OpenSSL 1.0.0 and later.
  • Performance optimizations:
  • Use SSL_MODE_RELEASE_BUFFERS if supported by the OpenSSL library.
  • Libwrap helper processes are no longer started if libwrap is disabled in all sections of the configuration file.
  • Internal improvements:
  • Protocol negotiation framework was rewritten to support additional code to be executed after SSL_accept()/SSL_connect().
  • Handling of memory allocation errors was rewritten to gracefully terminate the process (thx to regenrecht for the idea).
  • Bug fixes:
  • Fixed -l option handling in stunnel3 script (thx to Kai Gülzau).
  • Script to build default stunnel.pem was fixed (thx to Sebastian Kayser).
  • MinGW compilation script (mingw.mak) was fixed (thx to Jose Alf).
  • MSVC compilation script (vc.mak) was fixed.
  • A number of problems in WINSOCK error handling were fixed.

New in stunnel 4.43 (Sep 8, 2011)

  • New features:
  • Updated Win32 DLLs for OpenSSL 1.0.0e.
  • Major optimization of the logging subsystem. Benchmarks indicate up to 15% performance improvement.
  • Bug fixes:
  • Fixed WIN32 configuration file reload.
  • Fixed FORK and UCONTEXT threading models.
  • Corrected INSTALL.W32 file.

New in stunnel 4.40 (Jul 24, 2011)

  • Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters are not provided in stunnel.pem.
  • Default "ciphers" value updated to prefer ECDH: "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
  • Default ECDH curve updated to "prime256v1".
  • Removed support for temporary RSA keys (used in obsolete export ciphers).

New in stunnel 4.39 (Jul 7, 2011)

  • New features:
  • New Win32 installer module to build self-signed stunnel.pem.
  • Added configuration file editing with Windows GUI.
  • Added log file reopening with Windows GUI. It might be useful to also implement log file rotation.
  • Improved configuration file reload with Windows GUI.

New in stunnel 4.38 (Jun 29, 2011)

  • New features:
  • Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option "sni".
  • "socket" option also accepts "yes" and "no" for flags.
  • Nagle's algorithm is now disabled by default for improved interactivity.
  • Bug fixes:
  • A compilation fix was added for OpenSSL version < 1.0.0.
  • Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected.

New in stunnel 4.36 (May 3, 2011)

  • New features:
  • Updated Win32 DLLs for OpenSSL 1.0.0d.
  • Dynamic memory management for string manipulation: no more static STRLEN limit, lower stack footprint.
  • Strict public key comparison added for "verify = 3" certificate checking mode (thx to Philipp Hartwig).
  • Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved behavior under heavy load.
  • Example tools/stunnel.service file added for systemd service manager.
  • Bugfixes:
  • Missing pthread_attr_destroy() added to fix memory leak (thx to Paul Allex and Peter Pentchev).
  • Fixed the incorrect way of setting FD_CLOEXEC flag.
  • Fixed --enable-libwrap option of ./configure script.
  • /opt/local added to OpenSSL search path for MacPorts compatibility.
  • Workaround implemented for signal handling on MacOS X.
  • A trivial bug fixed in the stunnel.init script.
  • Retry implemented on EAI_AGAIN error returned by resolver calls.

New in stunnel 4.35 (Feb 7, 2011)

  • New features:
  • Updated Win32 DLLs for OpenSSL 1.0.0c.
  • Transparent source (non-local bind) added for FreeBSD 8.x.
  • Transparent destination ("transparent = destination") added for Linux.
  • Bugfixes:
  • Fixed reload of FIPS-enabled stunnel.
  • Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc.
  • Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
  • CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments.
  • Directory lib64 included in the OpenSSL library search path.
  • Windows CE compilation fixes (thx to Pierre Delaage).
  • Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
  • Domain name changes (courtesy of Bri Hatch):
  • http://stunnel.mirt.net/ --> http://www.stunnel.org/
  • ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
  • stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
  • [email protected] --> [email protected]
  • [email protected] --> [email protected]

New in stunnel 4.33 (Apr 6, 2010)

  • New features:
  • Win32 DLLs for OpenSSL 1.0.0.
  • This library requires running c_rehash on the CApath/CRLpath directories on upgrade.
  • Win32 DLLs for zlib 1.2.4.
  • Experimental support for local mode on WIN32 platform.
  • Try "exec = c:\windows\system32\cmd.exe".
  • Bugfixes:
  • Inetd mode fixed.