[stunnel-users] Three patches: DNS CommonName verification support, separated stderr/foreground options, and support for minimal ssl libs

Tristan Schmelcher tristan_schmelcher at alumni.uwaterloo.ca
Mon May 31 23:50:29 CEST 2010


Hello,

Recently I started using stunnel in an embedded Linux product and I
had need to add several features that I think other users would
benefit from. I have attached them as separate patches against 4.33. I
hereby release them into the public domain.

Here is a description of each:

stunnel-4.33-handle-minimal-ssl-libs.patch:

Add support for building against a libssl/libcrypto that has had
various non-essential features removed via the "no-<feature>"
Configure options for openssl. This requires disabling non-essential
Stunnel features at compile-time if they have dependencies on disabled
libssl/libcrypto features.

For memory-constrained embedded systems, this is a big win. With this
patch I was able to cut the memory footprint of stunnel+openssl by
about a third simply by disabling openssl features that I didn't need.

stunnel-4.33-separate-stderr-option.patch:

This splits the stderr logging effect of the "foreground" option into
a separate option named "stderr", so that users have the freedom to
enable foreground without stderr logging, or vice versa. For backwards
compatibility though, specifying foreground = yes implies stderr = yes
unless followed in the config by stderr = no.

This is useful on embedded Linux systems that lack an implementation
of fork() (due to the processor not having an MMU), because on such
systems every daemon has to be launched in a foreground mode and
pre-daemonized with the simpler vfork() function, e.g. using "&" from
a shell. In this mode, logging to stderr does not make sense, because
in reality the process is still a daemon so the logging clutters the
terminal.

stunnel-4.33-dns-commonname-verify-support.patch:

I saved the best for last. ;) This adds a "verify_dns" option to check
the CommonName in peer certificates against their DNS name when
verifying, much as web browsers do.

I have seen posts from users asking for this feature in the past, so I
think its value is self-evident.


I'd also like to take this opportunity to say that I'm a long-time
user of Stunnel on my personal Linux desktop machine and it is a
really excellent piece of software. Thank you for making it free and
open source.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.33-handle-minimal-ssl-libs.patch
Type: text/x-patch
Size: 6031 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100531/2ce33897/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.33-separate-stderr-option.patch
Type: text/x-patch
Size: 4746 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100531/2ce33897/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-4.33-dns-commonname-verify-support.patch
Type: text/x-patch
Size: 6009 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100531/2ce33897/attachment-0002.bin>
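The CommonName-against-DNS-name decision that a "verify_dns"-style check has to make, as an added Python example that is neither stunnel's code nor the attached patch: the matching rules assumed are those of RFC 6125 as browsers apply them, including ignoring the CommonName when the certificate carries subjectAltName dNSName entries, and allowing a wildcard only as the complete leftmost label.

```python
"""Peer name check of the kind a "verify_dns" option performs.

Added example, not stunnel code. Decides whether the DNS name a client
connected to is covered by the names in the peer certificate. The
certificate names are passed in as already-extracted strings; how they
are pulled out of the X.509 structure is not modelled here.
"""
import ipaddress
from typing import List, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (e.g. '*.example.com') against a host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Browser rule: the wildcard must be the whole leftmost label, must not
    # be the sole label above a public suffix ('*.com'), and never spans a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(hostname: str, common_name: Optional[str],
                      san_dns_names: List[str]) -> bool:
    """True if `hostname` is covered by the certificate's names.

    If any dNSName SAN is present the CommonName is ignored (RFC 6125);
    only a certificate with no dNSName SANs falls back to the CommonName.
    """
    try:
        ipaddress.ip_address(hostname)
        # An IP literal is only valid against iPAddress SANs, which this
        # function does not model, so neither CN nor dNSName may match it.
        return False
    except ValueError:
        pass
    candidates = san_dns_names if san_dns_names else (
        [common_name] if common_name else [])
    return any(_name_matches(name, hostname) for name in candidates)


if __name__ == "__main__":
    # Constructed sample: wildcard cert presented for a two-label-deep host.
    print(peer_name_matches("mail.example.com", "*.example.com", []))    # True
    print(peer_name_matches("a.b.example.com", "*.example.com", []))     # False
```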