SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain. When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.
Issue: #79

The state machine makes sure that both af and addr are written to before
they are being read. However, to silence compiler warnings, it does not
hurt to explicitly initialize af and addr anyway. This gets rid of the
following spurious compiler warnings:

    opts.c: In function 'proxyspec_parse':
    opts.c:380:8: warning: 'af' may be used uninitialized in this function [-Wmaybe-uninitialized]
    af = sys_sockaddr_parse(&spec->connect_addr,
    ^
    opts.c:316:8: warning: 'addr' may be used uninitialized in this function [-Wmaybe-uninitialized]
    af = sys_sockaddr_parse(&spec->listen_addr,
    ^

Reported by: Thomas Klausner
Issue: #78

If the proper headers matching either the reported XNU version or OS X
version exactly cannot be found, use the latest headers that SSLsplit
knows about. This fixes build on new releases of OS X that have no
source code published by Apple yet.

- Update copyright to 2015
- Remove the non-standard "unmodified" from the 2-clause BSD license
- Remove scalable from the tagline to avoid misinterpretations

This fixes the following make error on Mac OS X versions that we don't
explicitly support yet due to missing sources:

    GNUmakefile:55: *** unterminated call to function `shell': missing `)'. Stop.

Reported by: Justin Garrick

Make -w and -W work in conjunction with dropping privileges and
chrooting by moving the cert writer code to a separate logger thread and
using the privsep framework to open the files if they do not exist
already.
Issue: #70
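
One common way a privsep open like the one in the -w/-W commit above can work, as an added example that is not SSLsplit's code: a privileged parent opens a file on request and passes the descriptor to the worker over a Unix socketpair with SCM_RIGHTS. The function names, the single-path request format and the "cert\n" payload are assumptions made for illustration.

```c
/* Added example, not SSLsplit code; every name here is hypothetical. */
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

union fdbuf { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; };
/* Set up a one-byte message with control space for exactly one fd. */
static void fdmsg(struct msghdr *m, struct iovec *iov, char *b, union fdbuf *cb) {
    memset(m, 0, sizeof(*m)); memset(cb, 0, sizeof(*cb));
    iov->iov_base = b; iov->iov_len = 1; m->msg_iov = iov; m->msg_iovlen = 1;
    m->msg_control = cb->buf; m->msg_controllen = sizeof(cb->buf);
}
/* Privileged side: read one path, open it, pass the fd via SCM_RIGHTS. */
static int serve_open(int sock) {
    char path[256], ok = 0; union fdbuf cb; struct iovec iov; struct msghdr m;
    ssize_t n = read(sock, path, sizeof(path) - 1); /* short path, one read */
    if (n <= 0) return -1;
    path[n] = '\0'; /* a real server validates path against its log dir */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    fdmsg(&m, &iov, &ok, &cb);
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    n = sendmsg(sock, &m, 0);
    close(fd); /* the worker now holds its own reference */
    return n == 1 ? 0 : -1;
}
/* Unprivileged side: request an open; returns the received fd or -1. */
static int request_open(int sock, const char *path) {
    char ok; int fd = -1; union fdbuf cb; struct iovec iov; struct msghdr m;
    fdmsg(&m, &iov, &ok, &cb);
    if (write(sock, path, strlen(path)) < 0 || recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (c && c->cmsg_type == SCM_RIGHTS) memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Fork a worker standing in for the unprivileged process; 0 on success. */
int privsep_demo(const char *path) {
    int sv[2], st = 0, rv; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) { /* worker: setuid()/chroot() would already have run */
        close(sv[0]);
        int fd = request_open(sv[1], path);
        _exit(fd >= 0 && write(fd, "cert\n", 5) == 5 ? 0 : 1);
    }
    close(sv[1]); rv = serve_open(sv[0]); close(sv[0]);
    return (waitpid(pid, &st, 0) == pid && rv == 0 && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
```

Because the descriptor is opened by the parent at request time, the worker can obtain files that did not exist when it dropped privileges or entered its chroot.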

Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf). This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0. It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms? Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.
Issue: #65
Reported by: Vladimir Marteev