Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs’ code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.
Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are compiled into the library. It can benefit from the FIPS 140-2 validation of the OpenSSL FIPS Object Module, as long as the building process meets its Security Policy. A scanned FIPS 140-2 Validation Certificate document is available for download on the NIST web page. The OpenSSL FIPS 140-2 module is currently only available for OpenSSL 1.0.2. FIPS-enabled Windows installers of stunnel are available on request with our customer support plans.
Portability (Threading Models)
PTHREAD (POSIX)
FORK (traditional Unix)
UCONTEXT (user-level)
WIN32
Performance and Scalability
Load balancing backend servers with round-robin and priority strategies
External session cache (for clusters)
Compression (for limited bandwidth)
Support for OpenSSL Security Features
Access control with TLS-PSK (pre-shared key) and certificates
CRL and OCSP certificate revocation
SNI (Server Name Indication) support for name-based virtual servers
PFS (Perfect Forward Secrecy) with DH and ECDH key agreement
FIPS mode (for compliance)
OpenSSL engines, including CAPI (Microsoft CryptoAPI)
What's new in version 5.66