Included a diff for updating sslh to 1.12. From the changelog:
- Added support for a configuration file.
- New protocol probes can be defined using regular expressions that match the first packet sent by the client.
- sslh now connects timed-out connections to the first configured protocol instead of 'ssh' (just make sure ssh is the first defined protocol).
- sslh now tries protocols in the order in which they are defined (just make sure sslh is the last defined protocol).
OK? -- Björn Ketelaars
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/sslh/Makefile,v
retrieving revision 1.3
diff -p -u -r1.3 Makefile
--- Makefile 22 Apr 2012 20:50:12 -0000 1.3
+++ Makefile 12 May 2012 14:22:41 -0000
@@ -2,7 +2,7 @@
 COMMENT = ssl/ssh multiplexer
-VERSION = 1.11
+VERSION = 1.12
 DISTNAME = sslh-${VERSION}
 CATEGORIES = security net
 REVISION = 0
@@ -18,14 +18,21 @@ PERMIT_DISTFILES_FTP = Yes
 MASTER_SITES = http://www.rutschle.net/tech/ \
 http://mirror2.openwrt.org/sources/
-WANTLIB = c wrap
+WANTLIB = c config wrap
+
+ LIB_DEPENDS = devel/libconfig
+
+ MAKE_FLAGS = CC="${CC}" \
+ CFLAGS="${CFLAGS} -I${LOCALBASE}/include -Wall -DLIBWRAP -DLIBCONFIG" \
+ LIBS="${LIBS} -L${LOCALBASE}/lib -lwrap -lconfig"
-MAKE_FLAGS = CC="${CC}"
 NO_REGRESS = Yes
 do-install:
 ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/sslh
+ ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sslh
 ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sslh
+ ${INSTALL_DATA} ${WRKSRC}/example.cfg ${PREFIX}/share/examples/sslh/sslh.conf
 ${INSTALL_DATA} ${WRKSRC}/sslh.8 ${PREFIX}/man/man8
 .for p in sslh-fork sslh-select
 ${INSTALL_PROGRAM} ${WRKSRC}/$p ${PREFIX}/sbin
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/sslh/distinfo,v
retrieving revision 1.2
diff -p -u -r1.2 distinfo
--- distinfo 22 Apr 2012 20:50:12 -0000 1.2
+++ distinfo 12 May 2012 14:22:41 -0000
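Review bot: The libwrap/libconfig build flags are now maintained in two places: this hunk passes `CFLAGS="${CFLAGS} -I${LOCALBASE}/include -Wall -DLIBWRAP -DLIBCONFIG"` and `LIBS="${LIBS} -L${LOCALBASE}/lib -lwrap -lconfig"` through MAKE_FLAGS, while the `@@ -17,20 +17,25 @@` hunk of patches/patch-Makefile appends the same `-lwrap -lconfig` and `-Wall -DLIBWRAP -DLIBCONFIG` inside the upstream Makefile. MAKE_FLAGS reaches make on its command line, where a variable assignment overrides any `CFLAGS:=`/`LIBS:=` in the makefile, so the patched lines are presumably inert in the port build and only have to be re-rolled on the next update; keeping MAKE_FLAGS as the single source and dropping those lines from the patch would be simpler. In the same file, the first hunk bumps VERSION but leaves `REVISION = 0` in place; OpenBSD convention is to drop REVISION when the upstream version changes.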
@@ -1,5 +1,5 @@
-MD5 (sslh-1.11.tar.gz) = TqWZ8PoxriNWRuWiALj4+w==
-RMD160 (sslh-1.11.tar.gz) = M5SJ9peu42Wppt2BADbrzxRikIg=
-SHA1 (sslh-1.11.tar.gz) = +TDdC6F+prHf+S6lZuPvZorVhGg=
-SHA256 (sslh-1.11.tar.gz) = 4b9pmsKZCVRGKSbCYUC4rkDavhB7ua74mWelLH4UHlQ=
-SIZE (sslh-1.11.tar.gz) = 25779
+MD5 (sslh-1.12.tar.gz) = JlAU7NrkUS6sypGq/wuagQ==
+RMD160 (sslh-1.12.tar.gz) = nYcMu5L4GGQtd5XYwagSFQynZ5w=
+SHA1 (sslh-1.12.tar.gz) = YV56XxfGSajzUDVyfq++ovYLjNM=
+SHA256 (sslh-1.12.tar.gz) = +YZiW8yLYSdUsrjJX4frcX9U8Iw1aIL/LOCwkL4MKdY=
+SIZE (sslh-1.12.tar.gz) = 30305
Index: patches/patch-Makefile
===================================================================
RCS file: /cvs/ports/net/sslh/patches/patch-Makefile,v
retrieving revision 1.1.1.1
diff -p -u -r1.1.1.1 patch-Makefile
--- patches/patch-Makefile 13 Apr 2012 14:14:21 -0000 1.1.1.1
+++ patches/patch-Makefile 12 May 2012 14:22:41 -0000
@@ -1,6 +1,6 @@
---- Makefile.orig Sat Nov 26 19:06:58 2011
-+++ Makefile Fri Mar 23 19:53:40 2012
-@@ -5,26 +5,19 @@
+--- Makefile.orig Fri May 11 19:38:15 2012
++++ Makefile Fri May 11 19:40:06 2012
+@@ -6,31 +6,19 @@ USELIBWRAP= # Use libwrap?
 COV_TEST= # Perform test coverage?
 PREFIX=/usr/local
@@ -17,20 +17,25 @@
 CC = gcc
 -CFLAGS=-Wall -g $(CFLAGS_COV)
- #LIBS=-lnet
 LIBS=
- OBJS=common.o sslh-main.o
+ OBJS=common.o sslh-main.o probe.o
 -ifneq ($(strip $(USELIBWRAP)),)
 - LIBS:=$(LIBS) -lwrap
 - CFLAGS:=$(CFLAGS) -DLIBWRAP
 -endif
-+LIBS:=$(LIBS) -lwrap
-+CFLAGS:=$(CFLAGS) -Wall -DLIBWRAP
++LIBS:=$(LIBS) -lwrap -lconfig
++CFLAGS:=$(CFLAGS) -Wall -DLIBWRAP -DLIBCONFIG
+-ifneq ($(strip $(USELIBCONFIG)),)
+- LIBS:=$(LIBS) -lconfig
+- CFLAGS:=$(CFLAGS) -DLIBCONFIG
+-endif
+-
 all: sslh $(MAN) echosrv
-@@ -46,7 +39,7 @@
+ .c.o: *.h
+@@ -51,7 +39,7 @@
 echosrv: $(OBJS) echosrv.o
 $(CC) $(CFLAGS) -o echosrv echosrv.o common.o $(LIBS)
 $(MAN): sslh.pod Makefile
@@ -39,8 +44,3 @@
 # generic install: install binary and man page
 install: sslh $(MAN)
-@@ -72,4 +65,3 @@
-
- test:
- ./t
--
Index: patches/patch-example_cfg
===================================================================
RCS file: patches/patch-example_cfg
diff -N patches/patch-example_cfg
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-example_cfg 12 May 2012 14:22:41 -0000
@@ -0,0 +1,38 @@
+--- example.cfg.orig Tue May 8 11:49:34 2012
++++ example.cfg Sat May 12 16:21:33 2012
+@@ -1,17 +1,17 @@
+ verbose: false;
+-foreground: true;
++foreground: false;
+ inetd: false;
+ numeric: false;
+ timeout: 2;
+-user: "nobody";
+-pidfile: "/var/run/sslh.pid";
++user: "_sslh";
++#pidfile: "/var/run/sslh.pid";
+
+ # List of interfaces on which we should listen
+ listen:
+ (
+- { host: "thelonious"; port: "443"; }
+-# , { host: "thelonious"; port: "8080"; }
++ { host: "0.0.0.0"; port: "443"; }
++# , { host: "::0"; port: "443"; }
+ );
+
+ # List of protocols
+@@ -32,9 +32,8 @@ listen:
+ protocols:
+ (
+ { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },
+- { name: "openvpn"; host: "localhost"; port: "1194"; probe: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
+- { name: "xmpp"; host: "localhost"; port: "5222"; probe: [ "jabber" ]; },
+- { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
++# { name: "openvpn"; host: "localhost"; port: "1194"; probe: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
++# { name: "xmpp"; host: "localhost"; port: "5222"; probe: [ "jabber" ]; },
++# { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
+ { name: "ssl"; host: "localhost"; port: "443"; probe: [ "" ]; }
+ );
+-
Index: patches/patch-sslh_main_c
===================================================================
RCS file: patches/patch-sslh_main_c
diff -N patches/patch-sslh_main_c
--- patches/patch-sslh_main_c 22 Apr 2012 20:50:12 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
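Review bot: The shipped example encodes a safety-relevant ordering only implicitly: per the changelog quoted at the top, 1.12 sends timed-out connections (`timeout: 2;`) to the first configured protocol and tries probes in definition order, and the `ssl` entry's `probe: [ "" ]` is the catch-all, so `ssh` has to stay first and `ssl` last or unidentified clients end up at whichever backend happens to be listed first. A one-line comment above `protocols:` would make this explicit to whoever copies the file, e.g. `# Order matters: timed-out connections go to the first entry, and the ssl catch-all probe must stay last.` Separately, `user: "_sslh";` assumes that account exists on the target system; this diff shows no `@newuser` entry for it, so unless the existing port already creates `_sslh` (PLIST lines outside this diff), the daemon will presumably refuse to start when it tries to switch to that user — worth confirming.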
@@ -1,11 +0,0 @@
---- sslh-main.c.orig Sat Apr 21 17:34:25 2012
-+++ sslh-main.c Sun Apr 22 09:41:43 2012
-@@ -54,7 +54,7 @@
- "-t: timeout before connecting to SSH.\n" \
- "-p: address and port to listen on.\n Can be used several times to bind to several addresses.\n" \
- "--[ssh,ssl,...]: where to connect connections from corresponding protocol.\n" \
--"-P: PID file. Default: /var/run/sslh.pid.\n" \
-+"-P: PID file.\n" \
- "-i: Run as a inetd service.\n" \
- "";
-
Index: patches/patch-sslh_pod
===================================================================
RCS file: /cvs/ports/net/sslh/patches/patch-sslh_pod,v
retrieving revision 1.2
diff -p -u -r1.2 patch-sslh_pod
--- patches/patch-sslh_pod 22 Apr 2012 20:50:12 -0000 1.2
+++ patches/patch-sslh_pod 12 May 2012 14:22:41 -0000
@@ -1,6 +1,6 @@
---- sslh.pod.orig Sat Apr 21 18:34:14 2012
-+++ sslh.pod Sun Apr 22 09:45:36 2012
-@@ -16,12 +16,19 @@
+--- sslh.pod.orig Sat May 12 15:39:27 2012
++++ sslh.pod Sat May 12 15:43:25 2012
+@@ -17,12 +17,19 @@ to connect to any of these servers on port 443 (e.g. f
 inside a corporate firewall, which almost never block port 443)
 while still serving HTTPS on that port.
@@ -21,25 +21,15 @@
 =head2 Protocol detection
 The protocol detection is made based on the first bytes sent
-@@ -45,17 +52,6 @@
- provides, and connects it to the SSH server if it starts
- with "SSH-", or connects it to the SSL server otherwise.
+@@ -78,7 +85,6 @@ Alternatively, the I<probe> parameter can be set to
+ "builtin", to use the compiled probes which are much faster
+ than regular expressions.
--=head2 Libwrap support
--
--One drawback of B<sslh> is that the B<ssh> and B<httpd>
--servers do not see the original IP address of the client
--anymore, as the connection is forwarded through B<sslh>.
--B<sslh> provides enough logging to circumvent that problem.
--However it is common to limit access to B<ssh> using
--B<libwrap> or B<tcpd>. For this reason, B<sslh> can be
--compiled to check SSH accesses against SSH access lists as
--defined in F</etc/hosts.allow> and F</etc/hosts.deny>.
-
 =head1 OPTIONS
 =over 4
-@@ -140,24 +136,6 @@
+@@ -164,24 +170,6 @@ Runs as an I<inetd> server. Options B<-P> (PID file),
 Runs in foreground. The server will not fork and will remain connected to the terminal. Messages normally sent to B<syslog> will also be sent to I<stderr>.
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/sslh/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -p -u -r1.1.1.1 PLIST
--- pkg/PLIST 13 Apr 2012 14:14:21 -0000 1.1.1.1
+++ pkg/PLIST 12 May 2012 14:22:41 -0000
@@ -6,5 +6,7 @@
 @bin sbin/sslh-select
 share/doc/sslh/
 share/doc/sslh/README
+share/examples/sslh/
+share/examples/sslh/sslh.conf
 @rcscript ${RCDIR}/sslh_fork
 @rcscript ${RCDIR}/sslh_select
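Review bot: The packing list adds `share/examples/sslh/sslh.conf` but no `@sample ${SYSCONFDIR}/sslh.conf`, so pkg_add never places the configuration under ${SYSCONFDIR} and pkg_delete has no administrator-edited copy to preserve; the rc scripts listed right below (`sslh_fork`, `sslh_select`) are untouched by this diff and presumably still start the daemon from command-line flags, which would leave the new configuration-file support unreachable without manual steps. If the file is meant to be the supported way of configuring the service, add `@sample ${SYSCONFDIR}/sslh.conf` after the new line and point the rc scripts at it; if it is only meant as documentation, say so in a short pkg/MESSAGE or README note so the ordering rules from the changelog reach the administrator.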