SSLproxy

Commit Graph

Author	SHA1	Message	Date
Daniel Roethlisberger	17d753fc2d	Fix NULL pointer dereference in bev write handler Only manipulate other->bev if it is not NULL to avoid a NULL pointer dereference in the proxy bufferevent write handler when only one direction is fully established, for example during connection shutdown. Reported by: @david-holonet Introduced in: `2bcfaf4` Issue: #109	9 years ago
Daniel Roethlisberger	2bcfaf4b44	Re-enable EV_READ if disabled and outbuf empty The event buffer write handler failes to re-enable the corresponding read event of the opposite connection if the buffer is not only down to less than half the limit, but completely emptied. In that case, the read event would never be re-enabled and the connection would stall and time out. Issue: #109 Patch by: Eun Soo Park	9 years ago
Daniel Roethlisberger	57a2ab8588	Rewrite protocol version macros and refactoring Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and HAVE_TLSV12 to indicate that support for the respective protocol is available in OpenSSL. This was necessary due to the increased complexity of testing version support following the phasing out of SSLv2 and SSLv3 from OpenSSL implementations. This fixes the build with OpenSSL versions which have SSLv3 support removed. While here, de-duplicate code for setting SSL_CTX options and do not set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit in the context of splitting SSL/TLS for analysis. Reported by: Jérémie Courrèges-Anglas	9 years ago
Daniel Roethlisberger	a08a7233ab	Move free() to the else branch where it belongs This prevents free(NULL) in case of failures in ssl_x509_fingerprint(). Issue: #103 Reported by: @david-stratusee	9 years ago
Daniel Roethlisberger	f12dd5bb92	Fix debug mode memory leak of cert fingerprint Issue: #103 Reported by: Scot Loach	9 years ago
Richard Poole	0f2714ed8a	spelling fix	10 years ago
Richard Poole	1f1f7b5559	bugfix: correct calls to log_dbg_printf	10 years ago
Daniel Roethlisberger	914360eb5e	Separate host and port into separate strings Store host and port in separate strings internally and get rid of the [host]:port representation where separate host and port would be cleaner. This includes the following user-visible changes: - Generated filenames that contain host and port, such as by -S and -F %d and %s, now use a host,port format instead of [host]:port. - Connect log now uses separate fields for host and port. Issue: #69 #74 Reported by: Adam Jacob Muller	10 years ago
Daniel Roethlisberger	91da4674e5	Update copyright, license and tagline - Update copyright to 2015 - Remove the non-standard "unmodified" from the 2-clause BSD license - Remove scalable from the tagline to avoid misinterpretations	10 years ago
Daniel Roethlisberger	f16783cee2	Move cert writer to logger thread using privsep Make -w and -W work in conjunction with dropping privileges and chrooting by moving the cert writer code to a separate logger thread and using the privsep framework to open the files if they do not exist already. Issue: #70	10 years ago
Daniel Roethlisberger	6ec6c56ded	Refactored -w/-W and improved docs	10 years ago
PsychoMario	3aff928daf	moved key output to main.c, caught some bugs	10 years ago
PsychoMario	a83cd68605	stored fpr as char* in ctx	10 years ago
PsychoMario	1736564b32	error handling	10 years ago
PsychoMario	4f310a877a	implemented -W to write original certs	10 years ago
PsychoMario	a7e2d99b39	added logging of fingerprints, uppercased names	10 years ago
PsychoMario	13dce0aa35	moved write to pxy_srccert_create, -X to -w, opts_free use	10 years ago
PsychoMario	73042d4daa	fix mutual exclusivity, sprintf->asprintf	10 years ago
PsychoMario	cbb2a179f9	naive implementation with -X, no help, validation, logging	10 years ago
Daniel Roethlisberger	c4b22efa5a	Fix segmentation fault for aborted connections	10 years ago
Daniel Roethlisberger	65f56f634d	Improve error handling on logging calls	10 years ago
Daniel Roethlisberger	b5e3856a97	Move open() and mkdir() to logger thread	10 years ago
Daniel Roethlisberger	007823b16e	Fix connect logging for corner cases	10 years ago
Daniel Roethlisberger	c5b8fd127f	Add version and ciphersuite to connect and debug log	10 years ago
Daniel Roethlisberger	fcd008df4b	Unify asprintf error handling	10 years ago
Daniel Roethlisberger	b1ec5d0e09	Improve log_content_open() error handling	10 years ago
Daniel Roethlisberger	328e3320f9	Fix build for !HAVE_LOCAL_PROCINFO	10 years ago
Daniel Roethlisberger	e022b2af26	Add local process information to connect log	10 years ago
Daniel Roethlisberger	08ca5b2891	Also print pid if lookup (partially or fully) fails	10 years ago
Daniel Roethlisberger	150650c7e9	Make local procinfo run-time optional (-i) and use src host:port	10 years ago
Daniel Roethlisberger	42497693d1	Rename define for consistency	10 years ago
Daniel Roethlisberger	0237fe34dc	Only build local process info code where supported	10 years ago
Daniel Roethlisberger	966fe80c0c	Move process information code from sys to proc	10 years ago
Daniel Roethlisberger	c3922d9852	Refactor process lookup out of NAT engine code Local process lookup is independent of the NAT engine used, it depends only on the operating system's process enumeration API. Moving the code out of NAT lookup also makes it work for static and SNI proxyspecs.	10 years ago
Daniel Roethlisberger	dc7a3ee9e3	Break line to 80 cols	10 years ago
Landon Fuller	a4c518c8a0	Merge remote-tracking branch 'origin/fix-macosx' into logspec_path_support	10 years ago
Landon Fuller	efca8d73c9	Remove debugging statement.	10 years ago
Landon Fuller	81bf954c17	Merge commit '5ed49c498596995c79a5b7fda3d1ee1eb09ce8ec' into sys_proc_info	10 years ago
Landon Fuller	fe5eb66b53	Merge commit '9204418c806fc85ba04c3650dc4002bd440083ca' into nat_local_pid	10 years ago
Daniel Roethlisberger	375bf2a13c	Clarify comment about logging	10 years ago
Daniel Roethlisberger	6b0e47dc89	Allow more control over used SSL/TLS versions Add -r to force a specific SSL/TLS protocol version. Add -R to disable one or several SSL/TLS protocol versions. Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2. Issue: #30 Reported by: @Apollo2342	10 years ago
Daniel Roethlisberger	5219d494f3	Protect session cache calls from sess == NULL	10 years ago
Daniel Roethlisberger	fcb64e85e7	Make SSLv2 support opt-in instead of opt-out Migrate knobs from DISABLE_SSLV2_CLIENT and DISABLE_SSLV2_SERVER to WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER and remove the DISABLE_SSLV2_SESSION_CACHE knob entirely, automatically including the respective code if SSLv2 support is compiled into SSLsplit.	10 years ago
Daniel Roethlisberger	769fbd042d	Filter HSTS response headers to allow cert override Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from HTTP responses. With HSTS active, the user is not allowed to accept untrusted certificates.	10 years ago
Daniel Roethlisberger	b1a7b11aea	Don't depend on the space when parsing HTTP headers	10 years ago
Daniel Roethlisberger	d85e5ddbe2	Disable SSLv2 support by default	10 years ago
Landon Fuller	8350b1deb0	Plumb user/group/path information through the logging API.	10 years ago
Landon Fuller	5ed49c4985	Implement user and group name lookup.	10 years ago
Landon Fuller	52d979e29d	Add a standard API for fetching process name, uid, and gid.	10 years ago
Landon Fuller	9204418c80	Thread pid lookup support through the NAT API. This exposes the pid lookup code as a standard attribute of NAT lookup -- if a matching process cannot be found, or if pid lookup isn't supported by the NAT backend, a pid of -1 is returned. This also adds the local_pid to the pxyconn context; this will be used to populate log strings.	10 years ago

1 2

86 Commits (17d753fc2dfa3101977018537ef4d33f62615d94)