Files: 3550cbe77c3429d32f849c2a7074896719055a0c / ChangeLog
7469 bytesRaw
| 1 | v1.17: 09MAR2015 |
| 2 | Support RFC5952-style IPv6 addresses, e.g. [::]:443. |
| 3 | |
| 4 | Transparant proxy support for FreeBSD. |
| 5 | (Ruben van Staveren) |
| 6 | |
| 7 | Using -F with no argument will try |
| 8 | /etc/sslh/sslh.cfg and then /etc/sslh.cfg as |
| 9 | configuration files. (argument to -F can no longer |
| 10 | be separated from the option by a space, e.g. must |
| 11 | be -Ffoo.cfg) |
| 12 | |
| 13 | Call setgroups() before setgid() (fixes potential |
| 14 | privilege escalation). |
| 15 | (Lars Vogdt) |
| 16 | |
| 17 | Use portable way of getting modified time for OSX |
| 18 | support. |
| 19 | (Aaron Madlon-Kay) |
| 20 | |
| 21 | Example configuration for fail2ban. |
| 22 | (Every Mouw) |
| 23 | |
| 24 | v1.16: 11FEB2014 |
| 25 | Probes made more resilient, to incoming data |
| 26 | containing NULLs. Also made them behave properly |
| 27 | when receiving too short packets to probe on the |
| 28 | first incoming packet. |
| 29 | (Ondrej Kuzn�k) |
| 30 | |
| 31 | Libcap support: Keep only CAP_NET_ADMIN if started |
| 32 | as root with transparent proxying and dropping |
| 33 | priviledges (enable USELIBCAP in Makefile). This |
| 34 | avoids having to mess with filesystem capabilities. |
| 35 | (Sebastian Schmidt/yath) |
| 36 | |
| 37 | Fixed bugs related to getpeername that would cause |
| 38 | sslh to quit erroneously (getpeername can return |
| 39 | actual errors if connections are dropped before |
| 40 | getting to getpeername). |
| 41 | |
| 42 | Set IP_FREEDBIND if available to bind to addresses |
| 43 | that don't yet exist. |
| 44 | |
| 45 | v1.15: 27JUL2013 |
| 46 | Added --transparent option for transparent proxying. |
| 47 | See README for iptables magic and capability |
| 48 | management. |
| 49 | |
| 50 | Fixed bug in sslh-select: if number of opened file |
| 51 | descriptor became bigger than FD_SETSIZE, bad things |
| 52 | would happen. |
| 53 | |
| 54 | Fixed bug in sslh-select: if socket dropped while |
| 55 | deferred_data was present, sslh-select would crash. |
| 56 | |
| 57 | Increased FD_SETSIZE for Cygwin, as the default 64 |
| 58 | is too low for even moderate load. |
| 59 | |
| 60 | v1.14: 21DEC2012 |
| 61 | Corrected OpenVPN probe to support pre-shared secret |
| 62 | mode (OpenVPN port-sharing code is... wrong). Thanks |
| 63 | to Kai Ellinger for help in investigating and |
| 64 | testing. |
| 65 | |
| 66 | Added an actual TLS/SSL probe. |
| 67 | |
| 68 | Added configurable --on-timeout protocol |
| 69 | specification. |
| 70 | |
| 71 | Added a --anyprot protocol probe (equivalent to what |
| 72 | --ssl was). |
| 73 | |
| 74 | Makefile respects the user's compiler and CFLAG |
| 75 | choices (falling back to the current values if |
| 76 | undefined), as well as LDFLAGS. |
| 77 | (Michael Palimaka) |
| 78 | |
| 79 | Added "After" and "KillMode" to systemd.sslh.service |
| 80 | (Thomas Wei�schuh). |
| 81 | |
| 82 | Added LSB tags to etc.init.d.sslh |
| 83 | (Thomas Varis). |
| 84 | |
| 85 | v1.13: 18MAY2012 |
| 86 | Write PID file before dropping privileges. |
| 87 | |
| 88 | Added --background, which overrides 'foreground' |
| 89 | configuration file setting. |
| 90 | |
| 91 | Added example systemd service file from Archlinux in |
| 92 | scripts/ |
| 93 | https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh |
| 94 | (S�bastien Luttringer) |
| 95 | |
| 96 | v1.12: 08MAY2012 |
| 97 | Added support for configuration file. |
| 98 | |
| 99 | New protocol probes can be defined using regular |
| 100 | expressions that match the first packet sent by the |
| 101 | client. |
| 102 | |
| 103 | sslh now connects timed out connections to the first |
| 104 | configured protocol instead of 'ssh' (just make sure |
| 105 | ssh is the first defined protocol). |
| 106 | |
| 107 | sslh now tries protocols in the order in which they |
| 108 | are defined (just make sure sslh is the last defined |
| 109 | protocol). |
| 110 | |
| 111 | v1.11: 21APR2012 |
| 112 | WARNING: defaults have been removed for --user and |
| 113 | --pidfile options, update your start-up scripts! |
| 114 | |
| 115 | No longer stop sslh when reverse DNS requests fail |
| 116 | for logging. |
| 117 | |
| 118 | Added HTTP probe. |
| 119 | |
| 120 | No longer create new session if running in |
| 121 | foreground. |
| 122 | |
| 123 | No longer default to changing user to 'nobody'. If |
| 124 | --user isn't specified, just run as current user. |
| 125 | |
| 126 | No longer create PID file by default, it should be |
| 127 | explicitely set with --pidfile. |
| 128 | |
| 129 | No longer log to syslog if in foreground. Logs are |
| 130 | instead output to stderr. |
| 131 | |
| 132 | The four changes above make it straightforward to |
| 133 | integrate sslh with systemd, and should help with |
| 134 | launchd. |
| 135 | |
| 136 | v1.10: 27NOV2011 |
| 137 | Fixed calls referring to sockaddr length so they work |
| 138 | with FreeBSD. |
| 139 | |
| 140 | Try target addresses in turn until one works if |
| 141 | there are several (e.g. "localhost:22" resolves to |
| 142 | an IPv6 address and an IPv4 address and sshd does |
| 143 | not listen on IPv6). |
| 144 | |
| 145 | Fixed sslh-fork so killing the head process kills |
| 146 | the listener processes. |
| 147 | |
| 148 | Heavily cleaned up test suite. Added stress test |
| 149 | t_load script. Added coverage (requires lcov). |
| 150 | |
| 151 | Support for XMPP (Arnaud Gendre). |
| 152 | |
| 153 | Updated README.MacOSX (Aaron Madlon-Kay). |
| 154 | |
| 155 | v1.9: 02AUG2011 |
| 156 | WARNING: This version does not work with FreeBSD and |
| 157 | derivatives! |
| 158 | |
| 159 | WARNING: Options changed, you'll need to update your |
| 160 | start-up scripts! Log format changed, you'll need to |
| 161 | update log processing scripts! |
| 162 | |
| 163 | Now supports IPv6 throughout (both on listening and |
| 164 | forwarding) |
| 165 | |
| 166 | Logs now contain IPv6 addresses, local forwarding |
| 167 | address, and resolves names (unless --numeric is |
| 168 | specified). |
| 169 | |
| 170 | Introduced long options. |
| 171 | |
| 172 | Options -l, -s and -o replaced by their long |
| 173 | counterparts. |
| 174 | |
| 175 | Defaults for SSL and SSH options suppressed (it's |
| 176 | legitimate to want to use sslh to mux OpenVPN and |
| 177 | tinc while not caring about SSH nor SSL). |
| 178 | |
| 179 | Bind to multiple addresses with multiple -p options. |
| 180 | |
| 181 | Support for tinc VPN (experimental). |
| 182 | |
| 183 | Numeric logging option. |
| 184 | |
| 185 | v1.8: 15JUL2011 |
| 186 | Changed log format to make it possible to link |
| 187 | connections to subsequent logs from other services. |
| 188 | |
| 189 | Updated CentOS init.d script (Andre Krajnik). |
| 190 | |
| 191 | Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not |
| 192 | propagated to the child process, so we set up signals after |
| 193 | the fork.) (Fran�ois FRITZ) |
| 194 | |
| 195 | Added -o "OpenVPN" and OpenVPN probing and support. |
| 196 | |
| 197 | Added single-threaded, select(2)-based version. |
| 198 | |
| 199 | Added support for "Bold" SSH clients (clients that speak first) |
| 200 | Thanks to Guillaume Ricaud for spotting a regression |
| 201 | bug. |
| 202 | |
| 203 | Added -f "foreground" option. |
| 204 | |
| 205 | Added test suite. (only tests connexions. No test for libwrap, |
| 206 | setsid, setuid and so on) and corresponding 'make |
| 207 | test' target. |
| 208 | |
| 209 | Added README.MacOSX (thanks Aaron Madlon-Kay) |
| 210 | |
| 211 | Documented use with proxytunnel and corkscrew in |
| 212 | README. |
| 213 | |
| 214 | |
| 215 | v1.7: 01FEB2010 |
| 216 | Added CentOS init.d script (Andre Krajnik). |
| 217 | |
| 218 | Fixed default ssl address inconsistancy, now |
| 219 | defaults to "localhost:443" and fixed documentation |
| 220 | accordingly (pointed by Markus Schalke). |
| 221 | |
| 222 | Children no longer bind to the listen socket, so |
| 223 | parent server can be stopped without killing an |
| 224 | active child (pointed by Matthias Buecher). |
| 225 | |
| 226 | Inetd support (Dima Barsky). |
| 227 | |
| 228 | v1.6: 25APR2009 |
| 229 | Added -V, version option. |
| 230 | |
| 231 | Install target directory configurable in Makefile |
| 232 | |
| 233 | Changed syslog prefix in auth.log to "sslh[%pid]" |
| 234 | |
| 235 | Man page |
| 236 | |
| 237 | new 'make install' and 'make install-debian' targets |
| 238 | |
| 239 | PID file now specified using -P command line option |
| 240 | |
| 241 | Actually fixed zombie generation (the v1.5 patch got |
| 242 | lost, doh!) |
| 243 | |
| 244 | |
| 245 | v1.5: 10DEC2008 |
| 246 | Fixed zombie generation. |
| 247 | |
| 248 | Added support scripts (), Makefile. |
| 249 | |
| 250 | Changed all 'connexions' to 'connections' to please |
| 251 | pesky users. Damn users. |
| 252 | |
| 253 | v1.4: 13JUL2008 |
| 254 | Added libwrap support for ssh service (Christian Weinberger) |
| 255 | Only SSH is libwraped, not SSL. |
| 256 | |
| 257 | v1.3: 14MAY2008 |
| 258 | Added parsing for local interface to listen on |
| 259 | |
| 260 | Changed default SSL connection to port 442 (443 doesn't make |
| 261 | sense as a default as we're already listening on 443) |
| 262 | |
| 263 | Syslog incoming connections |
| 264 | |
| 265 | v1.2: 12MAY2008 |
| 266 | Fixed compilation warning for AMD64 (Thx Daniel Lange) |
| 267 | |
| 268 | v1.1: 21MAY2007 |
| 269 | Making sslhc more like a real daemon: |
| 270 | * If $PIDFILE is defined, write first PID to it upon startup |
| 271 | * Fork at startup (detach from terminal) |
| 272 | (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) |
| 273 | * Less memory usage (?) |
| 274 | |
| 275 | v1.0: |
| 276 | Basic functionality: privilege dropping, target hostnames and ports |
| 277 | configurable. |
| 278 | |
| 279 | |
| 280 |
Built with git-ssb-web