* Disabled all methods of HTTP fallback when HTTPS is enabled. This
is enforced on server side so that even modified client code (JS)
can not redirect client from HTTPS to HTTP, like it was possible
before (issue #355).
* Current solution unfortunately also disables automatic upgrade from
HTTP to HTTPS (when available), since all non-SSL connections are
droped immediately.
* In case that this SSL feature is abused it is possible to overload the
server. Other web servers disable this feature by default, but users
are able to change it with configuration. This is not possible with
shellinabox as this feature is not needed.
* Solution was implemented similary as in Lighttpd web server.
* Support for PFS is enabled with help of chiper suits that use ECDHE
key exchange. OpenSSL added support for eliptic curve operations (EC)
in version 0.9.8. Note that there are also some library distributions
which don't support EC operations.
* Added precompiler guards for builds with OpenSSL older than 0.9.8 and
builds with '--enable-runtime-loading' configure script option.
* Cleaned up some SSL related code.
management, if we don't have the privileges to do so, anyway)
- Make ssl.h compile again, even if OpenSSL is not found at compile time.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@115 0da03de8-d603-11dd-86c2-0f8696b7b6f9
OpenSSL and PAM libraries to be optionally linked as regular shared libraries
instead of being searched for and loaded at run-time.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@65 0da03de8-d603-11dd-86c2-0f8696b7b6f9
first release of ShellInABox that supports an AJAX interface
instead of the original Java applet.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@2 0da03de8-d603-11dd-86c2-0f8696b7b6f9