Commit Graph

37 Commits

Author SHA1 Message Date
Daniel Roethlisberger
35dae31624 Rename badly named local var to avoid grep FPs
Issue:		#83
2015-03-24 20:28:40 +01:00
Daniel Roethlisberger
a027fb68cd Fix loading of certificate chains with OpenSSL 1.0.2
SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain.  When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.

Issue:		#79
2015-03-15 00:09:36 +01:00
Daniel Roethlisberger
91da4674e5 Update copyright, license and tagline
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
2015-02-24 19:19:20 +01:00
Daniel Roethlisberger
27cf6c90e7 Merge branch 'feature/genstore' into develop 2014-12-13 03:20:38 +01:00
Daniel Roethlisberger
3da7407f14 Use same hash algo in RSA sigs as orig cert uses 2014-12-13 03:18:13 +01:00
Daniel Roethlisberger
11f6742bff Add convenience functions for printing SHA1 values 2014-12-12 23:50:55 +01:00
Daniel Roethlisberger
8422c6b478 Minor code cleanup of ssl_key_identifier_sha1() 2014-12-12 18:07:46 +01:00
Daniel Roethlisberger
8b0b1d0226 Add ssl_key_identifier_sha1() utility function
Issue:		#67
2014-12-12 17:38:34 +01:00
Daniel Roethlisberger
e69b13f2eb SIGUSR1 re-opens -l/-L log files; add defaults.h
Issue:		#52
2014-11-25 23:45:40 +01:00
Daniel Roethlisberger
341d6b77d1 Use SSL_get_certificate() hack for OpenSSL 0.9.8y
OpenSSL 0.9.8y also crashes in OpenSSL's SSL_get_certificate() on a
NULL pointer dereference.  Fix by also using the direct access hack
developed for OpenSSL 1.0.0k and 1.0.1e with OpenSSL 0.9.8y.
2014-11-19 20:01:42 +01:00
Daniel Roethlisberger
fcd008df4b Unify asprintf error handling 2014-11-17 19:11:27 +01:00
wjensen
cc0b57d341 Fix memory leaks in ssl_x509_load() and ssl_key_load(), remove unnecessary condition in ssl_x509chain_load() 2014-11-11 09:46:29 -08:00
Daniel Roethlisberger
6b0e47dc89 Allow more control over used SSL/TLS versions
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.

Issue:		#30
Reported by:	@Apollo2342
2014-11-05 20:06:11 +01:00
Daniel Roethlisberger
8dbea83b21 Prevent malloc(0) when ssl_x509_names() returns no names 2014-11-04 18:33:00 +01:00
Daniel Roethlisberger
eca1ac9a5e Rewrite ssl_x509_subject_cn() error handling 2014-11-03 22:32:22 +01:00
Daniel Roethlisberger
76aab3b816 Fix X509_NAME_get_text_by_NID() error handling 2014-11-03 22:10:44 +01:00
Daniel Roethlisberger
ed99fc0260 Use NULL instead of '\0' to avoid type conversion 2014-10-21 15:16:09 +02:00
Daniel Roethlisberger
47c409cbb5 Don't rely on OpenSSL to pull in string.h
Obtained from:	OpenBSD port patches
2014-06-21 19:20:34 +02:00
Daniel Roethlisberger
2235e1aad9 Fix memory leak in fake cert generation code
The code in pxy_ossl_servername_cb() which generated the forged
certificates did not call SSL_CTX_free() on the newly allocated SSL_CTX
struct after associating it with the SSL struct, which increments the
reference count internally.  Also add some comments explaining OpenSSL
reference counting behaviour to be more explicit on what happens to the
instances that OpenSSL keeps track of.
2014-01-13 23:56:59 +01:00
Daniel Roethlisberger
05410fe9b3 Enable SSL_MODE_RELEASE_BUFFERS by default 2014-01-13 23:33:31 +01:00
Daniel Roethlisberger
b82ca9b414 Print status of free'd SSL structs in debug mode 2014-01-11 17:28:41 +01:00
Daniel Roethlisberger
ca923ee7f1 Update copyright notices to 2014 2014-01-06 14:09:18 +01:00
Daniel Roethlisberger
c972501063 Update copyright notices 2013-04-24 20:36:38 +02:00
Daniel Roethlisberger
f99e5e34a7 Improve workaround for OpenSSL 1.0.0k/1.0.1e
Extend and improve the workaround introduced in commit 20b3f66120.
Automatically replace SSL_get_certificate() with a drop-in replacement
if a version of OpenSSL known to be broken is used.  This now covers the
use of SSL_get_certificate() within the connection manager as well and
resolves one more case where OpenSSL could crash.
2013-04-24 17:15:49 +02:00
Daniel Roethlisberger
20b3f66120 Work around segfault with OpenSSL 1.0.0k/1.0.1e
A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading
certificates using SSL_get_certificate().  Work around the bug by
directly accessing the respective members of SSL* when using any of the
broken versions of OpenSSL.
2013-04-24 15:44:06 +02:00
Daniel Roethlisberger
f27dc964a5 Add warning for OpenSSL 1.0.1e bug causing crash 2013-04-03 19:01:48 +02:00
Daniel Roethlisberger
1995dc4b89 Reinitialize SSL mutexes after fork
See issue #5.
2012-10-17 00:11:53 +02:00
Daniel Roethlisberger
bd77e6a228 Improve ssl_tmp_dh_callback() error messages 2012-10-01 14:55:55 +02:00
Daniel Roethlisberger
79c2c6e520 Add support for 2048 and 4096 bit Diffie-Hellman
Add group parameters for 2048 and 4096 bit Diffie-Hellman in addition to
the previous 512 and 1024 bit parameters.  Also add a meaningful error
message when a group size is requested which is not provided.
2012-10-01 14:49:24 +02:00
Daniel Roethlisberger
38d22415af Generic EC loading, new default curve 'secp160r2' 2012-05-11 17:39:12 +02:00
Daniel Roethlisberger
fa425e08d4 Fix PURIFY and warn when not seeding the RNG 2012-04-23 00:51:02 +02:00
Daniel Roethlisberger
a224d1e7e8 Add facility to recognize OCSP requests 2012-04-22 18:02:58 +02:00
Daniel Roethlisberger
d4be8c3e38 Refactor ssl_x509_names_to_str() for maintainability 2012-04-17 23:35:43 +02:00
Daniel Roethlisberger
04c9112621 Add OCSP URL parsing 2012-04-17 23:03:59 +02:00
Daniel Roethlisberger
c75e0569b3 Fix ssl_x509_names() DNSName segfault 2012-04-17 22:59:15 +02:00
Daniel Roethlisberger
ae306f3b0b Fix ssl_x509_names() to NULL-terminate buffer 2012-04-17 21:55:47 +02:00
Daniel Roethlisberger
4cfdef405a Initial import of sslsplit-0.4.2 2012-04-13 14:47:30 +02:00