I'm setting up an internet-facing server that will be running a service wrapped with stunnel. Given that, it made sense to me to use fail2ban to block repeat connection attempts from clients who don't have the right certificate (the system is using client-certificate authentication). Unfortunately, stunnel4 doesn't put the client source IP in connection failure log lines, so I made this quick patch to enable that.
---cut here---- --- src/client.c.orig 2011-10-05 16:47:48.000000000 -0700 +++ src/client.c 2011-10-05 16:50:37.000000000 -0700 @@ -358,10 +358,13 @@ continue; } } - if(c->opt->option.client) + if(c->opt->option.client) { sslerror("SSL_connect"); - else - sslerror("SSL_accept"); + } else { + char buf[255]; + sprintf(buf, "SSL_accept from %s ", c->accepted_address); + sslerror(buf); + } longjmp(c->err, 1); } if(SSL_session_reused(c->ssl)) { ----cut here----
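Review bot: the sprintf in the SSL_accept branch copies c->accepted_address into a fixed 255-byte buf with no length bound; use snprintf(buf, sizeof buf, "SSL_accept from %s", c->accepted_address) so the write stays bounded even if that field is ever wider than assumed, and drop the trailing space in the format string so sslerror's own ": " separator does not produce "from 1.2.3.4 : error". Also confirm that c->accepted_address has been filled in on every path that reaches this branch (a handshake that fails before the address is recorded would log an empty or stale value), since the fail2ban match depends on that field being correct.

To check that fail2ban can actually consume the new log line, here is an added example (not part of the original post or of stunnel) that takes a fail2ban-style failregex for the patched message, applies it to a few constructed stunnel log lines, and counts failures per source IP the way a jail with maxretry would. It assumes the patched sslerror() produces lines of the form "<date> <time> LOG3[pid:tid]: SSL_accept from <ip> : <openssl error>"; the exact prefix and error text are assumptions based on stunnel's usual log format, and the `<HOST>` expansion is a simplified version of fail2ban's.

```python
import re
from collections import Counter

# Hypothetical fail2ban failregex for the patched stunnel message.
# Assumption: the patched sslerror() logs
#   "<date> <time> LOG3[pid:tid]: SSL_accept from <ip> : error:..."
# The " ?:" tolerates the trailing space the patch puts before sslerror's separator.
FAILREGEX = r"^.*LOG\d\[\d+:\d+\]: SSL_accept from <HOST> ?:.*$"

# Constructed sample log lines (not real stunnel output): three failures from one
# client, one successful handshake, one failure from a second client.
SAMPLE_LOG = """\
2011.10.05 16:51:02 LOG3[2312:3078]: SSL_accept from 203.0.113.7 : error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2011.10.05 16:51:05 LOG3[2312:3078]: SSL_accept from 203.0.113.7 : error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2011.10.05 16:51:09 LOG3[2312:3078]: SSL_accept from 203.0.113.7 : error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
2011.10.05 16:51:11 LOG5[2312:3078]: SSL accepted: new session negotiated
2011.10.05 16:51:15 LOG3[2312:3078]: SSL_accept from 198.51.100.4 : error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern.

    fail2ban replaces <HOST> with a group matching an IPv4/IPv6 address or
    hostname; this simplified version uses a single non-space run, which is
    enough for the address forms stunnel writes into accepted_address.
    """
    host_group = r"(?P<host>[0-9A-Fa-f:.]+|[\w.-]+)"
    return re.compile(failregex.replace("<HOST>", host_group))


def parse_failures(log_text, failregex=FAILREGEX):
    """Return the list of hosts, one entry per matching failure line."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=3, failregex=FAILREGEX):
    """Hosts whose failure count reached maxretry, as a fail2ban jail would see it.

    The findtime window is ignored here: all sample lines fall within a few seconds.
    """
    counts = Counter(parse_failures(log_text, failregex))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print("failures:", parse_failures(SAMPLE_LOG))
    print("ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

With maxretry set to 3 only 203.0.113.7 is banned; the successful handshake line does not match and the single failure from 198.51.100.4 stays under the threshold. Once the real log format is confirmed, the same failregex can be dropped into a fail2ban filter file and checked against the live log with fail2ban-regex before enabling the jail.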