Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,030 Commits
2 Branches
26 Tags
3.0 MiB
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '77df635afa'
${ noResults }
Commit Graph

1030 Commits (77df635afab2bc5d71169247569fc83c0fdc505c)
 

Author SHA1 Message Date
Soner Tari 45b34678de Prepend sslproxy line using evbuffer_add_printf() in non-debug mode for non-http protos 
This prevents unnecessary malloc and memmove calls in non-debug mode.
This change is for correctness not for speed, because it improves
conn handling only of the first packet and for non-http protos.
 3 years ago
Soner Tari 74cf3800f2 Fix passthrough in split mode 3 years ago
Soner Tari 9123732739 Fix possible segfaults with srvdst_xferred, autossl and passthrough 
- Fix segfault introduced in previous commit to prevent extra eof event.
We should NULL srvdst.bev after terminating child dst xferred from
srvdst of parent, so that we don't try to access srvdst.bev. This
happens if child conn with dst xferred from parent srvdst is terminated
before parent conn.

- Fix autossl crash trying to engage passthrough mode. We cannot engage
passthrough mode in autossl, because src is already enabled. But we
shouldn't crash either. These changes are expected to fix other possible
segfaults if passthrough is engaged on eventcb of a child conn.
 3 years ago
Soner Tari de9c85f65e Fix signal 11/10 crash due to a second eof event for srvdst in split mode 
We reuse srvdst as dst or child dst, so srvdst == dst or child_dst.
But if we don't NULL the callbacks of srvdst in split mode,
we randomly but rarely get a second eof event for srvdst during conn
termination (especially on arm64), which crashes us with signal 11 or
10, because the first eof event for dst frees the ctx.
Note that we don't free anything here, but just disable callbacks and
events.
This does not seem to happen with srvdst_xferred, but just to be safe we
do the same for it too.
This seems to be an issue with libevent.

TODO: Why does libevent raise the same event again for an already
disabled and freed conn end? Note again that srvdst == dst or child_dst
here.
 3 years ago
Soner Tari 3a9e77524e Report autossl in CONN logging not tcp at unencrypted stage of autossl 
Currently, an autossl conn writes 3x CONN lines in connection logs,
when:

1. tcp srvdst connects (before ssl upgrade)
2. ssl dst connects (src ssl is not complete yet)
3. ssl src connects

This causes misleading connection statistics, as in UTMFW.

TODO: We should write CONN logs at conn termination times, for all
protos not just autossl, not tcp or ssl connect times, so that we don't
write multiple CONN logs for a single conn.
 3 years ago
Soner Tari 69753b250c Add split mode of operation similar to SSLsplit 
The -n command line option enables split mode for all proxyspecs,
effectively making sslproxy behave like sslsplit.
Divert option can be set/unset globally and per-proxyspec.
Add e2e tests for split mode, and update make file for tests
accordingly.
Update documentation accordingly.
Improve code reuse, remove duplicate functions.

This change deserves a release of its own, hence v0.8.4.
 3 years ago
Soner Tari a6cf55cffe Refactor ifdef directive for get_client_ether() call 3 years ago
Soner Tari f8ada5100a Fix initialization of content logging in lp (issue #30) 
readcb fires before connect eventcb, so we enable it in readcb now. But
perhaps lp should behave like sslproxy and not enable readcb until after
connect eventcb.

Note that there is no problem with sslproxy, it's just lp.
 3 years ago
Soner Tari 1bb5bd2398 Improve UserAuth documentation 3 years ago
Soner Tari 41ec0045f5 Disable osx build on travis until xcode/xnu version fixed 3 years ago
Soner Tari 2b9cb937fd Improve documentation 3 years ago
Soner Tari 0bd1a414cb Fix libpcap install on macOS 10.13 3 years ago
Soner Tari 7ed4748d96 Fix clang warning due to -Wpointer-bool-conversion, remove NONNULL for list 
pxyconn.c:1590:9: warning: comparison of nonnull parameter 'list' not
equal to a null pointer is 'true' on first encounter
 3 years ago
Soner Tari 596aebb2f3 Update version to 0.8.3 and copyright year to 2021 3 years ago
Soner Tari 6b2072dc94 Fix formatting for -A option 
Reported on sslsplit as https://github.com/droe/sslsplit/issues/287
 3 years ago
Soner Tari 10f753c012 Remove delimiters around user names 
Delimiter can be either or all of ",", " ", and "\t", and we don't allow
spaces in user names now
 4 years ago
Soner Tari cb28a1e12a Do not debug print proxyspecs in proxy_new() 4 years ago
Soner Tari 65b7fb9847 Reduce code for user lists 4 years ago
Soner Tari 66dddf2cdb Add info on IPv4-only features 4 years ago
Soner Tari 255cd1cd88 Separate make test as unit and e2e 4 years ago
Soner Tari 9c76563cee Fix mistake: return address -> divert address 4 years ago
Soner Tari 177f6a3b52 Improve overview 4 years ago
Soner Tari def65e195c Update man page with README 
Improve README
 4 years ago
Soner Tari f1e9de7386 Improve documentation 4 years ago
Soner Tari f254ac1586 Add info on DivertUsers and PassUsers options 4 years ago
Soner Tari aded848043 Release v0.8.2 4 years ago
Soner Tari e2bf278933 Allow mirroring without explicit target 
Allow omitting the -T option, indicating the target is irrelevant.

The use case is an IDS sensor listening on a dummy interface for the
packets sslsplit produces. The IDS will listen in promisc mode, so the
target is irrelevant.

Copied from sslsplit.
 4 years ago
Soner Tari 463aa1a71e Fix doc typo 4 years ago
Soner Tari 151b305c2f Do not pass null arg to log_*_printf() 
vfprintf %s NULL in "Error from bufferevent: %i:%s %lu:%i:%s:%i:%s:%i:%s
"
Error from bufferevent: 32:Broken pipe 50327584:32:Broken pipe:2:system
library:4095:(null)
 4 years ago
Soner Tari 4c94853fc5 Disable UserAuth in main.mk if we are not on OpenBSD or Linux 
Fixes osx build after updates to userauth
 4 years ago
Soner Tari 80d10a94c3 Move classify_user into identify_user 
Otherwise, we cannot classify user if we need to issue identify_user
events, in case database is busy or locked. We should call classify_user
callback right after the user is identified.
So we introduce classify_user callback to achieve that, which fixes the
classify_user behavior for autssl proto too.

Return void in pxy_userauth
Fix typo in clasify
 4 years ago
Soner Tari 4f3ce763ac Add DivertUsers and PassUsers options 
Update documentation
 4 years ago
Soner Tari 6c0b981831 Update version to 0.8.1 
Update TLS 1.3 documentation.
 4 years ago
Soner Tari 4ee7bbcf15 Fix whitespace 4 years ago
Soner Tari e209a04268 Fix line_num reported if conf file contains structured proxyspecs 4 years ago
Soner Tari 6f5a7ceeb1 Add WITHOUT_USERAUTH switch 4 years ago
Soner Tari ca79405769 Fix doc for MaxSSLProto default as tls13 4 years ago
Soner Tari e51afcfe4a Fix default CipherSuites 4 years ago
Soner Tari 176570c4a4 Silence warning about <sys/sysctl.h> deprecated on Linux 
/usr/include/x86_64-linux-gnu/sys/sysctl.h:21:2: warning: #warning "The
<sys/sysctl.h> header is deprecated and will be removed." [-Wcpp]
 4 years ago
Soner Tari b679439c9f Silence warning about output truncated before terminating nul by gcc 9.3.0 
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning:
‘__builtin_strncpy’ output truncated before terminating nul copying as
many bytes from a string as its length [-Wstringop-truncation]
 4 years ago
Soner Tari 25ec9d58bc Silence alignment warning by gcc 9.3.0 
logpkt.c:351:3: warning: converting a packed ‘ip4_hdr_t’ {aka ‘struct
<anonymous>’} pointer (alignment 1) to a ‘uint16_t’ {aka ‘short unsigned
int’} pointer (alignment 2) may result in an unaligned pointer value
[-Waddress-of-packed-member]
 4 years ago
Soner Tari ad21615dbe Add -U to getopt() shortopts 4 years ago
Soner Tari af27340889 Add -U CipherSuites option 4 years ago
Soner Tari 3f2d0d56d6 Fix debug dump for no_tls12/no_tls13 4 years ago
Soner Tari fade72ec0d Move main.mk under Mk folder and improve make files 4 years ago
Soner Tari 1a3a2fb9f6 Add missing HAVE_TLSV13 code 4 years ago
Soner Tari 2f89a27551 Use Testproxy v0.0.3 4 years ago
Soner Tari 8989873332 Add sni assertions to testproxy e2e tests for tls12 and tls13 4 years ago
Soner Tari 1403c4eda1 Fix travis for ssl libs without tls13, add no_tls13 e2e tests 4 years ago
Soner Tari f9c8ecbc69 Fix build with LibreSSL 3.1.2, which does not have tls13 4 years ago