stunnel: TODO

stunnel TODO

High priority features. They will likely be supported some day. A sponsor could allocate my time to get them faster.

  • Add an Apparmor profile.
  • Optional line-buffering of the log file.
  • Log rotation on Windows.
  • Configuration file option to limit the number of concurrent connections.
  • "include" configuration file option to include all configuration file parts located in the specified directory (e.g. /etc/stunnel/conf.d/).
  • Implement reference counting of the SERVICE_OPTIONS structure
    • Add 'leastconn' failover strategy to order defined 'connect' targets by the number of active connections.
    • Add '-status' command line option reporting the number of clients connected to each service.
    • Deallocate SERVICE_OPTIONS structure when the configuration file is reloaded *and* old connections are closed.
  • Command-line server control interface on both Unix and Windows.
  • Separate GUI process running as current user on Windows.
  • An Android GUI.
  • Indirect CRL support (RFC 3280, section 5).
  • Provide 64-bit Windows builds (besides 32-bit builds). This requires either Microsoft Visual Studio Standard Edition or Microsoft Visual Studio Professional Edition in order to retain FIPS compliance.
  • MSI installer for Windows.
  • Database and/or directory interface for retrieving PSK secrets.
  • Extend the sessiond protocol to also store the "redirect" state.

Low priority features. They will unlikely ever be supported.

  • Support static FIPS-enabled build.
  • Service-level logging destination.
  • Enforce key renegotiation (re-handshake) for long connections.
  • Logging to NT EventLog on Windows.
  • Internationalization of logged messages (i18n).
  • Generic scripting engine instead or static protocol.c.

Features I won't support, unless convinced otherwise by a wealthy sponsor.

  • Support for adding X-Forwarded-For to HTTP request headers. This feature is less useful since PROXY protocol support is available.
  • Support for adding X-Forwarded-For to SMTP email headers. This feature is most likely to be implemented as a separate proxy.
  • Additional certificate checks (including wildcard comparison) based on:
    • CN (Common Name);
    • SAN (Subject Alternative Name);
    • O (Organization), and
    • OU (Organizational Unit).
  • Set processes title that appear on the ps(1) and top(1) commands. I could not find a portable *and* non-copyleft library for it.

View Michal Trojnara's profile on LinkedIn

OpenSSL

Valid HTML 4.01 Transitional