Version 5.75; 2025.05.26; urgency: MEDIUM$$$Security bugfixes$$$OpenSSL DLLs updated to version 3.4.1.$$$OpenSSL FIPS Provider updated to version 3.1.2.$$$Bugfixes$$$Fixed infinite loop triggered by OCSP URL parsing errors (thx to Richard Könning for reporting).$$$Fixed OPENSSL_NO_OCSP build issues (thx to Dmitry Mostovoy for reporting).$$$Fixed default curve selection in FIPS mode with OpenSSL 3.4+.$$$Fixed tests with modern Python versions.$$$Fixed tests with multiple OpenSSL versions installed.$$$Features$$$Added provider URI support for cert and key options.$$$Added new CAstore service-level option (OpenSSL 3.0+).$$$Added provider (OpenSSL 3.0+); providerParameter (OpenSSL 3.5+); and setEnv global options.$$$Key file/URI path added to passphrase prompt on Unix.$$$PKCS#11 provider installed on Windows.

stunnel change log$$$Version 5.74; 2024.12.13; urgency: HIGH$$$Bugfixes$$$Fixed a stapling cache deallocation crash.$$$Fixed redirect with protocol negotiation.$$$Features$$$protocolHost support for socks protocol clients.$$$More detailed logs in OpenSSL 3.0 or later.

stunnel change log$$$Version 5.73; 2024.09.09; urgency: MEDIUM$$$Security bugfixes$$$OpenSSL DLLs updated to version 3.3.2.$$$OpenSSL FIPS Provider updated to version 3.0.9.$$$Bugfixes$$$Fixed a memory leak while reloading stunnel.conf sections with client=yes and delay=no.$$$Fixed TIMEOUTocsp with values greater than 4.$$$Fix the IPv6 test on a non-IPv6 machine.$$$Features$$$HELO replaced with EHLO in the post-STARTTLS SMTP protocol negotiation (thx to Peter Pentchev).$$$OCSP stapling fetches moved away from server threads.$$$Improved client-side session resumption.$$$Added support for the mimalloc allocator.$$$Check for protocolHost moved to configuration file processing for the client-side CONNECT protocol.$$$Clarified some confusing OpenSSLs certificate verification error messages.$$$stunnel.nsi updated for Debian 13 and Fedora.$$$Improved NetBSD compatibility.

Version 5.72; 2024.02.04; urgency: MEDIUM$$$Security bugfixes$$$OpenSSL DLLs updated to version 3.2.1.$$$Bugfixes$$$Fixed SSL_CTX_new() errors handling.$$$Fixed OPENSSL_NO_PSK builds.$$$Android build updated for NDK r23c.$$$stunnel.nsi updated for Debian 12.$$$Fixed tests with OpenSSL older than 1.0.2.

* Security bugfixes$$$ - OpenSSL DLLs updated to version 3.1.3.$$$* Bugfixes$$$ - Fixed the console output of tstunnel.$$$* Features sponsored by SAE IT-systems$$$ - OCSP stapling is requested and verified in the client mode.$$$ - Using verifyChain automatically enables OCSP$$$ stapling in the client mode.$$$ - OCSP stapling is always available in the server mode.$$$ - An inconclusive OCSP verification breaks TLS negotiation.$$$ This can be disabled with OCSPrequire = no.$$$ - Added the TIMEOUTocsp option to control the maximum$$$ time allowed for connecting an OCSP responder.$$$* Features$$$ - Added support for Red Hat OpenSSL 3.x patches.

* Security bugfixes$$$ - OpenSSL DLLs updated to version 3.1.3.$$$* Bugfixes$$$ - Fixed the console output of tstunnel.$$$* Features sponsored by SAE IT-systems$$$ - OCSP stapling is requested and verified in the client mode.$$$ - Using verifyChain automatically enables OCSP$$$ stapling in the client mode.$$$ - OCSP stapling is always available in the server mode.$$$ - An inconclusive OCSP verification breaks TLS negotiation.$$$ This can be disabled with OCSPrequire = no.$$$ - Added the TIMEOUTocsp option to control the maximum$$$ time allowed for connecting an OCSP responder.$$$* Features$$$ - Added support for Red Hat OpenSSL 3.x patches.