Stunnel

Software Details:
Version: 5.46
Upload Date: 22 Jun 18
Developer: Michal Trojnara
Distribution Type: Freeware
Downloads: 156


Stunnel is an open source command-line program designed to encrypt remote and local TCP (Transmission Control Protocol) connections between the client and the server using SSL (Secure Sockets Layer) encryption.

Features at a glance

The software is mostly used to add SSL functionality to IMAP and POP2/3 daemons. In order to support any cryptographic algorithm, Stunnel makes use of both SSLeay and OpenSSL libraries.

Additionally, Stunnel uses the FIPS 140-2 validation, which is part of the OpenSSL FIPS Object Module. It is currently available in the default software repositories of many Linux-based operating systems. The program also comes with support for various other sockets, including IPv6, poll or systemd.

Getting started with Stunnel

To install Stunnel on your GNU/Linux operating system, first download the latest version from Softoware (it is distributed as a universal sources archive), save it in a location of your choice, extract it and open a terminal window.

Type the "./configure && make" command to configure and compile the program for your hardware architecture and OS (supported architectures include 32-bit and 64-bit). After a successful compilation, type the "make install" command (without the quotes) as root or with sudo.

When first used, the program will attempt to read its configuration file, which is located at /usr/local/etc/stunnel/stunnel.conf. You can also specify a different config file, or have the config file read from a file descriptor.

Under the hood and availability

Stunnel is written entirely in the C programming language and it’s distributed as a universal sources archive for optimizing the application on your GNU/Linux system. It has been successfully installed on both 32-bit and 64-bit machines.

What is new in this release:

  • New features:
      • The default cipher list was updated to a safer value: "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
  • Bugfixes:
      • Default accept address restored to INADDR_ANY.

What is new in version :

  • New features:
      • PKCS#11 engine DLL updated to version 0.4.5.
      • Default engine UI set with ENGINE_CTRL_SET_USER_INTERFACE.
      • Key file name added into the passphrase console prompt.
      • Performance optimization in memory leak detection.
  • Bugfixes:
      • Fixed crashes with the OpenSSL 1.1.0 branch.
      • Fixed certificate verification with "verifyPeer = yes" and "verifyChain = no" (the default), while the peer only returns a single certificate.

What is new in version 5.38:

  • New features:
      • "sni=" can be used to prevent sending the SNI extension.
      • The AI_ADDRCONFIG resolver flag is used when available.
      • Merged Debian 06-lfs.patch (thx Peter Pentchev).
  • Bugfixes:
      • Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
      • Fixed error handling for mixed IPv4/IPv6 destinations.
      • Merged Debian 08-typos.patch (thx Peter Pentchev).

What is new in version 5.30:

  • Security bugfixes:
      • OpenSSL DLLs updated to version 1.0.2f. https://www.openssl.org/news/secadv_20160128.txt
  • New features:
      • Improved compatibility with the current OpenSSL 1.1.0-dev tree.
      • Added OpenSSL autodetection for the recent versions of Xcode.
  • Bugfixes:
      • Fixed references to /etc removed from stunnel.init.in.
      • Stopped even trying -fstack-protector on unsupported platforms (thx to Rob Lockhart).

What is new in version 5.26:

  • Compilation fixes for OSX, *BSD and Solaris.

What is new in version 5.17:

  • Bugfixes:
      • Fixed a NULL pointer dereference causing the service to crash. This bug was introduced in stunnel 5.15.

What is new in version 5.10:

  • New features:
      • OCSP AIA (Authority Information Access) support. This feature can be enabled with the new service-level option "OCSPaia".
      • Additional security features of the linker are enabled: "-z relro", "-z now", "-z noexecstack".
  • Bugfixes:
      • OpenSSL DLLs updated to version 1.0.1l. https://www.openssl.org/news/secadv_20150108.txt
      • FIPS canister updated to version 2.0.9 in the Win32 binary build.

What is new in version 5.06:

  • Security bugfixes:
      • OpenSSL DLLs updated to version 1.0.1j. https://www.openssl.org/news/secadv_20141015.txt
      • The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2".
      • The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3".
      • Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version.
  • New features:
      • Added missing SSL options to match OpenSSL 1.0.1j.
      • New "-options" commandline option to display the list of supported SSL options.
  • Bugfixes:
      • Fixed FORK threading build regression bug.
      • Fixed missing periodic Win32 GUI log updates.

What is new in version 4.56:

  • New features:
      • Win32 installer automatically configures firewall exceptions.
      • Win32 installer configures administrative shortcuts to invoke UAC.
      • Improved Win32 GUI shutdown time.
  • Bugfixes:
      • Fixed a regression bug introduced in version 4.55 causing random crashes on several platforms, including Windows 7.
      • Fixed startup crashes on some Win32 systems.
      • Fixed incorrect "stunnel -exit" process synchronisation.
      • Fixed FIPS detection with new versions of the OpenSSL library.
      • Failure to open the log file at startup is no longer ignored.

What is new in version 4.48:

  • FIPS-compliant OpenSSL DLLs are supplied with the Windows installer.
  • FIPS mode can be disabled with the "fips = no" configuration file option.
  • The stability of the Windows GUI was also improved.

What is new in version 4.46:

  • This version adds Unix socket support (e.g., "connect = /var/run/stunnel/socket") and a new certificate verification mode ("verify = 4") to ignore the CA chain and only verify the peer certificate.
  • It also includes some performance and scalability optimizations, and compilation bugfixes.

What is new in version 4.45:

  • New "protocol = proxy" support was added to send the original client IP address to haproxy.
  • This requires the accept-proxy bind option of haproxy 1.5-dev3 or later.
  • A number of minor improvements and bugfixes were added, mostly related to Win32 GUI and compilation issues on various platforms.

What is new in version 4.39:

  • A new Windows installer module was added to build a self-signed stunnel.pem.
  • Configuration file editing and log file reopening were added to the Windows GUI.
  • Configuration file reloading with the Windows GUI was improved.

What is new in version 4.38:

  • Server Name Indication (SNI) TLS extension support was implemented for name-based virtual servers.
  • Stunnel can now switch service section on the fly, based on the destination host name included in the Client Hello message.
  • Numerous fixes were also added for bugs introduced in previous, experimental versions.

What is new in version 4.35:

  • New features:
      • Updated Win32 DLLs for OpenSSL 1.0.0c.
      • Transparent source (non-local bind) added for FreeBSD 8.x.
      • Transparent destination ("transparent = destination") added for Linux.
  • Bugfixes:
      • Fixed reload of FIPS-enabled stunnel.
      • Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc.
      • Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
      • CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments.
      • Directory lib64 included in the OpenSSL library search path.
      • Windows CE compilation fixes (thx to Pierre Delaage).
      • Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
  • Domain name changes (courtesy of Bri Hatch):
      • http://stunnel.mirt.net/ --> http://www.stunnel.org/
      • ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
      • stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
      • stunnel-users@mirt.net --> stunnel-users@stunnel.org
      • stunnel-announce@mirt.net --> stunnel-announce@stunnel.org
