Commit Graph

30 Commits (9d435e180cab753d14a05fc23ad9d36316e3271f)

Author SHA1 Message Date
Soner Tari 9d435e180c Update with SSLsplit 0.5.2 and develop branch changes as of 270218 6 years ago
Soner Tari 4c8831bd90 Update with SSLsplit 0.5.1 changes, fix LibreSSL version issues
Add VerifyPeer and AllowWrongHost options
6 years ago
Soner Tari a1c5d05143 Add support for log priority to error logs, so syslogd prints the correct prio for error logs now 7 years ago
Soner Tari 077e97dbba Add more CRITICAL error logs
Fix some logs
Clean-up
7 years ago
Soner Tari 67ddee1585 Import sslsplit-devel changes
Add stats logs, initial
Add SSLproxy_SrcAddr header field
Clean-up
7 years ago
Soner Tari d033ea68dd Plain TCP version is running well enough; next will try to switch the SSL on 7 years ago
Daniel Roethlisberger 0506024587 Update copyright notices to 2016 8 years ago
Daniel Roethlisberger 91da4674e5 Update copyright, license and tagline
-   Update copyright to 2015
-   Remove the non-standard "unmodified" from the 2-clause BSD license
-   Remove scalable from the tagline to avoid misinterpretations
9 years ago
Daniel Roethlisberger b8213e756d Merge branch 'feature/privsep' into develop
Conflicts:
	NEWS.md
	main.c
	sslsplit.1
10 years ago
Daniel Roethlisberger f076336e0b Don't allow -u on Mac OS X with pf proxyspecs
Apple checks EUID==0 on ioctl(/dev/pf), whereas OpenBSD and FreeBSD only
check permissions on open(/dev/pf).  This means that on OS X, it is not
possible to open /dev/pf, drop privileges, and send an ioctl to the file
descriptor opened earlier with EUID==0.  It also means Apple broke the
Unix way of dealing with device nodes - why are there file permissions
on /dev/pf when they later enforce EUID==0 on use, thereby breaking
basic Unix mechanisms?  Work around this by disallowing -u with pf
proxyspecs and by not automatically dropping to nobody on Mac OS X.

Issue:		#65
Reported by:	Vladimir Marteev
10 years ago
Daniel Roethlisberger c01ace1261 Introduce privilege separation architecture
Fork into a monitor parent process and an actual proxy child process,
communicating over AF_UNIX sockets.  Certain privileged operations are
performed through the privileged parent process, like opening log files
or listener sockets, while all other operations happen in the child
process, which can now drop its privileges without side-effects for
log file opening and other privileged operations.  This is also a
preparation for -l/-L logfile reopening through SIGUSR1.

This means that -S and -F are no longer relative to chroot() if used
with -j.  This is a deliberate POLA violation.
10 years ago
Daniel Roethlisberger 352b199166 Remove spurious space in netfilter output 10 years ago
Daniel Roethlisberger 6adaf00540 Fix pid_t removal for non-pf engines 10 years ago
Daniel Roethlisberger c3922d9852 Refactor process lookup out of NAT engine code
Local process lookup is independent of the NAT engine used; it depends
only on the operating system's process enumeration API.  Moving the code
out of NAT lookup also makes it work for static and SNI proxyspecs.
10 years ago
Daniel Roethlisberger 18aca24a2c Return 0 with pid -1 if no process matches 10 years ago
Daniel Roethlisberger 8c21170cd3 Break lines to 80 cols 10 years ago
Daniel Roethlisberger d9d8674792 Fix memory leak in libproc lookup code 10 years ago
Landon Fuller 9204418c80 Thread pid lookup support through the NAT API.
This exposes the pid lookup code as a standard attribute
of NAT lookup -- if a matching process cannot be found,
or if pid lookup isn't supported by the NAT backend,
a pid of -1 is returned.

This also adds the local_pid to the pxyconn context; this
will be used to populate log strings.
10 years ago
Landon Fuller bcc74385ab Log the full process path, rather than the MAXCOMLEN-max process name. 10 years ago
Landon Fuller 55e8da7653 Wire up lookup of the local process/socket originating the proxied connection.
This uses Mac OS X's libproc to find the first process that owns
a matching socket. Currently, the results are simply logged;
the next step will be exposing this generically via
the NAT engine lookup API.
10 years ago
Landon Fuller 7a5147cddf Add libproc to the build configuration. 10 years ago
Daniel Roethlisberger a42db4d3fe Also undefine rdport in Mac pf support hack 11 years ago
Daniel Roethlisberger 6643d832d9 Add experimental support for pf on Mac OS X
Support pf rdr on Mac OS X 10.7, 10.8 and 10.9 by including the missing
Apple headers in the source tree and enabling private Apple code.  Since
we are using an interface marked private by Apple, this code is very
experimental.

Issue:		#15
Reported by:	Amit Chowdhary
11 years ago
Daniel Roethlisberger ca923ee7f1 Update copyright notices to 2014 11 years ago
Daniel Roethlisberger c972501063 Update copyright notices 11 years ago
Daniel Roethlisberger 6b4b121da2 Fix address family check in netfilter NAT lookup
Use src_addr instead of the (yet to be set) dst_addr for determining the
address family.  Fixes issue #4.
12 years ago
Daniel Roethlisberger 6106940e0c Omit nat_getsockname_lookup_cb() unless it is used 12 years ago
Daniel Roethlisberger fda4f57aa7 Remove unused IPv6 code for netfilter NAT engine 12 years ago
Daniel Roethlisberger f76077c00f Undefine IPv6 compat defs to fix nat_version()
For Linux netfilter, IPV6_ORIGINAL_DST and SOL_IPV6 are defined to
SO_ORIGINAL_DST and SOL_IP respectively if they are not defined by the
system headers (they aren't defined on vanilla kernels).  Undefine these
compatibility definitions after use, in order not to mess up the
diagnostic output of nat_version().
12 years ago
Daniel Roethlisberger 4cfdef405a Initial import of sslsplit-0.4.2 12 years ago