SSLproxy/NEWS
Daniel Roethlisberger db0fa32b07 Load -t certificates before dropping privileges
Load the certificates from the directory given by -t into the
certificate cache after preinit, but before dropping privileges.  This
fixes a number of issues, such as -t directory not being found after
chroot()ing to a different root, -t directory inaccessible due to
changing user with -u, and when using encrypted keys.  This bug was
introduced in 0675219 as a spurious part of fixing #5.

Issue:		#20, #19
Reported by:	Miroslav Stampar
2014-01-30 22:39:39 +01:00

75 lines
2.7 KiB
Plaintext

### SSLsplit master
- Load -t certificates before dropping privileges (issues #19 and #20).
- Fix segmentation fault when using -t without a CA.
### SSLsplit 0.4.8 2014-01-15
- Filter out Alternate-Protocol response header to suppress SPDY/QUIC.
- Add experimental support for pf on Mac OS X 10.7+ (issue #15).
- Also build ipfw NAT engine if pf is detected to support pf divert-to.
- Unit tests (make test) no longer require Internet connectivity.
- Always use SSL_MODE_RELEASE_BUFFERS when available, which lowers the per
connection memory footprint significantly when using OpenSSL 1.0.0+.
- Fix memory corruption after the certificate in the cache had to be updated
during connection setup (issue #16).
- Fix file descriptor leak in passthrough mode (-P) after SSL errors.
- Fix OpenSSL data structures memory leak on certificate forgery.
- Fix segmentation fault on connections without SNI hostname, caused by
compilers optimizing away a NULL pointer check (issue #14).
- Fix thread manager startup failure under some circumstances (issue #17).
- Fix segmentation faults if thread manager fails to start (issue #10).
### SSLsplit 0.4.7 2013-07-02
- Fix remaining threading issues in daemon mode.
- Filter HPKP header lines from HTTP(S) response headers in order to prevent
public key pinning based on draft-ietf-websec-key-pinning-06.
- Add HTTP status code and content-length to connection log.
### SSLsplit 0.4.6 2013-06-03
- Fix fallback to passthrough (-P) when no matching certificate is found
for a connection (issue #9).
- Work around segmentation fault when loading certificates caused by a bug
in OpenSSL 1.0.0k and 1.0.1e.
- Fix binding to ports < 1024 with default settings (issue #8).
### SSLsplit 0.4.5 2012-11-07
- Add support for 2048 and 4096 bit Diffie-Hellman.
- Fix syslog error messages (issue #6).
- Fix threading issues in daemon mode (issue #5).
- Fix address family check in netfilter NAT lookup (issue #4).
- Fix build on recent glibc systems (issue #2).
- Minor code and build process improvements.
### SSLsplit 0.4.4 2012-05-11
- Improve OCSP denial for GET based OCSP requests.
- Default elliptic curve is now 'secp160r2' for better ECDH performance.
- More user-friendly handling of -c, -k and friends.
- Unit test source code renamed from *.t to *.t.c to prevent them from being
misdetected as perl instead of c by Github et al.
- Minor bugfixes.
### SSLsplit 0.4.3 2012-04-22
- Add generic OCSP denial (-O). OCSP requests transmitted over HTTP or HTTPS
are recognized and denied with OCSP tryLater(3) responses.
- Minor bugfixes.
### SSLsplit 0.4.2 2012-04-13
- First public release.