| Age | Commit message (Collapse) | Author |
|---|
|
|
|
effectively disabled support for the SSL protocols. SSL remains a
common term describing SSL/TLS, there is some controvery about this
change, and the name really doesn't matter, but I feel confident about
it now.
(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
|
found by yasuoka@
|
|
|
|
|
|
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.
pfctl parse.y patch from and ok deraadt@
|
|
This should be equivalent to the statistics available
via the various relaydctl show commands
okay benno@ reyk@
|
|
to a single line and print to stderr instead of stdout. This makes it
easier to follow the debug output again. Also, as a rule of thumb, it
is OK to exceed 80 chars for these kinds of developer debug messages.
OK blambert@
|
|
SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform
with another SSL library). Also fix the SSLv3 handling so that 'no sslv3'
actually works as intended.
ok reyk@
|
|
format string, create a temporary message.
OK deraadt@
|
|
ok millert@
|
|
relevant example snippet in the relayd.conf(5) man page.
Change the default SSL protocols in the example file/man page to
"no tlsv1.0" (suggested by sthen@), which will enable the TLSv1.1
and TLSv1.2 protocols only.
feedback/ok jsing@ reyk@ sthen@
|
|
It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following
directive in a relay block: "transparent forward to destination".
OK sthen@
|
|
OK sthen@ jsing@
|
|
Instead of the widespread-but-overflow-prone
while (newlen < wanted) { newlen *= 2; }
idiom, just realloc() for the space requested by the caller and check
for additive overflow.
Also change type of 'newlen' variable from int to size_t to avoid
overflows there.
Pointed out by deraadt@
ok reyk@
|
|
ok reyk@
|
|
|
|
as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
|
work done by andre@
Re-add a randomized hash seed (which had apparently
gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured
to forward traffic to the same host, falling back to
the random seed when not explicitly configured to do so.
ok reyk@
|
|
now instead of terminating the process.
ok florian@
|
|
"Sync with RFC 7230-7235 phrases and IANA registered status codes.
ok reyk@"
|
|
happend with non-persistent PUT connections that had a very short
body. If the whole body was read from the client before the
connection to the server was set up, the event callback was not
called. Do the regular checks after relay_connect() succeeded.
OK reyk@
|
|
request. Additionally, the DNS code tried to use an invalid timeout.
Fix from mm@freebsd.org
Reported by Johan Schuijt
|
|
ok reyk benno
|
|
the other direction, the timeouts did not work. They were longer
than specified. Link the splicing and non-splicing timeouts.
Found by make run-regress-args-timeout-http.pl
OK reyk@
|
|
|
|
|
|
ok reyk
|
|
ok reyk
|
|
ok reyk
|
|
ok benno@
|
|
implicit ok reyk
|
|
common web servers). Add a related regress test.
OK benno@
|
|
|
|
|
|
clients. Additionally, add options for disallowing client-initiated
renegotiations and to prefer the server's cipher list over the
client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was
discussed with jsing@ resulting in a few different defaults.
ok benno@
|
|
gurus.
ok reyk@ benno@
|
|
with associated lists instead of the complicated lookup table and
"others" list. This might add a little malloc overhead for common
headers but also fixes some issues like the handling of repeated
headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part)
ok benno@
|
|
suggested by reyk@
|
|
ok reyk@
|
|
ok benno@
|
|
bogus pointer values - make sure to zero the first rule_kv element.
awesome benno@
|
|
Found by clang.
|
|
|
|
|
|
language. The grammar is inspired by pf and allows to write versatile
last-matching filter rules in protocol sections starting with the
"pass", "block" or "match" keywords. This work was started almost two
years ago and replaces large parts of relayd(8)'s HTTP and filtering
code. The initial version reimplements and extends HTTP filtering,
but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
|
ok reyk
|
|
|
|
ok eric@
|
|
From thib
|
