SSLproxy/NEWS


### SSLsplit master

-   SSLsplit no longer chroot()s to /var/empty by default if run by root,
    in order to prevent breaking -S and sni proxyspecs (issue #21).
-   Load -t certificates before dropping privileges (issues #19 and #20).
-   Fix segmentation fault when using -t without a CA.


### SSLsplit 0.4.8 2014-01-15

-   Filter out Alternate-Protocol response header to suppress SPDY/QUIC.
-   Add experimental support for pf on Mac OS X 10.7+ (issue #15).
-   Also build ipfw NAT engine if pf is detected to support pf divert-to.
-   Unit tests (make test) no longer require Internet connectivity.
-   Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the per
    connection memory footprint significantly when using OpenSSL 1.0.0+.
-   Fix memory corruption after the certificate in the cache had to be updated
    during connection setup (issue #16).
-   Fix file descriptor leak in passthrough mode (-P) after SSL errors.
-   Fix OpenSSL data structures memory leak on certificate forgery.
-   Fix segmentation fault on connections without SNI hostname, caused by
    compilers optimizing away a NULL pointer check (issue #14).
-   Fix thread manager startup failure under some circumstances (issue #17).
-   Fix segmentation faults if thread manager fails to start (issue #10).


### SSLsplit 0.4.7 2013-07-02

-   Fix remaining threading issues in daemon mode.
-   Filter HPKP header lines from HTTP(S) response headers in order to prevent
    public key pinning based on draft-ietf-websec-key-pinning-06.
-   Add HTTP status code and content-length to connection log.


### SSLsplit 0.4.6 2013-06-03

-   Fix fallback to passthrough (-P) when no matching certificate is found
    for a connection (issue #9).
-   Work around segmentation fault when loading certificates caused by a bug
    in OpenSSL 1.0.0k and 1.0.1e.
-   Fix binding to ports < 1024 with default settings (issue #8).


### SSLsplit 0.4.5 2012-11-07

-   Add support for 2048 and 4096 bit Diffie-Hellman.
-   Fix syslog error messages (issue #6).
-   Fix threading issues in daemon mode (issue #5).
-   Fix address family check in netfilter NAT lookup (issue #4).
-   Fix build on recent glibc systems (issue #2).
-   Minor code and build process improvements.


### SSLsplit 0.4.4 2012-05-11

-   Improve OCSP denial for GET based OCSP requests.
-   Default elliptic curve is now 'secp160r2' for better ECDH performance.
-   More user-friendly handling of -c, -k and friends.
-   Unit test source code renamed from *.t to *.t.c to prevent them from being
    misdetected as perl instead of c by Github et al.
-   Minor bugfixes.


### SSLsplit 0.4.3 2012-04-22

-   Add generic OCSP denial (-O).  OCSP requests transmitted over HTTP or HTTPS
    are recognized and denied with OCSP tryLater(3) responses.
-   Minor bugfixes.


### SSLsplit 0.4.2 2012-04-13

-   First public release.
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00
SSLsplit master 2014-01-29 19:16:34 +00:00			`### SSLsplit master`

No longer chroot() by default when run as root No longer implicitly use -j /var/empty by default and document clearly the implications of using -j with -S and/or sni proxyspecs. Issue: #21 2014-01-30 22:34:37 +00:00			`- SSLsplit no longer chroot()s to /var/empty by default if run by root,`
			`in order to prevent breaking -S and sni proxyspecs (issue #21).`
Load -t certificates before dropping privileges Load the certificates from the directory given by -t into the certificate cache after preinit, but before dropping privileges. This fixes a number of issues, such as -t directory not being found after chroot()ing to a different root, -t directory inaccessible due to changing user with -u, and when using encrypted keys. This bug was introduced in 0675219 as a spurious part of fixing #5. Issue: #20, #19 Reported by: Miroslav Stampar 2014-01-30 21:33:57 +00:00			`- Load -t certificates before dropping privileges (issues #19 and #20).`
Fix segmentation fault when using -t without a CA The key type checks which are used to optimize the loading of DH and ECDH parameters should check the type of the supplied server key, not the global options key. 2014-01-30 21:21:08 +00:00			`- Fix segmentation fault when using -t without a CA.`
SSLsplit master 2014-01-29 19:16:34 +00:00

SSLsplit 0.4.8 release 2014-01-15 18:07:07 +00:00			`### SSLsplit 0.4.8 2014-01-15`
Update NEWS 2013-12-23 13:39:15 +00:00
Suppress SPDY/QUIC by removing Alternate-Protocol headers 2014-01-14 16:35:56 +00:00			`- Filter out Alternate-Protocol response header to suppress SPDY/QUIC.`
Add experimental support for pf on Mac OS X Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing Apple headers in the source tree and enable private Apple code. Since we are using an interface marked private by Apple, this code is very experimental. Issue: #15 Reported by: Amit Chowdhary 2014-01-10 13:58:04 +00:00			`- Add experimental support for pf on Mac OS X 10.7+ (issue #15).`
Update NEWS 2014-01-11 16:55:17 +00:00			`- Also build ipfw NAT engine if pf is detected to support pf divert-to.`
Update NEWS 2014-01-13 23:46:52 +00:00			`- Unit tests (make test) no longer require Internet connectivity.`
			`- Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the per`
			`connection memory footprint significantly when using OpenSSL 1.0.0+.`
Update NEWS 2014-01-11 16:55:17 +00:00			`- Fix memory corruption after the certificate in the cache had to be updated`
			`during connection setup (issue #16).`
Fix memory leak in fake cert generation code The code in pxy_ossl_servername_cb() which generated the forged certificates did not call SSL_CTX_free() on the newly allocated SSL_CTX struct after associating it with the SSL struct, which increments the reference count internally. Also add some comments explaining OpenSSL reference counting behaviour to be more explicit on what happens to the instances that OpenSSL keeps track of. 2014-01-13 22:50:30 +00:00			`- Fix file descriptor leak in passthrough mode (-P) after SSL errors.`
			`- Fix OpenSSL data structures memory leak on certificate forgery.`
Update NEWS 2014-01-07 22:18:16 +00:00			`- Fix segmentation fault on connections without SNI hostname, caused by`
			`compilers optimizing away a NULL pointer check (issue #14).`
Update NEWS 2014-01-15 18:01:33 +00:00			`- Fix thread manager startup failure under some circumstances (issue #17).`
Update NEWS 2014-01-13 23:29:45 +00:00			`- Fix segmentation faults if thread manager fails to start (issue #10).`
Update NEWS 2013-12-23 13:39:15 +00:00

SSLsplit 0.4.7 release 2013-07-02 14:06:16 +00:00			`### SSLsplit 0.4.7 2013-07-02`
Add HTTP response header filtering Filter response headers in order to remove HPKP headers. As an added benefit, parse the HTTP status code and add it to the connection log. 2013-06-29 20:35:51 +00:00
Start thrmgr threads after forking 2013-07-02 13:54:46 +00:00			`- Fix remaining threading issues in daemon mode.`
Add HTTP response header filtering Filter response headers in order to remove HPKP headers. As an added benefit, parse the HTTP status code and add it to the connection log. 2013-06-29 20:35:51 +00:00			`- Filter HPKP header lines from HTTP(S) response headers in order to prevent`
SSLsplit 0.4.7 release 2013-07-02 14:06:16 +00:00			`public key pinning based on draft-ietf-websec-key-pinning-06.`
Add HTTP content-length to connect log 2013-06-29 20:50:39 +00:00			`- Add HTTP status code and content-length to connection log.`
Add HTTP response header filtering Filter response headers in order to remove HPKP headers. As an added benefit, parse the HTTP status code and add it to the connection log. 2013-06-29 20:35:51 +00:00

SSLsplit 0.4.6 release 2013-06-03 15:58:03 +00:00			`### SSLsplit 0.4.6 2013-06-03`
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00
Update NEWS for issue #9 2013-05-26 22:29:02 +00:00			`- Fix fallback to passthrough (-P) when no matching certificate is found`
			`for a connection (issue #9).`
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00			`- Work around segmentation fault when loading certificates caused by a bug`
			`in OpenSSL 1.0.0k and 1.0.1e.`
Bind to ports before dropping privileges This fixes a regression which caused bind() to ports < 1024 to fail with the default settings of dropping privileges to nobody. Issue: #8 Reported by: Ian Grispan 2013-04-03 16:02:45 +00:00			`- Fix binding to ports < 1024 with default settings (issue #8).`
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00

SSLsplit 0.4.5 release 2012-11-07 17:36:51 +00:00			`### SSLsplit 0.4.5 2012-11-07`
Update NEWS and TODO 2012-10-01 12:47:45 +00:00
			`- Add support for 2048 and 4096 bit Diffie-Hellman.`
Update NEWS 2012-10-23 21:01:59 +00:00			`- Fix syslog error messages (issue #6).`
Update NEWS 2012-10-16 22:18:46 +00:00			`- Fix threading issues in daemon mode (issue #5).`
Update NEWS and TODO 2012-10-01 12:47:45 +00:00			`- Fix address family check in netfilter NAT lookup (issue #4).`
			`- Fix build on recent glibc systems (issue #2).`
			`- Minor code and build process improvements.`


Remove commit ids from NEWS file 2012-10-16 20:01:48 +00:00			`### SSLsplit 0.4.4 2012-05-11`
Add NEWS file, documenting release history 2012-05-13 19:07:43 +00:00
			`- Improve OCSP denial for GET based OCSP requests.`
			`- Default elliptic curve is now 'secp160r2' for better ECDH performance.`
			`- More user-friendly handling of -c, -k and friends.`
			`- Unit test source code renamed from .t to .t.c to prevent them from being`
			`misdetected as perl instead of c by Github et al.`
			`- Minor bugfixes.`


Remove commit ids from NEWS file 2012-10-16 20:01:48 +00:00			`### SSLsplit 0.4.3 2012-04-22`
Add NEWS file, documenting release history 2012-05-13 19:07:43 +00:00
			`- Add generic OCSP denial (-O). OCSP requests transmitted over HTTP or HTTPS`
			`are recognized and denied with OCSP tryLater(3) responses.`
			`- Minor bugfixes.`


Remove commit ids from NEWS file 2012-10-16 20:01:48 +00:00			`### SSLsplit 0.4.2 2012-04-13`
Add NEWS file, documenting release history 2012-05-13 19:07:43 +00:00
			`- First public release.`