[sslh] Configuration file format change (Was: SNI hostname based probe)
Yves Rutschle
yves at rutschle.net
Wed Jul 15 14:53:06 CEST 2015
Hi Travis,
On Mon, Jul 13, 2015 at 01:31:06PM -0400, moparisthebest wrote:
> But I figured I should also send the patch to the mailing list for
> discussion/review as it appears more active.
I for one like mailing lists better ;-)
Especially in this case as we're changing the configuration
file format, which might be of interest to others.
> This adds the functionality I requested here:
> https://github.com/yrutschle/sslh/issues/53
I love users like you!
> I see this was brought up on the mailing list a few months ago, with a
> resolution to use sslh to proxy to
> [sniproxy](https://github.com/dlundquist/sniproxy), but sniproxy doesn't
> have all the features of sslh such as transparent proxying and such, so
> why not include it? :)
Originally I didn't want to pull in an entire SSL library.
This looks good though.
I have no objection to your code, OTOH I have a sneaky
suspicion the configuration file is becoming inconsistent
(not your fault -- it wasn't really designed, and the only
requirement at the time was to have 'regex' and 'builtins'
and that was it).
E.g. with several regex and several SNI:
protocols:
(
{ name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },
{ name: "sni"; host: "localhost"; port: "993"; probe: "builtin"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; },
{ name: "sni"; host: "localhost"; port: "xmpp-client"; probe: "builtin"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ]; },
{ name: "openvpn"; host: "localhost"; port: "1194"; probe: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
{ name: "xmpp"; host: "localhost"; port: "5222"; probe: [ "jabber" ]; },
{ name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
{ name: "ssl"; host: "localhost"; port: "443"; probe: [ "" ]; },
{ name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
);
My issues:
- 'name' isn't really the protocol name, rather it's the
probe name except in the case of the regex probe
- for the 'regex' probe, 'probe' is unclear.
- having multiple 'sni' lines is inconsistent with having
one regex line each with a different protocol name
- probe:"builtin" can really be inferred from the rest
I'd tend to change the config file format as:
protocols:
(
{ name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
{ name: "sni"; host: "localhost"; port: "993"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; },
{ name: "sni"; host: "localhost"; port: "xmpp-client"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ]; },
# OpenVPN
{ name: "regex"; host: "localhost"; port: "1194"; regex_patterns: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
# XMPP
{ name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; },
{ name: "http"; host: "localhost"; port: "80"; },
# SSL
{ name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "" ]; },
{ name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
);
Changes:
- 'name' now is the name of the probe (one of the builtins, or 'sni' or 'regex').
- Built-in probes no longer have a 'probe' field.
- 'regex' field 'probe' is renamed 'regex_patterns', in line with
'sni_hostnames'.
Any objections?
Y.
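As an added example (not code from the message or from the sslh project), a small Python checker for the entry rules listed under "Changes": no 'probe' field, 'sni' needs sni_hostnames, 'regex' needs compilable regex_patterns, and anything else must be a built-in name. The built-in list, the host/port requirement and the assumption that probes are tried in listed order are mine, not the message's.

```python
import re

# Built-in probe names mentioned in the message; the real list is longer (assumption).
BUILTIN_PROBES = {"ssh", "http", "timeout"}

def check_protocol(entry):
    """Return the problems with one 'protocols' entry under the proposed format."""
    problems, name = [], entry.get("name")
    if "probe" in entry:
        problems.append("'probe' is gone: the probe is inferred from 'name'")
    if name == "sni" and not entry.get("sni_hostnames"):
        problems.append("'sni' entry needs a non-empty 'sni_hostnames' list")
    elif name == "regex":
        if not entry.get("regex_patterns"):
            problems.append("'regex' entry needs a non-empty 'regex_patterns' list")
        for p in entry.get("regex_patterns", []):
            try:
                re.compile(p)  # catch a typo before sslh is started with it
            except re.error as e:
                problems.append(f"bad pattern {p!r}: {e}")
    elif name not in BUILTIN_PROBES | {"sni"}:
        problems.append(f"unknown probe name {name!r}")
    problems += [f"missing {k!r}" for k in ("host", "port") if k not in entry]
    return problems

def check_config(protocols):
    """Validate every entry and flag entries shadowed by an earlier catch-all regex ""."""
    report, catch_all = {}, None
    for i, entry in enumerate(protocols):
        problems = check_protocol(entry)
        if catch_all is not None and entry.get("name") != "timeout":
            problems.append(f"unreachable: entry {catch_all} matches everything")
        if entry.get("name") == "regex" and "" in entry.get("regex_patterns", []):
            catch_all = i if catch_all is None else catch_all
        if problems:
            report[i] = problems
    return report

# The proposed format from the message, trimmed to five entries (constructed input).
PROPOSED = [
    {"name": "ssh", "service": "ssh", "host": "localhost", "port": "22"},
    {"name": "sni", "host": "localhost", "port": "993",
     "sni_hostnames": ["mail.rutschle.net", "mail.englishintoulouse.com"]},
    {"name": "regex", "host": "localhost", "port": "1194",
     "regex_patterns": ["^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38"]},
    {"name": "regex", "host": "localhost", "port": "443", "regex_patterns": [""]},
    {"name": "timeout", "service": "daytime", "host": "localhost", "port": "daytime"},
]
```

Running check_config(PROPOSED) returns an empty report; moving the catch-all "ssl" entry above the 'sni' entry makes the checker report the 'sni' entry as unreachable.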