
Releases: sonertari/SSLproxy

SSLproxy 0.9.5

27 Feb 19:03
  • Fix possible double free of host and serv variables, thanks to @disaykin
  • Fix possible integer overflow, thanks to @disaykin
  • Close fds only once, thanks to @disaykin
  • Fix memory leak, thanks to @disaykin
  • Handle ftell error, thanks to @disaykin
  • Fix mismatched call arguments, thanks to @disaykin
  • Fix memory leak in case of cert key mismatch, thanks to @disaykin
  • Fix file descriptor leak, thanks to @disaykin
  • Handle partial write, thanks to @disaykin
  • Handle return value of gmtime(), thanks to @disaykin
  • Fix double free bugs, thanks to @disaykin
    • Bugs found by Svace static analyzer
  • Fix possible segfault in proto smtp in split mode
  • Fix retval of privsep_server_opensock_verify(), thanks to @Qbog
  • Fix header-size calculation in IPv6 packet mirroring, thanks to @matoro
  • Fix e2e tests with openssl 3
  • Replace deprecated fail_unless() with ck_assert_msg() in unit tests

SSLproxy 0.9.4

30 Dec 10:12
  • Fix byte order for ports in mirror traffic, thanks to @piolug93.
  • Fix unit tests with opaque x509 struct.
  • Update testproxy version to 0.0.5.
  • Fix warning for array subscript outside array bounds in function declaration.

SSLproxy 0.9.3

10 May 08:49
  • Implement a generic upgrade mechanism with autossl, without STARTTLS.
  • Refactor and improve autossl and split mode.
  • Fix watermarking for underlying buffers in autossl.
  • Fix macOS header selection, update XNU headers for macOS, and re-enable osx on Travis CI.
  • Fix the natengine option passed in proxyspecs on command line.
  • Fix enabling of pcap and mirror logging.
  • Fix build errors with OpenSSL 3.x.

SSLproxy 0.9.2

15 Nov 18:27
  • Update with the license change of the Aho Corasick library to the LGPL.
  • Migrate to travis-ci.com.
  • Various fixes and improvements.

SSLproxy 0.9.1

07 Nov 20:16
  • Add structured filtering rules:

    FilterRule {
        Action (Divert|Split|Pass|Block|Match)
    
        # From
        User (username[*]|$macro|*)  # inline
        Desc (desc[*]|$macro|*)      # comments
        SrcIp (clientip[*]|$macro|*) # allowed
    
        # To
        SNI (servername[*]|$macro|*)
        CN (commonname[*]|$macro|*)
        Host (host[*]|$macro|*)
        URI (uri[*]|$macro|*)
        DstIp (serverip[*]|$macro|*)
        DstPort (serverport[*]|$macro|*)
    
        # Multiple Log lines allowed
        Log ([!]connect|[!]master|[!]cert|[!]content|[!]pcap|[!]mirror|$macro|[!]*)
    
        ReconnectSSL (yes|no)
    
        # Connection options
        DenyOCSP (yes|no)
        Passthrough (yes|no)
        CACert ca.crt
        CAKey ca.key
        ClientCert client.crt
        ClientKey client.key
        CAChain chain.crt
        LeafCRLURL http://example.com/example.crl
        DHGroupParams dh.pem
        ECDHCurve prime256v1
        SSLCompression (yes|no)
        ForceSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
        DisableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
        EnableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
        MinSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
        MaxSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
        Ciphers MEDIUM:HIGH
        CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
        RemoveHTTPAcceptEncoding (yes|no)
        RemoveHTTPReferer (yes|no)
        VerifyPeer (yes|no)
        AllowWrongHost (yes|no)
        UserAuth (yes|no)
        UserTimeout 300
        UserAuthURL https://192.168.0.1/userdblogin.php
        ValidateProto (yes|no)
        MaxHTTPHeaderSize 8192
    }
    

    Structured filtering rules can specify every available connection option
    and apply those options selectively to the connections a rule matches,
    rather than only per-proxyspec or globally. One-line filtering rules cannot
    specify connection options.

  • Add -B EnableSSLProto config option.
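
As an added stand-alone checker, not SSLproxy's own configuration parser, the Python below reads one structured FilterRule block in the grammar shown above and rejects anything outside it: unknown option names (typos such as `Passthru`), values other than yes/no or the listed protocol names, and unknown Log flags. It handles the structured 0.9.1 syntax only, and treating option names as case-sensitive is an assumption, as is the constructed SAMPLE_RULE.

```python
import re

# Vocabulary taken from the FilterRule grammar in the 0.9.1 release notes.
YESNO = {"yes", "no"}
PROTOS = {"ssl2", "ssl3", "tls10", "tls11", "tls12", "tls13"}
LOGS = {"connect", "master", "cert", "content", "pcap", "mirror", "*"}
ALLOWED = {"Action": {"Divert", "Split", "Pass", "Block", "Match"}}
ALLOWED.update(dict.fromkeys(("ForceSSLProto", "DisableSSLProto", "EnableSSLProto",
                              "MinSSLProto", "MaxSSLProto"), PROTOS))
ALLOWED.update(dict.fromkeys(("ReconnectSSL", "DenyOCSP", "Passthrough", "SSLCompression",
                              "RemoveHTTPAcceptEncoding", "RemoveHTTPReferer", "VerifyPeer",
                              "AllowWrongHost", "UserAuth", "ValidateProto"), YESNO))
INTS = {"UserTimeout", "MaxHTTPHeaderSize"}
FREE = INTS | {"User", "Desc", "SrcIp", "SNI", "CN", "Host", "URI", "DstIp", "DstPort", "CACert",
               "CAKey", "ClientCert", "ClientKey", "CAChain", "LeafCRLURL", "DHGroupParams",
               "ECDHCurve", "Ciphers", "CipherSuites", "UserAuthURL"}

def parse_filter_rule(text):
    """Parse one 'FilterRule { ... }' block into a dict; anything outside the grammar raises."""
    m = re.search(r"FilterRule\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no 'FilterRule { ... }' block found")
    rule = {"Log": []}                                    # Log may appear more than once
    for raw in m.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()               # '#' starts a comment
        if not line:
            continue
        key, value, *_ = line.split(None, 1) + [""]       # value is "" when missing
        if key in ALLOWED:
            if value not in ALLOWED[key]:
                raise ValueError(f"{key}: {value!r} not in {sorted(ALLOWED[key])}")
            rule[key] = value == "yes" if ALLOWED[key] is YESNO else value
        elif key == "Log":                                # a leading '!' negates the flag
            flag = value[1:] if value.startswith("!") else value
            if flag not in LOGS and not flag.startswith("$"):   # $name is a Define macro
                raise ValueError(f"Log: unknown flag {value!r}")
            rule["Log"].append(value)
        elif key in FREE and value:
            rule[key] = int(value) if key in INTS else value    # non-numeric count raises
        else:                                             # catches typos such as 'Passthru'
            raise ValueError(f"unknown option or missing value: {line!r}")
    return rule

# Constructed sample rule (not taken from the project) for a quick run.
SAMPLE_RULE = """FilterRule {
    Action Divert        # inline comments are allowed
    Log connect
    Log !content
    VerifyPeer yes
}"""
```

Running `parse_filter_rule(SAMPLE_RULE)` returns the parsed options with `Log` as a list and `VerifyPeer` as a bool; feeding it a rule with a misspelt option or an unsupported protocol name raises ValueError instead of silently ignoring the line.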

SSLproxy 0.9.0

21 Oct 12:58
  • Add filtering rules:

    (Divert|Split|Pass|Block|Match)
     ([from (
         user (username[*]|$macro|*) [desc (desc[*]|$macro|*)]|
         desc (desc[*]|$macro|*)|
         ip (clientip[*]|$macro|*)|
         *)]
      [to (
         (sni (servername[*]|$macro|*)|
          cn (commonname[*]|$macro|*)|
          host (host[*]|$macro|*)|
          uri (uri[*]|$macro|*)|
          ip (serverip[*]|$macro|*)) [port (serverport[*]|$macro|*)]|
         port (serverport[*]|$macro|*)|
         *)]
      [log ([[!]connect] [[!]master] [[!]cert]
            [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)]
      |*) [# comment]
    
  • Add Define config option for defining macros to be used in filtering rules.

  • Add Include config option for loading configuration from an include file.

  • Add -Q test config option.

  • Various fixes and improvements.

Note: The UTMFW project provides the SSLproxy Rule Editor, SPRE, which can be used to configure proxyspecs, filtering rules, and options, similar to the PF Rule Editor, PFRE, for OpenBSD/pf.

SSLproxy 0.8.6

09 Sep 10:46

This release focuses on PassSite rules:

  • Use a new data structure for passsite filters, which should considerably improve the performance of passsite search
  • Add support for passsite substring match, along with exact match
  • Fix a multithreading issue in passsite search
  • Fix passsite in split mode
  • And a variety of other improvements

PassSite rules can be used to pass certain SSL/TLS sites through sslproxy without diverting or splitting them. For example, many system services or applications on Android smartphones cannot connect to the Internet from behind sslproxy, because they reject the certificates forged by sslproxy, and adding the CA certificate used with sslproxy to the trusted CAs of the Android smartphone may not solve the problem. In such cases, you can use PassSite rules that engage passthrough mode for the target sites those applications are trying to reach, such as Google, Facebook, WhatsApp, Twitter, LinkedIn, and others.

So, SSLproxy can work around such certificate issues thanks to the improved PassSite feature. However, PassSite rules should be used as a last resort, because connections to those target sites can neither be deep-inspected (divert) nor have their content logged (divert/split) in passthrough mode.

SSLproxy 0.8.5

02 Sep 19:38

This is a bugfix release:

  • This release fixes possible crashes in split mode, passthrough mode, and autossl.
  • Passthrough mode in autossl seems impossible, but this release nevertheless fixes a crash that occurred when trying to engage passthrough in autossl.

SSLproxy 0.8.4

29 Aug 14:58

Add split mode of operation similar to SSLsplit. In split mode, packets are not diverted to listening programs, effectively making SSLproxy behave like SSLsplit. Split mode can be defined globally or per-proxyspec.

SSLproxy 0.8.3

11 Feb 13:44
  • Improve UserAuth user control lists.
  • Improve documentation.