What's new in Stunnel 5.46
May 29, 2018
- New features:
  - The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
- Bugfixes:
  - Default accept address restored to INADDR_ANY.
New in Stunnel 5.41 (Apr 5, 2017)
- New features:
  - PKCS#11 engine DLL updated to version 0.4.5.
  - Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
  - Key file name added into the passphrase console prompt.
  - Performance optimization in memory leak detection.
- Bugfixes:
  - Fixed crashes with the OpenSSL 1.1.0 branch.
  - Fixed certificate verification with "verifyPeer = yes" and "verifyChain = no" (the default) when the peer only returns a single certificate.
New in Stunnel 5.38 (Dec 19, 2016)
- New features:
  - "sni=" can be used to prevent sending the SNI extension.
  - The AI_ADDRCONFIG resolver flag is used when available.
  - Merged Debian 06-lfs.patch (thx Peter Pentchev).
- Bugfixes:
  - Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
  - Fixed error handling for mixed IPv4/IPv6 destinations.
  - Merged Debian 08-typos.patch (thx Peter Pentchev).
New in Stunnel 5.30 (Feb 8, 2016)
- Security bugfixes:
  - OpenSSL DLLs updated to version 1.0.2f. https://www.openssl.org/news/secadv_20160128.txt
- New features:
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  - Added OpenSSL autodetection for the recent versions of Xcode.
- Bugfixes:
  - Fixed references to /etc removed from stunnel.init.in.
  - Stopped even trying -fstack-protector on unsupported platforms (thx to Rob Lockhart).
New in Stunnel 5.29 (Jan 18, 2016)
- New features:
  - New WIN32 icons.
  - Performance improvement: rwlocks used for locking with pthreads.
- Bugfixes:
  - Compilation fix for *BSD.
  - Fixed configuration file reload for relative stunnel.conf path on Unix.
  - Fixed ignoring CRLfile unless CAfile was also specified (thx to Strukov Petr).
New in Stunnel 5.26 (Nov 8, 2015)
- Compilation fixes for OSX, *BSD and Solaris.
New in Stunnel 5.17 (May 20, 2015)
- Bugfixes:
  - Fixed a NULL pointer dereference causing the service to crash. This bug was introduced in stunnel 5.15.
New in Stunnel 5.10 (Jan 25, 2015)
- New features:
  - OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia".
  - Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack".
- Bugfixes:
  - OpenSSL DLLs updated to version 1.0.1l. https://www.openssl.org/news/secadv_20150108.txt
  - FIPS canister updated to version 2.0.9 in the Win32 binary build.
New in Stunnel 5.06 (Oct 20, 2014)
- Security bugfixes:
  - OpenSSL DLLs updated to version 1.0.1j. https://www.openssl.org/news/secadv_20141015.txt
  - The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2".
  - The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3".
  - Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version.
- New features:
  - Added missing SSL options to match OpenSSL 1.0.1j.
  - New "-options" commandline option to display the list of supported SSL options.
- Bugfixes:
  - Fixed FORK threading build regression bug.
  - Fixed missing periodic Win32 GUI log updates.
New in Stunnel 4.56 (Jan 13, 2014)
- New features:
  - Win32 installer automatically configures firewall exceptions.
  - Win32 installer configures administrative shortcuts to invoke UAC.
  - Improved Win32 GUI shutdown time.
- Bugfixes:
  - Fixed a regression bug introduced in version 4.55 causing random crashes on several platforms, including Windows 7.
  - Fixed startup crashes on some Win32 systems.
  - Fixed incorrect "stunnel -exit" process synchronisation.
  - Fixed FIPS detection with new versions of the OpenSSL library.
  - Failure to open the log file at startup is no longer ignored.
New in Stunnel 4.48 (Nov 28, 2011)
- FIPS-compliant OpenSSL DLLs are supplied with the Windows installer.
- FIPS mode can be disabled with the "fips = no" configuration file option.
- The stability of the Windows GUI was also improved.
New in Stunnel 4.46 (Nov 8, 2011)
- This version adds Unix socket support (e.g., "connect = /var/run/stunnel/socket") and a new certificate verification mode ("verify = 4") to ignore the CA chain and only verify the peer certificate.
- It also includes some performance and scalability optimizations, and compilation bugfixes.
New in Stunnel 4.45 (Oct 25, 2011)
- New "protocol = proxy" support was added to send the original client IP address to haproxy.
- This requires the accept-proxy bind option of haproxy 1.5-dev3 or later.
- A number of minor improvements and bugfixes were added, mostly related to Win32 GUI and compilation issues on various platforms.
New in Stunnel 4.39 (Jul 7, 2011)
- A new Windows installer module was added to build a self-signed stunnel.pem.
- Configuration file editing and log file reopening were added to the Windows GUI.
- Configuration file reloading with the Windows GUI was improved.
New in Stunnel 4.38 (Jun 29, 2011)
- Server Name Indication (SNI) TLS extension support was implemented for name-based virtual servers.
- Stunnel can now switch service section on the fly, based on the destination host name included in the Client Hello message.
- Numerous fixes were also added for bugs introduced in previous, experimental versions.
New in Stunnel 4.35 (Feb 8, 2011)
- New features:
  - Updated Win32 DLLs for OpenSSL 1.0.0c.
  - Transparent source (non-local bind) added for FreeBSD 8.x.
  - Transparent destination ("transparent = destination") added for Linux.
- Bugfixes:
  - Fixed reload of FIPS-enabled stunnel.
  - Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc.
  - Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
  - CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments.
  - Directory lib64 included in the OpenSSL library search path.
  - Windows CE compilation fixes (thx to Pierre Delaage).
  - Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
- Domain name changes (courtesy of Bri Hatch):
  - http://stunnel.mirt.net/ --> http://www.stunnel.org/
  - ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
  - stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
  - [email protected] --> [email protected]
  - [email protected] --> [email protected]
New in Stunnel 4.32 (Mar 24, 2010)
- New features:
  - Win32 DLLs for OpenSSL 0.9.8m.
- Bugfixes:
  - Fixed a transfer() loop issue with SSLv2 connections.
  - Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option.
  - Logging subsystem bugfixes and cleanup.
  - Installer bugfixes for Vista and later versions of Windows.
  - FIPS mode can be enabled/disabled at runtime.
New in Stunnel 4.26 (Sep 21, 2008)
- Win32 DLLs have been updated to OpenSSL 0.9.8i.
- /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to the chrooted directory, as the libwrap processes are no longer chrooted.
- A more informative error message is logged for invalid port number specified in the stunnel.conf file.
- Support for Microsoft Visual C++ 9.0 Express Edition was added.
- All libwrap processes are killed at stunnel shutdown.
- A minor bug in the stunnel.init sample SysV startup file was fixed.