Disable SSLv2, SSLv3, and compression; generate new DH or ECDH keys
during each handshake; always start a new session on server
renegotiation; set a strong cipher list.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
[ Patch from https://code.google.com/p/shellinabox/issues/detail?id=215 ]
o Use of runtime linkage emperils correctness of package. So, runtime
linking disabled in configuration.
o Workaround using environment variables to pass the names of the
shared libraries into the daemon is disabled.
o Auxiliary source file used to determine the current soname for
libssl is removed.
o Moved libssl from a dependency to being recommended.
o Added small program to support Recommended link generation.
o Fixed typo in lsb-base dependency.
o Added comment in the package description about the need for libssl.
o Fixed permissions on libhttp/ssl.c
o Added environment variables for specifying the ssl and crypto
libraries.
Auto-generated certificates are RSA, but the header does not indicate
this (e.g. BEGIN PRIVATE KEY). Since the type is not specified,
the certificate was not being parsed correctly, and attempts to
connect over HTTPS failed and caused web browser errors.
Fixes "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Chrome.
Fixes "ssl_error_no_cypher_overlap" in Firefox.
Completely discard hostnames containing invalid characters, instead of
merely replacing the invalid characters with uninitialized memory.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Fixed some compiler warnings when compiling with -Wextra
Thanks to Jan Jaeger's excellent bug report, made some changes
that should make it easier to build ShellInABox for OpenWRT.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@202 0da03de8-d603-11dd-86c2-0f8696b7b6f9
work reliably on some platforms. So, avoid doing so on anything other
than Linux/i386. For all other platforms, assume that the code is not
linked against libpthread. For ShellInABox, this is always the correct
assumption. But if the code gets embedded into other projects, this
might have to be changed.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@141 0da03de8-d603-11dd-86c2-0f8696b7b6f9
OpenSSL and PAM libraries to be optionally linked as regular shared libraries
instead of being searched for and loaded at run-time.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@65 0da03de8-d603-11dd-86c2-0f8696b7b6f9
provide our own conversation function, if PAM misc is not available. We
rely on login_tty to set up the terminal for us. And we avoid a few other
API uses that turned out to be Linux specific extensions.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@63 0da03de8-d603-11dd-86c2-0f8696b7b6f9
ill-advised choice, as this particular compiler options has a tendency to
generate a lot of false positives.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@62 0da03de8-d603-11dd-86c2-0f8696b7b6f9
In particular, work around a problem with gcc complaining about NULL format
strings. And added additional system header files that might be required on
some platforms.
This should fix some of the problems reported when compiling on BSD-style
systems. But we are still using SysV style session management code. This
probably needs to be rewritten before ShellInABox can be run on BSD-style
system.
In particular, we rely on grantpt(), we use the utmpx API, and we access
/dev/urandom.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@55 0da03de8-d603-11dd-86c2-0f8696b7b6f9
first release of ShellInABox that supports an AJAX interface
instead of the original Java applet.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@2 0da03de8-d603-11dd-86c2-0f8696b7b6f9