stunnel 5.72

The stunnel program works as an SSL/TLS encryption wrapper between remote and local network sockets or inetd-started daemons. It adds SSL or TLS functionality to any network service, commonly POP3, IMAP or HTTP servers, and uses OpenSSL for cryptography. It can itself function as a port redirection daemon or as a temporary traffic interceptor, and requires no adaptation of the programs it shadows: the wrapped service keeps speaking plaintext on a local socket while stunnel terminates (server mode) or originates (client mode) the TLS session.
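
The two roles the description mentions, as an added stunnel.conf example written for this page (it is not a configuration shipped by the stunnel project): a server-mode section that terminates TLS in front of a plaintext IMAP daemon, a deliberately weak client-mode section, and a hardened client-mode section using the verification options the releases below introduced (checkHost in 5.15, verifyChain in 5.34, PSKsecrets in 5.09, sslVersionMin in 5.50, ciphersuites in 5.51, OCSPrequire and TIMEOUTocsp in 5.71). Hostnames, file paths, port numbers, the TIMEOUTocsp value and the section names are assumptions; stunnel comments must sit on their own lines, so every option is commented above rather than beside it.

```ini
; Global options, applied to every service section below.
; Paths and the unprivileged account are assumptions.
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = stunnel
output = /var/log/stunnel.log
debug = notice
; 5.50+: refuse protocol versions older than TLS 1.2 everywhere.
sslVersionMin = TLSv1.2

; Server mode: accept TLS on 993 and hand the decrypted stream to the
; unmodified plaintext IMAP daemon on 143.
; 5.71+: OCSP stapling is always available in server mode, no option needed.
[imaps]
accept  = 0.0.0.0:993
connect = 127.0.0.1:143
; assumed paths: server certificate (with chain) and private key
cert    = /etc/stunnel/imap.pem
key     = /etc/stunnel/imap.key

; Client mode, WEAK: local 2525 -> remote TLS SMTP with no peer verification.
; TLS is negotiated, but any certificate is accepted, so a man in the middle
; is not detected. This is the shape the "potentially insecure
; authentication" warning added in 5.18 is about.
[smtp-client-weak]
client  = yes
accept  = 127.0.0.1:2525
connect = mail.example.net:465

; Client mode, HARDENED: the same tunnel with the peer actually checked.
[smtp-client]
client  = yes
accept  = 127.0.0.1:2526
connect = mail.example.net:465
; assumed path: trust anchors the chain must lead to
CAfile  = /etc/ssl/certs/ca-certificates.crt
; 5.34+: validate the whole certificate chain against CAfile.
; 5.71+: verifyChain also turns on OCSP stapling in client mode.
verifyChain = yes
; 5.15+: the subject/SAN must match this name (needs OpenSSL >= 1.0.2).
checkHost   = mail.example.net
; 5.71+: an inconclusive stapled OCSP response aborts the handshake.
; This is the default; "no" would let the connection through anyway.
OCSPrequire = yes
; 5.71+: seconds allowed for reaching an OCSP responder (value assumed).
TIMEOUTocsp = 5
; 5.51+: restrict the TLS 1.3 suites offered.
ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

; Pre-shared keys instead of certificates (5.09+). The file holds one
; identity:key pair per line; hexadecimal keys are converted to binary
; automatically since 5.51. Path is an assumption.
[psk-service]
accept  = 127.0.0.1:5555
connect = 127.0.0.1:5556
PSKsecrets = /etc/stunnel/psk.txt
```

Start it with `stunnel /etc/stunnel/stunnel.conf`. The [smtp-client-weak] section encrypts the wire but never establishes who the peer is, which is why stunnel logs a warning for it; in [smtp-client] the chain must validate against CAfile, checkHost pins the expected name, and because 5.71 ties OCSP stapling to verifyChain, a stapled response that cannot be verified now fails the handshake unless OCSPrequire is set to no.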

Tags: ssl tls network-daemon inetd security network c
License: GNU GPL
State: stable

Recent Releases

5.72 (14 Feb 2024 10:25) minor feature: Security bugfixes: OpenSSL DLLs updated to version 3.1.3. Bugfixes: Fixed the console output of tstunnel.exe. Features sponsored by SAE IT-systems: OCSP stapling is requested and verified in the client mode. Using "verifyChain" automatically enables OCSP stapling in the client mode. OCSP stapling is always available in the server mode. An inconclusive OCSP verification breaks TLS negotiation; this can be disabled with "OCSPrequire = no". Added the "TIMEOUTocsp" option to control the maximum time allowed for connecting to an OCSP responder. Features: Added support for Red Hat OpenSSL 3.x patches.
5.71 (29 Jan 2024 12:29) minor feature: Security bugfixes: OpenSSL DLLs updated to version 3.1.3. Bugfixes: Fixed the console output of tstunnel.exe. Features sponsored by SAE IT-systems: OCSP stapling is requested and verified in the client mode. Using "verifyChain" automatically enables OCSP stapling in the client mode. OCSP stapling is always available in the server mode. An inconclusive OCSP verification breaks TLS negotiation; this can be disabled with "OCSPrequire = no". Added the "TIMEOUTocsp" option to control the maximum time allowed for connecting to an OCSP responder. Features: Added support for Red Hat OpenSSL 3.x patches.
5.53 (11 Apr 2019 22:45) minor feature: Bugfixes: Fixed data transfer stalls introduced in stunnel 5.51. New features: Android binary updated to support Android 4.x.
5.52 (11 Apr 2019 04:05) minor feature: Bugfixes: Fixed a transfer() loop introduced in stunnel 5.51.
5.51 (06 Apr 2019 04:45) minor feature: New features: Hexadecimal PSK keys are automatically converted to binary. Session ticket support (requires OpenSSL 1.1.1 or later); "connect" address persistence is currently unsupported with session tickets. SMTP HELO before authentication (thx to Jacopo Giudici). New "curves" option to control the list of elliptic curves in OpenSSL 1.1.0 and later. New "ciphersuites" option to control the list of permitted TLS 1.3 ciphersuites. Include file name and line number in OpenSSL errors. Compatibility with the current OpenSSL 3.0.0-dev branch. Better performance with SSL_set_read_ahead()/SSL_pending(). Bugfixes: Fixed PSKsecrets as a global option (thx to Teodor Robas). Fixed a memory allocation bug (thx to matanfih).
5.50 (03 Dec 2018 16:45) minor feature: New features: 32-bit Windows builds replaced with 64-bit builds. OpenSSL DLLs updated to version 1.1.1. Check whether "output" is not a relative file name. Major code cleanup in the configuration file parser. Added sslVersion, sslVersionMin and sslVersionMax for OpenSSL 1.1.0 and later. Bugfixes: Fixed PSK session resumption with TLS 1.3. Fixed a memory leak in the WIN32 logging subsystem. Allow for zero value (ignored) TLS options. Partially refactored configuration file parsing and logging subsystems for clearer code and minor bugfixes. Caveats: We removed FIPS support from our standard builds. FIPS will still be available with bespoke builds.
5.49 (04 Sep 2018 10:25) minor feature: New features: Performance optimizations. Logging of negotiated or resumed TLS session IDs (thx to ANSSI - National Cybersecurity Agency of France). Merged Debian 10-enabled.patch and 11-killproc.patch (thx to Peter Pentchev). OpenSSL DLLs updated to version 1.0.2p. PKCS#11 engine DLL updated to version 0.4.9. Bugfixes: Fixed a crash in the session persistence implementation. Fixed the syslog identifier after configuration file reload. Fixed non-interactive "make check" invocations. Fixed reloading syslog configuration. stunnel.pem is now created with SHA-256 instead of SHA-1. SHA-256 "make check" certificates.
5.48 (03 Jul 2018 20:25) minor feature: Security bugfixes: Fixed requesting a client certificate when specified as a global option. New features: Certificate subject checks modified to accept certificates if at least one of the specified checks matches.
5.47 (24 Jun 2018 15:05) minor feature: New features: Fast add_lock_callback for OpenSSL < 1.1.0. This largely improves performance under heavy load. Automatic detection of Homebrew OpenSSL. Clarified port binding error logs. Various "make test" improvements. Bugfixes: Fixed a crash on switching to SNI slave sections.
5.46 (29 May 2018 17:05) minor feature: New features: The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK". Bugfixes: Default accept address restored to INADDR_ANY.
5.45 (25 May 2018 23:25) minor feature: New features: The default cipher list was updated to "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK". Bugfixes: Default accept address restored to INADDR_ANY.
5.44 (27 Nov 2017 19:25) minor feature: New features: Signed Win32 executables, libraries, and installer. Bugfixes: Default accept address restored to INADDR_ANY. Fixed a race condition in "make check". Fixed removing the pid file after configuration reload.
5.43 (06 Nov 2017 03:17) minor feature: New features: OpenSSL DLLs updated to version 1.0.2m. Android build updated to OpenSSL 1.1.0g. Allow for multiple "accept" ports per section. Self-test framework (make check). Added config load before OpenSSL init (thx to Dmitrii Pichulin). OpenSSL 1.1.0 support for Travis CI. OpenSSL 1.1.1-dev compilation. Bugfixes: Fixed a memory fault on Solaris. Fixed round-robin failover in the FORK threading model. Fixed handling of SSL_ERROR_ZERO_RETURN in SSL_shutdown(). Minor fixes in the logging subsystem.
5.42 (17 Jul 2017 20:45) minor feature: New features: "redirect" also supports "exec" and not only "connect". PKCS#11 engine DLL updated to version 0.4.7. Bugfixes: Fixed premature cron thread initialization causing hangs. Fixed "verifyPeer = yes" on OpenSSL <= 1.0.1. Fixed pthreads support on OpenSolaris.
5.41 (03 Apr 2017 05:45) minor feature: New features: PKCS#11 engine DLL updated to version 0.4.5. Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE. Key file name added to the passphrase console prompt. Performance optimization in memory leak detection. Bugfixes: Fixed crashes with the OpenSSL 1.1.0 branch. Fixed certificate verification with "verifyPeer = yes" and "verifyChain = no" (the default) while the peer only returns a single certificate.
5.40 (30 Jan 2017 17:45) minor feature:
5.39 (03 Jan 2017 02:45) minor feature: New features: PKCS#11 engine (pkcs11.dll) added to the Win32 build. Per-destination TLS session cache added for the client mode. The new "logId" parameter "process" added to log PID values. Added support for the new SSL_set_options() values. Updated the manual page. Obsolete references to "SSL" replaced with "TLS". Bugfixes: Fixed the "logId" parameter to also work in inetd mode. Fixed "delay = yes" to properly enforce "failover = prio". Fixed fd_set allocation size on Win64. Fixed reloading an invalid configuration file on Win32. Fixed resolving addresses with unconfigured network interfaces.
5.38 (27 Nov 2016 13:25) minor feature: New features: "sni=" can be used to prevent sending the SNI extension. The AI_ADDRCONFIG resolver flag is used when available. Merged Debian 06-lfs.patch (thx Peter Pentchev). Bugfixes: Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0. Fixed error handling for mixed IPv4/IPv6 destinations. Merged Debian 08-typos.patch (thx Peter Pentchev).
5.37 (08 Nov 2016 22:45) minor feature: OpenSSL DLLs updated to version 1.0.2j (stops crashes). The default SNI target (not handled by any slave service) is handled by the master service rather than rejected. Removed thread synchronization in the FORK threading model.
5.36 (16 Oct 2016 09:05) minor feature: Security bugfixes: OpenSSL DLLs updated to version 1.0.2i (https://www.openssl.org/news/secadv_20160922.txt). New features: Added support for OpenSSL 1.1.0 built with "no-deprecated". Removed direct zlib dependency.
5.35 (18 Jul 2016 07:25) minor feature: Bugfixes: Fixed incorrectly enforced client certificate requests. Only default to SO_EXCLUSIVEADDRUSE on Vista and later. Fixed thread safety of the configuration file reopening.
5.34 (06 Jul 2016 13:45) minor feature: Security bugfixes: Fixed malfunctioning "verify = 4". New features: Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32. Added three new service-level options, requireCert, verifyChain and verifyPeer, for fine-grained certificate verification control. Improved compatibility with the current OpenSSL 1.1.0-dev tree.
5.33 (28 Jun 2016 07:05) minor feature: New features
5.32 (04 May 2016 23:45) minor feature: Security bugfixes: OpenSSL DLLs updated to version 1.0.2h (https://www.openssl.org/news/secadv_20160503.txt). New features: New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6. Memory leak detection. Improved compatibility with the current OpenSSL 1.1.0-dev tree. Added Red Hat scripts (thx to Andrew Colin Kissa). Bugfixes: Workaround for a WinCE sockets quirk (thx to Richard Kraemer). Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
5.31 (26 Feb 2016 10:25) minor feature: Security bugfixes: OpenSSL DLLs updated to version 1.0.2g (https://www.openssl.org/news/secadv_20160301.txt). New features: Added logging of the list of client CAs requested by the server. Improved compatibility with the current OpenSSL 1.1.0-dev tree. Bugfixes: Only reset the watchdog if some data was actually transferred. A workaround implemented for the unexpected exceptfds set by select() on WinCE 6.0 (thx to Richard Kraemer).
5.30 (31 Jan 2016 17:25) minor feature: Security bugfixes: OpenSSL DLLs updated to version 1.0.2f (https://www.openssl.org/news/secadv_20160128.txt). New features: Improved compatibility with the current OpenSSL 1.1.0-dev tree. Added OpenSSL autodetection for the recent versions of Xcode. Bugfixes: References to /etc removed from stunnel.init.in. Stopped even trying -fstack-protector on unsupported platforms (thx to Rob Lockhart).
5.29 (09 Jan 2016 15:45) minor feature: New features: New WIN32 icons. Performance improvement: rwlocks used for locking with pthreads. Bugfixes: Fixed compilation for *BSD. Fixed configuration file reload for a relative stunnel.conf path on Unix. Fixed ignoring CRLfile unless CAfile was also specified (thx to Strukov Petr).
5.28 (12 Dec 2015 15:25) minor feature: New features: Build matrix (.travis.yml) extended with ./configure options. mingw.mak updated to build tstunnel.exe (thx to Jose Alf.). Bugfixes: Fixed incomplete initialization. Fixed UCONTEXT threading on OSX. Fixed exit codes for information requests (as in "stunnel -version" or "stunnel -help").
5.27 (07 Dec 2015 00:45) minor feature: New features
5.26 (08 Nov 2015 08:25) minor feature: New features: Added reading server certificates from hardware engines. For example: cert = id_45.
5.25 (03 Nov 2015 17:05) minor feature: New features: SMTP client protocol negotiation support for "protocolUsername", "protocolPassword", and "protocolAuthentication" (thx to Douglas Harris). New service-level option "config" to specify OpenSSL configuration commands.
5.24 (09 Oct 2015 17:45) minor feature: New features: Custom CRL verification was replaced with the internal OpenSSL functionality. BSD support for "transparent = destination" and client-side "protocol = socks". This feature should work at least on FreeBSD, OpenBSD and OS X. Added a new "protocolDomain" option for the NTLM authentication (thx to Andreas Botsikas). Improved compatibility of the NTLM phase 1 message (thx to Andreas Botsikas). The "setuid" and "setgid" options are now also available in service sections. They can be used to set the owner and group of the Unix socket specified with "accept". Added support for the new OpenSSL 1.0.2 SSL options. Added OPENSSL_NO_EGD support (thx to Bernard Spil). VC autodetection added to makew32.bat (thx to Andreas Botsikas). Bugfixes: Fixed the RESOLVE F0 TOR extension support in SOCKS5. Fixed the error code reported on failed bind() requests. Fixed the sequential log id with the FORK threading. Restored the missing Microsoft.VC90.CRT.manifest file.
5.23 (04 Sep 2015 05:45) minor feature: New features: Client-side support for the SOCKS protocol. See https://www.stunnel.org/socksvpn.html for details. Reject SOCKS requests to connect to loopback addresses. New service-level option "OCSPnonce". The default value is "OCSPnonce = no". Win32 directory structure rearranged. The installer script provides automatic migration for common setups. Added a Win32 installer option to install stunnel for the current user only. This feature does not deploy the NT service, but it also does not require administrative privileges to install and configure stunnel. stunnel.cnf was renamed to openssl.cnf in order to prevent users from mixing it up with stunnel.conf. The Win32 desktop is automatically refreshed when the icon is created or removed. The ca-certs.pem file is now updated on stunnel upgrade. Inactive ports were removed from the PORTS file. Added IPv6 support to the transparent proxy code. Bugfixes: Fixed compilation for OpenSSL versions older than 1.0.0. Fixed compilation for mingw.
5.22 (02 Aug 2015 14:45) minor feature: New features: New service-level option "OCSPnonce". The default value is "OCSPnonce = no". Inactive ports removed from the PORTS file.
5.21 (28 Jul 2015 09:05) minor feature: New features: Signal names are displayed instead of numbers. First resolve IPv4 addresses on passive resolver requests. This speeds up stunnel startup on Win32 with a slow/defunct DNS service. The "make check" target was modified to only build Win32 executables when stunnel is built from a git repository (thx to Peter Pentchev). More elaborate descriptions were added to the warning about using "verify = 2" without "checkHost" or "checkIP". Performance optimization was performed on the debug code. Bugfixes: Fixed the FORK and UCONTEXT threading support. Fixed "failover = prio" (broken since stunnel 5.15). Added a retry when sleep(3) was interrupted by a signal in the cron thread scheduler.
5.20 (10 Jul 2015 14:25) security bugfix: OpenSSL DLLs updated to version 1.0.2d (https://www.openssl.org/news/secadv_20150709.txt). New features: poll(2) re-enabled on MacOS X 10.5 and later. The Xcode SDK is automatically used on MacOS X if no other locally installed OpenSSL directory is found. The SSL library detection algorithm was made a bit smarter. Warnings about insecure authentication were modified to include the name of the affected service section. A warning was added to stunnel.init if no pid file was specified in the configuration file (thx to Peter Pentchev). Optional debugging symbols are included in the Win32 installer. Documentation updates. Bugfixes: Signal pipe reinitialization added to prevent turning the main accepting thread into a busy wait loop when an external condition breaks the signal pipe. This bug was found to surface on Win32, but other platforms may also be affected. Fixed removing the disabled taskbar icon. Generated temporary DH parameters are used for configuration reload instead of the static defaults. LSB compatibility fixes added to the stunnel.init script (thx to Peter Pentchev). Fixed the manual page headers (thx to Gleydson Soares).
5.19 (18 Jun 2015 00:05) minor feature: New features: OpenSSL DLLs updated to version 1.0.2c. Added a runtime check whether the COMP_zlib() method is implemented in order to improve compatibility with the Debian OpenSSL build. Bugfixes: Improved socket error handling. Cron thread priority on the Win32 platform changed to THREAD_PRIORITY_LOWEST to improve portability. Makefile bugfixes for stunnel 5.18 regressions. Fixed some typos in docs and scripts (thx to Peter Pentchev). Fixed a log level check condition (thx to Peter Pentchev).
5.18 (14 Jun 2015 01:25) minor feature: New features: OpenSSL DLLs updated to version 1.0.2b (https://www.openssl.org/news/secadv_20150611.txt). Added the "include" configuration file option to include all configuration file parts located in a specified directory. The log file is reopened every 24 hours. With "log = overwrite" this feature can be used to prevent filling up disk space. Temporary DH parameters are refreshed every 24 hours, unless static DH parameters were provided in the certificate file. Unique initial DH parameters are distributed with each release. Warnings are logged on potentially insecure authentication. Improved compatibility with the current OpenSSL 1.1.0-dev tree: removed RLE compression support, etc. Updated stunnel.spec (thx to Bill Quayle). Bugfixes: Fixed handling of dynamic connect targets. Fixed handling of trailing whitespace in the Content-Length header of the NTLM authentication. Fixed --sysconfdir and --localstatedir handling (thx to Dagobert Michelsen).
5.17 (30 Apr 2015 07:05) minor feature: Bugfixes: Fixed a NULL pointer dereference causing the service to crash. This bug was introduced in stunnel 5.15.
5.16 (23 Apr 2015 05:45) minor feature: Bugfixes: Fixed compilation with old versions of gcc.
5.15 (18 Apr 2015 04:25) minor feature: New features: Added new service-level options "checkHost", "checkEmail" and "checkIP" for additional checks of the peer certificate subject. These options require OpenSSL version 1.0.2 or higher. The Win32 binary distribution now ships with the Mozilla root CA bundle. This bundle is intended to be used together with the new "checkHost" option to validate server certs accepted by Mozilla. New command-line options "-reload" to reload the configuration file and "-reopen" to reopen the log file of stunnel running as a Windows service (thx to Marc McLaughlin). Added session persistence based on negotiated TLS sessions (https://en.wikipedia.org/wiki/Load_balancing_(computing)#Persistence). The current implementation does not support external TLS session caching with sessiond. MEDIUM ciphers (currently SEED and RC4) are removed from the default cipher list. The "redirect" option was improved to not only redirect sessions established with an untrusted certificate, but also sessions established without a client certificate. OpenSSL version checking modified to distinguish FIPS and non-FIPS builds. Improved compatibility with the current OpenSSL 1.1.0-dev tree. Removed support for OpenSSL versions older than 0.9.7. The final update for the OpenSSL 0.9.6 branch was 17 Mar 2004. "sessiond" support improved to also work in OpenSSL 0.9.7. Randomize the initial value of the round-robin counter. New stunnel.conf templates are provided for Windows and Unix. Bugfixes: Fixed compilation against old versions of OpenSSL. Fixed memory leaks in certificate verification.
5.14 (26 Mar 2015 17:45) security: Security bugfixes: The "redirect" option now also redirects clients on SSL session reuse. In stunnel versions 5.00 to 5.12 reused sessions were never redirected regardless of their certificate verification result. New features: The Windows service is automatically restarted after upgrade. Bugfixes: Fixed a memory allocation error during Unix daemon shutdown. Fixed handling of multiple connect/redirect destinations. OpenSSL FIPS builds are now correctly reported on startup.
5.11 (12 Mar 2015 07:05) minor feature: New features: OpenSSL DLLs updated to version 1.0.2. Removed dereferences of internal OpenSSL data structures. PSK key lookup algorithm performance improved from O(N) (linear) to O(log N) (logarithmic). Bugfixes: Fixed the peer certificate list in the main window on Win32 (thx to @fyer for reporting it). Fixed console logging in tstunnel.exe. _tputenv_s() replaced with the more portable _tputenv() on Win32.
5.10 (23 Jan 2015 17:45) minor feature: New features: OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia". Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack". Bugfixes: OpenSSL DLLs updated to version 1.0.1l (https://www.openssl.org/news/secadv_20150108.txt). FIPS canister updated to version 2.0.9 in the Win32 binary build.
5.09 (05 Jan 2015 15:25) minor feature: New features: Added PSK authentication with two new service-level configuration file options "PSKsecrets" and "PSKidentity". Added additional security checks to the OpenSSL memory management functions. Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL configuration flags. Added compatibility with the current OpenSSL 1.1.0-dev tree. Bugfixes: Removed defective s_poll_error() code occasionally causing connections to be prematurely closed (truncated). This bug was introduced in stunnel 4.34. Fixed ./configure systemd detection (thx to Kip Walraven). Fixed ./configure sysroot detection (thx to Kip Walraven). Fixed compilation against old versions of OpenSSL. Removed the outdated French manual page.
5.08 (10 Dec 2014 07:25) minor feature: New features: Added SOCKS4/SOCKS4a protocol support. Added SOCKS5 protocol support. Added SOCKS RESOLVE F0 TOR extension support. Updated automake to version 1.14.1. OpenSSL directory searching is now relative to the sysroot. Bugfixes: Fixed improper hangup condition handling. Fixed the missing -pic linker option. This is required for Android 5.0 and improves security.
5.07 (02 Nov 2014 03:16) minor feature: New features: Several SMTP server protocol negotiation improvements. Added UTF-8 byte order marks to the stunnel.conf templates. DH parameters are no longer generated by "make cert". The hardcoded DH parameters are sufficiently secure, and modern TLS implementations will use ECDH anyway. Updated the manual for the "options" configuration file option. Added support for systemd 209 or later. New --disable-systemd ./configure option. setuid/setgid commented out in stunnel.conf-sample. Bugfixes: Added support for a UTF-8 byte order mark in stunnel.conf. Compilation fix for OpenSSL with disabled SSLv2 or SSLv3. Non-blocking mode set on inetd and systemd descriptors. shfolder.h replaced with shlobj.h for compatibility with modern Microsoft compilers.
5.05 (11 Oct 2014 03:16) minor feature: New features: Asynchronous communication with the GUI thread for faster logging on Win32. systemd socket activation (thx to Mark Theunissen). The parameter of "options" can now be prefixed with "-" to clear an SSL option, for example: "options = -LEGACY_SERVER_CONNECT". Improved the "transparent = destination" manual page (thx to Vadim Penzin). Bugfixes: Fixed a POLLIN|POLLHUP condition handling error resulting in prematurely closed (truncated) connections. Fixed a null pointer dereference regression bug in the "transparent = destination" functionality (thx to Vadim Penzin). This bug was introduced in stunnel 5.00. Fixed startup thread synchronization with the Win32 GUI. Fixed erroneously closed stdin/stdout/stderr if specified as the -fd command-line option parameter. A number of minor Win32 GUI bugfixes and improvements. Merged most of the Windows CE patches (thx to Pierre Delaage). Fixed an incorrect CreateService() error message on Win32. Implemented a workaround for defective Cygwin file descriptor passing breaking the libwrap support: http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors
5.04 (17 Sep 2014 03:15) minor feature: New features: Support for local mode ("exec" option) on Win32. A more explicit service description provided for the Windows SCM (thx to Pierre Delaage). TCP/IP dependency added for the NT service in order to (hopefully) prevent initialization failure at boot time. FIPS canister updated to version 2.0.8 in the Win32 binary build. Bugfixes: load_icon_default() modified to return copies of default icons instead of the original resources to prevent the resources from being destroyed. Reportedly more compatible values used for the dwDesiredAccess parameter of the CreateFile() function (thx to Pierre Delaage). Partially merged UNICODE compilation fixes (thx to Pierre Delaage). Partially merged Windows CE patches (thx to Pierre Delaage). Fixed typos in stunnel.init.in and vc.mak. Fixed an incorrect memory allocation statistics update in str_realloc(). The previously missing REMOTE_PORT environment variable is now provided to processes spawned with "exec" on Unix platforms. The taskbar icon is no longer disabled for the NT service.
5.03 (08 Aug 2014 18:02) security: High priority security bugfixes: OpenSSL updated to 1.0.1i. New features: FIPS autoconfiguration cleanup and the FIPS canister update to version 2.0.6; SNI diagnostic logging improved. Bugfixes: Compilation fixes for old versions of OpenSSL, and whitespace handling in the stunnel.init script fixed.