Only initialize evdns if DNS lookups are actually required by the loaded
proxy specifications. This allows sslsplit to work in non-DNS modes in
situations where the local DNS resolver does not work, such as for local
use on a system without network connectivity. Currently, only SNI based
proxy specs require DNS. On systems without network connectivity, DNS
subsystem init may fail due to /etc/resolv.conf being (temporarily)
unavailable.
Issue: #104
LibreSSL defines OPENSSL_VERSION_NUMBER == 0x20000000L and therefore
needs special treatment when detecting OpenSSL API features based on
OPENSSL_VERSION_NUMBER. LibreSSL currently does not seem to implement
SSL_CTX_get0_chain_certs(). Once it does, there will be a need for a
specific version check on LIBRESSL_VERSION_NUMBER.
Reported by: Jérémie Courrèges-Anglas
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL. This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations. This fixes the build with
OpenSSL versions which have SSLv3 support removed.
While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.
Reported by: Jérémie Courrèges-Anglas
Fix automatic search for dependencies when multiple instances of the
same library are installed in different prefixes that we search, by
using the first one found. Automatic search is only used when
pkg-config was not found. This fixes compiler errors caused by spurious
path names within compiler or linker flags, such as
ld: can't map file, errno=22 file '/usr/lib' for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see
invocation)
While here, also make XNU header version fallback more robust and add
(diabled) version mappings for 10.10.2 and 10.10.3 which are not
published by Apple yet.
Issue: #96
Reported by: Jan Vilhuber
Make sure we always initialize OpenSSL explicitly, even if there are no
certificates or keys loaded or generated. Previously, OpenSSL would
only have been initialized if the configuration actually uses
certificates or keys, which is not always the case, e.g. with -t
pointing to an empty directory.
Issue: #92
Reported by: xelalexv
This reverts commit aaa4e94f84.
The initialize_nameservers argument to evdns_base_new was deliberately
not set to 1 because we call evdns_resolv_conf_parse manually later, as
we want more differentiated error reporting.
Issue: #86
Note that OpenSSL may not support -sha256 on all platforms so we
actually check for support before using it in `make test`. For the
examples, a modern version of OpenSSL that supports -sha256 is assumed.
Issue: #83
Allow for additional flags to pkg-config by means of a PCFLAGS variable.
This e.g. allows to set PCFLAGS='--static' for static builds in
combination with CFLAGS='-static' and LDFLAGS='-static'.
Issue: #82
Reported by: @kickwindbg
Introducing the overridable variables INSTALLUID, INSTALLGID, BINUID,
BINGID, BINMODE, MANUID, MANGID, MANMODE that allow overriding of uid,
gid and mode of installed files. Note that this solution still has the
limitation that uid, gid and mode of created directories cannot be set.
Issue: #81
Reported by: Shiloh Heurich
SSLsplit was directly accessing `extra_certs` within `SSL_CTX` to get to
the extra certificates chain. When building on OpenSSL 1.0.2 or newer,
use the new API instead of directly accessing `extra_certs`.
Issue: #79
If the proper headers matching either the reported XNU version or OS X
version exactly cannot be found, use the latest headers that SSLsplit
knows about. This fixes build on new releases of OS X that have no
source code published by Apple yet.
This fixes the following make error on Mac OS X versions that we don't
explicitly support yet due to missing sources:
GNUmakefile:55: *** unterminated call to function `shell': missing `)'.
Stop.
Reported by: Justin Garrick
Percent is used to specify the interface for link-local addresses.
Even though this is not strictly necessary for NTFS, it makes sense to
replace percent with underscore as well to have cleaner filenames.
Also add some unit tests for sys_ip46str_sanitize() that actually test
the intended behaviour.