* New features sponsored by MAXIMUS http://www.maximus.com/
- New 'options' configuration option to setup
OpenSSL library hacks with SSL_CTX_set_options().
- 'service' option also changes the name for
TCP Wrappers access control in inetd mode.
- SSL is negotiated before connecting remote host
or spawning local process whenever possible.
- REMOTE_HOST variable is always placed in the
enrivonment of a process spawned with 'exec'.
- Whole SSL error stack is dumped on errors.
- Manual page updated (special thanks to Brian Hatch).
- New user interface (config file).
- Single daemon can listen on multiple ports, now.
- Delayed DNS lookup added.
* Other new features
- All the timeouts are now configurable including
TIMEOUTclose that can be set to 0 for MSIE and other
buggy clients that do not send close_notify.
- Stunnel process can be chrooted in a specified directory.
- Numerical values for setuid() and setgid() are allowed, now.
- Confusing code for setting certificate defaults introduced in
version 3.8p3 was removed to simplify stunnel setup.
There are no built-in defaults for CApath and CAfile options.
- Private key file for a certificate can be kept in a separate
file. Default remains to keep it in the cert file.
- Manual page updated.
- Format string bug fixed in protocol.c
smtp, pop3 and nntp in client mode were affected.
(stunnel clients could be attacked by malicious servers)
- Certificate chain can be supplied with -p option or in stunnel.pem.
- Problem with -r and -l options used together fixed.
- memmove() instead of memcpy() is used to move data in buffers.
- More detailed information about negotiated ciphers is printed.
- New ./configure options: "--enable-no-rsa" and "--enable-dh".
Changelog for version 3.21c, 2001.11.11, urgency: LOW:
* autoconf scripts upgraded to version 2.52.
* Problem with pthread_sigmask on Darwin fixed (I hope).
* Some documentation typos corrected.
* Attempt to ignore EINTR in transfer().
* Shared library version reported on startup.
* DLLs for OpenSSL 0.9.6b.
* Problem with errno and posix threads fixed.
* It is assumed that system has getopt() if it has getopt.h header file.
* SSL_CLIENT_DN and SSL_CLIENT_I_DN environment variables set in local mode
(-l) process. This feature doesn't work if
client mode (-c) or protocol negotiation (-n) is used.
* Winsock error descriptions hardcoded (English version only).
* SetConsoleCtrlHandler() used to handle CTRL+C, logoff and shutdown on Win32.
* Stunnel always requests peer certificate with -v 0.
* sysconf()/getrlimit() used to calculate number of clients allowed.
* SSL mode changed for OpenSSL >= 0.9.6.
* close-on-exec option used to avoid socket inheriting.
* Buffer size increased from 8KB to 16KB.
* fdscanf()/fdprintf() changes:
- non-blocking socket support,
- timeout after 1 minute of inactivity.
* auth_user() redesigned to force 1 minute timeout.
* Some source arrangement towards 4.x architecture.
* No need for "goto" any more.
* New Makefile "test" rule. It performs basic test of
standalone/inetd, remote/local and server/client mode.
* pop3 server mode support added.
Changelog for version 3.20, 2001.08.15, urgency: LOW:
* setsockopt() optlen set according to the optval for Solaris.
* Minor NetBSD compatibility fixes by Martti Kuparinen.
* Minor MSVC6 compatibility fixes by Patrick Mayweg.
* SSL close_notify timeout reduced to 10 seconds of inactivity.
* Socket close instead of reset on close_notify timeout.
* Some source arrangement and minor bugfixes.
Based on PR pkg/13679 by Martti Kuparinen.
Changelog for version 3.19, 2001.08.10, urgency: MEDIUM:
* Critical section added around non MT-safe TCP Wrappers code.
* Problem with "select: Interrupted system call" error fixed.
* errno replaced with get_last_socket_error() for Win32.
* Some FreeBSD/NetBSD patches to ./configure from Martti Kuparinen.
* Local mode process pid logged.
* Default FQDN (localhost) removed from stunnel.cnf
* ./configure changed to recognize POSIX threads library on OSF.
* New -O option to set socket options.
Changes:
* Some transfer() bugfixes/improvements.
* STDIN/STDOUT are no logner assumed to be non-socket decriptors.
* Problem with --with-tcp-wrappers patch fixed.
* pop3 and nntp support bug fixed by Martin Germann.
* -o option to append log messages to a file added.
* Changed error message for SSL error 0.
Provided by Martti Kuparinen in PR 13537.
Based on a pkg provided by Martti Kuparinen in PR 13484.
Changes include:
* Serious bug resulting in random transfer() hangs fixed.
* Separate file descriptors are used for inetd mode.
* -f (foreground) logs are now stamped with time.
* New ./configure option: --with-tcp-wrappers by Brian Hatch.
* pop3 protocol client support (-n pop3) by Martin Germann.
* nntp protocol client support (-n nntp) by Martin Germann.
* RFC 2487 (smtp STARTTLS) client mode support.
* Transparency support for Tru64 added.
* Some #includes for AIX added.
first component is now a package name+version/pattern, no more
executable/patchname/whatnot.
While there, introduce BUILD_USES_MSGFMT as shorthand to pull in
devel/gettext unless /usr/bin/msgfmt exists (i.e. on post-1.5 -current).
Patch by Alistair Crooks <agc@netbsd.org>
Hint from Martti Kuparinen in PR pkg/12046.
Changes:
* pthread_sigmask() argument in sthreads.c corrected.
* OOB data is now handled correctly.
* Attempted to fix problem with zombies in local mode.
* Patch for 64-bit machines by Nalin Dahyabhai <nalin@redhat.com> applied.
* Tiny bugfix for OSF cc by Dobrica Pavlinusic <dpavlin@rot13.org> added.
* PORTS file updated.
default certificate directory is now /etc/openssl/certs (matches OpenSSL's
default), but if stunnel uses the pkgsrc OpenSSL, then the default is
${PREFIX}/certs.
Changes from version 3.8 include:
* Updated temporary key generation:
- stunnel is now honoring requested key-lengths correctly,
- temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.
* use daemon() function instead of daemonize, if available
* added -S flag, allowing you to choose which default verify
sources to use
* relocated service name output logging until after log_open.
(no longer outputs log info to inetd socket, causing bad SSL)
* -V flag now outputs the default values used by stunnel
* Added rigerous PRNG seeding
* PID changes (and related security-fix)
* Man page fixes
* Client SSL Session-IDs now used
* -N flag to specify tcpwrapper service name
* UPGRADE NOTE: this version seriously changes several previous stunnel
default behaviours. There are no longer any default cert file/dirs
compilied into stunnel, you must use the --with-cert-dir and
--with-cert-file configure arguments to set these manually, if desired.
Stunnel does not use the underlying ssl library defaults by default
unless configured with --enable-ssllib-cs. Note that these can always
be enabled at run time with the -A,-a, and -S flags.
Additionally, unless --with-pem-dir is specified at compile time,
stunnel will default to looking for stunnel.pem in the current directory.
