Here's an update to stunnel; the following diff brings it to 5.42.
Index: Makefile =================================================================== RCS file: /cvs/ports/security/stunnel/Makefile,v retrieving revision 1.87 diff -u -p -r1.87 Makefile --- Makefile 9 Jan 2017 15:40:30 -0000 1.87 +++ Makefile 8 Sep 2017 19:30:49 -0000 @@ -2,7 +2,7 @@ COMMENT= SSL encryption wrapper for standard network daemons -DISTNAME= stunnel-5.39 +DISTNAME= stunnel-5.42 CATEGORIES= security MAINTAINER= Gleydson Soares <gsoa...@openbsd.org> Index: distinfo =================================================================== RCS file: /cvs/ports/security/stunnel/distinfo,v retrieving revision 1.43 diff -u -p -r1.43 distinfo --- distinfo 9 Jan 2017 15:40:30 -0000 1.43 +++ distinfo 8 Sep 2017 19:30:49 -0000 @@ -1,2 +1,2 @@ -SHA256 (stunnel-5.39.tar.gz) = KIwIelBGU5DQVQgGisdshBiiH65ydf68xj8EHsWwTe4= -SIZE (stunnel-5.39.tar.gz) = 647101 +SHA256 (stunnel-5.42.tar.gz) = G2p66lyiI5kLyL1iH7CEa6pCeOGz4A/27uJ5y45UD6s= +SIZE (stunnel-5.42.tar.gz) = 649496 Index: patches/patch-Makefile_in =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-Makefile_in,v retrieving revision 1.13 diff -u -p -r1.13 patch-Makefile_in --- patches/patch-Makefile_in 4 Dec 2015 01:38:56 -0000 1.13 +++ patches/patch-Makefile_in 8 Sep 2017 19:30:49 -0000 
@@ -1,7 +1,8 @@ $OpenBSD: patch-Makefile_in,v 1.13 2015/12/04 01:38:56 gsoares Exp $ ---- Makefile.in.orig Mon Nov 30 13:00:41 2015 -+++ Makefile.in Thu Dec 3 19:26:54 2015 -@@ -357,7 +357,7 @@ top_build_prefix = @top_build_prefix@ +Index: Makefile.in +--- Makefile.in.orig ++++ Makefile.in +@@ -352,7 +352,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ ACLOCAL_AMFLAGS = -I m4 Index: patches/patch-src_ctx_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_ctx_c,v retrieving revision 1.4 diff -u -p -r1.4 patch-src_ctx_c --- patches/patch-src_ctx_c 9 Nov 2016 23:14:31 -0000 1.4 +++ patches/patch-src_ctx_c 8 Sep 2017 19:30:49 -0000 @@ -1,7 +1,17 @@ $OpenBSD: patch-src_ctx_c,v 1.4 2016/11/09 23:14:31 gsoares Exp $ ---- src/ctx.c.orig Tue Jun 21 12:06:14 2016 -+++ src/ctx.c Thu Nov 3 23:13:15 2016 -@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { +Index: src/ctx.c +--- src/ctx.c.orig ++++ src/ctx.c +@@ -295,7 +295,7 @@ NOEXPORT int matches_wildcard(char *servername, char * + + #ifndef OPENSSL_NO_DH + +-#if OPENSSL_VERSION_NUMBER<0x10100000L ++#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + NOEXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) { + return ctx->cipher_list; + } +@@ -398,7 +398,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *section) { /**************************************** initialize OpenSSL CONF */ NOEXPORT int conf_init(SERVICE_OPTIONS *section) { Index: patches/patch-src_options_c =================================================================== RCS file: patches/patch-src_options_c diff -N patches/patch-src_options_c --- patches/patch-src_options_c 9 Jan 2017 15:40:30 -0000 1.8 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
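Review bot: The guard added to the src/ctx.c patch, `#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`, selects the local `SSL_CTX_get_ciphers()` that returns `ctx->cipher_list` for every LibreSSL release, with no upper bound. That works only while LibreSSL keeps `SSL_CTX` non-opaque and does not export its own `SSL_CTX_get_ciphers`; once either changes, the port would likely fail to build, or would keep reading a private struct field instead of using the library accessor. I would bound the condition, e.g. `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <first release exporting SSL_CTX_get_ciphers>)`, and add a comment such as `/* LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L but lacks this 1.1.0 accessor */`. The enclosing `#ifndef OPENSSL_NO_DH` block continues outside the hunk.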
@@ -1,25 +0,0 @@
-$OpenBSD: patch-src_options_c,v 1.8 2017/01/09 15:40:30 gsoares Exp $
-
-use SSLv23_client_method() required to build with libressl since that it haven't
-TLS_client_method() for now.
-
---- src/options.c.orig Sun Jan 1 19:29:01 2017
-+++ src/options.c Mon Jan 9 10:53:59 2017
-@@ -2630,7 +2630,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
- /* sslVersion */
- switch(cmd) {
- case CMD_BEGIN:
--#if OPENSSL_VERSION_NUMBER>=0x10100000L
-+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- section->client_method=(SSL_METHOD *)TLS_client_method();
- section->server_method=(SSL_METHOD *)TLS_server_method();
- #else
-@@ -2642,7 +2642,7 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_O
- if(strcasecmp(opt, "sslVersion"))
- break;
- if(!strcasecmp(arg, "all")) {
--#if OPENSSL_VERSION_NUMBER>=0x10100000L
-+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- section->client_method=(SSL_METHOD *)TLS_client_method();
- section->server_method=(SSL_METHOD *)TLS_server_method();
- #else
Index: patches/patch-src_prototypes_h
===================================================================
RCS file: patches/patch-src_prototypes_h
diff -N patches/patch-src_prototypes_h
--- patches/patch-src_prototypes_h 9 Jan 2017 15:40:30 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,19 +0,0 @@ -$OpenBSD: patch-src_prototypes_h,v 1.3 2017/01/09 15:40:30 gsoares Exp $ ---- src/prototypes.h.orig Fri Dec 16 06:29:28 2016 -+++ src/prototypes.h Mon Jan 9 10:53:59 2017 -@@ -664,13 +664,13 @@ typedef enum { - #endif /* OPENSSL_NO_DH */ - STUNNEL_LOCKS /* number of locks */ - } LOCK_TYPE; --#if OPENSSL_VERSION_NUMBER < 0x10100004L -+#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER) - typedef int STUNNEL_RWLOCK; - #else - typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK; - #endif - extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; --#if OPENSSL_VERSION_NUMBER>=0x10100004L -+#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) - #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type) - #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type) - #else Index: patches/patch-src_ssl_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_ssl_c,v retrieving revision 1.5 diff -u -p -r1.5 patch-src_ssl_c --- patches/patch-src_ssl_c 9 Jan 2017 15:40:30 -0000 1.5 +++ patches/patch-src_ssl_c 8 Sep 2017 19:30:49 -0000 @@ -1,8 +1,9 @@ $OpenBSD: patch-src_ssl_c,v 1.5 2017/01/09 15:40:30 gsoares Exp $ ---- src/ssl.c.orig Mon Jan 9 10:52:07 2017 -+++ src/ssl.c Mon Jan 9 10:52:47 2017 -@@ -50,7 +50,7 @@ NOEXPORT int add_rand_file(GLOBAL_OPTIONS *, const cha - int index_cli, index_opt, index_redirect, index_addr; +Index: src/ssl.c +--- src/ssl.c.orig ++++ src/ssl.c +@@ -51,7 +51,7 @@ int index_ssl_cli, index_ssl_ctx_opt; + int index_session_authenticated, index_session_connect_address; int ssl_init(void) { /* init TLS before parsing configuration file */ -#if OPENSSL_VERSION_NUMBER>=0x10100000L 
@@ -10,7 +11,7 @@ $OpenBSD: patch-src_ssl_c,v 1.5 2017/01/ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); #else -@@ -83,7 +83,7 @@ int ssl_init(void) { /* init TLS before parsing config +@@ -86,7 +86,7 @@ int ssl_init(void) { /* init TLS before parsing config } #ifndef OPENSSL_NO_DH Index: patches/patch-src_sthreads_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_sthreads_c,v retrieving revision 1.2 diff -u -p -r1.2 patch-src_sthreads_c --- patches/patch-src_sthreads_c 10 Nov 2016 10:10:50 -0000 1.2 +++ patches/patch-src_sthreads_c 8 Sep 2017 19:30:49 -0000 @@ -1,9 +1,10 @@ $OpenBSD: patch-src_sthreads_c,v 1.2 2016/11/10 10:10:50 gsoares Exp $ ---- src/sthreads.c.orig Sat Oct 29 05:25:37 2016 -+++ src/sthreads.c Wed Nov 9 20:22:39 2016 -@@ -47,7 +47,7 @@ - STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS]; - #endif +Index: src/sthreads.c +--- src/sthreads.c.orig ++++ src/sthreads.c +@@ -216,7 +216,7 @@ void stunnel_rwlock_destroy_debug(struct CRYPTO_dynloc + + struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS]; -#if OPENSSL_VERSION_NUMBER<0x10100004L +#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) Index: patches/patch-src_verify_c =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-src_verify_c,v retrieving revision 1.5 diff -u -p -r1.5 patch-src_verify_c --- patches/patch-src_verify_c 10 Nov 2016 10:10:50 -0000 1.5 +++ patches/patch-src_verify_c 8 Sep 2017 19:30:49 -0000 
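Review bot: The src/sthreads.c patch still forces the pre-1.1.0 locking branch on LibreSSL (`#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)`), while this same update deletes patch-src_prototypes_h, which applied the matching condition to the `STUNNEL_RWLOCK` typedef and the `CRYPTO_THREAD_*_unlock` macros. The regenerated context now shows `struct CRYPTO_dynlock_value stunnel_locks[STUNNEL_LOCKS];`, so upstream has probably reworked the declarations, but that is not visible in this diff. Please confirm that prototypes.h in 5.42 no longer keys the lock declarations on `OPENSSL_VERSION_NUMBER` alone; if it still does, LibreSSL would get 1.1.0-style declarations paired with the legacy implementation. A one-line rationale in the patch header, like the one patch-src_options_c carried, would make the remaining guard easier to audit at the next update.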
@@ -1,10 +1,11 @@ $OpenBSD: patch-src_verify_c,v 1.5 2016/11/10 10:10:50 gsoares Exp $ ---- src/verify.c.orig Wed Jul 6 13:18:17 2016 -+++ src/verify.c Thu Nov 10 07:00:09 2016 -@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback +Index: src/verify.c +--- src/verify.c.orig ++++ src/verify.c +@@ -353,7 +353,7 @@ NOEXPORT int cert_check_local(X509_STORE_CTX *callback + cert=X509_STORE_CTX_get_current_cert(callback_ctx); subject=X509_get_subject_name(cert); - #if OPENSSL_VERSION_NUMBER>=0x10000000L -#if OPENSSL_VERSION_NUMBER<0x10100006L +#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER) #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs Index: patches/patch-tools_stunnel_conf-sample_in =================================================================== RCS file: /cvs/ports/security/stunnel/patches/patch-tools_stunnel_conf-sample_in,v retrieving revision 1.15 diff -u -p -r1.15 patch-tools_stunnel_conf-sample_in --- patches/patch-tools_stunnel_conf-sample_in 9 Nov 2016 23:14:31 -0000 1.15 +++ patches/patch-tools_stunnel_conf-sample_in 8 Sep 2017 19:30:49 -0000 @@ -1,6 +1,7 @@ $OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.15 2016/11/09 23:14:31 gsoares Exp $ ---- tools/stunnel.conf-sample.in.orig Tue Jul 5 18:27:57 2016 -+++ tools/stunnel.conf-sample.in Thu Nov 3 23:16:09 2016 +Index: tools/stunnel.conf-sample.in +--- tools/stunnel.conf-sample.in.orig ++++ tools/stunnel.conf-sample.in @@ -7,17 +7,18 @@ ; * Global options * ; ************************************************************************** @@ -24,7 +25,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes -@@ -37,7 +38,7 @@ +@@ -46,7 +47,7 @@ ; * Include all configuration file fragments from the specified folder * ; ************************************************************************** 
@@ -33,7 +34,7 @@ $OpenBSD: patch-tools_stunnel_conf-sampl ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * -@@ -50,72 +51,72 @@ +@@ -59,32 +60,32 @@ ; a hardcoded path of the stunnel package, as it is not related to the ; stunnel configuration in @sysconfdir@/stunnel/. @@ -87,6 +88,10 @@ $OpenBSD: patch-tools_stunnel_conf-sampl +;CApath = ${SYSCONFDIR}/ssl/certs +;checkHost = smtp.gmail.com +;OCSPaia = yes + + ; Encrypted HTTP proxy authenticated with a client certificate + ; located in a cryptographic token +@@ -98,43 +99,43 @@ OCSPaia = yes ; ***************************************** Example TLS server mode services