Enable full strength DHE and ECDHE by default in order to allow modern
browsers to connect without weak crypto warnings.
Issue: #119
Reported by: @curioustwo
Add exception handler mechanism to logger and use that to exit cleanly
when sslsplit fails to write to a log file or fails to open a log file.
Issue: #113
Reported by: Matthias Kadenbach
TravisCI has removed IPv6 support in 2016. To cope with this regression
in the testing infrastructure, disable all tests on Travis that depend
on the system being able to handle ::1 as an IP address. Normal unit
testing still uses the full test suite.
When other->closed is set, the bufferevent write handler accesses
other->bev even though it is invalid. Fix this access, and as added
layer of defense against future bugs, set ->bev to NULL whenever
invalidating it, except where the connection is torn down completely.
Reported by: Eun Soo Park
Introduced in: 2bcfaf417d753f
Issue: #109
Only manipulate other->bev if it is not NULL to avoid a NULL pointer
dereference in the proxy bufferevent write handler when only one
direction is fully established, for example during connection shutdown.
Reported by: @david-holonet
Introduced in: 2bcfaf4
Issue: #109
The event buffer write handler failes to re-enable the corresponding
read event of the opposite connection if the buffer is not only down to
less than half the limit, but completely emptied. In that case, the
read event would never be re-enabled and the connection would stall and
time out.
Issue: #109
Patch by: Eun Soo Park
Add contributed python script for parsing the output of sslsplit -L
from a log file or named pipe and converting the log entries to an
emulated PCAP format. Information not contained in the log, such as
sequence numbers, IP IDs etc is emulated and does not correspond to the
original packets on the network.
Issue: #27
Contributed by: Maciej Kotowicz
Add contributed script to read and parse the output of sslsplit -L from
a named pipe or log file and post-process the logged connection data
programmatically from python.
Issue: #27
Contributed by: Maciej Kotowicz
Only initialize evdns if DNS lookups are actually required by the loaded
proxy specifications. This allows sslsplit to work in non-DNS modes in
situations where the local DNS resolver does not work, such as for local
use on a system without network connectivity. Currently, only SNI based
proxy specs require DNS. On systems without network connectivity, DNS
subsystem init may fail due to /etc/resolv.conf being (temporarily)
unavailable.
Issue: #104
LibreSSL defines OPENSSL_VERSION_NUMBER == 0x20000000L and therefore
needs special treatment when detecting OpenSSL API features based on
OPENSSL_VERSION_NUMBER. LibreSSL currently does not seem to implement
SSL_CTX_get0_chain_certs(). Once it does, there will be a need for a
specific version check on LIBRESSL_VERSION_NUMBER.
Reported by: Jérémie Courrèges-Anglas
Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL. This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations. This fixes the build with
OpenSSL versions which have SSLv3 support removed.
While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.
Reported by: Jérémie Courrèges-Anglas
Refactor and unify ssl_tls_clienthello_identify() and the earlier
ssl_tls_clienthello_parse_sni() into a single
ssl_tls_clienthello_parse() function that handles parsing ClientHello
messages for different purposes. As a result, rename the debug knob
DEBUG_SNI_PARSER into DEBUG_CLIENTHELLO_PARSER.
Fix automatic search for dependencies when multiple instances of the
same library are installed in different prefixes that we search, by
using the first one found. Automatic search is only used when
pkg-config was not found. This fixes compiler errors caused by spurious
path names within compiler or linker flags, such as
ld: can't map file, errno=22 file '/usr/lib' for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see
invocation)
While here, also make XNU header version fallback more robust and add
(diabled) version mappings for 10.10.2 and 10.10.3 which are not
published by Apple yet.
Issue: #96
Reported by: Jan Vilhuber
Make sure we always initialize OpenSSL explicitly, even if there are no
certificates or keys loaded or generated. Previously, OpenSSL would
only have been initialized if the configuration actually uses
certificates or keys, which is not always the case, e.g. with -t
pointing to an empty directory.
Issue: #92
Reported by: xelalexv
This reverts commit aaa4e94f84.
The initialize_nameservers argument to evdns_base_new was deliberately
not set to 1 because we call evdns_resolv_conf_parse manually later, as
we want more differentiated error reporting.
Issue: #86
This code looks at the beginning of each read from the src for something
that looks like an ssl client hello message; if it finds one it tries to
upgrade the connection to proxied ssl. So it works only in the simple
case where the connection has no binary data before the upgrade attempt
(so there are no false positives), and where the client hello comes at
the beginning of a packet from the source.
