Fact-checked by Grok 2 weeks ago

Stunnel

Stunnel is a and open-source multi-platform software designed to provide universal TLS/SSL , enabling the addition of TLS protection to arbitrary connections between existing clients and servers without requiring any modifications to the applications' . Initially released on February 10, 1998, the latest stable version is 5.76, released on October 18, 2025. Developed by Trojnara, Stunnel functions as an encryption wrapper that secures communications for non-TLS-aware programs, such as POP3, IMAP, or other inetd-startable services, by listening on specified ports, encrypting incoming traffic, and forwarding it to the target server. It relies on the library for cryptographic operations, supporting a variety of algorithms compiled into OpenSSL, and includes features like validation through the OpenSSL FIPS Provider for compliance in regulated environments. Licensed under the GNU General Public License version 2 or later with an exception to permit dynamic linking, Stunnel is optimized for , portability across systems and Windows, and scalability, including load-balancing capabilities for high-traffic deployments. Widely used in settings for to protocols, it offers options alongside community resources, making it a reliable choice for enhancing without architectural overhauls.

Overview and History

Purpose and Functionality

Stunnel is an open-source designed to add TLS functionality to existing clients and servers without requiring any changes to the programs' code. It achieves this by creating encrypted tunnels for arbitrary connections, leveraging the library for cryptographic operations. This allows Stunnel to support a wide range of cryptographic algorithms as compiled into the library, ensuring compatibility with modern security standards. As an wrapper, Stunnel operates by intercepting unencrypted on a specified , encapsulating it within a TLS-secured connection, and forwarding it to a remote . Conversely, on the receiving end, it can decrypt incoming TLS and relay the to the target service. This intermediary role enables seamless integration of into network communications without altering underlying applications. Stunnel plays a key role in securing legacy or non-TLS protocols, such as SMTP and IMAP, by allowing them to operate over protected channels that would otherwise expose sensitive data to . For instance, it can wrap these protocols in TLS to facilitate secure email retrieval and transmission in environments where native support is absent. This capability is particularly valuable for maintaining compatibility with older systems while enforcing . Stunnel supports two primary operational modes: , where it encrypts outgoing connections from a local application to a remote , and server-side, where it decrypts incoming connections before passing them to a local service. These modes can be configured independently, providing flexibility for diverse deployment scenarios such as securing inbound services or initiating outbound secure tunnels.

Development Timeline

Stunnel was developed as a personal project by programmer Trojnara, who has remained its sole primary author since its inception. The project began in early 1998, with the initial version 0.1 released on February 10, 1998, as a basic testing skeleton for SSL wrapping of connections. The first public stable release, version 3.0, followed on April 19, 1999, introducing features such as client mode and peer . From the outset, Stunnel has been distributed under the GNU General Public License version 2 or later, with an exception for compatibility with the library. The software's major version progression reflects a steady from foundational SSL tunneling capabilities to enhanced security and compatibility features. Version 4.00, released on August 30, 2002, marked a significant overhaul, supporting 0.9.6g and adding standalone server mode improvements. Subsequent releases in the 4.x series incorporated key advancements, including support in version 4.06 on December 26, 2004; session caching in 4.15 on March 11, 2006; compliance in 4.21 on October 27, 2007; and compression via zlib in 4.51 on January 9, 2012. The transition to version 5.00 on March 6, 2014, introduced support for 1.0.1 and improved , with ongoing updates integrating newer engines for cryptographic operations. Notable developments in the mid-2000s and beyond emphasized integration with engines for and the addition of session caching and compression to optimize performance without expanding into a multi-contributor . Trojnara has retained full control over the codebase, ensuring consistent design focused on reliability and minimal dependencies. As of 2025, Stunnel remains actively maintained by Trojnara, with the latest stable release, version 5.76, issued on October 18, 2025, featuring bugfixes and 3.5.4 integration. Commercial support options are available, including tiered plans with response times up to a 24/7 for enterprise users, alongside free community resources like mailing lists.

Technical Features

Core Capabilities

Stunnel employs multiple threading models to ensure portability across diverse operating systems and environments. It supports PTHREAD for POSIX-compliant systems, providing efficient multithreading on Unix-like platforms; FORK for traditional Unix environments, leveraging process forking for concurrency; UCONTEXT for user-level threading, which avoids kernel dependencies for lighter-weight operations; and WIN32 threads for native Windows integration. To enhance and , Stunnel incorporates load balancing mechanisms using and priority-based strategies, distributing connections across multiple backend servers to prevent bottlenecks. It also features external session caching, which allows clusters to share TLS session data and reduce the computational overhead of repeated handshakes, particularly beneficial in high-traffic scenarios where resumed sessions can achieve up to 4,700 connections per second on a . Additionally, data compression is supported to optimize usage in constrained networks, though it trades some CPU cycles for reduced transmission sizes. Advanced proxy behaviors in Stunnel include transparent mode, available on select platforms, which intercepts without requiring client modifications by binding to local addresses. A delayed DNS resolver handles intermittent , such as in dial-up or dynamic setups, by postponing name resolution until necessary. Furthermore, the supports graceful reloading of and log files, enabling updates without interrupting active connections. For integration, Stunnel leverages engines, including the CAPI engine for utilizing on Windows, allowing hardware-accelerated cryptography where available. It handles encoding in configuration and log files for international compatibility, and implements ident-based to restrict connections based on user identification protocols.

Platform and Protocol Support

Stunnel supports a wide range of operating systems, with tailored features for environments and Windows. On systems such as , BSD, and , it integrates with security mechanisms including for , setuid and setgid for dropping, and libwrap (TCP Wrappers) for based on hostnames or addresses. On Windows, Stunnel provides a (GUI) for configuration and monitoring, operates in service mode for background execution, and supports cached storage of peer certificate chains to facilitate certificate verification without repeated disk access. In terms of network capabilities, Stunnel offers full support for both client and server connections, enabling seamless operation in dual-stack environments. It also handles Unix domain sockets for local , supports socket activation for on-demand service startup, and includes pseudo-terminal (PTY) allocation to enable interactive sessions over encrypted tunnels. Stunnel includes built-in protocol negotiation wrappers to transparently add TLS encryption to various application-layer protocols without modifying client or server code. These wrappers handle initial handshakes for protocols such as CIFS (for Samba file sharing), CONNECT (for HTTP proxies), IMAP (email retrieval), NNTP (Usenet news), PostgreSQL (database connections), POP3 (email download), PROXY (HAProxy protocol), SMTP (email submission), and SOCKS versions 4, 4a, and 5 (general proxying). Additionally, it can redirect connections to TLS upon authentication failures for certain protocols, ensuring secure fallback. For operational controls, Stunnel integrates with on systems for standardized logging, acts as an EGD (Entropy Gathering Daemon) client to gather random data for cryptographic operations, and functions as protocol-specific gateways that while preserving original semantics.

Installation and Configuration

Installation Methods

Stunnel requires the library as a mandatory , with 1.1.0 or newer recommended for with modern cryptographic features. An optional is libwrap for integration with wrappers to control access based on host rules. For Unix-like systems, Stunnel can be compiled from source by downloading the latest tarball, such as stunnel-5.76.tar.gz, from the official website. After extracting the archive, ensure OpenSSL is installed, then run ./configure to prepare the build environment (which checks for optional libwrap), followed by make to compile and make install to deploy the binaries, typically to /usr/local. Stunnel is available through popular package managers on various platforms. On Debian and Ubuntu systems, install it using sudo apt install stunnel4, which provides the stunnel4 package containing the daemon and utilities. For Red Hat Enterprise Linux (RHEL) and CentOS, use sudo dnf install stunnel (or sudo yum install stunnel on older versions) to obtain the package from the base repositories. On macOS, Homebrew users can install it with brew install stunnel, which handles dependencies like OpenSSL automatically. On Windows, download and run the official 64-bit installer, such as stunnel-5.76-win64-installer.exe, from the Stunnel website; this bundle includes the FIPS Provider for compliance. After installation, register Stunnel as a by executing stunnel.exe -install from an administrator command prompt in the directory. To verify the , run stunnel -[version](/page/Version) from the command line, which displays the Stunnel build , compilation flags, and linked details, including FIPS mode support if applicable. The default is located at /etc/stunnel/stunnel.conf on systems or in the directory on Windows.

Configuration Syntax and Options

Stunnel's configuration is managed through a single primary file, typically named stunnel.conf, which follows an INI-style format consisting of global options at the top followed by one or more service sections enclosed in square brackets, such as [service_name]. This structure allows for modular definition of multiple TLS-encrypted services within the same file, with each service section inheriting global options unless overridden. The configuration parser supports case-insensitive keys but requires exact matching for section names and values. Global options control overall behavior and are placed before any service sections; examples include debug = 7 to set the logging verbosity level (where 7 enables detailed debugging output) and output = /path/to/logfile to specify a custom log file location instead of standard output. The pid = /var/run/stunnel.pid directive designates the file where the is stored, facilitating management tasks like restarts or signals on systems. These options apply universally unless a service section redefines them. Service sections define individual TLS tunnels and must include at minimum an accept directive for incoming and a connect directive for outgoing ones. The accept = [host:]port option specifies the local address and where Stunnel listens for unencrypted , such as accept = 127.0.0.1:8080, while connect = remote_host:remote_port routes encrypted traffic to the backend , for instance connect = [example.com](/page/Example.com):443. For server-mode operation, cert = /path/to/cert.pem provides the path to the server's chain , and key = /path/to/key.pem specifies the corresponding private , which can be omitted if included in the certificate . In client mode, activated by client = yes, these services initiate outbound TLS , often paired with verify = 2 to enforce validation of the peer's full chain against trusted certificate authorities. Cipher suite restrictions are configured via ciphers = cipher_list in service sections, allowing selection of secure protocols such as ciphers = HIGH:!aNULL to permit only high-strength ciphers while excluding anonymous ones, applicable to TLS versions 1.2 and earlier. For TLS 1.3 (supported with OpenSSL 1.1.1+), use the ciphersuites option to specify allowed cipher suites, such as ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256. For enhanced security in peer authentication, the verify level can range from 0 (none) to 4 (require and verify chain), with level 2 being a common choice for strict chain validation without hostname checking. Protocol-specific behaviors, such as protocol = smtp for SMTP STARTTLS negotiation, can be set per service to handle application-layer handshakes. Advanced configuration supports modularity through include = /directory/for/includes, which recursively loads additional .conf files from the specified directory, enabling separation of global and service-specific settings across multiple files. Process management options like pid ensure proper daemon handling, while logging can be directed with output to a file or syslog facility. Syntax rules include line-based comments prefixed with ; or #, and quoted strings for values containing spaces, such as cert = "/path with spaces/cert.pem". Configuration reloading is achieved on Unix systems by sending a SIGHUP signal to the running process, updating most options without interruption except for immutable ones like chroot or user/group settings; on Windows, the -reload command-line option serves a similar purpose for NT services.

Applications and Examples

Common Use Cases

Stunnel is frequently employed to secure protocols by encapsulating unencrypted SMTP traffic on 25 within a TLS-encrypted on submission 465, thereby protecting sensitive credentials and message content from interception during transmission. This approach is particularly useful for legacy mail servers that do not natively support STARTTLS, allowing administrators to enforce encryption without modifying the underlying SMTP daemon. Similarly, Stunnel can wrap IMAP and POP3 connections for older servers, enabling secure retrieval of emails over public networks by listening on standard TLS ports like 993 for IMAP and 995 for POP3. In database environments, Stunnel serves as a frontend to encrypt connections to servers, especially when client applications lack built-in SSL support, ensuring data-in-transit protection for queries and authentication. By configuring Stunnel with the protocol = pgsql option, it handles the TLS handshake and forwards decrypted traffic to the database on port 5432, mitigating risks from unencrypted wire exposure in distributed setups. For legacy applications, Stunnel facilitates secure tunneling to outdated services such as older IMAP/POP3 servers or CIFS/ file shares, allowing encrypted access over insecure networks without requiring protocol updates to the backend systems. In CIFS scenarios, it proxies traffic on port 445, encrypting file transfers between clients and servers to prevent on shared resources. Load-balanced deployments leverage Stunnel's capabilities to distribute incoming encrypted traffic across multiple backend servers, enhancing for services like web or endpoints. This setup accepts TLS connections on a single frontend port and alternates connections to backend hosts, providing while maintaining . As a , Stunnel integrates with libwrap (TCP wrappers) to enforce access controls based on client or before decrypting and forwarding traffic, combining with granular policies at gateways. This configuration is common in restricted environments where Stunnel acts as a secure , rejecting unauthorized connections via hosts.allow/hosts.deny rules while tunneling approved sessions.

Sample Configurations

Stunnel configuration files are typically structured with global options followed by service-specific sections enclosed in square brackets. These examples illustrate practical setups for common scenarios, drawing from official templates provided in the Stunnel distribution. For providing SMTPS service on port 465 using implicit TLS, a server-mode section can be defined as follows. This configuration accepts incoming TLS connections on the standard SMTPS port and forwards the decrypted traffic to a local unencrypted SMTP service on port 25, using a server certificate for encryption. 
[ssmtp]
accept = 465
connect = 127.0.0.1:25
cert = server.pem
[imap-client]
client = yes
accept = 127.0.0.1:1143
connect = mail.example.com:993
verifyChain = yes
Here, client = yes activates client-mode operation, and verifyChain = yes ensures the remote server's certificate chain is validated against trusted authorities, enhancing security during the handshake. To implement load balancing across multiple backend servers, multiple connect directives can be specified within a single service section, with the default failover = prio behavior distributing connections in priority order (first connect target preferred until failure, then fallback). This is useful for high-availability setups, such as proxying HTTP traffic. 
[http-proxy]
accept = 8080
cert = server.pem
connect = backend1.example.com:80
connect = backend2.example.com:80
failover = prio
The alternative (failover = [rr](/page/R&R)) can be used instead for even distribution, but mode prioritizes the listed order for weighted or sequential load handling. On Windows, Stunnel can be installed and managed as a service via its graphical installer, which prompts for private key passphrases during setup and allows editing configurations through a interface. A sample forwarding service, suitable for this environment, terminates TLS on port 443 and forwards to a local HTTP , including a timeout adjustment to mitigate truncation issues in SChannel implementations. 
[https]
accept = 443
connect = 127.0.0.1:80
cert = server.pem
TIMEOUTclose = 0
The TIMEOUTclose = 0 option prevents premature closure without a TLS close-notify alert, addressing a known vulnerability in Windows SSL/TLS handling. The GUI facilitates passphrase entry for encrypted keys without exposing them in plain text. For resilient connection handling in unstable networks, global or per-service options can enable retries on failure and delay DNS resolutions. These directives promote automatic recovery without manual intervention. 
; Global options
retry = yes
delay = yes
The retry = yes setting attempts reconnection after disruptions, while delay = yes postpones DNS lookups for dynamic hostnames until connection time, reducing resolution errors.

Security and Maintenance

Encryption and Authentication

Stunnel relies on the library as its cryptographic backend to implement TLS and SSL protocols, with support for TLS 1.2 and higher being mandatory in configurations using 3.0 or later, while TLS 1.3 is fully supported when using 1.1.1 or newer. This integration enables Stunnel to handle encryption for arbitrary connections without requiring modifications to the underlying applications. Additionally, Stunnel supports (PSK) authentication for both clients and servers, digital certificates for , and revocation checking through Certificate Revocation Lists (CRL) and (OCSP) via 's capabilities. For , Stunnel enforces (PFS) using Diffie-Hellman (DH) and Diffie-Hellman (ECDH) parameters, with 2048-bit DH parameters hardcoded or autogenerated temporarily every 24 hours in versions 5.18 and later. suites are customizable through the ciphers option for TLS 1.2 and below, and ciphersuites for TLS 1.3, with defaults excluding weak options such as NULL authentication or export-grade ciphers to ensure robust security; for example, suites like TLS_AES_256_GCM_SHA384 are prioritized for TLS 1.3. ECDH curves, such as X25519 or P-256, can be specified via the curves option, aligning with OpenSSL's supported elliptic curves. Authentication in Stunnel centers on server-side presentation, which is mandatory unless PSK is employed, using certificates in format stored in files like cert.pem and key.pem. Client is optional and configurable across four levels: level 0 disables ; level 1 verifies the peer only if presented; level 2 requires of the full against trusted CAs specified in CAfile; and level 3 extends this to check the end-entity (leaf) 's CRL status. Level 4, while supported in earlier versions for specific pinning scenarios, is handled through options like verifyPeer in modern setups for validation without full checks. (SNI) is supported for multiple domains on a single , allowing selection of appropriate certificates based on the client's requested hostname. Stunnel achieves compliance by activating the FIPS Provider through the fips = yes configuration option, which restricts operations to approved algorithms and requires a FIPS-capable build; this provider holds NIST validation #4282, ensuring adherence to federal cryptographic standards. management in Stunnel accommodates both self-signed certificates, generated via commands like make cert or manual creation, and CA-issued certificates obtained through Certificate Signing Requests (CSRs) submitted to trusted authorities. Passphrase-protected private keys are supported but can be converted to unprotected format using openssl rsa -in key.pem -out key-unprotected.pem for automation; chains, including intermediate CAs, are handled by appending them to the primary file in format.

Vulnerabilities and Best Practices

Stunnel, relying on for its cryptographic operations, has been affected by several -dependent vulnerabilities, including the bug (CVE-2014-0160), a critical information disclosure flaw in the TLS heartbeat extension that allowed attackers to read up to 64 KB of server memory, potentially exposing private keys and sensitive data; this impacted Stunnel versions prior to 5.01, which was released on April 8, 2014, to incorporate 1.0.1g and mitigate the issue. Another notable -related vulnerability was CVE-2014-0016, a private key leakage due to improper pseudo-random number generator (PRNG) state updates in fork-threaded environments, affecting Stunnel versions before 5.00, with version 5.00 released in March 2014 addressing the issue through enhanced PRNG handling. Stunnel-specific bugs have been rarer but significant, such as the in NTLM authentication during CONNECT protocol negotiation (CVE-2013-1762), which could lead to remote code execution and was fixed in version 4.55 in March 2013, with the fix carried forward into the 5.x series. More recent Stunnel-specific issues include CVE-2021-20230, an authentication bypass with the "redirect" option, fixed in version 5.56 in October 2021. Common deployment risks stem primarily from configuration errors rather than inherent flaws. Insufficient certificate verification levels, such as using verify = 0 or 1, can enable man-in-the-middle (MITM) attacks by accepting untrusted or self-signed s without chain validation. Failure to restrict cipher suites may allow weak algorithms like those vulnerable to attacks such as or Lucky Thirteen, particularly if legacy SSLv2 or SSLv3 protocols are not explicitly disabled via options like NO_SSLv2 and NO_SSLv3. Unthrottled connection handling without can expose Stunnel to denial-of-service () attacks, as seen in older issues like CVE-2002-1563 involving signal race conditions, though modern versions incorporate better . To mitigate these risks, administrators should always deploy the latest version of Stunnel, such as 5.76 released on October 18, 2025, which includes updates to 3.5.4 for ongoing security patches; as of November 2025, beta version 5.77 is available for testing. Enable strict peer with verify = 3 or higher combined with verifyChain = yes to enforce full certificate chain validation, and activate using OCSPaia = yes for real-time revocation checks without external queries. Restrict listening and connection endpoints to specific addresses via accept and connect directives to minimize exposure, and configure cipher restrictions to prioritize modern suites like TLS 1.3 with cipher = ECDHE-ECDSA-AES256-GCM-SHA384 or equivalent, while disabling insecure protocols. For maintenance, automate Certificate Revocation List (CRL) and OCSP updates to ensure timely invalidation of compromised certificates, and test compliance mode (fips = yes) in a staging environment before production use to verify adherence to federal cryptographic standards. On systems, implement privilege separation by enabling chroot = /var/run/stunnel to confine the process and setuid = nobody / setgid = nogroup to drop root privileges post-startup, avoiding execution as root entirely. Regular monitoring of logs (e.g., via output = /var/log/stunnel.log) is essential to detect anomalies like handshake failures or unauthorized access attempts. Auditing Stunnel deployments involves tools such as openssl s_client -connect [localhost](/page/Localhost):port -servername example.com to simulate connections and verify TLS negotiation, validity, and usage. Integrate with system monitoring solutions to alert on expiration or unusual traffic patterns, ensuring proactive maintenance.

References

  1. [1]
    stunnel: Home
    Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code.Downloads · Documentation · Examples · About
  2. [2]
    mtrojnar/stunnel: Public repository based on official ... - GitHub
    The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote servers.
  3. [3]
    Certificate #4282 - Cryptographic Module Validation Program | CSRC
    The OpenSSL FIPS Provider is a software library providing a C-language application program interface (API) for use by applications that require cryptographic ...
  4. [4]
    stunnel
    **Summary of Stunnel History and Development (from https://www.stunnel.org/docs.html):**
  5. [5]
    stunnel TLS Proxy
    The stunnel program is designed to work as TLS encryption wrapper between remote clients and local (inetd-startable) or remote servers.
  6. [6]
    4.8. Using stunnel | Security Guide | Red Hat Enterprise Linux | 7
    The stunnel program is an encryption wrapper between a client and a server. It listens on the port specified in its configuration file, encrypts the ...
  7. [7]
    HOWTO - stunnel
    HOWTO page for stunnel: a multiplatform GNU/GPL-licensed proxy encrypting arbitrary TCP connections with SSL/TLS.
  8. [8]
    Change Log - stunnel
    stunnel change log. Version 5.76, 2025.10.18, urgency: MEDIUM. Security bugfixes. OpenSSL DLLs updated to version 3.5.4. Service-level multivalued options ...
  9. [9]
    Support - stunnel
    Commercial support. Example services provided ... We will add it for you! Our supporters: Go to the top. Donate. View Michal Trojnara's profile on LinkedIn.
  10. [10]
    Current Features - stunnel
    Current Features page for stunnel: a multiplatform GNU/GPL-licensed proxy encrypting arbitrary TCP connections with SSL/TLS.Missing: functionality | Show results with:functionality
  11. [11]
    Performance - stunnel
    Performance page for stunnel: a multiplatform GNU/GPL-licensed proxy encrypting arbitrary TCP connections with SSL/TLS.
  12. [12]
    stunnel(8) - Arch manual pages
    The protocol option should not be used with TLS encryption on a separate port. Currently supported protocols: cifs: Proprietary (undocumented) extension of CIFS ...
  13. [13]
    stunnel
    ### Summary of Installation Methods and Dependencies
  14. [14]
    stunnel - Homebrew Formulae
    Install command: brew install stunnel. SSL tunneling program. https://www.stunnel.org/. License: GPL-2.0-or-later.
  15. [15]
    Unix Configuration - stunnel
    Sample stunnel configuration file for Unix by Michal Trojnara 1998-2025. Some options used here may be inadequate for your particular configuration.Missing: verification | Show results with:verification
  16. [16]
    Use Stunnel to Secure POP, IMAP and SMTP - SitePoint
    Mar 1, 2024 · Stunnel works by creating an encrypted tunnel between the client and server for POP, IMAP, and SMTP protocols. It acts as a proxy, receiving ...Missing: legacy | Show results with:legacy
  17. [17]
    Documentation: 18: 18.8. Encryption Options - PostgreSQL
    Stunnel or SSH can also be used to encrypt transmissions. SSL Host Authentication. It is possible for both the client and server to provide SSL certificates to ...
  18. [18]
    how to secure samba with stunnel - NetBSD Wiki
    Stunnel secures Samba by listening on a client port and forwarding encrypted data to the server. Configure stunnel, and set up the server normally.Missing: case | Show results with:case
  19. [19]
    Windows Configuration - stunnel
    Windows Configuration page for stunnel: a multiplatform GNU/GPL-licensed proxy encrypting arbitrary TCP connections with SSL/TLS.
  20. [20]
    stunnel - TLS offloading and load-balancing proxy - Ubuntu Manpage
    The stunnel program is designed to work as TLS encryption wrapper between remote clients and local (inetd-startable) or remote servers.<|separator|>
  21. [21]
    Authentication - stunnel
    It provides both client and server authentication. PSK is also the fastest TLS authentication. PSK authentication requires stunnel version 5.09 or higher.
  22. [22]
    [stunnel-users] Difference between verify=2, 3 and 4 - Google Groups
    Sep 14, 2013 · They differ in how you manage certificates to validate them. The level 2 verify the peer certificate against CA (CAfile). The level 3 verify the ...
  23. [23]
    https://www.stunnel.org/auth.html
  24. [24]
    CVE-2014-0016 - Stunnel
    The affected versions of stunnel, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which ...Missing: Heartbleed | Show results with:Heartbleed
  25. [25]
    Known Vulnerabilities - stunnel
    Stunnel has known vulnerabilities including authentication bypass, private key leaks, remote code execution, denial of service, and file descriptor leaks.Missing: history Heartbleed
  26. [26]
    Release List - stunnel
    2025.10.18 - Version 5.76 released, urgency=MEDIUM · 2025.05.26 - Version 5.75 released, urgency=MEDIUM · 2024.12.13 - Version 5.74 released, urgency=HIGH ...Missing: initial | Show results with:initial