cel / sslh



Tree: 2cb424c6464be24045c9f41b66811c3992970189

Files: 2cb424c6464be24045c9f41b66811c3992970189 / ChangeLog

7863 bytes
vNEXT:
        Added USELIBPCRE to make use of regex engine
        optional.

        Added support for RFC4366 SNI
        (Travis Burtrum)

        Changed configuration file format: 'probe' field is
        no longer required, 'name' field can now contain
        'sni' or 'regex', with corresponding options (see
        example.org)
        Added 'log_level' option to each protocol, which
        allows turning off generation of log at each
        connection.

v1.17: 09MAR2015
        Support RFC5952-style IPv6 addresses, e.g. [::]:443.

        Transparent proxy support for FreeBSD.
        (Ruben van Staveren)

        Using -F with no argument will try
        /etc/sslh/sslh.cfg and then /etc/sslh.cfg as
        configuration files. (argument to -F can no longer
        be separated from the option by a space, e.g. must
        be -Ffoo.cfg)

        Call setgroups() before setgid() (fixes potential
        privilege escalation).
        (Lars Vogdt)

        Use portable way of getting modified time for OSX
        support.
        (Aaron Madlon-Kay)

        Example configuration for fail2ban.
        (Every Mouw)

v1.16: 11FEB2014
        Probes made more resilient to incoming data
        containing NULLs. Also made them behave properly
        when receiving too short packets to probe on the
        first incoming packet.
        (Ondrej Kuzník)

        Libcap support: Keep only CAP_NET_ADMIN if started
        as root with transparent proxying and dropping
        privileges (enable USELIBCAP in Makefile). This
        avoids having to mess with filesystem capabilities.
        (Sebastian Schmidt/yath)

        Fixed bugs related to getpeername that would cause
        sslh to quit erroneously (getpeername can return
        actual errors if connections are dropped before
        getting to getpeername).

        Set IP_FREEDBIND if available to bind to addresses
        that don't yet exist.

v1.15: 27JUL2013
        Added --transparent option for transparent proxying.
        See README for iptables magic and capability
        management.

        Fixed bug in sslh-select: if number of open file
        descriptors became bigger than FD_SETSIZE, bad things
        would happen.

        Fixed bug in sslh-select: if socket dropped while
        deferred_data was present, sslh-select would crash.

        Increased FD_SETSIZE for Cygwin, as the default 64
        is too low for even moderate load.

v1.14: 21DEC2012
        Corrected OpenVPN probe to support pre-shared secret
        mode (OpenVPN port-sharing code is... wrong). Thanks
        to Kai Ellinger for help in investigating and
        testing.

        Added an actual TLS/SSL probe.

        Added configurable --on-timeout protocol
        specification.

        Added a --anyprot protocol probe (equivalent to what
        --ssl was).

        Makefile respects the user's compiler and CFLAG
        choices (falling back to the current values if
        undefined), as well as LDFLAGS.
        (Michael Palimaka)

        Added "After" and "KillMode" to systemd.sslh.service
        (Thomas Weißschuh).

        Added LSB tags to etc.init.d.sslh
        (Thomas Varis).

v1.13: 18MAY2012
        Write PID file before dropping privileges.

        Added --background, which overrides 'foreground'
        configuration file setting.

        Added example systemd service file from Archlinux in
        scripts/
        https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
        (Sébastien Luttringer)

v1.12: 08MAY2012
        Added support for configuration file.

        New protocol probes can be defined using regular
        expressions that match the first packet sent by the
        client.

        sslh now connects timed out connections to the first
        configured protocol instead of 'ssh' (just make sure
        ssh is the first defined protocol).

        sslh now tries protocols in the order in which they
        are defined (just make sure sslh is the last defined
        protocol).

v1.11: 21APR2012
        WARNING: defaults have been removed for --user and
        --pidfile options, update your start-up scripts!

        No longer stop sslh when reverse DNS requests fail
        for logging.

        Added HTTP probe.

        No longer create new session if running in
        foreground.

        No longer default to changing user to 'nobody'. If
        --user isn't specified, just run as current user.

        No longer create PID file by default, it should be
        explicitly set with --pidfile.

        No longer log to syslog if in foreground. Logs are
        instead output to stderr.

        The four changes above make it straightforward to
        integrate sslh with systemd, and should help with
        launchd.

v1.10: 27NOV2011
        Fixed calls referring to sockaddr length so they work
        with FreeBSD.

        Try target addresses in turn until one works if
        there are several (e.g. "localhost:22" resolves to
        an IPv6 address and an IPv4 address and sshd does
        not listen on IPv6).

        Fixed sslh-fork so killing the head process kills
        the listener processes.

        Heavily cleaned up test suite. Added stress test
        t_load script. Added coverage (requires lcov).

        Support for XMPP (Arnaud Gendre).

        Updated README.MacOSX (Aaron Madlon-Kay).

v1.9: 02AUG2011
        WARNING: This version does not work with FreeBSD and
        derivatives!

        WARNING: Options changed, you'll need to update your
        start-up scripts! Log format changed, you'll need to
        update log processing scripts!

        Now supports IPv6 throughout (both on listening and
        forwarding)

        Logs now contain IPv6 addresses, local forwarding
        address, and resolves names (unless --numeric is
        specified).

        Introduced long options.

        Options -l, -s and -o replaced by their long
        counterparts.

        Defaults for SSL and SSH options suppressed (it's
        legitimate to want to use sslh to mux OpenVPN and
        tinc while not caring about SSH nor SSL).

        Bind to multiple addresses with multiple -p options.

        Support for tinc VPN (experimental).

        Numeric logging option.

v1.8: 15JUL2011
        Changed log format to make it possible to link
        connections to subsequent logs from other services.

        Updated CentOS init.d script (Andre Krajnik).

        Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
        propagated to the child process, so we set up signals after
        the fork.) (François FRITZ)

        Added -o "OpenVPN" and OpenVPN probing and support.

        Added single-threaded, select(2)-based version.

        Added support for "Bold" SSH clients (clients that speak first)
        Thanks to Guillaume Ricaud for spotting a regression
        bug.

        Added -f "foreground" option.

        Added test suite. (only tests connections. No test for libwrap,
        setsid, setuid and so on) and corresponding 'make
        test' target.

        Added README.MacOSX (thanks Aaron Madlon-Kay)

        Documented use with proxytunnel and corkscrew in
        README.

v1.7: 01FEB2010
        Added CentOS init.d script (Andre Krajnik).

        Fixed default ssl address inconsistency, now
        defaults to "localhost:443" and fixed documentation
        accordingly (pointed by Markus Schalke).

        Children no longer bind to the listen socket, so
        parent server can be stopped without killing an
        active child (pointed by Matthias Buecher).

        Inetd support (Dima Barsky).

v1.6: 25APR2009
        Added -V, version option.

        Install target directory configurable in Makefile

        Changed syslog prefix in auth.log to "sslh[%pid]"

        Man page

        new 'make install' and 'make install-debian' targets

        PID file now specified using -P command line option

        Actually fixed zombie generation (the v1.5 patch got
        lost, doh!)

v1.5: 10DEC2008
        Fixed zombie generation.

        Added support scripts (), Makefile.

        Changed all 'connexions' to 'connections' to please
        pesky users. Damn users.

v1.4: 13JUL2008
        Added libwrap support for ssh service (Christian Weinberger)
        Only SSH is libwrapped, not SSL.

v1.3: 14MAY2008
        Added parsing for local interface to listen on

        Changed default SSL connection to port 442 (443 doesn't make
        sense as a default as we're already listening on 443)

        Syslog incoming connections

v1.2: 12MAY2008
        Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
        Making sslhc more like a real daemon:
        * If $PIDFILE is defined, write first PID to it upon startup
        * Fork at startup (detach from terminal)
        (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
        * Less memory usage (?)

v1.0:
        Basic functionality: privilege dropping, target hostnames and ports
        configurable.
