Only initialize evdns if DNS lookups are actually required by the loaded
proxy specifications. This allows sslsplit to work in non-DNS modes in
situations where the local DNS resolver does not work, such as for local
use on a system without network connectivity. Currently, only SNI based
proxy specs require DNS. On systems without network connectivity, DNS
subsystem init may fail due to /etc/resolv.conf being (temporarily)
unavailable.
Issue: #104
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL. This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations. This fixes the build with
OpenSSL versions which have SSLv3 support removed.
While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.
Reported by: Jérémie Courrèges-Anglas
This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
- Update copyright to 2015
- Remove the non-standard "unmodified" from the 2-clause BSD license
- Remove scalable from the tagline to avoid misinterpretations
Fork into a monitor parent process and an actual proxy child process,
communicating over AF_UNIX sockets. Certain privileged operations are
performed through the privileged parent process, like opening log files
or listener sockets, while all other operations happen in the child
process, which can now drop its privileges without side-effects for
log file opening and other privileged operations. This is also a
preparation for -l/-L logfile reopening through SIGUSR1.
This means that -S and -F are no longer relative to chroot() if used
with -j. This is a deliberate POLA violation.
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.
Issue: #30
Reported by: @Apollo2342
Always explicitly name which arguments are non-null, even if all
arguments are non-null. This is to avoid bugs where newly added
arguments are automatically non-null by accident, possibly leading to
optimisation errors.
This also fixes a few potential errors related to non-null arguments;
specifically it prevents the compiler optimising away a test for sni
being NULL in cachedsess_mkkey().
Issue: #14
Reported by: kythyria