SSLproxy/TODO
Daniel Roethlisberger 13c85ce5c1 Also build ipfw if pf is detected
OpenBSD 4.7+ and FreeBSD 9.0+ also include ipfw-style divert-to in pf,
so build ipfw NAT engine as well if pf is detected.

Reported by:	Stuart Henderson
2013-12-23 14:27:39 +01:00

16 lines
955 B
Plaintext

- Control SSL_OP_SINGLE_ECDH_USE and other de-optimizations by a
"prefer speed to security" command line option
- Optionally add ephemeral RSA key to SSL_CTX to allow export cipher suites
http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html
- Dump cipher suites sent by the client in debug mode
- Consider memory pools for use by per-connection state
- Handle renego & client cert authentication more gracefully
- Separate orig cert retrieval from actual fwd address/proto config
- CRL denial mode based on targetdir cert's CDPs or by identifying CRL ASN.1
- Browser update denial mode
- Extendable approach to broken certificate verification implementations
- Client fingerprinting: only intercept clients with headers matching regex
- Configurable and/or scriptable modification of requests and/or responses
- STARTTLS for various protocols
- Sample scripts for single file/fifo content log postprocessing