cel / sslh



Tree: 1b9937b293a932bf394da6623075b35b5e7bd9d2

Files: 1b9937b293a932bf394da6623075b35b5e7bd9d2 / ChangeLog

7954 bytes
vNEXT:
        Added USELIBPCRE to make use of regex engine
        optional.

        Added support for RFC4366 SNI and RFC7301 ALPN
        (Travis Burtrum)

        Changed connection log to include the name of the probe that
        triggered.

        Changed configuration file format: 'probe' field is
        no longer required, 'name' field can now contain
        'tls' or 'regex', with corresponding options (see
        example.cfg)

        Added 'log_level' option to each protocol, which
        allows turning off generation of log at each
        connection.

v1.17: 09MAR2015
        Support RFC5952-style IPv6 addresses, e.g. [::]:443.

        Transparent proxy support for FreeBSD.
        (Ruben van Staveren)

        Using -F with no argument will try
        /etc/sslh/sslh.cfg and then /etc/sslh.cfg as
        configuration files. (argument to -F can no longer
        be separated from the option by a space, e.g. must
        be -Ffoo.cfg)

        Call setgroups() before setgid() (fixes potential
        privilege escalation).
        (Lars Vogdt)

        Use portable way of getting modified time for OSX
        support.
        (Aaron Madlon-Kay)

        Example configuration for fail2ban.
        (Every Mouw)

v1.16: 11FEB2014
        Probes made more resilient to incoming data
        containing NULLs. Also made them behave properly
        when receiving too short packets to probe on the
        first incoming packet.
        (Ondrej Kuzník)

        Libcap support: Keep only CAP_NET_ADMIN if started
        as root with transparent proxying and dropping
        privileges (enable USELIBCAP in Makefile). This
        avoids having to mess with filesystem capabilities.
        (Sebastian Schmidt/yath)

        Fixed bugs related to getpeername that would cause
        sslh to quit erroneously (getpeername can return
        actual errors if connections are dropped before
        getting to getpeername).

        Set IP_FREEDBIND if available to bind to addresses
        that don't yet exist.

v1.15: 27JUL2013
        Added --transparent option for transparent proxying.
        See README for iptables magic and capability
        management.

        Fixed bug in sslh-select: if number of opened file
        descriptors became bigger than FD_SETSIZE, bad things
        would happen.

        Fixed bug in sslh-select: if socket dropped while
        deferred_data was present, sslh-select would crash.

        Increased FD_SETSIZE for Cygwin, as the default 64
        is too low for even moderate load.

v1.14: 21DEC2012
        Corrected OpenVPN probe to support pre-shared secret
        mode (OpenVPN port-sharing code is... wrong). Thanks
        to Kai Ellinger for help in investigating and
        testing.

        Added an actual TLS/SSL probe.

        Added configurable --on-timeout protocol
        specification.

        Added a --anyprot protocol probe (equivalent to what
        --ssl was).

        Makefile respects the user's compiler and CFLAG
        choices (falling back to the current values if
        undefined), as well as LDFLAGS.
        (Michael Palimaka)

        Added "After" and "KillMode" to systemd.sslh.service
        (Thomas Weißschuh).

        Added LSB tags to etc.init.d.sslh
        (Thomas Varis).

v1.13: 18MAY2012
        Write PID file before dropping privileges.

        Added --background, which overrides 'foreground'
        configuration file setting.

        Added example systemd service file from Archlinux in
        scripts/
        https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
        (Sébastien Luttringer)

v1.12: 08MAY2012
        Added support for configuration file.

        New protocol probes can be defined using regular
        expressions that match the first packet sent by the
        client.

        sslh now connects timed out connections to the first
        configured protocol instead of 'ssh' (just make sure
        ssh is the first defined protocol).

        sslh now tries protocols in the order in which they
        are defined (just make sure sslh is the last defined
        protocol).

v1.11: 21APR2012
        WARNING: defaults have been removed for --user and
        --pidfile options, update your start-up scripts!

        No longer stop sslh when reverse DNS requests fail
        for logging.

        Added HTTP probe.

        No longer create new session if running in
        foreground.

        No longer default to changing user to 'nobody'. If
        --user isn't specified, just run as current user.

        No longer create PID file by default, it should be
        explicitly set with --pidfile.

        No longer log to syslog if in foreground. Logs are
        instead output to stderr.

        The four changes above make it straightforward to
        integrate sslh with systemd, and should help with
        launchd.

v1.10: 27NOV2011
        Fixed calls referring to sockaddr length so they work
        with FreeBSD.

        Try target addresses in turn until one works if
        there are several (e.g. "localhost:22" resolves to
        an IPv6 address and an IPv4 address and sshd does
        not listen on IPv6).

        Fixed sslh-fork so killing the head process kills
        the listener processes.

        Heavily cleaned up test suite. Added stress test
        t_load script. Added coverage (requires lcov).

        Support for XMPP (Arnaud Gendre).

        Updated README.MacOSX (Aaron Madlon-Kay).

v1.9: 02AUG2011
        WARNING: This version does not work with FreeBSD and
        derivatives!

        WARNING: Options changed, you'll need to update your
        start-up scripts! Log format changed, you'll need to
        update log processing scripts!

        Now supports IPv6 throughout (both on listening and
        forwarding)

        Logs now contain IPv6 addresses, local forwarding
        address, and resolves names (unless --numeric is
        specified).

        Introduced long options.

        Options -l, -s and -o replaced by their long
        counterparts.

        Defaults for SSL and SSH options suppressed (it's
        legitimate to want to use sslh to mux OpenVPN and
        tinc while not caring about SSH nor SSL).

        Bind to multiple addresses with multiple -p options.

        Support for tinc VPN (experimental).

        Numeric logging option.

v1.8: 15JUL2011
        Changed log format to make it possible to link
        connections to subsequent logs from other services.

        Updated CentOS init.d script (Andre Krajnik).

        Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
        propagated to the child process, so we set up signals after
        the fork.) (François FRITZ)

        Added -o "OpenVPN" and OpenVPN probing and support.

        Added single-threaded, select(2)-based version.

        Added support for "Bold" SSH clients (clients that speak first).
        Thanks to Guillaume Ricaud for spotting a regression
        bug.

        Added -f "foreground" option.

        Added test suite (only tests connections; no test for libwrap,
        setsid, setuid and so on) and corresponding 'make
        test' target.

        Added README.MacOSX (thanks Aaron Madlon-Kay)

        Documented use with proxytunnel and corkscrew in
        README.

v1.7: 01FEB2010
        Added CentOS init.d script (Andre Krajnik).

        Fixed default ssl address inconsistency, now
        defaults to "localhost:443" and fixed documentation
        accordingly (pointed by Markus Schalke).

        Children no longer bind to the listen socket, so
        parent server can be stopped without killing an
        active child (pointed by Matthias Buecher).

        Inetd support (Dima Barsky).

v1.6: 25APR2009
        Added -V, version option.

        Install target directory configurable in Makefile

        Changed syslog prefix in auth.log to "sslh[%pid]"

        Man page

        new 'make install' and 'make install-debian' targets

        PID file now specified using -P command line option

        Actually fixed zombie generation (the v1.5 patch got
        lost, doh!)

v1.5: 10DEC2008
        Fixed zombie generation.

        Added support scripts (), Makefile.

        Changed all 'connexions' to 'connections' to please
        pesky users. Damn users.

v1.4: 13JUL2008
        Added libwrap support for ssh service (Christian Weinberger)
        Only SSH is libwrapped, not SSL.

v1.3: 14MAY2008
        Added parsing for local interface to listen on

        Changed default SSL connection to port 442 (443 doesn't make
        sense as a default as we're already listening on 443)

        Syslog incoming connections

v1.2: 12MAY2008
        Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
        Making sslhc more like a real daemon:
        * If $PIDFILE is defined, write first PID to it upon startup
        * Fork at startup (detach from terminal)
        (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
        * Less memory usage (?)

v1.0:
        Basic functionality: privilege dropping, target hostnames and ports
        configurable.
