This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
Note that OpenSSL may not support -sha256 on all platforms so we
actually check for support before using it in `make test`. For the
examples, a modern version of OpenSSL that supports -sha256 is assumed.
Issue: #83
Allow for additional flags to pkg-config by means of a PCFLAGS variable.
This e.g. allows to set PCFLAGS='--static' for static builds in
combination with CFLAGS='-static' and LDFLAGS='-static'.
Issue: #82
Reported by: @kickwindbg
Introducing the overridable variables INSTALLUID, INSTALLGID, BINUID,
BINGID, BINMODE, MANUID, MANGID, MANMODE that allow overriding of uid,
gid and mode of installed files. Note that this solution still has the
limitation that uid, gid and mode of created directories cannot be set.
Issue: #81
Reported by: Shiloh Heurich
SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain. When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.
Issue: #79
If the proper headers matching either the reported XNU version or OS X
version exactly cannot be found, use the latest headers that SSLsplit
knows about. This fixes build on new releases of OS X that have no
source code published by Apple yet.
This fixes the following make error on Mac OS X versions that we don't
explicitly support yet due to missing sources:
GNUmakefile:55: *** unterminated call to function `shell': missing `)'.
Stop.
Reported by: Justin Garrick
Percent is used to specify the interface for link-local addresses.
Even though this is not strictly necessary for NTFS, it makes sense to
replace percent with underscore as well to have cleaner filenames.
Also add some unit tests for sys_ip46str_sanitize() that actually test
the intended behaviour.
Store host and port in separate strings internally and get rid of the
[host]:port representation where separate host and port would be
cleaner. This includes the following user-visible changes:
- Generated filenames that contain host and port, such as by -S and
-F %d and %s, now use a host,port format instead of [host]:port.
- Connect log now uses separate fields for host and port.
Issue: #69#74
Reported by: Adam Jacob Muller
SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain. When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.
Issue: #79
The state machine makes sure that both af and addr are written to before
they are being read. However, to silence compiler warnings, it does not
hurt to explicitly initialize af and addr anyway. This gets rid of the
following spurious compiler warnings:
opts.c: In function 'proxyspec_parse':
opts.c:380:8: warning: 'af' may be used uninitialized in this function [-Wmaybe-uninitialized]
af = sys_sockaddr_parse(&spec->connect_addr,
^
opts.c:316:8: warning: 'addr' may be used uninitialized in this function [-Wmaybe-uninitialized]
af = sys_sockaddr_parse(&spec->listen_addr,
^
Reported by: Thomas Klausner
Issue: #78
If the proper headers matching either the reported XNU version or OS X
version exactly cannot be found, use the latest headers that SSLsplit
knows about. This fixes build on new releases of OS X that have no
source code published by Apple yet.
- Update copyright to 2015
- Remove the non-standard "unmodified" from the 2-clause BSD license
- Remove scalable from the tagline to avoid misinterpretations
This fixes the following make error on Mac OS X versions that we don't
explicitly support yet due to missing sources:
GNUmakefile:55: *** unterminated call to function `shell': missing `)'.
Stop.
Reported by: Justin Garrick
Make -w and -W work in conjunction with dropping privileges and
chrooting by moving the cert writer code to a separate logger thread and
using the privsep framework to open the files if they do not exist
already.
Issue: #70
