Stunnel Changelog

New in version 5.17 (May 20th, 2015)

  • Bugfixes:
      • Fixed a NULL pointer dereference causing the service to crash. This bug was introduced in stunnel 5.15.

New in version 5.10 (January 25th, 2015)

  • New features:
      • OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia".
      • Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack".
  • Bugfixes:
      • OpenSSL DLLs updated to version 1.0.1l.
      • FIPS canister updated to version 2.0.9 in the Win32 binary build.

New in version 5.06 (October 20th, 2014)

  • Security bugfixes:
      • OpenSSL DLLs updated to version 1.0.1j.
      • The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2".
      • The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3".
      • Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version.
  • New features:
      • Added missing SSL options to match OpenSSL 1.0.1j.
      • New "-options" command-line option to display the list of supported SSL options.
  • Bugfixes:
      • Fixed FORK threading build regression bug.
      • Fixed missing periodic Win32 GUI log updates.

New in version 4.56 (January 13th, 2014)

  • New features:
      • Win32 installer automatically configures firewall exceptions.
      • Win32 installer configures administrative shortcuts to invoke UAC.
      • Improved Win32 GUI shutdown time.
  • Bugfixes:
      • Fixed a regression bug introduced in version 4.55 causing random crashes on several platforms, including Windows 7.
      • Fixed startup crashes on some Win32 systems.
      • Fixed incorrect "stunnel -exit" process synchronisation.
      • Fixed FIPS detection with new versions of the OpenSSL library.
      • Failure to open the log file at startup is no longer ignored.

New in version 4.48 (November 28th, 2011)

  • FIPS-compliant OpenSSL DLLs are supplied with the Windows installer.
  • FIPS mode can be disabled with the "fips = no" configuration file option.
  • The stability of the Windows GUI was also improved.

New in version 4.46 (November 8th, 2011)

  • This version adds Unix socket support (e.g., "connect = /var/run/stunnel/socket") and a new certificate verification mode ("verify = 4") to ignore the CA chain and only verify the peer certificate.
  • It also includes some performance and scalability optimizations, and compilation bugfixes.

New in version 4.45 (October 25th, 2011)

  • New "protocol = proxy" support was added to send the original client IP address to haproxy.
  • This requires the accept-proxy bind option of haproxy 1.5-dev3 or later.
  • A number of minor improvements and bugfixes were added, mostly related to Win32 GUI and compilation issues on various platforms.

New in version 4.39 (July 7th, 2011)

  • A new Windows installer module was added to build a self-signed stunnel.pem.
  • Configuration file editing and log file reopening were added to the Windows GUI.
  • Configuration file reloading with the Windows GUI was improved.

New in version 4.38 (June 29th, 2011)

  • Server Name Indication (SNI) TLS extension support was implemented for name-based virtual servers.
  • Stunnel can now switch service section on the fly, based on the destination host name included in the Client Hello message.
  • Numerous fixes were also added for bugs introduced in previous, experimental versions.

New in version 4.35 (February 8th, 2011)

  • New features:
      • Updated Win32 DLLs for OpenSSL 1.0.0c.
      • Transparent source (non-local bind) added for FreeBSD 8.x.
      • Transparent destination ("transparent = destination") added for Linux.
  • Bugfixes:
      • Fixed reload of FIPS-enabled stunnel.
      • Compiler options are now auto-detected by the ./configure script in order to support obsolete versions of gcc.
      • Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
      • CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments.
      • Directory lib64 included in the OpenSSL library search path.
      • Windows CE compilation fixes (thanks to Pierre Delaage).
      • Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
  • Domain name changes (courtesy of Bri Hatch).

New in version 4.32 (March 24th, 2010)

  • New features:
      • Win32 DLLs for OpenSSL 0.9.8m.
  • Bugfixes:
      • Fixed a transfer() loop issue with SSLv2 connections.
      • Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option.
      • Logging subsystem bugfixes and cleanup.
      • Installer bugfixes for Vista and later versions of Windows.
      • FIPS mode can be enabled/disabled at runtime.

New in version 4.26 (September 21st, 2008)

  • Win32 DLLs have been updated to OpenSSL 0.9.8i.
  • /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to the chrooted directory, as the libwrap processes are no longer chrooted.
  • A more informative error message is logged for an invalid port number specified in the stunnel.conf file.
  • Support for Microsoft Visual C++ 9.0 Express Edition was added.
  • All libwrap processes are killed at stunnel shutdown.
  • A minor bug in the stunnel.init sample SysV startup file was fixed.