Commit Graph

503 Commits

Author SHA1 Message Date
Daniel Roethlisberger
2a4a9c8b23 Fix fallback to passthrough when no cert present
Properly reset connection state when reconnecting the dst part of the
connection.  This fixes the fallback to passthrough when no certficates
are present which can be used to split the SSL.

Issue:          #9
Reported by:    ceear
2013-05-27 00:22:45 +02:00
Daniel Roethlisberger
ac9a2613e0 Only generate RSA leaf key if CA key present
Issue:          #9
Reported by:    ceear
2013-05-27 00:17:36 +02:00
Daniel Roethlisberger
9f23fb31aa Log new bev connections to debug log 2013-05-27 00:03:05 +02:00
Daniel Roethlisberger
b06a2474f5 Shortcut errlog thrqueue in debug mode 2013-05-27 00:01:44 +02:00
Daniel Roethlisberger
c972501063 Update copyright notices 2013-04-24 20:36:38 +02:00
Daniel Roethlisberger
711448759c Bind to ports before dropping privileges
This fixes a regression which caused bind() to ports < 1024 to fail with
the default settings of dropping privileges to nobody.

Issue:          #8
Reported by:    Ian Grispan
2013-04-24 17:17:23 +02:00
Daniel Roethlisberger
f99e5e34a7 Improve workaround for OpenSSL 1.0.0k/1.0.1e
Extend and improve the workaround introduced in commit 20b3f66120.
Automatically replace SSL_get_certificate() with a drop-in replacement
if a version of OpenSSL known to be broken is used.  This now covers the
use of SSL_get_certificate() within the connection manager as well and
resolves one more case where OpenSSL could crash.
2013-04-24 17:15:49 +02:00
Daniel Roethlisberger
20b3f66120 Work around segfault with OpenSSL 1.0.0k/1.0.1e
A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading
certificates using SSL_get_certificate().  Work around the bug by
directly accessing the respective members of SSL* when using any of the
broken versions of OpenSSL.
2013-04-24 15:44:06 +02:00
Daniel Roethlisberger
f27dc964a5 Add warning for OpenSSL 1.0.1e bug causing crash 2013-04-03 19:01:48 +02:00
Daniel Roethlisberger
146188b750 Improve SNI peek debugging 2013-04-03 18:12:52 +02:00
Daniel Roethlisberger
469a6e470d Update TODO 2013-04-03 18:12:52 +02:00
Daniel Roethlisberger
bd639bf847 Fix typo in comment 2013-04-03 18:12:52 +02:00
Daniel Roethlisberger
d3a84b38f6 Add TODO item 2013-01-26 19:02:25 +01:00
Daniel Roethlisberger
92db084d25 Fix documentation of sys_sockaddr_parse() 2012-12-06 16:03:30 +01:00
Daniel Roethlisberger
37758dda59 SSLsplit 0.4.5 release 2012-11-07 18:36:51 +01:00
Daniel Roethlisberger
005ebd1b95 Fix syslog for more error cases
Also fix issue #6 for target certificate loading error cases.
2012-10-23 23:04:22 +02:00
Daniel Roethlisberger
6e6868c051 Update NEWS 2012-10-23 23:01:59 +02:00
Daniel Roethlisberger
d3abdfd5dc Fix race condition on proxy startup failure
Yield the CPU in the main thread until the proxy thread manager is fully
started.  Otherwise, the main thread could free the proxy thread manager
while the threads are still starting up, leading to a deadlock.
2012-10-23 22:52:54 +02:00
Daniel Roethlisberger
bb15224d11 Flush error queue prior to exiting
Reorganize the cleanup code after detaching from the TTY in order to be
able to flush the error queue before calling exit().  Addresses issue #6
2012-10-23 21:30:11 +02:00
Daniel Roethlisberger
7713f82b62 Move more log writes after log initialization 2012-10-17 00:24:26 +02:00
Daniel Roethlisberger
71f06e501c Update NEWS 2012-10-17 00:18:46 +02:00
Daniel Roethlisberger
1995dc4b89 Reinitialize SSL mutexes after fork
See issue #5.
2012-10-17 00:11:53 +02:00
Daniel Roethlisberger
067521924a Cleanup tgcrt loading to protect mutexes from fork
See issue #5.
2012-10-17 00:10:47 +02:00
Daniel Roethlisberger
173b2435d2 Allocate thread queue in start() not new() 2012-10-16 23:38:48 +02:00
Daniel Roethlisberger
3d15f14239 Fix lost error message 2012-10-16 23:37:46 +02:00
Daniel Roethlisberger
bb9c353ecb Initialize proxy after detaching from TTY
Fixes issue #5.
2012-10-16 23:20:55 +02:00
Daniel Roethlisberger
0073cbdc47 Make cache initialization fork()-safe
POSIX threads require mutexes to be reinitialized after fork().  Not
doing so will break daemon mode, depending on pthread implementation.
See issue #5.
2012-10-16 23:05:37 +02:00
Daniel Roethlisberger
b27175f910 Reorder initialization in main() 2012-10-16 22:52:54 +02:00
Daniel Roethlisberger
eb6162389f Remove commit ids from NEWS file 2012-10-16 22:02:17 +02:00
Daniel Roethlisberger
807b7c1d3b Fix typo in manpage 2012-10-16 21:56:03 +02:00
Daniel Roethlisberger
6b2bef3920 Add separate LICENSE file 2012-10-03 01:12:12 +02:00
Daniel Roethlisberger
cdfaeedb80 Ignore all DH param files under extra/pki 2012-10-03 00:53:02 +02:00
Daniel Roethlisberger
ff6fbef91f Add 4096-bit Diffie-Hellman to dh target 2012-10-03 00:50:50 +02:00
Daniel Roethlisberger
35c3967eef Remove obsolete dhall target from .PHONY 2012-10-03 00:50:24 +02:00
Daniel Roethlisberger
bd77e6a228 Improve ssl_tmp_dh_callback() error messages 2012-10-01 14:55:55 +02:00
Daniel Roethlisberger
79c2c6e520 Add support for 2048 and 4096 bit Diffie-Hellman
Add group parameters for 2048 and 4096 bit Diffie-Hellman in addition to
the previous 512 and 1024 bit parameters.  Also add a meaningful error
message when a group size is requested which is not provided.
2012-10-01 14:49:24 +02:00
Daniel Roethlisberger
e19a97b21f Update NEWS and TODO 2012-10-01 14:49:24 +02:00
Daniel Roethlisberger
6b4b121da2 Fix address family check in netfilter NAT lookup
Use src_addr instead of the (yet to be set) dst_addr for determining the
address family.  Fixes issue #4.
2012-09-27 17:30:19 +02:00
Daniel Roethlisberger
6106940e0c Omit nat_getsockname_lookup_cb() unless it is used 2012-08-06 08:33:39 +02:00
Daniel Roethlisberger
1b20544333 Add temporary RSA keys to TODO 2012-08-06 08:33:17 +02:00
Daniel Roethlisberger
fda4f57aa7 Remove unused IPv6 code for netfilter NAT engine 2012-06-05 23:24:53 +02:00
Daniel Roethlisberger
fc8c0110c5 Do not generate ECC keys for unit tests 2012-06-05 23:24:53 +02:00
Daniel Roethlisberger
5ed3e5172b Make explanation of DEBUG_CFLAGS clearer 2012-06-05 23:12:08 +02:00
Daniel Roethlisberger
2266f07b4f Update TODO 2012-06-05 22:59:53 +02:00
Daniel Roethlisberger
a4040d8372 Suppress warnings for system headers with -isystem
Use -isystem instead of -I in CPPFLAGS to suppress compiler warnings for
system and library headers.
2012-05-23 19:09:52 +02:00
Daniel Roethlisberger
911e15763d Add opts->debug branch prediction test case 2012-05-14 22:50:20 +02:00
Daniel Roethlisberger
ef1330d69f Remove const from util_skipws() and add tests 2012-05-14 21:44:38 +02:00
Daniel Roethlisberger
5c048e3990 Remove unneeded include statements 2012-05-14 21:43:24 +02:00
Daniel Roethlisberger
6fe4c5bf01 Sign release tarball using GnuPG 2012-05-14 21:07:53 +02:00
Daniel Roethlisberger
62af96e413 Clarify when it is preferred to use SNI proxyspecs 2012-05-13 22:33:31 +02:00