* libwrap related fixes, better debugging messages, MS Visual C++ support
Changes 4.25:
* delay libwrap process spawning after dropping privs, other improvements
only suggest pthread option when native pthread exists.
We cannot use pthread.buildlink3.mk to just detect if suituable pthread
implementation exist or not.
Avoid unwanted dependency on pthread package when no native pthread and
pthread option off.
* Move inclusion of seculity/tcp_wappers/buildlink3.mk to rightful place in
options.mk.
Avoid unwanted dependency on tcp_wrappers when libwrap option off.
* Remove deprecated(?) --with-tcp-wrappers from CONFIGURE_ARGS.
* Remove --enable-libwrap from CONFIGURE_ARGS even if require tcp_wrappers.
It affect not only check of existence of tcp_wappers but also blow off
needful addition of -lwrap to LIBS.
Fixes PR 39635
4.24: fix security problem (properly reject revoked certs)
4.23: WinNT bugfix
4.22:
- A new global option to control logging to syslog.
Simultaneous logging to a file and the syslog is now possible.
- A new service level option to control stack size.
- Restored chroot() to be executed after decoding numerical
userid and groupid values in drop_privileges().
- A few bugs fixed the in the new libwrap support code.
- TLSv1 method used by default in FIPS mode instead of
SSLv3 client and SSLv23 server methods.
4.21:
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
- Experimental fast support for non-MT-safe libwrap is provided
with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin
in order to meet FHS and LSB requirements.
- Added code to disallow compiling stunnel with pthreads when
OpenSSL is compiled without threads support.
- Minor manual update.
- TODO file updated.
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl,
additional checking for libnsl was added to the ./configure script.
- Sending a list of trusted CAs for the client to choose the right
certificate restored.
- Some compatibility issues with NTLM authentication fixed.
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
- The new transfer() function has been well tested.
I recommend upgrading any previous version with this one.
* Bugfixes
- Fixed support for encrypted passphases (broken in 4.19).
- Reduced amount of debug logs.
- A minor man page update.
Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
* Release notes
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
- NTLM support to be enabled with the new service-level option:
protocolAuthentication = NTLM
- imap protocol negotiation support added.
- Passphrase cache was added so the user does not need to reenter
the same passphrase for each defined service any more.
- New service-level option to retry connect+exec section:
retry = yes|no
- Local IP and port is logged for each established connection.
- Win32 DLLs for OpenSSL 0.9.8d.
* Bugfixes
- Serious problem with SSL_WANT_* retries fixed.
The new code requires extensive testing!
Version 4.18, 2006.09.26, urgency: MEDIUM:
* Bugfixes
- GPF on entering private key pass phrase on Win32 fixed.
- Updated OpenSSL Win32 DLLs.
- Minor configure script update.
Version 4.17, 2006.09.10, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8c.
* Bugfixes
- Problem with detecting getaddrinfo() in ./configure fixed.
- Compilation problem due to misplaced #endif in ssl.c fixed.
- Duplicate 220 in smtp_server() function in protocol.c fixed.
- Minor os2.mak update.
- Minor update of safestring()/safename() macros.
Version 4.16, 2006.08.31, urgency: MEDIUM:
* New features sponsored by Hewlett-Packard
- A new global option to control engine:
engineCtrl = <command>[:<parameter>]
- A new service-level option to select engine to read private key:
engineNum = <engine number>
- OCSP support:
ocsp = <URL>
* New features
- A new option to select version of SSL protocol:
sslVersion = all|SSLv2|SSLv3|TLSv1
- Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
- OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
- An ordinary user can install stunnel again.
- Compilation problem with --enable-dh fixed.
- Some minor compilation warnings fixed.
- Service-level CRL cert store implemented.
- GPF on protocol negotiations fixed.
- Problem detecting addrinfo() on Tru64 fixed.
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- RFC 2487 autdoetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad
Muquit).
* Other changes
- Maximum number of services increased from 64 to 256 when poll() is used.
(PKG_SYSCONFDIR already includes "stunnel" by default, so avoid the
package adding another and making $PREFIX/etc/stunnel/stunnel/stunnel.conf;
the pidfile does not normally belong under $PREFIX as $PREFIX/var/run is
not normally cleaned/checked by OS-supplied processes.)
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
Version 4.07, 2005.01.03, urgency: MEDIUM:
* Bugfixes
- Problem with infinite poll() timeout negative, but not equal to -1 fixed.
- Problem with a file descriptor ready to be read just after a non-blocking
connect call fixed.
- Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed.
- IP address and TCP port textual representation length (IPLEN) increased
to 128 bytes.
- OpenSSL engine support is only used if engine.h header file exists.
Version 4.06, 2004.12.26, urgency: LOW:
* New feature sponsored by SURFnet http://www.surfnet.nl/
- IPv6 support (to be enabled with ./configure --enable-ipv6).
* New features
- poll() support - no more FD_SETSIZE limit!
- Multiple connect=host:port options are allowed in a single service
section. Remote hosts are connected using round-robin algorithm.
This feature is not compatible with delayed resolver.
- New 'compression' option to enable compression. To use zlib
algorithm you have to enable it when building OpenSSL library.
- New 'engine' option to select a hardware engine.
- New 'TIMEOUTconnect' option with 10 seconds default added.
- stunnel3 perl script to emulate version 3.x command line options.
- French manual updated by Bernard Choppy <choppy AT free POINT fr>.
- A watchdog to detect transfer() infinite loops added.
- Configuration file comment character changed from '#' to ';'.
'#' will still be recognized to keep compatibility.
- MT-safe getaddrinfo() and getnameinfo() are used where available
to get better performance on resolver calls.
- Automake upgraded from 1.4-p4 to 1.7.9.
* Bugfixes
- log() changed to s_log() to avoid conflicts on some systems.
- Common CRIT_INET critical section introduced instead of separate
CRIT_NTOA and CRIT_RESOLVER to avoid potential problems with
libwrap (TCP Wrappers) library.
- CreateThread() finally replaced with _beginthread() on Win32.
- make install creates $(localstatedir)/stunnel.
$(localstatedir)/stunnel/dev/zero is also created on Solaris.
- Race condition with client session cache fixed.
- Other minor bugfixes.
* Release notes
- Default is *not* to use IPv6 '::' for accept and '::1' for
connect. For example to accept pop3s on IPv6 you could use:
'accept = :::995'. I hope the new syntax is clear enough.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Support for CIFS aka SMB protocol SSL negotiation.
* New features
- CRL support with new CApath and CAfile global options.
- New 'taskbar' option on WIN32 (thx to Ken Mattsen
<ken.Mattsen@roxio.com>).
- New -fd command line parameter to read configuration
from a specified file descriptor instead of a file.
- accept is reported as error with [section] defined (in
stunnel 4.04 it was silently ignored causing problems
for lusers that did not read the fine manual).
- Use fcntl() instead of ioctlsocket() to set socket
nonblocking when it is supported.
- Basic support for hardware engines with OpenSSL >= 0.9.7.
- French manual by Bernard Choppy <choppy@imaginet.fr>.
- Thread stack size reduced to 64KB for maximum scalability.
- Added optional code to debug thread stack usage.
- Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
- TCP wrappers code moved to CRIT_NTOA critical section
since it uses static inet_ntoa() result buffer.
- SSL_ERROR_SYSCALL handling problems fixed.
- added code to retry nonblocking SSL_shutdown() calls.
- Use FD_SETSIZE instead of 16 file descriptors in inetd
mode.
- fdscanf groks lowercase protocol negotiation commands.
- WIN32 taskbar GDI objects leak fixed.
- Libwrap detection bug in ./configure script fixed.
- grp.h header detection fixed for NetBSD and possibly
other systems.
- Some other minor updates.
* New features sponsored by MAXIMUS http://www.maximus.com/
- New 'options' configuration option to setup
OpenSSL library hacks with SSL_CTX_set_options().
- 'service' option also changes the name for
TCP Wrappers access control in inetd mode.
- SSL is negotiated before connecting remote host
or spawning local process whenever possible.
- REMOTE_HOST variable is always placed in the
enrivonment of a process spawned with 'exec'.
- Whole SSL error stack is dumped on errors.
- Manual page updated (special thanks to Brian Hatch).
- New user interface (config file).
- Single daemon can listen on multiple ports, now.
- Delayed DNS lookup added.
* Other new features
- All the timeouts are now configurable including
TIMEOUTclose that can be set to 0 for MSIE and other
buggy clients that do not send close_notify.
- Stunnel process can be chrooted in a specified directory.
- Numerical values for setuid() and setgid() are allowed, now.
- Confusing code for setting certificate defaults introduced in
version 3.8p3 was removed to simplify stunnel setup.
There are no built-in defaults for CApath and CAfile options.
- Private key file for a certificate can be kept in a separate
file. Default remains to keep it in the cert file.
- Manual page updated.
- Format string bug fixed in protocol.c
smtp, pop3 and nntp in client mode were affected.
(stunnel clients could be attacked by malicious servers)
- Certificate chain can be supplied with -p option or in stunnel.pem.
- Problem with -r and -l options used together fixed.
- memmove() instead of memcpy() is used to move data in buffers.
- More detailed information about negotiated ciphers is printed.
- New ./configure options: "--enable-no-rsa" and "--enable-dh".
Changelog for version 3.21c, 2001.11.11, urgency: LOW:
* autoconf scripts upgraded to version 2.52.
* Problem with pthread_sigmask on Darwin fixed (I hope).
* Some documentation typos corrected.
* Attempt to ignore EINTR in transfer().
* Shared library version reported on startup.
* DLLs for OpenSSL 0.9.6b.
* Problem with errno and posix threads fixed.
* It is assumed that system has getopt() if it has getopt.h header file.
* SSL_CLIENT_DN and SSL_CLIENT_I_DN environment variables set in local mode
(-l) process. This feature doesn't work if
client mode (-c) or protocol negotiation (-n) is used.
* Winsock error descriptions hardcoded (English version only).
* SetConsoleCtrlHandler() used to handle CTRL+C, logoff and shutdown on Win32.
* Stunnel always requests peer certificate with -v 0.
* sysconf()/getrlimit() used to calculate number of clients allowed.
* SSL mode changed for OpenSSL >= 0.9.6.
* close-on-exec option used to avoid socket inheriting.
* Buffer size increased from 8KB to 16KB.
* fdscanf()/fdprintf() changes:
- non-blocking socket support,
- timeout after 1 minute of inactivity.
* auth_user() redesigned to force 1 minute timeout.
* Some source arrangement towards 4.x architecture.
* No need for "goto" any more.
* New Makefile "test" rule. It performs basic test of
standalone/inetd, remote/local and server/client mode.
* pop3 server mode support added.
