Stunnel.org

Stunnel Patches

At various times folks release patches to the current version of Stunnel. Sometimes these make it into the next version of the software, sometimes they do not. Below you will find various patches submitted by users.

If you wish to submit a patch, please retrieve the latest version of stunnel for comparison. Patches should be in 'diff -cr' form. You are welcome to submit them directly to the webmaster or you can submit them to the mailing list. Please include information about what the patch does, how, and why.

How do I get a patch included into the release versions of Stunnel?

Only patches released into the public domain stand a chance of getting into the actual Stunnel source. This means revised BSD patches are likely acceptable. Original BSD and GNU patches are not for example.

You are welcome to submit patches with alternate licenses, however you must explicitly say so when submitting them to the mailing list or maintainers. Any patch that is submitted without an acompanying license will be assumed to be a public domain patch.

User-submitted Patches

This website makes patches available for use by the Internet community. However it does not endorse any of the patches contained herein. They could be work perfectly, or totally foul up everything. We don't know. Contact the authors if you have any questions. Use at your own risk.

Creator Steven Van Acker
Patch to Version 4.05
Type New Feature
Patch poll_deepstar.patch
Description
(Full Text)
Poll vs Select handling

Creator Neil Dunbar
Patch to Version 4.05
Type New Feauter
Patch connect-proxy_dunbar.patch
Description
(Full Text)
HTTP Connect-style proxying

Creator Matthias Wald
Patch to Version 4.05
Type New Feature
Patch connect-proxy.mwald.patch
Description
(Full Text)
HTTP Connect-style proxy

Creator Brian Hatch
Patch to Version 4.04
Type New Feature
Patch stdin_confpatch_bri.patch
Description
(Full Text)
Allow config file on stdin or any arbitrary file descriptor

Creator Jan-Piet Mens
Patch to Version 4.04
Type New Feature
Patch dispatcher-ldap.patch
Description
(Full Text)
Determine tunnel endpoint dynamically via LDAP lookups

Creator Diarmuid O'Neill
Patch to Version 3.23
Type Enhancement
Patch stunnel-3.23_engine.patch
Description
(Full Text)
OpenSSL Engine support

Creator Diarmuid O'Neill
Patch to Version 4.04
Type New Feature
Patch stunnel-4.04_engine.patch
Description
(Full Text)
OpenSSL Engine Patch

Creator Brian Hatch
Patch to Version 4.04
Type Bugfix
Patch blinding-4.x_bri.patch
Status Not needed if you have recent versions (later than 0.9.6j or 0.9.7b) of OpenSSL. Patch fixed on Apr 23, 2003, to not turn on blinding in client mode when no cert in use.
Description
(Full Text)
Forces RSA blinding to prevent timing attacks which can determine an RSA private key.

Creator Brian Hatch
Patch to Version 3.22
Type Bugfix
Patch blinding-3.x_bri.patch
Status Not needed if you have recent versions (later than 0.9.6j or 0.9.7b) of OpenSSL. Patch included in 3.24 and later. Patch updated Apr 23, 2003 to fix bug where blinding attempted even in client mode with no cert.
Description
(Full Text)
Forces RSA blinding to prevent timing attacks which can determine an RSA private key.

Creator David A Jenkins
Patch to Version 4.04
Type Enhancement
Patch poll_dj.patch
Description
(Full Text)
Patch to replace calls to select with poll

Creator Peter Friend
Patch to Version 3.24
Type New Feature
Patch highfds.patch
Description
(Full Text)
Work around a bug in some systems (Solaris?) that have trouble with descriptors greater than 255.

Creator Richard Antony Burton
Patch to Version 4.04
Type New Feature
Patch MSVC++6.patch
Description
(Full Text)
Enables you to compile with Microsoft Visual C++ 6 natively. (Patch file is really a zip file, rename appropriately.)

Creator OpenSSL Development Team
Patch to Version 4.04
Type Bugfix
Patch openssl-rsablinding.patch
Description
(Full Text)
This is a patch to OpenSSL versions 0.9.7a and earlier, and 0.9.6i and earlier. It forces RSA blinding, which can defeat a recently discovered timing attack that could allow a cracker to brute force your private RSA keys. You do not need this if you use Stunnel 4.05 or later, or OpenSSL-0.9.7b or later or OpenSSL-0.9.6j or later.

Creator Sascha Silbe
Patch to Version 4.04
Type New Feature
Patch cert-purpose_sascha.patch
Description
(Full Text)
check peer's certificate purpose (client, server, smime, etc)

Creator Scott Gifford
Patch to Version 3.22
Type Enhancement
Patch many_sgifford.patch
Description
(Full Text)
Non-SSL passthrough for negotiated protocols, immediate chroot/setuid options, use open file descriptor instead of new remote socket or local program, and more.

Creator Joseph Formoso
Patch to Version 4.04
Type Bugfix
Patch irixsigchd_jformoso.patch
Description
(Full Text)
SIGCHLD fix for Irix

Creator Diarmuid O'Neill
Patch to Version 3.23
Type New Feature
Patch engine_doneill.patch
Description
(Full Text)
OpenSSL Engine support

Creator Diarmuid O'Neill
Patch to Version 4.04
Type New Feature
Patch engine-4.x_doneill.patch
Description
(Full Text)
OpenSSL Engine Support

Creator Geoff Thorpe
Patch to Version 4.04
Type New Feature
Patch distcache_geoff.patch
Description
(Full Text)
distributed session caching with distcache

Creator Markus Moeller
Patch to Version 4.04
Type new feature
Patch kerberos_mm.patch
Description
(Full Text)
Adds kerberos support to Stunnel

Creator Steve Grubb
Patch to Version 3.14
Type Enhancement
Patch chld-syslog-etc_grubb.patch
Description
(Full Text)
Patch for fork model (SIGCHLD, syslog, reaping, etc)

Creator Jukka Pihl
Patch to Version 3.20
Type Enhancement
Patch thread_pooling_jukka.patch
Description
(Full Text)
Posix Theard Pooling

Creator Peter D. Gray
Patch to Version 4.04
Type New Feature
Patch conndetails_peter.patch
Description
(Full Text)
writes connection details for current tunnel to filesystem

Creator Ken Mattsen
Patch to Version 4.04
Type New Feature
Patch showontray_kmattsen.patch
Description
(Full Text)
Ability to turn on/off the tray icon in Stunnel 4.x on Windows

Creator Aaron Linville
Patch to Version 3.19
Type Portability
Patch osx_aaron.patch
Description
(Full Text)
Allow compilation on Mac OS X and Darwin.

Creator Victor Danilchenko
Patch to Version 3.20
Type Bugfix
Patch syslog_danilche.patch
Description
(Full Text)
Force Stunnel to open and close the log each time it sends a message to avoid a bug in Digital Unix 4.0d (and perhaps others)

Creator Matthias Lange
Patch to Version 3.21c
Type Security
Patch formatbug_ml.patch
Status Will be incorporated into 3.22
Description
(Full Text)
Fix for format bug in pop/smtp negotiation code.

Creator deekoo@tentacle.net
Patch to Version 3.20
Type New feature
Patch env_rem_host_deeko.patch
Description
(Full Text)
Allow you to specify the remote host in an env var, not on command line

Creator Petr Vandrovec
Patch to Version 3.18
Type New Feature
Patch vandrove_oob.patch
Status Similar functionality introduced into Stunnel-3.19
Description
(Full Text)
New -O option to discard (rather than inline) OOB data.

Creator John R Durand
Patch to Version 4.03
Type New Feature
Patch xforwardedfor_jrd.patch
Description
(Full Text)
Add an X-Forwarded-For header for HTTP connections.

Creator Kristofer T. Karas
Patch to Version 3.14
Type feature
Patch stdout_ktk.patch
Status Similar functionality introduced into stunnel-3.15
Description
(Full Text)
Allow Stunnel to read from stdin and write to stdout

Creator Sven Paulus
Patch to Version 3.22
Type New Feature
Patch ssl_method_sp.patch
Description
(Full Text)
Select SSL method (ssl2/ssl3/tls) from the command line

Creator Martin Germann
Patch to Version 3.14
Type New feature
Patch nntp_germann.patch
Status Integrated into stunnel-3.15
Description
(Full Text)
Adds '-n nntp' negotiation option to Stunnel.

Creator Martin Germann
Patch to Version 3.14
Type New feature
Patch pop_germann.patch
Status Integrated into stunnel-3.15
Description
(Full Text)
Adds '-n pop' negotiation option to Stunnel.

Creator Nathan
Patch to Version 3.x
Type New Feature
Patch pop3_starttls_nathan.patch
Description
(Full Text)
POP3 STARTTLS server negotiation

Creator Brent Baccala
Patch to Version 3.14
Type Feature
Patch delay-lookup.baccala.patch
Description
(Full Text)
Delay dns lookups until connect time (run-time option)

Creator Michael Brown
Patch to Version 3.14
Type Feature
Patch delay-lookup.michaelb.patch
Description
(Full Text)
Delay dns lookups until connect time (run-time option)

Creator David A Jenkins
Patch to Version 3.14
Type New Feature
Patch bandwidth-limiting_dj.patch
Description
(Full Text)
Enable bandwidth-limiting options to Stunnel

Creator David A Jenkins
Patch to Version 4.04
Type New Feature
Patch bandwidth-limiting-2_dj.patch
Description
(Full Text)
Enable per-connection bandwidth limiting options to Stunnel

Creator Mike Wilson
Patch to Version 3.20
Type Enhancement
Patch nmake_wilson.patch
Description
(Full Text)
Patch to stunnel.mak to support nmake

Creator Martin Germann
Patch to Version 3.14
Type Bugfix
Patch smtp_martin.patch
Description
(Full Text)
Modify STARTTLS negotiation.

Creator Daniel Savard
Patch to Version 4.00
Type New Feature
Patch connect-proxy_savardd.patch
Description
(Full Text)
Use stunnel through a https proxy that supports the CONNECT protocol.

Creator Anon A. Mous
Patch to Version 3.22
Type New Feature
Patch proxy_anon.patch
Description
(Full Text)
Proxy Passthru (HTTP CONNECT) patch

Creator Tan Swee Heng
Patch to Version 3.14
Type New Feature
Patch proxy_sweeheng.patch
Description
(Full Text)
Patch Stunnel to support web proxies (squid, etc.)

Creator Craig Boston
Patch to Version 3.14
Type Enhancement
Patch winnt_cboston.patch
Description
(Full Text)
NT Enhancements - MS Visual C++, Native service support, NT event logging

Creator Jonathan Hoffman
Patch to Version 3.14
Type New Feature
Patch certchain_jih.patch
Description
(Full Text)
Allow use of certificate chains, borrowed from mod_ssl code.

Creator Kai Engert
Patch to Version 3.11
Type New feature
Patch smb_kai.patch
Description
(Full Text)
Adds SMB support to Stunnel for samba/windows mounts

Creator Markus Foerster
Patch to Version 3.11
Type feature
Patch setenv_mf.patch
Description
(Full Text)
Have Stunnel set several environment variables that are related to the SSL session, such as the client side certificate.

Creator Markus Foerster
Patch to Version 3.11
Type feature
Patch stdout_mf.patch
Status Similar functionality introduced into stunnel-3.15
Description
(Full Text)
Allow Stunnel to read from stdin and write to stdout

Creator Peter Wagemans
Patch to Version 3.8pX
Type new feature
Patch sslloop_pwagemans.patch
Status Integrated into stunnel-3.9.
Description
(Full Text)
Improved SSL loop code, based on the state_machine.c from Ben Laurie.
According to users who have tried it, this fixes the annoying random stalls and hangs that stunnel has occasionaly experienced on certain platforms or with other SSL software.

Creator Oliver Mandischer
Patch to Version 3.11
Type feature
Patch client_smtp_om.patch
Description
(Full Text)
Allow client mode smtp protocol

Creator Kristofer T. Karas
Patch to Version 3.8
Type new feature
Patch keylength_ktk.patch
Status Problem fixed independently in 3.9.
Description
(Full Text)
Patch to fix incompatible key-length problems. Stunnel wasn't honoring requested key-lengths correctly, causing some clients (such as IE 40-bit) to fail during the handshake phase.

Creator Ole Craig
Patch to Version 3.8p4
Type new feature
Patch syslog_fac_olc2.patch
Status Functionality will be included in stunnel-3.8p5.
Description
(Full Text)
An improved version of the previous syslog-facility patch. Allows you to specify a syslog facility instead of relying on DAEMON

Creator Robert Spier
Patch to Version 3.8p4
Type new feature
Patch wingui_rspier.patch
Status Alpha software. This functionality will be integrated when it is more tested. (Also requires the icon2.ico file in the patches directory)
Description
(Full Text)
A minimal GUI for Stunnel in Windows.

Creator Ole Craig
Patch to Version 3.8p4
Type new feature
Patch syslog_fac_olc.patch
Status Depreciated, use the newer patch which 'upgrades' the the -D flag instead.
Description
(Full Text)
Allow you to specify a syslog facility instead of relying on DAEMON

Creator Brent Baccala
Patch to Version 3.8p4
Type bugfix
Patch spec_baccala.patch
Status Will be incorporated into 3.8p5 as is.
Description
(Full Text)
Make pids write to /var/run instead of /usr/local/var/stunnel

Creator Brian Hatch
Patch to Version 3.8
Type security/bugfix/new features
Patch stunnel-3.8p1.patch
Description
(Full Text)
Patch from 3.8 => 3.8p1

Creator Brian Hatch
Patch to Version 3.8
Type security/new feature
Patch pid_bri.patch
Status Incorporated into stunnel-3.8p1 and later
Description
(Full Text)
Fix how stunnel handles pid creation/deletion and fix fopen() insecurity

Creator Brian Hatch
Patch to Version 3.8
Type security
Patch prng_bri.patch
Status Incorporated into stunnel-3.8p1 and later
Description
(Full Text)
A patch to properly seed OpenSSL's PRNG

Creator Brian Hatch
Patch to Version 3.8
Type bugfix
Patch man_bri.patch
Status Incorporated into stunnel-3.8p1 and later
Description
(Full Text)
Fix the manual pages and '-h' output

Creator Brian Hatch
Patch to Version 3.8
Type new feature
Patch cacert_bri.patch
Status Incorporated into stunnel-3.8p1 and later
Description
(Full Text)
Add a flag to specify the location of your CA Certificate pem.

Creator Brian Hatch
Patch to Version 3.8
Type bugfix
Patch sessid_bri.patch
Status Incorporated into stunnel-3.8p1 and later
Description
(Full Text)
Allow client side SSL session ID reuse.

The Stunnel software package does not contain any cryptography itself, however please remember that import and/or export of cryptographic software, code providing hooks to cryptographic algorithms, and discussion about cryptography is illegal in some countries. It is imperative for you to know your local laws governing cryptography. We're not liable for anything you do that violates your local laws.