Tree: aa06261d70509eb5a571937d5e3d5c41e11f193d

Files: aa06261d70509eb5a571937d5e3d5c41e11f193d / ChangeLog

	Added 'syslog_facility' configuration option to
	specify where to log.

v1.18: 29MAR2016
	Added USELIBPCRE to make use of regex engine
	optional.

	Added support for RFC4366 SNI and RFC7301 ALPN
	(Travis Burtrum)

	Changed connection log to include the name of the probe that
	triggered.

	Changed configuration file format: 'probe' field is
	no longer required, 'name' field can now contain
	'tls' or 'regex', with corresponding options (see
	example.cfg)
	Added 'log_level' option to each protocol, which
	allows turning off log generation at each
	connection.
	Added 'keepalive' option.

v1.17: 09MAR2015
	Support RFC5952-style IPv6 addresses, e.g. [::]:443.

	Transparent proxy support for FreeBSD.
	(Ruben van Staveren)

	Using -F with no argument will try
	/etc/sslh/sslh.cfg and then /etc/sslh.cfg as
	configuration files. (argument to -F can no longer
	be separated from the option by a space, e.g. must
	be -Ffoo.cfg)

	Call setgroups() before setgid() (fixes potential
	privilege escalation).
	(Lars Vogdt)

	Use portable way of getting modified time for OSX
	support.
	(Aaron Madlon-Kay)

	Example configuration for fail2ban.
	(Every Mouw)

v1.16: 11FEB2014
	Probes made more resilient to incoming data
	containing NULLs. Also made them behave properly
	when receiving too short packets to probe on the
	first incoming packet.
	(Ondrej Kuzník)

	Libcap support: Keep only CAP_NET_ADMIN if started
	as root with transparent proxying and dropping
	privileges (enable USELIBCAP in Makefile). This
	avoids having to mess with filesystem capabilities.
	(Sebastian Schmidt/yath)

	Fixed bugs related to getpeername that would cause
	sslh to quit erroneously (getpeername can return
	actual errors if connections are dropped before
	getting to getpeername).

	Set IP_FREEDBIND if available to bind to addresses
	that don't yet exist.

v1.15: 27JUL2013
	Added --transparent option for transparent proxying.
	See README for iptables magic and capability
	management.

	Fixed bug in sslh-select: if the number of open file
	descriptors became bigger than FD_SETSIZE, bad things
	would happen.

	Fixed bug in sslh-select: if socket dropped while
	deferred_data was present, sslh-select would crash.

	Increased FD_SETSIZE for Cygwin, as the default 64
	is too low for even moderate load.

v1.14: 21DEC2012
	Corrected OpenVPN probe to support pre-shared secret
	mode (OpenVPN port-sharing code is... wrong). Thanks
	to Kai Ellinger for help in investigating and
	testing.

	Added an actual TLS/SSL probe.

	Added configurable --on-timeout protocol
	specification.

	Added a --anyprot protocol probe (equivalent to what
	--ssl was).

	Makefile respects the user's compiler and CFLAG
	choices (falling back to the current values if
	undefined), as well as LDFLAGS.
	(Michael Palimaka)

	Added "After" and "KillMode" to systemd.sslh.service
	(Thomas Weißschuh).

	Added LSB tags to etc.init.d.sslh
	(Thomas Varis).

v1.13: 18MAY2012
	Write PID file before dropping privileges.

	Added --background, which overrides 'foreground'
	configuration file setting.

	Added example systemd service file from Archlinux in
	scripts/
	https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
	(Sébastien Luttringer)

v1.12: 08MAY2012
	Added support for configuration file.

	New protocol probes can be defined using regular
	expressions that match the first packet sent by the
	client.

	sslh now connects timed out connections to the first
	configured protocol instead of 'ssh' (just make sure
	ssh is the first defined protocol).

	sslh now tries protocols in the order in which they
	are defined (just make sure sslh is the last defined
	protocol).

v1.11: 21APR2012
	WARNING: defaults have been removed for --user and
	--pidfile options, update your start-up scripts!

	No longer stop sslh when reverse DNS requests fail
	for logging.

	Added HTTP probe.

	No longer create new session if running in
	foreground.

	No longer default to changing user to 'nobody'. If
	--user isn't specified, just run as current user.

	No longer create PID file by default, it should be
	explicitly set with --pidfile.

	No longer log to syslog if in foreground. Logs are
	instead output to stderr.

	The four changes above make it straightforward to
	integrate sslh with systemd, and should help with
	launchd.

v1.10: 27NOV2011
	Fixed calls referring to sockaddr length so they work
	with FreeBSD.

	Try target addresses in turn until one works if
	there are several (e.g. "localhost:22" resolves to
	an IPv6 address and an IPv4 address and sshd does
	not listen on IPv6).

	Fixed sslh-fork so killing the head process kills
	the listener processes.

	Heavily cleaned up test suite. Added stress test
	t_load script. Added coverage (requires lcov).

	Support for XMPP (Arnaud Gendre).

	Updated README.MacOSX (Aaron Madlon-Kay).

v1.9: 02AUG2011
	WARNING: This version does not work with FreeBSD and
	derivatives!

	WARNING: Options changed, you'll need to update your
	start-up scripts! Log format changed, you'll need to
	update log processing scripts!

	Now supports IPv6 throughout (both on listening and
	forwarding)

	Logs now contain IPv6 addresses, local forwarding
	address, and resolves names (unless --numeric is
	specified).

	Introduced long options.

	Options -l, -s and -o replaced by their long
	counterparts.

	Defaults for SSL and SSH options suppressed (it's
	legitimate to want to use sslh to mux OpenVPN and
	tinc while not caring about SSH nor SSL).

	Bind to multiple addresses with multiple -p options.

	Support for tinc VPN (experimental).

	Numeric logging option.

v1.8: 15JUL2011
	Changed log format to make it possible to link
	connections to subsequent logs from other services.

	Updated CentOS init.d script (Andre Krajnik).

	Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
	propagated to the child process, so we set up signals after
	the fork.) (François FRITZ)

	Added -o "OpenVPN" and OpenVPN probing and support.

	Added single-threaded, select(2)-based version.

	Added support for "Bold" SSH clients (clients that speak first)
	Thanks to Guillaume Ricaud for spotting a regression
	bug.

	Added -f "foreground" option.

	Added test suite. (only tests connections. No test for libwrap,
	setsid, setuid and so on) and corresponding 'make
	test' target.

	Added README.MacOSX (thanks Aaron Madlon-Kay)

	Documented use with proxytunnel and corkscrew in
	README.

v1.7: 01FEB2010
	Added CentOS init.d script (Andre Krajnik).

	Fixed default ssl address inconsistency, now
	defaults to "localhost:443" and fixed documentation
	accordingly (pointed by Markus Schalke).

	Children no longer bind to the listen socket, so
	parent server can be stopped without killing an
	active child (pointed by Matthias Buecher).

	Inetd support (Dima Barsky).

v1.6: 25APR2009
	Added -V, version option.

	Install target directory configurable in Makefile

	Changed syslog prefix in auth.log to "sslh[%pid]"

	Man page

	new 'make install' and 'make install-debian' targets

	PID file now specified using -P command line option

	Actually fixed zombie generation (the v1.5 patch got
	lost, doh!)

v1.5: 10DEC2008
	Fixed zombie generation.

	Added support scripts (), Makefile.

	Changed all 'connexions' to 'connections' to please
	pesky users. Damn users.

v1.4: 13JUL2008
	Added libwrap support for ssh service (Christian Weinberger)
	Only SSH is libwrapped, not SSL.

v1.3: 14MAY2008
	Added parsing for local interface to listen on

	Changed default SSL connection to port 442 (443 doesn't make
	sense as a default as we're already listening on 443)

	Syslog incoming connections

v1.2: 12MAY2008
	Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
	Making sslhc more like a real daemon:
	* If $PIDFILE is defined, write first PID to it upon startup
	* Fork at startup (detach from terminal)
	(thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
	* Less memory usage (?)

v1.0:
	Basic functionality: privilege dropping, target hostnames and ports
	configurable.
