stunnel 5.54 released
Dear Users,

I have released version 5.54 of stunnel.

Version 5.54, 2019.05.15, urgency: LOW
* New features
  - New "ticketKeySecret" and "ticketMacSecret" options to control
    confidentiality and integrity protection of the issued session
    tickets. These options allow for session resumption on other
    nodes in a cluster.
  - Added logging the list of active connections on SIGUSR2 or with
    Windows GUI.
  - Logging of the assigned bind address instead of the requested
    bind address.
* Bugfixes
  - Service threads are terminated before OpenSSL cleanup to prevent
    occasional stunnel crashes at shutdown.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
5e8588a6c274b46b1d63e1b50f0725f4908dec736f6588eb48d1eb3d20c87902  stunnel-5.54.tar.gz
ed8424731f7d6e0c9b11f4c7b597a072e558dae7979102d0b213759678079481  stunnel-5.54-win64-installer.exe
7659f605065e5155577a99abe1129dbc89523796196c8bf50d3fa9265ec34d93  stunnel-5.54-android.zip

Best regards,
Mike

stunnel 5.53 released
Dear Users,

I have released version 5.53 of stunnel.

Version 5.53, 2019.04.10, urgency: HIGH
* Bugfixes
  - Fixed data transfer stalls introduced in stunnel 5.51.
* New features
  - Android binary updated to support Android 4.x.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
80439896ee14269eb70bc8bc669433c7d619018a62c9f9c5c760a24515302585  stunnel-5.53.tar.gz
4f2d24d08f547943b8a499d411425409a52973a349c9120c650ba77d3f29ef79  stunnel-5.53-win64-installer.exe
e619880f4fc25a7a4869cace9f6e6f3f5940cfdb764ed9987d892d9e9b0ea35d  stunnel-5.53-android.zip

Best regards,
Mike

stunnel 5.52 released
Dear Users,

I have released version 5.52 of stunnel.

Version 5.52, 2019.04.08, urgency: HIGH
* Bugfixes
  - Fixed a transfer() loop bug introduced in stunnel 5.51.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
00b973aa0d48b0707dd722c4e0a20b8378fc9b0ba301fdb785ffb75341024e21  stunnel-5.52.tar.gz
c9224c35cdd3a6de8fab7c2844ca0c185ebcc96fd9183a05407e2ba77cadc7c6  stunnel-5.52-win64-installer.exe
d4ff581e1547c2e194abd586e9542bfe20399c1287f970eaa5ba1824e4567453  stunnel-5.52-android.zip

Best regards,
Mike

stunnel 5.51 released
Dear Users,

I have released version 5.51 of stunnel.

Version 5.51, 2019.04.04, urgency: MEDIUM
* New features
  - Hexadecimal PSK keys are automatically converted to binary.
  - Session ticket support (requires OpenSSL 1.1.1 or later).
    "connect" address persistence is currently unsupported with
    session tickets.
  - SMTP HELO before authentication (thx to Jacopo Giudici).
  - New "curves" option to control the list of elliptic curves in
    OpenSSL 1.1.0 and later.
  - New "ciphersuites" option to control the list of permitted
    TLS 1.3 ciphersuites.
  - Include file name and line number in OpenSSL errors.
  - Compatibility with the current OpenSSL 3.0.0-dev branch.
  - Better performance with SSL_set_read_ahead()/SSL_pending().
* Bugfixes
  - Fixed PSKsecrets as a global option (thx to Teodor Robas).
  - Fixed a memory allocation bug (thx to matanfih).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
77437cdd1aef1a621824bb3607e966534642fe90c69f4d2279a9da9fa36c3253  stunnel-5.51.tar.gz
a0e26fde3ba09d6545cfbb44cab06ebd4ddf9c4b536e7d8eb76615ab54b2339c  stunnel-5.51-win64-installer.exe
ee90bef40cb47617fe7372707dba119f5176cb0fd9eb1bc00cdd1e2c370041db  stunnel-5.51-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.50 released
Dear Users,

I have released version 5.50 of stunnel.

Version 5.50, 2018.12.02, urgency: MEDIUM
* New features
  - 32-bit Windows builds replaced with 64-bit builds.
  - OpenSSL DLLs updated to version 1.1.1.
  - Check whether "output" is not a relative file name.
  - Major code cleanup in the configuration file parser.
  - Added sslVersion, sslVersionMin and sslVersionMax for
    OpenSSL 1.1.0 and later.
* Bugfixes
  - Fixed PSK session resumption with TLS 1.3.
  - Fixed a memory leak in WIN32 logging subsystem.
  - Allow for zero value (ignored) TLS options.
  - Partially refactored configuration file parsing and logging
    subsystems for clearer code and minor bugfixes.
* Caveats
  - We removed FIPS support from our standard builds. FIPS will
    still be available with bespoke builds.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
951d92502908b852a297bd9308568f7c36598670b84286d3e05d4a3a550c0149  stunnel-5.50.tar.gz
e855d58a05dca0943a5da8d030b5904630ee9cff47c3d747d326e151724f3bc8  stunnel-5.50-win64-installer.exe
ad6c952cd26951c5a986efe8034b71af07c951e11d06e0b0ce73ef82594b1041  stunnel-5.50-android.zip

Best regards,
Mike

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] stunnel 5.49 released
Dear Users,

I have released version 5.49 of stunnel.

Version 5.49, 2018.09.03, urgency: MEDIUM
* New features
  - Performance optimizations.
  - Logging of negotiated or resumed TLS session IDs (thx to
    ANSSI - National Cybersecurity Agency of France).
  - Merged Debian 10-enabled.patch and 11-killproc.patch (thx to
    Peter Pentchev).
  - OpenSSL DLLs updated to version 1.0.2p.
  - PKCS#11 engine DLL updated to version 0.4.9.
* Bugfixes
  - Fixed a crash in the session persistence implementation.
  - Fixed syslog identifier after configuration file reload.
  - Fixed non-interactive "make check" invocations.
  - Fixed reloading syslog configuration.
  - stunnel.pem created with SHA-256 instead of SHA-1.
  - SHA-256 "make check" certificates.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
3d6641213a82175c19f23fde1c3d1c841738385289eb7ca1554f4a58b96d955e  stunnel-5.49.tar.gz
459bbb212baf0b9821c80e0664c830246ef6e97c7329fb08160e87ff11ae9692  stunnel-5.49-win32-installer.exe
72416c6664106ad815a8da67a525c6593247fc06cbca3b8918ffc87ae92595e8  stunnel-5.49-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.48 released
Dear Users,

I have released version 5.48 of stunnel.

Version 5.48, 2018.07.02, urgency: HIGH
* Security bugfixes
  - Fixed requesting client certificate when specified as a global
    option.
* New features
  - Certificate subject checks modified to accept certificates if
    at least one of the specified checks matches.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
1011d5a302ce6a227882d094282993a3187250f42f8a801dcc1620da63b2b8df  stunnel-5.48.tar.gz
eb160fdf28061eb509e09824ab9cd26f4f0ca9be3b90008bba32274d5136c7eb  stunnel-5.48-win32-installer.exe
667ee8c8d5440117285eb5a5ddf0d305a6dd1dbb93dcf5b7bac62f84ddba7466  stunnel-5.48-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.47 released
Dear Users,

I have released version 5.47 of stunnel.

Version 5.47, 2018.06.23, urgency: HIGH
* New features
  - Fast add_lock_callback for OpenSSL < 1.1.0. This largely
    improves performance on heavy load.
  - Automatic detection of Homebrew OpenSSL.
  - Clarified port binding error logs.
  - Various "make test" improvements.
* Bugfixes
  - Fixed a crash on switching to SNI slave sections.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
c4e675db996eb92beef885f72a3ed8af3c7603fea6b99d2873198dd6c0021d0b  stunnel-5.47.tar.gz
985e1d65a3f4a7599cc78630960e1b2c97981f91ce6bc41f2eefcd371b4067a3  stunnel-5.47-win32-installer.exe
309cfb79329448f0c134aece0d10d0737e3728b25c288e9a76650837cd6f839c  stunnel-5.47-android.zip

Best regards,
Mike

Re: [openssl-users] stunnel 5.46 released
On 30.05.2018 19:12, Viktor Dukhovni wrote:
> So I would disable only kDH, but not DHE. Keep in mind that
> some remote systems will not support EECDH, and by disabling
> DHE, you get only kRSA, which is worse. So I think that
> '!DH' is unwise.

I respectfully disagree. The only practical disadvantage of kRSA is
that it doesn't provide PFS. Losing PFS is bad, but it's not a huge
price for ensuring secure key exchange. Actually, there aren't that
many platforms nowadays that support kDHE and not kECDHE.

Best regards,
Mike

[openssl-users] stunnel 5.46 released
Dear Users,

I have released version 5.46 of stunnel.

Version 5.46, 2018.05.28, urgency: MEDIUM
* New features
  - The default cipher list was updated to a safer value:
    "HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK".
* Bugfixes
  - Default accept address restored to INADDR_ANY.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
76aab48c28743d78e4b2f6b2dfe49994b6ca74126046c179444f699fae7a84c7  stunnel-5.46.tar.gz
721cc4d7c385743df767a32a53c11477def2440ae20ad4538d8e685f7b7d6538  stunnel-5.46-win32-installer.exe
d08a3b3598868064db08d6f0e3a97e3c49dedbf6c8d7f348a613b832eca16dd6  stunnel-5.46-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.45 released
Dear Users,

I have released version 5.45 of stunnel.

Version 5.45, 2018.05.21, urgency: MEDIUM
* New feature sponsored by https://loadbalancer.org/
  - Implemented delayed deallocation of service sections after
    configuration file reload.
* Other new features
  - OpenSSL DLLs updated to version 1.0.2o.
  - Deprecated the sslVersion option.
  - The "socket" option is now also available in service sections.
  - Implemented try-restart in the SysV init script (thx to
    Peter Pentchev).
  - TLS 1.3 compliant session handling for OpenSSL 1.1.1.
  - Default "failover" value changed from "rr" to "prio".
  - New "make check" tests.
* Bugfixes
  - A service no longer refuses to start if binding fails for some
    (but not all) addresses:ports.
  - Fixed compression handling with OpenSSL 1.1.0 and later.
  - _beginthread() replaced with safer _beginthreadex().
  - Fixed exception handling in libwrap.
  - Fixed exec+connect services.
  - Fixed automatic resolver delaying.
  - Fixed a Gentoo cross-compilation bug (thx to Joe Harvell).
  - A number of "make check" framework fixes.
  - Fixed false positive memory leak logs.
  - Build fixes for OpenSSL versions down to 0.9.7.
  - Fixed (again) round-robin failover in the FORK threading model.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
548244839b8a4bf4dffea46c97893b203d1b9eed118c3dd6a9ac4d8d02592ee3  stunnel-5.45.tar.gz
fc13a224c7ec1290035efe8317c53d62a0980a5ab2efe8930b06aae269fbe873  stunnel-5.45-win32-installer.exe
29025eaed007c62856f16c7a8a22f9713eee9762ed95009f6f91f729c35c0bc0  stunnel-5.45-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.31 released
Dear Users,

I have released version 5.31 of stunnel.

The ChangeLog entry:

Version 5.31, 2016.03.01, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2g.
    https://www.openssl.org/news/secadv_20160301.txt
* New features
  - Added logging the list of client CAs requested by the server.
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
* Bugfixes
  - Only reset the watchdog if some data was actually transferred.
  - A workaround implemented for the unexpected exceptfds set by
    select() on WinCE 6.0 (thx to Richard Kraemer).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
a746b71ab3dc6c23eacb0daf7342467870e43ac933430905eb1b1d050bbae0b7  stunnel-5.31.tar.gz
c662fc1254f22ce5ac3f6e09bf643b3a0a99a884b6414f55cc8ab22d7c680fd5  stunnel-5.31-installer.exe
f14d7c9cf23a25bdcef8480f9d35c66233bb9e64f82098f1867edf4b038b41c4  stunnel-5.31-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.30 released
Dear Users,

I have released version 5.30 of stunnel.

The ChangeLog entry:

Version 5.30, 2016.01.28, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2f.
    https://www.openssl.org/news/secadv_20160128.txt
* New features
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  - Added OpenSSL autodetection for the recent versions of Xcode.
* Bugfixes
  - Fixed references to /etc removed from stunnel.init.in.
  - Stopped even trying -fstack-protector on unsupported platforms
    (thx to Rob Lockhart).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
7d6eb389f6a1954b3bcf6c71d4ae3c5f9dde1990dd0b9e0cb1c7caf138d60570  stunnel-5.30.tar.gz
cf13a881d2f19b8db5e70fafac6e5dad31f041ee6b9c0316dbd8f9f425c16418  stunnel-5.30-installer.exe
102c54d0f58937fc3c3de2a6fb629562e48eae200123d6357889defa45c1  stunnel-5.30-android.zip

Best regards,
Mike

[openssl-users] SSL_COMP
Hi Guys,

Any idea how to properly use:

    STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
    STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths);

in the latest OpenSSL 1.1 git, which no longer declares SSL_COMP?

I guess openssl/ssl.h should be modified to include:

    typedef struct ssl_comp_st SSL_COMP;
    DEFINE_STACK_OF(SSL_COMP)

Best regards,
Mike

[openssl-users] stunnel 5.28 released
Dear Users,

I have released version 5.28 of stunnel.

This is a bugfix release. I highly recommend upgrading your stunnel.

The ChangeLog entry:

Version 5.28, 2015.12.11, urgency: HIGH
* New features
  - Build matrix (.travis.yml) extended with ./configure options.
  - mingw.mak updated to build tstunnel.exe (thx to Jose Alf.).
* Bugfixes
  - Fixed incomplete initialization.
  - Fixed UCONTEXT threading on OSX.
  - Fixed exit codes for information requests (as in
    "stunnel -version" or "stunnel -help").

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
9a25b87b1ef0c08fa3d796edce07b4408e6a8acece23de2eb7ee9285b78852b5  stunnel-5.28.tar.gz
020b5bd8a97a1da91e9b379c0d2fa8a14606402e2b0c1eb9191fe99c7f4665f9  stunnel-5.28-installer.exe
0af65879343b37bcda89dbbde51f6cfde016a044a533f7bdec229f4e1ec25eb9  stunnel-5.28-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.27 released
Dear Users,

I have released version 5.27 of stunnel.

The ChangeLog entry:

Version 5.27, 2015.12.03, urgency: MEDIUM
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2e.
    https://www.openssl.org/news/secadv_20151203.txt
* New features
  - Automated build testing configured with .travis.yml.
  - Added reading server certificates from hardware engines.
    For example: cert = id_45
  - Only attempt to use potentially harmful compiler or linker
    options if gcc was detected.
  - /opt/csw added to the OpenSSL directory lookup list.
  - mingw.mak updates (thx to Jose Alf.).
  - TODO list updated.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
7474e986710e88a5cc3330b6b1762f9449f01eccf826fa0f97e56d064c05ead3  stunnel-5.27.tar.gz
04b11dea9a29e7a16d46b2c4e6c66a5ca6f588abb29a827dcca2c6f6456eb4c6  stunnel-5.27-installer.exe
76e4297212eaa99a674191f3e955ec3959abcdd0c081d2df0ce8786a577a6883  stunnel-5.27-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.26 released
Dear Users,

I have released version 5.26 of stunnel.

The ChangeLog entry:

Version 5.26, 2015.11.06, urgency: MEDIUM
* Bugfixes
  - Compilation fixes for OSX, *BSD and Solaris.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
2c90d469011eed8dc94f003013e3c055de6fdb687ef1e71fa004281d7f7c2726  stunnel-5.26.tar.gz
797e89783bbab29d5eedbd3193da2cb2461bcf47d314a9ee671b228e207e2b15  stunnel-5.26-installer.exe
cd62a3ed4818677e7eeab36017accbae697a67cfd85f58eae82d2ad2db781664  stunnel-5.26-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.25 released
Dear Users,

I have released version 5.25 of stunnel.

The ChangeLog entry:

Version 5.25, 2015.11.02, urgency: MEDIUM
* New features
  - SMTP client protocol negotiation support for
    "protocolUsername", "protocolPassword", and
    "protocolAuthentication" (thx to Douglas Harris).
  - New service-level option "config" to specify OpenSSL >=1.0.2
    configuration commands (thx to Stephen Wall).
  - The global option "foreground" now also accepts "quiet"
    parameter, which does not enable logging to stderr.
  - Manual page updated.
  - Obsolete OpenSSL engines removed from the Windows build:
    4758cca, aep, atalla, cswift, nuron, sureware.
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree:
    gracefully handle symbols renamed from SSLeay* to OpenSSL*.
* Bugfixes
  - Fixed the "s_poll_wait returned 1, but no descriptor is ready"
    internal error.
  - Fixed "exec" hangs due to incorrect thread-local storage
    handling (thx to Philip Craig).
  - Fixed PRNG initialization (thx to Philip Craig).
  - Setting socket options no longer performed on PTYs.
  - Fixed 64-bit Windows build.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
1fb2209f1e006cc01813e1688599c4d0fb0adde4434c31ab95745b1db97484b7  stunnel-5.25.tar.gz
506846a28154e5111c6f374de5861c51221a5c9ddcf012952eaf7b4819176cd9  stunnel-5.25-installer.exe
58e79879a5fa922e2ae28ef0892f447d92d27517dfc0f921095b7180a7fd6905  stunnel-5.25-android.zip

Best regards,
Mike

[openssl-users] stunnel 5.24 released
Dear Users,

I have released version 5.24 of stunnel.

The ChangeLog entry:

Version 5.24, 2015.10.08, urgency: MEDIUM
* New features
  - Custom CRL verification was replaced with the internal OpenSSL
    functionality.
  - *BSD support for "transparent = destination" and client-side
    "protocol = socks". This feature should work at least on
    FreeBSD, OpenBSD and OS X.
  - Added a new "protocolDomain" option for the NTLM authentication
    (thx to Andreas Botsikas).
  - Improved compatibility of the NTLM phase 1 message (thx to
    Andreas Botsikas).
  - "setuid" and "setgid" options are now also available in service
    sections. They can be used to set owner and group of the Unix
    socket specified with "accept".
  - Added support for the new OpenSSL 1.0.2 SSL options.
  - Added OPENSSL_NO_EGD support (thx to Bernard Spil).
  - VC autodetection added to makew32.bat (thx to Andreas Botsikas).
* Bugfixes
  - Fixed the RESOLVE [F0] TOR extension support in SOCKS5.
  - Fixed the error code reported on the failed bind() requests.
  - Fixed the sequential log id with the FORK threading.
  - Restored the missing Microsoft.VC90.CRT.manifest file.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
ab2e5a1034d422951ddad21b572eb7fa8efb4c4ce04bc86536c6845f3d02b07e  stunnel-5.24.tar.gz
f6c38d51c2708f3eddbad651091bf0b59e4149a1d0c1e3b227b033f126c6dbee  stunnel-5.24-installer.exe
ed2a2c5f280970bd5f5efcecbc1dbbd06f66efb68102af31c27d33e3beb48bb5  stunnel-5.24-android.zip

Best regards,
Mike

stunnel 5.07 released
Dear Users,

I have released version 5.07 of stunnel.

The ChangeLog entry:

Version 5.07, 2014.11.01, urgency: MEDIUM:
* New features
  - Several SMTP server protocol negotiation improvements.
  - Added UTF-8 byte order marks to stunnel.conf templates.
  - DH parameters are no longer generated by make cert.
    The hardcoded DH parameters are sufficiently secure,
    and modern TLS implementations will use ECDH anyway.
  - Updated manual for the options configuration file option.
  - Added support for systemd 209 or later.
  - New --disable-systemd ./configure option.
  - setuid/setgid commented out in stunnel.conf-sample.
* Bugfixes
  - Added support for UTF-8 byte order mark in stunnel.conf.
  - Compilation fix for OpenSSL with disabled SSLv2 or SSLv3.
  - Non-blocking mode set on inetd and systemd descriptors.
  - shfolder.h replaced with shlobj.h for compatibility
    with modern Microsoft compilers.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
505c6c63c4a20fc0cce8c35ef1ab7626c7b01071e3fca4ac6ea417afe8065309  stunnel-5.07.tar.gz
0e8d41a8102437d2c04a347bfe38ad80408fd2eb1451c559dcc7932ff2d09bd9  stunnel-5.07-installer.exe
d3ced258ad35bea656ec178644d83e7d0b9fe8a2e4b2d6511e5c898ac9e6c7fc  stunnel-5.07-android.zip

Best regards,
Mike

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

stunnel 5.06 released
Dear Users,

I have released version 5.06 of stunnel.

This is a security bugfix release. Update is recommended.

The ChangeLog entry:

Version 5.06, 2014.10.15, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1j.
    https://www.openssl.org/news/secadv_20141015.txt
  - The insecure SSLv2 protocol is now disabled by default.
    It can be enabled with options = -NO_SSLv2.
  - The insecure SSLv3 protocol is now disabled by default.
    It can be enabled with options = -NO_SSLv3.
  - Default sslVersion changed to all (also in FIPS mode)
    to autonegotiate the highest supported TLS version.
* New features
  - Added missing SSL options to match OpenSSL 1.0.1j.
  - New -options commandline option to display the list
    of supported SSL options.
* Bugfixes
  - Fixed FORK threading build regression bug.
  - Fixed missing periodic Win32 GUI log updates.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
098c2b6db0793ea4fa5b6767ce6ef1853e9f6cc2f32133024be55f6a460b1a40  stunnel-5.06.tar.gz
55afb3013406da1afcc1ab7ccc25bb1c66605ca3e004636a6b49cac555cb4d09  stunnel-5.06-installer.exe
a1741eb8bb050d3d29515ddef46a0a6828372a991f2658995dee1e06af8c05c8  stunnel-5.06-android.zip

Best regards,
Mike

stunnel 5.05 released
Dear Users,

I have released version 5.05 of stunnel.

The ChangeLog entry:

Version 5.05, 2014.10.10, urgency: MEDIUM:
* New features
  - Asynchronous communication with the GUI thread for faster
    logging on Win32.
  - systemd socket activation (thx to Mark Theunissen).
  - The parameter of options can now be prefixed with - to clear
    an SSL option, for example: options = -LEGACY_SERVER_CONNECT.
  - Improved transparent = destination manual page (thx to
    Vadim Penzin).
* Bugfixes
  - Fixed POLLIN|POLLHUP condition handling error resulting in
    prematurely closed (truncated) connection.
  - Fixed a null pointer dereference regression bug in the
    transparent = destination functionality (thx to Vadim Penzin).
    This bug was introduced in stunnel 5.00.
  - Fixed startup thread synchronization with Win32 GUI.
  - Fixed erroneously closed stdin/stdout/stderr if specified as
    the -fd commandline option parameter.
  - A number of minor Win32 GUI bugfixes and improvements.
  - Merged most of the Windows CE patches (thx to Pierre Delaage).
  - Fixed incorrect CreateService() error message on Win32.
  - Implemented a workaround for defective Cygwin file descriptor
    passing breaking the libwrap support:
    http://wiki.osdev.org/Cygwin_Issues#Passing_file_descriptors

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
c7e1653345150db7e48d00e1129cf571c7c85de8e7e1aa70b21cf1d76b1e31ef  stunnel-5.05.tar.gz
19f8b78aecc26c291d90e4fa72807bdb75063a7641fd64f224222b526cfa83aa  stunnel-5.05-installer.exe
65129c4c1a73dc04a0f66571a9bda2860d70376cdcc2c1d83fd575dcb0adc7a5  stunnel-5.05-android.zip

Best regards,
Mike

stunnel 5.03 released
Dear Users,

I have released version 5.03 of stunnel.

The ChangeLog entry:

Version 5.03, 2014.08.07, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1i. See https://www.openssl.org/news/secadv_20140806.txt
* New features
  - FIPS autoconfiguration cleanup.
  - FIPS canister updated to version 2.0.6.
  - Improved SNI diagnostic logging.
* Bugfixes
  - Compilation fixes for old versions of OpenSSL.
  - Fixed whitespace handling in the stunnel.init script.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
5e8196f913bf7460082c1c7e5d436fbfba7f65d56c60065e6ccf0df9057294ef stunnel-5.03-android.zip
803bc85fbc80f22d71b13d4180e2d51c02586b2cc611169961a2745e47e31c4f stunnel-5.03-installer.exe
9a1e369466fa756e6f48b11480a3338c1fa4717e6472871bf4a3a96c483edd03 stunnel-5.03.tar.gz

Best regards,
Mike
stunnel 5.02 released
Dear Users,

I have released version 5.02 of stunnel.

The ChangeLog entry:

Version 5.02, 2014.06.09, urgency: HIGH:
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.1h. See http://www.openssl.org/news/secadv_20140605.txt
* New features
  - Major rewrite of the protocol.c interface: it is now possible to add protocol negotiations at multiple connection phases, protocols can individually decide whether the remote connection will be established before or after SSL/TLS is negotiated.
  - Heap memory blocks are wiped before release. This only works for blocks allocated by stunnel, and not by OpenSSL or other libraries.
  - The safe_memcmp() function implemented with execution time not dependent on the compared data.
  - Updated the stunnel.conf and stunnel.init templates.
  - Added a client-mode example to the manual.
* Bugfixes
  - Fixed failover = rr broken since version 5.00.
  - Fixed taskbar = no broken since version 5.00.
  - Compilation fix for missing SSL_OP_MSIE_SSLV2_RSA_PADDING option.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
c258b71d7f82bba5b0a4ccc69fbda632f1fefe9108589a92aa1016f33985973e stunnel-5.02.tar.gz
2125bf8e9241cb9f7969cb74f8409ce77f2c49e1390d363aa46bc436b9d908aa stunnel-5.02-installer.exe
f962a2f4a0e16f07ff10339066ec89d7686734dcabba88654f2e71da4f658529 stunnel-5.02-android.zip

Best regards,
Mike
Syringe
Hi Guys,

I'm glad to announce syringe, a service for testing client-side heartbleed. It allows to easily examine most of the obscure TLS clients (for example embedded devices).

The service is available online at https://www.stunnel.org:4433/

Best regards,
Mike
stunnel 5.00 released
Dear Users,

I have released version 5.00 of stunnel.

The ChangeLog entry:

stunnel 5.00 disables some features previously enabled by default. Users should review whether the new defaults are appropriate for their particular deployments. Package maintainers may consider prepending the old defaults for fips (if supported by their OpenSSL library), pid and libwrap to stunnel.conf during automated updates.

Version 5.00, 2014.03.06, urgency: HIGH:
* Security bugfixes
  - Added PRNG state update in fork threading (CVE-2014-0016).
* New global configuration file defaults
  - Default fips option value is now no, as FIPS mode is only helpful for compliance, and never for actual security.
  - Default pid is now "", i.e. not to create a pid file at startup.
* New service-level configuration file defaults
  - Default ciphers updated to HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 due to AlFBPPS attack and bad performance of DH ciphersuites.
  - Default libwrap setting is now no to improve performance.
* New features
  - OpenSSL DLLs updated to version 1.0.1f.
  - zlib DLL updated to version 1.2.8.
  - autoconf scripts upgraded to version 2.69.
  - TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode.
  - New service-level option redirect to redirect SSL client connections on authentication failures instead of rejecting them.
  - New global engineDefault configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
  - New service-level configuration file option engineId to select the engine by identifier, e.g. engineId = capi.
  - New global configuration file option log to control whether to append (the default), or to overwrite log file while (re)opening.
  - Different taskbar icon colors to indicate the service state.
  - New global configuration file options iconIdle, iconActive, and iconError to select status icon on GUI taskbar.
  - Removed the limit of 63 stunnel.conf sections on Win32 platform.
  - Installation of a sample certificate was moved to a separate cert target in order to allow unattended (e.g. scripted) installations.
  - Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time.
  - Improved readability of error messages printed when stunnel refuses to start due to a critical error.
* Bugfixes
  - LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs).
  - CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs).
  - Corrected round-robin failover behavior under heavy load.
  - Numerous fixes in the engine support code.
  - On Win32 platform .rnd file moved from c:\ to the stunnel folder.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hash for stunnel-5.00.tar.gz:
88986d52a7ef1aff0cc26fc0a9830361c991baba7ee591d5cf1cc8baef75bc13

Best regards,
Mike
stunnel 4.56 released
Dear Users,

I have released version 4.56 of stunnel.

The ChangeLog entry:

Version 4.56, 2013.03.22, urgency: HIGH:
* New features
  - Win32 installer automatically configures firewall exceptions.
  - Win32 installer configures administrative shortcuts to invoke UAC.
  - Improved Win32 GUI shutdown time.
* Bugfixes
  - Fixed a regression bug introduced in version 4.55 causing random crashes on several platforms, including Windows 7.
  - Fixed startup crashes on some Win32 systems.
  - Fixed incorrect stunnel -exit process synchronisation.
  - Fixed FIPS detection with new versions of the OpenSSL library.
  - Failure to open the log file at startup is no longer ignored.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hash for stunnel-4.56.tar.gz:
9cae2cfbe26d87443398ce50d7d5db54e5ea363889d5d2ec8d2778a01c871293

Best regards,
Mike
stunnel 4.55 released (security update)
Dear Users,

I have released version 4.55 of stunnel. This is a massive bugfix release, including a security bugfix. Update is highly recommended.

The ChangeLog entry:

Version 4.55, 2013.03.03, urgency: HIGH:
* Security bugfix
  - OpenSSL updated to version 1.0.1e in Win32/Android builds.
  - Buffer overflow vulnerability fixed in the NTLM authentication of the CONNECT protocol negotiation. See https://www.stunnel.org/CVE-2013-1762.html for details.
* New features
  - SNI wildcard matching in server mode.
  - Terminal version of stunnel (tstunnel.exe) build for Win32.
* Bugfixes
  - Fixed write half-close handling in the transfer() function (thx to Dustin Lundquist).
  - Fixed EAGAIN error handling in the transfer() function (thx to Jan Bee).
  - Restored default signal handlers before execvp() (thx to Michael Weiser).
  - Fixed memory leaks in protocol negotiation (thx to Arthur Mesh).
  - Fixed a file descriptor leak during configuration file reload (thx to Arthur Mesh).
  - Closed SSL sockets were removed from the transfer() c->fds poll.
  - Minor fix in handling exotic inetd-mode configurations.
  - WCE compilation fixes.
  - IPv6 compilation fix in protocol.c.
  - Windows installer fixes.

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hash for stunnel-4.55.tar.gz:
5a4acecfabd454415c727435acdfca7dc46aa542998fb278293f494a6d36d37a

Best regards,
Mike
stunnel 4.54 released
Dear Users,

I have released version 4.54 of stunnel.

The ChangeLog entry:

Version 4.54, 2012.10.09, urgency: MEDIUM:
* New Win32 features
  - FIPS module updated to version 2.0.
  - OpenSSL DLLs updated to version 1.0.1c.
  - zlib DLL updated to version 1.2.7.
  - Engine DLLs added: 4758cca, aep, atalla, capi, chil, cswift, gmp, gost, nuron, padlock, sureware, ubsec.
* Other new features
  - session option renamed to more readable sessionCacheTimeout. The old name remains accepted for backward compatibility.
  - New service-level sessionCacheSize option to control session cache size.
  - New service-level option reset to control whether TCP RST flag is used to indicate errors. The default value is reset = yes.
  - New service-level option renegotiation to disable SSL renegotiation. This feature is based on a public-domain patch by Janusz Dziemidowicz.
  - New FreeBSD socket options: IP_FREEBIND, IP_BINDANY, IPV6_BINDANY (thx to Janusz Dziemidowicz).
  - New parameters to configure TLS v1.1/v1.2 with OpenSSL version 1.0.1 or higher (thx to Henrik Riomar).
* Bugfixes
  - Fixed Application Failed to Initialize Properly (0xc0150002) error.
  - Fixed missing SSL state debug log entries.
  - Fixed a race condition in libwrap code resulting in random stalls (thx to Andrew Skalski).
  - Session cache purged at configuration file reload to reduce memory leak. Remaining leak of a few kilobytes per section is yet to be fixed.
  - Fixed regression bug in transparent = destination functionality (thx to Stefan Lauterbach). This bug was introduced in stunnel 4.51.
  - transparent = destination is now a valid endpoint in inetd mode.
  - delay = yes fixed to work even if specified *after* connect option.
  - Multiple connect targets fixed to also work with delayed resolver.
  - The number of resolver retries of EAI_AGAIN error has been limited to 3 in order to prevent infinite loops.

Home page: https://www.stunnel.org/ http://stunnel.mirt.net/
Download: https://www.stunnel.org/downloads.html ftp://stunnel.mirt.net/stunnel/

SHA-256 hash for stunnel-4.54.tar.gz:
b7e1b9e63569574dbdabee8af90b8ab88db3fe13dcb1268d59a1408c56e6de7b

Best regards,
Mike
stunnel 4.53 released
Dear Users,

I have released version 4.53 of stunnel. This is a major bugfix release. Upgrade is highly recommended.

The ChangeLog entry:

Version 4.53, 2012.03.19, urgency: MEDIUM:
* New features
  - Added client-mode sni option to directly control the value of TLS Server Name Indication (RFC 3546) extension.
  - Added support for IP_FREEBIND socket option with a patched Linux kernel.
  - Glibc-specific dynamic allocation tuning was applied to help unused memory deallocation.
  - Non-blocking OCSP implementation.
* Bugfixes
  - Compilation fixes for old versions of OpenSSL (tested against 0.9.6).
  - Usage of uninitialized variables fixed in exec+connect services.
  - Occasional logging subsystem crash with exec+connect services.
  - OpenBSD compilation fix (thx to Michele Orru').
  - Session id context initialized with session name rather than a constant.
  - Fixed handling of a rare inetd mode use case, where either stdin or stdout is a socket, but not both of them at the same time.
  - Fixed missing OPENSSL_Applink http://www.openssl.org/support/faq.html#PROG2
  - Fixed crash on termination with FORK threading model.
  - Fixed dead canary after configuration reload with open connections.
  - Fixed missing file descriptors passed to local mode processes.
  - Fixed required jmp_buf alignment on Itanium platform.
  - Removed creating /dev/zero in the chroot jail on Solaris platform.
  - Fixed detection of WSAECONNREFUSED Winsock error.
  - Missing Microsoft.VC90.CRT.manifest added to Windows installer.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.53.tar.gz:
3e640aa4c96861d10addba758b66e99e7c5aec8697764f2a59ca2268901b8e57

Best regards,
Mike
stunnel 4.52 released
Dear Users,

I have released version 4.52 of stunnel. This is a bugfix release. Upgrade is highly recommended.

The ChangeLog entry:

Version 4.52, 2012.01.12, urgency: MEDIUM:
* Bugfixes
  - Fixed write closure notification for non-socket file descriptors.
  - Removed a line logged to stderr in inetd mode.
  - Fixed Socket operation on non-socket error in inetd mode on Mac OS X platform.
  - Removed direct access to the fields of the X509_STORE_CTX data structure.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.52.tar.gz:
7c78c178074e9b96331518a9c309d2e95ca9ad6e0338a96d5ab8ad47fde4347c

Best regards,
Mike
stunnel 4.51 released
Dear Users,

I have released version 4.51 of stunnel.

The ChangeLog entry:

Version 4.51, 2012.01.09, urgency: MEDIUM:
* New features
  - Updated Win32 binary distribution OpenSSL DLLs to version 0.9.8s-fips.
  - Updated Android binary OpenSSL to version 1.0.0f.
  - Zlib support added to Win32 and Android binary builds.
  - New compression = deflate global option to enable RFC 2246 compression. For compatibility with previous versions compression = zlib and compression = rle also enable the deflate (RFC 2246) compression.
  - Separate default ciphers and sslVersion for fips = yes and fips = no.
  - UAC support for editing configuration file with Windows GUI.
* Bugfixes
  - Fixed exec+connect sections.
  - Added a workaround for broken Android getaddrinfo(): http://stackoverflow.com/questions/7818246/segmentation-fault-in-getaddrinfo

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.51.tar.gz:
dc52b22de48a2d71ab6170adb628dbe05dd406d6c9103fc43fbdbda776c3e90b

Best regards,
Mike
stunnel 4.50 released
Dear Users,

I have released version 4.50 of stunnel.

The ChangeLog entry:

Version 4.50, 2011.12.03, urgency: MEDIUM:
* New features
  - Added Android port.
  - Updated INSTALL.FIPS.
* Bugfixes
  - Fixed internal memory allocation problem in inetd mode.
  - Fixed FIPS mode on Microsoft Vista, Server 2008, and Windows 7. This fix required to compile OpenSSL FIPS-compliant DLLs with MSVC 9.0, instead of MSVC 10.0. msvcr100.dll was replaced with msvcr90.dll. GPL compatibility issues are explained in the GPL FAQ: http://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL
  - POP3 server-side protocol negotiation updated to report STLS capability (thx to Anthony Morgan).

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.50.tar.gz:
933467009529bae4f338bb20e758e0ea20b0759130e7695ea2193c4f270e5eaf

Best regards,
Mike
stunnel 4.49 released
Dear Users,

I have released version 4.49 of stunnel.

The ChangeLog entry:

Version 4.49, 2011.11.28, urgency: MEDIUM:
* Bugfixes
  - Missing Microsoft Visual C++ Redistributable (msvcr100.dll) required by FIPS-compliant OpenSSL library was added to the Windows installer.
  - A bug was fixed causing crashes on MacOS X and some other platforms.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.49.tar.gz:
dcb0e1f21e9fcf56f4d67bc7a5a4ef8720845b61063a749953417db2616cb20d

Best regards,
Mike
stunnel 4.48 released
Dear Users,

I have released version 4.48 of stunnel.

The ChangeLog entry:

Version 4.48, 2011.11.26, urgency: MEDIUM:
* New features
  - FIPS support on Win32 platform added. OpenSSL 0.9.8r DLLs based on FIPS 1.2.3 canister are included with this version of stunnel. FIPS mode can be disabled with fips = no configuration file option.
* Bugfixes
  - Fixed canary initialization problem on Win32 platform.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.48.tar.gz:
9fa723595726806cbf6547a2c453e695e33bf635f2d4771e80d110a06f27ea37

Best regards,
Mike
stunnel 4.47 released
Dear Users,

I have released version 4.47 of stunnel. This version includes a number of important bugfixes.

The ChangeLog entry:

Version 4.47, 2011.11.21, urgency: MEDIUM:
* Internal improvements
  - CVE-2010-3864 workaround improved to check runtime version of OpenSSL rather than compiled version, and to allow OpenSSL 0.x.x >= 0.9.8p.
  - Encoding of man page sources changed to UTF-8.
* Bugfixes
  - Handling of socket/SSL close in transfer() function was fixed.
  - Logging was modified to save and restore system error codes.
  - Option service was restricted to Unix, as since stunnel 4.42 it wasn't doing anything useful on Windows platform.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.47.tar.gz:
0b70f8bad8b6963e6154606571a83a3f0e0dea88d7dbd7e3b83cde5a07dd95ae

Best regards,
Mike
stunnel 4.46 released
Dear Users,

I have released version 4.46 of stunnel.

The ChangeLog entry:

Version 4.46, 2011.11.04, urgency: LOW:
* New features
  - Added Unix socket support (e.g. connect = /var/run/stunnel/socket).
  - Added verify = 4 mode to ignore CA chain and only verify peer certificate.
  - Removed the limit of 16 IP addresses for a single 'connect' option.
  - Removed the limit of 256 stunnel.conf sections in PTHREAD threading model. It is still not possible to have more than 63 sections on WIN32 platform. http://msdn.microsoft.com/en-us/library/windows/desktop/ms740141(v=vs.85).aspx
* Optimizations
  - Reduced per-connection memory usage.
  - Performed a major refactoring of internal data structures. Extensive internal testing was performed, but some regression bugs are expected.
* Bugfixes
  - Fixed WIN32 compilation with Mingw32.
  - Fixed non-blocking API emulation layer in UCONTEXT threading model.
  - Fixed signal handling in UCONTEXT threading model.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.46.tar.gz:
8ea8943bdfcd74a2e66dc00d4ed17b402bbd39d040a125901534f6f4308da99d

Best regards,
Mike
stunnel 4.44 released
Dear Users,

I have released version 4.44 of stunnel.

The ChangeLog entry:

Version 4.44, 2011.09.17, urgency: MEDIUM:
* New features
  - Major automake/autoconf cleanup.
  - Heap buffer overflow protection with canaries.
  - Stack buffer overflow protection with -fstack-protector.
* Bugfixes
  - Fixed garbled error messages on errors with setuid/setgid options.
  - SNI fixes (thx to Alexey Drozdov).
  - Use after free in fdprintf() (thx to Alexey Drozdov). This issue might cause GPF with protocol or ident options.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.44.tar.gz:
fa0dfc33f323abfbc94aa993d90d37481cd2f652ee93ec2f8c333ac7a496c7b9

Best regards,
Mike
stunnel 4.43 released
Dear Users,

I have released version 4.43 of stunnel.

The ChangeLog entry:

Version 4.43, 2011.09.07, urgency: MEDIUM:
* New features
  - Updated Win32 DLLs for OpenSSL 1.0.0e.
  - Major optimization of the logging subsystem. Benchmarks indicate up to 15% performance improvement.
* Bugfixes
  - Fixed WIN32 configuration file reload.
  - Fixed FORK and UCONTEXT threading models.
  - Corrected INSTALL.W32 file.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.43.tar.gz:
93a002d9e1652d7684756af75b44b00f99aa93574e8a5a2e69f88656221d5ce2

Best regards,
Mike
stunnel 4.42 released
Dear Users,

I have released version 4.42 of stunnel. This is a security bugfix release. Upgrade is highly recommended!

The ChangeLog entry:

Version 4.42, 2011.08.18, urgency: HIGH:
* New features
  - New verify level 0 to request and ignore peer certificate. This feature is useful with the new Windows GUI menu to save cached peer certificate chains, as SSL client certificates are not sent by default.
  - Manual page has been updated.
  - Removed support for changing Windows Service name with service option.
* Bugfixes
  - Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may possibly be leveraged to perform DoS or remote code execution attacks.
  - The -quiet commandline option was applied to *all* message boxes.
  - Silent install (/S option) no longer attempts to create stunnel.pem.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.42.tar.gz:
d33c407bfc4f58070e818081bd082c38f91cab7691ccbb794da63143c535de3b

Best regards,
Mike
stunnel 4.41 released
Dear Users,

I have released version 4.41 of stunnel. This is a bugfix release. I highly recommend Windows users to upgrade.

The ChangeLog entry:

Version 4.41, 2011.07.25, urgency: MEDIUM:
* Bugfixes
  - Fixed Windows service crash of stunnel 4.40.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.41.tar.gz:
08e0e7df42bfb8b8551eb6c4b5b50eae6051aaf75077101d729e67c7a3a00c72

Best regards,
Mike
stunnel 4.40 released
Dear Users,

I have released version 4.40 of stunnel.

The ChangeLog entry:

Version 4.40, 2011.07.23, urgency: LOW:
* New Win32 features
  - Added a GUI menu to save cached peer certificate chains.
  - Added -exit option to stop stunnel *not* running as a service. This option may be useful for scripts.
  - Added file version information to stunnel.exe.
  - A number of other GUI improvements.
* Other new features
  - Hardcoded 2048-bit DH parameters are used as a fallback if DH parameters are not provided in stunnel.pem.
  - Default ciphers value updated to prefer ECDH: ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH.
  - Default ECDH curve updated to prime256v1.
  - Removed support for temporary RSA keys (used in obsolete export ciphers).

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.40.tar.gz:
91f32c7654dde0e1cf37ed0d8517e0d0b5985cd30443a9d64cd33d232b5fe9ce

Best regards,
Mike
stunnel 4.39 released
Dear Users,

I have just released version 4.39 of stunnel. This version includes major improvements of the Windows GUI and installer.

The ChangeLog entry:

Version 4.39, 2011.07.06, urgency: LOW:
* New features
  - New Win32 installer module to build self-signed stunnel.pem.
  - Added configuration file editing with Windows GUI.
  - Added log file reopening file editing with Windows GUI. It might be useful to also implement log file rotation.
  - Improved configuration file reload with Windows GUI.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.39.tar.gz:
972e4c150e3012ba8777f149c858e1e290aeb7ad7976e1551ac1752bc04fb0ed

Best regards,
Mike
stunnel 4.38 released
Dear Users,

I have just released version 4.38 of stunnel.

The ChangeLog entry:

Version 4.38, 2011.06.28, urgency: MEDIUM:
* New features
  - Server-side SNI implemented (RFC 3546 section 3.1) with a new service-level option nsi.
  - socket option also accepts yes and no for flags.
  - Nagle's algorithm is now disabled by default for improved interactivity.
* Bugfixes
  - A compilation fix was added for OpenSSL version 1.0.0.
  - Signal pipe set to non-blocking mode. This bug caused hangs of stunnel features based on signals, e.g. local mode, FORK threading, or configuration file reload on Unix. Win32 platform was not affected.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.38.tar.gz:
aa49012195fde4dc3e4bed2bb25283cb40a6e0ad8295a47e730652f611e2268c

Best regards,
Mike
stunnel 4.37 released
Dear Users,

I have just released version 4.37 of stunnel. This release is mainly intended to fix bugs and portability issues introduced in versions 4.35 and 4.36. This version also provides new security defaults, updated to better match current best practices in cryptographic applications.

The ChangeLog entry:

Version 4.37, 2011.06.17, urgency: MEDIUM:
* New features
  - Client-side SNI implemented (RFC 3546 section 3.1).
  - Default ciphers changed from the OpenSSL default to a more secure and faster RC4-MD5:HIGH:!aNULL:!SSLv2. A paranoid (and usually slower) setting would be HIGH:!aNULL:!SSLv2.
  - Recommended options = NO_SSLv2 added to the sample stunnel.conf file.
  - Default client method upgraded from SSLv3 to TLSv1. To connect servers without TLS support use sslVersion = SSLv3 option.
  - Improved --enable-fips and --disable-fips ./configure option handling.
  - On startup stunnel now compares the compiled version of OpenSSL against the running version of OpenSSL. A warning is logged on mismatch.
* Bugfixes
  - Non-blocking socket handling in local mode fixed (Debian bug #626856).
  - UCONTEXT threading mode fixed.
  - Removed the use of gcc Thread-Local Storage for improved portability.
  - va_copy macro defined for platforms that do not have it.
  - Fixed local option parsing on IPv4 systems.
  - Solaris compilation fix (redefinition of STR).

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.37.tar.gz:
02ca30609ccb26f6e52ff7eb79a6778ea452a04432eaef7d959d19933f6fe109

Best regards,
Mike
stunnel 4.36 released
Dear Users,

Version 4.36 of stunnel was released.

The ChangeLog entry:

Version 4.36, 2011.05.03, urgency: LOW:
* New features
  - Updated Win32 DLLs for OpenSSL 1.0.0d.
  - Dynamic memory management for strings manipulation: no more static STRLEN limit, lower stack footprint.
  - Strict public key comparison added for verify = 3 certificate checking mode (thx to Philipp Hartwig).
  - Backlog parameter of listen(2) changed from 5 to SOMAXCONN: improved behavior on heavy load.
  - Example tools/stunnel.service file added for systemd service manager.
* Bugfixes
  - Missing pthread_attr_destroy() added to fix memory leak (thx to Paul Allex and Peter Pentchev).
  - Fixed the incorrect way of setting FD_CLOEXEC flag.
  - Fixed --enable-libwrap option of ./configure script.
  - /opt/local added to OpenSSL search path for MacPorts compatibility.
  - Workaround implemented for signal handling on MacOS X.
  - A trivial bug fixed in the stunnel.init script.
  - Retry implemented on EAI_AGAIN error returned by resolver calls.

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.36.tar.gz:
3483fc2011e8a9d2614a93a9dbf7eabf405044df3566f29144fe2d1dd37a35f5

Best regards,
Mike
stunnel 4.35 released
Dear Users,

I'm pleased to announce long-awaited version 4.35 of stunnel.

The ChangeLog entry:

* New features
  - Updated Win32 DLLs for OpenSSL 1.0.0c.
  - Transparent source (non-local bind) added for FreeBSD 8.x.
  - Transparent destination (transparent = destination) added for Linux.
* Bugfixes
  - Fixed reload of FIPS-enabled stunnel.
  - Compiler options are now auto-detected by ./configure script in order to support obsolete versions of gcc.
  - Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
  - CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10. Irreparable race condition leaks remain on other Unix platforms. This issue may have security implications on some deployments.
  - Directory lib64 included in the OpenSSL library search path.
  - Windows CE compilation fixes (thx to Pierre Delaage).
  - Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
* Domain name changes (courtesy of Bri Hatch)
  - http://stunnel.mirt.net/ --> http://www.stunnel.org/
  - ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
  - stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
  - stunnel-us...@mirt.net --> stunnel-us...@stunnel.org
  - stunnel-annou...@mirt.net --> stunnel-annou...@stunnel.org

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.35.tar.gz:
a810e220498239483e14fae24eeb2a188a6167e9118958b903f8793768c4460f

Best regards,
Mike
Stunnel 4.34 released
Dear Users,

The ChangeLog entry:

Version 4.34, 2010.09.19, urgency: LOW:
* New features
  - Updated Win32 DLLs for OpenSSL 1.0.0a.
  - Updated Win32 DLLs for zlib 1.2.5.
  - Updated automake to version 1.11.1
  - Updated libtool to version 2.2.6b
  - Added ECC support with a new service-level curve option.
  - DH support is now enabled by default.
  - Added support for OpenSSL builds with some algorithms disabled.
  - ./configure modified to support cross-compilation.
  - Sample stunnel.init updated based on Debian init script.
* Bugfixes
  - Implemented fixes in user interface to enter engine PIN.
  - Fixed a transfer() loop issue on socket errors.
  - Fixed missing WIN32 taskbar icon while displaying a global option error.

SHA-1 value for stunnel-4.34.tar.gz:
367bb46aedd1d84654853feef7e702738e4a65da

Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Michal Trojnara
Re: How to use CAPI engine in OpenSSL 1.0.0a
Patrick Patterson wrote:
> openssl engine -t -post list_options:35 -post list_certs

Thank you very much for mentioning the standard Binary Package.

The following even works without a .cnf file:

C:\OpenSSL-Win32\bin>openssl engine -t dynamic -pre SO_PATH:capi -pre ID:capi -pre LOAD -post list_options:35 -post list_certs

Unfortunately mingw build of engines seems to be broken. I normally cross-compile OpenSSL under Debian with:

./Configure --cross-compile-prefix=i586-mingw32msvc- mingw shared zlib-dynamic
make

Unfortunately this simple option seems to produce unusable CAPI dll.

I found the following references:
http://rt.openssl.org/Ticket/Display.html?id=1747
http://www.listware.net/201006/openssl-dev/11903-compiling-openssl-100a-using-mingw-my-notes.html

Was anyone able to get CAPI engine working using mingw compiler?

Best regards,
Mike
How to use CAPI engine in OpenSSL 1.0.0a
Guys,

I spent a day trying to load CAPI engine in OpenSSL 1.0.0a. The error I received was:

C:\test>openssl engine -t dynamic -pre SO_PATH:capieay32 -pre ID:capi -pre LOAD
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:capieay32
[Success]: ID:capi
[Failure]: LOAD
5220:error:260B606D:engine routines:DYNAMIC_LOAD:init failed:eng_dyn.c:521:
[ unavailable ]

The same error is printed when a full path is specified.

For an incorrect file name it returned a different error:

C:\test>openssl engine -t dynamic -pre SO_PATH:nonexisting -pre ID:capi -pre LOAD
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:nonexisting
[Success]: ID:capi
[Failure]: LOAD
4672:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:dso_win32.c:180:filename(nonexisting.dll)
4672:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
4672:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
[ unavailable ]

Was anyone able to use CAPI in OpenSSL 1.0.0a? I tried to find any example in the Internet, but without any luck.

Best regards,
Mike
Stunnel 4.33 released
The ChangeLog entry:

Version 4.33, 2010.04.05, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 1.0.0. This library requires to c_rehash CApath/CRLpath directories on upgrade.
  - Win32 DLLs for zlib 1.2.4.
  - Experimental support for local mode on WIN32 platform. Try exec = c:\windows\system32\cmd.exe.
* Bugfixes
  - Inetd mode fixed

SHA-1 value for stunnel-4.33.tar.gz: 695c7ef834952cb8ddbc790e10b6e32798fc2767
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michal Trojnara
Stunnel 4.32 released
Dear Users,

I'm glad to announce a new version of stunnel. The ChangeLog entry:

Version 4.32, 2010.03.24, urgency: MEDIUM:
* New features
  - New service-level libwrap option for run-time control whether /etc/hosts.allow and /etc/hosts.deny are used for access control. Disabling libwrap significantly increases performance of stunnel.
  - Win32 DLLs for OpenSSL 0.9.8m.
* Bugfixes
  - Fixed a transfer() loop issue with SSLv2 connections.
  - Fixed a setsockopt IP_TRANSPARENT warning with local option.
  - Logging subsystem bugfixes and cleanup.
  - Installer bugfixes for Vista and later versions of Windows.
  - FIPS mode can be enabled/disabled at runtime.

SHA-1 value for stunnel-4.32.tar.gz: e9be8b9150d1c901a7c37b58494e351815147a79
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michal Trojnara
Stunnel 4.31 released
The ChangeLog entry:

Version 4.31, 2010.02.03, urgency: MEDIUM:
* New features
  - Log file reopen on USR1 signal was added.
* Bugfixes
  - Some regression issues introduced in 4.30 were fixed.

SHA-1 value for stunnel-4.31.tar.gz: f51fc544a0554f6eee2bfca1fcb8ddcb8386ce32
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michal Trojnara
Stunnel 4.30 released
The ChangeLog entry:

Version 4.30, 2010.01.21, urgency: LOW/EXPERIMENTAL:
* New features
  - Graceful configuration reload with HUP signal on Unix and with GUI on Windows.

This release involves major modifications of the code. I expect some regression issues, so please make sure to test this version well before running it on your production systems.

SHA-1 value for stunnel-4.30.tar.gz: 46d21c3ad0e761d697f4de8c258ef999287f13f9
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michal Trojnara
Re: Stunnel 4.29 released
Carter Browne <cbro...@cbcs-usa.com> wrote:
> I think it is a problem with your website - the copy on the backup site works properly.

With all due respect ftp://stunnel.mirt.net/stunnel/ is hardly a website...

Best regards, Mike
Re: Stunnel 4.29 released
Carter Browne wrote:
> The link to stunnel-4.29-installer.exe is broken in both Firefox (error 505) and IE8. The other links I tried were ok.

I guess there is a policy on your Windows machine to disallow downloading .exe files with a web browser. You could try to use an FTP client instead of a web browser.

Mike
Stunnel 4.29 released
The ChangeLog entry:

Version 4.29, 2009.12.02, urgency: MEDIUM:
* New feature sponsored by Searchtech Limited http://www.astraweb.com/
  - sessiond, a high performance SSL session cache was built for stunnel. A new service-level sessiond option was added. sessiond is available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ . stunnel clusters will be a lot faster, now!
* Bugfixes
  - execargs defaults to the exec parameter (thx to Peter Pentchev).
  - Compilation fixes added for AIX and old versions of OpenSSL.
  - Missing fips option was added to the manual.

SHA-1 value for stunnel-4.29.tar.gz: f93ac9054c62b1db0dcf44f668d323d82cc0f413
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michal Trojnara
Stunnel 4.28 released
The ChangeLog entry:

Version 4.28, 2009.11.08, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8l.
  - Transparent proxy support on Linux kernels >=2.6.28. See the manual for details.
  - New socket options to control TCP keepalive on Linux: TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
  - SSL options updated for the recent version of OpenSSL library.
* Bugfixes
  - A serious bug in asynchronous shutdown code fixed.
  - Data alignment updated in libwrap.c.
  - Polish manual encoding fixed.
  - Notes on compression implementation in OpenSSL added to the manual.

SHA-1 value for stunnel-4.28.tar.gz: 868cba9ec56ed6a02c8ecfa2a87614b4d433611b
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michal Trojnara
Stunnel 4.27 released
The ChangeLog entry:

Version 4.27, 2009.04.16, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8k.
  - FIPS support was updated for openssl-fips 1.2.
  - New priority failover strategy for multiple connect targets, controlled with failover=rr (default) or failover=prio.
  - pgsql protocol negotiation by Marko Kreen <mark...@gmail.com>.
  - Building instructions were updated in INSTALL.W32 file.
* Bugfixes
  - Libwrap helper processes fixed to close standard input/output/error file descriptors.
  - OS2 compilation fixes.
  - WCE fixes by Pierre Delaage <delaage.pie...@free.fr>.

SHA-1 value for stunnel-4.27.tar.gz: 2daf52fb0906de9fc5bd6a270e620e9316034fd4
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Michał Trojnara
Re: openssl-fips 1.2 questions
Steve Marquess <marqu...@oss-institute.org> wrote:
Stunnel has official FIPS mode support. I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2. Unfortunately it looks like fipsld is no longer installed during the openssl-fips installation process. Can you confirm it? Is there a recommended way to find fipsld in ./configure script?

TIA, Michal Trojnara
stunnel 4.26 released
Dear Users,

Version 4.26, 2008.09.20, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8i.
  - /etc/hosts.allow and /etc/hosts.deny no longer need to be copied to the chrooted directory, as the libwrap processes are no longer chrooted.
  - More informative error messages for invalid port number specified in stunnel.conf file.
  - Support for Microsoft Visual C++ 9.0 Express Edition.
* Bugfixes
  - Killing all libwrap processes at stunnel shutdown fixed.
  - A minor bug in stunnel.init sample SysV startup file fixed.

Home page/download: http://stunnel.mirt.net/
sha1sum for stunnel-4.24.tar.gz file: 1c9f5dd6b21f354c356cd9100899a90a83068c68

Best regards, Mike
stunnel 4.25 released
Dear Users,

Version 4.25, 2008.06.01, urgency: MEDIUM:
* New features
  - Win32 DLLs for OpenSSL 0.9.8h.
* Bugfixes
  - Spawning libwrap processes delayed until privileges are dropped.
  - Compilation fix for systems without struct msghdr.msg_control.

Home page/download: http://stunnel.mirt.net/
sha1sum for stunnel-4.24.tar.gz file: fc6d61fad996f750c76ea627c5dd9f789af0eaf6

Best regards, Mike
stunnel 4.23 released
Dear Users,

I have just released a new version of stunnel. Please find below the ChangeLog entry:

Version 4.23, 2008.05.03, urgency: HIGH:
* Bugfixes
  - Local privilege escalation bug on Windows NT based systems fixed. A local user could exploit stunnel running as a service to gain localsystem privileges.

Home page/download: http://stunnel.mirt.net/
sha1sum for stunnel-4.23.tar.gz file: d0fef8b518a44b9623692381a53680e0b4b01686

Best regards, Mike
stunnel 4.21 released
Dear Users,

The new version is available for download on: ftp://stunnel.mirt.net/stunnel/

Version 4.21, 2007.10.27, urgency: LOW/EXPERIMENTAL:
* New features sponsored by Open-Source Software Institute
  - Initial FIPS 140-2 support (see INSTALL.FIPS for details). Win32 platform is not currently supported.
* New features
  - Experimental fast support for non-MT-safe libwrap is provided with pre-spawned processes.
  - Stunnel binary moved from /usr/local/sbin to /usr/local/bin in order to meet FHS and LSB requirements. Please delete the /usr/local/sbin/stunnel when upgrading.
  - Added code to disallow compiling stunnel with pthreads when OpenSSL is compiled without threads support.
  - Win32 DLLs for OpenSSL 0.9.8g.
  - Minor manual update.
  - TODO file updated.
* Bugfixes
  - Dynamic locking callbacks added (needed by some engines to work).
  - AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
  - On some systems libwrap requires yp_get_default_domain from libnsl, additional checking was added.
  - Sending a list of trusted CAs for the client to choose the right certificate restored.
  - Some compatibility issues with NTLM authentication fixed.
  - Taskbar icon (unless there is a config file parsing error) and Save As disabled in the service mode for local Win32 security (it's much like Yeti -- some people claim they have seen it).

sha1 hash for stunnel-4.21.tar.gz file: 7785c45167d902aa728b839adee02a8cc056d86a

Best regards, Mike
Re: Bignum is not thread-safe
On Sunday 10 December 2006 00:19, Michal Trojnara wrote:
> Calling SSL_connect() and SSL_accept() from a critical section helps a little. Instead of core dumps I get the following errors:
> SSL_connect: 1408C095: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed

I've found an evidence that it's not only the problem of stunnel:
http://support.segue.com/kbshow.php?q=13730
Of course the proposed solution (to enable the session cache to reduce the probability of failure on negotiating a new session) is just a lame workaround.

I think the short definition of the problem is now: SSL_connect() fails on multithreaded session negotiation. The problem is easy to reproduce.

Best regards, Mike
Re: Bignum is not thread-safe
Michal Trojnara wrote:
> On Sunday 10 December 2006 00:42, Ben Sandee wrote:
> > On 12/9/06, Michal Trojnara wrote:
> > > The library is OpenSSL 0.9.8d configured with:
> > > ./Configure threads shared zlib debug-linux-elf
> > > Can you help me find a solution or a better workaround?
> > Did you set the threading/locking callbacks to valid implementations? (for reference, see http://www.openssl.org/docs/crypto/threads.html) We haven't experienced any concurrency issues once these are set properly for the target platform.
> Of course. The code is there since version 3.0b4 released on 1999.03.22:

One question about http://www.openssl.org/docs/crypto/threads.html. It claims that:
  Additionally, OpenSSL supports dynamic locks, and sometimes, some parts of OpenSSL need it for better performance.
and:
  Also, dynamic locks are currently not used internally by OpenSSL, but may do so in the future.

Aren't these statements mutually exclusive? How can the dynamic locks be needed and not used at the same time? Do I have to support them or not? I'm confused...

Best regards, Mike
Re: Bignum is not thread-safe
Marek Marcola [EMAIL PROTECTED] wrote:
> > Aren't these statements mutually exclusive? How can the dynamic locks be needed and not used at the same time? Do I have to support them or not? I'm confused...
> No. Dynamic callbacks are used by some ENGINE modules (NCipher for example).

You're right. I've verified it in the OpenSSL source code. My problem is still not solved, then. I'm going to publish my testing programs and script so you can see the error by yourself.

Best regards, Mike
Re: Bignum is not thread-safe
On Monday 11 December 2006 18:03, Nils Larsch wrote:
> does it help if you build openssl without BN_DEBUG ? When BN_DEBUG is defined bn_check_top() is a macro that should check if the BIGNUM::top value is correctly set (note: this isn't really a solution as bn_check_top() (without BN_DEBUG_RAND) should be mt-safe).

No, it doesn't. As always problems with non mt-safe functions cause errors that look random. That one was just an example. I turned debugging of to get the symbols in the stack backtrace.

Here is the test suite I use to reproduce this problem.
http://stunnel.mirt.net/tcpstress/

I disable session cache by changing:
  SSL_CTX_set_session_cache_mode(section->ctx, SSL_SESS_CACHE_BOTH);
to:
  SSL_CTX_set_session_cache_mode(section->ctx, SSL_SESS_CACHE_OFF);
in ctx.c file.

BTW: As expected adding dynamic locking callbacks didn't help.

Best regards, Mike
Bignum is not thread-safe
Dear OpenSSL users,

When performing stress-testing of stunnel with session cache disabled I receive core dumps on concurrent SSL_connect() calls. Here is an example stack backtrace:

#0 0xa7e60d41 in BN_ucmp (a=0x80a28fc, b=0x80a1f08) at bn_lib.c:662
662 bn_check_top(b);
(gdb) bt
#0 0xa7e60d41 in BN_ucmp (a=0x80a28fc, b=0x80a1f08) at bn_lib.c:662
#1 0xa7e6c803 in BN_from_montgomery (ret=0x80a28fc, a=0x80a2924, mont=0x80a1ef0, ctx=0x80a2578) at bn_mont.c:281
#2 0xa7e6c3ca in BN_mod_mul_montgomery (r=0x80a28fc, a=0x80a28fc, b=0x80a28fc, mont=0x80a1ef0, ctx=0x80a2578) at bn_mont.c:145
#3 0xa7e5e555 in BN_mod_exp_mont (rr=0x80a28d4, a=0x80a28c0, p=0x80a1d80, m=0x80a22a8, ctx=0x80a2578, in_mont=0x80a1ef0) at bn_exp.c:464
#4 0xa7e81a8c in RSA_eay_public_encrypt (flen=48, from=0xa7fa0960 \003, to=0x808083c , rsa=0x80e88c0, padding=1) at rsa_eay.c:238
#5 0xa7e83e99 in RSA_public_encrypt (flen=48, from=0xa7fa0960 \003, to=0x808083c , rsa=0x80e88c0, padding=1) at rsa_lib.c:282
#6 0xa7f55fb1 in ssl3_send_client_key_exchange (s=0x80e7f10) at s3_clnt.c:1680
#7 0xa7f531a9 in ssl3_connect (s=0x80e7f10) at s3_clnt.c:327
#8 0xa7f6a6fd in SSL_connect (s=0x80e7f10) at ssl_lib.c:850
#9 0x0804c96b in init_ssl (c=0x2) at client.c:322
#10 0x0804c581 in do_client (c=0x806eb68) at client.c:208
#11 0x0804c52e in run_client (c=0x806eb68) at client.c:151
#12 0x0804c29b in client (arg=0x806eb68) at client.c:124
#13 0x4dd17ca3 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#14 0x4db98f5a in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) l bn_lib.c:662
657 {
658 int i;
659 BN_ULONG t1,t2,*ap,*bp;
660
661 bn_check_top(a);
662 bn_check_top(b);
663
664 i=a->top-b->top;
665 if (i != 0) return(i);
666 ap=a->d;

Serializing requests solves the problem, but is definitely not a solution for real life applications. 8-)

Calling SSL_connect() and SSL_accept() from a critical section helps a little. Instead of core dumps I get the following errors:

SSL_connect: 1408C095: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed

The library is OpenSSL 0.9.8d configured with:
./Configure threads shared zlib debug-linux-elf

Can you help me find a solution or a better workaround?

TIA, Mike
stunnel 4.20 released
Dear Users,

I have just released a new version of stunnel. Here is the ChangeLog entry:

Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
  - The new transfer() function has been well tested. I recommend upgrading any previous version with this one.
* Bugfixes
  - Fixed support for encrypted passphrases (broken in 4.19).
  - Reduced amount of debug logs.
  - A minor man page update.

Home page/download: http://stunnel.mirt.net/
sha1sum for stunnel-4.20.tar.gz file: a9a449b28a4f34ab22f6b4bfaa81c1904a5883c4

Best regards, Mike
Stunnel 4.19 released
Dear Users,

A new version of stunnel has just been released.

Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
* Release notes
  - There are a lot of new features in this version. I recommend to test it well before upgrading your mission-critical systems.
* New features
  - New service-level option to specify OCSP server flag: OCSPflag = flag
  - protocolCredentials option changed to protocolUsername and protocolPassword
  - NTLM support to be enabled with the new service-level option: protocolAuthentication = NTLM
  - imap protocol negotiation support added.
  - Passphrase cache was added so the user does not need to reenter the same passphrase for each defined service any more.
  - New service-level option to retry connect+exec section: retry = yes|no
  - Local IP and port is logged for each established connection.
  - Win32 DLLs for OpenSSL 0.9.8d.
* Bugfixes
  - Serious problem with SSL_WANT_* retries fixed. The new code requires extensive testing!

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/
sha1sum for stunnel-4.19.tar.gz: d58da8117278d71598279c77935585de81b74394

Best regards, Mike
Re: SSL3_GET_RECORD:wrong version number error
James Brown wrote:
> [ssmtp]
> client = yes
> accept = 465
> connect = 192.168.1.31:25

Port numbers suggest you're going to setup SSL server instead of SSL client. Just remove client = yes line.

Best regards, Mike
stunnel 4.18 released
Version 4.18, 2006.09.26, urgency: MEDIUM:
* Bugfixes
  - GPF on entering private key pass phrase on Win32 fixed.
  - Updated Win32 OpenSSL DLLs.
  - Minor configure script update.

Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/
sha1sum for stunnel-4.18.tar.gz: 3ed3eaefae91d80fcfcbb29dd285d0f773756397

Best regards, Mike
stunnel 4.16 released
A new version of stunnel has been released.

Version 4.16, 2006.08.31, urgency: MEDIUM:
* New features sponsored by Hewlett-Packard
  - A new global option to control engine: engineCtrl = command[:parameter]
  - A new service-level option to select engine to read private key: engineNum = engine number
  - OCSP support: ocsp = URL
* New features
  - A new option to select version of SSL protocol: sslVersion = all|SSLv2|SSLv3|TLSv1
  - Visual Studio vc.mak by David Gillingham [EMAIL PROTECTED].
  - OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
  - An ordinary user can install stunnel again.
  - Compilation problem with --enable-dh fixed.
  - Some minor compilation warnings fixed.
  - Service-level CRL cert store implemented.
  - GPF on protocol negotiations fixed.
  - Problem detecting addrinfo() on Tru64 fixed.
  - Default group is now detected by configure script.
  - Check for maximum number of defined services added.
  - OpenSSL_add_all_algorithms() added to SSL initialization.
  - configure script sections reordered to detect pthread library functions.
  - RFC 2487 autodetection improved (thx to Hans Werner Strube). High resolution s_poll_wait() not currently supported by UCONTEXT threading.
  - More precise description of cert directory file names (thx to Muhammad Muquit).
* Other changes
  - Maximum number of services increased from 64 to 256 when poll() is used.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/
sha1 hash for stunnel-4.16.tar.gz file: 6772e0c7f26c2596564ba66978597db8cd229a72

Best regards, Mike
stunnel 4.15 released
Version 4.15, 2006.03.11, urgency: LOW:
* Release notes
  - There are a lot of new features in this version. I recommend to test it well before upgrading your mission-critical systems.
* Bugfixes
  - Fix for pthreads on Solaris 10 (thx to Hans Werner Strube [EMAIL PROTECTED]).
  - Attempt to autodetect socklen_t type in configure script.
  - Default threading model changed to pthread for better portability.
  - DH parameters are not included in the certificate by default.
* New features sponsored by Software House http://www.swhouse.com/
  - Most SSL-related options (including client, cert, key) are now available on service level, so it is possible to have an SSL client and an SSL server in a single stunnel process.
  - Windows CE (version 3.0 and higher) support.
* New features
  - Client mode CONNECT protocol support (RFC 2817 section 5.2). http://www.ietf.org/rfc/rfc2817.txt
  - Retrying exec+connect services added.
* File locations are more compliant to Filesystem Hierarchy Standard 2.3
  - configuration and certificates are in $prefix/etc/stunnel/
  - binaries are in $prefix/sbin/
  - default pid file is $prefix/var/run/stunnel.pid
  - manual is $prefix/man/man8/stunnel.8
  - other docs are in $prefix/share/doc/stunnel/
  - libstunnel is in $prefix/lib
  - chroot directory is setup in $prefix/var/lib/stunnel/ this directory is chmoded 1770 and group nogroup

sha1sum for stunnel-4.15.tar.gz: 735406c1ca94904581158a434214e1f6568539d0
Home page: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Mike
AES key length selection bug in OpenSSL 0.9.8a
Dear OpenSSL users,

OpenSSL 0.9.8a does not allow to properly select AES key length. It selects both 128-bit and 256-bit AES no matter which one was specified:

[EMAIL PROTECTED]:~$ /usr/local/ssl/bin/openssl version
OpenSSL 0.9.8a 11 Oct 2005
[EMAIL PROTECTED]:~$ /usr/local/ssl/bin/openssl ciphers -v AES256-SHA
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

The old OpenSSL version works fine:

[EMAIL PROTECTED]:~$ /usr/bin/openssl version
OpenSSL 0.9.7e 25 Oct 2004
[EMAIL PROTECTED]:~$ /usr/bin/openssl ciphers -v AES256-SHA
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

Here is another example of the same problem:

[EMAIL PROTECTED]:~$ /usr/local/ssl/bin/openssl s_client -cipher AES128-SHA
CONNECTED(0003)
[cut]
SSL-Session:
Protocol : TLSv1
Cipher: AES256-SHA
[cut]

Is there any known solution? Can you help?

Best regards, Mike
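Added example (not part of the original message): a check that a cipher list made only of explicit cipher names expands to exactly those names, and that the cipher reported by s_client is one of them, run over the output quoted above. The sample strings are constructed from that output; the function names are assumptions made for this illustration, and lists using keywords or the !, + and - operators are rejected rather than interpreted.

```python
import re
from dataclasses import dataclass

# Constructed samples, copied from the command output quoted in the message.
CIPHERS_098A = """\
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""
CIPHERS_097E = "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1\n"
S_CLIENT_098A = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

ENC_RE = re.compile(r"^(?P<alg>[^()]+)\((?P<bits>\d+)\)$")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class Cipher:
    name: str
    protocol: str
    enc: str
    bits: int
    attrs: tuple  # remaining key=value pairs, e.g. (("Au", "RSA"), ...)


def parse_ciphers_v(text):
    """Parse 'openssl ciphers -v' rows: name, protocol, then key=value fields."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        enc = attrs.pop("Enc", "")
        m = ENC_RE.match(enc)
        alg, bits = (m["alg"], int(m["bits"])) if m else (enc, 0)
        rows.append(Cipher(fields[0], fields[1], alg, bits,
                           tuple(sorted(attrs.items()))))
    return rows


def parse_negotiated(s_client_text):
    """Return the cipher named in the SSL-Session block, or None."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)\s*$", s_client_text, re.M)
    return m.group(1) if m else None


def audit(requested, ciphers_v_text="", s_client_text=None):
    """List every cipher that appears although it was not asked for."""
    wanted = requested.split(":")
    for name in wanted:
        # Leading '-' would be the delete operator, not a cipher name.
        if not NAME_RE.match(name) or name.startswith("-"):
            raise ValueError("only explicit cipher names are supported: %r" % name)
    findings = []
    for c in parse_ciphers_v(ciphers_v_text):
        if c.name not in wanted:
            findings.append("expanded to unrequested %s (%s, %d bits)"
                            % (c.name, c.enc, c.bits))
    if s_client_text is not None:
        got = parse_negotiated(s_client_text)
        if got is not None and got not in wanted:
            findings.append("negotiated %s, outside requested list" % got)
    return findings


if __name__ == "__main__":
    print("0.9.7e:", audit("AES256-SHA", CIPHERS_097E))
    print("0.9.8a:", audit("AES256-SHA", CIPHERS_098A))
    print("0.9.8a s_client:", audit("AES128-SHA", s_client_text=S_CLIENT_098A))
```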
stunnel 4.11 released
Dear Users,

Here is the ChangeLog entry:

Version 4.11, 2005.07.09, urgency: MEDIUM:
* New features
  - New ./configure option --with-threads to select thread model.
  - ./configure option --with-tcp-wrappers renamed to --disable-libwrap. I hope the meaning of the option is much more clear, now.
* Bugfixes
  - Workaround for non-standard makecontext() uc_stack.ss_sp parameter semantics on Sparc/Solaris 9 and earlier.
  - scan_waiting_queue() no longer drops contexts.
  - Inetd mode coredumps with UCONTEXT fixed.
  - Cleanup context is no longer used.
  - Releasing memory of the current context is delayed.
  - Win32 headers reordered for Visual Studio 7.
  - Some Solaris compilation warnings fixed.
  - Rejected inetd mode without 'connect' or 'exec'.
* Release notes
  - UCONTEXT threading seems stable, now. Upgrade is recommended.

sha1sum for stunnel-4.11.tar.gz file: cf57169d591fbe3371a29e432d840e7f66103a9f

Best regards, Mike
Stunnel 4.10 released
Here is the ChangeLog entry:

Version 4.10, 2005.04.23, urgency: LOW/EXPERIMENTAL:
* DLLs for OpenSSL 0.9.7g.
* Bugfixes
  - Missing locking on Win32 platform was added (thx to Yi Lin [EMAIL PROTECTED])
  - Some problems with closing SSL fixed.
* New features
  - New UCONTEXT user-level non-preemptive threads model is used on systems that support SYSV-compatible ucontext.h.
  - Improved stunnel3 script with getopt-compatible syntax.
* Release notes
  - This version should be thoroughly tested before using it in the mission-critical environment.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Mike
Re: Use of Engines
On Thursday 07 of April 2005 23:42, Edward Chan wrote:
> I have looked in various code, and I mostly see the latter. But in the stunnel code, I see them doing
> ENGINE* e = ENGINE_by_id(id);
> ENGINE_init(e);
> ENGINE_set_default(e, ENGINE_METHOD_ALL);

That's exactly what engine(3) manual recommends in Using a specific ENGINE implementation section, isn't it?

Best regards, Mike
Re: SSL_shutdown returns 0 (retry) after EPIPE sys error.
On 2005-03-29, at 21:15, [EMAIL PROTECTED] wrote:
> On Solaris, truss shows this:
> 18416: poll(0xFEE219D0, 2, 4320) = 1
> 18416: write(13, 150301\018 3F1DBCCCBCAE3.., 29) Err#32 EPIPE

What is your configuration?

> The stunnel source implies that it will retry the shutdown when SSL_shutdown returns 0.

The manual claims:

  0   The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error(3) may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
  -1  The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non blocking BIOs. Call SSL_get_error(3) with the return value ret to find out the reason.

So SSL_shutdown() should return -1 on a fatal error, shouldn't it?

> Stunnel does not check for system errors when SSL_shutdown returns 0 ( maybe it should?).

I don't think so... In fact it's explicitly forbidden to check for an error here...

Best regards, Mike (the author of stunnel)
Stunnel 4.09 released
New stunnel 4.09 can be found on my FTP site: ftp://stunnel.mirt.net/stunnel/

Here is the ChangeLog entry:
* DLLs for OpenSSL 0.9.7f.
* Bugfixes
  - Compilation problem with undeclared socklen_t fixed.
  - TIMEOUTclose is not used when there is any data in the buffers.
  - Stunnel no longer relies on close_notify with SSL 2.0 connections, since SSL 2.0 protocol does not have any alerts defined.
  - Closing SSL socket when there is some data in SSL output buffer is detected and reported as an error.
  - Install/chmod race condition when installing default certificate fixed.
  - Stunnel no longer installs signal_handler on ignored signals.

Best regards, Mike
Stunnel 4.08 released
Here is the ChangeLog entry for the new stunnel 4.08:

Version 4.08, 2005.02.27, urgency: LOW:
* New features
  - New -quiet option was added to install NT service without a message box.
* Bugfixes
  - Using $(DESTDIR) in tools/Makefile.am.
  - Define NI_NUMERICHOST and NI_NUMERICSERV when needed.
  - Length of configuration file line increased from 256B to 16KB.
  - Stunnel sends close_notify when a close_notify is received from SSL peer and all remaining data is sent to SSL peer.
  - Some fixes for bugs detected by the watchdog.
* Release notes
  - There were many changes in the transfer() function (the main loop). This version should be thoroughly tested before using it in the mission-critical environment.

Home page downloads: http://stunnel.mirt.net/

Best regards, Mike
Stunnel 4.07 released
New release fixes several bugs introduced in version 4.06.

ChangeLog entry:

Version 4.07, 2005.01.03, urgency: MEDIUM:
* Bugfixes
  - Problem with infinite poll() timeout negative, but not equal to -1 fixed.
  - Problem with a file descriptor ready to be read just after a non-blocking connect call fixed.
  - Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed.
  - IP address and TCP port textual representation length (IPLEN) increased to 128 bytes.
  - OpenSSL engine support is only used if engine.h header file exists.
  - Broken NT Service mode on WIN32 platform fixed.
  - Support for IPv4-only WIN32 machines restored.

Homepage: http://stunnel.mirt.net/

Best regards, Mike
Stunnel 4.06 released
Here is the ChangeLog entry:

Version 4.06, 2004.12.26, urgency: LOW:
* New feature sponsored by SURFnet http://www.surfnet.nl/
  - IPv6 support (to be enabled with ./configure --enable-ipv6).
* New features
  - poll() support - no more FD_SETSIZE limit!
  - Multiple connect=host:port options are allowed in a single service section. Remote hosts are connected using round-robin algorithm. This feature is not compatible with delayed resolver.
  - New 'compression' option to enable compression. To use zlib algorithm you have to enable it when building OpenSSL library.
  - New 'engine' option to select a hardware engine.
  - New 'TIMEOUTconnect' option with 10 seconds default added.
  - stunnel3 perl script to emulate version 3.x command line options.
  - French manual updated by Bernard Choppy choppy AT free POINT fr.
  - A watchdog to detect transfer() infinite loops added.
  - Configuration file comment character changed from '#' to ';'. '#' will still be recognized to keep compatibility.
  - MT-safe getaddrinfo() and getnameinfo() are used where available to get better performance on resolver calls.
  - Automake upgraded from 1.4-p4 to 1.7.9.
* Bugfixes
  - log() changed to s_log() to avoid conflicts on some systems.
  - Common CRIT_INET critical section introduced instead of separate CRIT_NTOA and CRIT_RESOLVER to avoid potential problems with libwrap (TCP Wrappers) library.
  - CreateThread() finally replaced with _beginthread() on Win32.
  - make install creates $(localstatedir)/stunnel. $(localstatedir)/stunnel/dev/zero is also created on Solaris.
  - Race condition with client session cache fixed.
  - Other minor bugfixes.
* Release notes
  - Win32 port requires Winsock2 to work. Some Win95 systems may need a free update from Microsoft. http://www.microsoft.com/windows95/downloads/
  - Default is *not* to use IPv6 '::' for accept and '::1' for connect. For example to accept pop3s on IPv6 you could use: 'accept = :::995'. I hope the new syntax is clear enough.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards, Mike
Updated cross_mingw32.sh
Dear OpenSSL Users, I've updated my cross_mingw32.sh script to cross-compile WIN32 binaries on Unix. ftp://stunnel.mirt.net/stunnel/openssl/cross_mingw32.sh I think it could be a good idea to update the script on http://www.openssl.org/contrib/ page. Best regards, Mike
Re: [Fwd: stunnel 4.04 crashes running on Win2K Prof]
Andrey,

You've discovered a serious bug in the OpenSSL 0.9.7 library. Disassembling the library revealed that your GPF appeared in the middle of list section of the SSL_SESSION_list_remove() function located in the ssl_sess.c source file. I guess the list gets corrupted somewhere else, possibly due to a heap allocation problem (a heap overflow or a double-free). I'm forwarding this message to the openssl-users mailing list where it belongs.

The original report by Andrey A. Beletsky [EMAIL PROTECTED]:

I've installed stunnel 4.04 and OpenSSL 0.9.7 (taken recently from www.stunnel.org) on Win2k Prof workstation. I use it to wrap mailer requests to my Internet provider into SSL tunnel. stunnel installed as Win2k service. It's very important for me to have stunnel service working permanently. But from time to time this service crashes... About two-three times a week... In such case in the System Event Log I have the following message:

==
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 17.02.2003
Time: 10:24:56
User: N/A
Computer: INET
Description: The stunnel service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.
==

While in the Application Event Log the message is more informative:

==
Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 17.02.2003
Time: 10:24:03
User: N/A
Computer: INET
Description: The application, , generated an application error The error occurred on 02/17/2003 @ 10:24:02.887 The exception generated was c005 at address 6B086C9C (SSL_SESSION_get_ex_new_index)
Stunnel 4.04 released
Version 4.04, 2003.01.12, urgency: MEDIUM:
* New feature sponsored by SURFnet http://www.surfnet.nl/
  - Encrypted private key can be used with Win32 GUI.
* New features
  - New 'options' configuration option to setup OpenSSL library hacks with SSL_CTX_set_options().
  - 'service' option also changes the name for TCP Wrappers access control in inetd mode.
  - Support for BeOS (thx to Mike I. Kozin [EMAIL PROTECTED])
  - SSL is negotiated before connecting remote host or spawning local process whenever possible.
  - REMOTE_HOST variable is always placed in the environment of a process spawned with 'exec'.
  - Whole SSL error stack is dumped on errors.
  - 'make cert' rule is back (was missing since 4.00).
  - Manual page updated (special thanks to Brian Hatch).
  - TODO updated.
* Bugfixes
  - Major code cleanup (thx to Steve Grubb [EMAIL PROTECTED]).
  - Unsafe functions are removed from SIGCHLD handler.
  - Several bugs in auth_user() fixed.
  - Incorrect port when using 'local' option fixed.
  - OpenSSL tools '-rand' option is no longer directly used with a device (like '/dev/urandom'). Temporary random file is created with 'dd' instead.
* DLLs for OpenSSL 0.9.7.

The problem with unsafe SIGCHLD handler is a serious one, so I recommend the upgrade.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Mike
Re: Stunnel 4.01 released
Version 4.02, 2002.10.21, urgency: HIGH:
* Serious bug in ECONNRESET handling fixed.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Mike
stunnel 4.00 released
Version 4.00, 2002.08.30, urgency: LOW:
* New features sponsored by MAXIMUS http://www.maximus.com/
  - New user interface (config file).
  - Single daemon can listen on multiple ports, now.
  - Native Win32 GUI added.
  - Native NT/2000/XP service added.
  - Delayed DNS lookup added.
* Other new features
  - All the timeouts are now configurable including TIMEOUTclose that can be set to 0 for MSIE and other buggy clients that do not send close_notify.
  - Stunnel process can be chrooted in a specified directory.
  - Numerical values for setuid() and setgid() are allowed, now.
  - Confusing code for setting certificate defaults introduced in version 3.8p3 was removed to simplify stunnel setup. There are no built-in defaults for CApath and CAfile options.
  - Private key file for a certificate can be kept in a separate file. Default remains to keep it in the cert file.
  - Manual page updated.
  - New FHS-compatible build system based on automake and libtool.
* Bugfixes
  - `SSL socket closed on SSL_write' problem fixed.
  - Problem with localtime() crashing Solaris 8 fixed.
  - Problem with tcp wrappers library detection fixed.
  - Cygwin (http://www.cygwin.com/) support added.
  - __svr4__ macro defined for Sun C/C++ compiler.
* DLLs for OpenSSL 0.9.6g.

Homepage: http://stunnel.mirt.net/

Best regards,
Mike
A script to cross compile OpenSSL DLLs
I've written a script to cross compile OpenSSL DLLs on a Unix platform. I hope you'll find it useful. My script is in the attachment. It was tested on Debian GNU/Linux (Woody) and mingw32-linux-x86-glibc-2.1.tar.gz Best regards, Mike

cross_mingw32.sh Description: cross compilation script
Cross-compiling
I was able to compile openssl executable for Win32 on my Linux machine (just like I do for my stunnel for a long time). The target definition in Configure file was:

  mingw32msvc, i386-mingw32msvc-gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::win32i386-mingw32msvc-ranlib,

My cross-compiler was mingw32-linux-x86-glibc-2.1.tar.gz. I had to rename openssl to openssl.exe. Then I created dlls:

  perl util/mkdef.pl 32 libeay > ms/libeay32.def
  perl util/mkdef.pl 32 ssleay > ms/ssleay32.def
  i386-mingw32msvc-dllwrap --dllname libeay32.dll --output-lib libeay32.a --def ms/libeay32.def libcrypto.a -lwsock32 -lgdi32
  i386-mingw32msvc-dllwrap --dllname libssl32.dll --output-lib libssl32.a --def ms/ssleay32.def libssl.a libeay32.a

My questions:
1. What is the reason behind #ifdef WINDOWS #include bss_file.c at apps/apps.c and other places? (after Vadim Fedukovich [EMAIL PROTECTED] on Mon, 17 Dec 2001 18:04:06 +0200)
2. Is there a chance for the cross-compilation to be supported? Should I send someone a patch?

You can download results of my work from ftp://ftp.mirt.net/openssl/binary/.

BTW: Am I the only developer that doesn't have a Windows development machine?

Best regards,
Mike
Re: problems connecting to peer
Dustin Swint wrote:

Aug 21 16:57:05 pearl stunnel[9253]: SSL_connect: error:24064064: random number generator:SSLEAY_RAND_BYTES:PRNG not seeded

Read: http://www.stunnel.org/faq/troubleshooting.html#ToC18

Best regards,
Mike
Stunnel 3.17 released
Changelog for version 3.17, 2001.07.29, urgency: MEDIUM:
* Problem with coredump on exit with active threads fixed.
* Timeout for transfer() function added:
  - 1 hour if socket is open for read
  - 1 minute if socket is closed for read

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Mike
SSL_get_rfd() and SSL_get_wfd()
Dear OpenSSL maintainers,

Two of OpenSSL functions:

  int SSL_get_rfd(SSL *ssl);
  int SSL_get_wfd(SSL *ssl);

are documented in the manual, but not implemented. It would be nice to have this problem fixed.

Best regards,
Michal Trojnara
the author of stunnel
Stunnel 3.15 has been released
Changelog for version 3.15, 2001.07.15, urgency: MEDIUM:
* Serious bug resulting in random transfer() hangs fixed.
* Separate file descriptors are used for inetd mode.
* -f (foreground) logs are now stamped with time.
* New ./configure option: --with-tcp-wrappers by Brian Hatch.
* pop3 protocol client support (-n pop3) by Martin Germann.
* nntp protocol client support (-n nntp) by Martin Germann.
* RFC 2487 (smtp STARTTLS) client mode support.
* Transparency support for Tru64 added.
* Some #includes for AIX added.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
Mike
Stunnel 3.9 released
For your information: stunnel version 3.9 has been released.

New features:
* Updated temporary key generation:
  - stunnel is now honoring requested key-lengths correctly,
  - temporary key is changed every hour.
* transfer() no longer hangs on some platforms. Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Regards,
Mike
stunnel homepage
Dear OpenSSL users, Stunnel has a new homepage: http://stunnel.mirt.net/ Please update your links and bookmarks. Regards, Mike
Re: C equivalent of a perl function
Automatic reply: I am on a well-deserved vacation until May 5. In urgent matters please contact Kamil Kilinski. Best regards, Michal Trojnara

"[EMAIL PROTECTED]" 05/05/00 16:43

AFAIK there is not a =~

On Thu, 04 May 2000, Paul Khavkine wrote:

Hi. Anyone would know what is the C equivalent of: pack('H*', $data) Or if there's no function for that, how would I do that? Thanx Paul
Re: Memory leaks when PEM_read_bio_PrivateKey fails
Automatic reply: I am on a well-deserved vacation until May 5. In urgent matters please contact Kamil Kilinski. Best regards, Michal Trojnara

"[EMAIL PROTECTED]" 05/01/00 21:51

Amit Chopra [EMAIL PROTECTED]:

I had reported some leaks some time back, but got no response from the mailing list. OpenSSL 0.9.4 leaks 332 bytes for ERR_STATE struct allocated while doing SSL_read.

  ERR_get_state [err.c:561] = ret=(ERR_STATE *)Malloc(sizeof(ERR_STATE));

It also leaks 12 bytes allocated for an LHASH_NODE in SSL_read.

  lh_insert [lhash.c:196] ((nn=(LHASH_NODE*)Malloc(sizeof(LHASH_NODE)))

Are these the leaks in question? I still haven't found a way to fix them.

Please try the latest snapshot. If your program calls ERR_remove_state(0) before exiting, there should be no such leaks now.
Re: BN functions and Solaris 7 'bc' disagree
Automatic reply: I am on a well-deserved vacation until May 5. In urgent matters please contact Kamil Kilinski. Best regards, Michal Trojnara

"[EMAIL PROTECTED]" 04/29/00 19:36

Ted Powell @tgivan.com:

When I ran openssl-0.9.5a's "make test", the tmp.bntest file that was written contained (out of 1800+ tests) seven expressions which Solaris 7's 'bc' evaluated to give non-zero results. [...] When I feed the problematic tmp.bntest to GNU bc (version 1.05a, on Red Hat Linux 6.2) all the expressions evaluate to zero, as they should. My concern is this: Do the BN library and GNU 'bc' agree with each other because they are both right (and the Solaris 'bc' has a bug), or do the BN library and GNU 'bc' agree with each other because they each have the same bug (and the Solaris 'bc' is giving correct answers)?

GNU bc does not use the BN library, so it would be strange if they had the same bugs; so this looks like problem of Solaris bc. Why don't you post the offending lines so that the computations can be verified with yet other software?