- stunnel-announce - stunnel.org

stunnel 5.09 released
by Michal Trojnara 02 Jan '15

02 Jan '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.09 of stunnel. The ChangeLog entry: Version 5.09, 2015.01.02, urgency: LOW: * New features - Added PSK authentication with two new service-level configuration file options "PSKsecrets" and "PSKidentity". - Added additional security checks to the OpenSSL memory management functions. - Added support for the OPENSSL_NO_OCSP and OPENSSL_NO_ENGINE OpenSSL configuration flags. - Added compatibility with the current OpenSSL 1.1.0-dev tree. * Bugfixes - Removed defective s_poll_error() code occasionally causing connections to be prematurely closed (truncated). This bug was introduced in stunnel 4.34. - Fixed ./configure systemd detection (thx to Kip Walraven). - Fixed ./configure sysroot detection (thx to Kip Walraven). - Fixed compilation against old versions of OpenSSL. - Removed outdated French manual page. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 87b34a74061861d1edd2ab238c73eb989b3d0a17e44574b7b6ead1a16aae38c8 stunnel-5.09.tar.gz 4abbddf3c1dbedf54b14fa5a18ead11e4df6387f13189b665c2ec5759c4afd30 stunnel-5.09-installer.exe 23c33dc46cc1bfb1df77c88d3c48901822bc113dd1e67d138bcf5fb1bb3d4197 stunnel-5.09-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlSmt98ACgkQ/NU+nXTHMtGZowCfTspj4OZn8DRBUboG2S+1Qy2A ocoAoLdZpjJU7BjERXqQakhNIPOXFojN =/MD9 -----END PGP SIGNATURE-----

1 0

Stunnel PSK authentication
by Michal Trojnara 11 Dec '14

11 Dec '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, Starting with stunnel-5.09b1 it is now possible to use stunnel without certificates. https://www.stunnel.org/downloads.html Example server configuration is: [PSK server] accept = <stunnel_port> connect = <dst_port> PSKsecrets = psk.txt , where the psk.txt may contain the following lines: test1:oaP4EishaeSaishei6rio6xeeph3az test2:yah5uS4aijooxilier8iaphuwah1Lo Example client configuration: [PSK client 1] client = yes accept = 127.0.0.1:<src_port> connect = <stunnel_ip>:<stunnel_port> PSKsecrets = psk1.txt PSKidentity = test1 The psk1.txt file only needs to contain: test1:oaP4EishaeSaishei6rio6xeeph3az Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlSKHNMACgkQ/NU+nXTHMtE72wCg/EZp4NdVnkrQFffGVWZO65lE QucAn3ddp+yTDruP+gNkevf///0olb1+ =o0k3 -----END PGP SIGNATURE-----

1 0

stunnel 5.08 released
by Michal Trojnara 09 Dec '14

09 Dec '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.08 of stunnel. The ChangeLog entry: Version 5.08, 2014.12.09, urgency: MEDIUM: * New features - Added SOCKS4/SOCKS4a protocol support. - Added SOCKS5 protocol support. - Added SOCKS RESOLVE [F0] TOR extension support. - Updated automake to version 1.14.1. - OpenSSL directory searching is now relative to the sysroot. * Bugfixes - Fixed improper hangup condition handling. - Fixed missing -pic linker option. This is required for Android 5.0 and improves security. To setup SOCKS4 VPN configure the following client service: [socks_client] client = yes accept = 127.0.0.1:1080 connect = vpn_server:9080 verify = 4 CAfile = stunnel.pem The corresponding configuration on the vpn_server host: [socks_server] protocol = socks accept = 9080 cert = stunnel.pem key = stunnel.key SOCKS-enabled clients (e.g. web browsers) can now use stunnel client for a VPN service. Encrypted DNS resolver is supported with SOCKS4a, SOCKS5, and SOCKS RESOLVE [F0] TOR extension. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 830b21d24cd237e96f4d7993be43553d4eba4d3cfa2660faa78dec8d41d314fc stunnel-5.08.tar.gz 84c06c8a3f8b6bbb5c1a2b6e352c70bdad1c87f1d5a37476e5dee02f2d65065c stunnel-5.08-installer.exe 28750afe9e5fec4b60b98468ea834cd126e149e8d97074b813b216723a889802 stunnel-5.08-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlSGzsMACgkQ/NU+nXTHMtHQlwCgwsX66e0EU5PMxsfMCdC5sfVt Fy4AnRXe65YLabb7K1XOn6tKncEH0smR =WP5h -----END PGP SIGNATURE-----

1 0

socks4 support
by Michal Trojnara 15 Nov '14

15 Nov '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, Please take a look at the latest stunnel-5.08b4 available for download on https://www.stunnel.org/downloads.html It adds support for SOCKS4 and SOCKS4a protocols. The SOCKS protocol itself is encapsulated within SSL/TLS encryption layer to protect the final destination address. http://www.openssh.com/txt/socks4.protocol http://www.openssh.com/txt/socks4a.protocol The BIND command of the SOCKS protocol is not supported. The USERID parameter is ignored. To setup SOCKS4 VPN configure the following client service: [socks_client] client = yes accept = 127.0.0.1:1080 connect = vpn_server:9080 verify = 4 CAfile = stunnel.pem The corresponding configuration on the vpn_server host: [socks_server] protocol = socks accept = 9080 cert = stunnel.pem key = stunnel.key Now test your configuration on the client machine with: curl --socks4a localhost http://www.example.com/ Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRmVXgACgkQ/NU+nXTHMtHuZwCfXlH0YYTHYhThoXPrCgV4OhrE BwsAoLgIpVWDOdBbISzrP53m2H9LUR6W =9DEh -----END PGP SIGNATURE-----

1 1

stunnel 5.07 released
by Michal Trojnara 01 Nov '14

01 Nov '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.07 of stunnel. The ChangeLog entry: Version 5.07, 2014.11.01, urgency: MEDIUM: * New features - Several SMTP server protocol negotiation improvements. - Added UTF-8 byte order marks to stunnel.conf templates. - DH parameters are no longer generated by "make cert". The hardcoded DH parameters are sufficiently secure, and modern TLS implementations will use ECDH anyway. - Updated manual for the "options" configuration file option. - Added support for systemd 209 or later. - New --disable-systemd ./configure option. - setuid/setgid commented out in stunnel.conf-sample. * Bugfixes - Added support for UTF-8 byte order mark in stunnel.conf. - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3. - Non-blocking mode set on inetd and systemd descriptors. - shfolder.h replaced with shlobj.h for compatibility with modern Microsoft compilers. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 505c6c63c4a20fc0cce8c35ef1ab7626c7b01071e3fca4ac6ea417afe8065309 stunnel-5.07.tar.gz 0e8d41a8102437d2c04a347bfe38ad80408fd2eb1451c559dcc7932ff2d09bd9 stunnel-5.07-installer.exe d3ced258ad35bea656ec178644d83e7d0b9fe8a2e4b2d6511e5c898ac9e6c7fc stunnel-5.07-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRU61wACgkQ/NU+nXTHMtEwLwCdEprl4s5aleq7+MzK9JmYcnQ+ q+gAniP9aOtMuQtML9zcRPK0LY6Yb/3H =IVK/ -----END PGP SIGNATURE-----

1 0

stunnel 5.06 released
by Michal Trojnara 15 Oct '14

15 Oct '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.06 of stunnel. This is a security bugfix release. Update is recommended. The ChangeLog entry: Version 5.06, 2014.10.15, urgency: HIGH: * Security bugfixes - OpenSSL DLLs updated to version 1.0.1j. https://www.openssl.org/news/secadv_20141015.txt - The insecure SSLv2 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv2". - The insecure SSLv3 protocol is now disabled by default. It can be enabled with "options = -NO_SSLv3". - Default sslVersion changed to "all" (also in FIPS mode) to autonegotiate the highest supported TLS version. * New features - Added missing SSL options to match OpenSSL 1.0.1j. - New "-options" commandline option to display the list of supported SSL options. * Bugfixes - Fixed FORK threading build regression bug. - Fixed missing periodic Win32 GUI log updates. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 098c2b6db0793ea4fa5b6767ce6ef1853e9f6cc2f32133024be55f6a460b1a40 stunnel-5.06.tar.gz 55afb3013406da1afcc1ab7ccc25bb1c66605ca3e004636a6b49cac555cb4d09 stunnel-5.06-installer.exe a1741eb8bb050d3d29515ddef46a0a6828372a991f2658995dee1e06af8c05c8 stunnel-5.06-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlQ+4v4ACgkQ/NU+nXTHMtFwNwCgvZyndOwkAQqmsWnuL7DcRAPq lSIAnig726aVMrFzFAoQzKXxxmWo/Qo9 =ok3p -----END PGP SIGNATURE-----

1 0

stunnel 5.05 released
by Michal Trojnara 10 Oct '14

10 Oct '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.05 of stunnel. The ChangeLog entry: Version 5.05, 2014.10.10, urgency: MEDIUM: * New features - Asynchronous communication with the GUI thread for faster logging on Win32. - systemd socket activation (thx to Mark Theunissen). - The parameter of "options" can now be prefixed with "-" to clear an SSL option, for example: "options = -LEGACY_SERVER_CONNECT". - Improved "transparent = destination" manual page (thx to Vadim Penzin). * Bugfixes - Fixed POLLIN|POLLHUP condition handling error resulting in prematurely closed (truncated) connection. - Fixed a null pointer dereference regression bug in the "transparent = destination" functionality (thx to Vadim Penzin). This bug was introduced in stunnel 5.00. - Fixed startup thread synchronization with Win32 GUI. - Fixed erroneously closed stdin/stdout/stderr if specified as the -fd commandline option parameter. - A number of minor Win32 GUI bugfixes and improvements. - Merged most of the Windows CE patches (thx to Pierre Delaage). - Fixed incorrect CreateService() error message on Win32. - Implemented a workaround for defective Cygwin file descriptor passing breaking the libwrap support: http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: c7e1653345150db7e48d00e1129cf571c7c85de8e7e1aa70b21cf1d76b1e31ef stunnel-5.05.tar.gz 19f8b78aecc26c291d90e4fa72807bdb75063a7641fd64f224222b526cfa83aa stunnel-5.05-installer.exe 65129c4c1a73dc04a0f66571a9bda2860d70376cdcc2c1d83fd575dcb0adc7a5 stunnel-5.05-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlQ3ofIACgkQ/NU+nXTHMtHnmQCg8sncLzw4bfiuw3ziL7HGFEdJ luwAoKTF4C3jbUihpz8ODEPvtGbK24Cs =Z+GJ -----END PGP SIGNATURE-----

1 0

stunnel 5.04 released
by Michal Trojnara 21 Sep '14

21 Sep '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear Users, I have released version 5.04 of stunnel. The ChangeLog entry: Version 5.04, 2014.09.21, urgency: LOW: * New features - Support for local mode ("exec" option) on Win32. - Support for UTF-8 config file and log file. - Win32 UTF-16 build (thx to Pierre Delaage for support). - Support for Unicode file names on Win32. - A more explicit service description provided for the Windows SCM (thx to Pierre Delaage). - TCP/IP dependency added for NT service in order to prevent initialization failure at boot time. - FIPS canister updated to version 2.0.8 in the Win32 binary build. * Bugfixes - load_icon_default() modified to return copies of default icons instead of the original resources to prevent the resources from being destroyed. - Partially merged Windows CE patches (thx to Pierre Delaage). - Fixed typos in stunnel.init.in and vc.mak. - Fixed incorrect memory allocation statistics update in str_realloc(). - Missing REMOTE_PORT environmental variable is provided to processes spawned with "exec" on Unix platforms. - Taskbar icon is no longer disabled for NT service. - Fixed taskbar icon initialization when commandline options are specified. - Reportedly more compatible values used for the dwDesiredAccess parameter of the CreateFile() function (thx to Pierre Delaage). - A number of minor Win32 GUI bugfixes and improvements. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: ee9702e073cb8d5940a1310ae171a38d3264f1ce3b087160728bbbcf5710cec1 stunnel-5.04.tar.gz 045145b4e6ef66d29774b558837bd693a0dbab9f7295586da9e5f0de4c5a7481 stunnel-5.04-installer.exe d1bc5c00278f31c64ad4a601d9e398b21284777f9079e91b8cbaef1e8e91f538 stunnel-5.04-android.zip Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlQfAqsACgkQ/NU+nXTHMtH1cACeLEi7tFSEoxYJCfZROeaTLD4J +8sAoKK+l/6Bjl2sLwPRTcmw/Vj4+PYy =F0H9 -----END PGP SIGNATURE-----

1 0

stunnel beta (5.04b2) is available for testing
by Michal Trojnara 19 Sep '14

19 Sep '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Guys, Please feel free to try the second beta version: https://www.stunnel.org/downloads/beta/stunnel-5.04b2.tar.gz https://www.stunnel.org/downloads/beta/stunnel-5.04b2-installer.exe I have finished implementing Win32 UNICODE support. The following planned features depend on UNICODE support: - Non-ASCII path names (this is already partially implemented) - UTF8 stunnel.conf - Windows CE GUI stunnel 5.04b2 also fixes missing taskbar icon when stunnel is executed with commandline switches (for example "stunnel -help"). Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlQcnAcACgkQ/NU+nXTHMtHOnQCeJFPogmAyhDFQ+CoLT17nhd1I CSIAni1tOnInyScnXwB/d876RF0o9YYt =PJ+o -----END PGP SIGNATURE-----

1 0

Re: [stunnel-announce] [stunnel-users] stunnel beta (5.04b1) is available for testing
by Michal Trojnara 16 Sep '14

16 Sep '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 josealf(a)rocketmail.com wrote: > Are you sure the stunnel-5.04b1.tar.gz file includes all changed > files since 5.03 release? Argh. I indeed copied the wrong file. My mistake. Thank you for reporting it. I corrected the stunnel-5.04b1.tar.gz file. Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlQYoD4ACgkQ/NU+nXTHMtHv6ACfcqL//tSfU3I5JsJeMUchIBun A1wAoIHQuGy5+pVx0apCSHsH9VKqeVZk =AgTb -----END PGP SIGNATURE-----

1 0