SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain. When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.
Issue: #79
- Update copyright to 2015
- Remove the non-standard "unmodified" from the 2-clause BSD license
- Remove scalable from the tagline to avoid misinterpretations
OpenSSL 0.9.8y also crashes in OpenSSL's SSL_get_certificate() on a
NULL pointer dereference. Fix by also using the direct access hack
developed for OpenSSL 1.0.0k and 1.0.1e with OpenSSL 0.9.8y.
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.
Issue: #30
Reported by: @Apollo2342
The code in pxy_ossl_servername_cb() which generated the forged
certificates did not call SSL_CTX_free() on the newly allocated SSL_CTX
struct after associating it with the SSL struct, which increments the
reference count internally. Also add some comments explaining OpenSSL
reference counting behaviour to be more explicit on what happens to the
instances that OpenSSL keeps track of.
Extend and improve the workaround introduced in commit 20b3f66120.
Automatically replace SSL_get_certificate() with a drop-in replacement
if a version of OpenSSL known to be broken is used. This now covers the
use of SSL_get_certificate() within the connection manager as well and
resolves one more case where OpenSSL could crash.
A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading
certificates using SSL_get_certificate(). Work around the bug by
directly accessing the respective members of SSL* when using any of the
broken versions of OpenSSL.
Add group parameters for 2048 and 4096 bit Diffie-Hellman in addition to
the previous 512 and 1024 bit parameters. Also add a meaningful error
message when a group size is requested which is not provided.