cel / sslh



Tree: 21f524f71165538dcde9f8de32b9f69385ba0c87

Files: 21f524f71165538dcde9f8de32b9f69385ba0c87 / ChangeLog

v1.18: 29MAR2016
    Added USELIBPCRE to make use of regex engine
    optional.

    Added support for RFC4366 SNI and RFC7301 ALPN
    (Travis Burtrum)

    Changed connection log to include the name of the probe that
    triggered.

    Changed configuration file format: 'probe' field is
    no longer required, 'name' field can now contain
    'tls' or 'regex', with corresponding options (see
    example.cfg)
    Added 'log_level' option to each protocol, which
    allows turning off generation of log at each
    connection.
    Added 'keepalive' option.

v1.17: 09MAR2015
    Support RFC5952-style IPv6 addresses, e.g. [::]:443.

    Transparent proxy support for FreeBSD.
    (Ruben van Staveren)

    Using -F with no argument will try
    /etc/sslh/sslh.cfg and then /etc/sslh.cfg as
    configuration files. (argument to -F can no longer
    be separated from the option by a space, e.g. must
    be -Ffoo.cfg)

    Call setgroups() before setgid() (fixes potential
    privilege escalation).
    (Lars Vogdt)

    Use portable way of getting modified time for OSX
    support.
    (Aaron Madlon-Kay)

    Example configuration for fail2ban.
    (Every Mouw)

v1.16: 11FEB2014
    Probes made more resilient to incoming data
    containing NULLs. Also made them behave properly
    when receiving too short packets to probe on the
    first incoming packet.
    (Ondrej Kuzník)

    Libcap support: Keep only CAP_NET_ADMIN if started
    as root with transparent proxying and dropping
    privileges (enable USELIBCAP in Makefile). This
    avoids having to mess with filesystem capabilities.
    (Sebastian Schmidt/yath)

    Fixed bugs related to getpeername that would cause
    sslh to quit erroneously (getpeername can return
    actual errors if connections are dropped before
    getting to getpeername).

    Set IP_FREEDBIND if available to bind to addresses
    that don't yet exist.

v1.15: 27JUL2013
    Added --transparent option for transparent proxying.
    See README for iptables magic and capability
    management.

    Fixed bug in sslh-select: if number of opened file
    descriptor became bigger than FD_SETSIZE, bad things
    would happen.

    Fixed bug in sslh-select: if socket dropped while
    deferred_data was present, sslh-select would crash.

    Increased FD_SETSIZE for Cygwin, as the default 64
    is too low for even moderate load.

v1.14: 21DEC2012
    Corrected OpenVPN probe to support pre-shared secret
    mode (OpenVPN port-sharing code is... wrong). Thanks
    to Kai Ellinger for help in investigating and
    testing.

    Added an actual TLS/SSL probe.

    Added configurable --on-timeout protocol
    specification.

    Added a --anyprot protocol probe (equivalent to what
    --ssl was).

    Makefile respects the user's compiler and CFLAG
    choices (falling back to the current values if
    undefined), as well as LDFLAGS.
    (Michael Palimaka)

    Added "After" and "KillMode" to systemd.sslh.service
    (Thomas Weißschuh).

    Added LSB tags to etc.init.d.sslh
    (Thomas Varis).

v1.13: 18MAY2012
    Write PID file before dropping privileges.

    Added --background, which overrides 'foreground'
    configuration file setting.

    Added example systemd service file from Archlinux in
    scripts/
    https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
    (Sébastien Luttringer)

v1.12: 08MAY2012
    Added support for configuration file.

    New protocol probes can be defined using regular
    expressions that match the first packet sent by the
    client.

    sslh now connects timed out connections to the first
    configured protocol instead of 'ssh' (just make sure
    ssh is the first defined protocol).

    sslh now tries protocols in the order in which they
    are defined (just make sure sslh is the last defined
    protocol).

v1.11: 21APR2012
    WARNING: defaults have been removed for --user and
    --pidfile options, update your start-up scripts!

    No longer stop sslh when reverse DNS requests fail
    for logging.

    Added HTTP probe.

    No longer create new session if running in
    foreground.

    No longer default to changing user to 'nobody'. If
    --user isn't specified, just run as current user.

    No longer create PID file by default, it should be
    explicitly set with --pidfile.

    No longer log to syslog if in foreground. Logs are
    instead output to stderr.

    The four changes above make it straightforward to
    integrate sslh with systemd, and should help with
    launchd.

v1.10: 27NOV2011
    Fixed calls referring to sockaddr length so they work
    with FreeBSD.

    Try target addresses in turn until one works if
    there are several (e.g. "localhost:22" resolves to
    an IPv6 address and an IPv4 address and sshd does
    not listen on IPv6).

    Fixed sslh-fork so killing the head process kills
    the listener processes.

    Heavily cleaned up test suite. Added stress test
    t_load script. Added coverage (requires lcov).

    Support for XMPP (Arnaud Gendre).

    Updated README.MacOSX (Aaron Madlon-Kay).

v1.9: 02AUG2011
    WARNING: This version does not work with FreeBSD and
    derivatives!

    WARNING: Options changed, you'll need to update your
    start-up scripts! Log format changed, you'll need to
    update log processing scripts!

    Now supports IPv6 throughout (both on listening and
    forwarding)

    Logs now contain IPv6 addresses, local forwarding
    address, and resolves names (unless --numeric is
    specified).

    Introduced long options.

    Options -l, -s and -o replaced by their long
    counterparts.

    Defaults for SSL and SSH options suppressed (it's
    legitimate to want to use sslh to mux OpenVPN and
    tinc while not caring about SSH nor SSL).

    Bind to multiple addresses with multiple -p options.

    Support for tinc VPN (experimental).

    Numeric logging option.

v1.8: 15JUL2011
    Changed log format to make it possible to link
    connections to subsequent logs from other services.

    Updated CentOS init.d script (Andre Krajnik).

    Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
    propagated to the child process, so we set up signals after
    the fork.) (François FRITZ)

    Added -o "OpenVPN" and OpenVPN probing and support.

    Added single-threaded, select(2)-based version.

    Added support for "Bold" SSH clients (clients that speak first)
    Thanks to Guillaume Ricaud for spotting a regression
    bug.

    Added -f "foreground" option.

    Added test suite. (only tests connexions. No test for libwrap,
    setsid, setuid and so on) and corresponding 'make
    test' target.

    Added README.MacOSX (thanks Aaron Madlon-Kay)

    Documented use with proxytunnel and corkscrew in
    README.

v1.7: 01FEB2010
    Added CentOS init.d script (Andre Krajnik).

    Fixed default ssl address inconsistency, now
    defaults to "localhost:443" and fixed documentation
    accordingly (pointed by Markus Schalke).

    Children no longer bind to the listen socket, so
    parent server can be stopped without killing an
    active child (pointed by Matthias Buecher).

    Inetd support (Dima Barsky).

v1.6: 25APR2009
    Added -V, version option.

    Install target directory configurable in Makefile

    Changed syslog prefix in auth.log to "sslh[%pid]"

    Man page

    new 'make install' and 'make install-debian' targets

    PID file now specified using -P command line option

    Actually fixed zombie generation (the v1.5 patch got
    lost, doh!)

v1.5: 10DEC2008
    Fixed zombie generation.

    Added support scripts (), Makefile.

    Changed all 'connexions' to 'connections' to please
    pesky users. Damn users.

v1.4: 13JUL2008
    Added libwrap support for ssh service (Christian Weinberger)
    Only SSH is libwrapped, not SSL.

v1.3: 14MAY2008
    Added parsing for local interface to listen on

    Changed default SSL connection to port 442 (443 doesn't make
    sense as a default as we're already listening on 443)

    Syslog incoming connections

v1.2: 12MAY2008
    Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
    Making sslhc more like a real daemon:
    * If $PIDFILE is defined, write first PID to it upon startup
    * Fork at startup (detach from terminal)
    (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
    * Less memory usage (?)

v1.0:
    Basic functionality: privilege dropping, target hostnames and ports
    configurable.