[sslh] sslh on Mac OS X

Aaron Madlon-Kay aaron at madlon-kay.com
Fri Mar 11 02:41:39 CET 2011


Yves,

Thanks very much for your help! I adjusted my settings based on your recommendations (sslh listening on network interface only, Apache listening on localhost only) but nothing seems to have changed. I still get the same messages in sslh's log.

However I did just notice a different console message that may help clear things up: The system claims that sslh is crashing every time I try to connect to it. I don't know if that's true, since I'm not seeing the startup messages repeated in sslh's log ("listening on ...", "turning into nobody", etc.), but the crash report generated is as follows:

Process:         sslh-fork [12501]
Path:            /usr/local/sbin/sslh/sslh-fork
Identifier:      sslh-fork
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  sslh-fork [12372]

Date/Time:       2011-03-11 10:34:32.501 +0900
OS Version:      Mac OS X 10.6.6 (10J567)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib             	0x00007fff80f7f160 strlen + 16
1   libSystem.B.dylib             	0x00007fff80f8ab5c __vfprintf + 8144
2   libSystem.B.dylib             	0x00007fff80f88ceb __vfprintf + 351
3   libSystem.B.dylib             	0x00007fff80fd7154 vfprintf + 92
4   sslh-fork                     	0x0000000100001b59 0x100000000 + 7001
5   sslh-fork                     	0x0000000100001bc9 0x100000000 + 7113
6   sslh-fork                     	0x0000000100001004 0x100000000 + 4100
7   sslh-fork                     	0x0000000100001142 0x100000000 + 4418
8   sslh-fork                     	0x000000010000229b 0x100000000 + 8859
9   sslh-fork                     	0x0000000100000cac 0x100000000 + 3244

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x00000000ffffffff  rbx: 0x00007fff80f89068  rcx: 0x0000000000000005  rdx: 0x0000000000000005
  rdi: 0x0000000000000000  rsi: 0x00000000ffffffff  rbp: 0x00007fff5fbff120  rsp: 0x00007fff5fbfe808
   r8: 0x0000000000000000   r9: 0x0000000100101100  r10: 0x0000000100002758  r11: 0x0000000000000007
  r12: 0x0000000000000010  r13: 0x0000000000000005  r14: 0x00007fff5fbfeb00  r15: 0x0000000000000000
  rip: 0x00007fff80f7f160  rfl: 0x0000000000010286  cr2: 0x0000000000000000

Binary Images:
       0x100000000 -        0x100002ff7 +sslh-fork ??? (???) <EDAC0970-ED0A-640E-0BC3-2FB67BD74C0B> /usr/local/sbin/sslh/sslh-fork
    0x7fff5fc00000 -     0x7fff5fc3bdef  dyld 132.1 (???) <472D950D-70F8-B810-A959-9184C2AA6C74> /usr/lib/dyld
    0x7fff80f7b000 -     0x7fff8113cfff  libSystem.B.dylib 125.2.1 (compatibility 1.0.0) <71E6D4C9-F945-6EC2-998C-D61AD590DAB6> /usr/lib/libSystem.B.dylib
    0x7fff819d5000 -     0x7fff819d9ff7  libmathCommon.A.dylib 315.0.0 (compatibility 1.0.0) <95718673-FEEE-B6ED-B127-BCDBDB60D4E5> /usr/lib/system/libmathCommon.A.dylib
    0x7fffffe00000 -     0x7fffffe01fff  libSystem.B.dylib ??? (???) <71E6D4C9-F945-6EC2-998C-D61AD590DAB6> /usr/lib/libSystem.B.dylib

I don't know if that means anything to you, but please let me know if you have some additional insight!

Thank you,
Aaron


On 2011/03/11, at 3:07, Yves Rutschle wrote:

> Hi Aaron,
> 
> Sorry I haven't replied to your previous message yet --
> thanks for the feedback, I'll add your information in a
> README.
> 
> On Fri, Mar 11, 2011 at 12:21:48AM +0900, Aaron Madlon-Kay wrote:
>> sslh-fork -f -v -u nobody -p 0.0.0.0:443 -s localhost:22 -l localhost:443
>                               ^^^^^^^
> This is suspicious, you're asking sslh to listen to all
> addresses on 443.
> 
>> (Apache and sshd are set to listen on the default settings, e.g. all addresses on 443 and 22 respectively.)
> 
> You can't have Apache AND sslh listen to all addresses on
> 443: sslh must have bound the port (otherwise it wouldn't
> start) so I'll surmise that Apache started and didn't bind
> 443, so when sslh forwards to localhost:443 it all goes
> pear-shaped.
> 
> Try to use your network interface address instead, e.g.:
> sslh-fork -f -v -u nobody -p 192.168.0.123:443 -s localhost:22 -l localhost:443
> 
> (assuming your network interface is 192.168.0.123).
> 
> Also make sure that localhost resolves to 127.0.0.1, which
> is what it should, but who knows what Apple decided it
> should be ;)  :
> 
> $ dig localhost
> [...]
> localhost.              10800   IN      A       127.0.0.1
> 
> 
> And then make sure that Apache listens only on localhost and
> not on your external address as well (192.168.0.123 in my
> example):
> # netstat -lpnt | grep apache
> tcp        0      0 127.0.0.1:80            0.0.0.0:* LISTEN      3696/apache2    
> tcp        0      0 192.168.0.250:80        0.0.0.0:* LISTEN      3696/apache2    
> tcp        0      0 127.0.0.1:443           0.0.0.0:* LISTEN      3696/apache2    
> 
> => my Apache listens on localhost 80 and 443, and external
> address on 80. (note in Linux you need to be root for this
> command to work -- I don't know about OS X).
> 
> 
>> Is there any hope of this working on OS X? If anyone can give me some pointers I would very much appreciate it.
> 
> There are FreeBSD people who use it, and I believe OS X is
> based on FreeBSD, so there is no reason it shouldn't work.
> Which is not to say it won't need some ironing to adapt to
> the local quirks...
> 
> Y.

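Yves' netstat check, turned into a script. This is an added example, not code from the thread or from sslh. It assumes the addresses and process names used in the thread (sslh on 192.168.0.123:443, Apache on 127.0.0.1:443) and reads either Linux `netstat -lpnt` output or, on Mac OS X, where netstat's -p selects a protocol rather than printing PIDs, the output of `lsof -nP -iTCP:443 -sTCP:LISTEN` (run as root to see other users' sockets, as with netstat -p on Linux). The netstat and lsof lines embedded in it are constructed samples, not captured output.

```sh
#!/bin/sh
# Added example, not part of this thread or of sslh: verify the listener layout
# Yves recommends before blaming sslh.  Intended layout for
#   sslh-fork -f -v -u nobody -p IFACE:443 -s localhost:22 -l localhost:443
# is
#   IFACE:443      sslh     (the only listener reachable from the network)
#   127.0.0.1:443  Apache   (sslh's HTTPS backend; not also 0.0.0.0 or *)
# A wildcard bind (0.0.0.0 / *) covers loopback as well, so if sslh held
# 0.0.0.0:443 its own forward to localhost:443 would land back on itself.

# normalize_listeners: read Linux `netstat -lpnt` or macOS
# `lsof -nP -iTCP -sTCP:LISTEN` lines on stdin and print "ADDR PORT OWNER",
# with wildcard addresses written as "ANY".
normalize_listeners() {
    awk '
        /LISTEN/ {
            if ($NF == "(LISTEN)")  { sock = $(NF-1); owner = $1 }                # lsof
            else if ($1 ~ /^tcp/)   { sock = $4; owner = (NF >= 7) ? $7 : "?" }   # netstat
            else next
            n = match(sock, /[:.][0-9]+$/)        # port follows the last ":" (or "." in macOS netstat)
            if (n == 0) next
            addr = substr(sock, 1, n - 1); port = substr(sock, n + 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # lsof writes IPv6 as [::1]:443
            if (addr == "*" || addr == "0.0.0.0" || addr == "::") addr = "ANY"
            print addr, port, owner
        }'
}

# check_layout PORT IFACE_ADDR: normalized lines on stdin; prints one verdict
# line and succeeds only when the layout above is in place.
check_layout() {
    awk -v port="$1" -v iface="$2" '
        $2 != port        { next }
        $1 == "ANY"       { any  = any  " " $3; next }
        $1 == iface       { ext  = ext  " " $3; next }
        $1 == "127.0.0.1" { loop = loop " " $3; next }
        END {
            if (any != "")  { print "FAIL: wildcard bind on port " port " by" any "; bind sslh to " iface " and the backend to 127.0.0.1 instead"; exit 1 }
            if (ext == "")  { print "FAIL: nothing listens on " iface ":" port " (sslh should)"; exit 1 }
            if (loop == "") { print "FAIL: nothing listens on 127.0.0.1:" port " for sslh to forward to"; exit 1 }
            print "OK:" ext " on " iface ":" port " ->" loop " on 127.0.0.1:" port
        }'
}

# Constructed samples (not captured from a real host), one in each format.
sample_good_linux() {   # the intended layout, netstat -lpnt style
    cat <<'EOF'
tcp        0      0 127.0.0.1:443           0.0.0.0:* LISTEN      3696/apache2
tcp        0      0 192.168.0.123:443       0.0.0.0:* LISTEN      12372/sslh-fork
tcp        0      0 0.0.0.0:22              0.0.0.0:* LISTEN      1001/sshd
EOF
}
sample_bad_macos() {    # the original -p 0.0.0.0:443 setting, lsof -nP style
    cat <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sslh-fork 12372 root    3u  IPv4  0xabc      0t0  TCP *:443 (LISTEN)
httpd       300 root    4u  IPv4  0xabd      0t0  TCP 127.0.0.1:80 (LISTEN)
EOF
}

case "${1:-}" in
--live)   # e.g. sudo sh check-layout.sh --live 443 192.168.0.123
    port=${2:-443}; iface=${3:?usage: $0 --live PORT IFACE_ADDR}
    if command -v lsof >/dev/null 2>&1; then lsof -nP -iTCP:"$port" -sTCP:LISTEN; else netstat -lpnt; fi |
        normalize_listeners | check_layout "$port" "$iface"
    ;;
"")       # no arguments: run the constructed samples
    sample_good_linux | normalize_listeners | check_layout 443 192.168.0.123 || :
    sample_bad_macos  | normalize_listeners | check_layout 443 192.168.0.123 || :
    ;;
esac
```

Run it with no arguments to see both verdicts on the samples, or with `--live 443 <interface address>` on the host itself. The wildcard rule is deliberately strict: a single 0.0.0.0:443 or *:443 socket fails the check whoever owns it, because that one socket also answers on loopback and so cannot coexist with the sslh-plus-backend split the thread is trying to set up.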


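A reader for the crash report in the message above, added here as an example (not from the thread or from sslh). It relies on two facts about x86-64 Mac OS X, which uses the SysV calling convention: a function's first argument arrives in rdi, and cr2 holds the address that faulted. In the report, frame 0 is strlen, its caller is __vfprintf, rdi is 0 and the fault address is 0, so a printf-family call inside sslh-fork received a NULL pointer for a %s conversion. The sample embedded in the script is the report quoted above, trimmed to the lines the rule uses.

```sh
#!/bin/sh
# Added example, not part of this thread or of sslh: pull the facts that decide
# a diagnosis out of an Apple CrashReporter log and apply one reading rule.
# Facts used: Exception Type/Codes, frames 0 and 1 of the crashed thread, and
# the registers rdi (first argument, x86-64 SysV ABI) and cr2 (faulting address).

# sample_report: the decisive lines of the report quoted in the message above.
sample_report() {
    cat <<'EOF'
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libSystem.B.dylib              0x00007fff80f7f160 strlen + 16
1   libSystem.B.dylib              0x00007fff80f8ab5c __vfprintf + 8144
2   libSystem.B.dylib              0x00007fff80f88ceb __vfprintf + 351
3   libSystem.B.dylib              0x00007fff80fd7154 vfprintf + 92
4   sslh-fork                      0x0000000100001b59 0x100000000 + 7001

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x00000000ffffffff  rbx: 0x00007fff80f89068  rcx: 0x0000000000000005  rdx: 0x0000000000000005
  rdi: 0x0000000000000000  rsi: 0x00000000ffffffff  rbp: 0x00007fff5fbff120  rsp: 0x00007fff5fbfe808
  rip: 0x00007fff80f7f160  rfl: 0x0000000000010286  cr2: 0x0000000000000000
EOF
}

# read_crash_report: CrashReporter text on stdin; prints a summary line, then a verdict line.
read_crash_report() {
    awk '
        /^Exception Type:/        { exc = $3 " " $4 }
        /^Exception Codes:/       { fault = $NF }
        /^Thread [0-9]+ Crashed:/ { intrace = 1; next }
        intrace && /^[0-9]+ /     { sym[$1] = $4; if ($1 == 1) intrace = 0; next }  # "N image 0xaddr symbol + off"
        {   # register dump lines: "name: 0xvalue" pairs, several per line
            for (i = 1; i < NF; i++)
                if ($i ~ /^(r[a-z0-9]+|cr2):$/) { r = $i; sub(/:$/, "", r); reg[r] = $(i+1) }
        }
        END {
            printf "%s at %s; frame 0 = %s, frame 1 = %s, rdi = %s, cr2 = %s\n", exc, fault, sym[0], sym[1], reg["rdi"], reg["cr2"]
            # Rule: strlen faulting at address 0 with rdi == 0 was handed a NULL pointer;
            # when the caller is vfprintf, that pointer was the argument of a %s conversion.
            if (sym[0] == "strlen" && reg["rdi"] ~ /^0x0+$/ && fault ~ /^0x0+$/ && sym[1] ~ /vfprintf/)
                print "NULL pointer passed to a printf %s conversion: " sym[0] " called from " sym[1] " with rdi=0"
            else if (sym[0] == "strlen" && reg["rdi"] ~ /^0x0+$/)
                print "strlen called with a NULL pointer from " sym[1]
            else
                print "no rule matched; read frames 0-1 and the argument registers by hand"
        }'
}

# With no arguments read the embedded sample; otherwise read the report file named on the command line.
if [ $# -eq 0 ]; then sample_report | read_crash_report; else read_crash_report < "$1"; fi
```

glibc substitutes "(null)" for a NULL %s argument, which is why such a defect can go unnoticed on Linux and surface only on a libc that calls strlen() on the pointer, as the one in this report does. Frames 4 to 9 appear only as offsets from the load address 0x100000000; if the binary has symbols, Apple's atos (`atos -o sslh-fork -l 0x100000000 0x100001b59`) names the sslh function that made the printf call.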

