Hello Michal,
I've read that you prefer not to support X-Forwarded-For because an old code had a buffer overflow and did not support keep-alive functions of HTTP/1.1.
I believe the overflow was fixed in the newer version of the patch I've attached.
IMHO the patch will still be very useful, even if it does not support keep-alive: often in high-performence setups keep-alive is not even desired because it fills up ressources needlessly. Even if this does not provide all features, a lot of people would be satisfied with it.
There is a great desire for this patch, if one searches for "stunnel x-forwarded-for" on google, you will find more than 60 pages and not only a few dozens of blogs/mailing lists that discuss applying the patch and getting it to work as an SSL terminator for loadbalancing software.
And last, I know that the patch (the one Willy Tarreau is hosting on haproxy.1wt.eu and is attached) is in use at several high-traffic websites and runs stable. ;)
If it's too much of a hassle for you to review and/or integrate the patch, I can understand that very well, I'd just like to open a discussion and would like to know if you have concerns regarding the patch quality, even if you do not want to include the patch at this time. :)
Best regards,
Stefan Behte