* Support for PFS is enabled with the help of cipher suites that use ECDHE
key exchange. OpenSSL added support for elliptic curve operations (EC)
in version 0.9.8. Note that there are also some library distributions
which don't support EC operations.
* Added precompiler guards for builds with OpenSSL older than 0.9.8 and
builds with '--enable-runtime-loading' configure script option.
* Cleaned up some SSL related code.
* Added "reconnect" and "onsessionchange" message types to use with
embedded terminal. Usage examples were added to misc/embedded.html
file.
* Improved code for unix domain socket functionality.
* Changed initialization of variables and handling of unix socket path.
* Added fixes for command line argument parsing that I forgot in the previous
commit.
* Improved user input checking and error handling for code from #320.
* Added some guards for unlinking socket file in server init and destroy
functions.
* Added peer name handling for AF_UNIX type connections in HTTP handling
code.
* Added more checks for return values and null pointers.
* Removed some dead code and unused variables.
* Fixed handling of calls to exec() family functions. If these functions
fail, we need to clean up resources.
* URL dependency was removed from session handling code. URL object
was only needed to get session key from client request. This was
moved somewhere else to achieve better code reusability.
* Added URL parsing functionality that can be used without URL object.
* Recognition of HTTP header field 'X-Real-IP' was added. Value
is used in LOGIN service with peer name as remote host identifier.
This way we are able to see the real IP in login related log files
such as /var/log/auth.log, etc.
* Real IP, peer name and URL are also passed to launched service
as environment variables (SHELLINABOX_PEERNAME, SHELLINABOX_REALIP
and SHELLINABOX_URL). This can be used by custom user service shell
scripts or programs.
* Real IP can also be passed to custom user service as command line
parameter ${realip}.
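As an added example (not shellinabox's own code), this shows how the header-derived real IP and the three environment variables named above can be assembled for the launched service. The trusted-proxy set and the function names are assumptions, and accepting X-Real-IP only from a trusted proxy peer is a check the commit does not mention.

```python
import ipaddress
from typing import Dict, Optional

# Constructed example: socket peers allowed to set X-Real-IP. In a deployment this
# would be the reverse proxy sitting in front of the daemon (assumption).
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def parse_real_ip(headers: Dict[str, str]) -> Optional[str]:
    """Return a syntactically valid X-Real-IP value, or None if absent or malformed."""
    value = headers.get("X-Real-IP", "").strip()
    if not value:
        return None
    try:
        # ipaddress normalises the text and rejects anything that is not an address,
        # so only a clean IP ever reaches the auth log or the service environment.
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def service_environment(peername: str, headers: Dict[str, str], url: str) -> Dict[str, str]:
    """Build SHELLINABOX_PEERNAME, SHELLINABOX_REALIP and SHELLINABOX_URL.

    The header value replaces the socket peer only when that peer is a trusted
    proxy; a client connecting directly is identified by its own peer address.
    """
    real_ip = parse_real_ip(headers) if peername in TRUSTED_PROXIES else None
    return {
        "SHELLINABOX_PEERNAME": peername,
        "SHELLINABOX_REALIP": real_ip or peername,
        "SHELLINABOX_URL": url,
    }


def expand_realip(cmdline: str, env: Dict[str, str]) -> str:
    """Substitute the ${realip} placeholder used in custom service command lines."""
    return cmdline.replace("${realip}", env["SHELLINABOX_REALIP"])
```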
Commit b06b1f15ac broke the configure option
"--disable-ssl" as the function sslMakeContext() was not enclosed in an
"#if defined(HAVE_OPENSSL)" statement.
Instead of making the browser sniffing more complicated, it's probably
better to use code that works for all current browsers. As such, this
swaps to use gzip compression encoding instead of deflate and drops the
IE browser sniffing code. This means shellinabox works in IE11 and
should work in every version of IE since IE7. From this commit, IE6 is
no longer supported. Thanks @lfourquaux.
Disable SSLv2, SSLv3, and compression; generate new DH or ECDH keys
during each handshake; always start a new session on server
renegotiation; set a strong cipher list.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
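An added example, not shellinabox's sslMakeContext(), expressing the same hardening through Python's ssl module (a wrapper over OpenSSL with the same option flags). The cipher string is a constructed choice, and Python exposes no control over session reuse on renegotiation, so that part of the commit is not covered.

```python
import ssl

# The option flags the commit names. On OpenSSL 1.1.0+ SSLv2 no longer exists and
# DH/ECDH keys are always generated per handshake, so OP_NO_SSLv2 and the
# OP_SINGLE_*_USE flags evaluate to 0 there; setting them stays harmless.
HARDENING_OPTIONS = (
    ssl.OP_NO_SSLv2
    | ssl.OP_NO_SSLv3
    | ssl.OP_NO_COMPRESSION          # TLS compression leaks plaintext via record sizes
    | ssl.OP_SINGLE_DH_USE           # fresh DH key for every handshake
    | ssl.OP_SINGLE_ECDH_USE         # fresh ECDH key for every handshake
    | ssl.OP_CIPHER_SERVER_PREFERENCE
)

# Constructed cipher list: ECDHE-only suites (forward secrecy) with AEAD ciphers,
# and explicit exclusion of anonymous, NULL, export, RC4, MD5 and (3)DES suites.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES"


def make_server_context() -> ssl.SSLContext:
    """Server context with the protocol, compression and cipher settings above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= HARDENING_OPTIONS
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Checks a reviewer would make before deploying a context."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        # TLS 1.3 suites (TLS_*) always use an ephemeral exchange; for TLS 1.2 only
        # ECDHE-* suites should survive set_ciphers().
        "forward_secrecy_only": all(n.startswith(("TLS_", "ECDHE-")) for n in names),
        "cipher_count": len(names),
    }
```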
[ Patch from https://code.google.com/p/shellinabox/issues/detail?id=215 ]
o Use of runtime linkage imperils correctness of package. So, runtime
linking disabled in configuration.
o Workaround using environment variables to pass the names of the
shared libraries into the daemon is disabled.
o Auxiliary source file used to determine the current soname for
libssl is removed.
o Moved libssl from a dependency to being recommended.
o Added small program to support Recommended link generation.
o Fixed typo in lsb-base dependency.
o Added comment in the package description about the need for libssl.
o Fixed permissions on libhttp/ssl.c
o Added environment variables for specifying the ssl and crypto
libraries.
Auto-generated certificates are RSA, but the header does not indicate
this (e.g. BEGIN PRIVATE KEY). Since the type is not specified,
the certificate was not being parsed correctly, and attempts to
connect over HTTPS failed and caused web browser errors.
Fixes "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Chrome.
Fixes "ssl_error_no_cypher_overlap" in Firefox.
Completely discard hostnames containing invalid characters, instead of
merely replacing the invalid characters with uninitialized memory.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
was not really interested in them. This could result in inefficient I/O
behavior and most noticeably it broke the ability to interrupt long running
output with CTRL-C.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@238 0da03de8-d603-11dd-86c2-0f8696b7b6f9
systems with an implementation of poll() that isn't completely POSIX
compliant. We now fall back on calling select() instead. That's not our
first choice, but it is presumably the best that MacOS X can do.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@236 0da03de8-d603-11dd-86c2-0f8696b7b6f9
processed buffers. I believe this could only be triggered by clients that
enabled HTTP pipelining. That might explain why we haven't seen bug reports
any earlier.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@216 0da03de8-d603-11dd-86c2-0f8696b7b6f9
Fixed some compiler warnings when compiling with -Wextra
Thanks to Jan Jaeger's excellent bug report, made some changes
that should make it easier to build ShellInABox for OpenWRT.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@202 0da03de8-d603-11dd-86c2-0f8696b7b6f9
problems dealing with "inherit" styles. This prevented proper switching
between color and monochrome.
Implemented a work-around.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@172 0da03de8-d603-11dd-86c2-0f8696b7b6f9
to manipulate headers more easily. We now add "Connection: close" in more cases
where we force a closing of the connection.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@171 0da03de8-d603-11dd-86c2-0f8696b7b6f9
Some more tweaks for IE6 support. Overall, IE6 is still pretty
broken. Not sure if we can do much about this.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@166 0da03de8-d603-11dd-86c2-0f8696b7b6f9
work reliably on some platforms. So, avoid doing so on anything other
than Linux/i386. For all other platforms, assume that the code is not
linked against libpthread. For ShellInABox, this is always the correct
assumption. But if the code gets embedded into other projects, this
might have to be changed.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@141 0da03de8-d603-11dd-86c2-0f8696b7b6f9
management, if we don't have the privileges to do so, anyway)
- Make ssl.h compile again, even if OpenSSL is not found at compile time.
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@115 0da03de8-d603-11dd-86c2-0f8696b7b6f9
- A couple of changes to avoid false error messages in valgrind.
- Fixed a bug that could potentially lead to a double-free()
git-svn-id: https://shellinabox.googlecode.com/svn/trunk@114 0da03de8-d603-11dd-86c2-0f8696b7b6f9