SSLproxy

Commit Graph

Author	SHA1	Message	Date
Daniel Roethlisberger	e67978f4dd	Merge branch 'develop' into feature/autossl	8 years ago
Daniel Roethlisberger	0506024587	Update copyright notices to 2016	8 years ago
Daniel Roethlisberger	b3b7a7ab17	Merge branch 'develop' into feature/autossl	8 years ago
Daniel Roethlisberger	0e2b748bba	Only init DNS when DNS is required by proxy specs Only initialize evdns if DNS lookups are actually required by the loaded proxy specifications. This allows sslsplit to work in non-DNS modes in situations where the local DNS resolver does not work, such as for local use on a system without network connectivity. Currently, only SNI based proxy specs require DNS. On systems without network connectivity, DNS subsystem init may fail due to /etc/resolv.conf being (temporarily) unavailable. Issue: #104	9 years ago
Daniel Roethlisberger	57a2ab8588	Rewrite protocol version macros and refactoring Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and HAVE_TLSV12 to indicate that support for the respective protocol is available in OpenSSL. This was necessary due to the increased complexity of testing version support following the phasing out of SSLv2 and SSLv3 from OpenSSL implementations. This fixes the build with OpenSSL versions which have SSLv3 support removed. While here, de-duplicate code for setting SSL_CTX options and do not set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit in the context of splitting SSL/TLS for analysis. Reported by: Jérémie Courrèges-Anglas	9 years ago
Daniel Roethlisberger	6671a82aed	Rename genericstarttls to autossl and improve docs Issue: #87	9 years ago
Richard Poole	5c8b5e30d5	connection upgrade feature: upgrade tcp to ssl on client hello This code looks at the beginning of each read from the src for something that looks like an ssl client hello message; if it finds one it tries to upgrade the connection to proxied ssl. So it works only in the simple case where the connection has no binary data before the upgrade attempt (so there are no false positives), and where the client hello comes at the beginning of a packet from the source.	9 years ago
Daniel Roethlisberger	80b727054b	Refactor proxyspec printing into proxyspec_str()	9 years ago
Daniel Roethlisberger	91da4674e5	Update copyright, license and tagline - Update copyright to 2015 - Remove the non-standard "unmodified" from the 2-clause BSD license - Remove scalable from the tagline to avoid misinterpretations	9 years ago
Daniel Roethlisberger	6ec6c56ded	Refactored -w/-W and improved docs	10 years ago
PsychoMario	b34336ab4b	moved to develop branch	10 years ago
PsychoMario	4f310a877a	implemented -W to write original certs	10 years ago
PsychoMario	cbb2a179f9	naive implementation with -X, no help, validation, logging	10 years ago
Daniel Roethlisberger	c01ace1261	Introduce privilege separation architecture Fork into a monitor parent process and an actual proxy child process, communicating over AF_UNIX sockets. Certain privileged operations are performed through the privileged parent process, like opening log files or listener sockets, while all other operations happen in the child process, which can now drop its privileges without side-effects for log file opening and other privileged operations. This is also a preparation for -l/-L logfile reopening through SIGUSR1. This means that -S and -F are no longer relative to chroot() if used with -j. This is a deliberate POLA violation.	10 years ago
Daniel Roethlisberger	5fd1d7de9c	Rename flags for clarity	10 years ago
Daniel Roethlisberger	80af8f7d52	Fix SSL_METHOD* const mismatch on OpenSSL < 1.0.0	10 years ago
Daniel Roethlisberger	150650c7e9	Make local procinfo run-time optional (-i) and use src host:port	10 years ago
Landon Fuller	a4c518c8a0	Merge remote-tracking branch 'origin/fix-macosx' into logspec_path_support	10 years ago
Daniel Roethlisberger	206c688219	Refactor SSL/TLS debug code	10 years ago
Daniel Roethlisberger	6b0e47dc89	Allow more control over used SSL/TLS versions Add -r to force a specific SSL/TLS protocol version. Add -R to disable one or several SSL/TLS protocol versions. Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2. Issue: #30 Reported by: @Apollo2342	10 years ago
Landon Fuller	06c61c16ed	Add support for specifying log paths as a specialized format string. Format string handling is fully implemented, with the exception of support for automatically creating missing directories.	10 years ago
Landon Fuller	9d54677009	Add support for specifying an explicit group when dropping privileges. This simplifies my use of pf(4) when using group-based rules to exclude splitssl from redirection.	10 years ago
Daniel Roethlisberger	06a02f946a	Always explicitly name the non-null arguments Always explicitly name which arguments are non-null, even if all arguments are non-null. This is to avoid bugs where newly added arguments are automatically non-null by accident, possibly leading to optimisation errors. This also fixes a few potential errors related to non-null arguments; specifically it prevents the compiler optimising away a test for sni being NULL in cachedsess_mkkey(). Issue: #14 Reported by: kythyria	11 years ago
Daniel Roethlisberger	ca923ee7f1	Update copyright notices to 2014	11 years ago
Daniel Roethlisberger	c972501063	Update copyright notices	11 years ago
Daniel Roethlisberger	8eb5165760	Optimize debug branching using __builtin_expect()	12 years ago
Daniel Roethlisberger	439e8a8267	Use WUNRES and MALLOC attribs and fix sloppy code	12 years ago
Daniel Roethlisberger	ee98c04b29	Add generic OCSP denial	12 years ago
Daniel Roethlisberger	4cfdef405a	Initial import of sslsplit-0.4.2	12 years ago

29 Commits (7677fe06557509e95e548318909c1a328b6f6069)