cel / sslh



Files: b108809a78dbedce34bf8dee060fd4a2e72480c8 / ChangeLog

vNEXT:
    Added USELIBPCRE to make use of regex engine
    optional.

    Added support for RFC4366 SNI
    (Travis Burtrum)

    Changed configuration file format: 'probe' field is
    no longer required, 'name' field can now contain
    'sni' or 'regex', with corresponding options (see
    example.org)

v1.17: 09MAR2015
    Support RFC5952-style IPv6 addresses, e.g. [::]:443.

    Transparent proxy support for FreeBSD.
    (Ruben van Staveren)

    Using -F with no argument will try
    /etc/sslh/sslh.cfg and then /etc/sslh.cfg as
    configuration files. (argument to -F can no longer
    be separated from the option by a space, e.g. must
    be -Ffoo.cfg)

    Call setgroups() before setgid() (fixes potential
    privilege escalation).
    (Lars Vogdt)

    Use portable way of getting modified time for OSX
    support.
    (Aaron Madlon-Kay)

    Example configuration for fail2ban.
    (Every Mouw)

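The v1.17 entry "Call setgroups() before setgid()" is about the order of calls when a daemon started as root drops to an unprivileged user. The C code below is an added example, not sslh's code: `struct priv_ops`, `drop_privileges()`, `traced_drop()` and the ids 65534 are assumptions made here so that the ordering can be exercised without root.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Indirection table (an assumption of this example, not sslh's design) so the
 * call order can be checked without root by swapping in recording stubs. */
struct priv_ops {
    int (*set_groups)(size_t n, const gid_t *list);
    int (*set_gid)(gid_t gid);
    int (*set_uid)(uid_t uid);
};
static int real_setgroups(size_t n, const gid_t *l) { return setgroups(n, l); }
const struct priv_ops real_ops = { real_setgroups, setgid, setuid };

/* Drop from root to uid/gid. setgid() leaves root's supplementary groups in
 * place and they cannot be changed once setuid() has given up root, so they
 * are replaced first. Returns 0, or the step that failed (caller must exit). */
int drop_privileges(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_groups(1, &gid) != 0) return 1; /* 1. supplementary groups */
    if (ops->set_gid(gid) != 0) return 2;        /* 2. primary group */
    if (ops->set_uid(uid) != 0) return 3;        /* 3. uid last: gives up root */
    return 0;
}

/* Recording stubs (constructed for the example): log each call, fail on demand. */
char call_trace[64];
static int fail_at;
static int step(const char *name, int n) { strcat(call_trace, name); return n == fail_at ? -1 : 0; }
static int t_groups(size_t n, const gid_t *l) { (void)n; (void)l; return step("setgroups ", 1); }
static int t_gid(gid_t g) { (void)g; return step("setgid ", 2); }
static int t_uid(uid_t u) { (void)u; return step("setuid ", 3); }

/* Run drop_privileges() against the stubs; fail_step 0 means every call succeeds. */
int traced_drop(int fail_step)
{
    const struct priv_ops stub = { t_groups, t_gid, t_uid };
    call_trace[0] = '\0';
    fail_at = fail_step;
    return drop_privileges(&stub, 65534, 65534); /* constructed sample ids */
}

int main(void)
{
    printf("rc=%d order=%s\n", traced_drop(0), call_trace);
    return 0;
}
```

In a daemon, pass `&real_ops` with the uid and gid looked up for the target user, and exit if the return value is non-zero.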
v1.16: 11FEB2014
    Probes made more resilient to incoming data
    containing NULLs. Also made them behave properly
    when receiving too short packets to probe on the
    first incoming packet.
    (Ondrej Kuzník)

    Libcap support: Keep only CAP_NET_ADMIN if started
    as root with transparent proxying and dropping
    privileges (enable USELIBCAP in Makefile). This
    avoids having to mess with filesystem capabilities.
    (Sebastian Schmidt/yath)

    Fixed bugs related to getpeername that would cause
    sslh to quit erroneously (getpeername can return
    actual errors if connections are dropped before
    getting to getpeername).

    Set IP_FREEDBIND if available to bind to addresses
    that don't yet exist.

v1.15: 27JUL2013
    Added --transparent option for transparent proxying.
    See README for iptables magic and capability
    management.

    Fixed bug in sslh-select: if the number of open file
    descriptors became bigger than FD_SETSIZE, bad things
    would happen.

    Fixed bug in sslh-select: if socket dropped while
    deferred_data was present, sslh-select would crash.

    Increased FD_SETSIZE for Cygwin, as the default 64
    is too low for even moderate load.

v1.14: 21DEC2012
    Corrected OpenVPN probe to support pre-shared secret
    mode (OpenVPN port-sharing code is... wrong). Thanks
    to Kai Ellinger for help in investigating and
    testing.

    Added an actual TLS/SSL probe.

    Added configurable --on-timeout protocol
    specification.

    Added a --anyprot protocol probe (equivalent to what
    --ssl was).

    Makefile respects the user's compiler and CFLAG
    choices (falling back to the current values if
    undefined), as well as LDFLAGS.
    (Michael Palimaka)

    Added "After" and "KillMode" to systemd.sslh.service
    (Thomas Weißschuh).

    Added LSB tags to etc.init.d.sslh
    (Thomas Varis).

v1.13: 18MAY2012
    Write PID file before dropping privileges.

    Added --background, which overrides 'foreground'
    configuration file setting.

    Added example systemd service file from Archlinux in
    scripts/
    https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
    (Sébastien Luttringer)

v1.12: 08MAY2012
    Added support for configuration file.

    New protocol probes can be defined using regular
    expressions that match the first packet sent by the
    client.

    sslh now connects timed out connections to the first
    configured protocol instead of 'ssh' (just make sure
    ssh is the first defined protocol).

    sslh now tries protocols in the order in which they
    are defined (just make sure sslh is the last defined
    protocol).

v1.11: 21APR2012
    WARNING: defaults have been removed for --user and
    --pidfile options, update your start-up scripts!

    No longer stop sslh when reverse DNS requests fail
    for logging.

    Added HTTP probe.

    No longer create new session if running in
    foreground.

    No longer default to changing user to 'nobody'. If
    --user isn't specified, just run as current user.

    No longer create PID file by default, it should be
    explicitly set with --pidfile.

    No longer log to syslog if in foreground. Logs are
    instead output to stderr.

    The four changes above make it straightforward to
    integrate sslh with systemd, and should help with
    launchd.

v1.10: 27NOV2011
    Fixed calls referring to sockaddr length so they work
    with FreeBSD.

    Try target addresses in turn until one works if
    there are several (e.g. "localhost:22" resolves to
    an IPv6 address and an IPv4 address and sshd does
    not listen on IPv6).

    Fixed sslh-fork so killing the head process kills
    the listener processes.

    Heavily cleaned up test suite. Added stress test
    t_load script. Added coverage (requires lcov).

    Support for XMPP (Arnaud Gendre).

    Updated README.MacOSX (Aaron Madlon-Kay).

v1.9: 02AUG2011
    WARNING: This version does not work with FreeBSD and
    derivatives!

    WARNING: Options changed, you'll need to update your
    start-up scripts! Log format changed, you'll need to
    update log processing scripts!

    Now supports IPv6 throughout (both on listening and
    forwarding)

    Logs now contain IPv6 addresses, local forwarding
    address, and resolves names (unless --numeric is
    specified).

    Introduced long options.

    Options -l, -s and -o replaced by their long
    counterparts.

    Defaults for SSL and SSH options suppressed (it's
    legitimate to want to use sslh to mux OpenVPN and
    tinc while not caring about SSH nor SSL).

    Bind to multiple addresses with multiple -p options.

    Support for tinc VPN (experimental).

    Numeric logging option.

v1.8: 15JUL2011
    Changed log format to make it possible to link
    connections to subsequent logs from other services.

    Updated CentOS init.d script (Andre Krajnik).

    Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not
    propagated to the child process, so we set up signals after
    the fork.) (François FRITZ)

    Added -o "OpenVPN" and OpenVPN probing and support.

    Added single-threaded, select(2)-based version.

    Added support for "Bold" SSH clients (clients that speak first)
    Thanks to Guillaume Ricaud for spotting a regression
    bug.

    Added -f "foreground" option.

    Added test suite (only tests connections; no test for libwrap,
    setsid, setuid and so on) and corresponding 'make
    test' target.

    Added README.MacOSX (thanks Aaron Madlon-Kay)

    Documented use with proxytunnel and corkscrew in
    README.

v1.7: 01FEB2010
    Added CentOS init.d script (Andre Krajnik).

    Fixed default ssl address inconsistency, now
    defaults to "localhost:443" and fixed documentation
    accordingly (pointed out by Markus Schalke).

    Children no longer bind to the listen socket, so
    parent server can be stopped without killing an
    active child (pointed out by Matthias Buecher).

    Inetd support (Dima Barsky).

v1.6: 25APR2009
    Added -V, version option.

    Install target directory configurable in Makefile

    Changed syslog prefix in auth.log to "sslh[%pid]"

    Man page

    new 'make install' and 'make install-debian' targets

    PID file now specified using -P command line option

    Actually fixed zombie generation (the v1.5 patch got
    lost, doh!)

v1.5: 10DEC2008
    Fixed zombie generation.

    Added support scripts (), Makefile.

    Changed all 'connexions' to 'connections' to please
    pesky users. Damn users.

v1.4: 13JUL2008
    Added libwrap support for ssh service (Christian Weinberger)
    Only SSH is libwrapped, not SSL.

v1.3: 14MAY2008
    Added parsing for local interface to listen on

    Changed default SSL connection to port 442 (443 doesn't make
    sense as a default as we're already listening on 443)

    Syslog incoming connections

v1.2: 12MAY2008
    Fixed compilation warning for AMD64 (Thx Daniel Lange)

v1.1: 21MAY2007
    Making sslhc more like a real daemon:
    * If $PIDFILE is defined, write first PID to it upon startup
    * Fork at startup (detach from terminal)
    (thanks to http://www.enderunix.org/docs/eng/daemon.php -- good checklist)
    * Less memory usage (?)

v1.0:
    Basic functionality: privilege dropping, target hostnames and ports
    configurable.
