Commit Graph

1029 Commits

Author SHA1 Message Date
Soner Tari
20eb2533d1 Fix autossl crash upon protocol error, need fuzzing tests
This happens if there was no autossl handshake prior to ClientHello,
e.g. no STARTTLS message. This is perhaps due to the SSL handshake of a
direct SSL connection, i.e. invalid protocol.
We should not crash upon protocol errors, hence the need for fuzzing
tests.
2020-04-17 11:10:28 +03:00
Soner Tari
efa2b48b94 Disable autossl passthrough
Autossl passthrough crashes with signal 10.
2020-04-16 23:04:23 +03:00
Soner Tari
2b702495b0 Remove comixwall.org 2020-04-16 15:33:50 +03:00
Soner Tari
5c2ac6d1bf Remove writecb for srvdst except for passthrough, remove srvdst_connected and dst_connected flags, clean up autossl
We don't do anything in srvdst writecb except for passthrough mode.
We handle srvdst and dst connect tasks in connectcb for them by
arranging connect events correctly, so we don't need any extra flags.
Correct connect ordering helps us remove code checking if bev exists.
There was a lot of unnecessary code in autossl. TCP and SSL code are
decoupled now.
2020-04-16 15:23:42 +03:00
Soner Tari
a24ac850b4 Fix readcb and writecb before connected
Do not enable srvdst readcb until connected
Enable read and write callbacks only after connected
2020-04-16 11:59:18 +03:00
Soner Tari
64c0078ecb Update comments about writecb before connected 2020-04-15 22:04:18 +03:00
Soner Tari
a0d74baa43 Update copyright year to 2020 2020-04-14 18:12:16 +03:00
Soner Tari
a34c953ef0 Validate the response from the smtp server to protect the client
Because we directly relay the packets from the server to the client
until we receive the first packet from the client, at which time we xfer
srvdst to the first child conn and effectively disable this readcb,
hence start diverting packets to the listening program.
Improve documentation.
2020-04-14 17:56:47 +03:00
Soner Tari
1445a5cdf8 Fix smtp proto
We enable readcb for srvdst to relay the 220 smtp greeting from the
server to the client, otherwise the conn stalls.
Related to issue #18 too.
2020-04-13 15:35:09 +03:00
Soner Tari
1a0d46587b Check libevent version before calling bufferevent_openssl_set_allow_dirty_shutdown() 2020-04-12 16:37:19 +03:00
Soner Tari
c3c228d8ce Remove ssl_shutdown_retry_delay and SSLShutdownRetryDelay, not used anymore 2020-04-12 16:05:16 +03:00
Soner Tari
10573a1b7c Copy BSDmakefile to subfolders
So we can individually make clean them
2020-04-12 15:51:41 +03:00
Soner Tari
9ad477e0a7 Fix misc issues with autossl
And various improvements
2020-04-12 15:26:28 +03:00
Soner Tari
a0e475b473 Fix SSL shutdown, which fixes conn stall issue with autossl
Otherwise, we cannot properly shutdown the src conn end of an autossl
conn, and when the next conn uses the same fd of that src, the callback
functions (e.g. the writecb) do not fire, which effectively stalls the
conn. This fixes a longtime issue with autossl support.
So remove pxysslshut.c/h files, not used anymore
2020-04-12 15:18:32 +03:00
Soner Tari
50cfe4d789 Fix sslproxy_header_len if port len is 4, i.e. port <= 9999
Otherwise, if we assume that the port is always 5 chars, we leave a NULL
char between the sslproxy header and CRLF, which confuses
pxy_insert_sslproxy_header() and pxy_try_remove_sslproxy_header(), and
we cannot remove the sslproxy header.
2020-04-12 15:02:24 +03:00
Soner Tari
b848df0b0b Use __func__ not __PRETTY_FUNCTION__ as __FUNCTION__ definition
Because __PRETTY_FUNCTION__ prints a detailed function signature on
OpenBSD
2020-04-10 22:17:30 +03:00
Soner Tari
3af16b3228 Improve verbose debug logs using common header fields to better identify connections
Create function macros for fine* debug logs
Fix a few memory leaks when DEBUG_PROXY enabled
Add main.mk to MKFS list
Put a few function params within DEBUG_PROXY directives
Check retval of a snprintf() call
Fix segfault with -w/-W options if no ssl proxyspec specified, also fixed in sslsplit develop: https://github.com/droe/sslsplit/issues/271
Various clean-up
2020-04-09 21:47:09 +03:00
Soner Tari
4503203c1b Remove MEDIUM ciphers
Cipher assertions become useless if we set ciphers to MEDIUM:HIGH, too
many ciphers would be possible
2020-04-05 22:22:36 +03:00
Soner Tari
c2e93dbbc0 Remove NO_TLS10 test case
The problem with LibreSSL 2.7.4 was not that it didn't support tls10,
but that MEDIUM and HIGH cipher definitions were different from the
openssl version of testproxy, hence tests were failing due to no shared
ciphers
2020-04-05 21:52:02 +03:00
Soner Tari
f1c2e9e881 Detect tls protos using output of sslproxy -V
But this is not going to work, because LibreSSL 2.7.4 says it supports
tls10, but SSL handshake fails if testproxy e2e tests for tls10 are
enabled.
2020-04-05 21:43:44 +03:00
Soner Tari
1a9651877f Clean up 2020-04-04 20:34:44 +03:00
Soner Tari
73724bd673 Fix assertions for tls10 tests, TLSv1.0 == SSLv3 2020-04-04 19:11:18 +03:00
Soner Tari
d42ba28729 Remove tls12 tests for older versions of openssl
Clean up
2020-04-04 19:01:35 +03:00
Soner Tari
4176ee482e Move NO_TLS vars to before_script in travis config 2020-04-04 18:44:42 +03:00
Soner Tari
3afb2b820f Fix NO_TLS vars 2020-04-04 18:31:36 +03:00
Soner Tari
9ac5a93823 Fix testproxy e2e tests for older versions of openssl and libressl
OpenSSL 0.9.8zh and 1.0.0s do not support TLSv11.
LibreSSL 2.2.7 uses other cipher names too.
LibreSSL 2.7.4 (since 2.3.0) does not support TLSv10.
2020-04-04 18:18:01 +03:00
Soner Tari
9ff63a1639 Disable travis testproxy tests on osx
SSL tests fail with "SSL stream connect HandshakeError: the handshake
was interrupted" and "SSL stream error: the handshake failed: Connection
reset by peer (os error 54)"
2020-04-03 12:19:38 +03:00
Soner Tari
ceebacf240 Try fix ssl handshake error 2020-04-03 00:57:49 +03:00
Soner Tari
d4aca98834 Enable debug logs for testproxy 2020-04-03 00:38:28 +03:00
Soner Tari
fc1bb39de3 Fix xnu paths for osx 2020-04-03 00:33:13 +03:00
Soner Tari
19bf7fe0a5 Try travis osx vm only 2020-04-02 23:39:53 +03:00
Soner Tari
519d797459 Fix osx build, no need for nat_used() 2020-04-02 23:38:09 +03:00
Soner Tari
5f14ff2ca6 Enable all travis vms again 2020-04-02 22:59:23 +03:00
Soner Tari
f44db210bb Fix openssl urls 2020-04-02 21:13:38 +03:00
Soner Tari
e2fc1086cf Try fix sudo env 2020-04-02 20:51:44 +03:00
Soner Tari
eb2b91f96b Enable all travis vms and add testproxy e2e tests 2020-04-02 16:54:40 +03:00
Soner Tari
fb500d9a33 Clean up lp make file 2020-04-02 16:49:11 +03:00
Soner Tari
50c1c9477d Try with first travis machine, remove openssl from lp, revert trials 2020-04-01 22:59:40 +03:00
Soner Tari
60924687ed Close ocsp denied conn
Wait until ocsp denied msg is sent and then close the conn in a new http
src w cb
2020-04-01 22:33:08 +03:00
Soner Tari
61f3c86eab Fix e2e test for deny OCSP request
It is not certain if the server should receive the ocsp request of the
client or not, it depends on libevent and various conditions at that
moment
2020-04-01 17:40:41 +03:00
Soner Tari
8a1db3d469 Fix export 2020-04-01 01:00:13 +03:00
Soner Tari
b1edd7e049 Export LD_LIBRARY_PATH before running lp 2020-04-01 00:46:47 +03:00
Soner Tari
fcd71387d0 Use libevent 2.1.11 for testproxy e2e tests 2020-03-31 22:28:56 +03:00
Soner Tari
d1374e70bb Set testproxy log level to 4 2020-03-31 21:33:55 +03:00
Soner Tari
361e1777dd Chain related command lines 2020-03-31 21:07:21 +03:00
Soner Tari
454ae1d81a Comment out non-existing users 2020-03-31 19:43:04 +03:00
Soner Tari
85dded1953 Include errno.h 2020-03-31 19:31:39 +03:00
Soner Tari
e3adfba4ba Add errno.h 2020-03-31 19:22:22 +03:00
Soner Tari
3ebfba3044 Disable lp pkg-config for openssl 2020-03-31 18:18:07 +03:00
Soner Tari
2723171e05 Add openssl to lp, fix xnu path, clean up 2020-03-31 18:10:20 +03:00