diff --git a/Doxyfile b/Doxyfile index 551541ce..f91e0b4b 100644 --- a/Doxyfile +++ b/Doxyfile @@ -5,7 +5,7 @@ #--------------------------------------------------------------------------- DOXYFILE_ENCODING = UTF-8 PROJECT_NAME = "UTM Firewall" -PROJECT_NUMBER = 6.5 +PROJECT_NUMBER = 6.5.1 PROJECT_BRIEF = PROJECT_LOGO = OUTPUT_DIRECTORY = ./src/View/docs diff --git a/README.md b/README.md index 5572ff4b..6c54a16f 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ You can find a couple of screenshots on the [wiki](https://github.com/sonertari/ The installation iso file for the amd64 arch is available for download at [utmfw65\_20190506\_amd64.iso](https://drive.google.com/file/d/1djOr_Mc3NEt-nmnMbm1jtmJhHlF3Jy9z/view?usp=sharing). Make sure the SHA256 checksum is correct: f6c9ac66b328a1efcbda34df123cfa01f9cbdfbe9a0aac04ccb20ee7a065fc68. -UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, Firebase push notifications, and network user authentication. Also note that UTMFW 6.5 comes with OpenBSD 6.5-stable including all updates until May 6th, 2019. +UTMFW is an updated version of ComixWall. However, there are a few major changes, such as SSLproxy, Snort Inline IPS, PFRE, E2Guardian, many fixes and improvements to the system and the WUI, Firebase push notifications, and network user authentication. Also note that UTMFW 6.5.1 comes with OpenBSD 6.5-stable including all updates until August 13th, 2019. UTMFW supports deep SSL inspection of HTTP, POP3, and SMTP protocols. SSL/TLS encrypted traffic is decrypted by [SSLproxy](https://github.com/sonertari/SSLproxy) and fed into the UTM services: Web Filter, POP3 Proxy, SMTP Proxy, and Inline IPS (and indirectly into Virus Scanner and Spam Filter through those UTM software). These UTM software have been modified to support the mode of operation required by SSLproxy. 
@@ -104,7 +104,7 @@ However, the source tree has links to OpenBSD install sets and packages, which s + Copy the required install sets to the appropriate locations to fix the broken links in the sources. - Packages: + Download the required packages available on the OpenBSD mirrors. - + Create the packages which are not available on the OpenBSD mirrors and/or have been modified for UTMFW: sslproxy, e2guardian, p3scan, smtp-gated, snort, imspector, snortips, and libevent 2.1.8 (see `ports` and `ports/distfiles`). + + Create the packages which are not available on the OpenBSD mirrors and/or have been modified for UTMFW: sslproxy, e2guardian, p3scan, smtp-gated, snort, imspector, snortips, and libevent 2.1.11 (see `ports` and `ports/distfiles`). + Copy them to the appropriate locations to fix the broken links in the sources. Note that you can strip down xbase and xfont install sets to reduce the size of the iso file. Copy or link them to the appropriate locations under `openbsd/utmfw`. diff --git a/cd/amd64/packages/e2guardian-5.3.2.tgz b/cd/amd64/packages/e2guardian-5.3.2.tgz deleted file mode 120000 index 865bb459..00000000 --- a/cd/amd64/packages/e2guardian-5.3.2.tgz +++ /dev/null @@ -1 +0,0 @@ -../../../docs/e2guardian/packages/amd64/e2guardian-5.3.2.tgz \ No newline at end of file diff --git a/cd/amd64/packages/e2guardian-5.3.3.tgz b/cd/amd64/packages/e2guardian-5.3.3.tgz new file mode 120000 index 00000000..3e330e11 --- /dev/null +++ b/cd/amd64/packages/e2guardian-5.3.3.tgz @@ -0,0 +1 @@ +../../../docs/e2guardian/packages/amd64/e2guardian-5.3.3.tgz \ No newline at end of file diff --git a/cd/amd64/packages/libevent-2.1.11.tgz b/cd/amd64/packages/libevent-2.1.11.tgz new file mode 120000 index 00000000..4ae0f396 --- /dev/null +++ b/cd/amd64/packages/libevent-2.1.11.tgz @@ -0,0 +1 @@ +../../../docs/libevent/packages/amd64/libevent-2.1.11.tgz \ No newline at end of file 
diff --git a/cd/amd64/packages/libevent-2.1.8.tgz b/cd/amd64/packages/libevent-2.1.8.tgz deleted file mode 120000 index 4fd609c7..00000000 --- a/cd/amd64/packages/libevent-2.1.8.tgz +++ /dev/null @@ -1 +0,0 @@ -../../../docs/libevent/packages/amd64/libevent-2.1.8.tgz \ No newline at end of file diff --git a/cd/amd64/packages/sslproxy-0.6.0.tgz b/cd/amd64/packages/sslproxy-0.6.0.tgz deleted file mode 120000 index d9867352..00000000 --- a/cd/amd64/packages/sslproxy-0.6.0.tgz +++ /dev/null @@ -1 +0,0 @@ -../../../docs/sslproxy/packages/amd64/sslproxy-0.6.0.tgz \ No newline at end of file diff --git a/cd/amd64/packages/sslproxy-0.7.0.tgz b/cd/amd64/packages/sslproxy-0.7.0.tgz new file mode 120000 index 00000000..e074f3dc --- /dev/null +++ b/cd/amd64/packages/sslproxy-0.7.0.tgz @@ -0,0 +1 @@ +../../../docs/sslproxy/packages/amd64/sslproxy-0.7.0.tgz \ No newline at end of file diff --git a/config/etc/e2guardian/e2guardian.conf b/config/etc/e2guardian/e2guardian.conf index 545f7a86..fbafc62d 100644 --- a/config/etc/e2guardian/e2guardian.conf +++ b/config/etc/e2guardian/e2guardian.conf @@ -1,4 +1,4 @@ -# e2guardian config file for version 5.3.2 +# e2guardian config file for version 5.3.3 #NOTE This file is only read at start-up # @@ -142,6 +142,16 @@ logsyslog = on # it has a different port. filterip = 127.0.0.1 +# loop prevention +# +# For loop prevention purposes list all IPs e2g can be reached on +# Include all e2g host server IPs and any VIP used when when in an array. +# Specify each IP on an individual checkip line. +# +# Defaults: Not set - no loop prevention +# +#checkip = 127.0.0.1 + # the ports that e2guardian listens to. Specify one line per filterip # line. If both mapportstoips and mapauthtoports are set to 'on' # you can specify different authentication mechanisms per port but 
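Review bot: Loop prevention stays disabled in the `@@ -142,6 +142,16 @@` hunk of e2guardian.conf, because the new block ends in `#checkip = 127.0.0.1` commented out, while the rebased patch-src_ConnectionHandler_cpp later in this commit appears to take the `if (may_be_loop)` branch only when `o.check_ip.size() > 0`. The file already declares `filterip = 127.0.0.1` as the address e2guardian is reached on, which is exactly what the new comment asks to list, so enabling it looks like a one-line change: `checkip = 127.0.0.1`. If the loopback listener is deliberately left out of the check (for instance because SSLproxy is the only client), a short comment saying so would keep the next reader from re-asking the question.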
@@ -176,7 +186,7 @@ filterports = 8080 # This is a connection timeout # If proxy is remote you may need to increase this to 10 or more. # Min 5 - Max 100 -proxytimeout = 20 +proxytimeout = 5 # Connect timeout # Set tcp timeout between the e2guardian and upstream service (proxy or target host) @@ -651,6 +661,18 @@ enablessl = off #genratedcertend = # generatedcertstart = +#Use openssl configuration file +# switch this on if you want e2g to read in openssl configuration +# This is useful if you want to use a hardware acceleration engine. +# default is off +#useopensslconf = off + +#Alternate openssl configuration file +# only used if useopensslconf = on +# default is to use standard openssl configuration file +# only use this if an alternate openssl configuration file is used for e2g +# opensslconffile = '/home/e2/openssl.conf' + # monitor helper path # If defined this script/binary will be called with start or stop appended as follows:- # Note change in V4!!! - No longer detects cache failure diff --git a/config/etc/e2guardian/e2guardianf1.conf b/config/etc/e2guardian/e2guardianf1.conf index 862b2d68..d48489e8 100644 --- a/config/etc/e2guardian/e2guardianf1.conf +++ b/config/etc/e2guardian/e2guardianf1.conf @@ -1,4 +1,4 @@ -# e2guardian filter group config file for version 5.3.2 +# e2guardian filter group config file for version 5.3.3 # This file is re-read on gentle restart and any changes actioned 
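Review bot: `proxytimeout = 5` in the `@@ -176,7 +186,7 @@` hunk drops the value from 20 to the documented floor (`# Min 5 - Max 100`) while the comment directly above still warns that a remote proxy may need 10 or more, and nothing in the commit records why. A one-line comment next to the setting, e.g. `# UTMFW: lowered from 20 because [reason, e.g. upstream is local]`, would keep the deviation explainable when the next e2guardian bump is rebased. If the new value merely tracks the 5.3.3 example config rather than a UTMFW decision, stating that in the comment is enough.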
@@ -303,9 +303,9 @@ bypasskey = '' #cgikey = 'you must change this text in order to be secure' # Users will not be able to bypass sites/urls in these lists -sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass' -#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsiteiplistwithbypass' -#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/bannedurllistwithbypass' +sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass' +#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/ipnobypass' +#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/urlnobypass' # Infection/Scan Error Bypass # Similar to the 'bypass' setting, but specifically for bypassing files scanned and found diff --git a/config/etc/e2guardian/e2guardianf2.conf b/config/etc/e2guardian/e2guardianf2.conf index ae6d8277..d7269516 100644 --- a/config/etc/e2guardian/e2guardianf2.conf +++ b/config/etc/e2guardian/e2guardianf2.conf @@ -1,4 +1,4 @@ -# e2guardian filter group config file for version 5.3.2 +# e2guardian filter group config file for version 5.3.3 # This file is re-read on gentle restart and any changes actioned @@ -49,7 +49,7 @@ sitelist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfilesitelist2 urllist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfileurllist2' sitelist = 'name=exception,messageno=602,path=/etc/e2guardian/lists/exceptionsitelist2' urllist = 'name=exception,messageno=603,path=/etc/e2guardian/lists/exceptionurllist2' -sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass2' +sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass2' urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist2' sitelist = 'name=grey,path=/etc/e2guardian/lists/greysitelist2' urllist = 'name=grey,path=/etc/e2guardian/lists/greyurllist2' 
diff --git a/config/etc/e2guardian/e2guardianf3.conf b/config/etc/e2guardian/e2guardianf3.conf index a4059f6b..81733158 100644 --- a/config/etc/e2guardian/e2guardianf3.conf +++ b/config/etc/e2guardian/e2guardianf3.conf @@ -1,4 +1,4 @@ -# e2guardian filter group config file for version 5.3.2 +# e2guardian filter group config file for version 5.3.3 # This file is re-read on gentle restart and any changes actioned @@ -50,7 +50,7 @@ sitelist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfilesitelist3 urllist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfileurllist3' sitelist = 'name=exception,messageno=602,path=/etc/e2guardian/lists/exceptionsitelist3' urllist = 'name=exception,messageno=603,path=/etc/e2guardian/lists/exceptionurllist3' -sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass3' +sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass3' urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist3' sitelist = 'name=grey,path=/etc/e2guardian/lists/greysitelist3' urllist = 'name=grey,path=/etc/e2guardian/lists/greyurllist3' diff --git a/config/etc/e2guardian/e2guardianf4.conf b/config/etc/e2guardian/e2guardianf4.conf index e6210612..3531ac8d 100644 --- a/config/etc/e2guardian/e2guardianf4.conf +++ b/config/etc/e2guardian/e2guardianf4.conf @@ -1,4 +1,4 @@ -# e2guardian filter group config file for version 5.3.2 +# e2guardian filter group config file for version 5.3.3 # This file is re-read on gentle restart and any changes actioned 
@@ -303,9 +303,9 @@ bypasskey = '' #cgikey = 'you must change this text in order to be secure' # Users will not be able to bypass sites/urls in these lists -sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass' -#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsiteiplistwithbypass' -#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/bannedurllistwithbypass' +sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/domainsnobypass' +#ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/ipnobypass' +#urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/urlnobypass' # Infection/Scan Error Bypass # Similar to the 'bypass' setting, but specifically for bypassing files scanned and found diff --git a/config/etc/e2guardian/lists/bannedsitelistwithbypass b/config/etc/e2guardian/lists/domainsnobypass similarity index 100% rename from config/etc/e2guardian/lists/bannedsitelistwithbypass rename to config/etc/e2guardian/lists/domainsnobypass diff --git a/config/etc/e2guardian/lists/bannedsitelistwithbypass2 b/config/etc/e2guardian/lists/domainsnobypass2 similarity index 100% rename from config/etc/e2guardian/lists/bannedsitelistwithbypass2 rename to config/etc/e2guardian/lists/domainsnobypass2 diff --git a/config/etc/e2guardian/lists/bannedsitelistwithbypass3 b/config/etc/e2guardian/lists/domainsnobypass3 similarity index 100% rename from config/etc/e2guardian/lists/bannedsitelistwithbypass3 rename to config/etc/e2guardian/lists/domainsnobypass3 diff --git a/config/etc/motd b/config/etc/motd index 69d45988..7bac5f9c 100644 --- a/config/etc/motd +++ b/config/etc/motd @@ -1,5 +1,5 @@ -UTMFW 6.5 +UTMFW 6.5.1 -Welcome to UTMFW 6.5: May 2019 -UTMFW 6.5'e hosgeldiniz: May 2019 +Welcome to UTMFW 6.5.1: Aug 2019 +UTMFW 6.5.1'e hosgeldiniz: Agu 2019 
diff --git a/config/etc/sslproxy/sslproxy.conf b/config/etc/sslproxy/sslproxy.conf index 6f2f30bc..a97ab5ca 100644 --- a/config/etc/sslproxy/sslproxy.conf +++ b/config/etc/sslproxy/sslproxy.conf @@ -1,4 +1,4 @@ -# Sample configuration for sslproxy v0.6.0 +# Sample configuration for sslproxy v0.7.0 # # Use the -f command line option to start sslproxy with a config file. # See sslproxy.conf(5) and sslproxy(1) for documentation. @@ -79,13 +79,21 @@ CAKey /etc/sslproxy/ca.key # (default: none) #DisableSSLProto tls10 +# Min SSL/TLS protocol version. +# (default: tls10) +#MinSSLProto tls10 + +# Max SSL/TLS protocol version. +# (default: tls12) +#MaxSSLProto tls12 + # Use the given OpenSSL cipher suite spec. # Equivalent to -s command line option. # (default: ALL:-aNULL) Ciphers ALL:!RC4 # Leaf key RSA keysize in bits, use 1024|2048|3072|4096. -# (default: 1024) +# (default: 2048) LeafKeyRSABits 2048 # OpenSSL engine to activate, either ID or full path to shared library diff --git a/config/utmfw.files b/config/utmfw.files index 40b70983..4929cdf0 100644 --- a/config/utmfw.files +++ b/config/utmfw.files @@ -13,9 +13,9 @@ etc/e2guardian/lists/bannedregexpurllist3,644,root,wheel etc/e2guardian/lists/bannedsitelist,644,root,wheel etc/e2guardian/lists/bannedsitelist2,644,root,wheel etc/e2guardian/lists/bannedsitelist3,644,root,wheel -etc/e2guardian/lists/bannedsitelistwithbypass,644,root,wheel -etc/e2guardian/lists/bannedsitelistwithbypass2,644,root,wheel -etc/e2guardian/lists/bannedsitelistwithbypass3,644,root,wheel +etc/e2guardian/lists/domainsnobypass,644,root,wheel +etc/e2guardian/lists/domainsnobypass2,644,root,wheel +etc/e2guardian/lists/domainsnobypass3,644,root,wheel etc/e2guardian/lists/bannedurllist,644,root,wheel etc/e2guardian/lists/bannedurllist2,644,root,wheel etc/e2guardian/lists/bannedurllist3,644,root,wheel diff --git a/config/utmfw.mtree b/config/utmfw.mtree index 8f66ed1c..0c8604c6 100644 --- a/config/utmfw.mtree +++ b/config/utmfw.mtree 
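Review bot: The new `MinSSLProto`/`MaxSSLProto` entries in the `@@ -79,13 +79,21 @@` hunk are left commented with `(default: tls10)`, and the existing `#DisableSSLProto tls10` just above them is still commented too, so the shipped sample leaves TLS 1.0 permitted by default. The file already hardens other knobs in place (`Ciphers ALL:!RC4`, `LeafKeyRSABits 2048`), so it would be consistent to set the floor explicitly here as well, e.g. `MinSSLProto tls11`, or at least add a comment recording that tls10 is the floor until a deployment raises it. Whether any client or upstream behind the proxy still needs TLS 1.0 is not visible from this hunk, so the value itself is the author's call.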
@@ -126,9 +126,9 @@ bannedregexpurllist3 type=file mode=0644 uname=root gname=wheel bannedsitelist type=file mode=0644 uname=root gname=wheel bannedsitelist2 type=file mode=0644 uname=root gname=wheel bannedsitelist3 type=file mode=0644 uname=root gname=wheel -bannedsitelistwithbypass type=file mode=0644 uname=root gname=wheel -bannedsitelistwithbypass2 type=file mode=0644 uname=root gname=wheel -bannedsitelistwithbypass3 type=file mode=0644 uname=root gname=wheel +domainsnobypass type=file mode=0644 uname=root gname=wheel +domainsnobypass2 type=file mode=0644 uname=root gname=wheel +domainsnobypass3 type=file mode=0644 uname=root gname=wheel bannedurllist type=file mode=0644 uname=root gname=wheel bannedurllist2 type=file mode=0644 uname=root gname=wheel bannedurllist3 type=file mode=0644 uname=root gname=wheel diff --git a/meta/install.sub b/meta/install.sub index 21da17c8..7d43f231 100755 --- a/meta/install.sub +++ b/meta/install.sub @@ -1105,13 +1105,13 @@ CDDEVS=$(scan_dmesg "${MDCDDEVS:-/^cd[0-9][0-9]* /s/ .*//p}") # Selected sets will be installed in the order they are listed in $THESETS. THESETS="isc-bind-9.11.6v0.tgz \ - sslproxy-0.6.0.tgz \ + sslproxy-0.7.0.tgz \ clamav-0.101.2.tgz \ clamavdb.tar.gz \ p5-Mail-SpamAssassin-3.4.2p1.tgz \ p3scan-2.3.2.tgz \ smtp-gated-1.4.20.0.tgz \ - e2guardian-5.3.2.tgz \ + e2guardian-5.3.3.tgz \ blacklists.tar.gz \ snort-2.9.13.tgz \ snortrules.tar.gz \ diff --git a/meta/root.mail b/meta/root.mail index 9586ca17..d963b7d5 100644 --- a/meta/root.mail +++ b/meta/root.mail @@ -1,14 +1,11 @@ -From sonertari@gmail.com Mon May 6 06:50:00 EET 2019 +From sonertari@gmail.com Tue Aug 13 06:50:10 EET 2019 Return-Path: root -Date: May 6 06:50:00 EET 2019 +Date: Aug 13 06:50:10 EET 2019 
From: sonertari@gmail.com (Soner Tari) To: root -Subject: Welcome to UTMFW 6.5! +Subject: Welcome to UTMFW 6.5.1! Highlights of this release are: -- User authentication by SSLproxy 0.6.0 -- User-based web filtering and user statistics for http/pop3/smtp -- OpenBSD 6.5 -- PHP 7.3, E2Guardian 5.3.2 with support for SSLproxy users -- Variety of other updates and improvements +- SSLproxy 0.7.0 and Libevent 2.1.11 +- E2Guardian 5.3.3 diff --git a/ports/e2guardian/Makefile b/ports/e2guardian/Makefile index 49246bb6..4c203f92 100644 --- a/ports/e2guardian/Makefile +++ b/ports/e2guardian/Makefile @@ -1,5 +1,5 @@ COMMENT = content scanning web filter -DISTNAME = e2guardian-5.3.2 +DISTNAME = e2guardian-5.3.3 CATEGORIES = www net HOMEPAGE = http://www.e2guardian.org/ @@ -13,7 +13,7 @@ WANTLIB = c m pcre pcreposix stdc++ z # You may need to download the source package yourself, # and copy it under /usr/ports/distfiles/ -MASTER_SITES= https://github.com/e2guardian/e2guardian/releases/tag/v5.3.2/ +MASTER_SITES= https://github.com/e2guardian/e2guardian/releases/tag/v5.3.3/ LIB_DEPENDS = devel/pcre diff --git a/ports/e2guardian/distinfo b/ports/e2guardian/distinfo index 4bbc5f64..b8064b9d 100644 --- a/ports/e2guardian/distinfo +++ b/ports/e2guardian/distinfo @@ -1,2 +1,2 @@ -SHA256 (e2guardian-5.3.2.tar.gz) = /xUJAVe46nt5EKiTuzv1grVljNK0qUF4Bb1cjMG6Xik= -SIZE (e2guardian-5.3.2.tar.gz) = 2009156 +SHA256 (e2guardian-5.3.3.tar.gz) = nYj30sM54BWG0mfyWjAYaC0RW4qq3Bi+2uke+rUchbQ= +SIZE (e2guardian-5.3.3.tar.gz) = 2009254 diff --git a/ports/e2guardian/patches/patch-src_ConnectionHandler_cpp b/ports/e2guardian/patches/patch-src_ConnectionHandler_cpp index a731d08a..8866394e 100644 --- a/ports/e2guardian/patches/patch-src_ConnectionHandler_cpp +++ b/ports/e2guardian/patches/patch-src_ConnectionHandler_cpp 
@@ -2,7 +2,7 @@ $OpenBSD$ Index: src/ConnectionHandler.cpp --- src/ConnectionHandler.cpp.orig +++ src/ConnectionHandler.cpp -@@ -473,8 +473,13 @@ ConnectionHandler::connectUpstream(Socket &sock, Naugh +@@ -485,8 +485,14 @@ ConnectionHandler::connectUpstream(Socket &sock, Naugh cm.upfailure = false; if (cm.isdirect) { String des_ip; @@ -15,10 +15,11 @@ Index: src/ConnectionHandler.cpp + } else { + des_ip = cm.urldomain; + } - sock.setTimeout(o.connect_timeout); - #ifdef DGDEBUG - std::cerr << thread_id << "Connecting to IPHost " << des_ip << " port " << port << std::endl; -@@ -692,8 +697,9 @@ int ConnectionHandler::handleConnection(Socket &peerco ++ + if (may_be_loop) { // check check_ip list + bool do_break = false; + if (o.check_ip.size() > 0) { +@@ -735,8 +741,9 @@ int ConnectionHandler::handleConnection(Socket &peerco //int pport = peerconn.getPeerSourcePort(); std::string peerIP = peerconn.getPeerIP(); @@ -30,7 +31,7 @@ Index: src/ConnectionHandler.cpp #ifdef DGDEBUG std::cerr << thread_id << " No header recd from client - errno: " << err << std::endl; #endif -@@ -781,6 +787,23 @@ int ConnectionHandler::handleConnection(Socket &peerco +@@ -824,6 +831,23 @@ int ConnectionHandler::handleConnection(Socket &peerco } // @@ -54,7 +55,7 @@ Index: src/ConnectionHandler.cpp // do this normalisation etc just the once at the start. checkme.setURL(ismitm); -@@ -2376,7 +2399,7 @@ bool ConnectionHandler::getdnstxt(std::string &clienti +@@ -2421,7 +2445,7 @@ bool ConnectionHandler::getdnstxt(std::string &clienti // get info from DNS union { HEADER hdr; @@ -63,7 +64,7 @@ Index: src/ConnectionHandler.cpp } response; int responseLen; ns_msg handle; /* handle for response message */ -@@ -2924,7 +2947,7 @@ bool ConnectionHandler::checkByPass(NaughtyFilter &che +@@ -2972,7 +2996,7 @@ bool ConnectionHandler::checkByPass(NaughtyFilter &che } } else if (ldl->fg[filtergroup]->bypass_mode != 0) { if (header.isBypassCookie(checkme.urldomain, ldl->fg[filtergroup]->cookie_magic.c_str(), 
diff --git a/ports/e2guardian/patches/patch-src_FOptionContainer_cpp b/ports/e2guardian/patches/patch-src_FOptionContainer_cpp index 1952acba..2dff80fa 100644 --- a/ports/e2guardian/patches/patch-src_FOptionContainer_cpp +++ b/ports/e2guardian/patches/patch-src_FOptionContainer_cpp @@ -2,7 +2,7 @@ $OpenBSD$ Index: src/FOptionContainer.cpp --- src/FOptionContainer.cpp.orig +++ src/FOptionContainer.cpp -@@ -378,7 +378,7 @@ bool FOptionContainer::read(const char *filename) { +@@ -376,7 +376,7 @@ bool FOptionContainer::read(const char *filename) { if (reporting_level == 0) { std::cerr << thread_id << "Reporting_level is : " << reporting_level << " file " << filename << std::endl; diff --git a/ports/e2guardian/patches/patch-src_FatController_cpp b/ports/e2guardian/patches/patch-src_FatController_cpp index 43e9f615..fd3eb308 100644 --- a/ports/e2guardian/patches/patch-src_FatController_cpp +++ b/ports/e2guardian/patches/patch-src_FatController_cpp @@ -3,7 +3,7 @@ $OpenBSD$ Index: src/FatController.cpp --- src/FatController.cpp.orig +++ src/FatController.cpp -@@ -1036,7 +1036,7 @@ void log_listener(std::string log_location, bool logco +@@ -1037,7 +1037,7 @@ void log_listener(std::string log_location, bool logco postdata + "\""; break; case 1: @@ -12,7 +12,7 @@ Index: src/FatController.cpp + how + " " + ssize + " " + sweight + " " + cat + " " + stringgroup + " " + stringcode + " " + mimetype + " " + clienthost + " " + ldl->fg[filtergroup]->name + " " + useragent + " " + params + " " + o.logid_1 + " " + o.logid_2 + " " + postdata; -@@ -1077,7 +1077,7 @@ void log_listener(std::string log_location, bool logco +@@ -1078,7 +1078,7 @@ void log_listener(std::string log_location, bool logco if (!logsyslog) *logfile << builtline << std::endl; // append the line else 
@@ -21,7 +21,7 @@ Index: src/FatController.cpp #ifdef DGDEBUG std::cerr << itemcount << " " << builtline << std::endl; #endif -@@ -1673,12 +1673,11 @@ int fc_controlit() // +@@ -1694,12 +1694,11 @@ int fc_controlit() // gentlereload = false; continue; // OK to continue even if gentle failed - just continue to use previous lists } @@ -38,7 +38,7 @@ Index: src/FatController.cpp } } else { if (rc == SIGUSR1) -@@ -1691,7 +1690,7 @@ int fc_controlit() // +@@ -1712,7 +1711,7 @@ int fc_controlit() // std::cerr << "signal:" << rc << std::endl; #endif if (o.logconerror) { diff --git a/ports/e2guardian/patches/patch-src_Socket_hpp b/ports/e2guardian/patches/patch-src_Socket_hpp index 7d4af1f2..7efd233d 100644 --- a/ports/e2guardian/patches/patch-src_Socket_hpp +++ b/ports/e2guardian/patches/patch-src_Socket_hpp @@ -17,6 +17,6 @@ Index: src/Socket.hpp int my_port; + std::string actualPeerAddr; + int actualPeerPort; - bool ieof; + bool ieof = false; }; diff --git a/ports/e2guardian/pkg/PLIST b/ports/e2guardian/pkg/PLIST index 48efffbb..6e981769 100644 --- a/ports/e2guardian/pkg/PLIST +++ b/ports/e2guardian/pkg/PLIST @@ -235,7 +235,6 @@ share/examples/e2guardian/lists/bannedsiteiplist @sample ${SYSCONFDIR}/e2guardian/lists/bannedsiteiplist share/examples/e2guardian/lists/bannedsitelist @sample ${SYSCONFDIR}/e2guardian/lists/bannedsitelist -share/examples/e2guardian/lists/bannedsitelistwithbypass share/examples/e2guardian/lists/bannedsslsiteiplist @sample ${SYSCONFDIR}/e2guardian/lists/bannedsslsiteiplist share/examples/e2guardian/lists/bannedsslsitelist diff --git a/ports/libevent2/Makefile b/ports/libevent2/Makefile index 070d8445..efb84c4f 100644 --- a/ports/libevent2/Makefile +++ b/ports/libevent2/Makefile 
@@ -2,12 +2,12 @@ COMMENT= event notification library -V= 2.1.8 +V= 2.1.11 DISTNAME= libevent-$V-stable PKGNAME= libevent-$V CATEGORIES= devel #HOMEPAGE= http://monkey.org/~provos/libevent/ -HOMEPAGE= https://github.com/libevent/libevent/releases/download/release-2.1.8-stable/ +HOMEPAGE= https://github.com/libevent/libevent/releases/download/release-2.1.11-stable/ SHARED_LIBS+= event_core 1.1 # 6.9 SHARED_LIBS+= event_extra 0.1 # 6.9 diff --git a/ports/libevent2/distinfo b/ports/libevent2/distinfo index 83cd51eb..05f33659 100644 --- a/ports/libevent2/distinfo +++ b/ports/libevent2/distinfo @@ -1,2 +1,2 @@ -SHA256 (libevent-2.1.8-stable.tar.gz) = llzFqLtGzkGZpH6bLJ4crjsTfoNW/9rW2U07kGm3HcI= -SIZE (libevent-2.1.8-stable.tar.gz) = 1026485 +SHA256 (libevent-2.1.11-stable.tar.gz) = plusYgLqjFYJ/Vx+SA5tJd5GfqGRfAgpDFIXUvFHKD0= +SIZE (libevent-2.1.11-stable.tar.gz) = 1082234 diff --git a/ports/libevent2/patches/patch-evutil_rand_c b/ports/libevent2/patches/patch-evutil_rand_c deleted file mode 100644 index 5a6bb4c2..00000000 --- a/ports/libevent2/patches/patch-evutil_rand_c +++ /dev/null @@ -1,19 +0,0 @@ -$OpenBSD: patch-evutil_rand_c,v 1.3 2015/01/06 21:28:05 sthen Exp $ -OpenBSD does not need nor provide arc4random_addrandom anymore. -And evutil_secure_rng_add_bytes is a bad API anyway. ---- evutil_rand.c.orig Tue Oct 4 22:55:31 2016 -+++ evutil_rand.c Tue Jul 25 14:39:35 2017 -@@ -193,13 +193,6 @@ evutil_secure_rng_get_bytes(void *buf, size_t n) - } - - void --evutil_secure_rng_add_bytes(const char *buf, size_t n) --{ -- arc4random_addrandom((unsigned char*)buf, -- n>(size_t)INT_MAX ? INT_MAX : (int)n); --} -- --void - evutil_free_secure_rng_globals_(void) - { - evutil_free_secure_rng_globals_locks(); diff --git a/ports/libevent2/patches/patch-include_event2_util_h b/ports/libevent2/patches/patch-include_event2_util_h deleted file mode 100644 index 81ac0cdf..00000000 --- a/ports/libevent2/patches/patch-include_event2_util_h +++ /dev/null 
@@ -1,27 +0,0 @@ -$OpenBSD: patch-include_event2_util_h,v 1.2 2015/01/06 21:28:05 sthen Exp $ ---- include/event2/util.h.orig Tue Jul 25 14:46:04 2017 -+++ include/event2/util.h Tue Jul 25 14:46:40 2017 -@@ -842,23 +842,6 @@ int evutil_secure_rng_init(void); - EVENT2_EXPORT_SYMBOL - int evutil_secure_rng_set_urandom_device_file(char *fname); - --/** Seed the random number generator with extra random bytes. -- -- You should almost never need to call this function; it should be -- sufficient to invoke evutil_secure_rng_init(), or let Libevent take -- care of calling evutil_secure_rng_init() on its own. -- -- If you call this function as a _replacement_ for the regular -- entropy sources, then you need to be sure that your input -- contains a fairly large amount of strong entropy. Doing so is -- notoriously hard: most people who try get it wrong. Watch out! -- -- @param dat a buffer full of a strong source of random numbers -- @param datlen the number of bytes to read from datlen -- */ --EVENT2_EXPORT_SYMBOL --void evutil_secure_rng_add_bytes(const char *dat, size_t datlen); -- - #ifdef __cplusplus - } - #endif diff --git a/ports/libevent2/patches/patch-openssl-compat_h b/ports/libevent2/patches/patch-openssl-compat_h deleted file mode 100644 index ef14035d..00000000 --- a/ports/libevent2/patches/patch-openssl-compat_h +++ /dev/null 
@@ -1,28 +0,0 @@ -LibreSSL uses a synthetic version in order to force consumers to check -individual features instead but API isn't compatible with OpenSSL 1.1.x. - -https://github.com/libevent/libevent/commit/d057c45e8f48 - -Index: openssl-compat.h ---- openssl-compat.h.orig -+++ openssl-compat.h -@@ -1,9 +1,9 @@ - #ifndef OPENSSL_COMPAT_H - #define OPENSSL_COMPAT_H - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - --static inline BIO_METHOD *BIO_meth_new(int type, const char *name) -+inline BIO_METHOD *BIO_meth_new(int type, const char *name) - { - BIO_METHOD *biom = calloc(1, sizeof(BIO_METHOD)); - -@@ -30,6 +30,6 @@ static inline BIO_METHOD *BIO_meth_new(int type, const - - #define TLS_method SSLv23_method - --#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ -+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) */ - - #endif /* OPENSSL_COMPAT_H */ diff --git a/ports/libevent2/patches/patch-sample_le-proxy_c b/ports/libevent2/patches/patch-sample_le-proxy_c deleted file mode 100644 index 3616032e..00000000 --- a/ports/libevent2/patches/patch-sample_le-proxy_c +++ /dev/null @@ -1,12 +0,0 @@ -$OpenBSD$ ---- sample/le-proxy.c.orig Wed Dec 7 00:13:44 2016 -+++ sample/le-proxy.c Tue Jul 25 15:48:57 2017 -@@ -259,7 +259,7 @@ main(int argc, char **argv) - - if (use_ssl) { - int r; --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - SSL_library_init(); - ERR_load_crypto_strings(); - SSL_load_error_strings(); diff --git a/ports/libevent2/patches/patch-sample_openssl_hostname_validation_c b/ports/libevent2/patches/patch-sample_openssl_hostname_validation_c deleted file mode 100644 index 9596a087..00000000 --- a/ports/libevent2/patches/patch-sample_openssl_hostname_validation_c +++ /dev/null 
@@ -1,12 +0,0 @@ -$OpenBSD$ ---- sample/openssl_hostname_validation.c.orig Tue Nov 1 17:34:53 2016 -+++ sample/openssl_hostname_validation.c Tue Jul 25 15:48:57 2017 -@@ -48,7 +48,7 @@ SOFTWARE. - - #define HOSTNAME_MAX_SIZE 255 - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - #define ASN1_STRING_get0_data ASN1_STRING_data - #endif - diff --git a/ports/sslproxy/Makefile b/ports/sslproxy/Makefile index b7756455..bdc0b6c5 100644 --- a/ports/sslproxy/Makefile +++ b/ports/sslproxy/Makefile @@ -1,6 +1,6 @@ COMMENT= transparent SSL/TLS proxy to divert decrypted traffic -DISTNAME= sslproxy-0.6.0 +DISTNAME= sslproxy-0.7.0 EXTRACT_SUFX= .tar.gz CATEGORIES= security diff --git a/ports/sslproxy/distinfo b/ports/sslproxy/distinfo index 93bd04b6..346ccfd2 100644 --- a/ports/sslproxy/distinfo +++ b/ports/sslproxy/distinfo @@ -1,2 +1,2 @@ -SHA256 (sslproxy-0.6.0.tar.gz) = NyWjurNXRYHavL5vHvSB7yF0cAvH5d1nlcWWWDWsX2Q= -SIZE (sslproxy-0.6.0.tar.gz) = 1449606 +SHA256 (sslproxy-0.7.0.tar.gz) = RcEM6QUkpsR+ibao0y2BSzN4qkkPC7cLhSCuEDpPyrA= +SIZE (sslproxy-0.7.0.tar.gz) = 1549168 diff --git a/src/Model/sslproxy.php b/src/Model/sslproxy.php index 8b95226d..b8c5350f 100644 --- a/src/Model/sslproxy.php +++ b/src/Model/sslproxy.php @@ -252,6 +252,10 @@ function DelPassSite($site) ), 'DisableSSLProto' => array( ), + 'MinSSLProto' => array( + ), + 'MaxSSLProto' => array( + ), 'Ciphers' => array( ), 'LeafKeyRSABits' => array( diff --git a/src/View/locale/en_EN/LC_MESSAGES/utmfw.po b/src/View/locale/en_EN/LC_MESSAGES/utmfw.po index 0f962521..942fe118 100644 --- a/src/View/locale/en_EN/LC_MESSAGES/utmfw.po +++ b/src/View/locale/en_EN/LC_MESSAGES/utmfw.po @@ -3259,6 +3259,12 @@ msgstr "" msgid "Max Packet Rate" msgstr "" +msgid "Max SSL Protocol" +msgstr "" + +msgid "Max SSL/TLS protocol version." +msgstr "" + msgid "Max Single Host States" msgstr "" 
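Review bot: The new `'MinSSLProto' => array()` and `'MaxSSLProto' => array()` entries in the `@@ -252,6 +252,10 @@` hunk of src/Model/sslproxy.php carry no option data, matching the neighbouring `'DisableSSLProto'` entry; if this map is where the WUI attaches per-key validation (not visible in the hunk), both keys have a closed value set in sslproxy.conf (`tls10` and `tls12` are the documented defaults) and would benefit from a validator so a mistyped protocol name does not reach the config file unchecked. If the map really is only a key list, a short comment above the block stating that is worth adding, because the `function DelPassSite($site)` hunk header gives a reader no hint of what the array is for. The enclosing array starts and ends outside the hunk.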
@@ -3371,6 +3377,12 @@ msgstr "" msgid "Min" msgstr "" +msgid "Min SSL Protocol" +msgstr "" + +msgid "Min SSL/TLS protocol version." +msgstr "" + msgid "Min TTL" msgstr "" @@ -3841,14 +3853,6 @@ msgstr "" msgid "Passive Intrusion Prevention" msgstr "" -msgid "Passthrough" -msgstr "" - -msgid "" -"Passthrough SSL connections if they cannot be split because of client cert " -"auth or no matching cert and no CA." -msgstr "" - msgid "Passthrough Sites" msgstr "" diff --git a/src/View/locale/en_EN/LC_MESSAGES/utmfw_HELPBOX2.po b/src/View/locale/en_EN/LC_MESSAGES/utmfw_HELPBOX2.po index 0ec9b1ea..1dcb2baa 100644 --- a/src/View/locale/en_EN/LC_MESSAGES/utmfw_HELPBOX2.po +++ b/src/View/locale/en_EN/LC_MESSAGES/utmfw_HELPBOX2.po @@ -537,6 +537,9 @@ msgid "" "\t\tDefault: disabled" msgstr "" +msgid "Max SSL/TLS protocol version." +msgstr "" + msgid "" "Maximal depth directories are scanned at.\n" "\t\tDefault: 15" @@ -547,6 +550,9 @@ msgid "" "\t\tDefault: 10" msgstr "" +msgid "Min SSL/TLS protocol version." +msgstr "" + msgid "Most clients don't need to bind to a specific local port number." msgstr "" @@ -611,11 +617,6 @@ msgid "" "use -1 for no blocking" msgstr "" -msgid "" -"Passthrough SSL connections if they cannot be split because of client cert " -"auth or no matching cert and no CA." -msgstr "" - msgid "" "Passthrough sites. The format is site [(clientaddr|(user|*) [description " "keyword])]. If the site matches SNI or common names in the SSL certificate, " diff --git a/src/View/locale/en_EN/LC_MESSAGES/utmfw_TITLE2.po b/src/View/locale/en_EN/LC_MESSAGES/utmfw_TITLE2.po index 8a9d368d..05a2f86b 100644 --- a/src/View/locale/en_EN/LC_MESSAGES/utmfw_TITLE2.po +++ b/src/View/locale/en_EN/LC_MESSAGES/utmfw_TITLE2.po @@ -559,6 +559,9 @@ msgstr "" msgid "Max Log Item Length" msgstr "" +msgid "Max SSL Protocol" +msgstr "" + msgid "Max Threads" msgstr "" @@ -616,6 +619,9 @@ msgstr "" msgid "Mime" msgstr "" +msgid "Min SSL Protocol" +msgstr "" + msgid "Min children" msgstr "" 
@@ -685,9 +691,6 @@ msgstr "" msgid "Passive Intrusion Prevention" msgstr "" -msgid "Passthrough" -msgstr "" - msgid "Passthrough Sites" msgstr "" diff --git a/src/View/locale/tr_TR/LC_MESSAGES/utmfw.po b/src/View/locale/tr_TR/LC_MESSAGES/utmfw.po index ca868f9d..03477bb0 100644 --- a/src/View/locale/tr_TR/LC_MESSAGES/utmfw.po +++ b/src/View/locale/tr_TR/LC_MESSAGES/utmfw.po @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: UTMFW 6.5\n" "Report-Msgid-Bugs-To: sonertari@gmail.com\n" "POT-Creation-Date: 2009-11-11 16:21+0200\n" -"PO-Revision-Date: 2019-04-07 16:05+0300\n" +"PO-Revision-Date: 2019-08-13 12:45+0300\n" "Last-Translator: Soner Tari \n" "Language: Turkish\n" "Language-Team: Turkish \n" @@ -3770,6 +3770,12 @@ msgstr "En Yüksek MSS" msgid "Max Packet Rate" msgstr "En Yüksek Paket Hızı" +msgid "Max SSL Protocol" +msgstr "En yüksek SSL protokolü" + +msgid "Max SSL/TLS protocol version." +msgstr "En yüksek SSL/TLS protokol sürümünü kullan." + msgid "Max Single Host States" msgstr "Tek Adres için En Fazla Durum Sayısı" @@ -3886,6 +3892,12 @@ msgstr "Mime'lar" msgid "Min" msgstr "En az" +msgid "Min SSL Protocol" +msgstr "En alçak SSL protokolü" + +msgid "Min SSL/TLS protocol version." +msgstr "En alçak SSL/TLS protokol sürümünü kullan." + msgid "Min TTL" msgstr "En düşük TTL" @@ -4420,16 +4432,6 @@ msgstr "Pasif SES" msgid "Passive Intrusion Prevention" msgstr "Pasif Saldırı Engelleme" -msgid "Passthrough" -msgstr "Doğrudan Geçir" - -msgid "" -"Passthrough SSL connections if they cannot be split because of client cert " -"auth or no matching cert and no CA." -msgstr "" -"SSL bağlantılarını doğrudan geçir, eğer istemci sertifikası istenmişse veya " -"uyan bir sertifika ve CA yoksa." - msgid "Passthrough Sites" msgstr "Doğrudan Geçirilecek Siteler" diff --git a/src/View/locale/tr_TR/LC_MESSAGES/utmfw_HELPBOX2.po b/src/View/locale/tr_TR/LC_MESSAGES/utmfw_HELPBOX2.po index 3c18b2e1..ec917530 100644 --- a/src/View/locale/tr_TR/LC_MESSAGES/utmfw_HELPBOX2.po 
+++ b/src/View/locale/tr_TR/LC_MESSAGES/utmfw_HELPBOX2.po @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: UTMFW 6.5\n" "Report-Msgid-Bugs-To: sonertari@gmail.com\n" "POT-Creation-Date: 2009-11-11 16:21+0200\n" -"PO-Revision-Date: 2019-04-21 01:08+0300\n" +"PO-Revision-Date: 2019-08-13 12:44+0300\n" "Last-Translator: Soner Tari \n" "Language: Turkish\n" "Language-Team: Turkish \n" @@ -819,6 +819,9 @@ msgstr "" "Şifreli arşivleri virüslü olarak işaretler.\n" "Öndeğer: kapalı" +msgid "Max SSL/TLS protocol version." +msgstr "En yüksek SSL/TLS protokol sürümünü kullan." + msgid "" "Maximal depth directories are scanned at.\n" "\t\tDefault: 15" @@ -833,6 +836,9 @@ msgstr "" "Bir anda çalışan işparçacığı sayısının üst sınırıdır.\n" "Öndeğer: 10" +msgid "Min SSL/TLS protocol version." +msgstr "En alçak SSL/TLS protokol sürümünü kullan." + msgid "Most clients don't need to bind to a specific local port number." msgstr "" "Çoğu istemcinin belli bir yerel kapı numarasına bağlanma ihtiyacı yoktur." @@ -923,13 +929,6 @@ msgstr "" "Sınırlamak için daha yüksek bir değer kullanın (örneğin 512 = 512Kbayt)\n" "İzin vermek için -1 kullanın" -msgid "" -"Passthrough SSL connections if they cannot be split because of client cert " -"auth or no matching cert and no CA." -msgstr "" -"SSL bağlantılarını doğrudan geçir, eğer istemci sertifikası istenmişse veya " -"uyan bir sertifika ve CA yoksa." - msgid "" "Passthrough sites. The format is site [(clientaddr|(user|*) [description " "keyword])]. If the site matches SNI or common names in the SSL certificate, " diff --git a/src/View/locale/tr_TR/LC_MESSAGES/utmfw_TITLE2.po b/src/View/locale/tr_TR/LC_MESSAGES/utmfw_TITLE2.po index 59e8e6cf..d9ce2645 100644 --- a/src/View/locale/tr_TR/LC_MESSAGES/utmfw_TITLE2.po +++ b/src/View/locale/tr_TR/LC_MESSAGES/utmfw_TITLE2.po 
@@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: UTMFW 6.5\n" "Report-Msgid-Bugs-To: sonertari@gmail.com\n" "POT-Creation-Date: 2009-11-11 16:21+0200\n" -"PO-Revision-Date: 2019-04-19 21:07+0300\n" +"PO-Revision-Date: 2019-08-13 12:43+0300\n" "Last-Translator: Soner Tari \n" "Language: Turkish\n" "Language-Team: Turkish \n" @@ -578,6 +578,9 @@ msgstr "Dizin yenileme üst sınırı" msgid "Max Log Item Length" msgstr "Kayıt öğesi uzunluk üst sınırı" +msgid "Max SSL Protocol" +msgstr "En yüksek SSL protokolü" + msgid "Max Threads" msgstr "İşparçacığı üst sınırı" @@ -635,6 +638,9 @@ msgstr "Virüs tarama boyutu üst sınırı" msgid "Mime" msgstr "Mime" +msgid "Min SSL Protocol" +msgstr "En alçak SSL protokolü" + msgid "Min children" msgstr "Alt süreç alt sınırı" @@ -704,9 +710,6 @@ msgstr "Paket Eleği" msgid "Passive Intrusion Prevention" msgstr "Pasif Saldırı Engelleme" -msgid "Passthrough" -msgstr "Doğrudan Geçir" - msgid "Passthrough Sites" msgstr "Doğrudan Geçirilecek Siteler" diff --git a/src/View/sslproxy/sslproxy.php b/src/View/sslproxy/sslproxy.php index 6c1bd96b..5a4b2870 100644 --- a/src/View/sslproxy/sslproxy.php +++ b/src/View/sslproxy/sslproxy.php @@ -73,6 +73,14 @@ function __construct() 'title' => _TITLE2('Disable SSL Protocol'), 'info' => _HELPBOX2('Disable SSL/TLS protocol version.'), ), + 'MinSSLProto' => array( + 'title' => _TITLE2('Min SSL Protocol'), + 'info' => _HELPBOX2('Min SSL/TLS protocol version.'), + ), + 'MaxSSLProto' => array( + 'title' => _TITLE2('Max SSL Protocol'), + 'info' => _HELPBOX2('Max SSL/TLS protocol version.'), + ), 'Ciphers' => array( 'title' => _TITLE2('Ciphers'), 'info' => _HELPBOX2('Cipher specification for both server and client SSL/TLS connections.'), diff --git a/src/lib/defs.php b/src/lib/defs.php index 7971c351..cc474cb7 100644 --- a/src/lib/defs.php +++ b/src/lib/defs.php 
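Review bot: The help text of the two new entries, `'info' => _HELPBOX2('Min SSL/TLS protocol version.')` and its Max counterpart, only restates the title and gives the administrator no guidance on which value to choose, even though the minimum version is the security-relevant knob (it decides whether legacy SSL/TLS versions are still accepted). I would expand the MinSSLProto help box along the lines of `'info' => _HELPBOX2('Min SSL/TLS protocol version. Raise this to stop accepting legacy protocol versions; it must not be higher than Max SSL Protocol.')` and, in the Max box, say that it caps the version that can be negotiated. The set of accepted protocol names and a min-not-above-max check presumably live on the model side, which is not part of this hunk; if that validation is missing, an invalid pair saved from the WUI would only surface when sslproxy next reloads its configuration. Because the 'Disable SSL Protocol' entry just above is kept, the help text should also say how the three options interact. __construct continues outside the hunk.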
@@ -23,7 +23,7 @@ */ /// Project version. -define('VERSION', '6.5'); +define('VERSION', '6.5.1'); $ROOT= dirname(dirname(dirname(__FILE__))); $SRC_ROOT= dirname(dirname(__FILE__));