Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
404 Commits
2 Branches
26 Tags
3.0 MiB
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c7ba155ce9'
${ noResults }
Commit Graph

72 Commits (c7ba155ce9bbf4710d8514770e6e57125f2373ed)

Author SHA1 Message Date
Daniel Roethlisberger 77109df8d2 Improve docs on autogenerated 1024 bit RSA leaf key 
Issue:		#83
 10 years ago
Daniel Roethlisberger 80b727054b Refactor proxyspec printing into proxyspec_str() 10 years ago
Daniel Roethlisberger ce002378b8 Use more intuitive letters for new format specs 
%D for Destination host, %p for the (more interesting) destination port,
%S for Source host, %q for the (less interesting) source port.
 10 years ago
Daniel Roethlisberger e17108f9b7 Merge branch 'master' of https://github.com/AdamJacobMuller/sslsplit into issue/74 10 years ago
Daniel Roethlisberger 914360eb5e Separate host and port into separate strings 
Store host and port in separate strings internally and get rid of the
[host]:port representation where separate host and port would be
cleaner.  This includes the following user-visible changes:

-   Generated filenames that contain host and port, such as by -S and
    -F %d and %s, now use a host,port format instead of [host]:port.

-   Connect log now uses separate fields for host and port.

Issue:		#69 #74
Reported by:	Adam Jacob Muller
 10 years ago
Daniel Roethlisberger 91da4674e5 Update copyright, license and tagline 
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
 10 years ago
Adam Jacob Muller 9267cf9bb4 add support for: 
%f - dest address
%h - dest port
%t - source address
%v - source port

format specifiers to pathspec
 10 years ago
Daniel Roethlisberger f16783cee2 Move cert writer to logger thread using privsep 
Make -w and -W work in conjunction with dropping privileges and
chrooting by moving the cert writer code to a separate logger thread and
using the privsep framework to open the files if they do not exist
already.

Issue:		#70
 10 years ago
Daniel Roethlisberger 6ec6c56ded Refactored -w/-W and improved docs 10 years ago
PsychoMario 3aff928daf moved key output to main.c, caught some bugs 10 years ago
PsychoMario b34336ab4b moved to develop branch 10 years ago
PsychoMario 4f310a877a implemented -W to write original certs 10 years ago
PsychoMario 13dce0aa35 moved write to pxy_srccert_create, -X to -w, opts_free use 10 years ago
PsychoMario 73042d4daa fix mutual exclusivity, sprintf->asprintf 10 years ago
PsychoMario 61d5186864 added exclusivity with -K, man page and -h 10 years ago
PsychoMario cbb2a179f9 naive implementation with -X, no help, validation, logging 10 years ago
Daniel Roethlisberger 39e9c898e5 Move default cipher suite spec to defaults.h 10 years ago
Daniel Roethlisberger b8213e756d Merge branch 'feature/privsep' into develop 
Conflicts:
	NEWS.md
	main.c
	sslsplit.1
 10 years ago
Daniel Roethlisberger 5ac565f5df Note that -j impacts -S and -F 10 years ago
Daniel Roethlisberger ab466aafb7 Allow -u root with pf proxyspecs on OS X 10 years ago
Daniel Roethlisberger f076336e0b Don't allow -u on Mac OS X with pf proxyspecs 
Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf).  This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0.  It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms?  Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.

Issue:		#65
Reported by:	Vladimir Marteev
 10 years ago
Daniel Roethlisberger e69b13f2eb SIGUSR1 re-opens -l/-L log files; add defaults.h 
Issue:		#52
 10 years ago
Daniel Roethlisberger 16a1beb655 Fix version output on local procinfo availability 10 years ago
Daniel Roethlisberger c01ace1261 Introduce privilege separation architecture 
Fork into a monitor parent process and an actual proxy child process,
communicating over AF_UNIX sockets.  Certain privileged operations are
performed through the privileged parent process, like opening log files
or listener sockets, while all other operations happen in the child
process, which can now drop its privileges without side-effects for
log file opening and other privileged operations.  This is also a
preparation for -l/-L logfile reopening through SIGUSR1.

This means that -S and -F are no longer relative to chroot() if used
with -j.  This is a deliberate POLA violation.
 10 years ago
Daniel Roethlisberger a027f87c1c Check if -u and -m user and group exist immediately 10 years ago
Daniel Roethlisberger 2d97659a6b Check if args to -j and -S are directories 10 years ago
Daniel Roethlisberger 86397dac89 Break at 80 cols 10 years ago
Daniel Roethlisberger 5fd1d7de9c Rename flags for clarity 10 years ago
Daniel Roethlisberger fcd008df4b Unify asprintf error handling 10 years ago
Daniel Roethlisberger 544b93a9ab Add procinfo status to -V 10 years ago
Daniel Roethlisberger 150650c7e9 Make local procinfo run-time optional (-i) and use src host:port 10 years ago
Daniel Roethlisberger 0d07aeff7e Don't automatically drop to nobody if logspec is used 10 years ago
Daniel Roethlisberger 38314ea16d Formatting changes 10 years ago
Landon Fuller 7ce301a60f
Fix incorrect format specifiers used in the -F usage example. 10 years ago
Landon Fuller 02c6e6e605
Adopt the new oom_die() usage. 10 years ago
Landon Fuller a4c518c8a0
Merge remote-tracking branch 'origin/fix-macosx' into logspec_path_support 10 years ago
Daniel Roethlisberger 206c688219 Refactor SSL/TLS debug code 10 years ago
Daniel Roethlisberger 601cdf5b52 Add SSL/TLS protocol selection debug code 10 years ago
Daniel Roethlisberger 6b0e47dc89 Allow more control over used SSL/TLS versions 
Add -r to force a specific SSL/TLS protocol version.
Add -R to disable one or several SSL/TLS protocol versions.
Replace WANT_SSLV2_CLIENT and WANT_SSLV2_SERVER to WITH_SSLV2.

Issue:		#30
Reported by:	@Apollo2342
 10 years ago
Daniel Roethlisberger cc6cb59485 Rewrite Mac OS X support to use proper XNU headers 
Move from one set of headers per major OS X release to one set of
headers per XNU release.  Fetch the header files from Apple's official
Open Source site instead of GitHub in the fetchdeps developer target.
As a side effect, 10.6.x is now supported as well (untested), and proper
headers are used for 10.10.

Issue:		#39
 10 years ago
Daniel Roethlisberger 42efb4a980 Slightly improve user experience for new option -m 10 years ago
Daniel Roethlisberger ee9d434cac Further improving OOM handling in early stages of main() 10 years ago
Daniel Roethlisberger b1b8fe09b9 Merge pull request #35 from fix-macosx/specify-custom-gid 
Add support for specifying an explicit group when dropping privileges.
 10 years ago
Daniel Roethlisberger bea022540f Handle strdup() failure in early stages of main() 
Issue:		#38
Reported by:	Markus Elfring
 10 years ago
Landon Fuller e6aa76b844 Implement automatic creation of parent directories. 10 years ago
Landon Fuller 06c61c16ed Add support for specifying log paths as a specialized format string. 
Format string handling is fully implemented, with the exception of
support for automatically creating missing directories.
 10 years ago
Landon Fuller 9d54677009 Add support for specifying an explicit group when dropping privileges. 
This simplifies my use of pf(4) when using group-based
rules to exclude splitssl from redirection.
 10 years ago
Landon Fuller ecbc84438a Fix crash in strdup() when no default NAT engine is available. 10 years ago
Daniel Roethlisberger 3226d9bfcf No longer chroot() by default when run as root 
No longer implicitly use -j /var/empty by default and document clearly
the implications of using -j with -S and/or sni proxyspecs.

Issue:		#21
 11 years ago
Daniel Roethlisberger db0fa32b07 Load -t certificates before dropping privileges 
Load the certificates from the directory given by -t into the
certificate cache after preinit, but before dropping privileges.  This
fixes a number of issues, such as -t directory not being found after
chroot()ing to a different root, -t directory inaccessible due to
changing user with -u, and when using encrypted keys.  This bug was
introduced in 0675219 as a spurious part of fixing #5.

Issue:		#20, #19
Reported by:	Miroslav Stampar
 11 years ago