stunnel TODO

Updated defaults planned for stunnel 6.xx

More secure defaults planned for the next major version.

• OCSPaia = yes
• verifyPeer = yes (on the client)

High priority features

These features will likely be supported some day. A sponsor could allocate my time to get them faster.

• Add client certificate autoselection based on the list of accepted issuers: SSL_CTX_set_client_cert_cb(), SSL_get_client_CA_list().
• OCSP stapling (tlsext_status).
• Indirect CRL support (RFC 3280, section 5).
• Add an Apparmor profile.
• Log rotation on Windows.
• Configuration file option to limit the number of concurrent connections.
• Command-line server control interface on Unix.
• An Android GUI.
• MSI installer for Windows.
• Add 'leastconn' failover strategy to order defined 'connect' targets by the number of active connections.
• MariaDB (formerly MySQL) protocol negotiation: MariaDB Handshake Protocol

Low priority features

These features will unlikely ever be supported.

• Database and/or directory interface for retrieving PSK secrets.
• Service-level logging destination.
• Logging to NT EventLog on Windows.
• Internationalization of logged messages (i18n).
• Generic scripting engine instead or static protocol.c.

Rejected features

Features I will not support, unless convinced otherwise by a wealthy sponsor.

• Support for adding X-Forwarded-For to HTTP request headers. This feature is less useful since PROXY protocol support is available.
• Support for adding X-Forwarded-For to SMTP email headers. This feature is most likely to be implemented as a separate proxy.
• Additional certificate checks (including wildcard comparison) based on:
  • O (Organization), and
  • OU (Organizational Unit).
• Set processes title that appear on the ps(1) and top(1) commands. I could not find a portable and non-copyleft library for it.