| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
### Version 5.56, 2019.11.22, urgency: HIGH
* New features
- Various text files converted to Markdown format.
* Bugfixes
- Support for realpath(3) implementations incompatible
with POSIX.1-2008, such as 4.4BSD or Solaris.
- Support for engines without PRNG seeding methods (thx to
Petr Mikhalitsyn).
- Retry unsuccessful port binding on configuration
file reload.
- Thread safety fixes in SSL_SESSION object handling.
- Terminate clients on exit in the FORK threading model.
|
|
Version 5.32, 2016.05.03, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2h.
https://www.openssl.org/news/secadv_20160503.txt
* New features
- New "socket = a:IPV6_V6ONLY=yes" option to only bind IPv6.
- Memory leak detection.
- Improved compatibility with the current OpenSSL 1.1.0-dev tree.
- Added/fixed Red Hat scripts (thx to Andrew Colin Kissa).
* Bugfixes
- Workaround for a WinCE sockets quirk (thx to Richard Kraemer).
- Fixed data alignment on 64-bit MSVC (thx to Yuris W. Auzins).
|
|
distfile was signed with:
pub 4096R/DD3AAAA3 2015-02-06
Key fingerprint = AC91 5EA3 0645 D9D3 D4DA E4FE B104 8932 DD3A AAA3
uid [ unknown] MichaĆ Trojnara <Michal.Trojnara@stunnel.org>
|
|
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
|
Version 4.39, 2011.07.06, urgency: LOW:
New features
New Win32 installer module to build self-signed stunnel.pem.
Added configuration file editing with Windows GUI.
Added log file reopening file editing with Windows GUI. It might be useful to also implement log file rotation.
Improved configuration file reload with Windows GUI.
Version 4.38, 2011.06.28, urgency: MEDIUM:
New features
Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option "nsi".
"socket" option also accepts "yes" and "no" for flags.
Nagle's algorithm is now disabled by default for improved interactivity.
Bugfixes
A compilation fix was added for OpenSSL version < 1.0.0.
Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected.
Version 4.37, 2011.06.17, urgency: MEDIUM:
New features
Client-side SNI implemented (RFC 3546 section 3.1).
Default "ciphers" changed from the OpenSSL default to a more secure and faster "RC4-MD5:HIGH:!aNULL:!SSLv2". A paranoid (and usually slower) setting would be "HIGH:!aNULL:!SSLv2".
Recommended "options = NO_SSLv2" added to the sample stunnel.conf file.
Default client method upgraded from SSLv3 to TLSv1. To connect servers without TLS support use "sslVersion = SSLv3" option.
Improved --enable-fips and --disable-fips ./configure option handling.
On startup stunnel now compares the compiled version of OpenSSL against the running version of OpenSSL. A warning is logged on mismatch.
Bugfixes
Non-blocking socket handling in local mode fixed (Debian bug #626856).
UCONTEXT threading mode fixed.
Removed the use of gcc Thread-Local Storage for improved portability.
va_copy macro defined for platforms that do not have it.
Fixed "local" option parsing on IPv4 systems.
Solaris compilation fix (redefinition of "STR").
Version 4.36, 2011.05.03, urgency: LOW:
New features
Updated Win32 DLLs for OpenSSL 1.0.0d.
Dynamic memory management for strings manipulation: no more static STRLEN limit, lower stack footprint.
Strict public key comparison added for "verify = 3" certificate checking mode (thx to Philipp Hartwig).
Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved behavior on heavy load.
Example tools/stunnel.service file added for systemd service manager.
Bugfixes
Missing pthread_attr_destroy() added to fix memory leak (thx to Paul Allex and Peter Pentchev).
Fixed the incorrect way of setting FD_CLOEXEC flag.
Fixed --enable-libwrap option of ./configure script.
/opt/local added to OpenSSL search path for MacPorts compatibility.
Workaround implemented for signal handling on MacOS X.
A trivial bug fixed in the stunnel.init script.
Retry implemented on EAI_AGAIN error returned by resolver calls.
Version 4.35, 2011.02.05, urgency: LOW:
New features
Updated Win32 DLLs for OpenSSL 1.0.0c.
Transparent source (non-local bind) added for FreeBSD 8.x.
Transparent destination ("transparent = destination") added for Linux.
Bugfixes
Fixed reload of FIPS-enabled stunnel.
Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc.
Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments: http://udrepper.livejournal.com/20407.html
Directory lib64 included in the OpenSSL library search path.
Windows CE compilation fixes (thx to Pierre Delaage).
Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
Domain name changes (courtesy of Bri Hatch)
http://stunnel.mirt.net/ --> http://www.stunnel.org/
ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
stunnel-users@mirt.net --> stunnel-users@stunnel.org
stunnel-announce@mirt.net --> stunnel-announce@stunnel.org
Version 4.34, 2010.09.19, urgency: LOW:
New features
Updated Win32 DLLs for OpenSSL 1.0.0a.
Updated Win32 DLLs for zlib 1.2.5.
Updated automake to version 1.11.1
Updated libtool to version 2.2.6b
Added ECC support with a new service-level "curve" option.
DH support is now enabled by default.
Added support for OpenSSL builds with some algorithms disabled.
./configure modified to support cross-compilation.
Sample stunnel.init updated based on Debian init script.
Bugfixes
Implemented fixes in user interface to enter engine PIN.
Fixed a transfer() loop issue on socket errors.
Fixed missing WIN32 taskbar icon while displaying a global option error.
|
|
|
|
4.24: fix security problem (properly reject revoked certs)
4.23: WinNT bugfix
4.22:
- A new global option to control logging to syslog.
Simultaneous logging to a file and the syslog is now possible.
- A new service level option to control stack size.
- Restored chroot() to be executed after decoding numerical
userid and groupid values in drop_privileges().
- A few bugs fixed the in the new libwrap support code.
- TLSv1 method used by default in FIPS mode instead of
SSLv3 client and SSLv23 server methods.
4.21:
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
- Experimental fast support for non-MT-safe libwrap is provided
with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin
in order to meet FHS and LSB requirements.
- Added code to disallow compiling stunnel with pthreads when
OpenSSL is compiled without threads support.
- Minor manual update.
- TODO file updated.
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl,
additional checking for libnsl was added to the ./configure script.
- Sending a list of trusted CAs for the client to choose the right
certificate restored.
- Some compatibility issues with NTLM authentication fixed.
|
|
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
- The new transfer() function has been well tested.
I recommend upgrading any previous version with this one.
* Bugfixes
- Fixed support for encrypted passphases (broken in 4.19).
- Reduced amount of debug logs.
- A minor man page update.
Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
* Release notes
- There are a lot of new features in this version. I recommend
to test it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
- NTLM support to be enabled with the new service-level option:
protocolAuthentication = NTLM
- imap protocol negotiation support added.
- Passphrase cache was added so the user does not need to reenter
the same passphrase for each defined service any more.
- New service-level option to retry connect+exec section:
retry = yes|no
- Local IP and port is logged for each established connection.
- Win32 DLLs for OpenSSL 0.9.8d.
* Bugfixes
- Serious problem with SSL_WANT_* retries fixed.
The new code requires extensive testing!
Version 4.18, 2006.09.26, urgency: MEDIUM:
* Bugfixes
- GPF on entering private key pass phrase on Win32 fixed.
- Updated OpenSSL Win32 DLLs.
- Minor configure script update.
Version 4.17, 2006.09.10, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8c.
* Bugfixes
- Problem with detecting getaddrinfo() in ./configure fixed.
- Compilation problem due to misplaced #endif in ssl.c fixed.
- Duplicate 220 in smtp_server() function in protocol.c fixed.
- Minor os2.mak update.
- Minor update of safestring()/safename() macros.
Version 4.16, 2006.08.31, urgency: MEDIUM:
* New features sponsored by Hewlett-Packard
- A new global option to control engine:
engineCtrl = <command>[:<parameter>]
- A new service-level option to select engine to read private key:
engineNum = <engine number>
- OCSP support:
ocsp = <URL>
* New features
- A new option to select version of SSL protocol:
sslVersion = all|SSLv2|SSLv3|TLSv1
- Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
- OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
- An ordinary user can install stunnel again.
- Compilation problem with --enable-dh fixed.
- Some minor compilation warnings fixed.
- Service-level CRL cert store implemented.
- GPF on protocol negotiations fixed.
- Problem detecting addrinfo() on Tru64 fixed.
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library funcions.
- RFC 2487 autdoetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad
Muquit).
* Other changes
- Maximum number of services increased from 64 to 256 when poll() is used.
|
|
Patch provided by Shaun Amott via PR 34436, take maintainership.
And define USE_LIBTOOL, regen patch with mkpatches.
|
|
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
|
|
* An "stunnel3" perl script is installed. REPLACE_PERL and add to PLIST.
* Regenerate patches to lose fuzz.
* Format DESCR.
* Bump PKGREVISION.
|
|
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
|
|
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Support for CIFS aka SMB protocol SSL negotiation.
* New features
- CRL support with new CApath and CAfile global options.
- New 'taskbar' option on WIN32 (thx to Ken Mattsen
<ken.Mattsen@roxio.com>).
- New -fd command line parameter to read configuration
from a specified file descriptor instead of a file.
- accept is reported as error with [section] defined (in
stunnel 4.04 it was silently ignored causing problems
for lusers that did not read the fine manual).
- Use fcntl() instead of ioctlsocket() to set socket
nonblocking when it is supported.
- Basic support for hardware engines with OpenSSL >= 0.9.7.
- French manual by Bernard Choppy <choppy@imaginet.fr>.
- Thread stack size reduced to 64KB for maximum scalability.
- Added optional code to debug thread stack usage.
- Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
- TCP wrappers code moved to CRIT_NTOA critical section
since it uses static inet_ntoa() result buffer.
- SSL_ERROR_SYSCALL handling problems fixed.
- added code to retry nonblocking SSL_shutdown() calls.
- Use FD_SETSIZE instead of 16 file descriptors in inetd
mode.
- fdscanf groks lowercase protocol negotiation commands.
- WIN32 taskbar GDI objects leak fixed.
- Libwrap detection bug in ./configure script fixed.
- grp.h header detection fixed for NetBSD and possibly
other systems.
- Some other minor updates.
|
|
Bump PKGREVISION to 1.
|
|
* New features sponsored by MAXIMUS http://www.maximus.com/
- New 'options' configuration option to setup
OpenSSL library hacks with SSL_CTX_set_options().
- 'service' option also changes the name for
TCP Wrappers access control in inetd mode.
- SSL is negotiated before connecting remote host
or spawning local process whenever possible.
- REMOTE_HOST variable is always placed in the
enrivonment of a process spawned with 'exec'.
- Whole SSL error stack is dumped on errors.
- Manual page updated (special thanks to Brian Hatch).
- New user interface (config file).
- Single daemon can listen on multiple ports, now.
- Delayed DNS lookup added.
* Other new features
- All the timeouts are now configurable including
TIMEOUTclose that can be set to 0 for MSIE and other
buggy clients that do not send close_notify.
- Stunnel process can be chrooted in a specified directory.
- Numerical values for setuid() and setgid() are allowed, now.
- Confusing code for setting certificate defaults introduced in
version 3.8p3 was removed to simplify stunnel setup.
There are no built-in defaults for CApath and CAfile options.
- Private key file for a certificate can be kept in a separate
file. Default remains to keep it in the cert file.
- Manual page updated.
|
|
|
