git ssb

Files: 718fe0e2e9f339a022d9bc13285017fdd76a32e1 / ChangeLog

7991 bytesRaw

1 v1.18:	29MAR2016
2 	Added USELIBPCRE to make use of regex engine
3 	optional.
4 
5 	Added support for RFC4366 SNI and RFC7301 ALPN
6 	(Travis Burtrum)
7 
8 	Changed connection log to include the name of the probe that
9 	triggered.
10 
11 	Changed configuration file format: 'probe' field is
12 	no longer required, 'name' field can now contain
13 	'tls' or 'regex', with corresponding options (see
14 	example.cfg)
15 	Added 'log_level' option to each protocol, which
16 	allows to turn off generation of log at each
17 	connection.
18 	Added 'keepalive' option.
19 
20 v1.17: 	09MAR2015
21 	Support RFC5952-style IPv6 addresses, e.g. [::]:443.
22 
23 	Transparant proxy support for FreeBSD.
24 	(Ruben van Staveren)
25 
26 	Using -F with no argument will try
27 	/etc/sslh/sslh.cfg and then /etc/sslh.cfg as
28 	configuration files. (argument to -F can no longer
29 	be separated from the option by a space, e.g. must
30 	be -Ffoo.cfg)
31 
32 	Call setgroups() before setgid() (fixes potential
33 	privilege escalation).
34 	(Lars Vogdt)
35 
36 	Use portable way of getting modified time for OSX
37 	support.
38 	(Aaron Madlon-Kay)
39 
40 	Example configuration for fail2ban.
41 	(Every Mouw)
42 
43 v1.16:	11FEB2014
44 	Probes made more resilient, to incoming data
45 	containing NULLs. Also made them behave properly
46 	when receiving too short packets to probe on the
47 	first incoming packet.
48 	(Ondrej Kuzn�k)
49 
50 	Libcap support: Keep only CAP_NET_ADMIN if started
51 	as root with transparent proxying and dropping
52 	priviledges (enable USELIBCAP in Makefile). This
53 	avoids having to mess with filesystem capabilities.
54 	(Sebastian Schmidt/yath)
55 
56 	Fixed bugs related to getpeername that would cause
57 	sslh to quit erroneously (getpeername can return
58 	actual errors if connections are dropped before
59 	getting to getpeername).
60 
61 	Set IP_FREEDBIND if available to bind to addresses
62 	that don't yet exist.
63 
64 v1.15:	27JUL2013
65 	Added --transparent option for transparent proxying.
66 	See README for iptables magic and capability
67 	management.
68 
69 	Fixed bug in sslh-select: if number of opened file
70 	descriptor became bigger than FD_SETSIZE, bad things
71 	would happen.
72 
73 	Fixed bug in sslh-select: if socket dropped while
74 	deferred_data was present, sslh-select would crash.
75 
76 	Increased FD_SETSIZE for Cygwin, as the default 64
77 	is too low for even moderate load.
78 
79 v1.14: 21DEC2012
80 	Corrected OpenVPN probe to support pre-shared secret
81 	mode (OpenVPN port-sharing code is... wrong). Thanks
82 	to Kai Ellinger for help in investigating and
83 	testing.
84 
85 	Added an actual TLS/SSL probe.
86 
87 	Added configurable --on-timeout protocol
88 	specification.
89 
90 	Added a --anyprot protocol probe (equivalent to what
91 	--ssl was).
92 
93 	Makefile respects the user's compiler and CFLAG
94 	choices (falling back to the current values if
95 	undefined), as well as LDFLAGS. 
96 	(Michael Palimaka)
97 
98 	Added "After" and "KillMode" to systemd.sslh.service
99 	(Thomas Wei�schuh).
100 
101 	Added LSB tags to etc.init.d.sslh
102 	(Thomas Varis).
103 
104 v1.13: 18MAY2012
105 	Write PID file before dropping privileges.
106 
107 	Added --background, which overrides 'foreground'
108 	configuration file setting.
109 
110 	Added example systemd service file from Archlinux in
111 	scripts/
112 	https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
113 	(S�bastien Luttringer)
114 
115 v1.12: 08MAY2012
116 	Added support for configuration file.
117 
118 	New protocol probes can be defined using regular
119 	expressions that match the first packet sent by the
120 	client.
121 
122 	sslh now connects timed out connections to the first
123 	configured protocol instead of 'ssh' (just make sure
124 	ssh is the first defined protocol).
125 
126 	sslh now tries protocols in the order in which they
127 	are defined (just make sure sslh is the last defined
128 	protocol).
129 
130 v1.11: 21APR2012
131 	WARNING: defaults have been removed for --user and
132 	--pidfile options, update your start-up scripts!
133 
134 	No longer stop sslh when reverse DNS requests fail
135 	for logging.
136 
137 	Added HTTP probe.
138 
139 	No longer create new session if running in
140 	foreground.
141 
142 	No longer default to changing user to 'nobody'. If
143 	--user isn't specified, just run as current user.
144 
145 	No longer create PID file by default, it should be
146 	explicitely set with --pidfile.
147 
148 	No longer log to syslog if in foreground. Logs are
149 	instead output to stderr.
150 
151 	The four changes above make it straightforward to
152 	integrate sslh with systemd, and should help with
153 	launchd.
154 
155 v1.10: 27NOV2011
156 	Fixed calls referring to sockaddr length so they work
157 	with FreeBSD.
158 
159 	Try target addresses in turn until one works if
160 	there are several (e.g. "localhost:22" resolves to
161 	an IPv6 address and an IPv4 address and sshd does
162 	not listen on IPv6).
163 
164 	Fixed sslh-fork so killing the head process kills
165 	the listener processes.
166 
167 	Heavily cleaned up test suite. Added stress test
168 	t_load script. Added coverage (requires lcov).
169 
170 	Support for XMPP (Arnaud Gendre).
171 
172 	Updated README.MacOSX (Aaron Madlon-Kay).
173 
174 v1.9: 02AUG2011
175 	WARNING: This version does not work with FreeBSD and
176 	derivatives!
177 
178 	WARNING: Options changed, you'll need to update your
179 	start-up scripts! Log format changed, you'll need to
180 	update log processing scripts!
181 
182 	Now supports IPv6 throughout (both on listening and
183 	forwarding)
184 
185 	Logs now contain IPv6 addresses, local forwarding
186 	address, and resolves names (unless --numeric is
187 	specified).
188 
189 	Introduced long options.
190 
191 	Options -l, -s and -o replaced by their long
192 	counterparts.
193 
194 	Defaults for SSL and SSH options suppressed (it's 
195 	legitimate to want to use sslh to mux OpenVPN and 
196 	tinc while not caring about SSH nor SSL).
197 
198 	Bind to multiple addresses with multiple -p options.
199 
200 	Support for tinc VPN (experimental).
201 
202 	Numeric logging option.
203 
204 v1.8: 15JUL2011
205 	Changed log format to make it possible to link
206 	connections to subsequent logs from other services.
207 
208 	Updated CentOS init.d script (Andre Krajnik).
209 
210 	Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
211 	propagated to the child process, so we set up signals after
212 	the fork.) (Fran�ois FRITZ)
213 
214 	Added -o "OpenVPN" and OpenVPN probing and support.
215 
216 	Added single-threaded, select(2)-based version.
217 
218 	Added support for "Bold" SSH clients (clients that speak first)
219 	Thanks to Guillaume Ricaud for spotting a regression
220 	bug.
221 
222 	Added -f "foreground" option.
223 
224 	Added test suite. (only tests connexions. No test for libwrap,
225 	setsid, setuid and so on) and corresponding 'make
226 	test' target.
227 
228 	Added README.MacOSX (thanks Aaron Madlon-Kay)
229 
230 	Documented use with proxytunnel and corkscrew in
231 	README.
232 
233 	
234 v1.7: 01FEB2010
235 	Added CentOS init.d script (Andre Krajnik).
236 
237 	Fixed default ssl address inconsistancy, now
238 	defaults to "localhost:443" and fixed documentation
239 	accordingly (pointed by Markus Schalke).
240 
241 	Children no longer bind to the listen socket, so
242 	parent server can be stopped without killing an
243 	active child (pointed by Matthias Buecher).
244 
245 	Inetd support (Dima Barsky).
246 
247 v1.6: 25APR2009
248 	Added -V, version option.
249 
250 	Install target directory configurable in Makefile
251 
252 	Changed syslog prefix in auth.log to "sslh[%pid]"
253 
254 	Man page
255 
256 	new 'make install' and 'make install-debian' targets
257 
258 	PID file now specified using -P command line option
259 
260 	Actually fixed zombie generation (the v1.5 patch got
261 	lost, doh!)
262 
263 
264 v1.5: 10DEC2008
265 	Fixed zombie generation.
266 
267 	Added support scripts (), Makefile.
268 
269 	Changed all 'connexions' to 'connections' to please
270 	pesky users. Damn users.
271 
272 v1.4: 13JUL2008
273 	Added libwrap support for ssh service (Christian Weinberger)
274 	Only SSH is libwraped, not SSL.
275 
276 v1.3: 14MAY2008
277 	Added parsing for local interface to listen on
278 
279 	Changed default SSL connection to port 442 (443 doesn't make
280 	sense as a default as we're already listening on 443)
281 
282 	Syslog incoming connections
283 
284 v1.2: 12MAY2008
285 	Fixed compilation warning for AMD64 (Thx Daniel Lange)
286 
287 v1.1: 21MAY2007
288 	Making sslhc more like a real daemon:
289 	* If $PIDFILE is defined, write first PID to it upon startup
290 	* Fork at startup (detach from terminal)
291 	(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
292 	* Less memory usage (?)
293 
294 v1.0: 
295 	Basic functionality: privilege dropping, target hostnames and ports
296 	configurable.
297 
298 
299

Built with git-ssb-web

cel / sslh

Tree: 718fe0e2e9f339a022d9bc13285017fdd76a32e1

Files: 718fe0e2e9f339a022d9bc13285017fdd76a32e1 / ChangeLog

1	v1.18: 29MAR2016
2	Added USELIBPCRE to make use of regex engine
3	optional.
4
5	Added support for RFC4366 SNI and RFC7301 ALPN
6	(Travis Burtrum)
7
8	Changed connection log to include the name of the probe that
9	triggered.
10
11	Changed configuration file format: 'probe' field is
12	no longer required, 'name' field can now contain
13	'tls' or 'regex', with corresponding options (see
14	example.cfg)
15	Added 'log_level' option to each protocol, which
16	allows to turn off generation of log at each
17	connection.
18	Added 'keepalive' option.
19
20	v1.17: 09MAR2015
21	Support RFC5952-style IPv6 addresses, e.g. [::]:443.
22
23	Transparant proxy support for FreeBSD.
24	(Ruben van Staveren)
25
26	Using -F with no argument will try
27	/etc/sslh/sslh.cfg and then /etc/sslh.cfg as
28	configuration files. (argument to -F can no longer
29	be separated from the option by a space, e.g. must
30	be -Ffoo.cfg)
31
32	Call setgroups() before setgid() (fixes potential
33	privilege escalation).
34	(Lars Vogdt)
35
36	Use portable way of getting modified time for OSX
37	support.
38	(Aaron Madlon-Kay)
39
40	Example configuration for fail2ban.
41	(Every Mouw)
42
43	v1.16: 11FEB2014
44	Probes made more resilient, to incoming data
45	containing NULLs. Also made them behave properly
46	when receiving too short packets to probe on the
47	first incoming packet.
48	(Ondrej Kuzn�k)
49
50	Libcap support: Keep only CAP_NET_ADMIN if started
51	as root with transparent proxying and dropping
52	priviledges (enable USELIBCAP in Makefile). This
53	avoids having to mess with filesystem capabilities.
54	(Sebastian Schmidt/yath)
55
56	Fixed bugs related to getpeername that would cause
57	sslh to quit erroneously (getpeername can return
58	actual errors if connections are dropped before
59	getting to getpeername).
60
61	Set IP_FREEDBIND if available to bind to addresses
62	that don't yet exist.
63
64	v1.15: 27JUL2013
65	Added --transparent option for transparent proxying.
66	See README for iptables magic and capability
67	management.
68
69	Fixed bug in sslh-select: if number of opened file
70	descriptor became bigger than FD_SETSIZE, bad things
71	would happen.
72
73	Fixed bug in sslh-select: if socket dropped while
74	deferred_data was present, sslh-select would crash.
75
76	Increased FD_SETSIZE for Cygwin, as the default 64
77	is too low for even moderate load.
78
79	v1.14: 21DEC2012
80	Corrected OpenVPN probe to support pre-shared secret
81	mode (OpenVPN port-sharing code is... wrong). Thanks
82	to Kai Ellinger for help in investigating and
83	testing.
84
85	Added an actual TLS/SSL probe.
86
87	Added configurable --on-timeout protocol
88	specification.
89
90	Added a --anyprot protocol probe (equivalent to what
91	--ssl was).
92
93	Makefile respects the user's compiler and CFLAG
94	choices (falling back to the current values if
95	undefined), as well as LDFLAGS.
96	(Michael Palimaka)
97
98	Added "After" and "KillMode" to systemd.sslh.service
99	(Thomas Wei�schuh).
100
101	Added LSB tags to etc.init.d.sslh
102	(Thomas Varis).
103
104	v1.13: 18MAY2012
105	Write PID file before dropping privileges.
106
107	Added --background, which overrides 'foreground'
108	configuration file setting.
109
110	Added example systemd service file from Archlinux in
111	scripts/
112	https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
113	(S�bastien Luttringer)
114
115	v1.12: 08MAY2012
116	Added support for configuration file.
117
118	New protocol probes can be defined using regular
119	expressions that match the first packet sent by the
120	client.
121
122	sslh now connects timed out connections to the first
123	configured protocol instead of 'ssh' (just make sure
124	ssh is the first defined protocol).
125
126	sslh now tries protocols in the order in which they
127	are defined (just make sure sslh is the last defined
128	protocol).
129
130	v1.11: 21APR2012
131	WARNING: defaults have been removed for --user and
132	--pidfile options, update your start-up scripts!
133
134	No longer stop sslh when reverse DNS requests fail
135	for logging.
136
137	Added HTTP probe.
138
139	No longer create new session if running in
140	foreground.
141
142	No longer default to changing user to 'nobody'. If
143	--user isn't specified, just run as current user.
144
145	No longer create PID file by default, it should be
146	explicitely set with --pidfile.
147
148	No longer log to syslog if in foreground. Logs are
149	instead output to stderr.
150
151	The four changes above make it straightforward to
152	integrate sslh with systemd, and should help with
153	launchd.
154
155	v1.10: 27NOV2011
156	Fixed calls referring to sockaddr length so they work
157	with FreeBSD.
158
159	Try target addresses in turn until one works if
160	there are several (e.g. "localhost:22" resolves to
161	an IPv6 address and an IPv4 address and sshd does
162	not listen on IPv6).
163
164	Fixed sslh-fork so killing the head process kills
165	the listener processes.
166
167	Heavily cleaned up test suite. Added stress test
168	t_load script. Added coverage (requires lcov).
169
170	Support for XMPP (Arnaud Gendre).
171
172	Updated README.MacOSX (Aaron Madlon-Kay).
173
174	v1.9: 02AUG2011
175	WARNING: This version does not work with FreeBSD and
176	derivatives!
177
178	WARNING: Options changed, you'll need to update your
179	start-up scripts! Log format changed, you'll need to
180	update log processing scripts!
181
182	Now supports IPv6 throughout (both on listening and
183	forwarding)
184
185	Logs now contain IPv6 addresses, local forwarding
186	address, and resolves names (unless --numeric is
187	specified).
188
189	Introduced long options.
190
191	Options -l, -s and -o replaced by their long
192	counterparts.
193
194	Defaults for SSL and SSH options suppressed (it's
195	legitimate to want to use sslh to mux OpenVPN and
196	tinc while not caring about SSH nor SSL).
197
198	Bind to multiple addresses with multiple -p options.
199
200	Support for tinc VPN (experimental).
201
202	Numeric logging option.
203
204	v1.8: 15JUL2011
205	Changed log format to make it possible to link
206	connections to subsequent logs from other services.
207
208	Updated CentOS init.d script (Andre Krajnik).
209
210	Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
211	propagated to the child process, so we set up signals after
212	the fork.) (Fran�ois FRITZ)
213
214	Added -o "OpenVPN" and OpenVPN probing and support.
215
216	Added single-threaded, select(2)-based version.
217
218	Added support for "Bold" SSH clients (clients that speak first)
219	Thanks to Guillaume Ricaud for spotting a regression
220	bug.
221
222	Added -f "foreground" option.
223
224	Added test suite. (only tests connexions. No test for libwrap,
225	setsid, setuid and so on) and corresponding 'make
226	test' target.
227
228	Added README.MacOSX (thanks Aaron Madlon-Kay)
229
230	Documented use with proxytunnel and corkscrew in
231	README.
232
233
234	v1.7: 01FEB2010
235	Added CentOS init.d script (Andre Krajnik).
236
237	Fixed default ssl address inconsistancy, now
238	defaults to "localhost:443" and fixed documentation
239	accordingly (pointed by Markus Schalke).
240
241	Children no longer bind to the listen socket, so
242	parent server can be stopped without killing an
243	active child (pointed by Matthias Buecher).
244
245	Inetd support (Dima Barsky).
246
247	v1.6: 25APR2009
248	Added -V, version option.
249
250	Install target directory configurable in Makefile
251
252	Changed syslog prefix in auth.log to "sslh[%pid]"
253
254	Man page
255
256	new 'make install' and 'make install-debian' targets
257
258	PID file now specified using -P command line option
259
260	Actually fixed zombie generation (the v1.5 patch got
261	lost, doh!)
262
263
264	v1.5: 10DEC2008
265	Fixed zombie generation.
266
267	Added support scripts (), Makefile.
268
269	Changed all 'connexions' to 'connections' to please
270	pesky users. Damn users.
271
272	v1.4: 13JUL2008
273	Added libwrap support for ssh service (Christian Weinberger)
274	Only SSH is libwraped, not SSL.
275
276	v1.3: 14MAY2008
277	Added parsing for local interface to listen on
278
279	Changed default SSL connection to port 442 (443 doesn't make
280	sense as a default as we're already listening on 443)
281
282	Syslog incoming connections
283
284	v1.2: 12MAY2008
285	Fixed compilation warning for AMD64 (Thx Daniel Lange)
286
287	v1.1: 21MAY2007
288	Making sslhc more like a real daemon:
289	* If $PIDFILE is defined, write first PID to it upon startup
290	* Fork at startup (detach from terminal)
291	(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
292	* Less memory usage (?)
293
294	v1.0:
295	Basic functionality: privilege dropping, target hostnames and ports
296	configurable.
297
298
299

cel / sslh

Tree: 718fe0e2e9f339a022d9bc13285017fdd76a32e1 shsmasterv1.9v1.8v1.7v1.6v1.5v1.3v1.2v1.18v1.17v1.16v1.15v1.14v1.13v1.12v1.11v1.10v1.1v1.0 <input type="submit" value="Go"/>

Files: 718fe0e2e9f339a022d9bc13285017fdd76a32e1 / ChangeLog

Tree: 718fe0e2e9f339a022d9bc13285017fdd76a32e1