Commit Graph

49 Commits

Author SHA1 Message Date
Soner Tari
a314be6e94 Add conn context and is_child fields to proxy context struct to get rid of extra function params and to simplify conditionals
Remove redundant parent/conn pointer vars
Use conn instead of parent amap
2018-09-23 02:02:15 +03:00
Soner Tari
9213734c95 Enable header insertion for tcp and ssl proxspecs as well, reported by @Sfinx
Remove redundant mail field of proxyspec
2018-09-22 02:34:25 +03:00
Soner Tari
d2e9ab4487 Merge sslsplit-develop changes 2018-09-15 02:51:26 +03:00
Soner Tari
a584363f62 Add defined(LIBRESSL_VERSION_NUMBER) directives to fix signal 6 and 10 crashes: LibreSSL versions up to v2.7.4 behave like OPENSSL_VERSION_NUMBER < 0x1000200fL, beware not just OPENSSL_VERSION_NUMBER < 0x10100000L
Fix up:port af, use a different var, because utm port af is always AF_INET, and it breaks the target address af if the listening address is AF_INET6
Enable -O2 C flag, because LibreSSL is compiled with -O2 too
2018-08-22 22:48:55 +03:00
Soner Tari
0c8348db75 Merge sslsplit develop changes 2018-08-03 23:36:51 +03:00
Soner Tari
e8054deed3 Set option defaults in opts_new() now
Use bit instead of int for boolean options
2018-08-03 17:14:21 +03:00
Soner Tari
7ac3e0a445 Remove most of defined(LIBRESSL_VERSION_NUMBER), LibreSSL behaves more like OPENSSL_VERSION_NUMBER >= 0x10100000L now 2018-08-03 16:07:54 +03:00
Soner Tari
5a4b8974bf Add fall through comment for missing break in case statement, as gcc (Ubuntu 7.3.0-16ubuntu3) 7.3.0 complains about it now
Break out of for loop if max token is reached
2018-08-01 21:38:12 +03:00
Soner Tari
ee3278d2bb Fix a possible memory corruption due to incorrect size allocation for argv 2018-05-10 21:13:53 +03:00
Soner Tari
27650fab69 Support all command line options in the conf file as well
Update with the latest sslsplit-devel changes
2018-05-09 20:05:29 +03:00
Soner Tari
5bba07b27f Use SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() functions to force SSL/TLS protocol version for OpenSSL 1.1.0+ 2018-03-16 12:12:48 +03:00
Soner Tari
9d435e180c Update with SSLsplit 0.5.2 and develop branch changes as of 270218 2018-02-27 22:20:58 +03:00
Soner Tari
4c8831bd90 Update with SSLsplit 0.5.1 changes, fix LibreSSL version issues
Add VerifyPeer and AllowWrongHost options
2018-01-18 03:18:53 +03:00
Soner Tari
4fceaaa0e9 Fix compiler warning
Rename the man page for the ports package
2017-08-22 02:02:30 +03:00
Soner Tari
9ec58f821b Changes needed while adding SSL proxy support to WUI
Separate mail/mails to pop3/pop3s/smtp/smpts for statistics
Write connect logs to syslog too, for statistics
Fix log lines for statistics, remove fds from err logs
2017-08-20 01:46:57 +03:00
Soner Tari
7748e3ec1b Add conf file support, with -f command line option, supports a subset of all possible options 2017-08-16 16:01:52 +03:00
Soner Tari
1a6eab50a5 Tidy and clean logs up
Add DEBUG_PROXY directive around all log_dbg_level_printf() and related lines
Log stats to syslog, similar to error logs, so that it is simpler to rotate and parse
-O w/o -g is failing bufferevent_socket_connect for parent dst, so either enable -O w/ -g, or disable -O w/o -g (-O2 is failing too)
Refactoring
2017-08-13 04:36:33 +03:00
Soner Tari
4bfc85868b Add support for pop3 (p3scan pop3 proxy)
Send sslproxy info only once, in the first packet only
Clean-up
2017-08-03 14:55:57 +03:00
Soner Tari
67ddee1585 Import sslsplit-devel changes
Add stats logs, initial
Add SSLproxy_SrcAddr header field
Clean-up
2017-07-25 16:07:39 +03:00
Soner Tari
5a496d04e0 Make utm service port spec a command line option
Check NULL retvals, clean-up
2017-07-22 16:30:40 +03:00
Soner Tari
26cbefa3a4 Use inet_ntop() instead of inet_ntoa()
Fix compiler warnings
2017-07-22 13:52:40 +03:00
Soner Tari
133584361f Rename and clean-up 2017-07-13 00:45:12 +03:00
Soner Tari
82b58c2dab Fix multithreading
Clean-up
2017-06-25 14:21:32 +03:00
Soner Tari
ad63380b07 Fix e2 port specs, otherwise we get:
"Error from socket() fd2: Protocol not supported (43)
Error opening socket: Bad file descriptor (9)"
2017-06-11 14:47:51 +03:00
Soner Tari
d033ea68dd Plain TCP version is running good enough, next will try to switch the SSL on 2017-05-29 12:22:23 +03:00
Daniel Roethlisberger
29f44c3d64 Add autossl spec parsing tests and improve docs 2016-03-27 14:38:06 +02:00
Daniel Roethlisberger
e67978f4dd Merge branch 'develop' into feature/autossl 2016-03-27 13:27:38 +02:00
Daniel Roethlisberger
3bda2715c7 Don't test NONNULL spec in first loop iteration 2016-03-25 16:44:05 +01:00
Daniel Roethlisberger
0506024587 Update copyright notices to 2016 2016-03-25 12:19:23 +01:00
Daniel Roethlisberger
b3b7a7ab17 Merge branch 'develop' into feature/autossl 2016-03-15 20:13:12 +01:00
Daniel Roethlisberger
0e2b748bba Only init DNS when DNS is required by proxy specs
Only initialize evdns if DNS lookups are actually required by the loaded
proxy specifications.  This allows sslsplit to work in non-DNS modes in
situations where the local DNS resolver does not work, such as for local
use on a system without network connectivity.  Currently, only SNI based
proxy specs require DNS.  On systems without network connectivity, DNS
subsystem init may fail due to /etc/resolv.conf being (temporarily)
unavailable.

Issue:		#104
2015-09-27 16:39:24 +02:00
Daniel Roethlisberger
57a2ab8588 Rewrite protocol version macros and refactoring
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL.  This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations.  This fixes the build with
OpenSSL versions which have SSLv3 support removed.

While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.

Reported by:	Jérémie Courrèges-Anglas
2015-07-28 23:39:51 +02:00
Daniel Roethlisberger
6671a82aed Rename genericstarttls to autossl and improve docs
Issue:		#87
2015-04-21 16:00:55 +02:00
Richard Poole
5c8b5e30d5 connection upgrade feature: upgrade tcp to ssl on client hello
This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
2015-04-18 13:34:04 +01:00
Daniel Roethlisberger
80b727054b Refactor proxyspec printing into proxyspec_str() 2015-03-15 22:55:34 +01:00
Daniel Roethlisberger
22abde706b Initialize af and addr even though not strictly necessary
The state machine makes sure that both af and addr are written to before
they are being read.  However, to silence compiler warnings, it does not
hurt to explicitly initialize af and addr anyway.  This gets rid of the
following spurious compiler warnings:

    opts.c: In function 'proxyspec_parse':
    opts.c:380:8: warning: 'af' may be used uninitialized in this function [-Wmaybe-uninitialized]
         af = sys_sockaddr_parse(&spec->connect_addr,
            ^
    opts.c:316:8: warning: 'addr' may be used uninitialized in this function [-Wmaybe-uninitialized]
         af = sys_sockaddr_parse(&spec->listen_addr,
            ^

Reported by:	Thomas Klausner
Issue:		#78
2015-03-02 10:23:48 +01:00
Daniel Roethlisberger
91da4674e5 Update copyright, license and tagline
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
2015-02-24 19:19:20 +01:00
PsychoMario
b34336ab4b moved to develop branch 2014-12-12 17:03:06 +00:00
PsychoMario
13dce0aa35 moved write to pxy_srccert_create, -X to -w, opts_free use 2014-12-09 20:02:25 +00:00
Daniel Roethlisberger
c01ace1261 Introduce privilege separation architecture
Fork into a monitor parent process and an actual proxy child process,
communicating over AF_UNIX sockets.  Certain privileged operations are
performed through the privileged parent process, like opening log files
or listener sockets, while all other operations happen in the child
process, which can now drop its privileges without side-effects for
log file opening and other privileged operations.  This is also a
preparation for -l/-L logfile reopening through SIGUSR1.

This means that -S and -F are no longer relative to chroot() if used
with -j.  This is a deliberate POLA violation.
2014-11-24 22:14:09 +01:00
Daniel Roethlisberger
206c688219 Refactor SSL/TLS debug code 2014-11-05 21:18:53 +01:00
Daniel Roethlisberger
6b0e47dc89 Allow more control over used SSL/TLS versions
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.

Issue:		#30
Reported by:	@Apollo2342
2014-11-05 20:06:11 +01:00
Daniel Roethlisberger
b1b8fe09b9 Merge pull request #35 from fix-macosx/specify-custom-gid
Add support for specifying an explicit group when dropping privileges.
2014-10-23 13:00:42 +02:00
Daniel Roethlisberger
bea022540f Handle strdup() failure in early stages of main()
Issue:		#38
Reported by:	Markus Elfring
2014-10-23 12:49:12 +02:00
Landon Fuller
9d54677009 Add support for specifying an explicit group when dropping privileges.
This simplifies my use of pf(4) when using group-based
rules to exclude splitssl from redirection.
2014-10-18 00:34:51 -06:00
Landon Fuller
ecbc84438a Fix crash in strdup() when no default NAT engine is available. 2014-10-17 19:35:44 -06:00
Daniel Roethlisberger
ca923ee7f1 Update copyright notices to 2014 2014-01-06 14:09:18 +01:00
Daniel Roethlisberger
c972501063 Update copyright notices 2013-04-24 20:36:38 +02:00
Daniel Roethlisberger
4cfdef405a Initial import of sslsplit-0.4.2 2012-04-13 14:47:30 +02:00