October 2025 - stunnel-users

+=item B<requireCert> = yes | no ignored when client = yes
by u34＠net9.cf 13 Nov '25

13 Nov '25

In my opinion, the following emphasis worth including: --- stunnel.pod.in.orig 2025-10-07 19:50:30.097392645 +0000 +++ stunnel.pod.in.new 2025-10-07 20:25:54.448391940 +0000 @@ -1065,6 +1065,8 @@ =item B<requireCert> = yes | no +Ignored when client = yes. + require a client certificate for I<verifyChain> or I<verifyPeer> With I<requireCert> set to I<no>, the B<stunnel> server accepts client

2 1

Should remote host IPs recorded at lower debug levels too?
by u34＠net9.cf 21 Oct '25

21 Oct '25

Does recording the IPs of the remote host depends on other configuration directives, other then the debug directive? Is it correct that at LOG5, IPs of the remote host are recorded at the log file? Is it correct that at LOG3, no IPs are recorded even when other information for a particular connection is considered worth recording? Aren't IPs considered important information worth recording when error conditions are recorded?

1 0

stunnel 5.76 released
by Michał Trojnara 18 Oct '25

18 Oct '25

Dear Users, I have released version 5.76 of stunnel. ### Version 5.76, 2025.10.18, urgency: MEDIUM * Security bugfixes - OpenSSL DLLs updated to version 3.5.4. - Service-level multivalued options now override (rather than append to) global defaults, preventing unintended configurations. * Bugfixes - Fixed enabling/disabling of the default fips=yes property. - Missing OCSP stapling is no longer logged as an error. - Fixed a crash when a PIN was required due to the PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute. * Features - Quantum-resistant hybrid key agreement X25519+ML-KEM-768 (X25519MLKEM768) used by default with OpenSSL 3.5+ and TLS 1.3. - Multiple cert sources are supported, allowing a certificate to be fetched from a provider while loading the chain from a file. - Android build switched to a 16 KB page size. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: cda37eb4d0fb1e129718ed27ad77b5735e899394ce040bb2be28bbb937fd79e1 stunnel-5.76.tar.gz d93c7c01366d38ebd27689d606e45197ba8e2e2a32d1a186a81d2b01186bfb56 stunnel-5.76-win64-installer.exe f081281c92f6dc245e23d57930f3963d0155a9fc4a707b7414c941e8e60a1957 stunnel-5.76-android.zip Best regards, Mike

1 0

LOG3[per-minute]: OCSP: SSL_get_certificate
by u34＠net9.cf 15 Oct '25

15 Oct '25

With stunnel version 5.74 and debug = 3 foreground = yes setgid = abcde setuid = abcde output = /path/to/log/file [service] PSKsecrets = /path/to/secretfile accept = ip1:port1 connect = ip2:port1 debug = 3 setgid = abcde setuid = abcde This configuration looks to me similar to the [shell] option from the configuration examples. There is a 1 per minute LOG3[per-minute]: OCSP: SSL_get_certificate line at the log file. Does it a bug? This wasn't discussed 3 weeks ago at [How to get rid of "No OCSP stapling response received" warning?](https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-users@st…, was it?

1 0

Client mode certificate pinning
by Ian Pilcher 11 Oct '25

11 Oct '25

Is $SUBJECT possible? I use stunnel to connect to my old "smart" switches that don't support modern TLS protocols, ciphers, etc. Recently, their existing certificates all expired, and I tried to install new certificates on all of them, only to discover that they won't accept my new CA certificate, because it was signed with a 3072-bit key. I could go through the trouble of generating a separate CA certificate with a 2048-bit key, sign new certificates with that key, etc., etc., but it starts to seem a bit silly at that point. Far better to simply generate a self-signed certificate for each switch and configure stunnel to only accept that particular certificate (i.e. "pin" it). Is this possible with stunnel? If so, how would I go about configuring it to do this? (Search engines are telling me to use "verify = 4", but stunnel(8) says that option is obsolete.) TIA! -- ======================================================================== If your user interface is intuitive in retrospect ... it isn't intuitive ========================================================================

2 1