Tags: ictus4u/sslh

v2.0-rc2

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
Vulnerability fix:

Same as v2.0-rc1, with a few bugfixes and correction for
CVE-2022-4639.

v2.0-rc1

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
New sslh-ev: this is functionally equivalent to sslh-select (mono-process, only forks for specified protocols), but based on libev, which should make it scalable to large numbers of connections.

New log system: instead of --verbose with arbitrary levels, there are now several message classes. Each message class can be set to go to stderr, syslog, or both. Classes are documented in example.cfg.

UDP connections are now managed in a hash to avoid linear searches. The downside is that the number of UDP connections is a hard limit, configurable with the 'udp_max_connections' setting, which defaults to 1024. Timeouts are managed with lists.
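
An added example (not sslh's code) in C of the data structure the note above describes: a fixed-size hash keyed on the sender, a hard cap that stands in for udp_max_connections, and an activity-ordered list that expires idle senders after udp_timeout seconds. The IPv4-only key, open addressing with tombstones, the 60-second default and the choice to refuse new senders once the table is full are assumptions of this example; what sslh itself does at the limit is not stated in the note:

```c
/* Added example, not sslh's own code. The key layout, open addressing
 * with tombstones and the refuse-when-full policy are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_MAX_CONNECTIONS 4   /* tiny cap so the example can fill it */
#define UDP_TIMEOUT 60          /* seconds, the default quoted in v1.22 */

struct udp_key { uint32_t addr; uint16_t port; };

struct udp_cnx {
    struct udp_key key;
    int state;                    /* 0 empty, 1 live, 2 tombstone */
    long last_seen;               /* seconds, clock supplied by the caller */
    struct udp_cnx *prev, *next;  /* activity list, least recent at head */
};

static struct udp_cnx table[UDP_MAX_CONNECTIONS];
static struct udp_cnx *lru_head, *lru_tail;
static size_t n_live;

static size_t slot_of(struct udp_key k)
{
    uint32_t h = (k.addr * 2654435761u) ^ ((uint32_t)k.port << 16);
    return h % UDP_MAX_CONNECTIONS;
}

static void list_unlink(struct udp_cnx *c)
{
    if (c->prev) c->prev->next = c->next; else lru_head = c->next;
    if (c->next) c->next->prev = c->prev; else lru_tail = c->prev;
    c->prev = c->next = NULL;
}

static void list_append(struct udp_cnx *c)
{
    c->prev = lru_tail; c->next = NULL;
    if (lru_tail) lru_tail->next = c; else lru_head = c;
    lru_tail = c;
}

/* Find a live entry for this sender, or NULL. Probing continues past
 * tombstones so deletions do not break other keys' probe chains. */
static struct udp_cnx *udp_find(struct udp_key k)
{
    size_t s = slot_of(k);
    for (size_t n = 0; n < UDP_MAX_CONNECTIONS; n++) {
        struct udp_cnx *c = &table[(s + n) % UDP_MAX_CONNECTIONS];
        if (c->state == 0) return NULL;
        if (c->state == 1 && c->key.addr == k.addr && c->key.port == k.port) return c;
    }
    return NULL;
}

/* Called for every datagram: refresh the sender's entry or create one.
 * Returns NULL when the sender is new and the hard limit is reached. */
static struct udp_cnx *udp_touch(struct udp_key k, long now)
{
    struct udp_cnx *c = udp_find(k);
    if (c) { c->last_seen = now; list_unlink(c); list_append(c); return c; }
    if (n_live >= UDP_MAX_CONNECTIONS) return NULL;
    size_t s = slot_of(k);
    for (size_t n = 0; n < UDP_MAX_CONNECTIONS; n++) {
        c = &table[(s + n) % UDP_MAX_CONNECTIONS];
        if (c->state == 1) continue;            /* reuse empty or tombstone */
        c->key = k; c->state = 1; c->last_seen = now;
        list_append(c); n_live++;
        return c;
    }
    return NULL;
}

/* Drop senders idle for UDP_TIMEOUT or longer. The list is ordered by last
 * activity, so the walk stops at the first entry that is still fresh. */
static size_t udp_expire(long now)
{
    size_t freed = 0;
    while (lru_head && now - lru_head->last_seen >= UDP_TIMEOUT) {
        struct udp_cnx *c = lru_head;
        list_unlink(c);
        c->state = 2; n_live--; freed++;
    }
    return freed;
}

static size_t udp_count(void) { return n_live; }

int main(void)
{
    for (uint16_t p = 5001; p <= 5005; p++)     /* the fifth sender hits the cap */
        printf("port %u: %s\n", p,
               udp_touch((struct udp_key){0x0a000001, p}, p - 5001) ? "tracked" : "refused");
    size_t freed = udp_expire(60);
    printf("expired at t=60: %zu, still live: %zu\n", freed, udp_count());
    return 0;
}
```

The cap bounds memory whatever a sender does, but it also means a flood of spoofed UDP sources can keep the table full until entries time out, so udp_max_connections and udp_timeout need to be tuned together rather than in isolation.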

inetd merges stderr output to what is sent to the client, which is a security issue as it might give information to an attacker. When inetd is activated, stderr is forcibly closed.

New protocol-level option `resolve_on_forward` requests that target names be resolved at each connection instead of at startup. Useful for dynamic DNS situations. (Paul Schroeder/milkpirate)

v1.22c

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
Fix yrutschle#302: sslh will corrupt memory for platforms where sizeof(void*) != sizeof(struct listen_endpoint).

v1.22b

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
v1.22: 17AUG2021

	sslh-select now supports UDP protocols.
	Probes specified in the `protocols`
	configuration entry are tried on incoming packets,
	TCP or UDP, and forwarded based on the input
	protocol (an incoming TCP connection will be
	forwarded as TCP, and same with UDP).
	This has been tested with DNS as shown in udp.cfg:
	incoming packets that contain my domain name are
	assumed to be a DNS request and forwarded
	accordingly. Note this could cause problems if
	combined with incoming TLS with SNI.  UDP clients
	and servers need to agree on the IPv4/IPv6 they use:
	use the same protocol on all sides! Often, this
	means explicitly using 'ip4-localhost'.
	UDP sender-receiver pairs (connections, so to speak)
	are kept for 60s, which can be changed with
	`udp_timeout` in the configuration.

	Added probes for UDP protocols QUIC and Teamspeak.

	Added probes for syslog protocol.

	sslh-select refactored to change linear searches
	through connections to linear searches through
	fd_set.

	Fixed a libconfig call to support libconfig 1.7.3.

	Added symbol to support libconfig 1.4.9, still in
	use in CentOS7.

	Warn about unknown settings in the configuration
	file.

	Added per-protocol `transparent` option. sslh-fork
	drops the capability after creating the server-side
	transparent socket. Transparent now uses CAP_NET_RAW
	instead of CAP_NET_ADMIN.

	Removed compile-time option to use POSIX regex. Now
	regex must be PCRE2 (Perl-Compatible). This was in
	fact the case since v1.21, as PCRE are used to parse
	the config file.

v1.22

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
v1.22: 17AUG2021

 (tag message identical to the one shown under v1.22b above)

v1.21c

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
Removed support for 'ssl' and fix a related segfault bug.

v1.21b

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
Added TCP_FASTOPEN support for client sockets (if tfo_ok is specified in their configuration) and for the listening socket, if all client protocols support it. (Craig Andrews)

Added 'minlength' option to skip a probe if less than that many bytes have been received (mostly for regex)

Moved configuration and command-line management to use conf2struct. Changes are:
* command line option <-F|--config> no longer defaults to /etc/sslh.cfg, so you have to specify it explicitly.
* command line option <-v|--verbose> takes a mandatory integer parameter

Update Let's Encrypt entry in example.cfg for tls-alpn-01 challenges; tls-sni-* challenges are now deprecated.

Log to syslog even if in foreground (for people who use fail2ban)

Use syslog_facility: "none" to disable syslog output.

Changed exit code for illegal command line parameter from 1 to 6 (for testing purposes)

v1.21

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
Added TCP_FASTOPEN support for client sockets (if tfo_ok is
specified in their configuration) and for the listening socket,
if all client protocols support it.  (Craig Andrews)

Added 'minlength' option to skip a probe if less
than that many bytes have been received (mostly for
regex)

Moved configuration and command-line management to
use conf2struct. Hopefully this should be transparent
to users.

Update Let's Encrypt entry in example.cfg for tls-alpn-01
challenges; tls-sni-* challenges are now deprecated.

Log to syslog even if in foreground (for people who
use fail2ban)

Use syslog_facility: "none" to disable syslog
output.

v1.20

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
v1.20: 20NOV2018

	Added support for socks5 protocol (Eugene Protozanov)

	New probing method:
	Before, probes were tried in order, repeating on the
	same probe as long as it returned PROBE_AGAIN before
	moving to the next one. This means a probe which
	requires a lot of data (i.e. returns PROBE_AGAIN for
	a long time) could prevent successful matches from
	subsequent probes. The configuration file needed to
	take that into account.

	Now, all probes are tried each time new data is
	found. If any probe matches, use it. If at least one
	probe requires more data, wait for more. If all
	probes failed, connect to the last one. So the only
	thing to know when writing the configuration file is
	that 'anyprot' needs to be last.
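
An added example (not sslh's code, and not from this commit) in C of the probe scheduling described above, with the older stick-to-one-probe loop beside it for contrast. The PROBE_* values, the probe table, the toy TLS/SSH/HTTP probes and the convention that a NULL probe function marks the catch-all entry are assumptions of this example; the sample inputs are constructed, not captured traffic:

```c
/* Added example, not sslh's own code. PROBE_* values, struct probe_def and
 * the "fn == NULL marks the catch-all" convention are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum probe_result { PROBE_NEXT, PROBE_MATCH, PROBE_AGAIN };
typedef enum probe_result (*probe_fn)(const unsigned char *buf, size_t len);

/* TLS record header: content type 0x16 (handshake), version 0x03 0x0[0-3]. */
static enum probe_result is_tls(const unsigned char *p, size_t len)
{
    if (len >= 1 && p[0] != 0x16) return PROBE_NEXT;
    if (len >= 2 && p[1] != 0x03) return PROBE_NEXT;
    if (len >= 3 && p[2] > 0x03)  return PROBE_NEXT;
    return len >= 3 ? PROBE_MATCH : PROBE_AGAIN;
}

/* SSH identification string starts with "SSH-". */
static enum probe_result is_ssh(const unsigned char *p, size_t len)
{
    size_t n = len < 4 ? len : 4;
    if (memcmp(p, "SSH-", n) != 0) return PROBE_NEXT;
    return len >= 4 ? PROBE_MATCH : PROBE_AGAIN;
}

/* Deliberately greedy probe: it will not decide until it has a complete
 * CRLF-terminated request line, then looks for " HTTP/" inside it. */
static enum probe_result is_http(const unsigned char *p, size_t len)
{
    for (size_t i = 1; i < len; i++) {
        if (p[i - 1] != '\r' || p[i] != '\n') continue;
        for (size_t j = 0; j + 6 <= i - 1; j++)
            if (memcmp(p + j, " HTTP/", 6) == 0) return PROBE_MATCH;
        return PROBE_NEXT;
    }
    return PROBE_AGAIN;
}

struct probe_def { const char *name; probe_fn fn; };   /* fn == NULL: catch-all */
static const struct probe_def probes[] = {
    { "http",    is_http },   /* greedy probe listed first on purpose */
    { "ssh",     is_ssh  },
    { "tls",     is_tls  },
    { "anyprot", NULL    },   /* must be last: used only when all others fail */
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* Pre-1.20: stay on probe *pi for as long as it returns PROBE_AGAIN. */
static const char *select_old(size_t *pi, const unsigned char *buf, size_t len)
{
    for (; *pi < NPROBES; (*pi)++) {
        if (!probes[*pi].fn) return probes[*pi].name;
        enum probe_result r = probes[*pi].fn(buf, len);
        if (r == PROBE_MATCH) return probes[*pi].name;
        if (r == PROBE_AGAIN) return NULL;       /* blocked until more data */
    }
    return probes[NPROBES - 1].name;
}

/* 1.20: every probe sees every byte; first match wins, any PROBE_AGAIN
 * means wait, and the last entry is used only when all probes fail. */
static const char *select_new(const unsigned char *buf, size_t len)
{
    int again = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        if (!probes[i].fn) continue;
        enum probe_result r = probes[i].fn(buf, len);
        if (r == PROBE_MATCH) return probes[i].name;
        if (r == PROBE_AGAIN) again = 1;
    }
    return again ? NULL : probes[NPROBES - 1].name;
}

struct decision { const char *proto; size_t at; };   /* proto NULL: undecided */

/* Feed msg one byte at a time, like the test suite's "slow" mode. */
static struct decision probe_slowly(const unsigned char *msg, size_t len, int old_scheme)
{
    struct decision d = { NULL, 0 };
    size_t pi = 0;
    for (size_t n = 1; n <= len; n++) {
        const char *r = old_scheme ? select_old(&pi, msg, n) : select_new(msg, n);
        if (r) { d.proto = r; d.at = n; break; }
    }
    return d;
}

/* Constructed sample client openings (not captured traffic). */
static const unsigned char tls_hello[]  = { 0x16, 0x03, 0x01, 0x00, 0xc8, 0x01 };
static const unsigned char ssh_banner[] = "SSH-2.0-OpenSSH_9.6";   /* CRLF not sent yet */
static const unsigned char http_req[]   = "GET / HTTP/1.1\r\n";
static const unsigned char junk[]       = "hello\r\n";

int main(void)
{
    struct decision o = probe_slowly(ssh_banner, sizeof ssh_banner - 1, 1);
    struct decision n = probe_slowly(ssh_banner, sizeof ssh_banner - 1, 0);
    printf("old scheme: %s; new scheme: %s at byte %zu\n",
           o.proto ? o.proto : "stuck waiting for CRLF", n.proto, n.at);
    return 0;
}
```

The greedy HTTP probe is listed first on purpose: under the old loop a client that never sends a CRLF (an SSH banner, a TLS ClientHello) leaves it waiting for ever, while under the new loop the SSH and TLS probes decide on their own bytes regardless of what sits ahead of them. Because anyprot matches anything, the example keeps it out of the loop and uses it only once every other probe has returned PROBE_NEXT, which is why it has to be last.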

	Test suite heavily refactored; `t` uses `test.cfg`
	to decide which probes to test and all setup is
	automatic; probes get tested with 'fast' (entire
	first message in one packet) and 'slow' (one byte at
	a time); when SNI/ALPN are defined, all combinations
	are tested.

	Old 'tls' probe removed, 'sni_alpn' probe renamed as 'tls'.
	You'll need to change 'sni_alpn' to 'tls' in
	your configuration file, if ever you used it.

v1.19c

Verified

This tag was signed with the committer’s verified signature. The key has expired.
yrutschle Yves Rutschle
bug fix