yrutschle / sslh
Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
Home Page: https://www.rutschle.net/tech/sslh/README.html
License: GNU General Public License v2.0
The documentation of the command line parameters in the source code (which is the only place where I could find them!) seems a bit inconsistent. The -u parameter is mentioned and seems required but not explained. How am I to use this program? The -F parameter has two explanations which say the same with different words.
When you start the program in CentOS 6.5 64 bits, it crashes with a "Segmentation fault". It doesn't happen in CentOS 6.5 32 bits.
I found that the problem is located in the timeout parameter of config file. If I put it in this way:
It crashes, but if I put:
It works.
Both options work in CentOS 6.5 32 bits.
It seems to be a bug in the 64 bits version of libconfig. Maybe you can modify the .cfg files with the quotes in the timeout parameter.
./genver.sh
generates no output when the source tree is not a git working directory.
Not sure if this is the right place to ask, but the sslh package in the Raspbian repository (based on Debian wheezy, ported for arm) requires the following packages to install:
apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libconfig9 ssl-cert
Is this by design? Actually I wanted to use this with SSH and OpenVPN for now, not HTTPS. And even if HTTPS is added, it's probably hosted on a different machine in the network, where the package manager doesn't reach in.
Hi
You could set a default config file to /etc/sslh.conf for example, so that it doesn't have to be put in the command line.
Trying to connect to server (x.y.z.t port 655)
Using proxy at proxy.company.fr port 1080
Connected to server (x.y.z.t port 655)
Proxy request granted
Connection closed by server (x.y.z.t port 655)
Closing connection with server (x.y.z.t port 655)
Could not set up a meta connection to server
Trying to re-establish outgoing connection in 5 seconds
Trying to connect to server (x.y.z.t port 655)
Using proxy at proxy.company.fr port 1080
Connected to server (x.y.z.t port 655)
Proxy request granted
Connection closed by server (x.y.z.t port 655)
Closing connection with server (x.y.z.t port 655)
Could not set up a meta connection to server
Trying to re-establish outgoing connection in 10 seconds
See also http://www.tinc-vpn.org/pipermail/tinc/2011-November/002799.html
If you use sslh from the inetd.conf file, and give the --inetd option, it apparently still wants to have a -p option. An error message to that effect is shown if you ssh -v to it. You won't see that message if you use plain ssh, so that will be a bit mysterious.
Fortunately the actual argument to the -p option is indeed ignored, as documented for the --inetd option. So just giving the option is a workaround, but it looks deceptive in the inetd.conf file of course (suggesting something that is irrelevant)
It looks like it is the check on line 453 of sslh-main.c which is responsible.
if (!addr_listen) {
    fprintf(stderr, "No listening address specified; use at least one -p option\n");
    exit(1);
}
Hya all,
I'm trying to use sslh to push https traffic forward to my nas.
However it's just not connecting.
Ssh traffic does work however but that is on the same server.
So any idea why this does not work or what I am doing wrong?
Direct connection to my nas on port 4443 does work.
As does the connection on 8022 on my ssh server.
So I've used the mangle example on my ssh server:
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8022 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 4443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
My sslh config looks like:
verbose: true;
foreground: true;
inetd: false;
numeric: false;
transparent: true;
timeout: "2";
user: "root";
pidfile: "/var/run/sslh.pid";
listen:
(
{ host: "192.168.178.32"; port: "443"; }
);
protocols:
(
{ name: "ssh"; service: "ssh"; host: "192.168.178.32"; port: "8022"; probe: "builtin"; },
{ name: "ssl"; host: "192.168.178.6"; port: "4443"; probe: "builtin"; },
);
Not sure if this has something to do with sslh, but it worked fine before placing SSLH before it.
I have current topology;
Now when I visit https://website.com/, I get redirected to https://website.com:8006/
Apologies if this is misplaced. Great piece of software btw!
Hello!
Server command:
/usr/local/sbin/sslh --user sslh --listen 0.0.0.0:443 --openvpn 127.0.0.1:1194 --ssh 127.0.0.1:22 --ssl 127.0.0.1:445 --pidfile /var/run/sslh/sslh.pid
Ports:
root@dhmd:/etc/openvpn# netstat -naptu | fgrep LISTEN
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 23053/openvpn
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 18123/unbound
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 608/sshd
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 18123/unbound
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 22656/sslh
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 22726/apache2
tcp6 0 0 :::80 :::* LISTEN 22726/apache2
tcp6 0 0 :::22 :::* LISTEN 608/sshd
tcp6 0 0 ::1:8953 :::* LISTEN 18123/unbound
Client is behind HTTP proxy that allows HTTP CONNECT only to port 443.
machine -> non-transparent squid -> internet -> sslh -> https/ssh/openvpn
I am able to ssh to the machine using corkscrew, open https page on the browser, but not openvpn to it using proxy settings inside openvpn.
syslog when trying to connect to openvpn:
Feb 26 21:18:24 dhmd sslh[22656]: connection from firewall.example.com:45808 to dhmd:https forwarded from localhost:50936 to localhost:ssh
Feb 26 21:18:24 dhmd sshd[23088]: Did not receive identification string from 127.0.0.1
Feb 26 21:18:32 dhmd sslh[22656]: connection from firewall.example.com:58468 to dhmd:https forwarded from localhost:50938 to localhost:ssh
Feb 26 21:18:32 dhmd sshd[23090]: Did not receive identification string from 127.0.0.1
When I replace sslh with openvpn listening directly on port 443, it works fine.
For some reason sslh classifies the connection as ssh instead of openvpn, maybe the probe that detects openvpn needs updating?
sslh is latest release version -- v1.17.
Hi I am running sslh on a (small) vps which is process number limited so I did go the sslh-select path.
However after running for a while sslh silently quits.
I did run sslh-select in foreground to see what exactly happens.
Here is the Log:
forward to http failed:connect: No buffer space available
forward to http failed:connect: No buffer space available
forward to http failed:connect: No buffer space available
forward to http failed:connect: No buffer space available
forward to http failed:connect: No buffer space available
forward to http failed:connect: No buffer space available
forward to ssl failed:connect: No buffer space available
*** Error in `/usr/sbin/sslh': munmap_chunk(): invalid pointer: 0x00000000010b0818 ***
Aborted
It looks like the server ran out of memory (as said, it is a small VPS with ~2GB RAM) also running a mailserver (where clamd is hogging the memory).
I can live with the fact that some requests are not handled, but sslh should remain live so I don't have to restart it from time to time.
Thanks in advance
It seems the last version of sslh (both the stable 1.16 version and the git version of 20/03/2014) doesn't work with PuTTY and KiTTY (I tried with the last version of KiTTY, 0.63.0.7).
#/usr/bin/sslh-fork -f -v -F /etc/sslh.conf
ssh addr: geek85-server:casp. libwrap service: ssh family 2 2
ssl addr: geek85-server:https. libwrap service: (null) family 2 2
timeout addr: localhost.localdomain:daytime. libwrap service: daytime family 10 10
listening on:
geek85-server:https
timeout: 2
on-timeout: timeout
listening to 1 addresses
turning into nobody
sslh-fork v1.16-5-g53550ff started
capabilities: = cap_net_admin+ep
accepted fd 4
connecting to localhost.localdomain:daytime family 10 len 28
bind:22:Invalid argument
bind_peer:22:Invalid argument
connect: Invalid argument
with linux standard ssh, no problem (OpenSSH 6.5p1)
accepted fd 4
**** writing deferred on fd -1
probing for ssh
connecting to geek85-server:casp family 2 len 16
connection from 192.168.1.67:37882 to geek85-server:https forwarded from 192.168.1.67:37882 to geek85-server:casp
flushing deferred data to fd 3
The awkward behavior is that there is no probing at all; it is deferred to the timeout directly...
Hello,
I can configure this filter based on geolocation if I connect directly through SSH server, but I am not able to configure this using SSLH (with transparent setup, forwarding the real source IP to SSH server).
Is there any way to set this up?
This is the guide to configure the filter: http://www.axllent.org/docs/view/ssh-geoip/
Thanks!
Hi!
Sorry if this might be the wrong place to ask, but sslh is driving me nuts :)
I've set up sslh to handle ssl/hkp(s)/ and ssh and it works perfectly.
However every connect results in a log line in auth.log which is really spammy (~30k visits over https, each resulting in a line in auth.log).
Is there any way to restrict sslh logging?
I have already tried to setup a rsyslogd filter like
http://william.shallum.net/random-notes/sslh-configuring-logging-logrotate-and-logwatch
but the messages STILL go to /var/log/auth.log AND /var/log/sslh.log.
I only (if any) want them to go to the dedicated sslh.log file.
Also maybe only log SSH connection tries, since hkp(s) and https are already logged by the webserver.
Thank you in advance
Hi,
I would like to report an issue I have with SSLH installed on a QNAP running QTS 4.2.1 and having the 2 factor authentication login security enabled.
Background:
QNAP runs QTS, a customized *unix OS developed by QNAP. The OS provides a Web interface which can be accessed via login + password (in one page) or via login + password (in one page) + 2FA code (in another page) using google authenticator.
QTS (the web interface) can be accessed on port (for example) 4444.
With SSLH we want to access to QTS and to ssh server using port 443.
Problem:
When using SSLH (on port 443) to access QTS the 2FA code is not requested (i.e the second page is simply skipped) even if enabled.
In fact if you access to QTS on port 4444 the 2FA code is requested (i.e. the second page is loaded).
How to reproduce the error:
HOWEVER PLEASE NOTE that the error appears also if you compile SSLH from sources.
ENABLED=yes
PROCS=sslh
ARGS="-p 0.0.0.0:443 --ssh localhost:22 --ssl localhost:4444 -t 2 -v 0"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[~]# ./opt/etc/init.d/S14sslh
4a. Try to connect to ssh server:
ssh [ip]:443 -> IT WORKS
4b. Try to connect to QTS using port 4444 (i.e. without passing through SSLH):
https://[ip]:4444 -> login successful requiring 2FA code (i.e the second page is showed and you need to enter 2FA code)
4c. Try to connect to QTS using port 443 (i.e. passing through SSLH):
https://[ip]:443 -> login successful requiring 2FA code BUT 2FA code is NOT requested (i.e. the second page is skipped and you have immediate access to the QTS desktop).
Is this a SSLH issue not being able to process 2FA code request page or the issue is to be searched at the QTS 2FA page level?
Using verbose connection you can only see:
getnameinfo(NI_NAMEREQD):Name or service not known
getnameinfo(NI_NAMEREQD):Name or service not known
Is it related to that? Where to look at?
Thanks
Hi
I have a problem using IPv6 with your software. (Let's say my IPv6 is ::1 and my IPv4 is 1.1.1.1.) When I configure it to listen to 1.1.1.1:443, all works fine. When it's localhost:443, I can't connect at all. If I add [::1]:443, it outputs an error saying that the argument is invalid. Any idea?
Thanks for your awesome piece of software.
I use sslh v1.16
I would like to point out that identifiers like "__COMMON_H_" and "__PROBE_H_" do not fit the expected naming convention of the C language standard.
Would you like to adjust your selection for unique names?
I suggest to reuse a higher level build system than your current small make file so that powerful checks for software features will become easier.
When using an HTTP proxy to contact an openvpn server, the packets are accounted as http ones, and not openvpn. So in the protocol section, I had to point http to the openvpn port. It's the expected behavior, but I have searched for a solution for 2 months ^^ You should add a note in the README to help the other users. I use it on port 443, so redirecting http on this port should not be a problem.
Hi,
I tested sslh-fork and sslh-select on Ubuntu with --transparent option running under an unprivileged user sslh.
For some reason sslh-select starts hanging after a couple connections coming in showing problems during protocol detection.
This doesn't happen when I use sslh-fork.
/var/log/auth.log:
May 10 20:01:42 hostname sshd[6903]: Bad protocol version identification '\026\003\001' from 169.xx.xx.xx port 38046
turning on verbose I see the following:
**** writing deferred on fd -1
probing for ssh
probing for ssl
connecting to hostname:4443 family 2 len 16
flushing deferred data to fd 24
processing fd0 slot 9
connecting to hostname:4422 family 2 len 16
flushing deferred data to fd 25
processing fd0 slot 10
connecting to hostname:4422 family 2 len 16
flushing deferred data to fd 26
selecting... max_fd=35 num_probing=0
processing fd1 slot 0
activity on fd6
...
processing fd0 slot 1
**** writing deferred on fd -1
probing for ssh
probing for ssl
connecting to hostname:4443 family 2 len 16
flushing deferred data to fd 8
...
My system setup:
Kernel: Linux hostname 3.13.0-24-generic
SSLH version: v1.16-13-gd10b539
SSLH daemon opts: --transparent --user sslh --listen 192.168.1.2:443 --ssh 192.168.1.2:4422 --ssl 192.168.1.2:4443 --pidfile /var/run/sslh/sslh.pid
used the iptables, ip route, ip rule settings from the README.
I asked on unix.stackexchange.com why this software was so processor-intensive. This is the question and the very good answer I got; it seems to be a bug. Hope this helps.
http://unix.stackexchange.com/questions/141337/port-multiplexer-sslh-why-is-it-so-resource-intensive
Has this been used on an embedded system with an ARM CPU?
Looking at applying it and curious about the status.
Hi!
I'm using sslh on Debian 8.0 (Jessie) and use the transparent proxy feature.
Where should I put the iptables script to make it persistent? I think there should be a hint added to the (otherwise great) documentation.
Hello Admin,
I try to use sslh to re-assign my socks5 task to port 8088, but it seems the program cannot recognise it. I'm trying to use shadowsocks in order to use Google, but the firewall in my office only allows a few ports like 80, 443 and 22. I try to use a proxy to transfer the information to the server port 443; if it can recognize it as a socks5 protocol it can further deliver the info to 8088. That's how I access Google.
Well, you know my position now...
Any guide on this? Thanks a lot.
while adding systemd support I realized this program fork()s for every connection, which is horrible for performance. It would be much better to use the SO_REUSEPORT functionality of Linux 3.9+.
--openvpn + --ssl seems to work. But with --openvpn + --ssh OpenVPN throws WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1546 -- please en
Good evening,
on my rpi2 running Raspbian Wheezy make install (and install-debian) fails when using USELIBCAP=1. Configure, make and install (and operation of sslh) are fine when I don't use USELIBCAP.
Make fails at "cc -Wall -g -o sslh-fork sslh-fork.o common.o sslh-main.o probe.o tls.o -lconfig -lcap". Nothing happens after that. Even after hours. No error is given.
libcap-dev, libcap2 and libcap2-bin are installed.
What could possibly be the cause of this error? Thank you in advance!
I'm using Debian 7.8 and sslh-select v1.17.
My sslh.cfg:
listen:
(
{ host: "0.0.0.0"; port: "443"; }
);
protocols:
(
{ name: "ssh"; service: "ssh"; host: "192.168.0.1"; port: "222"; probe: "builtin"; },
{ name: "ssl"; host: "192.168.0.1"; port: "4443"; probe: "builtin"; }
);
Transparent proxying is working fine, except for one situation.
I tunnel via ssh on port 443 and try to open https://192.168.0.1:443.
I'm getting ERR_CONNECTION_CLOSED and sslh is writing in auth.log:
bind:98:Address already in use
bind_peer:98:Address already in use
I can open https://192.168.0.1:4443 successfully.
Hi,
we have been using sslh for many years. Sometimes from a PC (e.g. using the PuTTY client) it doesn't recognize the ssh traffic and forwards the traffic to SSL. The result is that the server closes the connection.
We are using the last release available on Debian squeeze.
The log reports:
accepted fd 4
connected to something
Dec 14 17:39:37 localhost sslh[25768]: connection from XX.XX.XX.XX:24586 forwarded to SSL
server socket closed
connection closed down
sslh starts with the following opts:
DAEMON_OPTS="-u sslh -p 0.0.0.0:443 -s 127.0.0.1:22 -l 127.0.0.1:442 -P /var/run/sslh.pid -v"
x86_64-gentoo-linux-musl-gcc -march=native -O2 -fstack-protector-all -fomit-frame-pointer -DLIBWRAP -DLIBCONFIG -DLIBCAP -c sslh-main.c
x86_64-gentoo-linux-musl-gcc -march=native -O2 -fstack-protector-all -fomit-frame-pointer -DLIBWRAP -DLIBCONFIG -DLIBCAP -c probe.c
probe.c: In function ‘regex_probe’:
probe.c:229:50: error: ‘REG_STARTEND’ undeclared (first use in this function)
for (; *probe && regexec(*probe, p, 0, &pos, REG_STARTEND); probe++)
^
probe.c:229:50: note: each undeclared identifier is reported only once for each function it appears in
Makefile:43: recipe for target 'probe.o' failed
Would you like to add more error handling for return values from functions like the following?
Hello,
I'm running sslh v1.17 on FreeBSD 10.2-RELEASE-p2 and I get an error when trying to enable transparent proxying. I have security.jail.allow_raw_sockets: 1, but after setting transparent to true and restarting the service, if I start a request I receive
connect: Operation not permitted
at the console, and
Sep 10 19:31:03 proxy sslh-fork[29529]: setsockopt IP_BINDANY:1:Operation not permitted
Sep 10 19:31:03 proxy sslh-fork[29529]: bind_peer:1:Operation not permitted
in the messages log. Changing the user from nobody to root doesn't help.
My config is:
verbose: false;
foreground: false;
inetd: false;
numeric: true;
transparent: false;
timeout: "2";
user: "nobody";
pidfile: "/var/run/sslh.pid";
listen:
(
{ host: "192.168.24.28"; port: "444"; }
);
protocols:
(
{ name: "tls"; host: "192.168.24.28"; port: "443"; probe: "builtin"; },
{ name: "ssh"; service: "ssh"; host: "192.168.23.24"; port: "44"; probe: "builtin"; },
{ name: "xmpp"; host: "192.168.24.20"; port: "522"; probe: "builtin"; },
{ name: "anyprot"; host: "192.168.24.28"; port: "443"; probe: "builtin"; }
);
Any ideas what might be causing this?
Thank you!
genver.sh prints the ambiguous zip-date style for the version, instead of the correct format (i.e., v1.16) when compiled from the tarballed release.
The current iptables directive recommended in the README for transparent proxying targets too wide.
iptables -t mangle -A OUTPUT -p tcp -o eth0 --sport 22 -j SSLH
As it is, all the outgoing packets from port 22 (ssh daemon) are marked (and treated specially). The problem is that it also marks the connections made directly to port 22, so the only way to ssh is via the sslh port. It should also permit direct connections to port 22.
Hello,
I am trying to integrate SSLH into my existing OpenSSH and Apache setup. I changed Apache to listen on port 1234, and set SSLH to direct HTTPS (i.e. with SSL) connections on port 443 to port 1234, and SSH connections to my OpenSSH port. SSH works, but HTTPS doesn't.
When I try to open my webpage on the Apache server, my browser tells me "Secure Connection Failed The connection to nycticebus.penonek.com was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."
Is this a known issue, and if so how might I alleviate it? Thank you!
As there is a builtin probe for the common protocols, the probe directive could be made optional, with a default of "builtin".
Could you support detection of DNS on port 53/tcp?
Hi,
I've been using sslh for some time without issue but now the following is happening (I'm running Debian on both server and client, and I just pulled the latest git version and the same issue is present):
If I run this:
/usr/sbin/sslh --ssl 127.0.0.1:8443 --ssh 127.0.0.1:22 -p 0.0.0.0:443 -v -f
Then ssh it like this from another computer:
ssh @ -p 443
It hangs for awhile and then displays:
ssh_exchange_identification: Connection closed by remote host
Meanwhile the output from sslh is as follows:
ssl addr: localhost:8443. libwrap service: (null) family 2 2
ssh addr: localhost:ssh. libwrap service: sshd family 2 2
listening on:
0.0.0.0:https
timeout to ssh: 2
listening to 1 addresses
sslh-fork v1.13b started
accepted fd 4
connecting to localhost:8443 family 2 len 16
connection from to :https forwarded from localhost:46072 to localhost:8443
flushing defered data to fd 3
As you can see, it is incorrectly forwarding the SSH traffic to the HTTPS webserver.
HTTPS access continues to work correctly.
I guess stunnel has this functionality if you have it terminate your SSL connections, but I think it can be done without terminating them?
Basically lots of things run over TLS, imaps, stmps, openvpn, https etc etc, so if sslh listened on port 443, it could detect if the connection was TLS and had an SNI name, and then forward to the correct backend port based off that?
For example I'd have www.example.org forward to nginx, vpn.example.org could forward to openvpn, imap.example.org would forward to dovecot, smtp.example.org to postfix etc etc, and I guess it'd fallback to whatever --ssl was set to if an SNI name wasn't set? Is this doable with a tool like sslh?
edit:
For example if in one screen you run netcat, then try to connect to it with SNI, you get this:
$ nc -l 1234 | xxd
0000000: 1603 0101 4001 0001 3c03 03e3 318b 17c9 ....@...<...1...
0000010: 518b d555 5e5d ca15 bcf3 cb3b b2cc 75c7 Q..U^].....;..u.
0000020: 8616 7d0b 12f1 4878 ead3 bb00 0092 c030 ..}...Hx.......0
0000030: c02c c028 c024 c014 c00a 00a3 009f 006b .,.(.$.........k
0000040: 006a 0039 0038 0088 0087 c032 c02e c02a .j.9.8.....2...*
0000050: c026 c00f c005 009d 003d 0035 0084 c012 .&.......=.5....
0000060: c008 0016 0013 c00d c003 000a c02f c02b ............./.+
0000070: c027 c023 c013 c009 00a2 009e 0067 0040 .'.#.........g.@
0000080: 0033 0032 009a 0099 0045 0044 c031 c02d .3.2.....E.D.1.-
0000090: c029 c025 c00e c004 009c 003c 002f 0096 .).%.......<./..
00000a0: 0041 c011 c007 c00c c002 0005 0004 0015 .A..............
00000b0: 0012 0009 0014 0011 0008 0006 0003 00ff ................
00000c0: 0100 0081 0000 0010 000e 0000 0b65 7861 .............exa
00000d0: 6d70 6c65 2e63 6f6d 000b 0004 0300 0102 mple.com........
00000e0: 000a 0034 0032 000e 000d 0019 000b 000c ...4.2..........
00000f0: 0018 0009 000a 0016 0017 0008 0006 0007 ................
0000100: 0014 0015 0004 0005 0012 0013 0001 0002 ................
0000110: 0003 000f 0010 0011 0023 0000 000d 0020 .........#.....
0000120: 001e 0601 0602 0603 0501 0502 0503 0401 ................
0000130: 0402 0403 0301 0302 0303 0201 0202 0203 ................
The s_client command used is:
openssl s_client -connect 127.0.0.1:1234 -showcerts -tls1_2 -servername example.com
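The SNI-based dispatch requested above, as an added example in C that is not part of sslh: a bounds-checked ClientHello parser that pulls the server_name host out of bytes like the hex dump, a small routing table with the same fall-back-to---ssl behaviour the request describes, and a builder that produces a constructed ClientHello for trying it out. The route table, the backend addresses and the 127.0.0.1:4443 default are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Parse one TLS record; if it is a ClientHello carrying a server_name extension, copy the
 * host_name into out. Returns 1 (SNI found), 0 (ClientHello without SNI) or -1 (not TLS,
 * malformed, or the record is not completely buffered yet, so the caller should read more). */
int tls_extract_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 5 || buf[0] != 0x16) return -1;                /* 0x16 = handshake record */
    size_t end = 5 + be16(buf + 3), pos = 5;
    if (end > len) return -1;                                /* record header promises more bytes */
    if (pos + 4 > end || buf[pos] != 0x01) return -1;        /* 0x01 = client_hello */
    size_t hs_len = ((size_t)buf[pos + 1] << 16) | be16(buf + pos + 2); pos += 4;
    if (pos + hs_len > end) return -1;
    end = pos + hs_len;
    if (pos + 34 > end) return -1; pos += 34;                /* client_version(2) + random(32) */
    if (pos + 1 > end) return -1; pos += 1 + buf[pos];       /* session_id */
    if (pos + 2 > end) return -1; pos += 2 + be16(buf + pos);/* cipher_suites */
    if (pos + 1 > end) return -1; pos += 1 + buf[pos];       /* compression_methods */
    if (pos == end) return 0;                                /* no extensions block at all */
    if (pos + 2 > end) return -1;
    size_t ext_end = pos + 2 + be16(buf + pos); pos += 2;
    if (ext_end > end) return -1;
    while (pos + 4 <= ext_end) {                             /* extension: type(2) length(2) data */
        size_t type = be16(buf + pos), elen = be16(buf + pos + 2); pos += 4;
        if (pos + elen > ext_end) return -1;
        if (type != 0x0000) { pos += elen; continue; }      /* 0x0000 = server_name */
        if (elen < 2) return -1;
        size_t p = pos + 2, list_end = p + be16(buf + pos);  /* ServerNameList */
        if (list_end > pos + elen) return -1;
        while (p + 3 <= list_end) {                          /* entry: name_type(1) length(2) name */
            uint8_t ntype = buf[p]; size_t nlen = be16(buf + p + 1); p += 3;
            if (p + nlen > list_end) return -1;
            if (ntype == 0x00) {                             /* 0x00 = host_name */
                if (nlen == 0 || nlen >= outlen) return -1;
                for (size_t i = 0; i < nlen; i++)            /* printable ASCII only: safe to log */
                    if (buf[p + i] <= 0x20 || buf[p + i] >= 0x7f) return -1;
                memcpy(out, buf + p, nlen); out[nlen] = '\0';
                return 1;
            }
            p += nlen;
        }
        return -1;                                           /* server_name without a host_name */
    }
    return 0;
}

/* Constructed routing table for the scenario above; backend addresses are placeholders. */
struct sni_route { const char *name; const char *backend; };
static const struct sni_route routes[] = {
    { "www.example.org",  "127.0.0.1:8443" },               /* nginx */
    { "imap.example.org", "127.0.0.1:993"  },               /* dovecot */
    { "smtp.example.org", "127.0.0.1:465"  },               /* postfix */
};
static const char *ssl_default = "127.0.0.1:4443";           /* what --ssl would point at (assumed) */

/* Backend for a buffer that may be a ClientHello; NULL means "not TLS, let other probes run". */
const char *route_by_sni(const uint8_t *buf, size_t len)
{
    char host[256];
    int r = tls_extract_sni(buf, len, host, sizeof host);
    if (r < 0) return NULL;
    if (r == 1)
        for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++)
            if (strcasecmp(host, routes[i].name) == 0) return routes[i].backend;
    return ssl_default;                                      /* no SNI or unknown name: plain --ssl behaviour */
}

/* Build a minimal TLS 1.2 ClientHello as constructed test input (not captured traffic);
 * sni == NULL yields a hello with an empty extensions block. Returns bytes written, 0 on error. */
size_t build_client_hello(const char *sni, uint8_t *buf, size_t cap)
{
    size_t n = sni ? strlen(sni) : 0, ext = sni ? 9 + n : 0, body = 43 + ext;
    if (n > 200 || cap < 9 + body) return 0; uint8_t *p = buf;
    const uint8_t head[] = { 0x16, 0x03, 0x01, (uint8_t)((4 + body) >> 8), (uint8_t)(4 + body),
                             0x01, 0x00, (uint8_t)(body >> 8), (uint8_t)body, 0x03, 0x03 };
    memcpy(p, head, sizeof head); p += sizeof head;          /* record hdr, handshake hdr, client_version */
    memset(p, 0xab, 32); p += 32;                            /* "random": fixed bytes for reproducibility */
    const uint8_t mid[] = { 0x00, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00, 0x00, (uint8_t)ext };
    memcpy(p, mid, sizeof mid); p += sizeof mid;             /* empty session_id, one suite, null compression, ext len */
    if (sni) {
        const uint8_t sn[] = { 0x00, 0x00, 0x00, (uint8_t)(5 + n), 0x00, (uint8_t)(3 + n), 0x00, 0x00, (uint8_t)n };
        memcpy(p, sn, sizeof sn); p += sizeof sn;            /* server_name ext hdr, list len, host_name, name len */
        memcpy(p, sni, n); p += n;
    }
    return (size_t)(p - buf);
}
```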
When compiling sslh 1.16 in the openSUSE Build Service, I get the following informational output from rpmlint:
missing-call-to-setgroups-before-setuid /usr/sbin/sslh
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and
this would be a potential security issue to be fixed. Seek POS36-C on the web
for details about the problem.
I used the following patch to get rid of the message:
Index: sslh-v1.16/common.c
===================================================================
--- sslh-v1.16.orig/common.c
+++ sslh-v1.16/common.c
@@ -577,6 +577,14 @@ void drop_privileges(const char* user_na
set_keepcaps(1);
+ /* When dropping privileges from root, the `setgroups` call will
+ * remove any extraneous groups. If we don't call this, then
+ * even though our uid has dropped, we may still have groups
+ * that enable us to do super-user things. This will fail if we
+ * aren't root, so don't bother checking the return value, this
+ * is just done as an optimistic privilege dropping function.
+ */
+ setgroups(0, NULL);
res = setgid(pw->pw_gid);
CHECK_RES_DIE(res, "setgid");
res = setuid(pw->pw_uid);
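Review bot: The comment on the added setgroups(0, NULL) call says its return value is deliberately ignored, but in the one case that matters, running as root, a failure here leaves the process holding its supplementary groups after the uid is dropped, which is exactly what the rpmlint POS36-C warning is about; consider giving it the same CHECK_RES_DIE treatment the setgid/setuid calls below it get when geteuid() == 0, and only tolerating the EPERM seen when not root. Also, glibc declares setgroups() in <grp.h> and the hunk does not show that include being added to common.c, so check it is already there. The placement itself is right: supplementary groups have to be dropped before setgid/setuid, while the process still has the privilege to do so.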
Maybe you can check/integrate this?
If you follow the instructions of the configuration section sslh doesn't start. You have to copy the basic.cfg or example.cfg file as /etc/default/sslh and modify the "listen" section with your settings (for example IP address).
Hi.
I have a new problem: I can't make the config file work. In my current config file, ns342653 is defined in /etc/hosts with my IPv4 and v6 public addresses. When I try to connect with ssh, I have this log:
déc. 23 09:58:48 ns342653.ip-91-121-135.eu sslh[28923]: **** writing deferred on fd -1
déc. 23 09:58:48 ns342653.ip-91-121-135.eu sslh[28923]: all probes failed, connecting to first protocol: ssh
déc. 23 09:58:48 ns342653.ip-91-121-135.eu sslh[28923]: connecting to localhost.localdomain:ssh family 2 len 16
I also would like to make the transparent proxy work. What host should I put in the hosts directive? ns342653?
It happens that both ends of the connection become unavailable. Because sslh doesn't set SO_KEEPALIVE on the receiving and sending socket, the process is never terminated.
Please add SO_KEEPALIVE on both ends.
I don't really understand the timeout directive. Why does it default to ssh? I think it should simply drop the connection with a timeout error.
sslh does not provide this information at the moment and it is not possible to log/restrict clients on a local/vhost web server. However, it is technically possible.
NGINX, for example, has the following settings:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
or by using:
proxy_redirect default;
Please consider implementing it as well.
Hi,
It's unclear to me about the license of sslh, can you put a license file in the tree and add header for all files?
Thanks.
Hello guys! I am running openvpn server version 2.3.10 and client version 2.3.9. sslh is running on Debian 7, sslh version is 1.17.
I've launched sslh with following options:
sslh --listen 0.0.0.0 443 --openvpn 127.0.0.1 1194 --ssh 127.0.0.1 22 --ssl 127.0.0.2 4443 --xmpp 10.0.0.13 5222
Proxying for ssh, ssl, xmpp works. For openvpn it doesn't!
All that client logs say is:
mar 02 10:14:15 localhost openvpn@Dell[20363]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
mar 02 10:14:15 localhost openvpn@Dell[20363]: TLS Error: TLS handshake failed
The openvpn server does not seem to get any connection attempt.
openvpn server has no 'local' directive.
I forgot to mention that without sslh in the middle openvpn is working perfectly.
This commit prevents cmdline_config() working in the expected manner:
The function is meant to try /etc/sslh/sslh.cfg first if no configuration is given and then fall back to /etc/sslh.cfg and then if still no configuration fail.
Since config_parse() as of this commit bails on a nonexistent file then if no config is provided /etc/sslh/sslh.cfg will be tried and when that's not found it will bail rather than test for /etc/sslh.cfg next.
We should either change cmdline_config to only check one file (or no default file) or revert the commit so that cmdline_config() still works as expected.
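One way to implement the lookup order the issue describes, as an added example in C (not sslh's own cmdline_config()/config_parse()): a path that does not exist falls through to the next default, while a file that exists but cannot be opened or parsed stops the search. parse_config_file is a hypothetical stand-in for a real parser, and write_temp_config is only a fixture for trying the logic out.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of walking the list of default configuration paths. */
enum cfg_result { CFG_FOUND = 0, CFG_NONE_FOUND = 1, CFG_ERROR = 2 };

/* Hypothetical stand-in for a real parser: the file is "valid" if its first line is "ok". */
static int parse_config_file(FILE *f)
{
    char line[64];
    return (fgets(line, sizeof line, f) && strcmp(line, "ok\n") == 0) ? 0 : -1;
}

/* Try each candidate path in order, e.g. { "/etc/sslh/sslh.cfg", "/etc/sslh.cfg" }.
 * A missing file (ENOENT) is not an error and the next candidate is tried; a file that
 * exists but cannot be opened or parsed stops the search, so a broken first file is
 * reported rather than silently shadowed by the second. On CFG_FOUND, *chosen is the
 * index of the file that was loaded. */
enum cfg_result load_first_config(const char *const *paths, size_t n, size_t *chosen)
{
    for (size_t i = 0; i < n; i++) {
        FILE *f = fopen(paths[i], "r");
        if (!f) {
            if (errno == ENOENT) continue;         /* not present: fall through to the next default */
            return CFG_ERROR;                      /* present but unreadable: do not hide that */
        }
        int rc = parse_config_file(f);
        fclose(f);
        if (rc != 0) return CFG_ERROR;             /* present but invalid: fail loudly */
        *chosen = i;
        return CFG_FOUND;
    }
    return CFG_NONE_FOUND;                         /* no default at all: caller decides what to do */
}

/* Test fixture only: write content to a fresh temporary file and return its path in path_out. */
int write_temp_config(const char *content, char *path_out, size_t pathlen)
{
    char tmpl[] = "/tmp/sslh-cfg-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); return -1; }
    fputs(content, f);
    fclose(f);
    snprintf(path_out, pathlen, "%s", tmpl);
    return 0;
}
```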
Ubuntu 12.04.3 LTS
sslh v1.15-21-ga168461
sudo make install
./genver.sh: 3: [: x-r: unexpected operator
Changing /bin/sh to /bin/bash in genver.sh resolves the issue.
Thanks.