
Hello Michal,

I've read that you prefer not to support X-Forwarded-For because the old code had a buffer overflow and did not support keep-alive functions of HTTP/1.1. I believe the overflow was fixed in the newer version of the patch I've attached.

IMHO the patch will still be very useful, even if it does not support keep-alive: often in high-performance setups keep-alive is not even desired because it fills up resources needlessly. Even if this does not provide all features, a lot of people would be satisfied with it.

There is a great desire for this patch: if one searches for "stunnel x-forwarded-for" on Google, you will find more than 60 pages and not only a few dozen blogs/mailing lists that discuss applying the patch and getting it to work as an SSL terminator for loadbalancing software.

And last, I know that the patch (the one Willy Tarreau is hosting on haproxy.1wt.eu and is attached) is in use at several high-traffic websites and runs stable. ;)

If it's too much of a hassle for you to review and/or integrate the patch, I can understand that very well. I'd just like to open a discussion and would like to know if you have concerns regarding the patch quality, even if you do not want to include the patch at this time. :)

Best regards,
Stefan Behte