Stunnel v5.56 releases: encrypt arbitrary TCP connections inside SSL

Stunnel

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs’ code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.

Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are compiled into the library. It can benefit from the FIPS 140-2 validation of the OpenSSL FIPS Object Module, as long as the building process meets its Security Policy. A scanned FIPS 140-2 Validation Certificate document is available for download on the NIST web page. The Windows binary installer is compiled with FIPS 140-2 support. The FIPS mode of operation is no longer enabled by default since stunnel 5.00.

Feature

Portability (Threading Models)

  • PTHREAD (Posix)
  • FORK (traditional Unix)
  • UCONTEXT (userlevel)
  • WIN32

Performance and Scalability

  • Load balancing backend servers with round-robin and priority strategies
  • External session cache (for clusters)
  • Compression (for limited bandwidth)

Support for OpenSSL Security Features

  • Access control with TLS-PSK (pre-shared key) and certificates
  • CRL and OCSP certificate revocation
  • SNI (Server Name Indication) support for name-based virtual servers
  • PFS (Perfect Forward Secrecy) with DH and ECDH key agreement
  • FIPS mode (for compliance)
  • OpenSSL engines, including CAPI (Microsoft CryptoAPI)

Other Cross-platform Features

  • Remote (socket) and local (inetd-style) mode
  • Redirection of TLS client connections on authentication failures
  • IPv6 support
  • Application-level protocol support for:
    • cifs
    • connect
    • imap
    • nntp
    • pgsql
    • pop3
    • proxy
    • smtp
    • socks versions 4, 4a, and 5
  • Delayed resolver (for dial-up connections and dynamic remote IP)
  • Graceful configuration file reloading
  • Graceful log file reopening
  • UTF-8 configuration and log files
  • Ident access control

Unix Features

  • Unix socket support
  • Socket activation with systemd
  • Transparent proxy on selected platforms
  • Optional pseudo-terminal allocation for the local mode
  • Logging to syslog
  • chroot (additional security)
  • setuid/setgid (additional security)
  • Libwrap (TCP Wrappers) access control
  • EGD (Entropy Gathering Daemon) client

Windows Features

  • GUI
  • Saving cached peer certificate chains to files
  • Windows service mode

Changelog v5.56

  • New features
    • Various text files converted to Markdown format.
  • Bugfixes
    • Support for realpath(3) implementations incompatible with POSIX.1-2008, such as 4.4BSD or Solaris.
    • Support for engines without PRNG seeding methods (thx to Petr Mikhalitsyn).
    • Retry unsuccessful port binding on configuration file reload.
    • Thread safety fixes in SSL_SESSION object handling.
    • Terminate clients on exit in the FORK threading model.

Download

Tutorial

Copyright (C) 1998-2018 Michal Trojnara