Yves Rutschle
b36fc73b7a
log timeouts
2017-12-17 14:57:45 +01:00
Yves Rutschle
a7f0c456ab
die if target cannot be resolved (otherwise, we segfault when printing the settings or later)
2017-12-17 14:55:51 +01:00
yrutschle
7808a3a766
Merge pull request #142 from astiob/select-bugs
Fix several bugs in sslh-select
2017-12-16 19:51:23 +01:00
yrutschle
f5b1b881a4
Merge pull request #145 from ariera/master
Doc update about Transparent proxy support
2017-12-16 19:11:34 +01:00
yrutschle
f8a16c7a29
Merge pull request #146 from guusdk/SSLv2-clienthello
Allow SSLv2 CLIENT-HELLO (without SSL 2.0)
2017-12-16 19:09:25 +01:00
yrutschle
b33c65ed53
Merge pull request #96 from candrews/patch-1
Harden the systemd service
2017-12-16 19:04:52 +01:00
yrutschle
2f8e635b67
Merge pull request #97 from candrews/patch-2
make sure the files using version.h depend on it being generated first
2017-12-16 19:01:28 +01:00
yrutschle
b8851d6714
Merge pull request #98 from candrews/patch-3
Build systemd-sslh-generator if USESYSTEMD is set
2017-12-16 18:59:36 +01:00
Craig Andrews
e33124718e
Harden the systemd service
2017-12-12 16:40:53 -05:00
yrutschle
85b94c3259
Merge pull request #153 from rdebath/master
Move hexdump to verbose level 2
2017-11-28 21:05:50 +01:00
Robert de Bath
4e790e074f
Move hexdump to verbose level 2
From the command line you use two "-v" options or in the configuration
file you replace the boolean "verbose:true" with an integer "verbose:2".
2017-11-27 21:05:07 +00:00
Yves Rutschle
6ca1ee7bfd
remove leftover debug messages
2017-11-26 20:10:05 +01:00
yrutschle
e66e443d5e
Merge pull request #151 from rdebath/patch-3
Hexdump for verbose mode.
2017-11-24 13:55:53 +01:00
yrutschle
faa928b75a
Merge pull request #150 from rdebath/patch-2
Get libpcre working (and by default)
2017-11-24 13:53:52 +01:00
yrutschle
2ad99fd36f
Merge pull request #149 from rdebath/patch-1
Fixup compile using -std=c90
2017-11-24 13:52:22 +01:00
Robert de Bath
64485d7a58
Send hexdump to stderr like other verbose logs.
2017-11-23 20:52:54 +00:00
orbitarm
5b756ebd0a
verbose: dump hex value of packet
uses the hexdump() function to display the hex value of each probed
packet, making it easy to create regex rules for unsupported connections
2017-11-23 20:52:54 +00:00
Robert de Bath
021eb836e4
Adjust linking so that wrapper libraries are static.
2017-11-23 20:51:57 +00:00
Robert de Bath
cb90cc97ae
Default to using libpcre and actually use it
as libpcre has better binary support.
Note: just linking libpcre has no effect; the POSIX functions are
provided by libpcreposix.
Use "make USELIBPCRE=" to turn libpcre off and link the POSIX library.
2017-11-23 20:51:57 +00:00
Robert de Bath
338daafe87
Use REG_EXTENDED for regex matching
The "7 regex" manual page called 'Basic' regular expressions "Obsolete".
It also matches the pcre expressions slightly better.
2017-11-23 20:51:57 +00:00
Robert de Bath
9fcbe8c7ea
Fixup compile using -std=c90
2017-11-23 20:50:49 +00:00
yrutschle
2a7bafdd7f
Merge pull request #147 from jmccrohan/master
tls: ensure hostname is always null-terminated
2017-11-13 23:03:12 +01:00
Jonathan McCrohan
3f5d9a4168
tls: ensure hostname is always null-terminated
6cc3382 introduced a potential buffer overflow. Ensure that hostname is
always null-terminated. (Issue #135)
Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>
2017-11-13 00:15:41 +00:00
Guus der Kinderen
1f98b97756
Allow SSLv2 CLIENT-HELLO (without SSL 2.0)
The existing TLS probe is documented to ignore SSL 2.0, citing RFC 6176 as a reason.
RFC 6176 does prohibit the usage of SSL 2.0, but does allow for ClientHello messages
in the version 2 CLIENT-HELLO format (as long as those are used to negotiate the use
of a higher protocol).
This commit extends the TLS probe, by making it accept SSL v2 ClientHello messages
that negotiate a version of SSL/TLS 1.0 or higher (which is the same version range
as the original code).
2017-11-10 19:47:07 +01:00
Alejandro Riera
09d11e3bc8
Doc update about Transparent proxy support
Advise users to save the configuration of `iptables` and `ip` rules and routes, or they risk losing it after a reboot and/or crash.
2017-11-08 11:54:26 +01:00
Oleg Oshmyan
2a70470f13
sslh-select: reduce CPU and memory usage in forked processes
2017-10-28 23:27:10 +03:00
Oleg Oshmyan
2544f20bdf
sslh-select: support forking for particular protocols
To keep the code simple, use the same event loop in the child process
as in the parent process but close all irrelevant file descriptors.
2017-10-28 23:27:06 +03:00
Oleg Oshmyan
60b11e4964
Fix defer_write when deferred_data != begin_deferred_data
I think this currently never happens, but let's
not wait until it starts happening and blows up.
2017-10-28 23:13:29 +03:00
Oleg Oshmyan
b7fafb5039
sslh-select: invoke FD_CLR on fd before closing fd
POSIX requires the fd argument to any FD_ macro to be valid.
2017-10-28 23:13:28 +03:00
Oleg Oshmyan
b56f302b85
sslh-select: simplify some code
2017-10-28 23:13:28 +03:00
Oleg Oshmyan
684c9afcc6
sslh-select: actually close socket on error in accept_new_connection
Previously, it was leaked (and the client was left waiting for a timeout).
2017-10-28 23:13:28 +03:00
Oleg Oshmyan
a3df50f31f
sslh-select: fix connections with deferred data after connect_queue
Previously, if some data was still deferred after the connect_queue
call, the server side of the connection would never start being
monitored for reads, while the client side kept being monitored
and new data from the client could be sent to the server before
the previously deferred data.
2017-10-28 23:13:28 +03:00
Thilo Molitor
d243d36add
Fix ipv6 config copy-paste errors
2017-10-10 07:36:09 +02:00
Thilo Molitor
74767cb781
Some cleanup
2017-10-10 07:22:44 +02:00
Thilo Molitor
2a76b520d5
Add better documentation of transparent proxy support.
This allows for some more generalized configs.
You don't need to specify ports anymore and still can
connect directly to the running services if you want.
It also allows you to use "localhost" as destination in your sslh config,
something that wasn't possible with the old scheme.
2017-10-10 07:07:28 +02:00
Yves Rutschlé
0929d39a34
move Let's encrypt config before TLS catchall
2017-09-24 19:55:38 +00:00
Yves Rutschle
f4d2a8d2ad
fix logging to specified facility
2017-07-22 17:20:45 +02:00
Yves Rutschle
aa06261d70
added syslog_facility option
2017-07-21 22:46:24 +02:00
Yves Rutschle
dd900ebf3e
fail gracefully if target protocol description is incomplete
2017-07-09 20:51:53 +02:00
Yves Rutschlé
21f524f711
Add support for wildcard ALPN/SNI values
2017-06-12 21:05:12 +00:00
Jonathan McCrohan
1e65088b7e
example.cfg: Add Let's Encrypt support to config
Provides a sample config for Let's Encrypt using the tls-sni-*
challenges. Requires wildcard support added in 6cc3382.
Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>
2017-06-06 01:37:07 +01:00
Jonathan McCrohan
6cc33820d1
tls: permit wildcard ALPN/SNI values
Use fnmatch(3) to provide support for glob style wildcard values in the
ALPN and SNI parameters of the TLS probe.
Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>
2017-06-06 01:11:29 +01:00
Yves Rutschle
00d5872aa1
ignore brackets in hostname in config files
2017-04-21 22:33:02 +02:00
Yves Rutschle
7d561af423
allocate listen[] before writing to it...
2017-04-18 21:04:30 +02:00
Yves Rutschle
cce42c6882
re-indent
2017-04-18 20:53:19 +02:00
Yves Rutschle
b0f4e24ce0
IP_FREEBIND: real fix, ignore catastrophic previous checkin
2017-04-06 17:13:11 +02:00
Yves Rutschle
078827ad3f
Some systems define IP_FREEBIND but don't implement it, which results in setsockopt() failing. No need to die in that case; just ignore the error.
2017-04-06 16:26:27 +02:00
yrutschle
4413284420
Merge pull request #120 from yann-morin-1998/yem/parallel-make
Makefile: fix parallel build
2017-02-23 22:54:55 +01:00
Yann E. MORIN
70a2ea926e
Makefile: fix parallel build
version.h is included by some .o files, but it is generated. As such, it
must be a dependency of those .o files.
Rather than filter exactly which .o file needs it, just add a generic
dependency for all .o files on version.h.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
2017-02-23 22:49:31 +01:00
Yves Rutschle
e4a4e04bf8
Clarify no space after -F (Issue 108, take 2)
2017-01-08 13:00:19 +01:00