New in sslh 1.17 (Mar 10, 2015)
- Support RFC5952-style IPv6 addresses, e.g. [::]:443.
- Transparent proxy support for FreeBSD. (Ruben van Staveren)
- Using -F with no argument will try /etc/sslh/sslh.cfg and then /etc/sslh.cfg as configuration files. (The argument to -F can no longer be separated from the option by a space, e.g. it must be written -Ffoo.cfg.)
- Call setgroups() before setgid() (fixes potential privilege escalation). (Lars Vogdt)
- Use portable way of getting modified time for OSX support. (Aaron Madlon-Kay)
- Example configuration for fail2ban. (Every Mouw)
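
The ordering behind the setgroups() entry above, as an added example (this is not sslh's own code): the supplementary group list has to be reset while the process can still do so, that is before setuid(), and the result is verified afterwards. The names drop_privileges and only_group are hypothetical, the target UID/GID come from the command line, and Linux with glibc is assumed (getresuid/getresgid).

```c
#define _GNU_SOURCE             /* getresuid(), getresgid() */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if every supplementary group of this process equals gid, else 0. */
int only_group(gid_t gid)
{
    gid_t list[64];
    int n = getgroups(64, list);
    if (n < 0) return 0;                 /* error or more than 64 groups */
    for (int i = 0; i < n; i++)
        if (list[i] != gid) return 0;
    return 1;
}

/* Drop to uid/gid for good. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Order matters: resetting groups needs privilege that setuid() removes.
     * Skipping setgroups() would keep the starting user's (root's) groups. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the resulting state instead of trusting return codes alone. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    if (!only_group(gid)) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must be out of reach */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s UID GID\n", argv[0]); return 2; }
    if (drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2])) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;                        /* fail closed: never keep running */
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Started as root with an unprivileged UID and GID, the program prints the new identity; a caller should treat any -1 as fatal and exit instead of continuing with partial privileges.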
New in sslh 1.16 (Mar 27, 2014)
- Probes made more resilient to incoming data containing NULLs. Also made them behave properly when the first incoming packet is too short to probe on. (Ondrej Kuzník)
- Libcap support: Keep only CAP_NET_ADMIN if started as root with transparent proxying and dropping privileges (enable USELIBCAP in Makefile). This avoids having to mess with filesystem capabilities. (Sebastian Schmidt/yath)
- Fixed bugs related to getpeername that would cause sslh to quit erroneously (getpeername can return actual errors if connections are dropped before getting to getpeername).
- Set IP_FREEDBIND if available to bind to addresses that don't yet exist.
New in sslh 1.15 (Jul 29, 2013)
- Added --transparent option for transparent proxying. See README for iptables magic and capability management.
- Fixed bug in sslh-select: if the number of open file descriptors became bigger than FD_SETSIZE, bad things would happen.
- Fixed bug in sslh-select: if socket dropped while defered_data was present, sslh-select would crash.
- Increased FD_SETSIZE for Cygwin, as the default 64 is too low for even moderate load.
New in sslh 1.14 (Jul 29, 2013)
- sharing code is... wrong). Thanks to Kai Ellinger for help in investigating and testing.
- Added an actual TLS/SSL probe.
- Added configurable --on-timeout protocol specification.
- Added a --anyprot protocol probe (equivalent to what --ssl was).
- Makefile respects the user's compiler and CFLAG choices (falling back to the current values if undefined), as well as LDFLAGS. (Michael Palimaka)
- Added "After" and "KillMode" to systemd.sslh.service (Thomas Weißschuh).
- Added LSB tags to etc.init.d.sslh (Thomas Varis).
New in sslh 1.13 (Jul 29, 2013)
- Added --background, which overrides 'foreground' configuration file setting.
- Added example systemd service file from Archlinux in scripts/ https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh
New in sslh 1.12 (May 9, 2012)
- Added support for configuration file.
- New protocol probes can be defined using regular expressions that match the first packet sent by the client.
- sslh now connects timed out connections to the first configured protocol instead of 'ssh' (just make sure ssh is the first defined protocol).
- sslh now tries protocols in the order in which they are defined (just make sure sslh is the last defined protocol).
New in sslh 1.11 (Apr 23, 2012)
- WARNING: defaults have been removed for --user and --pidfile options, update your start-up scripts!
- No longer stop sslh when reverse DNS requests fail for logging.
- Added HTTP probe.
- No longer create new session if running in foreground.
- No longer default to changing user to 'nobody'. If --user isn't specified, just run as current user.
- No longer create PID file by default, it should be explicitly set with --pidfile.
- No longer log to syslog if in foreground. Logs are instead output to stderr.
- The four changes above make it straightforward to integrate sslh with systemd, and should help with launchd.
New in sslh 1.10 (Nov 28, 2011)
- Fixed calls referring to sockaddr length so they work with FreeBSD.
- Try target addresses in turn until one works if there are several (e.g. "localhost:22" resolves to an IPv6 address and an IPv4 address and sshd does not listen on IPv6).
- Fixed sslh-fork so killing the head process kills the listener processes.
- Heavily cleaned up test suite. Added stress test t_load script. Added coverage (requires lcov).
- Support for XMPP (Arnaud Gendre).
- Updated README.MacOSX (Aaron Madlon-Kay).
New in sslh 1.9 (Aug 3, 2011)
- WARNING: Options changed, you'll need to update your start-up scripts! Log format changed, you'll need to update log processing scripts!
- Now supports IPv6 throughout (both on listening and forwarding).
- Logs now contain IPv6 addresses, local forwarding address, and resolves names (unless --numeric is specified).
- Introduced long options.
- Options -l, -s and -o replaced by their long counterparts.
- Defaults for SSL and SSH options suppressed (it's legitimate to want to use sslh to mux OpenVPN and tinc while not caring about SSH nor SSL).
- Bind to multiple addresses with multiple -p options.
- Support for tinc VPN (experimental).
- Numeric logging option.
New in sslh 1.8 (Jul 18, 2011)
- Changed log format to make it possible to link connections to subsequent logs from other services.
- Updated CentOS init.d script (Andre Krajnik).
- Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not propagated to the child process, so we set up signals after the fork.) (François FRITZ)
- Added -o "OpenVPN" and OpenVPN probing and support.
- Added single-threaded, select(2)-based version.
- Added support for "Bold" SSH clients (clients that speak first). Thanks to Guillaume Ricaud for spotting a regression bug.
- Added -f "foreground" option.
- Added test suite (only tests connections; no test for libwrap, setsid, setuid and so on) and corresponding 'make test' target.
- Added README.MacOSX (thanks Aaron Madlon-Kay).
- Documented use with proxytunnel and corkscrew in README.