[sslh] Configuration file format change (Was: SNI hostname based probe)

Yves Rutschle yves at rutschle.net
Wed Jul 15 14:53:06 CEST 2015


Hi Travis,

On Mon, Jul 13, 2015 at 01:31:06PM -0400, moparisthebest wrote:
> But I figured I should also send the patch to the mailing list for
> discussion/review as it appears more active.

I for one like mailing lists better ;-)
Especially in this case as we're changing the configuration
file format, which might be of interest to others.

> This adds the functionality I requested here:
> https://github.com/yrutschle/sslh/issues/53

I love users like you!

> I see this was brought up on the mailing list a few months ago, with a
> resolution to use sslh to proxy to
> [sniproxy](https://github.com/dlundquist/sniproxy), but sniproxy doesn't
> have all the features of sslh such as transparent proxying and such, so
> why not include it? :)

Originally I didn't want to pull in an entire SSL library.
This looks good though.


I have no objection to your code, OTOH I have a sneaky
suspicion the configuration file is becoming inconsistent
(not your fault -- it wasn't really designed, and the only
requirement at the time was to have 'regex' and 'builtins'
and that was it). 

E.g. with several regex and several SNI:


protocols:
(
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },
     { name: "sni"; host: "localhost"; port: "993"; probe: "builtin"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; },
     { name: "sni"; host: "localhost"; port: "xmpp-client"; probe: "builtin"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ]; },
     { name: "openvpn"; host: "localhost"; port: "1194"; probe: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
     { name: "xmpp"; host: "localhost"; port: "5222"; probe: [ "jabber" ]; },
     { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
     { name: "ssl"; host: "localhost"; port: "443"; probe: [ "" ]; },
     { name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
);


My issues:

- 'name' isn't really the protocol name, rather it's the
  probe name except in the case of the regex probe
- for the 'regex' probe, 'probe' is unclear.
- having multiple 'sni' lines is inconsistent with having
  one regex line each with a different protocol name
- probe:"builtin" can really be inferred from the rest

I'd tend to change the config file format as:

protocols:
(
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; },
     { name: "sni"; host: "localhost"; port: "993"; sni_hostnames: [ "mail.rutschle.net", "mail.englishintoulouse.com" ]; },
     { name: "sni"; host: "localhost"; port: "xmpp-client"; sni_hostnames: [ "im.rutschle.net", "im.englishintoulouse.com" ]; },

# OpenVPN
     { name: "regex"; host: "localhost"; port: "1194"; regex_patterns: [ "^\x00[\x0D-\xFF]$", "^\x00[\x0D-\xFF]\x38" ]; },
# XMPP
     { name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; },
     { name: "http"; host: "localhost"; port: "80";  },
# SSL
     { name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "" ]; },
     { name: "timeout"; service: "daytime"; host: "localhost"; port: "daytime"; }
);


Changes:
- 'name' now is the name of the probe (one of the builtins, or 'sni' or 'regex').
- Built-in probes no longer have a 'probe' field.
- 'regex' field 'probe' is renamed 'regex_patterns', in line with
  'sni_hostnames'.

Any objections?

Y.
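As an added illustration (not code from this message or from sslh itself), the Python below models the proposed format as a list of dicts, checks the rules stated in the message (an 'sni' entry must carry sni_hostnames, a 'regex' entry regex_patterns, a builtin no 'probe' field), and then runs the probe dispatch over constructed client first-bytes, including a minimal TLS ClientHello built only to carry an SNI extension. The builtin probe set {ssh, http, timeout}, the ClientHello builder and parser, and the timeout handling are simplifications assumed here, not sslh's implementation.

```python
import re
import struct
# Constructed model of the proposed "protocols" list from the message, each
# libconfig group rendered as a dict (assumption: regexes are byte patterns).
PROTOCOLS = [
    {"name": "ssh", "service": "ssh", "host": "localhost", "port": "22"},
    {"name": "sni", "host": "localhost", "port": "993",
     "sni_hostnames": ["mail.rutschle.net", "mail.englishintoulouse.com"]},
    {"name": "sni", "host": "localhost", "port": "xmpp-client",
     "sni_hostnames": ["im.rutschle.net", "im.englishintoulouse.com"]},
    {"name": "regex", "host": "localhost", "port": "1194",  # OpenVPN
     "regex_patterns": [rb"^\x00[\x0D-\xFF]$", rb"^\x00[\x0D-\xFF]\x38"]},
    {"name": "regex", "host": "localhost", "port": "5222", "regex_patterns": [rb"jabber"]},
    {"name": "http", "host": "localhost", "port": "80"},
    {"name": "regex", "host": "localhost", "port": "443", "regex_patterns": [rb""]},  # catch-all
    {"name": "timeout", "service": "daytime", "host": "localhost", "port": "daytime"},
]
BUILTIN_PROBES = {"ssh", "http", "timeout"}   # assumption: only those used above
REQUIRED_LIST = {"sni": "sni_hostnames", "regex": "regex_patterns"}

def validate(protocols):
    """Problems under the proposed rules: 'sni' needs sni_hostnames, 'regex'
    needs regex_patterns, a builtin takes no 'probe' field, names must be known."""
    problems = []
    for i, p in enumerate(protocols):
        name = p.get("name")
        if name in REQUIRED_LIST and not p.get(REQUIRED_LIST[name]):
            problems.append(f"entry {i}: '{name}' needs {REQUIRED_LIST[name]}")
        elif name in BUILTIN_PROBES and "probe" in p:
            problems.append(f"entry {i}: builtin '{name}' must not set 'probe'")
        elif name not in REQUIRED_LIST and name not in BUILTIN_PROBES:
            problems.append(f"entry {i}: unknown probe name {name!r}")
    return problems

def build_client_hello(hostname):
    """Constructed minimal TLS ClientHello whose only extension is SNI."""
    host = hostname.encode("ascii")
    names = struct.pack("!BH", 0, len(host)) + host
    sni = struct.pack("!H", len(names)) + names
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(data):
    """Return the server_name carried by a ClientHello, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        hs_len = int.from_bytes(data[6:9], "big")
        hs = data[9:9 + hs_len]
        if len(hs) != hs_len:                          # truncated record: do not guess
            return None
        pos = 34                                       # version + random
        pos += 1 + hs[pos]                             # session id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher suites
        pos += 1 + hs[pos]                             # compression methods
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                             # server_name extension
                lpos = pos + 2
                while lpos + 3 <= pos + elen:
                    nlen = int.from_bytes(hs[lpos + 1:lpos + 3], "big")
                    if hs[lpos] == 0:                  # host_name entry
                        return hs[lpos + 3:lpos + 3 + nlen].decode("ascii")
                    lpos += 3 + nlen
                return None
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def probe_matches(entry, data):
    name = entry["name"]
    if name == "sni":
        return extract_sni(data) in entry["sni_hostnames"]
    if name == "regex":   # regexec-style search over the raw bytes; "" matches anything
        return any(re.search(p, data, re.DOTALL) for p in entry["regex_patterns"])
    if name == "ssh":
        return data.startswith(b"SSH-")
    if name == "http":
        return data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS "))
    return False          # 'timeout' never matches on data

def select_target(protocols, data, timed_out=False):
    """First entry whose probe accepts the data wins, so list order matters;
    on timeout (assumption) the 'timeout' entry is used."""
    if timed_out:
        return next(((p["host"], p["port"]) for p in protocols if p["name"] == "timeout"), None)
    for p in protocols:
        if probe_matches(p, data):
            return p["host"], p["port"]
    return None
```

Two things the dispatch makes visible: first match wins, so the `regex_patterns: [ "" ]` catch-all for SSL has to stay after every other data-driven entry or it shadows them; and a truncated or malformed ClientHello yields no SNI and falls through to that catch-all rather than to a guessed hostname.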


