Stunnel

(stunnel.org)

35 points | by firesteelrain 4 hours ago

8 comments

  • tbrownaw 2 hours ago

    Is there anything that isn't horribly outdated that still needs this?

    • TheFinalDraw 3 minutes ago

      The company I work for has used it as a relatively simple method for implementing mutual TLS (mTLS) for legacy apps or systems for which it would otherwise be annoying or more difficult to integrate mTLS, or which don’t support mTLS with a custom trust store.

    • ray_v an hour ago

      Let me introduce you to software for public library information systems that still thinks it's the 90s!

    • patmcc 28 minutes ago

      No joke, it just came up at work as a possible solution to something. We have some legacy systems that talk over TCP in plaintext. It's all within well-secured networks on locked down machines, so fine. But now we want to move things to Megaport, and their agreement says "btw don't put anything in plaintext ever, we guarantee nothing". So stunnel will probably be the fix.

    • ectospheno an hour ago
    • creatonez an hour ago

      I mean, most web application backends don't implement TLS at all, under the assumption that you're using it alongside a reverse proxy. Most of the time this is nginx, but if you want to ensure no bugs are introduced on the HTTP level by the reverse proxy, stunnel is a perfectly fine option.

    • ranger_danger 2 hours ago

      I use it to wrap my gstreamer tcp streams in TLS to send them over the internet, but socat can also do the same thing.