Commit Graph

69 Commits

Author SHA1 Message Date
Soner Tari
67ddee1585 Import sslsplit-devel changes
Add stats logs, initial
Add SSLproxy_SrcAddr header field
Clean-up
2017-07-25 16:07:39 +03:00
Daniel Roethlisberger
7677fe0655 SSLsplit 0.5.0 release 2016-03-27 15:46:35 +02:00
Daniel Roethlisberger
29f44c3d64 Add autossl spec parsing tests and improve docs 2016-03-27 14:38:06 +02:00
Daniel Roethlisberger
e67978f4dd Merge branch 'develop' into feature/autossl 2016-03-27 13:27:38 +02:00
Daniel Roethlisberger
1bd963caf2 Modernize fast cipher suites example and explanation 2016-03-25 23:56:43 +01:00
Daniel Roethlisberger
25b096450d Modernize DHE and ECDHE support
Enable full strength DHE and ECDHE by default in order to allow modern
browsers to connect without weak crypto warnings.

Issue:		#119
Reported by:	@curioustwo
2016-03-25 16:28:30 +01:00
Daniel Roethlisberger
0506024587 Update copyright notices to 2016 2016-03-25 12:19:23 +01:00
Daniel Roethlisberger
b3b7a7ab17 Merge branch 'develop' into feature/autossl 2016-03-15 20:13:12 +01:00
Daniel Roethlisberger
bbbeb7c3a4 Further improve wording for clarity 2015-05-01 12:11:44 +02:00
Daniel Roethlisberger
a0a27742dc Rewrite description for clarity
Issue:		#60, #93
2015-05-01 11:59:59 +02:00
Daniel Roethlisberger
6671a82aed Rename genericstarttls to autossl and improve docs
Issue:		#87
2015-04-21 16:00:55 +02:00
Daniel Roethlisberger
96b038ef9b Merge branch 'feature/starttls' of https://github.com/RichardPoole42/sslsplit into feature/autossl 2015-04-21 15:09:31 +02:00
Daniel Roethlisberger
a9863c012b Add Richard Poole to contributor lists 2015-04-21 11:53:39 +02:00
Richard Poole
5c8b5e30d5 connection upgrade feature: upgrade tcp to ssl on client hello
This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
2015-04-18 13:34:04 +01:00
Daniel Roethlisberger
330ea4a74c Clarify explanation of -t
Issue:		#84
2015-03-29 14:19:39 +02:00
Daniel Roethlisberger
77109df8d2 Improve docs on autogenerated 1024 bit RSA leaf key
Issue:		#83
2015-03-24 20:33:38 +01:00
Daniel Roethlisberger
6e53e93d0f Move from sha1 to sha256 in examples and tests
Note that OpenSSL may not support -sha256 on all platforms so we
actually check for support before using it in `make test`.  For the
examples, a modern version of OpenSSL that supports -sha256 is assumed.

Issue:		#83
2015-03-24 20:33:09 +01:00
Daniel Roethlisberger
568b5a681c Update documentation for new -F formats 2015-03-15 18:41:49 +01:00
Daniel Roethlisberger
ce002378b8 Use more intuitive letters for new format specs
%D for Destination host, %p for the (more interesting) destination port,
%S for Source host, %q for the (less interesting) source port.
2015-03-15 18:39:36 +01:00
Daniel Roethlisberger
01d10b192a IPv6 addrs in filenames use underscore not colon
Use underscore instead of colon for all IPv6 addresses in generated
filenames in order to generate NTFS clean filenames.

Issue:		#69
2015-03-15 17:52:04 +01:00
Daniel Roethlisberger
914360eb5e Separate host and port into separate strings
Store host and port in separate strings internally and get rid of the
[host]:port representation where separate host and port would be
cleaner.  This includes the following user-visible changes:

-   Generated filenames that contain host and port, such as by -S and
    -F %d and %s, now use a host,port format instead of [host]:port.

-   Connect log now uses separate fields for host and port.

Issue:		#69 #74
Reported by:	Adam Jacob Muller
2015-03-15 17:23:46 +01:00
Daniel Roethlisberger
62cd0b8af6 Update list of contributors 2015-02-24 20:56:27 +01:00
Daniel Roethlisberger
6a78aeed2d Minor rewording 2015-02-24 20:52:12 +01:00
Daniel Roethlisberger
692dccfeae Merge branch 'clarify-linux-REDIRECT' of https://github.com/fd0/sslsplit into issue/76 2015-02-24 20:43:02 +01:00
Daniel Roethlisberger
91da4674e5 Update copyright, license and tagline
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
2015-02-24 19:19:20 +01:00
Alexander Neumann
925209ef4f Add hints for using Linux iptables REDIRECT target 2015-02-22 17:47:41 +01:00
Daniel Roethlisberger
b8d8af7b29 Document the limitations of passthrough mode (-P) 2015-01-04 14:21:49 +01:00
Daniel Roethlisberger
6ec6c56ded Refactored -w/-W and improved docs 2014-12-13 02:36:45 +01:00
Daniel Roethlisberger
7f378251e8 Update documentation 2014-12-12 23:22:11 +01:00
PsychoMario
b34336ab4b moved to develop branch 2014-12-12 17:03:06 +00:00
PsychoMario
5d7c52cde1 fix manpage 2014-12-09 21:43:49 +00:00
PsychoMario
4f310a877a implemented -W to write original certs 2014-12-09 21:43:05 +00:00
PsychoMario
13dce0aa35 moved write to pxy_srccert_create, -X to -w, opts_free use 2014-12-09 20:02:25 +00:00
PsychoMario
61d5186864 added exclusivity with -K, man page and -h 2014-12-09 19:40:07 +00:00
Daniel Roethlisberger
d6b11f61b7 Clarify needed permission to open /dev/pf et al for reading
Issue:		#66
Reported by:	Nikolay Khodov
2014-12-08 19:40:01 +01:00
Daniel Roethlisberger
b8213e756d Merge branch 'feature/privsep' into develop
Conflicts:
	NEWS.md
	main.c
	sslsplit.1
2014-11-28 11:08:05 +01:00
Daniel Roethlisberger
f076336e0b Don't allow -u on Mac OS X with pf proxyspecs
Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf).  This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0.  It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms?  Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.

Issue:		#65
Reported by:	Vladimir Marteev
2014-11-28 00:13:42 +01:00
Daniel Roethlisberger
e69b13f2eb SIGUSR1 re-opens -l/-L log files; add defaults.h
Issue:		#52
2014-11-25 23:45:40 +01:00
Daniel Roethlisberger
a9bd438756 Minor updates to manual page 2014-11-25 23:38:05 +01:00
Daniel Roethlisberger
c01ace1261 Introduce privilege separation architecture
Fork into a monitor parent process and an actual proxy child process,
communicating over AF_UNIX sockets.  Certain privileged operations are
performed through the privileged parent process, like opening log files
or listener sockets, while all other operations happen in the child
process, which can now drop its privileges without side-effects for
log file opening and other privileged operations.  This is also a
preparation for -l/-L logfile reopening through SIGUSR1.

This means that -S and -F are no longer relative to chroot() if used
with -j.  This is a deliberate POLA violation.
2014-11-24 22:14:09 +01:00
Daniel Roethlisberger
125163a003 Add local process lookup on FreeBSD using sysctl() API 2014-11-19 22:30:01 +01:00
Daniel Roethlisberger
84dfba04f2 Update manual page 2014-11-16 20:15:19 +01:00
Daniel Roethlisberger
96ad8f92af Add -i and restore order 2014-11-14 16:40:56 +01:00
Daniel Roethlisberger
81241139c7 Merge branch 'logspec_path_support' of git://github.com/fix-macosx/sslsplit into issue/55 2014-11-13 22:26:38 +01:00
Daniel Roethlisberger
a5ccfa3d4b Remove SSLv2 bug section and add contributors 2014-11-13 19:45:43 +01:00
Landon Fuller
bea605d7ca
Update the man page to include the -F option and its logspec directives. 2014-11-07 17:03:55 -07:00
Daniel Roethlisberger
6b0e47dc89 Allow more control over used SSL/TLS versions
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.

Issue:		#30
Reported by:	@Apollo2342
2014-11-05 20:06:11 +01:00
Daniel Roethlisberger
edf1dac8fa Improve manual page re protocols and scalability
Issue:		#42
2014-11-02 20:40:53 +01:00
Daniel Roethlisberger
769fbd042d Filter HSTS response headers to allow cert override
Also remove HTTP Strict Transport Security (HSTS, RFC 6797) headers from
HTTP responses.  With HSTS active, the user is not allowed to accept
untrusted certificates.
2014-11-02 20:25:17 +01:00
Daniel Roethlisberger
0a225ae65c Update documentation after merging pull req #35 2014-10-23 13:28:14 +02:00