Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf). This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0. It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms? Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.
Issue: #65
Reported by: Vladimir Marteev
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.
Issue: #30
Reported by: @Apollo2342
Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from
HTTP responses. With HSTS active, the user is not allowed to accept
untrusted certificates.
Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing
Apple headers in the source tree and enable private Apple code. Since
we are using an interface marked private by Apple, this code is very
experimental.
Issue: #15
Reported by: Amit Chowdhary
Add configuration examples for both old and new OpenBSD pf syntax and
give an example of using OpenBSD pf divert sockets for redirection.
Based on the OpenBSD port patchset.
Reported by: Stuart Henderson
Make -c and -k functional twins by also loading DH params in -c and by
fixing certificate loading in -k. Improve the documentation for both
switches and simplify the SYNOPSIS in sslsplit(1).