- stunnel-announce - stunnel.org

stunnel 4.42 released
by Michal Trojnara 18 Aug '11

18 Aug '11

Dear Users, I have released version 4.42 of stunnel. This is a security bugfix release. Upgrade is highly recommended! The ChangeLog entry: Version 4.42, 2011.08.18, urgency: HIGH: * New features - New verify level 0 to request and ignore peer certificate. This feature is useful with the new Windows GUI menu to save cached peer certificate chains, as SSL client certificates are not sent by default. - Manual page has been updated. - Removed support for changing Windows Service name with "service" option. * Bugfixes - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may possibly be leveraged to perform DoS or remote code execution attacks. - The -quiet commandline option was applied to *all* message boxes. - Silent install (/S option) no longer attempts to create stunnel.pem. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.42.tar.gz: d33c407bfc4f58070e818081bd082c38f91cab7691ccbb794da63143c535de3b Best regards, Mike

1 0

stunnel 4.41 released
by Michal Trojnara 25 Jul '11

25 Jul '11

Dear Users, I have released version 4.41 of stunnel. This is a bugfix release. I highly recommend Windows users to upgrade. The ChangeLog entry: Version 4.41, 2011.07.25, urgency: MEDIUM: * Bugfixes - Fixed Windows service crash of stunnel 4.40. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.41.tar.gz: 08e0e7df42bfb8b8551eb6c4b5b50eae6051aaf75077101d729e67c7a3a00c72 Best regards, Mike

1 0

stunnel 4.40 released
by Michal Trojnara 23 Jul '11

23 Jul '11

Dear Users, I have released version 4.40 of stunnel. The ChangeLog entry: Version 4.40, 2011.07.23, urgency: LOW: * New Win32 features - Added a GUI menu to save cached peer certificate chains. - Added "-exit" option to stop stunnel *not* running as a service. This option may be useful for scripts. - Added file version information to stunnel.exe. - A number of other GUI improvements. * Other new features - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters are not provided in stunnel.pem. - Default "ciphers" value updated to prefer ECDH: "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH". - Default ECDH curve updated to "prime256v1". - Removed support for temporary RSA keys (used in obsolete export ciphers). Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.40.tar.gz: 91f32c7654dde0e1cf37ed0d8517e0d0b5985cd30443a9d64cd33d232b5fe9ce Best regards, Mike

1 0

stunnel 4.40b1
by Michal Trojnara 17 Jul '11

17 Jul '11

Dear Users, I have just added a new Windows GUI menu to save peer certificate chains. Please to give it a try and let me know if there are any issues, so I can fix them in the final stunnel 4.40: ftp://ftp.stunnel.org/stunnel/stunnel-4.40b1-installer.exe Another useful function would probably be a replacement for Unix c_rehash script. 8-) I also appreciate your comments are suggestions related to the new functionality. Best regards, Mike

1 0

stunnel 4.39 released
by Michal Trojnara 06 Jul '11

06 Jul '11

Dear Users, I have just released version 4.39 of stunnel. This version includes major improvements of the Windows GUI and installer. The ChangeLog entry: Version 4.39, 2011.07.06, urgency: LOW: * New features - New Win32 installer module to build self-signed stunnel.pem. - Added configuration file editing with Windows GUI. - Added log file reopening file editing with Windows GUI. It might be useful to also implement log file rotation. - Improved configuration file reload with Windows GUI. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.39.tar.gz: 972e4c150e3012ba8777f149c858e1e290aeb7ad7976e1551ac1752bc04fb0ed Best regards, Mike

1 0

stunnel 4.38 released
by Michal Trojnara 28 Jun '11

28 Jun '11

Dear Users, I have just released version 4.38 of stunnel. The ChangeLog entry: Version 4.38, 2011.06.28, urgency: MEDIUM: * New features - Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option "nsi". - "socket" option also accepts "yes" and "no" for flags. - Nagle's algorithm is now disabled by default for improved interactivity. * Bugfixes - A compilation fix was added for OpenSSL version < 1.0.0. - Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.38.tar.gz: aa49012195fde4dc3e4bed2bb25283cb40a6e0ad8295a47e730652f611e2268c Best regards, Mike

1 0

stunnel 4.37 released
by Michal Trojnara 17 Jun '11

17 Jun '11

Dear Users, I have just released version 4.37 of stunnel. This release is mainly intended to fix bugs and portability issues introduced in versions 4.35 and 4.36. This version also provides new security defaults, updated to better match current best practices in cryptographic applications. The ChangeLog entry: Version 4.37, 2011.06.17, urgency: MEDIUM: * New features - Client-side SNI implemented (RFC 3546 section 3.1). - Default "ciphers" changed from the OpenSSL default to a more secure and faster "RC4-MD5:HIGH:!aNULL:!SSLv2". A paranoid (and usually slower) setting would be "HIGH:!aNULL:! SSLv2". - Recommended "options = NO_SSLv2" added to the sample stunnel.conf file. - Default client method upgraded from SSLv3 to TLSv1. To connect servers without TLS support use "sslVersion = SSLv3" option. - Improved --enable-fips and --disable-fips ./configure option handling. - On startup stunnel now compares the compiled version of OpenSSL against the running version of OpenSSL. A warning is logged on mismatch. * Bugfixes - Non-blocking socket handling in local mode fixed (Debian bug #626856). - UCONTEXT threading mode fixed. - Removed the use of gcc Thread-Local Storage for improved portability. - va_copy macro defined for platforms that do not have it. - Fixed "local" option parsing on IPv4 systems. - Solaris compilation fix (redefinition of "STR"). Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.37.tar.gz: 02ca30609ccb26f6e52ff7eb79a6778ea452a04432eaef7d959d19933f6fe109 Best regards, Mike

1 0

stunnel 4.36 released
by Michal Trojnara 02 May '11

02 May '11

Dear Users, Version 4.36 of stunnel was released. The ChangeLog entry: Version 4.36, 2011.05.03, urgency: LOW: * New features - Updated Win32 DLLs for OpenSSL 1.0.0d. - Dynamic memory management for strings manipulation: no more static STRLEN limit, lower stack footprint. - Strict public key comparison added for "verify = 3" certificate checking mode (thx to Philipp Hartwig). - Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved behavior on heavy load. - Example tools/stunnel.service file added for systemd service manager. * Bugfixes - Missing pthread_attr_destroy() added to fix memory leak (thx to Paul Allex and Peter Pentchev). - Fixed the incorrect way of setting FD_CLOEXEC flag. - Fixed --enable-libwrap option of ./configure script. - /opt/local added to OpenSSL search path for MacPorts compatibility. - Workaround implemented for signal handling on MacOS X. - A trivial bug fixed in the stunnel.init script. - Retry implemented on EAI_AGAIN error returned by resolver calls. Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.36.tar.gz: 3483fc2011e8a9d2614a93a9dbf7eabf405044df3566f29144fe2d1dd37a35f5 Best regards, Mike

1 0

stunnel 4.35 released
by Michal Trojnara 05 Feb '11

05 Feb '11

Dear Users, I'm pleased to announce long-awaited version 4.35 of stunnel. The ChangeLog entry: * New features - Updated Win32 DLLs for OpenSSL 1.0.0c. - Transparent source (non-local bind) added for FreeBSD 8.x. - Transparent destination ("transparent = destination") added for Linux. * Bugfixes - Fixed reload of FIPS-enabled stunnel. - Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc. - Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler. - CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments. - Directory lib64 included in the OpenSSL library search path. - Windows CE compilation fixes (thx to Pierre Delaage). - Deprecated RSA_generate_key() replaced with RSA_generate_key_ex(). * Domain name changes (courtesy of Bri Hatch) - http://stunnel.mirt.net/ --> http://www.stunnel.org/ - ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/ - stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel - stunnel-users(a)mirt.net --> stunnel-users(a)stunnel.org - stunnel-announce(a)mirt.net --> stunnel-announce(a)stunnel.org Home page: http://www.stunnel.org/ Download: ftp://ftp.stunnel.org/stunnel/ SHA-256 hash for stunnel-4.35.tar.gz: a810e220498239483e14fae24eeb2a188a6167e9118958b903f8793768c4460f Best regards, Mike

1 0

What legal issues come up if I use GPL-incompatible libraries with GPL software?
by Michal Trojnara 17 Jan '11

17 Jan '11

Dear Users, I just noticed some people declare GPL license on stunnel patches. Since stunnel uses GPL license *with OpenSSL exception* (OpenSSL license is not GPL-compatible), it cannot be distributed if it is linked against any GPL code (patches, libraries) without this exception. It is still legal to distribute stunnel with patches that use GPL license with OpenSSL exception. Such patches constitute forks of stunnel and will *never* be accepted to my source tree. Third party patches rarely meet my quality criteria, but I occasionally accept patches released as public domain or having their copyright ownership transferred to me. Also see: http://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs https://secure.wikimedia.org/wikipedia/en/wiki/Fork_%28software_development… Mike

1 0