Files: 8af039d3eb3e890482fd6755532d7786a104cae8 / ChangeLog
7954 bytesRaw
1 | vNEXT: |
2 | Added USELIBPCRE to make use of regex engine |
3 | optional. |
4 | |
5 | Added support for RFC4366 SNI and RFC7301 ALPN |
6 | (Travis Burtrum) |
7 | |
8 | Changed connection log to include the name of the probe that |
9 | triggered. |
10 | |
11 | Changed configuration file format: 'probe' field is |
12 | no longer required, 'name' field can now contain |
13 | 'tls' or 'regex', with corresponding options (see |
14 | example.cfg) |
15 | Added 'log_level' option to each protocol, which |
16 | allows to turn off generation of log at each |
17 | connection. |
18 | |
19 | v1.17: 09MAR2015 |
20 | Support RFC5952-style IPv6 addresses, e.g. [::]:443. |
21 | |
22 | Transparant proxy support for FreeBSD. |
23 | (Ruben van Staveren) |
24 | |
25 | Using -F with no argument will try |
26 | /etc/sslh/sslh.cfg and then /etc/sslh.cfg as |
27 | configuration files. (argument to -F can no longer |
28 | be separated from the option by a space, e.g. must |
29 | be -Ffoo.cfg) |
30 | |
31 | Call setgroups() before setgid() (fixes potential |
32 | privilege escalation). |
33 | (Lars Vogdt) |
34 | |
35 | Use portable way of getting modified time for OSX |
36 | support. |
37 | (Aaron Madlon-Kay) |
38 | |
39 | Example configuration for fail2ban. |
40 | (Every Mouw) |
41 | |
42 | v1.16: 11FEB2014 |
43 | Probes made more resilient, to incoming data |
44 | containing NULLs. Also made them behave properly |
45 | when receiving too short packets to probe on the |
46 | first incoming packet. |
47 | (Ondrej Kuzn�k) |
48 | |
49 | Libcap support: Keep only CAP_NET_ADMIN if started |
50 | as root with transparent proxying and dropping |
51 | priviledges (enable USELIBCAP in Makefile). This |
52 | avoids having to mess with filesystem capabilities. |
53 | (Sebastian Schmidt/yath) |
54 | |
55 | Fixed bugs related to getpeername that would cause |
56 | sslh to quit erroneously (getpeername can return |
57 | actual errors if connections are dropped before |
58 | getting to getpeername). |
59 | |
60 | Set IP_FREEDBIND if available to bind to addresses |
61 | that don't yet exist. |
62 | |
63 | v1.15: 27JUL2013 |
64 | Added --transparent option for transparent proxying. |
65 | See README for iptables magic and capability |
66 | management. |
67 | |
68 | Fixed bug in sslh-select: if number of opened file |
69 | descriptor became bigger than FD_SETSIZE, bad things |
70 | would happen. |
71 | |
72 | Fixed bug in sslh-select: if socket dropped while |
73 | deferred_data was present, sslh-select would crash. |
74 | |
75 | Increased FD_SETSIZE for Cygwin, as the default 64 |
76 | is too low for even moderate load. |
77 | |
78 | v1.14: 21DEC2012 |
79 | Corrected OpenVPN probe to support pre-shared secret |
80 | mode (OpenVPN port-sharing code is... wrong). Thanks |
81 | to Kai Ellinger for help in investigating and |
82 | testing. |
83 | |
84 | Added an actual TLS/SSL probe. |
85 | |
86 | Added configurable --on-timeout protocol |
87 | specification. |
88 | |
89 | Added a --anyprot protocol probe (equivalent to what |
90 | --ssl was). |
91 | |
92 | Makefile respects the user's compiler and CFLAG |
93 | choices (falling back to the current values if |
94 | undefined), as well as LDFLAGS. |
95 | (Michael Palimaka) |
96 | |
97 | Added "After" and "KillMode" to systemd.sslh.service |
98 | (Thomas Wei�schuh). |
99 | |
100 | Added LSB tags to etc.init.d.sslh |
101 | (Thomas Varis). |
102 | |
103 | v1.13: 18MAY2012 |
104 | Write PID file before dropping privileges. |
105 | |
106 | Added --background, which overrides 'foreground' |
107 | configuration file setting. |
108 | |
109 | Added example systemd service file from Archlinux in |
110 | scripts/ |
111 | https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh |
112 | (S�bastien Luttringer) |
113 | |
114 | v1.12: 08MAY2012 |
115 | Added support for configuration file. |
116 | |
117 | New protocol probes can be defined using regular |
118 | expressions that match the first packet sent by the |
119 | client. |
120 | |
121 | sslh now connects timed out connections to the first |
122 | configured protocol instead of 'ssh' (just make sure |
123 | ssh is the first defined protocol). |
124 | |
125 | sslh now tries protocols in the order in which they |
126 | are defined (just make sure sslh is the last defined |
127 | protocol). |
128 | |
129 | v1.11: 21APR2012 |
130 | WARNING: defaults have been removed for --user and |
131 | --pidfile options, update your start-up scripts! |
132 | |
133 | No longer stop sslh when reverse DNS requests fail |
134 | for logging. |
135 | |
136 | Added HTTP probe. |
137 | |
138 | No longer create new session if running in |
139 | foreground. |
140 | |
141 | No longer default to changing user to 'nobody'. If |
142 | --user isn't specified, just run as current user. |
143 | |
144 | No longer create PID file by default, it should be |
145 | explicitely set with --pidfile. |
146 | |
147 | No longer log to syslog if in foreground. Logs are |
148 | instead output to stderr. |
149 | |
150 | The four changes above make it straightforward to |
151 | integrate sslh with systemd, and should help with |
152 | launchd. |
153 | |
154 | v1.10: 27NOV2011 |
155 | Fixed calls referring to sockaddr length so they work |
156 | with FreeBSD. |
157 | |
158 | Try target addresses in turn until one works if |
159 | there are several (e.g. "localhost:22" resolves to |
160 | an IPv6 address and an IPv4 address and sshd does |
161 | not listen on IPv6). |
162 | |
163 | Fixed sslh-fork so killing the head process kills |
164 | the listener processes. |
165 | |
166 | Heavily cleaned up test suite. Added stress test |
167 | t_load script. Added coverage (requires lcov). |
168 | |
169 | Support for XMPP (Arnaud Gendre). |
170 | |
171 | Updated README.MacOSX (Aaron Madlon-Kay). |
172 | |
173 | v1.9: 02AUG2011 |
174 | WARNING: This version does not work with FreeBSD and |
175 | derivatives! |
176 | |
177 | WARNING: Options changed, you'll need to update your |
178 | start-up scripts! Log format changed, you'll need to |
179 | update log processing scripts! |
180 | |
181 | Now supports IPv6 throughout (both on listening and |
182 | forwarding) |
183 | |
184 | Logs now contain IPv6 addresses, local forwarding |
185 | address, and resolves names (unless --numeric is |
186 | specified). |
187 | |
188 | Introduced long options. |
189 | |
190 | Options -l, -s and -o replaced by their long |
191 | counterparts. |
192 | |
193 | Defaults for SSL and SSH options suppressed (it's |
194 | legitimate to want to use sslh to mux OpenVPN and |
195 | tinc while not caring about SSH nor SSL). |
196 | |
197 | Bind to multiple addresses with multiple -p options. |
198 | |
199 | Support for tinc VPN (experimental). |
200 | |
201 | Numeric logging option. |
202 | |
203 | v1.8: 15JUL2011 |
204 | Changed log format to make it possible to link |
205 | connections to subsequent logs from other services. |
206 | |
207 | Updated CentOS init.d script (Andre Krajnik). |
208 | |
209 | Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not |
210 | propagated to the child process, so we set up signals after |
211 | the fork.) (Fran�ois FRITZ) |
212 | |
213 | Added -o "OpenVPN" and OpenVPN probing and support. |
214 | |
215 | Added single-threaded, select(2)-based version. |
216 | |
217 | Added support for "Bold" SSH clients (clients that speak first) |
218 | Thanks to Guillaume Ricaud for spotting a regression |
219 | bug. |
220 | |
221 | Added -f "foreground" option. |
222 | |
223 | Added test suite. (only tests connexions. No test for libwrap, |
224 | setsid, setuid and so on) and corresponding 'make |
225 | test' target. |
226 | |
227 | Added README.MacOSX (thanks Aaron Madlon-Kay) |
228 | |
229 | Documented use with proxytunnel and corkscrew in |
230 | README. |
231 | |
232 | |
233 | v1.7: 01FEB2010 |
234 | Added CentOS init.d script (Andre Krajnik). |
235 | |
236 | Fixed default ssl address inconsistancy, now |
237 | defaults to "localhost:443" and fixed documentation |
238 | accordingly (pointed by Markus Schalke). |
239 | |
240 | Children no longer bind to the listen socket, so |
241 | parent server can be stopped without killing an |
242 | active child (pointed by Matthias Buecher). |
243 | |
244 | Inetd support (Dima Barsky). |
245 | |
246 | v1.6: 25APR2009 |
247 | Added -V, version option. |
248 | |
249 | Install target directory configurable in Makefile |
250 | |
251 | Changed syslog prefix in auth.log to "sslh[%pid]" |
252 | |
253 | Man page |
254 | |
255 | new 'make install' and 'make install-debian' targets |
256 | |
257 | PID file now specified using -P command line option |
258 | |
259 | Actually fixed zombie generation (the v1.5 patch got |
260 | lost, doh!) |
261 | |
262 | |
263 | v1.5: 10DEC2008 |
264 | Fixed zombie generation. |
265 | |
266 | Added support scripts (), Makefile. |
267 | |
268 | Changed all 'connexions' to 'connections' to please |
269 | pesky users. Damn users. |
270 | |
271 | v1.4: 13JUL2008 |
272 | Added libwrap support for ssh service (Christian Weinberger) |
273 | Only SSH is libwraped, not SSL. |
274 | |
275 | v1.3: 14MAY2008 |
276 | Added parsing for local interface to listen on |
277 | |
278 | Changed default SSL connection to port 442 (443 doesn't make |
279 | sense as a default as we're already listening on 443) |
280 | |
281 | Syslog incoming connections |
282 | |
283 | v1.2: 12MAY2008 |
284 | Fixed compilation warning for AMD64 (Thx Daniel Lange) |
285 | |
286 | v1.1: 21MAY2007 |
287 | Making sslhc more like a real daemon: |
288 | * If $PIDFILE is defined, write first PID to it upon startup |
289 | * Fork at startup (detach from terminal) |
290 | (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist) |
291 | * Less memory usage (?) |
292 | |
293 | v1.0: |
294 | Basic functionality: privilege dropping, target hostnames and ports |
295 | configurable. |
296 | |
297 | |
298 |
Built with git-ssb-web