Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
440 Commits
2 Branches
25 Tags
3.0 MiB
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '25b096450d'
${ noResults }
Commit Graph

440 Commits (25b096450de21fd143007792cfcc566575ae1e29)
 

Author SHA1 Message Date
Daniel Roethlisberger 25b096450d Modernize DHE and ECDHE support 
Enable full strength DHE and ECDHE by default in order to allow modern
browsers to connect without weak crypto warnings.

Issue:		#119
Reported by:	@curioustwo
 8 years ago
Daniel Roethlisberger e632490888 Add exception handler to logger, exit on errors 
Add exception handler mechanism to logger and use that to exit cleanly
when sslsplit fails to write to a log file or fails to open a log file.

Issue:		#113
Reported by:	Matthias Kadenbach
 8 years ago
Daniel Roethlisberger 0b858431a2 Add warning if version string is bogus 8 years ago
Daniel Roethlisberger 0506024587 Update copyright notices to 2016 8 years ago
Daniel Roethlisberger 1c9aa249a9 Fix Travis build by disabling tests using IPv6 
TravisCI has removed IPv6 support in 2016.  To cope with this regression
in the testing infrastructure, disable all tests on Travis that depend
on the system being able to handle ::1 as an IP address.  Normal unit
testing still uses the full test suite.
 8 years ago
Daniel Roethlisberger d404063eab Attempt at fixing TravisCI ::1 resolution 8 years ago
Daniel Roethlisberger 43b697d875 Initialize proxy before daemonizing 
Issue:		#104
 8 years ago
Daniel Roethlisberger b3a3c36b70 Fix the SSL session timeout calculation 
Issue:		#115
Reported by:	Eun Soo Park
 8 years ago
Daniel Roethlisberger 73324dcd7b Update NEWS.md 8 years ago
Daniel Roethlisberger 88973e1757 Add support for XNU 3247.1.106, 3247.10.11 and 3248.20.55 
Add XNU headers for OS X 10.11, 10.11.1 and 10.11.2.
 8 years ago
Daniel Roethlisberger ba2f451f5e Fix bev write handler for other->closed case 
When other->closed is set, the bufferevent write handler accesses
other->bev even though it is invalid.  Fix this access, and as added
layer of defense against future bugs, set ->bev to NULL whenever
invalidating it, except where the connection is torn down completely.

Reported by:	Eun Soo Park
Introduced in:	2bcfaf4 17d753f
Issue:		#109
 9 years ago
Daniel Roethlisberger 17d753fc2d Fix NULL pointer dereference in bev write handler 
Only manipulate other->bev if it is not NULL to avoid a NULL pointer
dereference in the proxy bufferevent write handler when only one
direction is fully established, for example during connection shutdown.

Reported by:	@david-holonet
Introduced in:	2bcfaf4
Issue:		#109
 9 years ago
Daniel Roethlisberger 2bcfaf4b44 Re-enable EV_READ if disabled and outbuf empty 
The event buffer write handler failes to re-enable the corresponding
read event of the opposite connection if the buffer is not only down to
less than half the limit, but completely emptied.  In that case, the
read event would never be re-enabled and the connection would stall and
time out.

Issue:		#109
Patch by:	Eun Soo Park
 9 years ago
Daniel Roethlisberger 02ab680b34 Add log to PCAP conversion script 
Add contributed python script for parsing the output of sslsplit -L
from a log file or named pipe and converting the log entries to an
emulated PCAP format.  Information not contained in the log, such as
sequence numbers, IP IDs etc is emulated and does not correspond to the
original packets on the network.

Issue:		#27
Contributed by:	Maciej Kotowicz
 9 years ago
Daniel Roethlisberger ceffe7a676 Add log parsing script for sslsplit -L 
Add contributed script to read and parse the output of sslsplit -L from
a named pipe or log file and post-process the logged connection data
programmatically from python.

Issue:		#27
Contributed by:	Maciej Kotowicz
 9 years ago
Daniel Roethlisberger b95f46b8bd Add XNU headers for OS X 10.10.3, 10.10.4 and 10.10.5 
Add pf ioctl API headers for XNU releases 2782.20.48 (10.10.3),
2782.30.5 (10.10.4) and 2782.40.9 (10.10.5).
 9 years ago
Daniel Roethlisberger 0e2b748bba Only init DNS when DNS is required by proxy specs 
Only initialize evdns if DNS lookups are actually required by the loaded
proxy specifications.  This allows sslsplit to work in non-DNS modes in
situations where the local DNS resolver does not work, such as for local
use on a system without network connectivity.  Currently, only SNI based
proxy specs require DNS.  On systems without network connectivity, DNS
subsystem init may fail due to /etc/resolv.conf being (temporarily)
unavailable.

Issue:		#104
 9 years ago
Daniel Roethlisberger 0d38bca4e0 Add XNU 2782.10.72 headers for OS X 10.10.2 9 years ago
Daniel Roethlisberger d0d3ca9d21 Update docs and -V for LibreSSL and BoringSSL 9 years ago
Daniel Roethlisberger 79d570fe2e Use direct access workaround with LibreSSL 
LibreSSL defines OPENSSL_VERSION_NUMBER == 0x20000000L and therefore
needs special treatment when detecting OpenSSL API features based on
OPENSSL_VERSION_NUMBER.  LibreSSL currently does not seem to implement
SSL_CTX_get0_chain_certs().  Once it does, there will be a need for a
specific version check on LIBRESSL_VERSION_NUMBER.

Reported by:		Jérémie Courrèges-Anglas
 9 years ago
Daniel Roethlisberger a084aa62ec Update NEWS.md 9 years ago
Daniel Roethlisberger 57a2ab8588 Rewrite protocol version macros and refactoring 
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL.  This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations.  This fixes the build with
OpenSSL versions which have SSLv3 support removed.

While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.

Reported by:	Jérémie Courrèges-Anglas
 9 years ago
Daniel Roethlisberger a08a7233ab Move free() to the else branch where it belongs 
This prevents free(NULL) in case of failures in ssl_x509_fingerprint().

Issue:		#103
Reported by:	@david-stratusee
 9 years ago
Daniel Roethlisberger f12dd5bb92 Fix debug mode memory leak of cert fingerprint 
Issue:		#103
Reported by:	Scot Loach
 9 years ago
Daniel Roethlisberger 3f39f589f2 Warn on OpenSSL version mismatch in debug mode 
Issue:		#88
 9 years ago
Daniel Roethlisberger 558ffb8d33 List the dependencies in the install notes 9 years ago
Daniel Roethlisberger 29f7ae7bb4 Add a note that pkg-config is used when available 9 years ago
Daniel Roethlisberger 64cc8ffcde Fix lib search w/o pkg-config w/multiple instances 
Fix automatic search for dependencies when multiple instances of the
same library are installed in different prefixes that we search, by
using the first one found.  Automatic search is only used when
pkg-config was not found.  This fixes compiler errors caused by spurious
path names within compiler or linker flags, such as

    ld: can't map file, errno=22 file '/usr/lib' for architecture x86_64
    clang: error: linker command failed with exit code 1 (use -v to see
    invocation)

While here, also make XNU header version fallback more robust and add
(diabled) version mappings for 10.10.2 and 10.10.3 which are not
published by Apple yet.

Issue:		#96
Reported by:	Jan Vilhuber
 9 years ago
Daniel Roethlisberger ad5de848c7 Refrain from naming a specific OpenSSL release 9 years ago
Daniel Roethlisberger bbbeb7c3a4 Further improve wording for clarity 9 years ago
Daniel Roethlisberger a0a27742dc Rewrite description for clarity 
Issue:		#60, #93
 9 years ago
Daniel Roethlisberger b765cb7e0f Update NEWS.md for #92 9 years ago
Daniel Roethlisberger 95d4a9bc35 Explicitly initialize OpenSSL with SSL proxy specs 
Make sure we always initialize OpenSSL explicitly, even if there are no
certificates or keys loaded or generated.  Previously, OpenSSL would
only have been initialized if the configuration actually uses
certificates or keys, which is not always the case, e.g. with -t
pointing to an empty directory.

Issue:		#92
Reported by:	xelalexv
 9 years ago
Daniel Roethlisberger dd0d3238ca Add sha1(NEWS.md) to BUILD_INFO when VERSION from dir 
Issue:		#85
 9 years ago
Daniel Roethlisberger c28ca34fe1 Revert "bugfix: actually parse resolv.conf at startup" 
This reverts commit aaa4e94f84.

The initialize_nameservers argument to evdns_base_new was deliberately
not set to 1 because we call evdns_resolv_conf_parse manually later, as
we want more differentiated error reporting.

Issue:		#86
 9 years ago
Daniel Roethlisberger a9863c012b Add Richard Poole to contributor lists 9 years ago
Daniel Roethlisberger c7ba155ce9 Merge branch 'issue/86' into develop 
Issue:		#86
Reported by:	Richard Poole
 9 years ago
Richard Poole aaa4e94f84 bugfix: actually parse resolv.conf at startup 9 years ago
Richard Poole 0f2714ed8a spelling fix 9 years ago
Richard Poole 1f1f7b5559 bugfix: correct calls to log_dbg_printf 9 years ago
Daniel Roethlisberger 330ea4a74c Clarify explanation of -t 
Issue:		#84
 9 years ago
Daniel Roethlisberger 62b4848998 Add debug mode output to list of things to provide 9 years ago
Daniel Roethlisberger 7badc2fc13 Move all test RSA keys from 1024 bit to 2048 bit 
Issue:		#83
 9 years ago
Daniel Roethlisberger 77109df8d2 Improve docs on autogenerated 1024 bit RSA leaf key 
Issue:		#83
 9 years ago
Daniel Roethlisberger 6e53e93d0f Move from sha1 to sha256 in examples and tests 
Note that OpenSSL may not support -sha256 on all platforms so we
actually check for support before using it in `make test`.  For the
examples, a modern version of OpenSSL that supports -sha256 is assumed.

Issue:		#83
 9 years ago
Daniel Roethlisberger 35dae31624 Rename badly named local var to avoid grep FPs 
Issue:		#83
 9 years ago
Daniel Roethlisberger 9b5006d6f7 Add PCFLAGS for additional pkg-config flags 
Allow for additional flags to pkg-config by means of a PCFLAGS variable.
This e.g. allows to set PCFLAGS='--static' for static builds in
combination with CFLAGS='-static' and LDFLAGS='-static'.

Issue:		#82
Reported by:	@kickwindbg
 9 years ago
Daniel Roethlisberger a14354d18b Allow uid, gid and mode of installed files to be tuned 
Introducing the overridable variables INSTALLUID, INSTALLGID, BINUID,
BINGID, BINMODE, MANUID, MANGID, MANMODE that allow overriding of uid,
gid and mode of installed files.  Note that this solution still has the
limitation that uid, gid and mode of created directories cannot be set.

Issue:		#81
Reported by:	Shiloh Heurich
 9 years ago
Daniel Roethlisberger 7ae02fa6d0 Merge branch 'master' into develop after 0.4.11 9 years ago
Daniel Roethlisberger 22b4d3c108 SSLsplit 0.4.11 maintenance release 9 years ago