[sslh] sslh on Mac OS X
Aaron Madlon-Kay
aaron at madlon-kay.com
Fri Mar 11 02:41:39 CET 2011
Yves,
Thanks very much for your help! I adjusted my settings based on your recommendations (sslh listening on network interface only, Apache listening on localhost only) but nothing seems to have changed. I still get the same messages in sslh's log.
However I did just notice a different console message that may help clear things up: The system claims that sslh is crashing every time I try to connect to it. I don't know if that's true, since I'm not seeing the startup messages repeated in sslh's log ("listening on ...", "turning into nobody", etc.), but the crash report generated is as follows:
Process: sslh-fork [12501]
Path: /usr/local/sbin/sslh/sslh-fork
Identifier: sslh-fork
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: sslh-fork [12372]
Date/Time: 2011-03-11 10:34:32.501 +0900
OS Version: Mac OS X 10.6.6 (10J567)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff80f7f160 strlen + 16
1 libSystem.B.dylib 0x00007fff80f8ab5c __vfprintf + 8144
2 libSystem.B.dylib 0x00007fff80f88ceb __vfprintf + 351
3 libSystem.B.dylib 0x00007fff80fd7154 vfprintf + 92
4 sslh-fork 0x0000000100001b59 0x100000000 + 7001
5 sslh-fork 0x0000000100001bc9 0x100000000 + 7113
6 sslh-fork 0x0000000100001004 0x100000000 + 4100
7 sslh-fork 0x0000000100001142 0x100000000 + 4418
8 sslh-fork 0x000000010000229b 0x100000000 + 8859
9 sslh-fork 0x0000000100000cac 0x100000000 + 3244
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x00000000ffffffff rbx: 0x00007fff80f89068 rcx: 0x0000000000000005 rdx: 0x0000000000000005
rdi: 0x0000000000000000 rsi: 0x00000000ffffffff rbp: 0x00007fff5fbff120 rsp: 0x00007fff5fbfe808
r8: 0x0000000000000000 r9: 0x0000000100101100 r10: 0x0000000100002758 r11: 0x0000000000000007
r12: 0x0000000000000010 r13: 0x0000000000000005 r14: 0x00007fff5fbfeb00 r15: 0x0000000000000000
rip: 0x00007fff80f7f160 rfl: 0x0000000000010286 cr2: 0x0000000000000000
Binary Images:
0x100000000 - 0x100002ff7 +sslh-fork ??? (???) <EDAC0970-ED0A-640E-0BC3-2FB67BD74C0B> /usr/local/sbin/sslh/sslh-fork
0x7fff5fc00000 - 0x7fff5fc3bdef dyld 132.1 (???) <472D950D-70F8-B810-A959-9184C2AA6C74> /usr/lib/dyld
0x7fff80f7b000 - 0x7fff8113cfff libSystem.B.dylib 125.2.1 (compatibility 1.0.0) <71E6D4C9-F945-6EC2-998C-D61AD590DAB6> /usr/lib/libSystem.B.dylib
0x7fff819d5000 - 0x7fff819d9ff7 libmathCommon.A.dylib 315.0.0 (compatibility 1.0.0) <95718673-FEEE-B6ED-B127-BCDBDB60D4E5> /usr/lib/system/libmathCommon.A.dylib
0x7fffffe00000 - 0x7fffffe01fff libSystem.B.dylib ??? (???) <71E6D4C9-F945-6EC2-998C-D61AD590DAB6> /usr/lib/libSystem.B.dylib
I don't know if that means anything to you, but please let me know if you have some additional insight!
Thank you,
Aaron
On 2011/03/11, at 3:07, Yves Rutschle wrote:
> Hi Aaron,
>
> Sorry I haven't replied to your previous message yet --
> thanks for the feedback, I'll add your information in a
> README.
>
> On Fri, Mar 11, 2011 at 12:21:48AM +0900, Aaron Madlon-Kay wrote:
>> sslh-fork -f -v -u nobody -p 0.0.0.0:443 -s localhost:22 -l localhost:443
> ^^^^^^^
> This is suspicious, you're asking sslh to listen to all
> addresses on 443.
>
>> (Apache and sshd are set to listen on the default settings, e.g. all addresses on 443 and 22 respectively.)
>
> You can't have Apache AND sslh listen to all addresses on
> 443: sslh must have bound the port (otherwise it wouldn't
> start) so I'll surmise that Apache started and didn't bind
> 443, so when sslh forwards to localhost:443 it all goes
> pear-shaped.
>
> Try to use your network interface address instead, e.g.:
> sslh-fork -f -v -u nobody -p 192.168.0.123:443 -s localhost:22 -l localhost:443
>
> (assuming your network interface is 192.168.0.123).
>
> Also make sure that localhost resolves to 127.0.0.1, which
> is what it should, but who knows what Apple decided it
> should be ;) :
>
> $ dig localhost
> [...]
> localhost. 10800 IN A 127.0.0.1
>
>
> And then make sure that Apache listens only on localhost and
> not on your external address as well (192.168.0.123 in my
> example):
> # netstat -lpnt | grep apache
> tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 3696/apache2
> tcp 0 0 192.168.0.250:80 0.0.0.0:* LISTEN 3696/apache2
> tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 3696/apache2
>
> => my Apache listens on localhost 80 and 443, and external
> address on 80. (note in Linux you need to be root for this
> command to work -- I don't know about OS X).
>
>
>> Is there any hope of this working on OS X? If anyone can give me some pointers I would very much appreciate it.
>
> There are FreeBSD people who use it, and I believe OS X is
> based on FreeBSD, so there is no reason it shouldn't work.
> Which is not to say it won't need some ironing to adapt to
> the local quirks...
>
> Y.
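The binding conflict Yves describes (sslh holding the wildcard bind on 443, Apache failing to bind it, and sslh's forward to localhost:443 landing back on sslh itself) can be checked mechanically from the socket listing. The script below is an added example, not part of this thread or of sslh; it assumes the Linux `netstat -lpnt` column layout quoted above and uses a small hostname table (`HOSTS`) in place of the resolver, encoding the requirement that localhost map to 127.0.0.1. All socket listings in it are constructed.

```python
"""Added example (not sslh's own code): detect an sslh front-end whose forward
target resolves back to its own listening socket, or to nothing at all.

Input is the text of `netstat -lpnt` (Linux column layout, as quoted in the
reply); every listing below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: a minimal name table standing in for the resolver. The reply
# insists that "localhost" must resolve to 127.0.0.1; this table encodes that.
HOSTS = {"localhost": "127.0.0.1"}


@dataclass(frozen=True)
class Listener:
    program: str  # name after the PID in the netstat column, e.g. "apache2"
    addr: str     # local address the socket is bound to
    port: int


def resolve_host(name: str) -> str:
    """Map a hostname to an address via HOSTS; IP literals pass through."""
    return HOSTS.get(name, name)


def parse_netstat(output: str) -> List[Listener]:
    """Extract TCP LISTEN sockets from `netstat -lpnt` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        prog_field = fields[6] if len(fields) > 6 else "-"
        program = prog_field.split("/", 1)[-1]  # "3696/apache2" -> "apache2"
        listeners.append(Listener(program, addr, int(port)))
    return listeners


def covers(listener: Listener, addr: str, port: int) -> bool:
    """True if a connection to addr:port is accepted by this listener
    (a wildcard bind on 0.0.0.0 or :: catches every local address)."""
    return listener.port == port and listener.addr in ("0.0.0.0", "::", addr)


def check_forwarding(listeners: List[Listener], targets: Dict[str, str]) -> Dict[str, str]:
    """For each sslh forward target (protocol -> "host:port"), decide whether
    the connection sslh opens reaches a real backend ("ok"), nothing
    ("unbound"), or sslh itself ("loop")."""
    verdict = {}
    for proto, spec in targets.items():
        host, _, port = spec.rpartition(":")
        addr = resolve_host(host)
        owners = [lst for lst in listeners if covers(lst, addr, int(port))]
        if not owners:
            verdict[proto] = "unbound"  # backend never bound the port
        elif any(lst.program.startswith("sslh") for lst in owners):
            verdict[proto] = "loop"     # sslh would be connecting to itself
        else:
            verdict[proto] = "ok"
    return verdict


# Constructed listing for the original command line (-p 0.0.0.0:443
# -l localhost:443): sslh took the wildcard bind on 443, so Apache only
# managed to bind port 80. PIDs are made up.
BROKEN_NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 101/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2001/sslh-fork
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3001/apache2
"""

# Constructed listing for the suggested fix: sslh only on the interface
# address, Apache on localhost for 443.
FIXED_NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 101/sshd
tcp 0 0 192.168.0.123:443 0.0.0.0:* LISTEN 2001/sslh-fork
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 3001/apache2
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 3001/apache2
"""

# The forward targets from the command line in the thread (-s / -l).
TARGETS = {"ssh": "localhost:22", "ssl": "localhost:443"}


def audit(netstat_output: str) -> Dict[str, str]:
    """Parse a listing and report the verdict for every forward target."""
    return check_forwarding(parse_netstat(netstat_output), TARGETS)


if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_NETSTAT), ("fixed", FIXED_NETSTAT)):
        print(label, audit(listing))
```

On the broken listing the HTTPS target comes back as `loop`, which is the "pear-shaped" case in the reply: sslh accepts the connection, forwards it to localhost:443, and that is sslh again. On the fixed listing both targets are `ok`, because the wildcard check no longer matches the interface-bound sslh socket for 127.0.0.1. The same function also flags `unbound` when the backend has not bound the port at all.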