Disable SSLv2, SSLv3, and compression; generate new DH or ECDH keys
during each handshake; always start a new session on server
renegotiation; set a strong cipher list.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
[ Patch from https://code.google.com/p/shellinabox/issues/detail?id=215 ]
o Use of runtime linkage emperils correctness of package. So, runtime
linking disabled in configuration.
o Workaround using environment variables to pass the names of the
shared libraries into the daemon is disabled.
o Auxiliary source file used to determine the current soname for
libssl is removed.
o Moved libssl from a dependency to being recommended.
o Added small program to support Recommended link generation.
o Fixed typo in lsb-base dependency.
o Added comment in the package description about the need for libssl.
o Fixed permissions on libhttp/ssl.c
o Added environment variables for specifying the ssl and crypto
libraries.
Auto-generated certificates are RSA, but the header does not indicate
this (e.g. BEGIN PRIVATE KEY). Since the type is not specified,
the certificate was not being parsed correctly, and attempts to
connect over HTTPS failed and caused web browser errors.
Fixes "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Chrome.
Fixes "ssl_error_no_cypher_overlap" in Firefox.
Completely discard hostnames containing invalid characters, instead of
merely replacing the invalid characters with uninitialized memory.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
was not really interested in them. This could result in inefficient I/O
behavior and most noticably it broke the ability to interrupt long running
output with CTRL-C.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@238 0da03de8-d603-11dd-86c2-0f8696b7b6f9
systems with an implementation of poll() that isn't completely POSIX
compliant. We now fall back on calling select() instead. That's not our
first choice, but it is presumably the best that MacOS X can do.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@236 0da03de8-d603-11dd-86c2-0f8696b7b6f9
processed buffers. I believe, this could only be triggered by clients that
enabled HTTP pipelining. That might explain why we haven't seen bug reports
any earlier.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@216 0da03de8-d603-11dd-86c2-0f8696b7b6f9
Fixed some compiler warnings when compiling with -Wextra
Thanks to Jan Jaeger's excellent bug report, made some changes
that should make it easier to build ShellInABox for OpenWRT.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@202 0da03de8-d603-11dd-86c2-0f8696b7b6f9
problems dealing with "inherit" styles. This prevented proper switching
between color and monochrome.
Implemented a work-around.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@172 0da03de8-d603-11dd-86c2-0f8696b7b6f9
to manipulate headers more easily. We now add "Connection: close" in more cases
where we force a closing of the connection.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@171 0da03de8-d603-11dd-86c2-0f8696b7b6f9
Some more tweaks for IE6 support. Overall, IE6 is still pretty
broken. Not sure if we can do much about this.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@166 0da03de8-d603-11dd-86c2-0f8696b7b6f9
work reliably on some platforms. So, avoid doing so on anything other
than Linux/i386. For all other platforms, assume that the code is not
linked against libpthread. For ShellInABox, this is always the correct
assumption. But if the code gets embedded into other projects, this
might have to be changed.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@141 0da03de8-d603-11dd-86c2-0f8696b7b6f9
management, if we don't have the privileges to do so, anyway)
- Make ssl.h compile again, even if OpenSSL is not found at compile time.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@115 0da03de8-d603-11dd-86c2-0f8696b7b6f9
- A couple of changes to avoid false error messages in valgrind.
- Fixed a bug that could potentially lead to a double-free()
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@114 0da03de8-d603-11dd-86c2-0f8696b7b6f9
OpenSSL and PAM libraries to be optionally linked as regular shared libraries
instead of being searched for and loaded at run-time.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@65 0da03de8-d603-11dd-86c2-0f8696b7b6f9
provide our own conversation function, if PAM misc is not available. We
rely on login_tty to set up the terminal for us. And we avoid a few other
API uses that turned out to be Linux specific extensions.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@63 0da03de8-d603-11dd-86c2-0f8696b7b6f9
ill-advised choice, as this particular compiler options has a tendency to
generate a lot of false positives.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@62 0da03de8-d603-11dd-86c2-0f8696b7b6f9
In particular, work around a problem with gcc complaining about NULL format
strings. And added additional system header files that might be required on
some platforms.
This should fix some of the problems reported when compiling on BSD-style
systems. But we are still using SysV style session management code. This
probably needs to be rewritten before ShellInABox can be run on BSD-style
system.
In particular, we rely on grantpt(), we use the utmpx API, and we access
/dev/urandom.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@55 0da03de8-d603-11dd-86c2-0f8696b7b6f9
