stunnel 5.14

The stunnel program works as an SSL encryption wrapper between remote and local network sockets or inetd-started daemons. It adds SSL or TLS functionality to any network service, commonly POP3, IMAP or HTTP servers. Stunnel uses OpenSSL for cryptography. It can itself function as a port redirection daemon or as a temporary traffic interceptor, and requires no adaptation of the shadowed programs.

Tags c ssl tls network-daemon inetd
License GNU GPL
State stable

Recent Releases

5.14 26 Mar 2015 17:45 security: Security bugfixes. The "redirect" option now also redirects clients on SSL session reuse. In stunnel versions 5.00 to 5.12 reused sessions were never redirected regardless of their certificate verification result. New features: Windows service is automatically restarted after upgrade. Bugfixes: Fixed a memory allocation error during Unix daemon shutdown. Fixed handling multiple connect/redirect destinations. OpenSSL FIPS builds are now correctly reported on startup.
5.11 12 Mar 2015 07:05 minor feature: New features: OpenSSL DLLs updated to version 1.0.2. Removed dereferences of internal OpenSSL data structures. PSK key lookup algorithm performance improved from O(N) (linear) to O(log N) (logarithmic). Bugfixes: Fixed peer certificate list in the main window on Win32 (thx to @fyer for reporting it). Fixed console logging in tstunnel.exe. _tputenv_s() replaced with more portable _tputenv() on Win32.
5.10 23 Jan 2015 17:45 minor feature: New features: OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia". Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack". Bugfixes: OpenSSL DLLs updated to version 1.0.1l (https://www.openssl.org/news/secadv_20150108.txt). FIPS canister updated to version 2.0.9 in the Win32 binary build.
5.09 05 Jan 2015 15:25 minor feature: New features: Added PSK authentication with two new service-level configuration file options "PSKsecrets" and "PSKidentity". Added additional security checks to the OpenSSL memory management functions. Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL configuration flags. Added compatibility with the current OpenSSL 1.1.0-dev tree. Bugfixes: Removed defective s_poll_error() code occasionally causing connections to be prematurely closed (truncated). This bug was introduced in stunnel 4.34. Fixed ./configure systemd detection (thx to Kip Walraven). Fixed ./configure sysroot detection (thx to Kip Walraven). Fixed compilation against old versions of OpenSSL. Removed outdated French manual page.
5.08 10 Dec 2014 07:25 minor feature: New features: Added SOCKS4/SOCKS4a protocol support. Added SOCKS5 protocol support. Added SOCKS RESOLVE F0 TOR extension support. Updated automake to version 1.14.1. OpenSSL directory searching is now relative to the sysroot. Bugfixes: Fixed improper hangup condition handling. Fixed missing -pic linker option. This is required for Android 5.0 and improves security.
5.07 02 Nov 2014 03:16 minor feature: New features: Several SMTP server protocol negotiation improvements. Added UTF-8 byte order marks to stunnel.conf templates. DH parameters are no longer generated by "make cert". The hardcoded DH parameters are sufficiently secure, and modern TLS implementations will use ECDH anyway. Updated manual for the "options" configuration file option. Added support for systemd 209 or later. New --disable-systemd ./configure option. setuid/setgid commented out in stunnel.conf-sample. Bugfixes: Added support for UTF-8 byte order mark in stunnel.conf. Compilation fix for OpenSSL with disabled SSLv2 or SSLv3. Non-blocking mode set on inetd and systemd descriptors. shfolder.h replaced with shlobj.h for compatibility with modern Microsoft compilers.
5.05 11 Oct 2014 03:16 minor feature: New features: Asynchronous communication with the GUI thread for faster logging on Win32. systemd socket activation (thx to Mark Theunissen). The parameter of "options" can now be prefixed with "-" to clear an SSL option, for example: "options = -LEGACY_SERVER_CONNECT". Improved "transparent = destination" manual page (thx to Vadim Penzin). Bugfixes: Fixed POLLIN|POLLHUP condition handling error resulting in prematurely closed (truncated) connection. Fixed a null pointer dereference regression bug in the "transparent = destination" functionality (thx to Vadim Penzin). This bug was introduced in stunnel 5.00. Fixed startup thread synchronization with Win32 GUI. Fixed erroneously closed stdin/stdout/stderr if specified as the -fd commandline option parameter. A number of minor Win32 GUI bugfixes and improvements. Merged most of the Windows CE patches (thx to Pierre Delaage). Fixed incorrect CreateService() error message on Win32. Implemented a workaround for defective Cygwin file descriptor passing breaking the libwrap support: http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
5.04 17 Sep 2014 03:15 minor feature: New features: Support for local mode ("exec" option) on Win32. A more explicit service description provided for the Windows SCM (thx to Pierre Delaage). TCP/IP dependency added for NT service in order to (hopefully) prevent initialization failure at boot time. FIPS canister updated to version 2.0.8 in the Win32 binary build. Bugfixes: load_icon_default() modified to return copies of default icons instead of the original resources to prevent the resources from being destroyed. Reportedly more compatible values used for the dwDesiredAccess parameter of the CreateFile() function (thx to Pierre Delaage). Partially merged UNICODE compilation fixes (thx to Pierre Delaage). Partially merged Windows CE patches (thx to Pierre Delaage). Fixed typos in stunnel.init.in and vc.mak. Fixed incorrect memory allocation statistics update in str_realloc(). Missing REMOTE_PORT environmental variable is provided to processes spawned with "exec" on Unix platforms. Taskbar icon is no longer disabled for NT service.
5.03 08 Aug 2014 18:02 security: High priority security bugfixes include the OpenSSL update to 1.0.1i. New features include some FIPS autoconfiguration cleanup and the FIPS canister update to version 2.0.6. SNI diagnostic logging was also improved. Compilation fixes for old versions of OpenSSL were applied, and some whitespace handling in the stunnel.init script was fixed.