diff -cr stunnel-4.04.orig/src/client.c stunnel-4.04/src/client.c
*** stunnel-4.04.orig/src/client.c	Wed Jan  1 11:04:39 2003
--- stunnel-4.04/src/client.c	Wed Apr 23 23:44:07 2003
***************
*** 234,239 ****
--- 234,249 ----
          sslerror("SSL_new");
          return -1;
      }
+ 
+     /* Set blinding iff it's not built into our OpenSSL version */
+ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
+     if(options.option.cert)
+     	set_rsa_blinding(c->ssl);
+ #else
+     log(LOG_DEBUG, "Relying on OpenSSL RSA Blinding.");
+ #endif
+ 
+ 
  #if SSLEAY_VERSION_NUMBER >= 0x0922
      SSL_set_session_id_context(c->ssl, sid_ctx, strlen(sid_ctx));
  #endif
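Review bot: The `set_rsa_blinding(c->ssl)` call sits in the per-connection path right after `SSL_new`, so blinding is re-enabled for every session instead of once when the key is loaded. If the private key object is shared between sessions created from the same context (likely, but not visible in this hunk), repeated `RSA_blinding_on` calls would modify shared key state while other connections may be using it. Enabling blinding once during certificate or context setup would avoid that. The `int` result is also discarded here, and the `#else` branch logs `Relying on OpenSSL RSA Blinding.` on every connection, where a single startup message would be enough.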
***************
*** 913,917 ****
--- 923,960 ----
      if(setsockopt(fd, SOL_SOCKET, SO_LINGER, (void *)&l, sizeof(l)))
          log_error(LOG_DEBUG, get_last_socket_error(), txt);
  }
+ 
+ 
+ int set_rsa_blinding(SSL *ssl) {
+ #ifndef NO_RSA
+ 
+     /* Turn on blinding iff using RSA */
+ 
+     RSA *rsa;
+     EVP_PKEY *pkey;
+ 
+     if ( (pkey = SSL_get_privatekey(ssl)) ) {
+ 	if ( (rsa = EVP_PKEY_get1_RSA(pkey)) ) {
+ 	    if ( RSA_blinding_on(rsa,NULL) ) {
+ 		log(LOG_DEBUG, "Stunnel manual RSA blinding enabled");
+ 	    } else {
+ 		log(LOG_ERR, "Unable to set RSA blinding");
+ 		sslerror("RSA_blinding_on");
+ 		exit(1);
+ 	    }
+ 	    /* EVP_PKEY_get1_RSA ups the count for rsa - free extra */
+ 	    RSA_free(rsa);
+ 	} else {
+ 	    log(LOG_DEBUG, "Private key is not RSA, no blinding needed");
+ 	}
+     } else {
+ 	log(LOG_ERR, "Unable to get access to the SSL private key.");
+ 	sslerror("SSL_get_privatekey");
+ 	exit(1);
+     }
+ #endif
+     return(1);
+ }
+ 
  
  /* End of client.c */
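Review bot: Both failure branches of `set_rsa_blinding` call `exit(1)`, which ends the whole process from what the first client.c hunk shows to be a per-connection path, where the neighbouring `SSL_new` failure only does `return -1`. Because the function otherwise always returns 1, its `int` result tells the caller nothing. Returning 0 on failure (after `RSA_free(rsa)` in the inner branch) and calling it as `if(options.option.cert && !set_rsa_blinding(c->ssl)) return -1;` would keep one failed session from terminating every other tunnel. Whether `c->ssl` must be released on that early return cannot be told from these hunks. A header comment stating the return convention and that the function keeps no reference to the key would also help.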
diff -cr stunnel-4.04.orig/src/prototypes.h stunnel-4.04/src/prototypes.h
*** stunnel-4.04.orig/src/prototypes.h	Wed Jan  1 06:33:54 2003
--- stunnel-4.04/src/prototypes.h	Wed Apr 23 23:36:08 2003
***************
*** 242,247 ****
--- 242,248 ----
  
  void *alloc_client_session(LOCAL_OPTIONS *, int, int);
  void *client(void *);
+ int set_rsa_blinding(SSL *);
  
  /**************************************** Prototype for protocol.c */
  
diff -cr stunnel-4.04.orig/src/ssl.c stunnel-4.04/src/ssl.c
*** stunnel-4.04.orig/src/ssl.c	Wed Jan  1 06:07:08 2003
--- stunnel-4.04/src/ssl.c	Wed Apr 23 23:36:08 2003
***************
*** 367,372 ****
--- 367,378 ----
      result=RSA_generate_key(keylen, RSA_F4, NULL);
  #endif
      log(LOG_DEBUG, "Temporary RSA key created");
+ 
+     /* Set blinding iff it's not built into our OpenSSL version */
+ #if SSLEAY_VERSION_NUMBER <= 0x0090701fL
+     RSA_blinding_on(result,NULL);
+ #endif
+ 
      return result;
  }
  
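Review bot: `RSA_blinding_on(result,NULL)` is called without checking `result` or the call's own return value. No NULL check after `RSA_generate_key` is visible in this hunk (the function starts above it, so one may exist), and a failed key generation would pass NULL into the call. A failure to enable blinding is also silent here, whereas client.c treats it as fatal. Something like `if(result && !RSA_blinding_on(result, NULL)) sslerror("RSA_blinding_on");` would report the failure and make the two paths consistent.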
