ChangeLog
stunnel Universal SSL tunnel
Version 4.34, 2010.09.19, urgency: LOW:
* New features
- Updated Win32 DLLs for OpenSSL 1.0.0a.
- Updated Win32 DLLs for zlib 1.2.5.
- Updated automake to version 1.11.1.
- Updated libtool to version 2.2.6b.
- Added ECC support with a new service-level "curve" option.
- DH support is now enabled by default.
- Added support for OpenSSL builds with some algorithms disabled.
- ./configure modified to support cross-compilation.
- Sample stunnel.init updated based on Debian init script.
* Bugfixes
- Implemented fixes in user interface to enter engine PIN.
- Fixed a transfer() loop issue on socket errors.
- Fixed missing WIN32 taskbar icon while displaying a global option error.
Version 4.33, 2010.04.05, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 1.0.0.
This library requires running c_rehash on the CApath/CRLpath directories on upgrade.
- Win32 DLLs for zlib 1.2.4.
- Experimental support for local mode on WIN32 platform.
Try "exec = c:\windows\system32\cmd.exe".
* Bugfixes
- Inetd mode fixed.
Version 4.32, 2010.03.24, urgency: MEDIUM:
* New features
- New service-level "libwrap" option for run-time control whether
/etc/hosts.allow and /etc/hosts.deny are used for access control.
Disabling libwrap significantly increases performance of stunnel.
- Win32 DLLs for OpenSSL 0.9.8m.
* Bugfixes
- Fixed a transfer() loop issue with SSLv2 connections.
- Fixed a "setsockopt IP_TRANSPARENT" warning with "local" option.
- Logging subsystem bugfixes and cleanup.
- Installer bugfixes for Vista and later versions of Windows.
- FIPS mode can be enabled/disabled at runtime.
Version 4.31, 2010.02.03, urgency: MEDIUM:
* New features
- Log file reopen on USR1 signal was added.
* Bugfixes
- Some regression issues introduced in 4.30 were fixed.
Version 4.30, 2010.01.21, urgency: LOW/EXPERIMENTAL:
* New features
- Graceful configuration reload with HUP signal on Unix
and with GUI on Windows.
Version 4.29, 2009.12.02, urgency: MEDIUM:
* New feature sponsored by Searchtech Limited http://www.astraweb.com/
- sessiond, a high performance SSL session cache was built for stunnel.
A new service-level "sessiond" option was added. sessiond is
available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
stunnel clusters will be a lot faster, now!
* Bugfixes
- "execargs" defaults to the "exec" parameter (thx to Peter Pentchev).
- Compilation fixes added for AIX and old versions of OpenSSL.
- Missing "fips" option was added to the manual.
Version 4.28, 2009.11.08, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8l.
- Transparent proxy support on Linux kernels >=2.6.28.
See the manual for details.
- New socket options to control TCP keepalive on Linux:
TCP_KEEPCNT, TCP_KEEPIDLE, TCP_KEEPINTVL.
- SSL options updated for the recent version of OpenSSL library.
* Bugfixes
- A serious bug in asynchronous shutdown code fixed.
- Data alignment updated in libwrap.c.
- Polish manual encoding fixed.
- Notes on compression implementation in OpenSSL added to the manual.
Version 4.27, 2009.04.16, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8k.
- FIPS support was updated for openssl-fips 1.2.
- New priority failover strategy for multiple "connect" targets,
controlled with "failover=rr" (default) or "failover=prio".
- pgsql protocol negotiation by Marko Kreen <markokr@gmail.com>.
- Building instructions were updated in INSTALL.W32 file.
* Bugfixes
- Libwrap helper processes fixed to close standard
input/output/error file descriptors.
- OS2 compilation fixes.
- WCE fixes by Pierre Delaage <delaage.pierre@free.fr>.
Version 4.26, 2008.09.20, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8i.
- /etc/hosts.allow and /etc/hosts.deny no longer need to be
copied to the chrooted directory, as the libwrap processes
are no longer chrooted.
- A more informative error messages for invalid port number
specified in stunnel.conf file.
- Support for Microsoft Visual C++ 9.0 Express Edition.
* Bugfixes
- Killing all libwrap processes at stunnel shutdown fixed.
- A minor bug in stunnel.init sample SysV startup file fixed.
Version 4.25, 2008.06.01, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8h.
* Bugfixes
- Spawning libwrap processes delayed until privileges are dropped.
- Compilation fix for systems without struct msghdr.msg_control.
Version 4.24, 2008.05.19, urgency: HIGH:
* Bugfixes
- OCSP code was fixed to properly reject revoked certificates.
Version 4.23, 2008.05.03, urgency: HIGH:
* Bugfixes
- Local privilege escalation bug on Windows NT based
systems fixed. A local user could exploit stunnel
running as a service to gain localsystem privileges.
Version 4.22, 2008.03.28, urgency: MEDIUM:
* New features
- Makefile was updated to use standard autoconf variables:
sysconfdir, localstatedir and pkglibdir.
- A new global option to control logging to syslog:
syslog = yes|no
Simultaneous logging to a file and the syslog is now possible.
- A new service level option to control stack size:
stack = <number of bytes>
* Bugfixes
- Restored chroot() to be executed after decoding numerical
userid and groupid values in drop_privileges().
- A few bugs fixed in the new libwrap support code.
- TLSv1 method used by default in FIPS mode instead of
SSLv3 client and SSLv23 server methods.
- OpenSSL GPL license exception update based on
http://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs
Version 4.21, 2007.10.27, urgency: LOW/EXPERIMENTAL:
* New features sponsored by Open-Source Software Institute
- Initial FIPS 140-2 support (see INSTALL.FIPS for details).
Win32 platform is not currently supported.
* New features
- Experimental fast support for non-MT-safe libwrap is provided
with pre-spawned processes.
- Stunnel binary moved from /usr/local/sbin to /usr/local/bin
in order to meet FHS and LSB requirements.
Please delete the /usr/local/sbin/stunnel when upgrading.
- Added code to disallow compiling stunnel with pthreads when
OpenSSL is compiled without threads support.
- Win32 DLLs for OpenSSL 0.9.8g.
- Minor manual update.
- TODO file updated.
* Bugfixes
- Dynamic locking callbacks added (needed by some engines to work).
- AC_ARG_ENABLE fixed in configure.am to accept yes/no arguments.
- On some systems libwrap requires yp_get_default_domain from libnsl,
additional checking for libnsl was added to the ./configure script.
- Sending a list of trusted CAs for the client to choose the right
certificate restored.
- Some compatibility issues with NTLM authentication fixed.
- Taskbar icon (unless there is a config file parsing error) and
"Save As" disabled in the service mode for local Win32 security
(it's much like Yeti -- some people claim they have seen it).
Version 4.20, 2006.11.30, urgency: MEDIUM:
* Release notes
- The new transfer() function has been well tested.
I recommend upgrading any previous version with this one.
* Bugfixes
- Fixed support for encrypted passphrases on Unix (broken in 4.19).
- Reduced amount of debug logs.
- A minor man page update.
Version 4.19, 2006.11.11, urgency: LOW/EXPERIMENTAL:
* Release notes
- There are a lot of new features in this version. I recommend
testing it well before upgrading your mission-critical systems.
* New features
- New service-level option to specify OCSP server flag:
OCSPflag = <flag>
- "protocolCredentials" option changed to "protocolUsername"
and "protocolPassword"
- NTLM support to be enabled with the new service-level option:
protocolAuthentication = NTLM
- imap protocol negotiation support added.
- Passphrase cache was added so the user does not need to reenter
the same passphrase for each defined service any more.
- New service-level option to retry connect+exec section:
retry = yes|no
- Local IP and port is logged for each established connection.
- Win32 DLLs for OpenSSL 0.9.8d.
* Bugfixes
- Serious problem with SSL_WANT_* retries fixed.
The new code requires extensive testing!
Version 4.18, 2006.09.26, urgency: MEDIUM:
* Bugfixes
- GPF on entering private key pass phrase on Win32 fixed.
- Updated OpenSSL Win32 DLLs.
- Minor configure script update.
Version 4.17, 2006.09.10, urgency: MEDIUM:
* New features
- Win32 DLLs for OpenSSL 0.9.8c.
* Bugfixes
- Problem with detecting getaddrinfo() in ./configure fixed.
- Compilation problem due to misplaced #endif in ssl.c fixed.
- Duplicate 220 in smtp_server() function in protocol.c fixed.
- Minor os2.mak update.
- Minor update of safestring()/safename() macros.
Version 4.16, 2006.08.31, urgency: MEDIUM:
* New features sponsored by Hewlett-Packard
- A new global option to control engine:
engineCtrl = <command>[:<parameter>]
- A new service-level option to select engine to read private key:
engineNum = <engine number>
- OCSP support:
ocsp = <URL>
* New features
- A new option to select version of SSL protocol:
sslVersion = all|SSLv2|SSLv3|TLSv1
- Visual Studio vc.mak by David Gillingham <dgillingham@gmail.com>.
- OS2 support by Paul Smedley (http://smedley.info)
* Bugfixes
- An ordinary user can install stunnel again.
- Compilation problem with --enable-dh fixed.
- Some minor compilation warnings fixed.
- Service-level CRL cert store implemented.
- GPF on protocol negotiations fixed.
- Problem detecting addrinfo() on Tru64 fixed.
- Default group is now detected by configure script.
- Check for maximum number of defined services added.
- OpenSSL_add_all_algorithms() added to SSL initialization.
- configure script sections reordered to detect pthread library functions.
- RFC 2487 autodetection improved. High resolution s_poll_wait()
not currently supported by UCONTEXT threading.
- More precise description of cert directory file names (thx to Muhammad
Muquit).
* Other changes
- Maximum number of services increased from 64 to 256 when poll() is used.
Version 4.15, 2006.03.11, urgency: LOW:
* Release notes
- There are a lot of new features in this version. I recommend
testing it well before upgrading your mission-critical systems.
* Bugfixes
- Fix for pthreads on Solaris 10.
- Attempt to autodetect socklen_t type in configure script.
- Default threading model changed to pthread for better portability.
- DH parameters are not included in the certificate by default.
* New features sponsored by Software House http://www.swhouse.com/
- Most SSL-related options (including client, cert, key) are now
available on service level, so it is possible to have an SSL
client and an SSL server in a single stunnel process.
- Windows CE (version 3.0 and higher) support.
* New features
- Client mode CONNECT protocol support (RFC 2817 section 5.2).
http://www.ietf.org/rfc/rfc2817.txt
- Retrying exec+connect services added.
* File locations are more compliant to Filesystem Hierarchy Standard 2.3
- configuration and certificates are in $prefix/etc/stunnel/
- binaries are in $prefix/sbin/
- default pid file is $prefix/var/run/stunnel.pid
- manual is $prefix/man/man8/stunnel.8
- other docs are in $prefix/share/doc/stunnel/
- libstunnel is in $prefix/lib
- chroot directory is setup in $prefix/var/lib/stunnel/
this directory is chmoded 1770 and group nogroup
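The following stunnel.conf is an added example, not part of this ChangeLog and not the sample configuration shipped with stunnel. It puts the service-level options described in the entries above into one process running both an SSL server and an SSL client, which the 4.15 entry says became possible once SSL options moved to the service level. Option names are taken from the entries (curve, libwrap, failover, TIMEOUTconnect, TIMEOUTclose, syslog, ocsp, OCSPflag, options, sslVersion, CRLfile, chroot, setuid/setgid, the ':::995' IPv6 accept syntax, multiple connect lines); client, verify, CAfile, cert, key, pid, output and debug are standard stunnel options that the entries only refer to through their old command-line flags. Hostnames, paths and ports are constructed placeholders.

```ini
; Added example stunnel.conf (constructed, not from the stunnel distribution).
; One process, two services: a TLS server in front of a local POP3 daemon
; and a TLS client wrapping outgoing SMTP. Comments are on their own lines.

; ---- global options ----
; 4.00: drop privileges and run chrooted; pid path is relative to chroot
chroot = /var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
; 4.22: log to syslog and to a file at the same time
syslog = yes
output = /var/log/stunnel.log
; 3.10: [facility].level syntax for the log level
debug = daemon.notice
; 4.16 / 4.04: pin the protocol version and pass options to SSL_CTX_set_options()
sslVersion = TLSv1
options = NO_SSLv2
; 4.05: revocation list checked for every service
CRLfile = /etc/stunnel/revoked.pem

; ---- server side: terminate TLS for a local POP3 daemon ----
[pop3s]
; 4.06: IPv6 wildcard address, hence the three colons before the port
accept = :::995
connect = 127.0.0.1:110
; 4.00: the private key may live in a file separate from the certificate
cert = /etc/stunnel/pop3s.pem
key = /etc/stunnel/pop3s.key
; 4.34: ECC curve for this service (prime256v1 is the default)
curve = prime256v1
; 4.32: skip /etc/hosts.allow and /etc/hosts.deny lookups for this service
libwrap = no
; 4.00: do not wait for close_notify from clients that never send it
TIMEOUTclose = 0

; ---- client side: wrap an outgoing SMTP connection ----
[smtp-relay]
; 4.15: client mode is a per-service setting
client = yes
accept = 127.0.0.1:2525
; 4.06: several connect targets; 4.27: failover=prio tries them in order
connect = mx1.example.invalid:465
connect = mx2.example.invalid:465
failover = prio
; 4.06: seconds to wait for the TCP connect before trying the next target
TIMEOUTconnect = 10
; verify the server certificate against a CA bundle; 4.00: there is no
; built-in default for CApath/CAfile, so it must be given explicitly
verify = 2
CAfile = /etc/stunnel/ca-bundle.pem
; 4.16 / 4.19: OCSP responder and OCSP request flag
ocsp = http://ocsp.example.invalid/
OCSPflag = NOCERTS
```

The two sections deliberately differ in what they trust: the server section presents a key pair and applies the CRL, while the client section requires a verified server certificate and adds OCSP, so a failed revocation or chain check on either side is logged to both syslog and the file named by `output`.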
Version 4.14, 2005.11.02, urgency: HIGH:
* Bugfixes
- transfer() fixed to avoid random stalls introduced in version 4.12.
- poll() error handling bug fixed.
- Checking for dynamic loader libraries added again.
- Default pidfile changed from $localstatedir/run/stunnel.pid
to $localstatedir/stunnel/stunnel.pid.
- Basic SSL library initialization moved to the beginning of execution.
* Release notes
- This is an important bugfix release. Upgrade is recommended.
Version 4.13, 2005.10.21, urgency: MEDIUM:
* DLLs for OpenSSL 0.9.7i included because protection faults were reported
in 0.9.8 and 0.9.8a.
* New features
- Libwrap code is executed as a separate process (no more delays due
to a global and potentially long critical section).
* Bugfixes
- Problem with zombies in UCONTEXT threading fixed.
- Workaround for non-standard makecontext() uc_stack.ss_sp parameter
semantics on SGI IRIX.
- Protection fault in signals handling on IRIX fixed.
- Problem finding pthread library on AIX fixed.
- size_t printf() fixed in stack_info() (the previous fix didn't work).
- socklen_t is used instead of int where required.
Version 4.12, 2005.09.29, urgency: MEDIUM:
* New features
- Win32 installer added.
- New Win32 commandline options: -start and -stop.
- Log level and thread number are reported to syslog.
- DLLs for OpenSSL 0.9.8.
- stunnel.spec updated by neeo <neeo@irc.pl>.
* Bugfixes
- Use of broken poll() is disabled on Mac OS X.
- Yet another transfer() infinite loop condition fixed.
- Workaround for a serious M$ bug (KB177346).
- IPv6 DLLs allocation problem resulting in GPF on W2K fixed.
- zlib added to shared libraries (OpenSSL may need it).
- size_t printf() fixed in stack_info().
* Release notes
- This is a bugfix release. Upgrade is recommended.
Version 4.11, 2005.07.09, urgency: MEDIUM:
* New features
- New ./configure option --with-threads to select thread model.
- ./configure option --with-tcp-wrappers renamed to --disable-libwrap.
I hope the meaning of the option is much clearer, now.
* Bugfixes
- Workaround for non-standard makecontext() uc_stack.ss_sp parameter
semantics on Sparc/Solaris 9 and earlier.
- scan_waiting_queue() no longer drops contexts.
- Inetd mode coredumps with UCONTEXT fixed.
- Cleanup context is no longer used.
- Releasing memory of the current context is delayed.
- Win32 headers reordered for Visual Studio 7.
- Some Solaris compilation warnings fixed.
- Rejected inetd mode without 'connect' or 'exec'.
* Release notes
- UCONTEXT threading seems stable, now. Upgrade is recommended.
Version 4.10, 2005.04.23, urgency: LOW/EXPERIMENTAL:
* DLLs for OpenSSL 0.9.7g.
* Bugfixes
- Missing locking on Win32 platform was added (thx to Yi Lin
<yi.lin@convergys.com>)
- Some problems with closing SSL fixed.
* New features
- New UCONTEXT user-level non-preemptive threads model is used
on systems that support SYSV-compatible ucontext.h.
- Improved stunnel3 script with getopt-compatible syntax.
* Release notes
- This version should be thoroughly tested before using it in the
mission-critical environment.
Version 4.09, 2005.03.26, urgency: MEDIUM:
* DLLs for OpenSSL 0.9.7f.
* Bugfixes
- Compilation problem with undeclared socklen_t fixed.
- TIMEOUTclose is not used when there is any data in the buffers.
- Stunnel no longer relies on close_notify with SSL 2.0 connections,
since SSL 2.0 protocol does not have any alerts defined.
- Closing SSL socket when there is some data in SSL output buffer
is detected and reported as an error.
- Install/chmod race condition when installing default certificate fixed.
- Stunnel no longer installs signal_handler on ignored signals.
Version 4.08, 2005.02.27, urgency: LOW:
* New features
- New -quiet option was added to install NT service without a message box.
* Bugfixes
- Using $(DESTDIR) in tools/Makefile.am.
- Define NI_NUMERICHOST and NI_NUMERICSERV when needed.
- Length of configuration file line increased from 256B to 16KB.
- Stunnel sends close_notify when a close_notify is received from SSL
peer and all remaining data is sent to SSL peer.
- Some fixes for bugs detected by the watchdog.
* Release notes
- There were many changes in the transfer() function (the main loop).
- This version should be thoroughly tested before using it in the
mission-critical environment.
Version 4.07, 2005.01.03, urgency: MEDIUM:
* Bugfixes
- Problem with an infinite poll() timeout given as a negative value other than -1 fixed.
- Problem with a file descriptor ready to be read just after a non-blocking
connect call fixed.
- Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed.
- IP address and TCP port textual representation length (IPLEN) increased
to 128 bytes.
- OpenSSL engine support is only used if engine.h header file exists.
- Broken NT Service mode on Win32 platform fixed.
- Support for IPv4-only Win32 machines restored.
Version 4.06, 2004.12.26, urgency: LOW:
* New feature sponsored by SURFnet http://www.surfnet.nl/
- IPv6 support (to be enabled with ./configure --enable-ipv6).
* New features
- poll() support - no more FD_SETSIZE limit!
- Multiple connect=host:port options are allowed in a single service
section. Remote hosts are connected using round-robin algorithm.
This feature is not compatible with delayed resolver.
- New 'compression' option to enable compression. To use zlib
algorithm you have to enable it when building OpenSSL library.
- New 'engine' option to select a hardware engine.
- New 'TIMEOUTconnect' option with 10 seconds default added.
- stunnel3 perl script to emulate version 3.x command line options.
- French manual updated by Bernard Choppy <choppy AT free POINT fr>.
- A watchdog to detect transfer() infinite loops added.
- Configuration file comment character changed from '#' to ';'.
'#' will still be recognized to keep compatibility.
- MT-safe getaddrinfo() and getnameinfo() are used where available
to get better performance on resolver calls.
- Automake upgraded from 1.4-p4 to 1.7.9.
* Bugfixes
- log() changed to s_log() to avoid conflicts on some systems.
- Common CRIT_INET critical section introduced instead of separate
CRIT_NTOA and CRIT_RESOLVER to avoid potential problems with
libwrap (TCP Wrappers) library.
- CreateThread() finally replaced with _beginthread() on Win32.
- make install creates $(localstatedir)/stunnel.
$(localstatedir)/stunnel/dev/zero is also created on Solaris.
- Race condition with client session cache fixed.
- Other minor bugfixes.
* Release notes
- Win32 port requires Winsock2 to work.
Some Win95 systems may need a free update from Microsoft.
http://www.microsoft.com/windows95/downloads/
- Default is *not* to use IPv6 '::' for accept and '::1' for
connect. For example to accept pop3s on IPv6 you could use:
'accept = :::995'. I hope the new syntax is clear enough.
Version 4.05, 2004.02.14, urgency: MEDIUM:
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Support for CIFS aka SMB protocol SSL negotiation.
* New features
- CRL support with new CRLpath and CRLfile global options.
- New 'taskbar' option on Win32 (thx to Ken Mattsen
<ken.Mattsen@roxio.com>).
- New -fd command line parameter to read configuration
from a specified file descriptor instead of a file.
- accept is reported as error when no '[section]' is
defined (in stunnel 4.04 it was silently ignored causing
problems for lusers who did not read the fine manual).
- Use fcntl() instead of ioctlsocket() to set socket
nonblocking where it is supported.
- Basic support for hardware engines with OpenSSL >= 0.9.7.
- French manual by Bernard Choppy <choppy@imaginet.fr>.
- Thread stack size reduced to 64KB for maximum scalability.
- Added optional code to debug thread stack usage.
- Support for nsr-tandem-nsk (thx to Tom Bates <tom.bates@hp.com>).
* Bugfixes
- TCP wrappers code moved to CRIT_NTOA critical section
since it uses static inet_ntoa() result buffer.
- SSL_ERROR_SYSCALL handling problems fixed.
- added code to retry nonblocking SSL_shutdown() calls.
- Use FD_SETSIZE instead of 16 file descriptors in inetd
mode.
- fdscanf groks lowercase protocol negotiation commands.
- Win32 taskbar GDI objects leak fixed.
- Libwrap detection bug in ./configure script fixed.
- grp.h header detection fixed for NetBSD and possibly
other systems.
- Some other minor updates.
Version 4.04, 2003.01.12, urgency: MEDIUM:
* New feature sponsored by SURFnet http://www.surfnet.nl/
- Encrypted private key can be used with Win32 GUI.
* New features
- New 'options' configuration option to setup
OpenSSL library hacks with SSL_CTX_set_options().
- 'service' option also changes the name for
TCP Wrappers access control in inetd mode.
- Support for BeOS (thx to Mike I. Kozin <mik@sbor.net>)
- SSL is negotiated before connecting remote host
or spawning local process whenever possible.
- REMOTE_HOST variable is always placed in the
environment of a process spawned with 'exec'.
- Whole SSL error stack is dumped on errors.
- 'make cert' rule is back (was missing since 4.00).
- Manual page updated (special thanks to Brian Hatch).
- TODO updated.
* Bugfixes
- Major code cleanup (thx to Steve Grubb <linux_4ever@yahoo.com>).
- Unsafe functions are removed from SIGCHLD handler.
- Several bugs in auth_user() fixed.
- Incorrect port when using 'local' option fixed.
- OpenSSL tools '-rand' option is no longer directly
used with a device (like '/dev/urandom').
Temporary random file is created with 'dd' instead.
* DLLs for OpenSSL 0.9.7.
Version 4.03, 2002.10.27, urgency: HIGH:
* NT Service (broken since 4.01) is operational again.
* Memory leak in FORK environments fixed.
* sigprocmask() mistake corrected.
* struct timeval is reinitialized before select().
* EAGAIN handled in client.c for AIX.
* Manual page updated.
Version 4.02, 2002.10.21, urgency: HIGH:
* Serious bug in ECONNRESET handling fixed.
Version 4.01, 2002.10.20, urgency: MEDIUM:
* New features
- OpenVMS support.
- Polish manual and some manual updates.
- 'service' option added on Win32 platform.
- Obsolete FAQ has been removed.
- Log file is created with 0640 mode.
- exec->connect service sections (need more testing).
* Bugfixes
- EINTR ignored in main select() loop.
- Fixed problem with stunnel closing connections on
TIMEOUTclose before all the data is sent.
- Fixed EWOULDBLOCK on writesocket problem.
- Potential DOS in Win32 GUI fixed.
- Solaris compilation problem fixed.
- Libtool configuration problems fixed.
- Signal mask is cleared just before exec in local mode.
- Accepting sockets and log file descriptors are no longer
leaked to the child processes.
Special thanks to Steve Grubb for the source code audit.
Version 4.00, 2002.08.30, urgency: LOW:
* New features sponsored by MAXIMUS http://www.maximus.com/
- New user interface (config file).
- Single daemon can listen on multiple ports, now.
- Native Win32 GUI added.
- Native NT/2000/XP service added.
- Delayed DNS lookup added.
* Other new features
- All the timeouts are now configurable including
TIMEOUTclose that can be set to 0 for MSIE and other
buggy clients that do not send close_notify.
- Stunnel process can be chrooted in a specified directory.
- Numerical values for setuid() and setgid() are allowed, now.
- Confusing code for setting certificate defaults introduced in
version 3.8p3 was removed to simplify stunnel setup.
There are no built-in defaults for CApath and CAfile options.
- Private key file for a certificate can be kept in a separate
file. Default remains to keep it in the cert file.
- Manual page updated.
- New FHS-compatible build system based on automake and libtool.
* Bugfixes
- `SSL socket closed on SSL_write' problem fixed.
- Problem with localtime() crashing Solaris 8 fixed.
- Problem with tcp wrappers library detection fixed.
- Cygwin (http://www.cygwin.com/) support added.
- __svr4__ macro defined for Sun C/C++ compiler.
* DLLs for OpenSSL 0.9.6g.
Version 3.22, 2001.12.20, urgency: HIGH:
* Format string bug fixed in protocol.c
smtp, pop3 and nntp in client mode were affected.
(stunnel clients could be attacked by malicious servers)
* Certificate chain can be supplied with -p option or in stunnel.pem.
* Problem with -r and -l options used together fixed.
* memmove() instead of memcpy() is used to move data in buffers.
* More detailed information about negotiated ciphers is printed.
* New ./configure options: '--enable-no-rsa' and '--enable-dh'.
Version 3.21c, 2001.11.11, urgency: LOW:
* autoconf scripts upgraded to version 2.52.
* Problem with pthread_sigmask on Darwin fixed (I hope).
* Some documentation typos corrected.
* Attempt to ignore EINTR in transfer().
* Shared library version reported on startup.
* DLLs for OpenSSL 0.9.6b.
Version 3.21b, 2001.11.03, urgency: MEDIUM:
* File descriptor leak on failed connect() fixed.
Version 3.21a, 2001.10.31, urgency: MEDIUM:
* Small bug in Makefile fixed.
Version 3.21, 2001.10.31, urgency: MEDIUM:
* Problem with errno and posix threads fixed.
* It is assumed that system has getopt() if it has getopt.h header file.
* SSL_CLIENT_DN and SSL_CLIENT_I_DN environment variables set in local mode
(-l) process. This feature doesn't work if
client mode (-c) or protocol negotiation (-n) is used.
* Winsock error descriptions hardcoded (English version only).
* SetConsoleCtrlHandler() used to handle CTRL+C, logoff and shutdown on Win32.
* Stunnel always requests peer certificate with -v 0.
* sysconf()/getrlimit() used to calculate number of clients allowed.
* SSL mode changed for OpenSSL >= 0.9.6.
* close-on-exec option used to avoid socket inheriting.
* Buffer size increased from 8KB to 16KB.
* fdscanf()/fdprintf() changes:
- non-blocking socket support,
- timeout after 1 minute of inactivity.
* auth_user() redesigned to force 1 minute timeout.
* Some source arrangement towards 4.x architecture.
* No need for 'goto' any more.
* New Makefile 'test' rule. It performs basic test of
standalone/inetd, remote/local and server/client mode.
* pop3 server mode support added.
Version 3.20, 2001.08.15, urgency: LOW:
* setsockopt() optlen set according to the optval for Solaris.
* Minor NetBSD compatibility fixes by Martti Kuparinen.
* Minor MSVC6 compatibility fixes by Patrick Mayweg.
* SSL close_notify timeout reduced to 10 seconds of inactivity.
* Socket close instead of reset on close_notify timeout.
* Some source arrangement and minor bugfixes.
Version 3.19, 2001.08.10, urgency: MEDIUM:
* Critical section added around non MT-safe TCP Wrappers code.
* Problem with 'select: Interrupted system call' error fixed.
* errno replaced with get_last_socket_error() for Win32.
* Some FreeBSD/NetBSD patches to ./configure from Martti Kuparinen.
* Local mode process pid logged.
* Default FQDN (localhost) removed from stunnel.cnf
* ./configure changed to recognize POSIX threads library on OSF.
* New -O option to set socket options.
Version 3.18, 2001.07.31, urgency: MEDIUM:
* MAX_CLIENTS is calculated based on FD_SETSIZE, now.
* Problems with closing SSL in transfer() fixed.
* -I option to bind a static local IP address added.
* Debug output of info_callback redesigned.
Version 3.17, 2001.07.29, urgency: MEDIUM:
* Problem with coredump on exit with active threads fixed.
* Timeout for transfer() function added:
- 1 hour if socket is open for read
- 1 minute if socket is closed for read
Version 3.16, 2001.07.22, urgency: MEDIUM:
* Some transfer() bugfixes/improvements.
* STDIN/STDOUT are no longer assumed to be non-socket descriptors.
* Problem with --with-tcp-wrappers patch fixed.
* pop3 and nntp support bug fixed by Martin Germann.
* -o option to append log messages to a file added.
* Changed error message for SSL error 0.
Version 3.15, 2001.07.15, urgency: MEDIUM:
* Serious bug resulting in random transfer() hangs fixed.
* Separate file descriptors are used for inetd mode.
* -f (foreground) logs are now stamped with time.
* New ./configure option: --with-tcp-wrappers by Brian Hatch.
* pop3 protocol client support (-n pop3) by Martin Germann.
* nntp protocol client support (-n nntp) by Martin Germann.
* RFC 2487 (smtp STARTTLS) client mode support.
* Transparency support for Tru64 added.
* Some #includes for AIX added.
Version 3.14, 2001.02.21, urgency: LOW:
* Pidfile creation algorithm has been changed.
Version 3.13, 2001.01.25, urgency: MEDIUM:
* pthread_sigmask() argument in sthreads.c corrected.
* OOB data is now handled correctly.
Version 3.12, 2001.01.24, urgency: LOW:
* Attempted to fix problem with zombies in local mode.
* Patch for 64-bit machines by Nalin Dahyabhai <nalin@redhat.com> applied.
* Tiny bugfix for OSF cc by Dobrica Pavlinusic <dpavlin@rot13.org> added.
* PORTS file updated.
Version 3.11, 2000.12.21, urgency: MEDIUM:
* New problem with zombies fixed.
* Attempt to be integer-size independent.
* SIGHUP handler added.
Version 3.10, 2000.12.19, urgency: MEDIUM:
* Internal thread synchronization code added.
* libdl added to stunnel dependencies if it exists.
* Manpage converted to sdf format.
* stunnel deletes pid file before attempting to create it.
* Documentation updates.
* -D option now takes [facility].level as argument. 0-7 still supported.
* Problems with occasional zombies in FORK mode fixed.
* 'stunnel.exe' rule added to Makefile.
You can cross-compile stunnel.exe on Unix, now.
I'd like to be able to compile OpenSSL this way, too...
Version 3.9, 2000.12.13, urgency: HIGH:
* Updated temporary key generation:
- stunnel is now honoring requested key-lengths correctly,
- temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.
Version 3.8p4, 2000.06.25 bri@stunnel.org:
* fixes for Windows platform
Version 3.8p3, 2000.06.24 bri@stunnel.org:
* Compile time definitions for the following:
--with-cert-dir
--with-cert-file
--with-pem-dir
--enable-ssllib-cs
* use daemon() function instead of daemonize, if available
* fixed FreeBSD threads checking (patch from robertw@wojo.com)
* added -S flag, allowing you to choose which default verify
sources to use
* relocated service name output logging until after log_open.
(no longer outputs log info to inetd socket, causing bad SSL)
* -V flag now outputs the default values used by stunnel
* Removed DH param generation in Makefile.in
* Moved stunnel.pem to sample.pem to keep people from blindly using it
* Removed confusing stunnel.pem check from Makefile.
* UPGRADE NOTE: this version seriously changes several previous stunnel
default behaviours. There are no longer any default cert file/dirs
compiled into stunnel, you must use the --with-cert-dir and
--with-cert-file configure arguments to set these manually, if desired.
Stunnel does not use the underlying ssl library defaults by default
unless configured with --enable-ssllib-cs. Note that these can always
be enabled at run time with the -A,-a, and -S flags.
Additionally, unless --with-pem-dir is specified at compile time,
stunnel will default to looking for stunnel.pem in the current directory.
Version 3.8p2, 2000.06.13 bri@stunnel.org:
* Fixes for Win32 platform
* Minor output formatting changes
* Fixed version number in files
Version 3.8p1, 2000.06.11 bri@stunnel.org:
* Added rigorous PRNG seeding
* PID changes (and related security-fix)
* Man page fixes
* Client SSL Session-IDs now used
* -N flag to specify tcpwrapper service name
Version 3.8, 2000.02.24:
* Checking for threads in c_r library for FreeBSD.
* Some compatibility fixes for Ultrix.
* configure.in has been cleaned up.
Separate directories for SSL certs and SSL libraries/headers
are no longer supported. SSL ports maintainers should create
softlinks in the main openssl directory if necessary.
* Added --with-ssl option to specify SSL directory.
* Added setgid (-g) option.
(Special thanks to Brian Hatch for his feedback and support)
* Added pty.c based on a Public Domain code by Tatu Ylonen
* Distribution files are now signed with GnuPG
Version 3.7, 2000.02.10:
* /usr/pkg added to list of possible SSL directories for pkgsrc installs
of OpenSSL under NetBSD.
* Added the -s option, which setuid()s to the specified user when running
in daemon mode. Useful for cyrus imapd.
(both based on patch by George Coulouris)
* PTY code ported to Solaris. The port needs some more testing.
* Added handler for SIGINT.
* Added --with-random option to ./configure script.
* Fixed some problems with autoconfiguration on Solaris and others.
It doesn't use config.h any more.
* /var/run changed to @localstatedir@/stunnel for better portability.
The directory is chmoded a=rwx,+t.
* FAQ has been updated.
3.6 2000.02.03
* Automatic RFC 2487 detection based on patch by Pascual Perez and Borja Perez.
* Non-blocking sockets not used by default.
* DH support is disabled by default.
* (both can be enabled in ssl.c)
3.5 2000.02.02
* Support for openssl 0.9.4 added.
* /usr/ssl added to configure by Christian Zuckschwerdt.
* Added tunneling for PPP through the addition of PTY handling.
* Added some documentation.
3.4a 1999.07.13 (bugfix release)
* Problem with cipher negotiation fixed.
* setenv changed to putenv.
3.4 1999.07.12
* Local transparent proxy added with LD_PRELOADed shared library.
* DH code rewritten.
* Added -C option to set cipher list.
* stderr fflushed after fprintf().
* Minor portability bugfixes.
* Manual updated (but still not perfect).
3.3 1999.06.18
* Support for openssl 0.9.3 added.
* Generic support for protocol negotiation added (protocol.c).
* SMTP protocol negotiation support for Netscape client added.
* Transparent proxy mode (currently works on Linux only).
* SO_REUSEADDR enabled on listening socket in daemon mode.
* ./configure now accepts --prefix parameter.
* -Wall is only used with gcc compiler.
* Makefile.in and configure.in updated.
* SSL-related functions moved to a separate file.
* vsprintf changed to vsnprintf in log.c on systems that have it.
* Pidfile in /var/run added for daemon mode.
* RSAref support fix (not tested).
* Some compatibility fixes for Solaris and NetBSD added.
3.2 1999.04.28
* RSAref support (not tested).
* Added full duplex with non-blocking sockets.
* RST sent instead of FIN on peer error (on error peer
socket is reset - not just closed).
* RSA temporary key length changed back to 512 bits to fix
a problem with Netscape.
* Added NO_RSA for US citizens having problems with patents.
3.1 1999.04.22
* Changed -l syntax (first argument specified is now argv[0]).
* Fixed problem with options passed to locally executed daemon.
* Fixed problem with ':' passed to libwrap in a service name:
- ':' has been changed to '.';
- user can specify his own service name as an argument.
* RSA temporary key length changed from 512 to 1024 bits.
* Added safecopy to avoid buffer overflows in stunnel.c.
* Fixed problems with GPF after unsuccessful resolver call
and incorrect parameters passed to getopt() in Win32.
* FAQ updated.
3.0 1999.04.19
* Some bugfixes.
* FAQ added.
3.0b7 1999.04.14
* Win32 native port fixed (looks quite stable).
* New transfer() function algorithm.
* New 'make cert' to be compatible with openssl-0.9.2b.
* Removed support for memory leaks debugging.
3.0b6 1999.04.01
* Fixed problems with session cache (by Adam).
* Added client mode session cache.
* Source structure, autoconf script and Makefile changed.
* Added -D option to set debug level.
* Added support for memory leaks debugging
(SSL library needs to be compiled with -DMFUNC).
3.0b5 1999.03.25
* Lots of changes to make threads work.
* Peer (client and server) authentication works!
* Added -V option to display version.
3.0b4 1999.03.22
* Early POSIX threads implementation.
* Work on porting to native Win32 application started.
3.0b3 1999.03.05
* Improved behavior on heavy load.
3.0b2 1999.03.04
* Fixed -v parsing bug.
3.0b1 1999.01.18
* New user interface.
* Client mode added.
* Peer certificate verification added (=strong authentication).
* Win32 port added.
* Other minor problems fixed.
2.1 1998.06.01
* Few bugs fixed.
2.0 1998.05.25
* Remote mode added!
* Standalone mode added!
* tcpd functionality added by libwrap utilization.
* DH callbacks removed by kravietZ.
* bind loopback on Intel and other bugs fixed by kravietZ.
* New manual page by kravietZ & myself.
1.6 1998.02.24
* Linux bind fix.
* New TODO ideas!
1.5 1998.02.24
* make_sockets() implemented with Internet sockets instead
of Unix sockets for better compatibility.
(i.e. to avoid random data returned by getpeername(2))
This feature can be disabled in stunnel.c.
1.4 1998.02.16
* Ported to HP-UX, Solaris and probably other UNIXes.
* Autoconfiguration added.
1.3 1998.02.14
* Man page by Pawel Krawczyk <kravietz@ceti.com.pl> added!
* Copyrights added.
* Minor errors corrected.
1.2 1998.02.14
* Separate certificate for each service added.
* Connection logging support.
1.1 1998.02.14
* Callback functions added by Pawel Krawczyk
<kravietz@ceti.com.pl>.
1.0 1998.02.11
* First version with SSL support
- special thx to Adam Hernik <adas@infocentrum.com>.
0.1 1998.02.10
* Testing skeleton.