stunnel 5.01, latest version for OpenWRT

As of April 16 2014, the latest upstream version of stunnel is 5.01. The version in OpenWRT's package repository is 4.33. (Here's a handy website to track upstream vs. OpenWRT versions of packages.)

Separating these two versions are many bugfixes and 2 CVEs: CVE-2013-1762 CVE-2014-0016

Running software with known vulnerabilities is a bad idea (citation needed). Therefore I compiled the latest version of stunnel for my router.

Download and Compile

You can grab the Makefile and other package definition files here.

Put the stunnel directory somewhere under the packages/ directory under your openwrt buildroot and execute

make packages/path/to/stunnel/compile

If all goes well, you should see the compiled package under bin/.

I compiled this successfully against the latest trunk buildroot; here's the binary package for target ar71xx, and it seems to run fine on my Netgear WNDRMACv2.


Compared to version 4.33 in OpenWRT feeds, the following are changed for 5.01:

    • Source code of version 5.01 is downloaded and compiled instead of 4.33. Obviously.
    • A dependence on libpthread is added. The compiled binary somehow depends on libpthread, even though during ./configure the option --with-threads=fork is specified. I'm not sure whether this is proper behavior, but haven't investigated further.
    • Most patches removed since the code snippets they act on aren't around anymore.
    • Changed the patches that act on the default stunnel.conf to match that in the new version.
    • Changed stunnel.init to remove checking for stunnel.pem on start and generating certificate and keys if that file doesn't exist. I like putting my certificates elsewhere, and the key generator didn't even work anyways.

Possible bug?

In the compiled binary package, the default stunnel.conf file has a line setgid = nobody. This group does not exist on my OpenWRT installation; the proper group should be nogroup. IIRC the same applies to the official 4.33 binary package.

Final Notes

The files linked in the Download and Compile section are released under GPLv2.

I am not responsible for any possible loss/consequences of using these instructions and files. Use at your own risk.