d1a3328c58  Differentiate PassSite option from Passthrough option: PassSite does not require Passthrough now
    Remove redundant if conditions
v0.6.0
Soner Tari
2019-05-02 19:06:48 +0300
c146b8a0ec  Make sure sni and ssl_names are not null, fixes signal 11 crash reported by @janusloo
Soner Tari
2019-05-01 00:35:15 +0300
c3abe74776  Add client filtering to PassSite option, per site filters can be defined using client IP addresses, users, and description keywords
Soner Tari
2019-04-21 01:00:46 +0300
07a6c32e93  Update documentation with PassSite option
Soner Tari
2019-04-20 01:13:06 +0300
7e17bd198e  Require ssl_names if passsite is set
Soner Tari
2019-04-19 23:20:59 +0300
7e8fcbcafa  Move strncpy() call from passsite matching to initial PassSite setup
Soner Tari
2019-04-19 04:21:41 +0300
ddeb9831ed  Add PassSite option, if the site matches SNI or common names in the SSL certificate, the connection is passed through the proxy, issue #12
Soner Tari
2019-04-19 01:16:05 +0300
89150fe4d6  Enable more ssl info in conn logs, especially common names in crts
Soner Tari
2019-04-18 16:01:44 +0300
8c2fd3cc31  Replace recursion with while loop in child max fd computation and debug logging
Soner Tari
2019-03-31 17:19:16 +0300
3c8d6e7e4e  Fix the location of the assertion checking NULL thr conns list, nice catch by this assert() call, that it is misplaced, so add further assertions
Soner Tari
2019-03-29 15:38:03 +0300
0eaf475193  Update documentation with the new user info in SSLproxy line
Soner Tari
2019-03-28 17:06:07 +0300
f9b850f63b  Add user info to SSLproxy header line, so listening programs know network users
    Debug print conf file option
Soner Tari
2019-03-28 14:16:59 +0300
a76ce0e2b4  Remove any SSLproxy line, parent or child
    In case parent receives SSLproxy line from local network
Soner Tari
2019-03-27 21:23:48 +0300
11d1b64c1c  Update version to 0.6.0
Soner Tari
2019-03-27 15:22:50 +0300
9275315541  Add OpenFilesLimit option, use 50-10000, so user does not need to modify system-wide value now
Soner Tari
2019-03-27 14:23:18 +0300
074e5d6400  Add LeafKeyRSABits option for user to change leaf key RSA keysize in bits, so it can be set to 1024|2048|3072|4096 now
Soner Tari
2019-03-27 03:07:36 +0300
44b125f77e  Avoid malloc/free for vars of known sizes
Soner Tari
2019-03-25 03:39:15 +0300
d0ad45e74d  Fix autossl userauth: srvdst should call userauth and redirect too
Soner Tari
2019-03-24 22:28:43 +0300
040d00b546  Fix passthrough mode broken by the new pending ssl conns list: It is necessary to NULL the sslctx to prevent passthrough mode trying to access it (signal 11 crash)
    Note that we cannot redirect failed ssl connections to login page while switching to passthrough mode
    Remove now redundant pxy_fd_readcb() function
Soner Tari
2019-03-24 15:57:03 +0300
98c1186cb8  Improve documentation, and simplify code
Soner Tari
2019-03-24 01:31:19 +0300
ad38b68ad7  Fix a possible multithreading issue: Ignore event_add() failure and do not try to close the conn after adding it to pending ssl conns list
Soner Tari
2019-03-23 23:32:44 +0300
42eb887ebb  Do not modify conn thread fields without locking on thrmgr thread, so we only modify thr load and thr conn list, no thread stats, on thrmgr now
Soner Tari
2019-03-23 00:09:18 +0300
072dbe2611  Fix privsep PRIVSEP_REQ_UPDATE_ATIME command: Do not request an fd from sys_recvmsgfd() and sys_sendmsgfd(), otherwise it opens stdin (fd 0), causing an fd leak
    Remove redundant logging call
Soner Tari
2019-03-22 19:19:39 +0300
bf67b617c2  Keep track of ssl conns waiting for the first packet, and remove them if they time out
    Otherwise if no packet arrives, hence readcb does not fire, that ssl conn is lost causing memory and fd leak
    Accepting a connection does not mean that a packet will be received
    Use better names
Soner Tari
2019-03-22 15:21:39 +0300
dc788862a9  Reintroduce BEV_OPT_THREADSAFE flag, after a signal 10 crash involving buffer events
    Rearrange and fix fd close locations and conn termination
Soner Tari
2019-03-21 06:06:56 +0300
6f2cf92e51  Do not pass BEV_OPT_THREADSAFE flag to bufferevent new socket/filter functions anymore: Multithreading issues seem to be solved now
Soner Tari
2019-03-19 17:17:57 +0300
cc0b94c17f  Do not do anything with the conn ctx on the thrmgr thread after setting event callbacks and/or socket connect
    Always lock conn thr while reading ctx fields, otherwise we may get wrong values
Soner Tari
2019-03-18 03:59:40 +0300
17122fa6a8  Always keep thr load and conns list in sync
Soner Tari
2019-03-17 18:57:33 +0300
c43e359a1b  Do not modify thr stats without locking, otherwise max fd stats were sometimes wrong
Soner Tari
2019-03-16 23:19:48 +0300
3147723774  Add attribs, enclose debug params between debug macros, and improve documentation
Soner Tari
2019-03-16 00:44:12 +0300
dcaaa49f90  Improve documentation and use better names
Soner Tari
2019-03-15 15:39:15 +0300
79ad5e86cc  Fix expired conn handling, signal 6 crash: Do not lock conn thr mutex twice while freeing expired conns
    Fix passthrough mode: Do not SSL_free() srvdst ssl anymore and do not add conn to thr conns list twice
Soner Tari
2019-03-15 00:20:53 +0300
844e68116a  Move userauth from thrmgr thread to conn handling threads, and do not enable r/w callbacks until userauth succeeds
    Lock conn thread instead of thrmgr thread while adding conns (giant thrmgr lock versus conn thread level locks), so add conn thread mutex and remove thrmgr mutex
    Offload thrmgr thread by moving many conn related setup to conn handling threads
    Fix signal 6 crash caused by calling pxy_thrmgr_timer_cb() while failed conn is being freed, so use conn thread mutexes and defer adding conn to thr conn list until conn setup succeeds
    Other fixes, improvements, and clean-up
Soner Tari
2019-03-14 03:47:03 +0300
2f3fda5367  Do not try to close conns on the thrmgr thread after setting event callbacks and/or socket connect
    Use strncpy() instead of memcpy(), to limit max size with dest buffer
Soner Tari
2019-03-13 17:11:54 +0300
7b11eb15fa  Update copyright year to 2019
Soner Tari
2019-03-13 14:42:40 +0300
56c3bdf5d8  Do not try to term/close conns on the thrmgr thread after setting event callbacks and/or socket connect
Soner Tari
2019-03-12 19:36:30 +0300
76a599d464  Put the getdtablecount() solution back in, otherwise sometimes, although rarely, we get "Error 24 on listener: Too many open files" nonstop, it's better to be safe(r)
Soner Tari
2019-03-11 02:41:16 +0300
96ecd8e4c3  Pass BEV_OPT_THREADSAFE to bufferevent_socket_new() and similar functions, otherwise if we are out of fds, we get signal 10 or 6 crashes sometimes, nothing else seems to work
Soner Tari
2019-03-11 01:56:09 +0300
3a6f797917  Do not forget to reset sqlite stmt if userdb is busy or locked, otherwise we get stuck and go out of fds too
    Check retval of event_add() calls
    Reduce frequency of userdb atime updates by not updating until idle time reaches more than half of user timeout value, otherwise privsep server can get very busy causing locked userdb
    Do not care about multiple matches of IP addresses in arp cache on OpenBSD either
    Performance and code reuse improvements, simplifications
Soner Tari
2019-03-10 04:26:00 +0300
0d49ba56db  Enable user auth support on Linux
Soner Tari
2019-03-09 18:10:52 +0300
4f4b41d5ad  Add user and proto validation info to connection logs
Soner Tari
2019-03-09 01:09:08 +0300
56ddbcb5c8  Update version to 0.5.10
Soner Tari
2019-03-08 20:24:08 +0300
f3e7a359a6  Update documentation with user auth feature
Soner Tari
2019-03-06 22:43:43 +0300
6f37661772  Enable user auth for all supported protos or proxyspec types
Soner Tari
2019-03-06 01:09:02 +0300
fcd24a2cbe  Do not terminate redirected connection until src outbuf is empty, otherwise 302 redirection may not have been sent yet
Soner Tari
2019-03-05 19:01:53 +0300
1f451aa04d  Change user db table name to users, change mac column name to ether
    Clean up
Soner Tari
2019-03-02 03:44:14 +0300
c37bcc6de1  Add UserDBPath and UserTimeout options
Soner Tari
2019-03-02 02:52:48 +0300
fd52ba0c56  Refactor, handle error conditions, and clean up
Soner Tari
2019-03-02 02:04:53 +0300
cde3fbca3f  Redirect user to login page and redirect again to orig target after successful authentication, currently supported only on OpenBSD
    Get ethernet address and compare with the one in userdb, on each conn setup
    Create user_auth options
    Rename and clean-up
Soner Tari
2019-03-01 02:08:24 +0300
588122b512  Explain support for remote listening programs in README
Soner Tari
2019-01-07 01:05:48 +0300
e132b12d79  Support remote listening programs using ua and ra proxyspec options, address of remote listening program that decrypted packets are diverted to and address SSLproxy is listening for returned packets from remote listening program, respectively
Soner Tari
2019-01-06 18:09:17 +0300
70a22f4515  Do not break the event loop if out of fds, instead properly check all retvals of libevent functions
    So remove getdtable*() solution
Soner Tari
2018-11-30 02:49:37 +0300
f848248f54  Use better names and fix white space
Soner Tari
2018-11-10 23:33:12 +0300
d0687b3398  Fix double init of protoctx, memory leak
    Free vars where they are allocated, always
Soner Tari
2018-11-10 20:46:39 +0300
83468afb1f  Fix ssl setup error handling, ssl ctx does not have any proto arg, so arg is always null at that point
Soner Tari
2018-11-10 19:22:16 +0300
3f148cf3b9  Move thrmgr->conn_count inc for conn id back to conn acceptcb, because acceptcb runs on thrmgr thread which is single threaded, so there are no multithreading issues there
Soner Tari
2018-11-09 12:32:16 +0300
360b951ade  Prevent possible multithreading issues, which would not cause crashes but incorrect conn ids and memory leaks due to broken thread conn linked lists
Soner Tari
2018-11-09 02:10:08 +0300
3d1ed7c8d2  Fix the link for The Risks of SSL Inspection, markdown doesn't like the new line in between caption and link
Soner Tari
2018-11-06 21:44:25 +0300
3fd02eee9d  Use available_fds() on osx to detect out of file descriptors condition, borrowed from opensmtpd
v0.5.8
Soner Tari
2018-11-03 20:57:50 +0300
e1d96a874e  Disable getdtablecount() on osx, temporarily
Soner Tari
2018-11-03 20:23:54 +0300
7847486bc4  Try to fix travis osx build, osx does not have getdtablecount() either
Soner Tari
2018-11-03 19:23:13 +0300
52d37297b6  Update with sslsplit develop changes, especially content logging
    Change SIGHUP to behave like SIGUSR1
Soner Tari
2018-11-03 18:23:31 +0300
12ecc96648  Assume co-ownership of refactored and new pxy and proto source files by adding copyright line below the original copyright line
Soner Tari
2018-10-30 12:42:52 +0300
87eb6ce004  Move conn end free function callback to conn end struct, proto ctx should not keep track of such conn end details, conn end should know which function to be called to free itself, we may have different protos on different ends of the same conn
    Improve and clean up
Soner Tari
2018-10-29 21:38:42 +0300
5351e78740  Combine term and enomem handling code and improve
Soner Tari
2018-10-29 01:59:26 +0300
ca959ca391  Do not call topmost callback functions directly, use them in bufferevent setup only, otherwise can possibly cause double free of ctx
    Run preexec and postexec logging and/or stats code when calling interface callback functions directly, they are mostly called in edge cases, but otherwise we would miss related logs and/or stats
Soner Tari
2018-10-28 23:51:22 +0300
8c7b8bafcf  Fix build warning with LibreSSL 2.8.2, id is const now
Soner Tari
2018-10-27 00:30:09 +0300
62b4760930  Improve messages for omitted tests
    Do not remove repo file session.pem
Soner Tari
2018-10-26 18:13:17 +0300
cd78d881c8  Fix passthrough mode double free crash and free any/all data of previous proto asap
    Improve and clean up
Soner Tari
2018-10-23 04:02:00 +0300
d4a209cbfb  Avoid redundant void to ctx type casts by passing ctx explicitly
Soner Tari
2018-10-23 00:18:48 +0300
e8e8071772  Defer conn free until the exit code of topmost callback functions, for both parent and child connections, this is necessary to handle error conditions correctly and terminate connections gracefully
    So introduce term flags in ctx and replace free functions with term functions to raise the term flag, this approach enables us to terminate connection anywhere in the code without causing use after free crashes
    Improve and clean up
Soner Tari
2018-10-22 23:13:42 +0300
c085cafe0f  Rename srv_dst to srvdst
    Clean up
Soner Tari
2018-10-22 16:12:07 +0300
adb99db518  Handle out of memory conditions correctly
    Do not do anything else with ctx while returning from topmost callback functions if it is freed
    Rename functions, improve, and clean up
Soner Tari
2018-10-22 15:30:18 +0300
cbb9d593c4  Do not do anything else with ctx while returning from topmost callback functions if it is freed
    Handle out of memory conditions correctly
Soner Tari
2018-10-22 01:57:15 +0300
2aeec751e0  Handle out of memory conditions correctly
Soner Tari
2018-10-22 00:18:27 +0300
2f0e574f09  Fix autossl, but Evolution client sometimes does not send ehlo, especially after user rejects self-signed cert, which needs further investigation
    And other improvements
Soner Tari
2018-10-21 22:01:46 +0300
c91d569723  Improve debug logging, log proto name on connect/disconnect
    Rename vars and functions
    Improve and clean up
Soner Tari
2018-10-21 00:25:01 +0300