### SSLsplit develop

- No longer assume an out of memory condition when a certificate contains
  neither a CN nor a subjectAltName extension.
- Extend -L content logging with an EOF message to allow log parsers to
  figure out when a connection ends (issue #128 by @mattes). Note that log
  parsers need to be adjusted to handle the new EOF message.
- Add missing authors Maciej Kotowicz and Eun Soo Park to manual page.
- Fix multiple signal handling issues in the privilege separation parent
  which led to the parent process being killed ungracefully (SIGTERM) or
  being stuck in wait() while still having signals (SIGQUIT etc.) queued up
  for forwarding to the child process (issue #137).
- Fix SSL connections that result from autossl to shut down cleanly.
- Fix data processing when EOF is received before all incoming data has been
  processed.
- Fix parallel make build (-j) for the test target (issue #140).
- Do not set owner and group if the install target is called by an
  unprivileged user (pull req #141 by @cgroschupp).
- Add XNU headers for Mac OS X 10.11.3, 10.11.4, 10.11.5, 10.11.6 and 10.12.
- Minor bugfixes and improvements.


### SSLsplit 0.5.0 2016-03-27

- Generically support STARTTLS through the new autossl proxyspec type that
  upgrades a TCP connection to SSL/TLS when a ClientHello message is seen
  (based on contribution by @RichardPoole42, pull req #87).
- Add separate src/dst host and port format specifiers %S, %p, %D and %q
  to -F (pull req #74 by @AdamJacobMuller).
- Add options -w and -W to write generated leaf key, original and forged
  certificates to disk (issue #67 by @psychomario).
- Add signal SIGUSR1 to re-open long-living -l/-L log files (issue #52).
- Add contributed -L log parsing scripts to extra/, including conversion to
  PCAP using emulated IP and TCP headers (contributed by @mak, issue #27).
- Enable full-strength DHE and ECDHE by default, even for non-RSA leaf keys,
  in order to avoid weak cipher warnings from browsers (issue #119).
- Use the same hash algorithm in signatures on forged certificates as the
  original certificates use, instead of always using SHA-1.
- Removed all references to SHA-1 and small key RSA root CA keys from
  documentation, examples and unit testing (issue #83).
- Introduce privilege separation architecture with privileged parent process
  and unprivileged child process; all files are now opened with the
  privileges of the user running SSLsplit; arguments to -S/-F are no longer
  relative to the chroot() if used with the -j option.
- Filenames generated by -S and -F %d and %s changed from [host]:port to
  host,port format and using underscore instead of colon in IPv6 addresses
  in order to be NTFS clean (issue #69).
- Connect log format: host and port are now separate fields (issues #69 #74).
- Only initialize DNS subsystems when DNS lookups are actually needed by the
  loaded proxy specifications (related to issue #104).
- Removed the non-standard word "unmodified" from the 2-clause BSD license.
- Warn when an OpenSSL version mismatch is detected (issue #88).
- Add XNU headers for OS X 10.11 El Capitan (issue #116).
- Fix EV_READ event re-enable bug that could lead to stalled connections
  after throttling one direction (issue #109).
- Fix build with LibreSSL that lacks recent OpenSSL API additions.
- Fix build with OpenSSL versions that had SSLv3 support removed.
- Fix a rare segmentation fault upon receiving EOF on the outbound connection
  while it has not been established yet (patch by @eunsoopark, issue #124).
- Fix SSL sessions to actually time out (patch by @eunsoopark, issue #115).
- Fix passthrough mode with -t and an empty directory (issue #92).
- Minor bugfixes and improvements.


### SSLsplit 0.4.11 2015-03-16

- Fix loading of certificate chains with OpenSSL 1.0.2 (issue #79).
- Fix build on Mac OS X 10.10.2 by improving XNU header selection.


### SSLsplit 0.4.10 2014-11-28

- Add option -F to log to separate files with printf-style % directives,
  including process information for connections originating on the same
  system when also using -i (pull reqs #36, #53, #54, #55 by @landonf).
- Add option -i to look up the local process owning a connection, for logging
  to the connection log; initial support on Mac OS X (by @landonf) and
  FreeBSD.
- Add option -r to force a specific SSL/TLS protocol version (issue #30).
- Add option -R to disable specific SSL/TLS protocol versions (issue #30).
- Disallow -u with pf proxyspecs on Mac OS X because Apple restricts
  ioctl(/dev/pf) to root even on an fd initially opened by root (issue #65).
- Extend the certificate loading workaround for OpenSSL 1.0.0k and 1.0.1e
  also to OpenSSL 0.9.8y; fixes cert loading crash due to a bug in OpenSSL.
- Extend Mac OS X pf support to Yosemite 10.10.1.
- Fix startup memory leaks in key/cert loader (pull req #56 by @wjjensen).
- Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER build knobs with a single
  WITH_SSLV2 build knob.
- Minor bugfixes and improvements.


### SSLsplit 0.4.9 2014-11-03

- Filter out HSTS response header to allow users to accept untrusted certs.
- Build without SSLv2 support by default (issue #26).
- Add primary group override (-m) when dropping privileges to an
  unprivileged user (pull req #35 by @landonf).
- Support pf on Mac OS X 10.10 Yosemite and fix segmentation fault if
  no NAT engine is available (pull req #32 by @landonf).
- Support DESTDIR and MANDIR in the build (pull req #34 by @swills).
- No longer chroot() to /var/empty by default if run by root, in order to
  prevent breaking -S and sni proxyspecs (issue #21).
- Load -t certificates before dropping privileges (issues #19 and #20).
- Fix segmentation fault when using -t without a CA.
- Minor bugfixes and improvements.


### SSLsplit 0.4.8 2014-01-15

- Filter out Alternate-Protocol response header to suppress SPDY/QUIC.
- Add experimental support for pf on Mac OS X 10.7+ (issue #15).
- Also build ipfw NAT engine if pf is detected to support pf divert-to.
- Unit tests (make test) no longer require Internet connectivity.
- Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the
  per-connection memory footprint significantly when using OpenSSL 1.0.0+.
- Fix memory corruption after the certificate in the cache had to be updated
  during connection setup (issue #16).
- Fix file descriptor leak in passthrough mode (-P) after SSL errors.
- Fix OpenSSL data structures memory leak on certificate forgery.
- Fix segmentation fault on connections without SNI hostname, caused by
  compilers optimizing away a NULL pointer check (issue #14).
- Fix thread manager startup failure under some circumstances (issue #17).
- Fix segmentation faults if thread manager fails to start (issue #10).


### SSLsplit 0.4.7 2013-07-02

- Fix remaining threading issues in daemon mode.
- Filter HPKP header lines from HTTP(S) response headers in order to prevent
  public key pinning based on draft-ietf-websec-key-pinning-06.
- Add HTTP status code and content-length to connection log.


### SSLsplit 0.4.6 2013-06-03

- Fix fallback to passthrough (-P) when no matching certificate is found
  for a connection (issue #9).
- Work around segmentation fault when loading certificates caused by a bug
  in OpenSSL 1.0.0k and 1.0.1e.
- Fix binding to ports < 1024 with default settings (issue #8).


### SSLsplit 0.4.5 2012-11-07

- Add support for 2048 and 4096 bit Diffie-Hellman.
- Fix syslog error messages (issue #6).
- Fix threading issues in daemon mode (issue #5).
- Fix address family check in netfilter NAT lookup (issue #4).
- Fix build on recent glibc systems (issue #2).
- Minor code and build process improvements.


### SSLsplit 0.4.4 2012-05-11

- Improve OCSP denial for GET based OCSP requests.
- Default elliptic curve is now 'secp160r2' for better ECDH performance.
- More user-friendly handling of -c, -k and friends.
- Unit test source code renamed from *.t to *.t.c to prevent them from being
  misdetected as Perl instead of C by GitHub et al.
- Minor bugfixes.


### SSLsplit 0.4.3 2012-04-22

- Add generic OCSP denial (-O). OCSP requests transmitted over HTTP or HTTPS
  are recognized and denied with OCSP tryLater(3) responses.
- Minor bugfixes.


### SSLsplit 0.4.2 2012-04-13

First public release.