Commit Graph

30 Commits

Author SHA1 Message Date
Daniel Roethlisberger
db0fa32b07 Load -t certificates before dropping privileges
Load the certificates from the directory given by -t into the
certificate cache after preinit, but before dropping privileges.  This
fixes a number of issues, such as -t directory not being found after
chroot()ing to a different root, -t directory inaccessible due to
changing user with -u, and when using encrypted keys.  This bug was
introduced in 0675219 as a spurious part of fixing #5.

Issue:		#20, #19
Reported by:	Miroslav Stampar
2014-01-30 22:39:39 +01:00
Daniel Roethlisberger
ac98c2d9cc Fix segmentation fault when using -t without a CA
The key type checks which are used to optimize the loading of DH and
ECDH parameters should check the type of the supplied server key, not
the global options key.
2014-01-30 22:21:08 +01:00
Daniel Roethlisberger
658bbfa6fe SSLsplit master 2014-01-29 20:16:34 +01:00
Daniel Roethlisberger
c4ac9c60bc SSLsplit 0.4.8 release 2014-01-15 19:07:07 +01:00
Daniel Roethlisberger
9d5641c0e0 Update NEWS 2014-01-15 19:01:33 +01:00
Daniel Roethlisberger
716139b169 Suppress SPDY/QUIC by removing Alternate-Protocol headers 2014-01-14 17:35:56 +01:00
Daniel Roethlisberger
d4d249fb87 Update NEWS 2014-01-14 00:46:52 +01:00
Daniel Roethlisberger
a5660fa3c9 Update NEWS 2014-01-14 00:29:45 +01:00
Daniel Roethlisberger
2235e1aad9 Fix memory leak in fake cert generation code
The code in pxy_ossl_servername_cb() which generated the forged
certificates did not call SSL_CTX_free() on the newly allocated SSL_CTX
struct after associating it with the SSL struct, which increments the
reference count internally.  Also add some comments explaining OpenSSL
reference counting behaviour to be more explicit on what happens to the
instances that OpenSSL keeps track of.
2014-01-13 23:56:59 +01:00
Daniel Roethlisberger
202b1270e3 Create session.pem without Internet connectivity
Use openssl s_server in order to create a temporary SSL server for
creating an SSL session dump for the unit tests to work with.  This
removes the requirement of having Internet connectivity for running the
test suite, which prevented package builds from running the unit tests.
2014-01-11 21:49:05 +01:00
Daniel Roethlisberger
54685bab6d Update NEWS 2014-01-11 19:14:11 +01:00
Daniel Roethlisberger
c8723506e7 Update NEWS 2014-01-11 17:55:17 +01:00
Daniel Roethlisberger
6643d832d9 Add experimental support for pf on Mac OS X
Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing
Apple headers in the source tree and enable private Apple code.  Since
we are using an interface marked private by Apple, this code is very
experimental.

Issue:		#15
Reported by:	Amit Chowdhary
2014-01-10 15:03:13 +01:00
Daniel Roethlisberger
90fd8ec28e Update NEWS 2014-01-07 23:18:16 +01:00
Daniel Roethlisberger
7839de3b0d Update NEWS 2013-12-23 14:39:15 +01:00
Daniel Roethlisberger
33692df51a SSLsplit 0.4.7 release 2013-07-02 16:06:16 +02:00
Daniel Roethlisberger
a0fd9c1050 Start thrmgr threads after forking 2013-07-02 15:54:46 +02:00
Daniel Roethlisberger
1e67db0b66 Update NEWS after merge of feature/resphdrfilter 2013-06-29 22:52:29 +02:00
Daniel Roethlisberger
38280818f8 Add HTTP content-length to connect log 2013-06-29 22:50:39 +02:00
Daniel Roethlisberger
b746a6f6bb Add HTTP response header filtering
Filter response headers in order to remove HPKP headers.  As an added
benefit, parse the HTTP status code and add it to the connection log.
2013-06-29 22:35:51 +02:00
Daniel Roethlisberger
b662906f9b SSLsplit 0.4.6 release 2013-06-03 17:58:03 +02:00
Daniel Roethlisberger
8fceac4201 Update NEWS for issue #9 2013-05-27 00:29:02 +02:00
Daniel Roethlisberger
711448759c Bind to ports before dropping privileges
This fixes a regression which caused bind() to ports < 1024 to fail with
the default settings of dropping privileges to nobody.

Issue:          #8
Reported by:    Ian Grispan
2013-04-24 17:17:23 +02:00
Daniel Roethlisberger
20b3f66120 Work around segfault with OpenSSL 1.0.0k/1.0.1e
A bug in OpenSSL 1.0.0k and 1.0.1e caused sslsplit to crash when loading
certificates using SSL_get_certificate().  Work around the bug by
directly accessing the respective members of SSL* when using any of the
broken versions of OpenSSL.
2013-04-24 15:44:06 +02:00
Daniel Roethlisberger
37758dda59 SSLsplit 0.4.5 release 2012-11-07 18:36:51 +01:00
Daniel Roethlisberger
6e6868c051 Update NEWS 2012-10-23 23:01:59 +02:00
Daniel Roethlisberger
71f06e501c Update NEWS 2012-10-17 00:18:46 +02:00
Daniel Roethlisberger
eb6162389f Remove commit ids from NEWS file 2012-10-16 22:02:17 +02:00
Daniel Roethlisberger
e19a97b21f Update NEWS and TODO 2012-10-01 14:49:24 +02:00
Daniel Roethlisberger
11fdf52553 Add NEWS file, documenting release history 2012-05-13 21:07:43 +02:00