./net/sslh, Multiplex ssl, ssh, and other connections on the same port

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.22c, Package name: sslh-1.22c, Maintainer: nils

Sslh accepts connections on specified ports, and forwards
them further based on tests performed on the first data
packet sent by the remote client.

Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are
implemented, and any other protocol that can be tested using
a regular expression, can be recognised. A typical use case
is to allow serving several services on port 443 (e.g. to
connect to ssh from inside a corporate firewall, which
almost never block port 443) while still serving HTTPS on
that port.

Hence sslh acts as a protocol demultiplexer, or a
switchboard. Its name comes from its original function to
serve SSH and HTTPS on the same port.


Required to run:
[devel/pcre] [devel/libconfig]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 143.51 KB

Version history: (Expand)


CVS history: (Expand)


   2023-08-02 18:17:20 by Nia Alarie | Files touched by this commit (41)
Log message:
*: Use FORCE_C_STD=c99 for C packages that use for loop initial
declarations without setting -std=c99.
   2023-07-12 22:29:57 by Nia Alarie | Files touched by this commit (1)
Log message:
sslh: Assumes compiler defaults to c99.
   2022-01-01 17:47:21 by Olaf Seibert | Files touched by this commit (5) | Package updated
Log message:
net/sslh: update to 1.22c

- sslh-select now supports UDP protocols. Probes specified in the
  protocols configuration entry are tried on incoming packets, TCP or
  UDP, and forwarded based on the input protocol (an incoming TCP
  connection will be forwarded as TCP, and same with UDP). This has been
  tested with DNS as shown in udp.cfg: incoming packets that contain my
  domain name are assumed to be a DNS request and forwarded accordingly.
  Note this could cause problems if combined with incoming TLS with SNI.
  UDP clients and servers need to agree on the IPv4/IPv6 they use: use
  the same protocol on all sides! Often, this means explicitely using
  `ip4-localhost'. UDP sender-receiver pairs (connections, so to speak)
  are kept for 60s, which can be changed with udp_timeout in the
  configuration.

- Added probes for UDP protocols QUICK and Teamspeak.

- Added probes for syslog protocol.

- sslh-select refactored to change linear searches through connections
  to linear searches through fd_set.

- Fixed a libconfig call to support libconfig 1.7.3.

- Added symbol to support libconfig 1.4.9, still in use in CentOS7.

- Warn about unknown settings in the configuration file.

- Added per-protocol transparent option. sslh-fork drops the capability after
  creating the server-side transparent socket. Transparent now uses CAP_NET_RAW
  instead of CAP_NET_ADMIN.

- Removed compile-time option to use POSIX regex. Now regex must be
  PCRE2 (Perl-Compatible). This was in fact the case since v1.21, as
  PCRE are used to parse the config file.
   2021-10-26 13:07:15 by Nia Alarie | Files touched by this commit (958)
Log message:
net: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts...):

net/radsecproxy/distinfo

The following distfiles could not be fetched (fetched conditionally?):

./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
   2021-10-07 16:43:07 by Nia Alarie | Files touched by this commit (962)
Log message:
net: Remove SHA1 hashes for distfiles
   2021-06-13 14:04:22 by Olaf Seibert | Files touched by this commit (6) | Package updated
Log message:
net/sslh: update to 1.21

v1.21

Added TCP_FASTOPEN support for client sockets (if tfo_ok is
specified in their configuration) and for listenint socket,
if all client protocols support it.  (Craig Andrews)

Added 'minlength' option to skip a probe if less
than that many bytes have been received (mostly for
regex)

Moved configuration and command-line management to
use conf2struct. Hopefully this should be transparent
to users.

Update Let's Encrypt entry in example.cfg for tls-alpn-01
challenges; tls-sni-* challenges are now deprecated.

Log to syslog even if in foreground (for people who
use fail2ban)

Use syslog_facility: "none" to disable syslog
output.

v1.21b

Added TCP_FASTOPEN support for client sockets (if tfo_ok is specified
in their configuration) and for listenint socket, if all client
protocols support it.  (Craig Andrews)

Added 'minlength' option to skip a probe if less than that many bytes
have been received (mostly for regex)

Moved configuration and command-line management to use conf2struct.
Changes are:
* command line option <-F|--config> no longer defaults to /etc/sslh.cfg,
so you have to specify it explicitly.
* command line option <-v|--verbose> takes a mandatory integer parameter

Update Let's Encrypt entry in example.cfg for tls-alpn-01 challenges;
tls-sni-* challenges are now deprecated.

Log to syslog even if in foreground (for people who use fail2ban)

Use syslog_facility: "none" to disable syslog output.

Changed exit code for illegal command line parameter from 1 to 6 (for
testing purposes)

v1.21c

Removed support for 'ssl' and fix a related segfault bug.
(use tls instead of ssl)
   2020-01-26 18:32:28 by Roland Illig | Files touched by this commit (981)
Log message:
all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
   2018-12-05 22:20:32 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
sslh: update to 1.20.

v1.20: 20NOV2018
	Added support for socks5 protocol (Eugene Protozanov)

	New probing method:
	Before, probes were tried in order, repeating on the
	same probe as long it returned PROBE_AGAIN before
	moving to the next one. This means a probe which
	requires a lot of data (i.e. returne PROBE_AGAIN for
	a long time) could prevent sucessful matches from
	subsequent probes. The configuration file needed to
	take that into account.

	Now, all probes are tried each time new data is
	found. If any probe matches, use it. If at least one
	probe requires more data, wait for more. If all
	probes failed, connect to the last one. So the only
	thing to know when writing the configuration file is
	that 'anyprot' needs to be last.

	Test suite heavily refactored; `t` uses `test.cfg`
	to decide which probes to test and all setup is
	automatic; probes get tested with 'fast' (entire
	first message in one packet) and 'slow' (one byte at
	a time); when SNI/ALPN are defined, all combinations
	are tested.

	Old 'tls' probe removed, 'sni_alpn' probe renamed as 'tls'.
	You'll need to change 'sni_alpn' to 'tls' in
	your configuration file, if ever you used it.