SSLproxy/NEWS.md


### SSLsplit develop

-   Fix EV_READ event re-enable bug that could lead to stalled connections
    after throttling one direction (issue #109).
-   Add contributed -L log parsing scripts to extra/, including conversion to
    PCAP using emulated IP and TCP headers (contributed by @mak, issue #27).
-   Only initialize DNS subsystems when DNS lookups are actually needed by the
    loaded proxy specifications (related to issue #104).
-   Fix build with LibreSSL that lacks recent OpenSSL API additions.
-   Fix build with OpenSSL versions that had SSLv3 support removed.
-   Warn when an OpenSSL version mismatch is detected (issue #88).
-   Added separate src/dst host and port format specifiers %S, %p, %D and %q
    to -F (pull req #74 by @AdamJacobMuller).
-   Filenames generated by -S and -F %d and %s changed from [host]:port to
    host,port format and using underscore instead of colon in IPv6 addresses
    in order to be NTFS clean (issue #69).
-   Connect log format: host and port are now separate fields (issues #69 #74).
-   Removed the non-standard word "unmodified" from the 2-clause BSD license.
-   Add options -w and -W to write generated leaf key, original and forged
    certificates to disk (issue #67 by @psychomario).
-   Add signal SIGUSR1 to re-open long-living -l/-L log files (issue #52).
-   Introduce privilege separation architecture with privileged parent process
    and unprivileged child process; all files are now opened with the
    privileges of the user running SSLsplit; arguments to -S/-F are no longer
    relative to the chroot() if used with the -j option.
-   Use the same hash algorithm in signatures on forged certificates as the
    original certificates use, instead of always using SHA-1.
-   Removed all references to SHA-1 and small key RSA root CA keys from
    documentation, examples and unit testing (issue #83).
-   Fix passthrough mode with -t and an empty directory (issue #92).
-   Minor bugfixes and improvements.


### SSLsplit 0.4.11 2015-03-16

-   Fix loading of certificate chains with OpenSSL 1.0.2 (issue #79).
-   Fix build on Mac OS X 10.10.2 by improving XNU header selection.


### SSLsplit 0.4.10 2014-11-28

-   Add option -F to log to separate files with printf-style % directives,
    including process information for connections originating on the same
    system when also using -i (pull reqs #36, #53, #54, #55 by @landonf).
-   Add option -i to look up local process owning a connection for logging to
    connection log; initial support on Mac OS X (by @landonf) and FreeBSD.
-   Add option -r to force a specific SSL/TLS protocol version (issue #30).
-   Add option -R to disable specific SSL/TLS protocol versions (issue #30).
-   Disallow -u with pf proxyspecs on Mac OS X because Apple restricts
    ioctl(/dev/pf) to root even on an fd initially opened by root (issue #65).
-   Extend the certificate loading workaround for OpenSSL 1.0.0k and 1.0.1e
    also to OpenSSL 0.9.8y; fixes cert loading crash due to bug in in OpenSSL.
-   Extend Mac OS X pf support to Yosemite 10.10.1.
-   Fix startup memory leaks in key/cert loader (pull req #56 by @wjjensen).
-   Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER build knobs with a single
    WITH_SSLV2 build knob.
-   Minor bugfixes and improvements.


### SSLsplit 0.4.9 2014-11-03

-   Filter out HSTS response header to allow users to accept untrusted certs.
-   Build without SSLv2 support by default (issue #26).
-   Add primary group override (-m) when dropping privileges to an
    unprivileged user (pull req #35 by @landonf).
-   Support pf on Mac OS X 10.10 Yosemite and fix segmentation fault if
    no NAT engine is available (pull req #32 by @landonf).
-   Support DESTDIR and MANDIR in the build (pull req #34 by @swills).
-   No longer chroot() to /var/empty by default if run by root, in order to
    prevent breaking -S and sni proxyspecs (issue #21).
-   Load -t certificates before dropping privileges (issues #19 and #20).
-   Fix segmentation fault when using -t without a CA.
-   Minor bugfixes and improvements.


### SSLsplit 0.4.8 2014-01-15

-   Filter out Alternate-Protocol response header to suppress SPDY/QUIC.
-   Add experimental support for pf on Mac OS X 10.7+ (issue #15).
-   Also build ipfw NAT engine if pf is detected to support pf divert-to.
-   Unit tests (make test) no longer require Internet connectivity.
-   Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the per
    connection memory footprint significantly when using OpenSSL 1.0.0+.
-   Fix memory corruption after the certificate in the cache had to be updated
    during connection setup (issue #16).
-   Fix file descriptor leak in passthrough mode (-P) after SSL errors.
-   Fix OpenSSL data structures memory leak on certificate forgery.
-   Fix segmentation fault on connections without SNI hostname, caused by
    compilers optimizing away a NULL pointer check (issue #14).
-   Fix thread manager startup failure under some circumstances (issue #17).
-   Fix segmentation faults if thread manager fails to start (issue #10).


### SSLsplit 0.4.7 2013-07-02

-   Fix remaining threading issues in daemon mode.
-   Filter HPKP header lines from HTTP(S) response headers in order to prevent
    public key pinning based on draft-ietf-websec-key-pinning-06.
-   Add HTTP status code and content-length to connection log.


### SSLsplit 0.4.6 2013-06-03

-   Fix fallback to passthrough (-P) when no matching certificate is found
    for a connection (issue #9).
-   Work around segmentation fault when loading certificates caused by a bug
    in OpenSSL 1.0.0k and 1.0.1e.
-   Fix binding to ports < 1024 with default settings (issue #8).


### SSLsplit 0.4.5 2012-11-07

-   Add support for 2048 and 4096 bit Diffie-Hellman.
-   Fix syslog error messages (issue #6).
-   Fix threading issues in daemon mode (issue #5).
-   Fix address family check in netfilter NAT lookup (issue #4).
-   Fix build on recent glibc systems (issue #2).
-   Minor code and build process improvements.


### SSLsplit 0.4.4 2012-05-11

-   Improve OCSP denial for GET based OCSP requests.
-   Default elliptic curve is now 'secp160r2' for better ECDH performance.
-   More user-friendly handling of -c, -k and friends.
-   Unit test source code renamed from *.t to *.t.c to prevent them from being
    misdetected as perl instead of c by Github et al.
-   Minor bugfixes.


### SSLsplit 0.4.3 2012-04-22

-   Add generic OCSP denial (-O).  OCSP requests transmitted over HTTP or HTTPS
    are recognized and denied with OCSP tryLater(3) responses.
-   Minor bugfixes.


### SSLsplit 0.4.2 2012-04-13

-   First public release.
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00
Update documentation 2014-12-13 02:23:32 +00:00			`### SSLsplit develop`
Update documentation 2014-12-12 22:22:11 +00:00
Re-enable EV_READ if disabled and outbuf empty The event buffer write handler failes to re-enable the corresponding read event of the opposite connection if the buffer is not only down to less than half the limit, but completely emptied. In that case, the read event would never be re-enabled and the connection would stall and time out. Issue: #109 Patch by: Eun Soo Park 2015-10-25 16:54:27 +00:00			`- Fix EV_READ event re-enable bug that could lead to stalled connections`
			`after throttling one direction (issue #109).`
Add log to PCAP conversion script Add contributed python script for parsing the output of sslsplit -L from a log file or named pipe and converting the log entries to an emulated PCAP format. Information not contained in the log, such as sequence numbers, IP IDs etc is emulated and does not correspond to the original packets on the network. Issue: #27 Contributed by: Maciej Kotowicz 2015-10-09 09:09:08 +00:00			`- Add contributed -L log parsing scripts to extra/, including conversion to`
			`PCAP using emulated IP and TCP headers (contributed by @mak, issue #27).`
Only init DNS when DNS is required by proxy specs Only initialize evdns if DNS lookups are actually required by the loaded proxy specifications. This allows sslsplit to work in non-DNS modes in situations where the local DNS resolver does not work, such as for local use on a system without network connectivity. Currently, only SNI based proxy specs require DNS. On systems without network connectivity, DNS subsystem init may fail due to /etc/resolv.conf being (temporarily) unavailable. Issue: #104 2015-09-27 14:39:24 +00:00			`- Only initialize DNS subsystems when DNS lookups are actually needed by the`
			`loaded proxy specifications (related to issue #104).`
Update docs and -V for LibreSSL and BoringSSL 2015-08-02 20:06:51 +00:00			`- Fix build with LibreSSL that lacks recent OpenSSL API additions.`
Update NEWS.md 2015-07-28 21:58:57 +00:00			`- Fix build with OpenSSL versions that had SSLv3 support removed.`
Warn on OpenSSL version mismatch in debug mode Issue: #88 2015-06-23 17:07:23 +00:00			`- Warn when an OpenSSL version mismatch is detected (issue #88).`
Update documentation for new -F formats 2015-03-15 17:41:49 +00:00			`- Added separate src/dst host and port format specifiers %S, %p, %D and %q`
			`to -F (pull req #74 by @AdamJacobMuller).`
Separate host and port into separate strings Store host and port in separate strings internally and get rid of the [host]:port representation where separate host and port would be cleaner. This includes the following user-visible changes: - Generated filenames that contain host and port, such as by -S and -F %d and %s, now use a host,port format instead of [host]:port. - Connect log now uses separate fields for host and port. Issue: #69 #74 Reported by: Adam Jacob Muller 2015-03-15 16:10:25 +00:00			`- Filenames generated by -S and -F %d and %s changed from [host]:port to`
IPv6 addrs in filenames use underscore not colon Use underscore instead of colon for all IPv6 addresses in generated filenames in order to generate NTFS clean filenames. Issue: #69 2015-03-15 16:52:04 +00:00			`host,port format and using underscore instead of colon in IPv6 addresses`
			`in order to be NTFS clean (issue #69).`
Separate host and port into separate strings Store host and port in separate strings internally and get rid of the [host]:port representation where separate host and port would be cleaner. This includes the following user-visible changes: - Generated filenames that contain host and port, such as by -S and -F %d and %s, now use a host,port format instead of [host]:port. - Connect log now uses separate fields for host and port. Issue: #69 #74 Reported by: Adam Jacob Muller 2015-03-15 16:10:25 +00:00			`- Connect log format: host and port are now separate fields (issues #69 #74).`
Update copyright, license and tagline - Update copyright to 2015 - Remove the non-standard "unmodified" from the 2-clause BSD license - Remove scalable from the tagline to avoid misinterpretations 2015-02-24 18:19:20 +00:00			`- Removed the non-standard word "unmodified" from the 2-clause BSD license.`
Update documentation 2014-12-12 22:22:11 +00:00			`- Add options -w and -W to write generated leaf key, original and forged`
			`certificates to disk (issue #67 by @psychomario).`
Update NEWS.md for feature/privsep 2014-11-25 22:55:15 +00:00			`- Add signal SIGUSR1 to re-open long-living -l/-L log files (issue #52).`
			`- Introduce privilege separation architecture with privileged parent process`
			`and unprivileged child process; all files are now opened with the`
			`privileges of the user running SSLsplit; arguments to -S/-F are no longer`
			`relative to the chroot() if used with the -j option.`
Update documentation 2014-12-13 02:23:32 +00:00			`- Use the same hash algorithm in signatures on forged certificates as the`
			`original certificates use, instead of always using SHA-1.`
Move all test RSA keys from 1024 bit to 2048 bit Issue: #83 2015-03-24 19:39:45 +00:00			`- Removed all references to SHA-1 and small key RSA root CA keys from`
			`documentation, examples and unit testing (issue #83).`
Update NEWS.md for #92 2015-04-30 15:00:06 +00:00			`- Fix passthrough mode with -t and an empty directory (issue #92).`
Merge branch 'master' into develop after 0.4.11 2015-03-15 23:58:27 +00:00			`- Minor bugfixes and improvements.`


SSLsplit 0.4.11 maintenance release 2015-03-15 23:24:02 +00:00			`### SSLsplit 0.4.11 2015-03-16`
Fix loading of certificate chains with OpenSSL 1.0.2 SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to the extra certificates chain. When building on OpenSSL 1.0.2 or newer, use the new API instead of directly accessing `extra_certs`. Issue: #79 2015-03-14 23:07:19 +00:00
Reorder major bug fixes 2015-03-15 23:20:18 +00:00			`- Fix loading of certificate chains with OpenSSL 1.0.2 (issue #79).`
			`- Fix build on Mac OS X 10.10.2 by improving XNU header selection.`
Fix loading of certificate chains with OpenSSL 1.0.2 SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to the extra certificates chain. When building on OpenSSL 1.0.2 or newer, use the new API instead of directly accessing `extra_certs`. Issue: #79 2015-03-14 23:07:19 +00:00
Update NEWS.md for feature/privsep 2014-11-25 22:55:15 +00:00
SSLsplit 0.4.10 release 2014-11-28 09:17:28 +00:00			`### SSLsplit 0.4.10 2014-11-28`
Add some CPPFLAGS to cppcheck arguments 2014-11-03 21:08:07 +00:00
Update NEWS.md 2014-11-13 22:45:49 +00:00			`- Add option -F to log to separate files with printf-style % directives,`
			`including process information for connections originating on the same`
Update NEWS.md for -i 2014-11-14 15:22:46 +00:00			`system when also using -i (pull reqs #36, #53, #54, #55 by @landonf).`
Update NEWS.md 2014-11-28 09:15:09 +00:00			`- Add option -i to look up local process owning a connection for logging to`
			`connection log; initial support on Mac OS X (by @landonf) and FreeBSD.`
Allow more control over used SSL/TLS versions Add -r to force a specific SSL/TLS protocol version. Add -R to disable one or several SSL/TLS protocol versions. Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2. Issue: #30 Reported by: @Apollo2342 2014-11-05 19:06:11 +00:00			`- Add option -r to force a specific SSL/TLS protocol version (issue #30).`
			`- Add option -R to disable specific SSL/TLS protocol versions (issue #30).`
Don't allow -u on Mac OS X with pf proxyspecs Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only check permissions on open(/dev/pf). This means that on OS X, it is not possible to open /dev/pf, drop privileges, and send an ioctl to the file descriptor opened earlier with EUID==0. It also means Apple broke the Unix way of dealing with device nodes - why are there file permissions on /dev/pf when they later enforce EUID==0 on use, thereby breaking basic Unix mechanisms? Work around this by disallowing -u with pf proxyspecs and by not automatically dropping to nobody on Mac OS X. Issue: #65 Reported by: Vladimir Marteev 2014-11-27 23:04:20 +00:00			`- Disallow -u with pf proxyspecs on Mac OS X because Apple restricts`
Update NEWS.md 2014-11-28 09:15:09 +00:00			`ioctl(/dev/pf) to root even on an fd initially opened by root (issue #65).`
Update NEWS.md for OpenSSL 0.9.8y bug workaround 2014-11-19 19:25:51 +00:00			`- Extend the certificate loading workaround for OpenSSL 1.0.0k and 1.0.1e`
			`also to OpenSSL 0.9.8y; fixes cert loading crash due to bug in in OpenSSL.`
Update NEWS.md 2014-11-28 09:15:09 +00:00			`- Extend Mac OS X pf support to Yosemite 10.10.1.`
			`- Fix startup memory leaks in key/cert loader (pull req #56 by @wjjensen).`
			`- Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER build knobs with a single`
			`WITH_SSLV2 build knob.`
Add some CPPFLAGS to cppcheck arguments 2014-11-03 21:08:07 +00:00			`- Minor bugfixes and improvements.`


SSLsplit 0.4.9 release 2014-11-03 18:42:24 +00:00			`### SSLsplit 0.4.9 2014-11-03`
SSLsplit master 2014-01-29 19:16:34 +00:00
Filter HSTS response headers to allow cert override Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from HTTP responses. With HSTS active, the user is not allowed to accept untrusted certificates. 2014-11-02 19:25:17 +00:00			`- Filter out HSTS response header to allow users to accept untrusted certs.`
Disable SSLv2 support by default 2014-10-28 22:24:37 +00:00			`- Build without SSLv2 support by default (issue #26).`
Update documentation after merging pull req #35 2014-10-23 11:28:14 +00:00			`- Add primary group override (-m) when dropping privileges to an`
			`unprivileged user (pull req #35 by @landonf).`
Update documentation after merge of pull req #32 2014-10-21 13:55:56 +00:00			`- Support pf on Mac OS X 10.10 Yosemite and fix segmentation fault if`
			`no NAT engine is available (pull req #32 by @landonf).`
Update documentation after merge of #34 2014-10-21 12:55:25 +00:00			`- Support DESTDIR and MANDIR in the build (pull req #34 by @swills).`
Don't depend on the space when parsing HTTP headers 2014-10-28 22:31:07 +00:00			`- No longer chroot() to /var/empty by default if run by root, in order to`
			`prevent breaking -S and sni proxyspecs (issue #21).`
Load -t certificates before dropping privileges Load the certificates from the directory given by -t into the certificate cache after preinit, but before dropping privileges. This fixes a number of issues, such as -t directory not being found after chroot()ing to a different root, -t directory inaccessible due to changing user with -u, and when using encrypted keys. This bug was introduced in 0675219 as a spurious part of fixing #5. Issue: #20, #19 Reported by: Miroslav Stampar 2014-01-30 21:33:57 +00:00			`- Load -t certificates before dropping privileges (issues #19 and #20).`
Fix segmentation fault when using -t without a CA The key type checks which are used to optimize the loading of DH and ECDH parameters should check the type of the supplied server key, not the global options key. 2014-01-30 21:21:08 +00:00			`- Fix segmentation fault when using -t without a CA.`
Don't depend on the space when parsing HTTP headers 2014-10-28 22:31:07 +00:00			`- Minor bugfixes and improvements.`
SSLsplit master 2014-01-29 19:16:34 +00:00

SSLsplit 0.4.8 release 2014-01-15 18:07:07 +00:00			`### SSLsplit 0.4.8 2014-01-15`
Update NEWS 2013-12-23 13:39:15 +00:00
Suppress SPDY/QUIC by removing Alternate-Protocol headers 2014-01-14 16:35:56 +00:00			`- Filter out Alternate-Protocol response header to suppress SPDY/QUIC.`
Add experimental support for pf on Mac OS X Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing Apple headers in the source tree and enable private Apple code. Since we are using an interface marked private by Apple, this code is very experimental. Issue: #15 Reported by: Amit Chowdhary 2014-01-10 13:58:04 +00:00			`- Add experimental support for pf on Mac OS X 10.7+ (issue #15).`
Update NEWS 2014-01-11 16:55:17 +00:00			`- Also build ipfw NAT engine if pf is detected to support pf divert-to.`
Update NEWS 2014-01-13 23:46:52 +00:00			`- Unit tests (make test) no longer require Internet connectivity.`
			`- Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the per`
			`connection memory footprint significantly when using OpenSSL 1.0.0+.`
Update NEWS 2014-01-11 16:55:17 +00:00			`- Fix memory corruption after the certificate in the cache had to be updated`
			`during connection setup (issue #16).`
Fix memory leak in fake cert generation code The code in pxy_ossl_servername_cb() which generated the forged certificates did not call SSL_CTX_free() on the newly allocated SSL_CTX struct after associating it with the SSL struct, which increments the reference count internally. Also add some comments explaining OpenSSL reference counting behaviour to be more explicit on what happens to the instances that OpenSSL keeps track of. 2014-01-13 22:50:30 +00:00			`- Fix file descriptor leak in passthrough mode (-P) after SSL errors.`
			`- Fix OpenSSL data structures memory leak on certificate forgery.`
Update NEWS 2014-01-07 22:18:16 +00:00			`- Fix segmentation fault on connections without SNI hostname, caused by`
			`compilers optimizing away a NULL pointer check (issue #14).`
Update NEWS 2014-01-15 18:01:33 +00:00			`- Fix thread manager startup failure under some circumstances (issue #17).`
Update NEWS 2014-01-13 23:29:45 +00:00			`- Fix segmentation faults if thread manager fails to start (issue #10).`
Update NEWS 2013-12-23 13:39:15 +00:00

SSLsplit 0.4.7 release 2013-07-02 14:06:16 +00:00			`### SSLsplit 0.4.7 2013-07-02`
Add HTTP response header filtering Filter response headers in order to remove HPKP headers. As an added benefit, parse the HTTP status code and add it to the connection log. 2013-06-29 20:35:51 +00:00
Start thrmgr threads after forking 2013-07-02 13:54:46 +00:00			`- Fix remaining threading issues in daemon mode.`
Add HTTP response header filtering Filter response headers in order to remove HPKP headers. As an added benefit, parse the HTTP status code and add it to the connection log. 2013-06-29 20:35:51 +00:00			`- Filter HPKP header lines from HTTP(S) response headers in order to prevent`
SSLsplit 0.4.7 release 2013-07-02 14:06:16 +00:00			`public key pinning based on draft-ietf-websec-key-pinning-06.`
Add HTTP content-length to connect log 2013-06-29 20:50:39 +00:00			`- Add HTTP status code and content-length to connection log.`
Add HTTP response header filtering Filter response headers in order to remove HPKP headers. As an added benefit, parse the HTTP status code and add it to the connection log. 2013-06-29 20:35:51 +00:00

SSLsplit 0.4.6 release 2013-06-03 15:58:03 +00:00			`### SSLsplit 0.4.6 2013-06-03`
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00
Update NEWS for issue #9 2013-05-26 22:29:02 +00:00			`- Fix fallback to passthrough (-P) when no matching certificate is found`
			`for a connection (issue #9).`
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00			`- Work around segmentation fault when loading certificates caused by a bug`
			`in OpenSSL 1.0.0k and 1.0.1e.`
Bind to ports before dropping privileges This fixes a regression which caused bind() to ports < 1024 to fail with the default settings of dropping privileges to nobody. Issue: #8 Reported by: Ian Grispan 2013-04-03 16:02:45 +00:00			`- Fix binding to ports < 1024 with default settings (issue #8).`
Work around segfault with OpenSSL 1.0.0k/1.0.1e A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading certificates using SSL_get_certificate(). Work around the bug by directly accessing the respective members of SSL* when using any of the broken versions of OpenSSL. 2013-04-24 13:39:31 +00:00

SSLsplit 0.4.5 release 2012-11-07 17:36:51 +00:00			`### SSLsplit 0.4.5 2012-11-07`
Update NEWS and TODO 2012-10-01 12:47:45 +00:00
			`- Add support for 2048 and 4096 bit Diffie-Hellman.`
Update NEWS 2012-10-23 21:01:59 +00:00			`- Fix syslog error messages (issue #6).`
Update NEWS 2012-10-16 22:18:46 +00:00			`- Fix threading issues in daemon mode (issue #5).`
Update NEWS and TODO 2012-10-01 12:47:45 +00:00			`- Fix address family check in netfilter NAT lookup (issue #4).`
			`- Fix build on recent glibc systems (issue #2).`
			`- Minor code and build process improvements.`


Remove commit ids from NEWS file 2012-10-16 20:01:48 +00:00			`### SSLsplit 0.4.4 2012-05-11`
Add NEWS file, documenting release history 2012-05-13 19:07:43 +00:00
			`- Improve OCSP denial for GET based OCSP requests.`
			`- Default elliptic curve is now 'secp160r2' for better ECDH performance.`
			`- More user-friendly handling of -c, -k and friends.`
			`- Unit test source code renamed from .t to .t.c to prevent them from being`
			`misdetected as perl instead of c by Github et al.`
			`- Minor bugfixes.`


Remove commit ids from NEWS file 2012-10-16 20:01:48 +00:00			`### SSLsplit 0.4.3 2012-04-22`
Add NEWS file, documenting release history 2012-05-13 19:07:43 +00:00
			`- Add generic OCSP denial (-O). OCSP requests transmitted over HTTP or HTTPS`
			`are recognized and denied with OCSP tryLater(3) responses.`
			`- Minor bugfixes.`


Remove commit ids from NEWS file 2012-10-16 20:01:48 +00:00			`### SSLsplit 0.4.2 2012-04-13`
Add NEWS file, documenting release history 2012-05-13 19:07:43 +00:00
			`- First public release.`