Commit Graph

116 Commits

Author SHA1 Message Date
Soner Tari
6975175117 Defer e2 setup until after parent is connected, to prevent multithreading issues
Refactoring, improvements
2017-07-05 22:32:10 +03:00
Soner Tari
4d88906d24 Clean up and improve 2017-07-04 18:13:34 +03:00
Soner Tari
4f6b207e57 Improve conn termination: Close children asap if there is no parent, close parent asap if there is no child 2017-07-04 12:28:04 +03:00
Soner Tari
ad1f95e465 Remove conn mutexes: Use thrmgr mutex during attach/detatch only, do eveything in the same thread, do not touch the other threads
Flex, fix, and improve conn termination: Make it more similar to orig sslsplit code
Fix issues, and clean-up
2017-07-04 02:12:17 +03:00
Soner Tari
ecfaf24614 Add more child info to conns list, and clean-up 2017-07-02 17:47:26 +03:00
Soner Tari
5047df8cba Fix some of the compiler warnings, rearrange, and clean-up 2017-07-01 23:17:45 +03:00
Soner Tari
be54db770f Add comments, improvements, and clean-up 2017-07-01 18:08:28 +03:00
Soner Tari
0b0f6b21dc Add uuid to all conn mctxs, otherwise we cannot uniquely identify them, causing trouble especially while deleting conns
Fix issues, clean-up
2017-07-01 00:29:39 +03:00
Soner Tari
833e1903e1 Dump conn info list
Remove conns using delete list of timed out conns
Fix issues, improvements
2017-06-30 00:38:37 +03:00
Soner Tari
c11ca7a195 Fix freeing of non-ssl buffer events and fds 2017-06-27 22:11:10 +03:00
Soner Tari
4a34c4792b travis-cgi.org issue seems to be gone now
Rely less on parent ctx, and more on meta ctx
Rearrange, improve, and clean-up
2017-06-27 17:09:01 +03:00
Soner Tari
82b58c2dab Fix multithreading
Clean-up
2017-06-25 14:21:32 +03:00
Soner Tari
9858928b73 Add debug levels, initial 2017-06-15 19:07:37 +03:00
Soner Tari
ab600c8215 Leave if getsockname() fails 2017-06-15 12:00:53 +03:00
Soner Tari
d71533f0b9 Remove SSL proxy specific header line from the packet on the egress exit
Insert our header line right after the first header line in the packet in case the packet is fragmented, otherwise Squid is confused when it cannot find our header line in the first packet
2017-06-13 12:42:10 +03:00
Soner Tari
85a96ec844 First working SSL version, surprisingly running so fine and stable for a first prototype that I think there is something wrong and it is just running in passthrough mode :), seriously this is just the beginning. 2017-06-10 21:50:03 +03:00
Soner Tari
d033ea68dd Plain TCP version is running good enough, next will try to switch the SSL on 2017-05-29 12:22:23 +03:00
Daniel Roethlisberger
ca7f20e442 Fix connect log for autossl connections 2016-03-27 13:49:50 +02:00
Daniel Roethlisberger
e67978f4dd Merge branch 'develop' into feature/autossl 2016-03-27 13:27:38 +02:00
Daniel Roethlisberger
3c20f473fa Rename and improve autossl peeking function 2016-03-27 13:26:39 +02:00
Daniel Roethlisberger
9843ead5d7 Copy SNI hostname from OpenSSL if ctx->sni is NULL 2016-03-27 13:25:50 +02:00
Daniel Roethlisberger
2f834419eb Handle inbound EOF before outbound CONNECTED
Fix segmentation fault upon receiving BEV_EVENT_EOF on the inbound
bufferevent while the outbound bufferevent has not received
BEV_EVENT_CONNECTED yet.

Issue:		#124
Patch by:	Eun Soo Park
2016-03-27 12:16:57 +02:00
Daniel Roethlisberger
25b096450d Modernize DHE and ECDHE support
Enable full strength DHE and ECDHE by default in order to allow modern
browsers to connect without weak crypto warnings.

Issue:		#119
Reported by:	@curioustwo
2016-03-25 16:28:30 +01:00
Daniel Roethlisberger
0506024587 Update copyright notices to 2016 2016-03-25 12:19:23 +01:00
Daniel Roethlisberger
b3b7a7ab17 Merge branch 'develop' into feature/autossl 2016-03-15 20:13:12 +01:00
Daniel Roethlisberger
ba2f451f5e Fix bev write handler for other->closed case
When other->closed is set, the bufferevent write handler accesses
other->bev even though it is invalid.  Fix this access, and as added
layer of defense against future bugs, set ->bev to NULL whenever
invalidating it, except where the connection is torn down completely.

Reported by:	Eun Soo Park
Introduced in:	2bcfaf4 17d753f
Issue:		#109
2015-11-08 15:44:02 +01:00
Daniel Roethlisberger
17d753fc2d Fix NULL pointer dereference in bev write handler
Only manipulate other->bev if it is not NULL to avoid a NULL pointer
dereference in the proxy bufferevent write handler when only one
direction is fully established, for example during connection shutdown.

Reported by:	@david-holonet
Introduced in:	2bcfaf4
Issue:		#109
2015-11-01 17:56:57 +01:00
Daniel Roethlisberger
2bcfaf4b44 Re-enable EV_READ if disabled and outbuf empty
The event buffer write handler failes to re-enable the corresponding
read event of the opposite connection if the buffer is not only down to
less than half the limit, but completely emptied.  In that case, the
read event would never be re-enabled and the connection would stall and
time out.

Issue:		#109
Patch by:	Eun Soo Park
2015-10-25 17:54:27 +01:00
Daniel Roethlisberger
57a2ab8588 Rewrite protocol version macros and refactoring
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL.  This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations.  This fixes the build with
OpenSSL versions which have SSLv3 support removed.

While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.

Reported by:	Jérémie Courrèges-Anglas
2015-07-28 23:39:51 +02:00
Daniel Roethlisberger
769da7565e Style fix 2015-07-28 22:02:04 +02:00
Daniel Roethlisberger
a08a7233ab Move free() to the else branch where it belongs
This prevents free(NULL) in case of failures in ssl_x509_fingerprint().

Issue:		#103
Reported by:	@david-stratusee
2015-07-10 12:01:52 +02:00
Daniel Roethlisberger
f12dd5bb92 Fix debug mode memory leak of cert fingerprint
Issue:		#103
Reported by:	Scot Loach
2015-07-07 18:12:32 +02:00
Daniel Roethlisberger
74f62c3e5e Refactor and unify ClientHello parsers
Refactor and unify ssl_tls_clienthello_identify() and the earlier
ssl_tls_clienthello_parse_sni() into a single
ssl_tls_clienthello_parse() function that handles parsing ClientHello
messages for different purposes.  As a result, rename the debug knob
DEBUG_SNI_PARSER into DEBUG_CLIENTHELLO_PARSER.
2015-05-17 20:27:58 +02:00
Daniel Roethlisberger
6671a82aed Rename genericstarttls to autossl and improve docs
Issue:		#87
2015-04-21 16:00:55 +02:00
Richard Poole
5c8b5e30d5 connection upgrade feature: upgrade tcp to ssl on client hello
This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
2015-04-18 13:34:04 +01:00
Richard Poole
0f2714ed8a spelling fix 2015-04-18 11:51:28 +01:00
Richard Poole
1f1f7b5559 bugfix: correct calls to log_dbg_printf 2015-04-18 11:50:26 +01:00
Daniel Roethlisberger
914360eb5e Separate host and port into separate strings
Store host and port in separate strings internally and get rid of the
[host]:port representation where separate host and port would be
cleaner.  This includes the following user-visible changes:

-   Generated filenames that contain host and port, such as by -S and
    -F %d and %s, now use a host,port format instead of [host]:port.

-   Connect log now uses separate fields for host and port.

Issue:		#69 #74
Reported by:	Adam Jacob Muller
2015-03-15 17:23:46 +01:00
Daniel Roethlisberger
91da4674e5 Update copyright, license and tagline
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
2015-02-24 19:19:20 +01:00
Daniel Roethlisberger
f16783cee2 Move cert writer to logger thread using privsep
Make -w and -W work in conjunction with dropping privileges and
chrooting by moving the cert writer code to a separate logger thread and
using the privsep framework to open the files if they do not exist
already.

Issue:		#70
2014-12-13 23:52:17 +01:00
Daniel Roethlisberger
6ec6c56ded Refactored -w/-W and improved docs 2014-12-13 02:36:45 +01:00
PsychoMario
3aff928daf moved key output to main.c, caught some bugs 2014-12-12 17:28:06 +00:00
PsychoMario
a83cd68605 stored fpr as char* in ctx 2014-12-11 13:57:50 +00:00
PsychoMario
1736564b32 error handling 2014-12-09 23:26:00 +00:00
PsychoMario
4f310a877a implemented -W to write original certs 2014-12-09 21:43:05 +00:00
PsychoMario
a7e2d99b39 added logging of fingerprints, uppercased names 2014-12-09 21:13:04 +00:00
PsychoMario
13dce0aa35 moved write to pxy_srccert_create, -X to -w, opts_free use 2014-12-09 20:02:25 +00:00
PsychoMario
73042d4daa fix mutual exclusivity, sprintf->asprintf 2014-12-09 19:47:10 +00:00
PsychoMario
cbb2a179f9 naive implementation with -X, no help, validation, logging 2014-12-09 19:08:11 +00:00
Daniel Roethlisberger
c4b22efa5a Fix segmentation fault for aborted connections 2014-11-27 23:19:54 +01:00