When transparent mode is enabled and sslh listening on :: IPv6 address then
source origin address is propagated to target application independently if
connection is IPv4 or IPv6.
On Linux by default IPv6 socket can accept also IPv4 connections. More
applications, including OpenSSH server do not accept IPv4 connections on
IPv6 socket and therefore such transparent configuration does not work.
On BSD systems it is turned off by default due to security reasons.
This patch disables IPv4 connections on IPv6 listening sockets. If somebody
needs to have sslh listening on both IPv4 and IPv6 addresses, then still it
is possible by specifying multiple --listen arguments.
I think it is more misleading if option --listen :::443 cause listening on
both IPv4 and IPv6 addresses even IPv4 address was not specified. This can
also cause security related problems for people who do not know about this
fact as documentation does not mentioned this behavior.
When the source and destination are the same, the bind_peer() will
fail, thus end the connection. Therefore a check of all the interface
IPs are checked to skip bind() if they are the same.
Use libcap for saving CAP_NET_ADMIN (if --transparent is given) over a
setuid(). We don’t need CAP_NET_BIND_SERVICE as the listening sockets
are established before dropping root.
The current asprintf usage triggers many warnings like:
sslh-main.c: In function 'print_usage':
sslh-main.c:86:17: warning: ignoring return value of 'asprintf',
declared with attribute warn_unused_result [-Wunused-result]
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Corrected OpenVPN probe to support pre-shared secret
mode (OpenVPN port-sharing code is... wrong). Thanks
to Kai Ellinger for help in investigating and
testing.
Added an actual TLS/SSL probe.
Added configurable --on-timeout protocol
specification.
Added a --anyprot protocol probe (equivalent to what
--ssl was).
Makefile respects the user's compiler and CFLAG
choices (falling back to the current values if
undefined), as well as LDFLAGS.
(Michael Palimaka)
Added "After" and "KillMode" to systemd.sslh.service
(Thomas Weischuh).
Added LSB tags to etc.init.d.sslh
(Thomas Varis).
Added support for configuration file.
New protocol probes can be defined using regular
expressions that match the first packet sent by the
client.
sslh now connects timed out connections to the first
configured protocol instead of 'ssh' (just make sure
ssh is the first defined protocol).
sslh now tries protocols in the order in which they
are defined (just make sure sslh is the last defined
protocol).
WARNING: defaults have been removed for --user and
--pidfile options, update your start-up scripts!
No longer stop sslh when reverse DNS requests fail
for logging.
Added HTTP probe.
No longer create new session if running in
foreground.
No longer default to changing user to 'nobody'. If
--user isn't specified, just run as current user.
No longer create PID file by default, it should be
explicitely set with --pidfile.
No longer log to syslog if in foreground. Logs are
instead output to stderr.
The four changes above make it straightforward to
integrate sslh with systemd, and should help with
launchd.
Fixed calls referring to sockaddr length so they work
with FreeBSD.
Try target addresses in turn until one works if
there are several (e.g. "localhost:22" resolves to
an IPv6 address and an IPv4 address and sshd does
not listen on IPv6).
Fixed sslh-fork so killing the head process kills
the listener processes.
Heavily cleaned up test suite. Added stress test
t_load script. Added coverage (requires lcov).
Support for XMPP (Arnaud Gendre).
Updated README.MacOSX (Aaron Madlon-Kay).
