Commit Graph

31 Commits

Author SHA1 Message Date
Daniel Roethlisberger
f076336e0b Don't allow -u on Mac OS X with pf proxyspecs
Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf).  This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0.  It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms?  Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.

Issue:		#65
Reported by:	Vladimir Marteev
2014-11-28 00:13:42 +01:00
Daniel Roethlisberger
a9bd438756 Minor updates to manual page 2014-11-25 23:38:05 +01:00
Daniel Roethlisberger
125163a003 Add local process lookup on FreeBSD using sysctl() API 2014-11-19 22:30:01 +01:00
Daniel Roethlisberger
84dfba04f2 Update manual page 2014-11-16 20:15:19 +01:00
Daniel Roethlisberger
96ad8f92af Add -i and restore order 2014-11-14 16:40:56 +01:00
Daniel Roethlisberger
81241139c7 Merge branch 'logspec_path_support' of git://github.com/fix-macosx/sslsplit into issue/55 2014-11-13 22:26:38 +01:00
Daniel Roethlisberger
a5ccfa3d4b Remove SSLv2 bug section and add contributors 2014-11-13 19:45:43 +01:00
Landon Fuller
bea605d7ca
Update the man page to include the -F option and its logspec directives. 2014-11-07 17:03:55 -07:00
Daniel Roethlisberger
6b0e47dc89 Allow more control over used SSL/TLS versions
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.

Issue:		#30
Reported by:	@Apollo2342
2014-11-05 20:06:11 +01:00
Daniel Roethlisberger
edf1dac8fa Improve manual page re protocols and scalability
Issue:		#42
2014-11-02 20:40:53 +01:00
Daniel Roethlisberger
769fbd042d Filter HSTS response headers to allow cert override
Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from
HTTP responses.  With HSTS active, the user is not allowed to accept
untrusted certificates.
2014-11-02 20:25:17 +01:00
Daniel Roethlisberger
0a225ae65c Update documentation after merging pull req #35 2014-10-23 13:28:14 +02:00
Daniel Roethlisberger
85b177f6b0 Special device nodes may be needed for -j to work 2014-08-26 14:29:56 +02:00
Daniel Roethlisberger
3226d9bfcf No longer chroot() by default when run as root
No longer implicitly use -j /var/empty by default and document clearly
the implications of using -j with -S and/or sni proxyspecs.

Issue:		#21
2014-01-30 23:34:37 +01:00
Daniel Roethlisberger
6643d832d9 Add experimental support for pf on Mac OS X
Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing
Apple headers in the source tree and enable private Apple code.  Since
we are using an interface marked private by Apple, this code is very
experimental.

Issue:		#15
Reported by:	Amit Chowdhary
2014-01-10 15:03:13 +01:00
Daniel Roethlisberger
ca923ee7f1 Update copyright notices to 2014 2014-01-06 14:09:18 +01:00
Daniel Roethlisberger
8cc81c7f1c FreeBSD pf also has divert-to since 9.0-RELEASE 2013-12-23 14:13:27 +01:00
Daniel Roethlisberger
0987300e28 Improve IPFW and pf wording in the documentation 2013-12-23 13:57:57 +01:00
Daniel Roethlisberger
68a60b9734 Update manual page for OpenBSD
Add configuration examples for both old and new OpenBSD pf syntax and
give an example of using OpenBSD pf divert sockets for redirection.
Based on the OpenBSD port patchset.

Reported by:	Stuart Henderson
2013-12-17 15:28:30 +01:00
Daniel Roethlisberger
c73ce64c16 Update README and manual page for HPKP prevention 2013-06-29 23:29:31 +02:00
Daniel Roethlisberger
c972501063 Update copyright notices 2013-04-24 20:36:38 +02:00
Daniel Roethlisberger
807b7c1d3b Fix typo in manpage 2012-10-16 21:56:03 +02:00
Daniel Roethlisberger
62af96e413 Clarify when it is preferred to use SNI proxyspecs 2012-05-13 22:33:31 +02:00
Daniel Roethlisberger
3742404fe9 Update ECDH default curve name in manual page 2012-05-11 18:19:07 +02:00
Daniel Roethlisberger
7ad1deb680 Document intended use of SSLsplit 2012-05-11 18:12:22 +02:00
Daniel Roethlisberger
6d58824de2 Fix typo in manual page 2012-05-03 01:01:57 +02:00
Daniel Roethlisberger
2d1ad219b9 Change default cipher suite to "ALL:-aNULL" 2012-05-02 14:59:47 +02:00
Daniel Roethlisberger
1bd2872b20 DH group parameters are also loaded from -c 2012-05-02 13:46:18 +02:00
Daniel Roethlisberger
7aca81a7b7 Improve CA cert/key config code and docs
Make -c and -k functional twins by also loading DH params in -c and by
fixing certificate loading in -k.  Improve the documentation for both
switches and simplify the SYNOPSIS in sslsplit(1).
2012-04-22 22:59:00 +02:00
Daniel Roethlisberger
ee98c04b29 Add generic OCSP denial 2012-04-22 19:12:38 +02:00
Daniel Roethlisberger
4cfdef405a Initial import of sslsplit-0.4.2 2012-04-13 14:47:30 +02:00