| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
- sslh-select now supports UDP protocols. Probes specified in the
protocols configuration entry are tried on incoming packets, TCP or
UDP, and forwarded based on the input protocol (an incoming TCP
connection will be forwarded as TCP, and same with UDP). This has been
tested with DNS as shown in udp.cfg: incoming packets that contain my
domain name are assumed to be a DNS request and forwarded accordingly.
Note this could cause problems if combined with incoming TLS with SNI.
UDP clients and servers need to agree on the IPv4/IPv6 they use: use
the same protocol on all sides! Often, this means explicitely using
`ip4-localhost'. UDP sender-receiver pairs (connections, so to speak)
are kept for 60s, which can be changed with udp_timeout in the
configuration.
- Added probes for UDP protocols QUICK and Teamspeak.
- Added probes for syslog protocol.
- sslh-select refactored to change linear searches through connections
to linear searches through fd_set.
- Fixed a libconfig call to support libconfig 1.7.3.
- Added symbol to support libconfig 1.4.9, still in use in CentOS7.
- Warn about unknown settings in the configuration file.
- Added per-protocol transparent option. sslh-fork drops the capability after
creating the server-side transparent socket. Transparent now uses CAP_NET_RAW
instead of CAP_NET_ADMIN.
- Removed compile-time option to use POSIX regex. Now regex must be
PCRE2 (Perl-Compatible). This was in fact the case since v1.21, as
PCRE are used to parse the config file.
|
|
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
|
|
|
|
v1.21
Added TCP_FASTOPEN support for client sockets (if tfo_ok is
specified in their configuration) and for listenint socket,
if all client protocols support it. (Craig Andrews)
Added 'minlength' option to skip a probe if less
than that many bytes have been received (mostly for
regex)
Moved configuration and command-line management to
use conf2struct. Hopefully this should be transparent
to users.
Update Let's Encrypt entry in example.cfg for tls-alpn-01
challenges; tls-sni-* challenges are now deprecated.
Log to syslog even if in foreground (for people who
use fail2ban)
Use syslog_facility: "none" to disable syslog
output.
v1.21b
Added TCP_FASTOPEN support for client sockets (if tfo_ok is specified
in their configuration) and for listenint socket, if all client
protocols support it. (Craig Andrews)
Added 'minlength' option to skip a probe if less than that many bytes
have been received (mostly for regex)
Moved configuration and command-line management to use conf2struct.
Changes are:
* command line option <-F|--config> no longer defaults to /etc/sslh.cfg,
so you have to specify it explicitly.
* command line option <-v|--verbose> takes a mandatory integer parameter
Update Let's Encrypt entry in example.cfg for tls-alpn-01 challenges;
tls-sni-* challenges are now deprecated.
Log to syslog even if in foreground (for people who use fail2ban)
Use syslog_facility: "none" to disable syslog output.
Changed exit code for illegal command line parameter from 1 to 6 (for
testing purposes)
v1.21c
Removed support for 'ssl' and fix a related segfault bug.
(use tls instead of ssl)
|
|
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
|
|
v1.20: 20NOV2018
Added support for socks5 protocol (Eugene Protozanov)
New probing method:
Before, probes were tried in order, repeating on the
same probe as long it returned PROBE_AGAIN before
moving to the next one. This means a probe which
requires a lot of data (i.e. returne PROBE_AGAIN for
a long time) could prevent sucessful matches from
subsequent probes. The configuration file needed to
take that into account.
Now, all probes are tried each time new data is
found. If any probe matches, use it. If at least one
probe requires more data, wait for more. If all
probes failed, connect to the last one. So the only
thing to know when writing the configuration file is
that 'anyprot' needs to be last.
Test suite heavily refactored; `t` uses `test.cfg`
to decide which probes to test and all setup is
automatic; probes get tested with 'fast' (entire
first message in one packet) and 'slow' (one byte at
a time); when SNI/ALPN are defined, all combinations
are tested.
Old 'tls' probe removed, 'sni_alpn' probe renamed as 'tls'.
You'll need to change 'sni_alpn' to 'tls' in
your configuration file, if ever you used it.
|
|
v1.19: 20JAN2018
Added 'syslog_facility' configuration option to
specify where to log.
TLS now supports SNI and ALPN (Travis Burtrum),
including support for Let's Encrypt challenges
(Jonathan McCrohan)
ADB probe. (Mike Frysinger)
Added per-protocol 'fork' option. (Oleg Oshmyan)
Added chroot option. (Mike Frysinger)
A truckload of bug fixes and documentation
improvements (Various contributors)
|
|
|
|
Jorge Schrauwen in joyent/pkgsrc#14.
|
|
Pkgsrc changes :
- taking over maintainership ;
- updated patch for getopt_long because of the update.
Upstream changes :
- Added USELIBPCRE to make use of regex engine optional ;
- Added support for RFC4366 SNI and RFC7301 ALPN (Travis Burtrum) ;
- Changed connection log to include the name of the probe that triggered ;
- Changed configuration file format: 'probe' field is no longer required,
'name' field can now contain 'tls' or 'regex',
with corresponding options (see example.cfg) ;
- Added 'log_level' option to each protocol,
which allows to turn off generation of log at each connection ;
- Added 'keepalive' option.
|
|
Problems found with existing digests:
Package haproxy distfile haproxy-1.5.14.tar.gz
159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package bsddip: missing distfile bsddip-1.02.tar.Z
Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
Package djbdns: missing distfile djbdns-cachestats.patch
Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
Package gated: missing distfile gated-3-5-11.tar.gz
Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
Package poink: missing distfile poink-1.6.tar.gz
Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
Package waste: missing distfile waste-source.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
|
the option by a space, e.g. must be -Ffoo.cfg.
Otherwise, /etc/rc.d/sslh start|stop|... will do nothing.
|
|
TODO: I argue that PKGREVISION_NOREV should be the default PKGREVISION...
|
|
|
|
v1.17: 09MAR2015
Support RFC5952-style IPv6 addresses, e.g. [::]:443.
Transparant proxy support for FreeBSD.
(Ruben van Staveren)
Using -F with no argument will try
/etc/sslh/sslh.cfg and then /etc/sslh.cfg as
configuration files. (argument to -F can no longer
be separated from the option by a space, e.g. must
be -Ffoo.cfg)
Call setgroups() before setgid() (fixes potential
privilege escalation).
(Lars Vogdt)
Use portable way of getting modified time for OSX
support.
(Aaron Madlon-Kay)
Example configuration for fail2ban.
(Every Mouw)
|
|
|
|
Changelog for sslh is the following :
v1.16: 11FEB2014
Probes made more resilient, to incoming data containing NULLs. Also made
them behave properly when receiving too short packets to probe on the
first incoming packet.
(Ondrej Kuzník)
Libcap support: Keep only CAP_NET_ADMIN if started as root with
transparent proxying and dropping priviledges (enable USELIBCAP in
Makefile). This avoids having to mess with filesystem capabilities.
(Sebastian Schmidt/yath)
Fixed bugs related to getpeername that would cause sslh to quit
erroneously (getpeername can return actual errors if connections are
dropped before getting to getpeername).
Set IP_FREEDBIND if available to bind to addresses that don't yet exist.
Changelog for pkgsrc :
- now uses Github for fetching source, ${HOMEPAGE} says : "sslh is
managed in Git and pushed to Github" ;
- replaced #!/bin/bash with #!/bin/sh in genver.sh, choice of sh instead
of bash is because of a commit in sslh github :
https://github.com/yrutschle/sslh/commit/62cbb55b8e9c9b0bc878b094c5be815d58276b39
|
|
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
|
sslh-1.7a and 1.15.
|
|
Based on PR pkg/48320 by Nils Ratusznik.
Pkgsrc change:
* add startup script.
ChangeLog:
v1.15: 27JUL2013
Added --transparent option for transparent proxying.
See README for iptables magic and capability
management.
Fixed bug in sslh-select: if number of opened file
descriptor became bigger than FD_SETSIZE, bad things
would happen.
Fixed bug in sslh-select: if socket dropped while
defered_data was present, sslh-select would crash.
Increased FD_SETSIZE for Cygwin, as the default 64
is too low for even moderate load.
v1.14: 21DEC2012
Corrected OpenVPN probe to support pre-shared secret
mode (OpenVPN port-sharing code is... wrong). Thanks
to Kai Ellinger for help in investigating and
testing.
Added an actual TLS/SSL probe.
Added configurable --on-timeout protocol
specification.
Added a --anyprot protocol probe (equivalent to what
--ssl was).
Makefile respects the user's compiler and CFLAG
choices (falling back to the current values if
undefined), as well as LDFLAGS.
(Michael Palimaka)
Added "After" and "KillMode" to systemd.sslh.service
(Thomas Weißschuh).
Added LSB tags to etc.init.d.sslh
(Thomas Varis).
v1.13: 18MAY2012
Write PID file before dropping privileges.
Added --background, which overrides 'foreground'
configuration file setting.
Added example systemd service file from Archlinux in
scripts/
https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
(Sébastien Luttringer)
v1.12: 08MAY2012
Added support for configuration file.
New protocol probes can be defined using regular
expressions that match the first packet sent by the
client.
sslh now connects timed out connections to the first
configured protocol instead of 'ssh' (just make sure
ssh is the first defined protocol).
sslh now tries protocols in the order in which they
are defined (just make sure sslh is the last defined
protocol).
v1.11: 21APR2012
WARNING: defaults have been removed for --user and
--pidfile options, update your start-up scripts!
No longer stop sslh when reverse DNS requests fail
for logging.
Added HTTP probe.
No longer create new session if running in
foreground.
No longer default to changing user to 'nobody'. If
--user isn't specified, just run as current user.
No longer create PID file by default, it should be
explicitely set with --pidfile.
No longer log to syslog if in foreground. Logs are
instead output to stderr.
The four changes above make it straightforward to
integrate sslh with systemd, and should help with
launchd.
v1.10: 27NOV2011
Fixed calls referring to sockaddr length so they work
with FreeBSD.
Try target addresses in turn until one works if
there are several (e.g. "localhost:22" resolves to
an IPv6 address and an IPv4 address and sshd does
not listen on IPv6).
Fixed sslh-fork so killing the head process kills
the listener processes.
Heavily cleaned up test suite. Added stress test
t_load script. Added coverage (requires lcov).
Support for XMPP (Arnaud Gendre).
Updated README.MacOSX (Aaron Madlon-Kay).
v1.9: 02AUG2011
WARNING: This version does not work with FreeBSD and
derivatives!
WARNING: Options changed, you'll need to update your
start-up scripts! Log format changed, you'll need to
update log processing scripts!
Now supports IPv6 throughout (both on listening and
forwarding)
Logs now contain IPv6 addresses, local forwarding
address, and resolves names (unless --numeric is
specified).
Introduced long options.
Options -l, -s and -o replaced by their long
counterparts.
Defaults for SSL and SSH options suppressed (it's
legitimate to want to use sslh to mux OpenVPN and
tinc while not caring about SSH nor SSL).
Bind to multiple addresses with multiple -p options.
Support for tinc VPN (experimental).
Numeric logging option.
v1.8: 15JUL2011
Changed log format to make it possible to link
connections to subsequent logs from other services.
Updated CentOS init.d script (Andre Krajnik).
Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
propagated to the child process, so we set up signals after
the fork.) (François FRITZ)
Added -o "OpenVPN" and OpenVPN probing and support.
Added single-threaded, select(2)-based version.
Added support for "Bold" SSH clients (clients that speak first)
Thanks to Guillaume Ricaud for spotting a regression
bug.
Added -f "foreground" option.
Added test suite. (only tests connexions. No test for libwrap,
setsid, setuid and so on) and corresponding 'make
test' target.
Added README.MacOSX (thanks Aaron Madlon-Kay)
Documented use with proxytunnel and corkscrew in
README.
|
|
|
|
sslh lets one accept both HTTPS and SSH connections on the same port.
|
