Commit Graph

468 Commits

Author SHA1 Message Date
Soner Tari
85a96ec844 First working SSL version, surprisingly running so fine and stable for a first prototype that I think there is something wrong and it is just running in passthrough mode :), seriously this is just the beginning. 2017-06-10 21:50:03 +03:00
Soner Tari
d033ea68dd Plain TCP version is running good enough, next will try to switch the SSL on 2017-05-29 12:22:23 +03:00
Daniel Roethlisberger
7677fe0655 SSLsplit 0.5.0 release 2016-03-27 15:46:35 +02:00
Daniel Roethlisberger
cf79be7b2b Fix BSDmakefile for recent versions of BSD make 2016-03-27 15:36:13 +02:00
Daniel Roethlisberger
4c7b1419e4 Include netinet/in.h for INET6_ADDRSTRLEN 2016-03-27 15:35:37 +02:00
Daniel Roethlisberger
0dbb2aee8f Add autossl to NEWS 2016-03-27 15:07:34 +02:00
Daniel Roethlisberger
c7bc4219da Merge branch 'feature/autossl' into develop
Issue:		#87
Contributed by:	Richard Poole
2016-03-27 15:06:58 +02:00
Daniel Roethlisberger
b1cc2b30c1 Remove debug printf 2016-03-27 15:00:16 +02:00
Daniel Roethlisberger
2b02891206 Add paragraph on autossl to README 2016-03-27 14:44:11 +02:00
Daniel Roethlisberger
29f44c3d64 Add autossl spec parsing tests and improve docs 2016-03-27 14:38:06 +02:00
Daniel Roethlisberger
ca7f20e442 Fix connect log for autossl connections 2016-03-27 13:49:50 +02:00
Daniel Roethlisberger
e67978f4dd Merge branch 'develop' into feature/autossl 2016-03-27 13:27:38 +02:00
Daniel Roethlisberger
3c20f473fa Rename and improve autossl peeking function 2016-03-27 13:26:39 +02:00
Daniel Roethlisberger
9843ead5d7 Copy SNI hostname from OpenSSL if ctx->sni is NULL 2016-03-27 13:25:50 +02:00
Daniel Roethlisberger
2f834419eb Handle inbound EOF before outbound CONNECTED
Fix segmentation fault upon receiving BEV_EVENT_EOF on the inbound
bufferevent while the outbound bufferevent has not received
BEV_EVENT_CONNECTED yet.

Issue:		#124
Patch by:	Eun Soo Park
2016-03-27 12:16:57 +02:00
Daniel Roethlisberger
1bd963caf2 Modernize fast cipher suites example and explanation 2016-03-25 23:56:43 +01:00
Daniel Roethlisberger
ac3e845fbe Test dnsbase and evbase for !NULL before freeing
Fix segmentation fault upon exiting the main loop that was introduced
when evdns initialization was made optional, resulting in dnsbase
elements not always being initialized.

Introduced in:	0e2b748
2016-03-25 23:40:45 +01:00
Daniel Roethlisberger
c76b04025e Update khash.h to latest version 2016-03-25 16:49:27 +01:00
Daniel Roethlisberger
3bda2715c7 Don't test NONNULL spec in first loop iteration 2016-03-25 16:44:05 +01:00
Daniel Roethlisberger
88c039b059 Don't test NONNULL arguments for NULL 2016-03-25 16:41:48 +01:00
Daniel Roethlisberger
76cb576ab9 Update NEWS 2016-03-25 16:33:42 +01:00
Daniel Roethlisberger
25b096450d Modernize DHE and ECDHE support
Enable full strength DHE and ECDHE by default in order to allow modern
browsers to connect without weak crypto warnings.

Issue:		#119
Reported by:	@curioustwo
2016-03-25 16:28:30 +01:00
Daniel Roethlisberger
e632490888 Add exception handler to logger, exit on errors
Add exception handler mechanism to logger and use that to exit cleanly
when sslsplit fails to write to a log file or fails to open a log file.

Issue:		#113
Reported by:	Matthias Kadenbach
2016-03-25 15:56:42 +01:00
Daniel Roethlisberger
0b858431a2 Add warning if version string is bogus 2016-03-25 12:34:52 +01:00
Daniel Roethlisberger
0506024587 Update copyright notices to 2016 2016-03-25 12:19:23 +01:00
Daniel Roethlisberger
1c9aa249a9 Fix Travis build by disabling tests using IPv6
TravisCI has removed IPv6 support in 2016.  To cope with this regression
in the testing infrastructure, disable all tests on Travis that depend
on the system being able to handle ::1 as an IP address.  Normal unit
testing still uses the full test suite.
2016-03-25 12:00:35 +01:00
Daniel Roethlisberger
d404063eab Attempt at fixing TravisCI ::1 resolution 2016-03-16 11:32:40 +01:00
Daniel Roethlisberger
b3b7a7ab17 Merge branch 'develop' into feature/autossl 2016-03-15 20:13:12 +01:00
Daniel Roethlisberger
43b697d875 Initialize proxy before daemonizing
Issue:		#104
2016-03-15 19:57:14 +01:00
Daniel Roethlisberger
b3a3c36b70 Fix the SSL session timeout calculation
Issue:		#115
Reported by:	Eun Soo Park
2016-03-15 19:45:58 +01:00
Daniel Roethlisberger
73324dcd7b Update NEWS.md 2016-03-15 19:27:46 +01:00
Daniel Roethlisberger
88973e1757 Add support for XNU 3247.1.106, 3247.10.11 and 3248.20.55
Add XNU headers for OS X 10.11, 10.11.1 and 10.11.2.
2016-03-15 18:59:46 +01:00
Daniel Roethlisberger
ba2f451f5e Fix bev write handler for other->closed case
When other->closed is set, the bufferevent write handler accesses
other->bev even though it is invalid.  Fix this access, and as added
layer of defense against future bugs, set ->bev to NULL whenever
invalidating it, except where the connection is torn down completely.

Reported by:	Eun Soo Park
Introduced in:	2bcfaf4 17d753f
Issue:		#109
2015-11-08 15:44:02 +01:00
Daniel Roethlisberger
17d753fc2d Fix NULL pointer dereference in bev write handler
Only manipulate other->bev if it is not NULL to avoid a NULL pointer
dereference in the proxy bufferevent write handler when only one
direction is fully established, for example during connection shutdown.

Reported by:	@david-holonet
Introduced in:	2bcfaf4
Issue:		#109
2015-11-01 17:56:57 +01:00
Daniel Roethlisberger
2bcfaf4b44 Re-enable EV_READ if disabled and outbuf empty
The event buffer write handler failes to re-enable the corresponding
read event of the opposite connection if the buffer is not only down to
less than half the limit, but completely emptied.  In that case, the
read event would never be re-enabled and the connection would stall and
time out.

Issue:		#109
Patch by:	Eun Soo Park
2015-10-25 17:54:27 +01:00
Daniel Roethlisberger
02ab680b34 Add log to PCAP conversion script
Add contributed python script for parsing the output of sslsplit -L
from a log file or named pipe and converting the log entries to an
emulated PCAP format.  Information not contained in the log, such as
sequence numbers, IP IDs etc is emulated and does not correspond to the
original packets on the network.

Issue:		#27
Contributed by:	Maciej Kotowicz
2015-10-09 11:12:59 +02:00
Daniel Roethlisberger
ceffe7a676 Add log parsing script for sslsplit -L
Add contributed script to read and parse the output of sslsplit -L from
a named pipe or log file and post-process the logged connection data
programmatically from python.

Issue:		#27
Contributed by:	Maciej Kotowicz
2015-09-28 20:32:35 +02:00
Daniel Roethlisberger
b95f46b8bd Add XNU headers for OS X 10.10.3, 10.10.4 and 10.10.5
Add pf ioctl API headers for XNU releases 2782.20.48 (10.10.3),
2782.30.5 (10.10.4) and 2782.40.9 (10.10.5).
2015-09-28 01:11:08 +02:00
Daniel Roethlisberger
0e2b748bba Only init DNS when DNS is required by proxy specs
Only initialize evdns if DNS lookups are actually required by the loaded
proxy specifications.  This allows sslsplit to work in non-DNS modes in
situations where the local DNS resolver does not work, such as for local
use on a system without network connectivity.  Currently, only SNI based
proxy specs require DNS.  On systems without network connectivity, DNS
subsystem init may fail due to /etc/resolv.conf being (temporarily)
unavailable.

Issue:		#104
2015-09-27 16:39:24 +02:00
Daniel Roethlisberger
0d38bca4e0 Add XNU 2782.10.72 headers for OS X 10.10.2 2015-08-10 23:18:33 +02:00
Daniel Roethlisberger
d0d3ca9d21 Update docs and -V for LibreSSL and BoringSSL 2015-08-02 22:06:51 +02:00
Daniel Roethlisberger
79d570fe2e Use direct access workaround with LibreSSL
LibreSSL defines OPENSSL_VERSION_NUMBER == 0x20000000L and therefore
needs special treatment when detecting OpenSSL API features based on
OPENSSL_VERSION_NUMBER.  LibreSSL currently does not seem to implement
SSL_CTX_get0_chain_certs().  Once it does, there will be a need for a
specific version check on LIBRESSL_VERSION_NUMBER.

Reported by:		Jérémie Courrèges-Anglas
2015-08-02 21:34:43 +02:00
Daniel Roethlisberger
a084aa62ec Update NEWS.md 2015-07-28 23:58:57 +02:00
Daniel Roethlisberger
57a2ab8588 Rewrite protocol version macros and refactoring
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL.  This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations.  This fixes the build with
OpenSSL versions which have SSLv3 support removed.

While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.

Reported by:	Jérémie Courrèges-Anglas
2015-07-28 23:39:51 +02:00
Daniel Roethlisberger
769da7565e Style fix 2015-07-28 22:02:04 +02:00
Daniel Roethlisberger
a08a7233ab Move free() to the else branch where it belongs
This prevents free(NULL) in case of failures in ssl_x509_fingerprint().

Issue:		#103
Reported by:	@david-stratusee
2015-07-10 12:01:52 +02:00
Daniel Roethlisberger
f12dd5bb92 Fix debug mode memory leak of cert fingerprint
Issue:		#103
Reported by:	Scot Loach
2015-07-07 18:12:32 +02:00
Daniel Roethlisberger
3f39f589f2 Warn on OpenSSL version mismatch in debug mode
Issue:		#88
2015-06-23 19:07:23 +02:00
Daniel Roethlisberger
74f62c3e5e Refactor and unify ClientHello parsers
Refactor and unify ssl_tls_clienthello_identify() and the earlier
ssl_tls_clienthello_parse_sni() into a single
ssl_tls_clienthello_parse() function that handles parsing ClientHello
messages for different purposes.  As a result, rename the debug knob
DEBUG_SNI_PARSER into DEBUG_CLIENTHELLO_PARSER.
2015-05-17 20:27:58 +02:00
Daniel Roethlisberger
558ffb8d33 List the dependencies in the install notes 2015-05-02 12:52:37 +02:00