stunnel         Universal SSL tunnel

Version 3.10, 2000.12.19, urgency: MEDIUM:
* Internal thread synchronization code added.
* libdl added to stunnel dependencies if it exists.
* Manpage converted to sdf format.
* stunnel deletes pid file before attempting to create it.
* Documentation updates.
* -D option now takes [facility].level as argument.  0-7 still supported.
* Problems with occasional zombies in FORK mode fixed.
* 'stunnel.exe' rule added to Makefile.
  You can cross-compile stunnel.exe on Unix, now.
  I'd like to be able to compile OpenSSL this way, too...

Version 3.9, 2000.12.13, urgency: HIGH:
* Updated temporary key generation:
   - stunnel is now honoring requested key-lengths correctly,
   - temporary key is changed every hour.
* transfer() no longer hangs on some platforms.
  Special thanks to Peter Wagemans for the patch.
* Potential security problem with syslog() call fixed.

Version 3.8p4, 2000.06.25  bri@stunnel.org:
* fixes for Windows platform

Version 3.8p3, 2000.06.24  bri@stunnel.org:
* Compile time definitions for the following:
	--with-cert-dir
	--with-cert-file
	--with-pem-dir
	--enable-ssllib-cs
* use daemon() function instead of daemonize, if available
* fixed FreeBSD threads checking (patch from robertw@wojo.com)
* added -S flag, allowing you to choose which default verify
  sources to use
* relocated service name output logging until after log_open.
  (no longer outputs log info to inetd socket, causing bad SSL)
* -V flag now outputs the default values used by stunnel
* Removed DH param generation in Makefile.in
* Moved stunnel.pem to sample.pem to keep people from blindly using it
* Removed confusing stunnel.pem check from Makefile.

* UPGRADE NOTE: this version seriously changes several previous stunnel
  default behaviours.  There are no longer any default cert file/dirs
  compilied into stunnel, you must use the --with-cert-dir and
  --with-cert-file configure arguments to set these manually, if desired.
  Stunnel does not use the underlying ssl library defaults by default
  unless configured with --enable-ssllib-cs.  Note that these can always
  be enabled at run time with the -A,-a, and -S flags.
  Additionally, unless --with-pem-dir is specified at compile time,
  stunnel will default to looking for stunnel.pem in the current directory.

Version 3.8p2, 2000.06.13  bri@stunnel.org:
* Fixes for Win32 platform
* Minor output formatting changes
* Fixed version number in files

Version 3.8p1, 2000.06.11  bri@stunnel.org:
* Added rigerous PRNG seeding
* PID changes (and related security-fix)
* Man page fixes
* Client SSL Session-IDs now used
* -N flag to specify tcpwrapper service name


Version 3.8, 2000.02.24:
* Checking for threads in c_r library for FreeBSD.
* Some compatibility fixes for Ultrix.
* configure.in has been cleaned up.
  Separate directories for SSL certs and SSL libraries/headers
  are no longer supported.  SSL ports maintainers should create
  softlinks in the main openssl directory if necessary.
* Added --with-ssl option to specify SSL directory.
* Added setgid (-g) option.
  (Special thanks to Brian Hatch for his feedback and support)
* Added pty.c based on a Public Domain code by Tatu Ylonen
* Distribution files are now signed with GnuPG

Version 3.7, 2000.02.10:
* /usr/pkg added to list of possible SSL directories for pkgsrc installs
  of OpenSSL under NetBSD.
* Added the -s option, which setuid()s to the specified user when running
  in daemon mode. Useful for cyrus imapd.
  (both based on patch by George Coulouris)
* PTY code ported to Solaris.  The port needs some more testing.
* Added handler for SIGINT.
* Added --with-random option to ./configure script.
* Fixed some problems with autoconfiguration on Solaris and others.
  It doesn't use config.h any more.
* /var/run changed to @localstatedir@/stunnel for better portability.
  The directory is chmoded a=rwx,+t.
* FAQ has been updated.

3.6 2000.02.03	Automatic RFC 2487 detection based on patch by
		Pascual Perez and Borja Perez.
		Non-blocking sockets not used by default.
		DH support is disabled by default.
		(both can be enabled in ssl.c)

3.5 2000.02.02	Support for openssl 0.9.4 added.
		/usr/ssl added to configure by Christian Zuckschwerdt.
		Added tunneling for PPP through the addition of PTY
		handling, and some documentation.

3.4a 1999.07.13	(bugfix release)
		Problem with cipher negotiation fixed.
		setenv changed to putenv.

3.4 1999.07.12	Local transparent proxy added with LD_PRELOADed shared library.
		DH code rewritten.
		Added -C option to set cipher list.
		stderr fflushed after fprintf().
		Minor portability bugfixes.
		Manual updated (but still not perfect).

3.3 1999.06.18	Support for openssl 0.9.3 added.
		Generic support for protocol negotiation added (protocol.c).
		SMTP protocol negotiation support for Netscape client added.
		Transparent proxy mode (currently works on Linux only).
		SO_REUSEADDR enabled on listening socket in daemon mode.
		./configure now accepts --prefix parameter.
		-Wall is only used with gcc compiler.
		Makefile.in and configure.in updated.
		SSL-related functions moved to a separate file.
		vsprintf changed to vsnprintf in log.c on systems have it.
		Pidfile in /var/run added for daemon mode.
		RSAref support fix (not tested).
		Some compatibility fixes for Solaris and NetBSD added.

3.2 1999.04.28	RSAref support (not tested).
		Added full duplex with non-blocking sockets.
		RST sent instead of FIN on peer error (on error peer
		socket is reset - not just closed).
		RSA temporary key length changed back to 512 bits to fix
		problem with Netscape.
		Added NO_RSA for US citizens having problems with patents.

3.1 1999.04.22	Changed -l syntax (first argument specified is now argv[0]).
		Fixed problem with options passed to locally executed daemon.
		Fixed problem with ':' passed to libwrap in a service name:
		 - ':' has been changed to '.';
		 - user can specify his own service name as an argument.
		RSA temporary key length changed from 512 to 1024 bits.
		Added safecopy to avoid buffer overflows in stunnel.c.
		Fixed problems with GPF after unsuccessful resolver call
		and incorrect parameters passed to getopt() in Win32.
		FAQ updated.

3.0 1999.04.19	Some bugfixes.
		FAQ added.
  
3.0b7 1999.04.14
		WIN32 native port fixed (looks quite stable).
		New transfer() function algorithm.
		New 'make cert' to be compatible with openssl-0.9.2b.
		Removed support for memory leaks debugging.

3.0b6 1999.04.01
		Fixed problems with session cache (by Adam).
		Added client mode session cache.
		Source structure, autoconf script and Makefile changed.
		Added -D option to set debug level.
		Added support for memory leaks debugging
		(SSL library needs to be compiled with -DMFUNC).

3.0b5 1999.03.25
		Lots of changes to make threads work.
		Peer (client and server) authentication works!
		Added -V option to display version.

3.0b4 1999.03.22
		Early POSIX threads implementation.
		Work on porting to native Win32 application started.

3.0b3 1999.03.05
		Improved behavior on heavy load.

3.0b2 1999.03.04
		Fixed -v parsing bug.

3.0b1 1999.01.18
		New user interface.
		Client mode added.
		Peer certificate verification added (=strong authentication).
		WIN32 port added.
		Other minor problems fixed.

2.1 1998.06.01	Few bugs fixed.

2.0 1998.05.25	Remote mode added!
                Standalone mode added!
		tcpd functionality added by libwrap utilization.
		DH callbacks removed by kravietZ.
		bind loopback on Intel and other bugs fixed by kravietZ.
		New manual page by kravietZ & myself.

1.6 1998.02.24	Linux bind fix.
		New TODO ideas!

1.5 1998.02.24	make_sockets() implemented with Internet sockets instead
		of Unix sockets for better compatibility.
		(i.e. to avoid random data returned by getpeername(2))
		This feature can be disabled in stunnel.c.

1.4 1998.02.16	Ported to HP-UX, Solaris and probably other UNIXes.
		Autoconfiguration added.

1.3 1998.02.14	Man page by Pawel Krawczyk <kravietz@ceti.com.pl> added!
		Copyrights added.
		Minor errors corrected.

1.2 1998.02.14	Separate certificate for each service added.
		Connection logging support.

1.1 1998.02.14	Callback functions added by Pawel Krawczyk
		<kravietz@ceti.com.pl>.

1.0 1998.02.11	First version with SSL support
		- special thx to Adam Hernik <adas@infocentrum.com>.

0.1 1998.02.10	Testing skeleton.

